Data Processing Addendum


DPA WILL APPLY ACCORDING TO THE RULES STATED HEREIN AND MAY BEAR SOME CHANGES DEPENDING ON THE SERVICE.

AS SAAS DATA PROCESSING ADDENDUM

Version: 1 March 2023

This Data Processing Addendum (the “Addendum”) forms part of the Artificial Solutions (“AS”) SaaS Agreement (the “Agreement”) by and between Customer and the applicable AS Entity from which Customer is purchasing the AS SaaS. This Addendum will be effective as of the date (“Effective Date”) on which both Artificial Solutions and the Customer have signed the signature block below.

This Addendum applies to the Processing of Dialogue Data in AS SaaS that contains End User Personal Data and is therefore considered Dialogue Data with Personal Identifiable Information (“DDPII”). The categories of Data Subjects of DDPII shall be defined by the Customer in Annex 1 of this Addendum.

For the avoidance of doubt, in this Addendum the term Personal Data refers only to DDPII.

I. EFFECTIVENESS

A. Any change to this Addendum should be approved by both parties in writing.
B. This Addendum will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this Addendum.

II. DATA PROCESSING TERMS

The parties agree:

1. Definitions

1.1 The terms below shall have the following meanings:

“Artificial Solutions”, “AS”, “we”, “us”, “our” means the applicable AS Entity with whom the Customer has a valid Order Form for AS SaaS.

“AS SaaS” is the Teneo Software as a Service product offered by Artificial Solutions.

“AS Entities”, “AS Entity” means the entity with whom the Customer has a valid offer and any of the Artificial Solutions entities listed in Annex 3 (as may be updated from time to time).

“Controller” means the entity which determines the purposes and means of the Processing of Dialogue Data with Personal Identifiable Information (DDPII).

“Customer”, “you”, “your” means, in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting the Agreement.

“Dialogue Data” means session logs generated from a published Customer Solution in AS SaaS. Dialogue Data might contain End User Personal Data and thus be considered Dialogue Data with Personal Identifiable Information (DDPII).

“Customer Solution” means instructions, programming code, scripts, flows, integrations, listeners, program or code libraries, decision rules and similar programmatic parts that the Customer executes in some form in the AS SaaS through its development environment, runtime or embedded services. The Customer Solution consists of a) the code, flows and instruction parts of the solution (“Customer Code”) and b) the language rules and training data (“Customer Training Data”).

“Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organizational Measures” as used in this Addendum shall have the meanings given in the GDPR, irrespective of whether the GDPR applies.

“End Users” means an individual (the Customer’s customer) interacting with a published Customer Solution in AS SaaS, for example by chatting or speaking with a bot that the Customer has built, deployed and made available to the End User using AS SaaS.

“Europe” means, for the purposes of this Addendum, the member states of the European Economic Area, Switzerland and the United Kingdom.

“European Data Protection Law” (or “Data Protection Law”) means any data protection and privacy laws of Europe applicable to the Processing of the Dialogue Data in question by AS under this Addendum, including where applicable (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementations of (i) and/or (ii); and (iv) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time.

“Processor” means the entity which processes Dialogue Data with Personal Identifiable Information (DDPII) on behalf of the Controller.

2. Scope of the Data Protection Law

2.1 The parties acknowledge that European Data Protection Law will only apply to Personal Data that is covered by the territorial scope of European Data Protection Law.

3. Processing of Personal Data

3.1 The Customer shall be the Controller and Artificial Solutions shall be the Processor in respect of Personal Data processed by Artificial Solutions on the Customer’s behalf in performing its obligations under this Agreement.

3.2 The Customer shall be solely responsible for determining the purposes (and means) for which and the manner in which Personal Data is, or is to be, processed.

