This Data Processing Addendum (DPA) amends and supplements the Terms of Service, being an inseparable part of it. This DPA describes the agreement between you and Caphyon with regards to processing Personal Data in the course of accessing or using the Service and/or the Website. Service, Website and other capitalized terms used herein will have the meaning given to them in the Terms of Service or in the applicable Data Protection legislation.
This Customer Data Processing Agreement reflects the requirements of the European Data Protection Regulation ('GDPR') as it comes into effect on May 25, 2018. Caphyon’s products and services offered in the European Union are GDPR ready and this DPA provides you with the necessary documentation of this readiness. If you do not agree with the provisions herein, please do not use the Service or the Website.
This DPA will not replace any other Data Processing Agreement that you and Caphyon may have executed separately.
The Parties herein agree that Personal Data will be treated as confidential, in compliance with the Data Protection legislation in force. When registering for accessing and using the Service, you are generally considered the Controller, whereas Caphyon is generally considered the Processor. Personal Data provided to Caphyon in the course of using the Service remains the property of the Controller and/or the relevant Data Subjects.
Categories of Data Subjects include, without limitation, Controller’s personnel, collaborators, suppliers, customers, prospects and subcontractors, and any individual who transfers Personal Data to the Controller. Caphyon will process the Personal Data only for the technical scope of our business. Types of Personal Data include, without limitation, contact information which is determined by the Controller, Website and Service navigation data, and User Data as defined in the Terms of Service. Personal Data involved in the provision of the Service to the Controller is subject only to Processing activities and duration covered by the Terms of Service and Privacy Policy.
Controller Responsibility. You agree to comply with obligations as a Controller under Data Protection Legislation in force regarding Personal Data that you provide to the Caphyon for Processing.
As the Controller, you understand that Caphyon will not assess the content that you provide as Personal Data or User Data. It is the Controller’s responsibility to verify that it has the necessary rights to provide the Personal Data and/or User Data of the Data Subjects to the Processor, in the course of accessing and/or using the Service.
The Controller is responsible to make sure that it has obtained the required consent from Data Subjects, and that it has provided Data Subjects with the relevant notifications, as required by the Data Protection Legislation.
Processor Responsibility. Caphyon agrees to comply with obligations as a Processor under Data Protection Legislation in force, regarding the Personal Data from the Controller. As the Processor, Caphyon will process Personal Data strictly within the scope of our business, performing our obligations in accordance with the Terms of Service and Privacy Policy.
The Processor is responsible for implementing and maintaining a data security program as described in the Terms of Service, with appropriate technical and organizational measures to protect Private Data against Data Incidents.
The Processor is responsible for storing the Personal Data in accordance with Data Protection Legislation in force. For this purpose, Personal Data subject to this DPA is stored on data centers based in the European Union and EEA, under the EU Data Protection Directive 95/46/EC and General Data Protection Regulation (EU) 2016/679.
To the extent of Processing Personal Data in the course of using the Service, Personal Data may be transferred to authorized US-based sub-processors, who are engaged directly in Processing activities. Under the Data Protection Legislation in force, it is the Processor’s responsibility to ensure that the transfer of Personal Data subject to this DPA to US-based Sub-processors is made under the appropriate level of security, and the US-based Sub-processors have certified compliance with the GDPR and EU / Switzerland Privacy Shield Framework.
The Processor will ensure that the Personal Data subject to this DPA is accessed and handled only by Caphyon authorized employees and/or authorized Sub-processor staff, who are engaged directly in Processing activities and are subject to privacy, security, and confidentiality contractual obligations. For this purpose, the Processor will ensure the appropriate training for the employees engaged in Processing activities.
As the Controller, you understand that Caphyon may engage external suppliers as Sub-processors, for the scope of Processing Personal Data on behalf of the Controller.
Sub-processors currently engaged by Caphyon, without limitation, are listed herein:
Sub-Processor | Scope of Processing Personal Data | Location | Security Certifications |
---|---|---|---|
Google LLC | Analytics and Remarketing | The U.S. | Privacy Policy GDPR Compliance Statement DPA Privacy Shield |
Firebase / Google LLC | Database Storage | The U.S. | Privacy Policy GDPR Compliance Statement DPA Terms of Service |
Sub-processor responsibility. As Sub-processor, an external supplier of Caphyon, engaged in Processing Personal Data under this DPA, performs its obligations in accordance with written agreements on data protection and confidentiality. Caphyon will remain responsible for the acts and omissions of external suppliers, as Sub-processors, to the same extent it would be if performing directly the external services engaged in Processing activities under this DPA, subject to Limitation of Liability.
Caphyon will make reasonable efforts to implement and enhance an appropriate security program as well as organizational measures, ensuring the security and confidentiality of Personal Data subject to this DPA.
As the Processor, should we become aware of a Data Incident with an impact on Personal Data Processing, we will notify the Controller regarding the incident in a timely manner, no later than 72 hours, as required by the Data Protection Legislation in force. As the Controller, it is your responsibility to provide information reasonably sufficient and up to date to allow Caphyon to contact you, such as an email address or telephone number.
Caphyon will make reasonable efforts to assist you to fulfill obligations as Controller in regards to the rights of Data Subjects, in accordance with the Data Protection Legislation in force. For this purpose, we will respond to written requests with any information reasonably necessary to confirm Caphyon’s compliance with Personal Data Processing under this DPA.
The Parties acknowledge and agree that, except for the changes made by the DPA herein, the Terms of Service remains unchanged and in full force and effect. If there are conflicts between the Terms of Service and this DPA, to the extent of that conflict this DPA will prevail.