Savio Data Processing Agreement

From the date of subscribing to the Service by the Subscriber (hereafter referred to as the "Agreement")

Concluded between:
Research Services Marketplace Ltd., hereafter referred to as the "Processor", and Savio User, hereafter referred to as the "Controller", hereafter referred to collectively as the "Parties".

Whereas:

(A) This Agreement is supplemental to any other separate agreement entered into between the Parties and introduces further contractual provisions to ensure the protection and security of personal data passed from the Controller to the Processor for processing.

(B) The Controller may be acting as a data processor for another entity. It is only acting as a Controller for the purpose of the transfer of personal data passed from it to the Processor for processing under the terms of this Agreement.

(C) Following the entry into force of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR), the Parties wish to lay down their rights and obligations.

It is agreed as follows:

Definitions

  • (i) "Agreement" - this Data Processing Agreement;

  • (ii) "personal data" - any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

  • (iii) "processing" - any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

  • (iv) "Controller" - the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;

  • (v) "Processor" - a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

  • (vi) "Sub-processor" - any data processor engaged by the Processor;

  • (vii) "confidential Information" – all information disclosed by a Party to the other Party pursuant to this Agreement, including (but not limited to):

    • any trade secret, know-how, invention, concept, software program, source code, object code, application, documentation, schematic, procedure, contract, information, knowledge, data, database, process, technique, design, drawing, program, formula or test data, work in progress, engineering, manufacturing, marketing, financial, sales, supplier, technical, scientific, customer, employee, investor, or business information, whether in oral, written, graphic, or electronic form;

    • any non-public business information, including personnel data, correspondence with any Governmental Authority, historical customer information and data, historical cost information such as budgets, operating expenses, and capital costs, and projected capital additions, operating cost information, and other business, and financial reports and forecasts;

    • any document, diagram, photograph, drawing, computer program, or other communication that is either conspicuously marked "confidential", or is known or reasonably should have been known by the receiving Party to be confidential;

  • (viii) "Service" – the provision of maintenance and support services, consultancy or professional services and the provision of software as a service or any other services provided under the Agreement where the Processor processes personal data of the Controller. The Service is described in more detail in the Savio Privacy Policy.

  • (ix) "Standard Contractual Clauses" means the agreement executed by and between Controller and Processor and attached as Annex 1 pursuant to the European Commission's decision of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

1. Object of this Agreement

1.1 In the course of providing the Services to the Controller pursuant to this Agreement, the Processor may process personal data on behalf of the Controller. The Processor agrees to comply with the following provisions with respect to any personal data processed for the Controller in connection with the provision of the Services.

1.2 The Processor shall process personal data it receives from the Controller solely for purposes stemming from usage of Service and for no other purpose except with the express written consent of the Controller.

1.3 The Processor shall process categories of data subjects which are provided to the Service by the Controller. Processor is not entitled to process any category of data without prior demand or consent of the Controller.

1.4 Types of personal data. Contact information, the extent of which is determined and controlled by the Controller in its sole discretion, and other personal data such as navigational data (including website usage information), email data, system usage data, application integration data, internet protocol (IP) and other electronic data submitted, stored, sent, or received by end users via the Service.

1.5 Subject-Matter and nature of the processing. The subject-matter of processing of personal data by the Processor is the provision of the Service to the Controller that involves the processing of personal data. Personal data will be subject to those processing activities as may be specified in the Savio Privacy Policy.

2. Data protection

2.1 As the performance of this Agreement implies the processing of personal data, both Parties shall comply with the applicable data protection legislation and regulations including GDPR.

2.2 The Controller will ensure that its instructions for the processing shall comply with applicable data protection legislation and regulations including GDPR. Controller shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which Controller acquired personal data.

2.3 The Controller agrees that with regard to the processing the Processor may engage Sub-processors, a list of which is available, compliant with data protection legislation and regulations including GDPR and provisions set out in Standard Contractual Clauses. Where the Processor engages another Sub-processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this Agreement shall be imposed on that Sub-processor by way of a contract or other legal act under applicable data protection legislation and regulations including GDPR.