3.3 Where Artificial Solutions processes personal data on behalf of the Customer, Artificial Solutions shall, in respect of such Personal Data:

  • 3.3.1 Act only on written instructions and directions from the Customer and shall comply promptly with all such instructions and directions received from the Customer from time to time regarding the Processing of Personal Data. If applicable law requires Artificial Solutions to process the Personal Data for any other purpose, Artificial Solutions will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest.
  • 3.3.2 Immediately notify the Customer if, in Artificial Solutions’ opinion, any instruction or direction from the Customer infringes Data Protection Law. Artificial Solutions shall not be required to comply with such an instruction or direction in relation to the Processing of Personal Data, except to the extent the Customer withdraws or amends such direction or instruction.
  • 3.3.3 Not process Personal Data for any purpose other than for the provision of AS SaaS to the Customer and only to the extent reasonably necessary for the performance of the Agreement, including this Addendum.
  • 3.3.4 Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
  • 3.3.5 Implement Appropriate Technical and Organizational Measures (i) to protect the security and confidentiality of Personal Data processed by it in providing the Services and (ii) to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, access, or Processing, in each case as required under Data Protection Laws to ensure a level of security appropriate to the risk. At the same time, the Customer acknowledges that it has understood the technical limitations of the services and has itself determined that the procured services are adequate for Processing Personal Data. The Customer acknowledges that the security measures set out in Annex 2 of this Addendum are sufficient and appropriate for the protection of the Personal Data.

3.4 Artificial Solutions shall notify the Customer promptly and without undue delay after becoming aware of any accidental, unlawful or unauthorized destruction, loss, alteration, access to, disclosure of or Processing of Personal Data (“Incident“). Such notice shall include reasonable details of the Incident which are known to Artificial Solutions at the time, including without limitation, where possible: (i) a description of the Incident; (ii) likely consequences of the Incident; (iii) the number of data subjects affected, number of records affected and the types of records affected; and (iv) the measures taken or proposed to be taken to address the Incident, including measures to mitigate possible adverse effects of the Incident.

3.5 To the extent required under Data Protection Laws and in relation to Artificial Solutions Processing of Personal Data under this Addendum, Artificial Solutions shall provide Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations under Articles 35 and 36 of GDPR in relation to the preparation of data protection impact assessments and consulting with any supervisory authority if such a data protection impact assessment indicates that such Processing would result in high risk in the absence of measures taken by the Customer to mitigate the risk.

3.6 To the extent required under Data Protection Laws and in relation to Artificial Solutions Processing of Personal Data under this Addendum, Artificial Solutions shall provide Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations to respond to data subject rights requests under Data Protection Laws by providing the Customer documentation, product functionality, or processes to assist the Customer in retrieving, correcting, deleting or restricting Personal Data.

3.7 Artificial Solutions shall, on the condition that the Customer has entered into an appropriate non-disclosure agreement with Artificial Solutions:

  • 3.7.1. Allow the Customer and the Customer’s authorized representatives to access and review available up-to-date attestations, certifications, reports or extracts thereof from independent bodies (e.g., external auditors, internal audit, data protection auditors) or other suitable certifications to verify compliance with the terms of this Addendum; or
  • 3.7.2. Where required by Data Protection Law, allow the Customer and authorized representatives to conduct audits (including inspections) during the term of the Agreement to verify compliance with the terms of this Addendum. Notwithstanding the foregoing, any audit must be conducted during Artificial Solutions’ regular business hours, with reasonable advance notice to Artificial Solutions and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to the Customer or the Customer’s authorized representatives, or to allow the Customer or the Customer’s authorized representatives to access: (a) any data or information of any other Artificial Solutions customer, (b) any Artificial Solutions internal accounting or financial information, (c) any Artificial Solutions trade secret, (d) any information that, in Artificial Solutions’ reasonable opinion, could 1) compromise the security of Artificial Solutions’ systems or premises or 2) cause Artificial Solutions to breach its obligations under Data Protection Laws or its security, confidentiality and/or privacy obligations to any other Artificial Solutions customer or any third party, (e) any information that the Customer or the Customer’s authorized representatives seek to access for any reason other than the good faith verification by the Customer of our compliance with the terms of this Addendum. In addition, any such audits shall be limited to once per year, unless 1) Artificial Solutions has experienced an Incident within the prior twelve (12) months which has impacted the Customer’s Personal Data or 2) an audit reveals a material noncompliance with the obligations set out in this Addendum. If Artificial Solutions declines or is unable to follow the Customer’s instructions regarding audits permitted under this Section 3.7, the Customer is entitled to terminate this Addendum and the Agreement for convenience on written notice.

