SignKontrol Data Processing Agreement
Introduction
This Data Processing Agreement ("DPA") supplements the terms of service agreement entered into between SignKontrol ("Processor") and Customer ("Controller") (together, the "Parties").
1. Definitions
1.1. "You" or "customer" refers to the company or organization that signs up to use SignKontrol services.
1.2. "Personal Data" means any information relating to an identified or identifiable natural person.
1.3. "Data Protection Laws" means all applicable data protection and privacy laws and regulations, including but not limited to the European Union General Data Protection Regulation (EU GDPR) and the California Consumer Privacy Act (CCPA).
1.4. "Services" means the SaaS digital signage software provided by Processor to Controller.
2. Roles and Responsibilities
2.1. The Parties acknowledge that in providing the Services, Processor may process Personal Data on behalf of Controller, and Processor shall act as a data processor and Controller shall act as a data controller.
2.2. Controller shall be solely responsible for determining the purposes and means of processing Personal Data and for complying with all Data Protection Laws. Controller shall provide clear and comprehensive instructions to Processor regarding the processing of Personal Data.
2.3. Processor shall process Personal Data only as instructed by Controller and in compliance with all applicable Data Protection Laws.
3. Processing of Personal Data
3.1. Processor shall process Personal Data only to the extent necessary to provide the Services and in accordance with Controller's instructions.
3.2. Processor shall implement appropriate technical and organizational measures to ensure the security and confidentiality of Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing.
3.3. Processor shall ensure that its personnel who access Personal Data are subject to appropriate confidentiality obligations.
3.4. Processor shall assist Controller in responding to requests from data subjects to exercise their rights under Data Protection Laws, to the extent legally permitted and reasonable.
3.5. Processor shall notify Controller without undue delay if it becomes aware of any Personal Data breach.
4. Subprocessors
4.1. Controller authorizes Processor to engage third-party subprocessors to assist in providing the Services, provided that Processor shall ensure that any such subprocessor is subject to appropriate data protection and confidentiality obligations that are at least as protective as those set out in this DPA.
4.2. Processor shall remain fully liable to Controller for the acts and omissions of any subprocessor engaged by Processor.
5. Data Transfers
5.1. Where Personal Data is transferred from the European Economic Area (EEA) to a country outside the EEA that does not provide an adequate level of data protection as determined by the European Commission, Processor shall ensure that appropriate safeguards are in place, such as standard contractual clauses approved by the European Commission.
5.2. Processor shall ensure that any transfer of Personal Data to a subprocessor located outside the EEA is subject to appropriate safeguards.
6. Term and Termination
6.1. This DPA shall come into effect on the date it is executed by both Parties and shall continue until the termination of the Services agreement between the Parties.
6.2. Upon termination of the Services agreement, Processor shall, at Controller's option, return or delete all Personal Data processed on behalf of Controller, unless retention is required by law.
7. Miscellaneous
7.1. This DPA constitutes the entire agreement between the Parties with respect to the processing of Personal Data and supersedes all prior agreements and understandings, whether written or oral.
7.2. Any amendment to this DPA must be in writing and signed by both Parties.
7.3. This DPA shall be governed by and construed in accordance with the laws of the jurisdiction in which Processor is located.