Last update: 9-11-2020
DATA PROCESSING AGREEMENT
(A) Virbe (as defined below) and the Customer (as defined below) has entered into the Agreement (as defined below) for the provisions of the Services (as defined below) by Virbe to a Customer;
(B) during the provisions of the Services, Virbe will act as a Processor (as defined below) and the Customer will act as a Controller (as defined below) in relation to Personal Data (as defined below);
(C) pursuant to Art. 28 of the GDPR (as defined below), the Parties (as defined below) has undertaken to conclude this data processing agreement ("DPA").
1.1. The capitalized terms used herein shall have the following meaning, unless the context requires otherwise:
● "Agreement" shall have the meaning given in the Terms and Conditions;
● "Company", "We", "Us" or "Virbe" means Virbe sp. z o.o. with its seat in Lublin, address: ul. Tomasza Zana 11A, 20-601 Lublin, entered into the register of business entities of the National Court Register maintained by the District Court for Lublin-Wschód in Lublin with its seat in Świdnik, VI Commercial Department of the National Court Register under the number KRS 0000780459, NIP: 9462687906, REGON: 383015364, share capital: PLN 6,000;
● "Controller" shall have the meaning given in the GDPR, whereas in the DPA the Controller is the Customer;
● "Customer" or "you" shall have the meaning given in the Terms and Conditions;
● "Data Protection Laws" mean the GDPR and any applicable supplementing national data protection laws;
● "Data Subjects" shall have the meaning given in the GDPR and shall mean the persons, whose Personal Data are processed by the Processor under the DPA;
● "DPA" shall have the meaning given in clause 1.1.3;
● "End-User" shall have the meaning given in the Terms and Conditions;
● "GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
● "Law" shall have the meaning given in the Terms and Conditions;
● "Party" or "Parties" means the Company and the Customer, as parties to the Agreement and to the DPA;
● "Personal Data" shall mean the personal data, within the meaning given in the GDPR, processed by the Processor under the DPA;
● "Processor" shall have the meaning given in the GDPR, whereas in the DPA the Processor is Virbe;
● "Services" shall have the meaning given in the Terms and Conditions;
● "Subprocessor" shall have the meaning given in the GDPR;
● "Terms and Conditions" means the part of the Agreement concluded by Virbe and the Customer, available here: https://virbe.ai/terms .
2. SUBJECT MATTER
2.1. This DPA applies to processing of Personal Data in connection with and for the purposes of providing the Services by Virbe to the Customer under the Agreement. An overview of the Personal Data, Data Subjects, the purposes for which Personal Data are being processed and a description of the processing operations are included in the Schedule 1 to the DPA.
2.2. In the course of the performance of the Services, Virbe shall process Personal Data for the Customer. Virbe shall act as the Processor and the Customer shall act as the Controller. The Customer shall be solely and individually responsible and liable for its obligations and responsibilities as the Controller under Data Protection Laws.
3. PROCESOR’S OBLIGATIONS
3.1. Virbe shall process the Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by the Law; in such a case, Virbe shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2. For the avoidance of doubt, the Parties confirm that the Customer’s instructions are contained the DPA and in the Agreement. Any further instructions which go beyond the DPA and the Agreement must relate to the subject matter of the DPA and be issued in written form (including electronic correspondence); the instructions issued in the other forms, for example due to the urgency or other special circumstances, should be documented as soon as possible. If the implementation of such further instructions of the Customer could result Virbe incurring additional costs, Virbe will inform the Customer of such costs before the instruction is executed. Only after the Customer confirms that it will bear the costs of executing the instruction and after the Customer has paid an advance for all such costs, Virbe will be obliged to execute such further instruction, provided that Virbe’s technical and organizational capabilities allow for such an execution.
3.3. Virbe shall inform the Customer if, in Virbe’s opinion, any such instruction infringes the Data Protection Laws or other applicable Law(s). Virbe will then be entitled to suspend the execution of such an instruction until Customer confirms or changes it.