3.8 Artificial Solutions shall not engage any sub-processor to process any Personal Data under this Addendum without the Customer’s prior written consent. The Customer provides general consent to Artificial Solutions’ appointment of the Artificial Solutions affiliates and applicable third party sub-processors listed under Annex 3. Artificial Solutions may update the list of approved sub-processors, at which point the Customer will have the opportunity to object within forty-five (45) days of any such update to the list of sub-processors by terminating the Agreement for convenience on written notice. When engaging sub-processors in the Processing of Personal Data, Artificial Solutions is responsible for the performance of each sub-processor. Artificial Solutions will include in the agreement with any such third party sub-processor terms for the protection of Personal Data as required by applicable Data Protection Law.

3.9 No Personal Data processed by Artificial Solutions pursuant to this Agreement shall be exported outside the United Kingdom or European Economic Area without the prior explicit instruction from the Customer.

3.10 On termination or expiry of this Agreement, at the Customer’s request, Artificial Solutions shall delete or return to the Customer all Personal Data processed on behalf of the Customer, and Artificial Solutions shall delete existing copies of such Personal Data except where retention of such Personal Data is strictly necessary for compliance with applicable law.

4. Miscellaneous

4.1 Artificial Solutions shall not retain, use, sell or otherwise disclose Personal Data other than as required by law or as needed to provide and support AS SaaS, as set forth in the Agreement.

4.2 Each party acknowledges that the other party may disclose this Addendum and any relevant privacy provisions in the Agreement to any relevant regulator or judicial body.

5. Conflict

5.1 If there is a conflict between this Addendum and any supplementary terms agreed between the parties, this Addendum will govern.

6. Survival

6.1 This Addendum shall survive the termination or expiry of any supplementary terms to the extent that Artificial Solutions continues to process Personal Data on behalf of the Customer.

7. Notices

7.1 All notices must be in (electronic) writing and addressed to the attention of the other party’s primary contact. Notice will be deemed given upon receipt if verifiable by trusted logs or receipts (electronic or otherwise) to the last provided contact information. Each party is responsible for keeping the other informed of changes to its contact information.

8. Waiver

8.1 Failure to enforce any provision of this Addendum will not constitute a waiver.

9. Severability

9.1 If any provision of this Addendum is found unenforceable, the balance of this Addendum will remain in full force and effect.

10. Entire Agreement

10.1 This Addendum (including any document incorporated herein by reference) is the entire agreement between the parties on the topic of Processing of Personal Data and supersedes all prior agreements between the parties on this subject matter.

11. Governing Law

11.1 The construction, validity and performance of this Agreement and all non-contractual obligations arising from or connected with this Agreement shall be governed by Swedish law and the parties hereby submit irrevocably to the exclusive jurisdiction of the Swedish courts to resolve any dispute between them.

Annex 1 – Data Protection Schedule

Categories of data subjects
The personal data concerns End Users of AS SaaS, in addition to individuals whose Personal Data is supplied by End Users of AS SaaS.

Categories of personal data
The personal data processed may include the following categories of data:

  • Direct identifying information (e.g., name, email address, telephone).
  • Indirect identifying information (e.g., job title, gender, date of birth).
  • Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
  • Any personal data supplied by End Users of AS SaaS or supplied by the Customer by implementation and execution of the Customer Solution.

Subject matter, nature and purposes of processing
The Personal Data is processed for the purposes of providing AS SaaS in accordance with the Agreement.

