Data processing agreement

WHEREAS:

Customer (hereinafter, “the Controller”) of the one part, and Leap Tools Inc. (hereinafter, “the Processor”) of the other part, who have entered into an agreement for services (the “Agreement”), hereby agree to the following terms:

I. Purpose

The purpose of these clauses is to define the conditions in which the Processor undertakes to carry out, on the Controller’s behalf, the personal data processing operations defined below.

As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 which is applicable from 25 May 2018 (hereinafter “the General Data Protection Regulation” or “GDPR”), including the definitions contained therein.

II. Description of the processing being subcontracted out

The Processor is authorized to process, on behalf of the Controller, the necessary personal data for providing the services outlined in the Agreement (the “Services”). The purpose of the Services is to enable a user to visualize the Controller’s product in a room picture, to store such a picture and to share such a picture with third parties. For this purpose the following personal data shall be processed by the Processor:

  • Users accessing the Services via the Controller’s webpage: IP-address of user;
  • User sending a link to a room configured within the Services, to themselves or a third party: email-address of recipient;
 

The Services as well as any personal data being processed by the Processor is run on IT-infrastructure (including server) of the Processor.

The categories of data subjects are users of the software Roomvo.

III. Duration of the contract

As a result of being incorporated into the Agreement, this Data Processing Agreement enters into force in concurrence with the Agreement, for the duration of the Agreement.

IV. Processor’s obligations with respect to the Controller

The Processor shall undertake to:

  1. process the data solely for the purpose(s).
  2. process the data in accordance with the documented instructions from the Controller herein. Where the Processor considers that an instruction infringes the General Data Protection Regulation or of any other legal provision of the European Union or of European Union Member States bearing on data protection, it shall immediately inform the Controller thereof. Moreover, where the Processor is obliged to transfer personal data to a third country or an international organization, under European Union law or European Union Member State law to which the Processor is subject, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
  3. guarantee the confidentiality of personal data processed hereunder.
  4. ensure that the persons authorized to process the personal data hereunder:
    • have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and
    • receive the appropriate personal data protection training.
  5. take into consideration, in terms of its tools, products, applications or services, the principles of data protection by design and by default.

V. Sub-processing

The Processor may engage other processors (hereinafter “the sub-processors”) to conduct specific processing activities. In this case, the Processor shall inform the Controller, in writing, of any changes concerning the addition or replacement of sub-processors. If the Controller disapproves of changes to the sub-processors (the Controller’s disapproval shall not be unreasonable), the Controller shall notify the Processor immediately and the Processor will have the right to attempt to resolve, mitigate, or cure the adverse change within a reasonable period of time. If the Processor cannot, or will not cure the adverse change, the Controller shall have the right to terminate this agreement, without further obligation, within 30 days of the aforementioned changes being made.

These are the sub-processors engaged by the Processor:

  • Amazon Web Services

The Processor has a Data Processing Agreement in place with Amazon Web Services, which includes the Standard Contractual Clauses as adopted by the European Commission for the transfer of personal data to processors established in third countries.

VI. Data subjects’ right to information

It is the Controller’s responsibility to inform the data subjects concerned by the processing operations prior to the time data are being collected.

VII. Exercise of data subjects’ rights

The Processor shall assist the Controller, insofar as this is possible, for the fulfilment of its obligation to respond to requests for exercising the data subject’s rights: right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).

VIII. Notification of personal data breaches

The Processor shall notify the Controller of any violations of the protection of personal data processed on behalf of the Controller, including special occurrences such as burglary, theft, and hacking attacks that result in such violations.

The notification shall contain the following information, if known at the time of the notification:

  • a description of the nature of the breach of the protection of personal data;
  • a description of the likely consequences of the violation;
  • a description of the measures taken or proposed by the Processor to remedy the breach of the protection of personal data and, where appropriate, measures to mitigate its possible adverse effects.

IX. Assistance lent by the Processor to the Controller regarding compliance with its obligations

The Processor assists the Controller in carrying out data protection impact assessments.

The Processor assists the Controller with regard to prior consultation of the supervisory authority.

X. Security measures

The Processor undertakes to implement the following security measures:

  • the pseudonymization and encryption of personal data, where appropriate
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
  • the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing
 
The Processor’s technical and organizational measures may be provided upon request.

XI. Fate of data

At the end of performing the Services, the Processor undertakes to destroy all non-pseudonymized personal data, except for archiving in the public interest, scientific or historical research purposes for statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organizational measures required by GDPR.

XII. The Data Protection Contact

The Processor shall communicate to the Controller the name and contact details of its data protection officer, if it has designated one in accordance with Article 37 of the GDPR.

XIII. Record of categories of processing activities

The Processor states that it maintains a written record of all categories of processing activities carried out on behalf of the Controller, containing:

  • the name and contact details of the Controller on behalf of which the Processor is acting, any other processors and, where applicable, the data protection officer;
  • the categories of processing carried out on behalf of the Controller;
  • where applicable, transfers of personal data to a third country or an international organization, including the identification of that third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
  • where appropriate, a general description of the security measures, as set forth in Section X.

XIV. Documentation

The Processor provides the Controller with the necessary documentation for demonstrating compliance with all of its obligations and for allowing an independent third-party auditor, appointed by the Controller and approved by the Processor, to conduct audits, including inspections, and for contributing to such audits. The Controller shall compensate the Processor for any and all reasonable costs related to audits and inspections.

XV. Controller’s obligations with respect to the Processor

The Controller undertakes to:

  • document, in writing, any instruction bearing on the processing of data by the Processor
  • ensure, before and throughout the processing, compliance with the obligations set out in the General Data Protection Regulation on the Processor’s part

Last Updated: January 23, 2024