3.4. Virbe shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligations of confidentiality.
3.5. Virbe shall take all measures required pursuant to Article 32 of the GDPR, for example secure connections, SSL protocols, HTTPS, secure key storage, encrypting data;
3.6. Taking into account the nature of the processing, Virbe shall assist the Customer with appropriate technical and organizational measures, to the extent possible, for the purpose of fulfillment of the Customer’s obligation to respond to requests for exercising the Data Subject’s right set out in Chapter III of the GDPR (rights of data subjects) subject to this point 3.6.
If the Data Subject contacts Virbe directly to exercise their rights under the Data Protection Laws, Virbe will forward the Data Subject’s request to the Customer with no undue delay. Virbe shall assist the Customer, at the Customer’s expense, in the fulfillment of the Customer’s obligation to respond to such requests.
3.7. Virbe shall assist the Customer in ensuring the compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to Virbe. Virbe will assist only to the extent the Customer is unable to fulfil its obligations by other means. Virbe shall inform the Customer about the costs of such assistance. Only after the Customer confirms the acceptance of the costs and shall pay to Virbe an advance for such costs, Virbe will provide the necessary assistance.
3.8. Virbe shall inform the Customer about any inspections and controls regarding the Personal Data and any administrative or court decision regarding the Personal Data.
4.1. Virbe may commission subcontractors (Subprocessors) for the processing of the Personal Data. The list of the Subprocessors approved by the Customer consists in Schedule 2 to this DPA. Virbe will inform the Customer of any intended changes concerning the addition or replacement of the Subprocessors at least 14 days before commissioning them and the Customer will have the possibility to object to such changes by an e-mail or a letter within 7 days of obtaining the information from Virbe. Lack of the Customer’s response will be treated as consent to the planned changes. After receiving the objections, Virbe shall have 14 days to determine further proceedings in connection with the Customer’s objection. After the lapse of this period without an effect, each Party will be entitled to terminate the DPA upon 1-month notice. The termination of the DPA may result in the Customer’s inability to use the Services, which the Customer hereby acknowledges. In addition, Virbe represents that the Customer's objection to the selection or change of a Subprocessor may prevent the Customer from using all the Services specified in the Agreement, which the Customer hereby acknowledges.
4.2. Where Virbe engages a Subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in the DPA shall be imposed on that other processor by way of a contract or other legal act under the Law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that Subprocessor fails to fulfil its data protection obligations, Virbe shall remain fully liable to the Customer for the performance of that Subprocessor's obligations.
4.3. If a Subprocessor provides the agreed service outside the EU/EEA, Virbe shall ensure compliance with the GDPR by appropriate measures. If European Commission will not adopt a Processor-to-Subprocessor Standard Contractual Clauses, Virbe shall conclude a data processing agreement pertaining to appropriate safeguards (for instance Standard Contractual Clauses) for and on behalf of the Customer, unless the Client objects to engaging a Subcontractor pursuant to clause 5.1 above.
5. DATA BREACHES
5.1. Virbe shall inform the Customer about any data security breaches (within the meaning given in the GDPR) regarding the Personal Data within 24 hours from discovering the breach, to the extent possible providing the Customer with information listed in Article 33(3) of the GDPR.
5.2. Virbe will cooperate with the Customer, to the reasonable extent, in order to enable the Customer to conduct a thorough investigation regarding the data breach and formulate an adequate response. Virbe shall assist only to the extent the Customer is unable to fulfill its obligations by other means. Virbe shall inform the Customer about the costs of such assistance. Only after the Customer confirms the acceptance of the costs and the Customer pays to Virbe an advance for such costs, Virbe will provide the necessary assistance.
6. AUDIT RIGHTS
6.1. The Customer has the right to carry out inspections (including audits) of processing of the Personal Data or to have them carried out by the designated third parties. Engagement of such a third party will be subject to prior conclusion of a confidentiality agreement between such a party and Virbe.