Annex 2 – Security Measures

Area / Sub-area and Security Objectives
Organization of information security
  • Internal organisation. Establish a management framework to initiate and control the implementation and operation of information security within AS.
  • Mobile devices and teleworking. Ensure the security of teleworking and use of mobile devices.
Human resource security
  • Prior to employment. Ensure that employees and contractors understand their responsibilities and are suitable for the roles for which they are considered.
  • During employment. Ensure that employees and contractors are aware of and fulfil their information security responsibilities.
  • Termination and change of employment. Protect AS’ interests as part of the process of changing or terminating employment.
Asset management
  • Responsibility for AS’ assets. Identify organisational assets and define appropriate protection responsibilities.
  • Information classification. Ensure that information receives an appropriate level of protection in accordance with its importance to AS.
  • Media handling. Prevent unauthorized disclosure, modification, removal, or destruction of information stored on media.
Access control
  • Business requirements of access control. Limit access to information and data centres.
  • User access management. Ensure authorized user access and to prevent unauthorized access to systems and services.
  • User responsibilities. Make users accountable for safeguarding their authentication information.
  • System and application access control. Prevent unauthorized access to systems and applications.
Cryptography
  • Cryptographic controls. Ensure proper and effective use of cryptography to protect the confidentiality, authenticity and/or integrity of information.
Physical and environmental security
  • Secure areas. Prevent unauthorized physical access, damage and interference to AS’ information and data centres.
  • Equipment. Prevent loss, damage, theft or compromise of assets and interruption to AS’ operations.
Operations security
  • Operational procedures and responsibilities. Ensure correct and secure operations of data centres.
  • Protection from malware. Ensure that information and data centres are protected against malware.
  • Backup. Protect against loss of data.
  • Logging and monitoring. Record events and generate evidence.
  • Control of operational software. Ensure the integrity of operational systems.
  • Technical vulnerability management. Prevent exploitation of technical vulnerabilities.
  • Information systems audit considerations. Minimise the impact of audit activities on operational systems.
Communications security
  • Network security management. Ensure the protection of information in networks and its supporting data centres.
  • Information transfer. Maintain the security of information transferred within AS and with any external entity.
System acquisition, development, and maintenance
  • Security requirements of information systems. Ensure that information security is an integral part of information systems across the entire lifecycle. This also includes the requirements for information systems which provide services over public networks.
  • Security in development and support processes. Ensure that information security is designed and implemented within the development lifecycle of information systems.
  • Test data. Ensure the protection of data used for testing.
Supplier relationships
  • Information security in supplier relationships. Ensure protection of AS’ assets that are accessible by suppliers.
  • Supplier service delivery management. Maintain an agreed level of information security and service delivery in line with supplier agreements.
Information security incident management
  • Management of information security incidents and improvements. Ensure a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses.
Information security aspects of business continuity management
  • Information security continuity. Information security continuity shall be embedded in AS’ Business Continuity Management systems.
  • Redundancies. Ensure availability of data centres.
Compliance
  • Compliance with legal and contractual requirements. Avoid breaches of legal, statutory, regulatory, or contractual obligations related to information security and of any security requirements.
  • Information security reviews. Ensure that information security is implemented and operated in accordance with AS’ policies and procedures.
Privacy
  • Protect employees’ and customers’ information. Ensure that AS operates in accordance with local legislation.
  • Maintain privacy routines. Ensure that proper procedures, routines, and templates are available for business units.
Area / Sub-area and Security Objectives
Physical Access Control
System Access Control
  • Dedicated Customer Clusters
  • Two-factor for all Operational Access
  • Least Privilege principle to Identity & Policy Control
  • Unique Personal identifiers
  • Secure Passwords
  • Separate user ID for privileged access
  • Automatic Access Lock & Deactivation
  • Network Segmentation
  • Firewalls
  • Secure Management of Certificates & Tokens