2.4 The Processor shall ensure that any personal data that it processes are kept confidential. All persons authorized by the Processor to process the personal data are under an appropriate obligation of confidentiality and shall not disclose the personal data to any person other than to its personnel.

2.5 The Processor shall ensure that it implements appropriate technical and organisational measures in such a manner that processing will meet the requirements of applicable data protection legislation and regulations including the protection of the rights of the data subject.

2.6 The Processor shall promptly notify the Controller of its inability to comply with data protection agreement and Standard Contractual Clauses and in which case, with a right reserved by the Controller stemming from clause 5 a) of SCCs, the Processor is entitled to terminate the agreement or suspend the transfer.

2.7 The above section shall apply in particular in case a request of public authorities may infringe the agreement and GDPR.

2.8 In accordance with the GDPR, in the performance of this Agreement the Processor shall in particular:

  • create and maintain a record of its processing activities in relation to this Agreement; the Processor shall make the record available to the Controller, any auditor appointed by it and/or the supervisory authority on first request;

  • assist the Controller in ensuring compliance with the monitoring of the personal data breach obligations resulting from applicable data protection legislation and regulations including GDPR, taking into account the nature of processing and the information available to the Processor;

  • promptly notify, with reference to point 2.6., the Controller about (i) any legally binding request for disclosure of the personal data by a data subject, a judicial or regulatory authority unless otherwise prohibited, such as the obligation under criminal law to preserve the confidentiality of a judicial enquiry, and to assist the Controller therewith (ii) any accidental or unauthorised access, and more in general, any unlawful processing and to assist the Controller therewith;

  • at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of Service relating to processing, and delete existing copies unless applicable data protection legislation and regulations require storage of the personal data;

  • make available to the Controller all information necessary to demonstrate compliance with the obligations resulting from this Agreement;

  • assist the Controller with impact assessments regarding cross border transfer;

  • inform the Controller immediately if it believes that any instruction from the Controller infringes applicable data protection legislation and regulations;

  • at the request and costs of the Controller, submit its data processing facilities for audits or control of the processing activities including inspections, conducted by the Controller or another auditor mandated by the Controller.

2.9 The Controller shall agree to transfer personal data to the U.K. by the Processor without further written consent.

3. Confidentiality

3.1 Both Parties acknowledge that during this Agreement, a Party may become privy to Confidential information which is disclosed by the other Party.

3.2 The receiving Party shall keep all confidential information confidential; in particular, the receiving Party shall not disclose any confidential information to any third party and shall not use this information for purposes not resulting from this Agreement.

3.3 Any violation of this section by either of the Parties shall be deemed a material breach of this Agreement.

4. Liability

4.1 The Parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Section 2 by any Party or Sub-processor is entitled to receive compensation from the Controller for the damage suffered.

4.2 The above statement does not preclude data subject rights stemming from third-party beneficiary clauses.

5. Standard Contractual Clauses

5.1 The Standard Contractual Clauses in Annex 1 will apply to the processing of personal data by Processor in the course of providing the Services.

5.2 The Standard Contractual Clauses apply only to personal data that is transferred from the European Economic Area (EEA) or Switzerland to outside the EEA or Switzerland, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the EU Data Protection Directive or Swiss Federal Data Protection Act, as applicable), and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data, including but not limited to Binding Corporate Rules for Processors.

5.3 In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses in Attachment 1, the Standard Contractual Clauses shall prevail, unless superseded by applicable Data Protection Laws.

6. General provisions

6.1 This Agreement shall apply to all personal data disclosed to the Processor or otherwise obtained from the Controller from the date of this Agreement until the expiry of the subscription, passive or active usage of the Service (Savio).

6.2 Where individual provisions of this Agreement are invalid or unenforceable, the validity and enforceability of the other provisions of this Agreement shall not be affected.

6.3 In the event of any dispute arising between the Parties in connection with this Data Processing Agreement, the Parties shall negotiate in good faith to resolve their dispute. If the dispute cannot be resolved in good faith, the Parties agree to endeavor to settle the dispute in an amicable manner by mediation.