Data Processing Addendum
DPA WILL APPLY ACCORDING TO THE RULES STATED HEREIN AND MAY BEAR SOME CHANGES DEPENDING ON THE SERVICE.
AS SAAS DATA PROCESSING ADDENDUM
Version: 1 March 2023
This Data Processing Addendum (the “Addendum”) forms part of the Artificial Solutions (“AS”) SaaS Agreement (the “Agreement”) by and between Customer and the applicable AS Entity from which Customer is purchasing the AS SaaS. This Addendum will be effective as of the date (“Effective Date”) both Artificial Solutions and the Customer have signed the signature block below.
This Addendum will apply to the scope of Processing of Dialogue Data in AS SaaS that contains End User Personal Data, thus being considered Dialogue Data with Personal Identifiable Information (“DDPII”). The categories of Data Subjects of DDPII shall be defined by the Customer in Annex 1 of this Addendum.
For the avoidance of doubt, for this Addendum, the term Personal Data refers only to DDPII.
I. EFFECTIVENESS
A. Any change to this Addendum should be approved by both parties in writing.
B. This Addendum will terminate automatically upon termination of the Agreement or as earlier terminated pursuant to the terms of this Addendum.
II. DATA PROCESSING TERMS
The parties agree:
1. Definitions
1.1 The terms below shall have the following meanings:
“Artificial Solutions”, “AS”, “we”, “us”, “our” means the applicable AS Entity with whom the Customer has a valid Order Form for AS SaaS.
“AS SaaS” is the Teneo Software as a Service product offered by Artificial Solutions.
“AS Entities”, “AS Entity” means the Entity with whom the Customer has a valid offer and any of the Artificial Solutions entities listed in Annex 3 (as may be updated from time to time).
“Controller” means the entity which determines the purposes and means of the Processing of Dialogue Data with Personal Identifiable Information (DDPII).
“Customer”, “you”, “your” means in the case of an individual accepting this Agreement on behalf of a company or other legal entity, the company or other legal entity for which such individual is accepting the Agreement.
“Dialogue Data” means session logs generated from a published Customer Solution in AS SaaS. Dialogue Data might contain End User Personal Data, thus be considered Dialogue Data with Personal Identifiable Information (DDPII).
“Customer Solution” means instructions, programming code, scripts, flows, integrations, listeners, program or code libraries, decision rules and similar programmatic parts that the Customer executes in some form in the AS SaaS through its development environment, runtime or embedded services. The Customer Solution consists of a) the code, flows and instruction parts of the solution (“Customer Code”) and b) the language rules and training data (“Customer Training Data”).
“Data Subject”, “Personal Data”, “Processing” and “Appropriate Technical and Organizational Measures” as used in this Addendum shall have the meanings given in the GDPR irrespective of whether GDPR applies.
“End Users” means an individual (“the Customer’s customer”) interacting with a published Customer Solution in AS SaaS, for example by chatting or speaking with a bot that the Customer has built, deployed and made available to the End User using AS SaaS.
“Europe” means, for the purposes of this Addendum, the member states of the European Economic Area, Switzerland and the United Kingdom.
“European Data Protection Law” (or “Data Protection Law”) means any data protection and privacy laws of Europe applicable to the Processing of the Dialogue Data in question by AS under this Addendum, including where applicable (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); (ii) Directive 2002/58/EC concerning the Processing of personal data and the protection of privacy in the electronic communications sector; (iii) any applicable national implementations of (i) and/or (ii); and (iv) in respect of the United Kingdom, the Data Protection Act 2018 and any applicable national legislation that replaces or converts into domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; in each case as may be amended, superseded or replaced from time to time.
“Processor” means the entity which processes Dialogue Data with Personal Identifiable Information (DDPII) on behalf of the Controller.
2. Scope of the Data Protection Law
2.1 The parties acknowledge that European Data Protection Law will only apply to Personal Data that is covered by the territorial scope of European Data Protection Law.
3. Processing of Personal Data
3.1 The Customer shall be the Controller and Artificial Solutions shall be the Processor in respect of Personal Data processed by Artificial Solutions on the Customer’s behalf in performing its obligations under this Agreement.
3.2 The Customer shall be solely responsible for determining the purposes (and means) for which and the manner in which Personal Data is, or is to be, processed.
3.3 Where Artificial Solutions processes personal data on behalf of the Customer, Artificial Solutions shall, in respect of such Personal Data:
- 3.3.1 Act only on written instructions and directions from the Customer and shall comply promptly with all such instructions and directions received from the Customer from time to time regarding the Processing of Personal Data. If applicable law requires Artificial Solutions to process the Personal Data for any other purpose, Artificial Solutions will inform the Customer of this requirement first, unless such law(s) prohibit this on important grounds of public interest.