  • Security Training for Operational Resources
  • Enhanced Security on devices with access to Operational environments
  • Workplace restrictions for Operational Access
Data Access Control
  • Customer Solution and Dialogue Data only in Dedicated Customer Cluster or Encrypted Backup
  • Operational Resources L1/L2 never access Dialogue Data (organizational measure)
  • Operational Resources L3+ only access Dialogue Data after Client Approval
  • Privileged Rights required for Operational Access
  • Data Residency always Cloud Region EU/EEA
  • Operational Access only from EU/EEA/UK
  • GDPR training for all employees.
  • Customer can apply pseudonymization/sanitization algorithms to Dialogue Data before logging/storing in cloud
  • Data Encryption at rest
  • Data Retention times for Dialogue Data based on Change Request
  • Confidential Compute endpoints for encryption in-use (availability per cloud regions)
Transmission Control
  • Artificial Solutions offers transfer of data via HTTPS endpoints
  • All traffic in transfer between Artificial Solutions endpoints and Customer is encrypted in accordance with Artificial Solutions Cryptography manual
  • Artificial Solutions endpoints require authentication for data access
  • TLS Data Encryption in transit over public/shared networks
  • VPN/Encrypted Bastion host connection for Operational Access
Process Control
  • ISO-based Information Security Management System (ISMS) with three mandatory levels: Policy, Instruction and Guideline
  • Strict Programmatic Procedures for Commission/De-commission of Customer Environments
  • Strict Operating Manuals
  • Strict Runbooks for Operational duties L1/L2
  • Risk Management Process
  • Change Management Process for Customer Environments
  • Separation of Development & Production Tenants
  • Compliance roadmap
  • L1/L2 team in ISO 27001 Certified Organization
  • Task segregation
Availability Control
  • 24/7 Monitoring & Management
  • Daily Backups across two cloud regions, in each of the region’s three availability zones
  • Business Continuity Management Plan
  • Restore Procedures
  • Auto-scaling Prod Endpoints
Security & Vulnerability Controls
  • Binding Guidelines for Secure Software Development
  • Common Vulnerabilities and Exposures (CVE) Process
  • Static Application Security Testing
  • Dynamic Application Security Testing
  • Vulnerability & Malicious Code Scanning
  • Peer Security & Risk Assessment Analysis before release to Production
  • Release Restrictions of only verified Components in Production Environments – “Don’t break the seal” approach
  • Environment Hardening – based on CIS where applicable (Summer 2023)
  • Penetration Testing
  • POD images scanned for vulnerabilities / malicious code
  • SIEM
  • Development Suite Access Logs
  • Environment Access Logs
  • Cloud Component Upgrades & Security Patching according to Vendor Specifications
  • Monthly Operational Reviews
  • Security Incident Management Process
Audit Logging
  • Logged events include but are not limited to:
      • unsuccessful authentication and access attempts against systems, networks and network devices
      • authorized and unauthorized user access to the systems, networks and network devices
      • administration events and use of privileged administration accounts
      • changes in configuration parameters of systems, networks and network devices
      • running errors in systems and networks
      • authorized and unauthorized access to communications networks
      • traffic which has been disallowed or rejected by firewalls and network devices
      • changes in access privileges: user registration, deregistration and modification, changes in roles, etc.
      • changes in security systems, such as activation/deactivation or changes in antimalware scanner configuration
      • access to the source code of the developed systems
      • activation/deactivation or changes in the configuration of the mechanisms generating audit logs
      • modification or deletion of audit log data
  • Access to audit logs and the control mechanisms which generate the logs is only granted to authorized individuals.
  • Audit logs are stored using tamper proof methods in order to guarantee log integrity and prevent unauthorized manipulation or deletion of audit log data.

Annex 3 – Artificial Solutions’ Sub-processors

Artificial Solutions’ Entities (name: actual location of the processing)

  • Artificial Solutions International AB (HQ): Sweden
  • Artificial Solutions Scandinavia AB: Sweden
  • Artificial Solutions Iberia, S. L.: Spain
  • Artificial Solutions Germany GmbH: Germany
  • Artificial Solutions B.V.: Netherlands

Sub-Processors (name: actual location of the processing)

  • Orange Business Services AS (former Basefarm AS): Norway
  • Orange Business Services AB (former Basefarm AB): Sweden
  • Orange Business Services B.V. (Basefarm, part of Log*In Consultants Nederland B.V.): Netherlands

Sub-Processors (entity name; country/countries; purpose of processing; comments)

  • Microsoft Corporation; Europe North; Azure Services; Database storage in Azure cloud Kubernetes