6.2. Performance of the audit shall be subject to the following conditions:
6.2.1. it shall take place on the date agreed by both Parties and may take place during regular working hours of Virbe, without disrupting Virbe’s business operations and in compliance with security policies of Virbe. The Customer will inform Virbe at least 7 days prior to the proposed date of the audit;
6.2.2. it may only apply to Personal Data entrusted for processing by the Customer to Virbe under this DPA and shall be limited to Virbe’s registered office, devices used to process Personal Data and staff involved in the processing under the DPA;
6.2.3. it shall not take place more than once a year, unless other frequency is obligatory under applicable Law(s) or is mandated by a competent supervisory authority;
6.2.4. it shall last no more than 1 working day;
6.2.5. the Customer shall bear all costs arising from or connected to the audit, except where it reveals a serious breach of Personal Data security rules that directly threat the Personal Data;
6.2.6. it cannot lead to the disclosure of any trade secrets of other undisclosed information pertaining to Virbe.
6.3. The audit will result in an execution of an audit protocol by the Parties. Such a protocol will contain, in particular, the recommendations in connection with the audit and the scope of changes to data processing agreed by the Parties (if applicable).
6.4. Virbe shall make available to the Customer all information necessary to demonstrate the compliance with the obligations laid down in the GDPR, unless such information results from the DPA, Agreement or any other materials and information provided by Virbe to the Customer in the course of performance of the Services. Such information shall not include any internal procedures, policies, analyses and other confidential information of Virbe.
7.1. The remuneration for the processing of the Personal Data is included in the remuneration from the Agreement.
7.2. Virbe may claim remuneration for any services that are not included in the DPA and which are not attributable to failures on the Virbe’s side, including reasonable out of pocket expenses.
8.1. Any liability resulting from or connected to the violations of this DPA or Data Protection Laws shall be governed by the liability provisions set out in the Agreement, unless this DPA provides otherwise.
9. DURATION AND TERMINATION
9.1. This DPA is effective as of the date that it is signed both by Virbe and the Customer. It will continue to bind the parties for as long as the Agreement remains in force.
9.2. After the expiration of the DPA, Virbe - at the choice of the Customer - shall delete or return all the Personal Data to the Customer and delete existing copies, unless the Law requires storage of the Personal Data. The confirmation of the deletion shall be provided upon request. Virbe may retain one copy of the data for the purpose of complying with its internal procedures or in case of a dispute.
10. FINAL PROVISIONS
10.1. Clauses 12 (Notifications) and 14 (Final Provisions) of the Terms and Conditions shall apply accordingly to this DPA.
DETAILS OF THE PROCESSING OF PERSONAL DATA
Data exporter (Cutomer)
The data exporter: the Customer
Data importer (Virbe)
The data importer: Virbe sp. z o.o. with its seat in Lublin, address: ul. Tomasza Zana 11A, 20-601 Lublin, entered into the register of business entities of the National Court Register maintained by the District Court for Lublin-Wschód in Lublin with its seat in Świdnik, VI Commercial Department of the National Court Register under the number KRS 0000780459, NIP: 9462687906, REGON: 383015364, share capital: PLN 6,000
The personal data transferred concern the following categories of data subjects (please specify):
● Customer’s clients who contact the Customer via the Service
Categories of data
The Personal Data transferred concern the following categories of data (please specify):
● first name
● last name
● phone number
Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data (please specify):
Nature and purpose of the processing
The nature and purpose of the processing is as follows:
● Storing Personal Data for the purposes of providing Services.
● Sending communication emails to Customer’s clients on behalf of Customer in case of direct contact via Service
● Displaying Personal Data to the Customer in provided Services.
The list of the Subprocessors approved by the Customer:
Place of data processing
Purpose of use
Amazon Web Services, EMEA SARL
8 Avenue John F. Kennedy, L-1855, Luxembourg
Providing hosting services, data storage
37 Beale Street, Suite 300, San Francisco CA 94105, USA
EU and outside EU/EEA
Sending e-mail to the Customer’s client (if e-mail address provided by the client)
Functional Software, Inc. (Sentry)
132 Hawthorne Street, San Francisco, CA 94107, USA
EU and outside EU/EEA
Crash reporting and data logs
Google Ireland Limited
EU and outside EU/EEA
Using Google Cloud Text-To-Speech to translate spoken word into text
Google Ireland Limited
EU and outside EU/EEA
Using Google Analytics for statistical purposes and to improve the Services