- 3.3.2 Immediately notify the Customer if, in Artificial Solutions’ opinion, any instruction or direction from the Customer infringes Data Protection Law. Artificial Solutions shall not be required to comply with such an instruction or direction in relation to the Processing of Personal Data, except to the extent the Customer withdraws or amends such direction or instruction.
- 3.3.3 Not process Personal Data for any purpose other than for the provision of AS SaaS to the Customer and only to the extent reasonably necessary for the performance of the Agreement, including this Addendum.
- 3.3.4 Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under appropriate statutory obligations of confidentiality.
- 3.3.5 Implement Appropriate Technical and Organisational Measures (i) to protect the security and confidentiality of Personal Data processed by it in providing the Services and (ii) to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure, access, or Processing, in each case as required under Data Protection Laws to ensure a level of security appropriate to the risk. At the same time, Customer acknowledges that they have understood the technical limitations of the services and themselves determined that the procured services are adequate for Processing Personal Data. Customer acknowledges that the security measures set out in Annex 2 of this Addendum are sufficient and appropriate for the protection of the Personal Data.
3.4 Artificial Solutions shall notify the Customer promptly and without undue delay after becoming aware of any accidental, unlawful or unauthorized destruction, loss, alteration, access to, disclosure of or Processing of Personal Data (“Incident”). Such notice shall include reasonable details of the Incident which are known to Artificial Solutions at the time, including without limitation, where possible: (i) a description of the Incident; (ii) likely consequences of the Incident; (iii) the number of data subjects affected, number of records affected and the types of records affected; and (iv) the measures taken or proposed to be taken to address the Incident, including measures to mitigate possible adverse effects of the Incident.
3.5 To the extent required under Data Protection Laws and in relation to Artificial Solutions’ Processing of Personal Data under this Addendum, Artificial Solutions shall provide Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations under Articles 35 and 36 of GDPR in relation to the preparation of data protection impact assessments and consulting with any supervisory authority if such a data protection impact assessment indicates that such Processing would result in high risk in the absence of measures taken by the Customer to mitigate the risk.
3.6 To the extent required under Data Protection Laws and in relation to Artificial Solutions’ Processing of Personal Data under this Addendum, Artificial Solutions shall provide Customer with reasonable assistance to facilitate the Customer’s compliance with the Customer’s obligations to respond to data subject rights requests under Data Protection Laws by providing the Customer documentation, product functionality, or processes to assist the Customer in retrieving, correcting, deleting or restricting Personal Data.
3.7 Artificial Solutions shall, on the condition that the Customer has entered into an appropriate non-disclosure agreement with Artificial Solutions:
- 3.7.1. Allow the Customer and the Customer’s authorized representatives to access and review available up-to-date attestations, certifications, reports or extracts thereof from independent bodies (e.g., external auditors, internal audit, data protection auditors) or other suitable certifications to verify compliance with the terms of this Addendum; or
- 3.7.2. Where required by Data Protection Law, allow the Customer and authorized representatives to conduct audits (including inspections) during the term of the Agreement to verify compliance with the terms of this Addendum. Notwithstanding the foregoing, any audit must be conducted during Artificial Solutions’ regular business hours, with reasonable advance notice to Artificial Solutions and subject to reasonable confidentiality procedures. The scope of any audit shall not require us to disclose to the Customer or Customer’s authorized representatives, or to allow the Customer or the Customer’s authorized representatives to access: (a) any data or information of any other Artificial Solutions customer, (b) any Artificial Solutions internal accounting or financial information, (c) any Artificial Solutions trade secret, (d) any information that, in Artificial Solutions’ reasonable opinion, could: 1) compromise the security of Artificial Solutions systems or premises or 2) cause us to breach Artificial Solutions’ obligations under Data Protection Laws or Artificial Solutions security, confidentiality and / or privacy obligations to any other Artificial Solutions customer or any third party, (e) any information that the Customer or the Customer’s authorized representatives seek to access for any reason other than the good faith verification by the Customer of our compliance with the terms of this Addendum. In addition, any such audits shall be limited to once per year, unless 1) Artificial Solutions have experienced an Incident within the prior twelve (12) months which has impacted the Customer’s Personal Data or 2) an audit reveals a material noncompliance with the obligations set out in this Addendum. If Artificial Solutions decline or are unable to follow the Customer’s instructions regarding audits permitted under this Section 3.7, the Customer is entitled to terminate this Addendum and the Agreement for convenience on written notice.
3.8 Artificial Solutions shall not engage any sub-processor to process any Personal Data under this Addendum without the Customer’s prior written consent. The Customer provides general consent to Artificial Solutions’ appointment of the Artificial Solutions affiliates and applicable third party sub-processors listed under Annex 3. Artificial Solutions may update the list of approved sub-processors, at which point the Customer will have the opportunity to object within forty-five (45) days of any such update to the list of sub-processors by terminating the Agreement for convenience on written notice. When engaging sub-processors in the Processing of Personal Data, Artificial Solutions are responsible for the performance of each sub-processor. Artificial Solutions will include in the agreement with any such third party sub-processor terms for the protection of Personal Data as required by applicable Data Protection Law.
