ADDENDUM - PROCESSING OF CLIENT DATA AND PERSONAL DATA Last updated: March 22, 2024
1. Additional Definitions. The expressions indicated hereunder shall have the following meaning in this Addendum.Â
“Applicable Data Protection Laws” means all applicable international, federal, national, and state privacy and data protection law(s) applicable to the processor in connection with its processing of personal data as processor to provide the Services to the Client (including GDPR). Notwithstanding the foregoing, “Applicable Data Protection Law” excludes (a) laws requiring the localisation of Client Data and (b) laws specific to Client or Client’s industry that are not generally applicable to the Processor as a Data Processor.
“Client” means the party specified above or who has otherwise accepted these Terms and may also be referred to as “You” or “Your.”Â
“Client Data” means any and all information (including Personal Data) uploaded to the Service from any Non-Company Service or created in the Service or otherwise made available to Company by the Client and its Users regardless of the format of such information.Â
“Personal Data” (for purposes of this Addendum) means any Client Data relating to an identified or identifiable natural person (“data subject”) where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as name, an identification number, location data, an online identifier or to one or more factors specific to their physical, physiological, mental, economic, cultural or social identity of that natural person.
“Personal Data Breach” shall have the same meaning as in and be inclusive of similar concepts under Applicable Data Protection Law.
2. The Client acknowledges and agrees that any and all Client Data (including its lawfulness, quality, accuracy) shall be the sole responsibility of the Client. The Client shall be solely responsible for uploading Client Data via the Site or through the use of the Services.
3. In connection with Client Data, the Client confirms that: (i) it either owns its Client Data or has the necessary rights to use and authorize further use by Company as stipulated by these Terms; (ii) it has the appropriate legal basis for the processing of the Personal Data and for authorizing Company to process the Personal Data in accordance with these Terms and (iii) performance of Parties’ rights and obligations under these Terms does not and will not: (a) infringe, any third-party right, including any copyright, trademark, patent, trade secret, privacy right or any other intellectual property or proprietary right; (b) violate any applicable law or regulation; or (c) require obtaining a license from or paying any fees and/or royalties by Company to any third party for the performance of the Services to the Client or for the exercise of any rights granted in these Terms.
4. The Client also determines the purposes and means of the processing of the Personal Data, therefore the Client is considered the controller in the meaning of GDPR. As Company provides the Services platform/system to the Client for storage, management, analysis and evaluation of its customer support and has no direct relation with the customers of the Client and has no individual interest in the processing of the Personal Data, Company is the processor of the Personal Data in the meaning of GDPR, processing the Personal Data in accordance with the Terms and for the purposes of rendering Services to the Client.
5. The Client hereby instructs Company to use the Client Data in an aggregated or anonymized format for Company’s internal analysis with the aim to improve the quality of and develop the Services by adding functionality, new features, etc.
6. The Client shall at all times ensure that processing of the Client Data by it is lawful and in compliance with applicable legal acts. By uploading Client Data to the Services platform/system, the Client authorizes Company to process the Client Data as stipulated in these Terms.
7. These Terms constitute the data processing contract between the Client as the data controller and Company as the data processor for the purposes of GDPR Article 28 or Applicable Data Protection Laws. The Client hereby instructs the Supplier to process the data as described in these Terms.
8. Upon processing the Personal Data, Company shall:
8.1 process the Personal Data only within the scope required according to the Terms and for provision of the Services or in any other way according to the instructions of the Client or as required by applicable law;
8.2 apply appropriate technical and organizational measures, inter alia those listed in GDPR Article 32(1), if appropriate, in order to protect the Personal Data against unauthorized or unlawful processing and accidental or unlawful loss, destruction, damage, alteration or disclosure; ensure the performance of Data Protection Laws; and ensure the protection of rights of data subjects;
8.3 shall refer all requests or inquiries by data subjects (customers or employees of the Client) to the Client without responding to such requests, except as necessary to identify the requestor;
8.4 guarantee that all employees of Company related to the provision of Services are bound by confidentiality obligation;
8.5 transfer the Personal Data outside EU only in compliance with conditions laid down in GDPR Chapter V;
8.6 make available information reasonably required by the Client to demonstrate the fulfillment of the obligations of the Client as the controller and Company as the processor as necessary under Applicable Data Protection Law;
8.7 enable the Client or the auditor authorized by the Client to perform the Personal Data processing and protection related audits and contribute to their conduct;
8.8 shall inform the Client of any Data Protection Incident without undue delay and take all appropriate measures required to remedy/mitigate the consequences of Data Protection Incident;
8.9 reasonably assist the Client in fulfillment of the obligations stipulated in GDPR Articles 32-36, taking into consideration the method of processing of Personal Data and the information available for Company.
9. By accepting the Terms and this Addendum, the Client gives Company a general authorization (in the meaning of GDPR Article 28(2)) to involve sub-processors in Section 10 of this Addendum for the purposes of providing the Services. Company shall provide at least thirty (30) days’ prior notice to the Client of any intended changes concerning the addition or replacement of other sub-processors. In the event that the Client objects to any proposed changes to the sub-processors on reasonable grounds related to data protection, the Client shall inform Company in writing by emailing
[email protected] within thirty (30) days following such changes. In such an event, the Parties shall negotiate in good faith a solution to the Client’s objection. If the Parties cannot reach resolution within sixty (60) days of Company’s receipt of the Client’s objection, Company will either (a) instruct the sub-processor to not process the Client’s Personal Data or (b) allow the Client to terminate these Terms and any related services agreements with Company immediately and provide the Client with a pro rata reimbursement of any sums paid in advance for Services to be provided, but not yet received by the Client as of the effective date of termination.
10. Â The sub-processors of Client Data engaged by Company to provide the Services:Google Cloud, Microsoft. OpenAI. Deepgram.
11. Company will process Personal Data on behalf of the Client until the termination of the Services as stipulated in the Terms. Upon termination of the Services, Company will delete all content provided by the Client in the course of using the Services (including the Personal Data) unless otherwise required by applicable law, upon written request of the Client (to
[email protected]). If Company has used sub-processors for processing the Personal Data it shall cause them to do the same.
12. Notwithstanding the provisions of this Addendum, Company may disclose Client Data (including Personal Data) to the extent obligated by applicable laws. In such a case, Company will use reasonable efforts to provide the Client with prior notice of such disclosure (to the extent legally permitted). Should the Client desire to contest the disclosure of the Client Data, it shall provide Company reasonable assistance, at the cost of the Client.
13. When acting as the data controller, i.e. when collecting and processing personal data from its own clients (including you) (e.g. the name and e-mail of Client’s representatives for creation of a user account with Company), Company adheres to its Privacy Policy, available at https://www.hioperator.com/privacy-policy.