3.9 No Personal Data processed by Artificial Solutions pursuant to this Agreement shall be exported outside the United Kingdom or European Economic Area without the prior explicit instruction from the Customer.
3.10 On termination or expiry of this Agreement, at the Customer’s request, Artificial Solutions shall delete or return to the Customer all Personal Data processed on behalf of the Customer, and Artificial Solutions shall delete existing copies of such Personal Data except where necessary to retain such Personal Data strictly necessary for the purposes of compliance with applicable law.
4. Miscellaneous
4.1 Artificial Solutions shall not retain, use, sell or otherwise disclose Personal Data other than as required by law or as needed to provide and support AS SaaS, as set forth in the Agreement.
4.2 Each party acknowledges that the other party may disclose this Addendum and any relevant privacy provisions in the Agreement to any relevant regulator or judicial body.
5. Conflict
5.1 If there is a conflict between this Addendum and any supplementary terms agreed between the parties, this Addendum will govern.
6. Survival
6.1 This Addendum shall survive the termination or expiry of any supplementary terms to the extent that Artificial Solutions continues to process Personal Data on behalf of the Customer.
7. Notices
7.1 All notices must be in (electronic) writing and addressed to the attention of the other party’s primary contact. Notice will be deemed given upon receipt if verifiable by trusted logs or receipts (electronic or otherwise) to the last provided contact information. Each party is responsible for keeping the other informed of changes to its contact information.
8. Waiver
8.1 Failure to enforce any provision of this Addendum will not constitute a waiver.
9. Severability
9.1 If any provision of this Addendum is found unenforceable, the balance of this Addendum will remain in full force and effect.
10. Entire Agreement
10.1 This Addendum (including any document incorporated herein by reference) is the entire agreement between the parties on the topic of Processing of Personal Data and supersedes all prior agreements between the parties on this subject matter.
11. Governing Law
11.1 The construction, validity and performance of this Agreement and all non-contractual obligations arising from or connected with this Agreement shall be governed by Swedish law and the parties hereby submit irrevocably to the exclusive jurisdiction of the Swedish courts to resolve any dispute between them.
Annex 1 – Data Protection Schedule
Categories of data subjects
The personal data concerns End Users of AS SaaS, in addition to individuals whose Personal Data is supplied by End Users of AS SaaS.
Categories of personal data
The personal data processed may include the following categories of data:
- Direct identifying information (e.g., name, email address, telephone).
- Indirect identifying information (e.g., job title, gender, date of birth).
- Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
- Any personal data supplied by End Users of AS SaaS or supplied by the Customer by implementation and execution of the Customer Solution.
Subject matter, nature and purposes of processing
The Personal Data is processed for the purposes of providing AS SaaS in accordance with the Agreement.
Annex 2 – Security Objectives & Measures for protecting Artificial Solutions’ Information
The defined security objectives for Artificial Solutions are:
Area | Sub-area and Security Objectives |
---|---|
Organization of information security | |
Human resource security | |
Asset management | |
Access control | |
Cryptography | |
Physical and environmental security | |
Operations security | |
Communications security | |
System acquisition, development, and maintenance | |
Supplier relationships | |
Information security incident management | |
Information security aspects of business continuity management | |
Compliance | |
Privacy | |
Security Measures included for AS SaaS
Area | Sub-area and Security Objectives |
---|---|
Physical Access Control | |
System Access Control | |
Data Access Control | |
Transmission Control | |
Process Control | |
Availability Control | |
Security & Vulnerability Controls | |
Audit Logging | |
Annex 3 – Artificial Solutions’ Sub-processors
Artificial Solutions’ Entities
NAME | ACTUAL LOCATION OF THE PROCESSING |
---|---|
Artificial Solutions International AB (HQ) | Sweden |
Artificial Solutions Scandinavia AB | Sweden |
Artificial Solutions Iberia, S. L. | Spain |
Artificial Solutions Germany GmbH | Germany |
Artificial Solutions B.V. | Netherlands |
Sub-Processors
NAME | ACTUAL LOCATION OF THE PROCESSING |
---|---|
Orange Business Services AS (former Basefarm AS) | Norway |
Orange Business Services AB (former Basefarm AB) | Sweden |
Orange Business Services B.V. (Basefarm – Part of Log*In Consultants Nederland B.V) | Netherlands |
Entity name | Country/countries | Purpose of Processing | Comments |
---|---|---|---|
Microsoft Corporation | Europe North | Azure Services Database storage in Azure cloud Kubernetes | Own terms, see Microsoft Online services DPA – see https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA |