Data Processing Addendum (DPA)
Last Updated On: July 3rd, 2023
This DPA reflects the parties’ agreement with regard to the Processing of Personal Data by Falkor solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
By using the Falkor Solution (including, for the avoidance of doubt, our website), Customer accepts this DPA and (if applicable) the Standard Contractual Clauses, and you represent and warrant that you have full authority to bind the Customer to this DPA. Please be advised that this DPA will become legally binding upon your use of any Falkor Solution. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
- Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- Controller means the entity which determines the purposes and means of the Processing of Personal Data.
- Customer Data means information, data, and other content concerning the activities of an end-user in one of Your platforms and is captured in connection with or as part of the Falkor Solution.
- Data Subject means the identified or identifiable person to whom Personal Data relates.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, including as implemented or adopted under the laws of the United Kingdom.
- CCPA means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
- Personal Data means any information which is Customer Data and relates to an identified or identifiable natural person or legal entity, that is protected under applicable Data Protection Laws and Regulations.
- Processing or Process means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Processor means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
- Public Authority means a government agency or law enforcement authority, including judicial authorities.
- Sensitive Data means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.
- Sub-processor means any third party that Processes Personal Data under the instruction or supervision of Falkor.
- UK GDPR means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
- Standard Contractual Clauses means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj.
For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of service provider.
Processing of Personal Data
Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data solely on behalf of Customer, (i) Customer is the Controller of Personal Data, (ii) Falkor is the Processor of such Personal Data. The terms “Controller” and “Processor” below hereby signify Customer and Falkor, respectively.
Customer’s Processing of Personal Data. Customer shall, in its use of the Falkor Solution, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations, including any applicable requirement to provide notice to Data Subjects of the use of Falkor as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Falkor Solution will not violate the rights of any Data Subject under all applicable Data Protection Laws and Regulations.
Data subjects’ rights
Falkor shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability or object to the Processing, each such request being a “Data Subject Request”. Falkor shall not respond to a Data Subject Request itself, except that Customer authorizes Falkor to redirect the Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, Falkor shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
Appointment of Sub-Processors.
Customer acknowledges and agrees that (a) Processor’s Affiliates may be engaged as Sub-Processors; and (b) Processor and Processor’s Affiliates on behalf of Processor may each engage third-party Sub-Processors in connection with the provision of the Falkor Solution.
List of Current Sub-Processors and Notification of New Sub-Processors.
Customer hereby consents to the engagement of the Processor with Sub-Processors for the provision of certain services, such as cloud computing services, customer support, database platforms, CRM services, and data sources. Processor shall make available to Customer the current list of its Sub-Processors upon written request sent to: DPO@falkor.ai. Such a list shall include the name of the Sub-Processors, their locations, and their processing activities in connection with the provision of the Falkor Solution. Processor shall notify the Customer if it intends to update the list of Sub-processor(s) and provide the details of such new Sub-Processor upon written request sent to: DPO@falkor.ai.
Objection to New Sub-Processors.
Customer may reasonably object to Processor’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Processor promptly in writing within seven (7) days after receipt of a Processor notification. Such written objection shall include the reasons for objecting to the Processor’s use of the new Sub-processor. Failure to object to such new Sub-processor in writing within seven (7) days following Processor’s notice shall be deemed as acceptance of the new Sub-Processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Processor will use reasonable efforts to make available to Customer a change in the Falkor Solution or recommend a commercially reasonable change to Customer’s configuration or use of the Falkor Solution to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Processor is unable to make available such change within thirty (30) days, Customer may, as a sole remedy, terminate its engagement with Falkor with respect only to those elements of the Falkor Solution which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor. All amounts outstanding before the termination date with respect to the Processing at issue shall be duly paid to Processor. Until a decision is made regarding the new Sub-processor, Processor may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Falkor Solution. The Customer will have no further claims against the Processor due to the termination of its engagement with Falkor (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
Agreements with Sub-Processors.
Processor or a Processor’s Affiliate on behalf of Processor has entered into a written agreement with each Sub-processor containing appropriate safeguards for the protection of Personal Data. Where Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this DPA shall be imposed on such new Sub-processor by way of a contract, in particular, obligations to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of the GDPR. Where a Sub-processor fails to fulfill its data protection obligations concerning its Processing of Personal Data, Processor shall remain responsible for the performance of the Sub-processor’s obligations.
Processor shall ensure that its personnel and advisors engaged in the Processing of Personal Data have committed themselves to confidentiality.
Security & Audits
Controls for the Protection of Personal Data.
Processor shall maintain industry-standard technical and organizational measures for the protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data), as may be amended from time to time. Upon the Customer’s reasonable request, Processor will reasonably assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and the information available to Processor.
Falkor shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA.
Data breach notification
Processor maintains security incident management policies and procedures and, to the extent required under applicable Data Protection Laws, shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data Processed by Processor on behalf of the Customer (a “Data Incident”).
Processor shall make reasonable efforts to identify and take those steps as Processor deems necessary and reasonable in order to remediate and/or mitigate the cause of such Data Incident to the extent the remediation and/or mitigation is within Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer, its Users, or anyone who uses the Falkor Solution on Customer’s behalf. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident which directly or indirectly identifies Processor (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Processor’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Customer shall provide Processor with reasonable prior written notice to provide Processor with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required.
Return and deletion of Personal Data
Following termination of the Customer’s engagement with Falkor and cessation of its use in the Falkor Solution, at the choice of Customer (indicated in written notification to Processor), Processor shall delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described hereunder, and Processor shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Processor may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise, or defense of legal claims and/or for compliance with legal obligations.
Cross-border Data transfers
Transfers from the EEA, Switzerland and the United Kingdom to countries that offer adequate levels of data protection.
Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein, and Iceland) (collectively, “EEA”), Switzerland, and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
Transfers from the EEA, Switzerland and the United Kingdom to other countries.
If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):
- from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer”), the terms set forth in the Standard Contractual Clauses shall apply;
- from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK (“UK Transfer”), the terms set forth in the Standard Contractual Clauses, in accordance with Annex III thereto (UK Cross Border Transfers) shall apply;
- the terms set forth in Annex IV to the Standard Contractual Clauses (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
Data Protection Impact Assessment and Prior Consultation.
Upon Customer’s reasonable request, Processor shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Customer’s use of the Falkor Solution, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Processor. Processor shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the supervisory authority in the performance of its tasks relating to this Section, to the extent required under the GDPR or the UK GDPR, as applicable.
Each Party may by at least forty-five (45) calendar days’ prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in any Data Protection Laws to allow Processing of Customer Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. Pursuant to such notice: (a) the Parties shall use commercially reasonable efforts to accommodate such required modification; and (b) Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein at Customer’s request. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Customer’s or Processor’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then Customer or Processor may, by written notice to the other Party, with immediate effect, terminate the engagement or DPA to the extent that it relates to the elements of the Falkor Solution which are affected by the proposed variations (or lack thereof). Customer will have no further claims against Processor (including, without limitation, requesting refunds for the Services) pursuant to the termination of the engagement and the DPA as described in this Section.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing
- Providing the Falkor Solution to Customer;
- Performing the agreement between the parties, this DPA and/or other contracts executed by the Parties;
- Acting upon Customer’s instructions, where such instructions are consistent with the terms of the engagement between the parties;
- Sharing Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Falkor Solution (e.g., integrations between the Falkor Solution and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Falkor Solution and such third party services);
- Complying with applicable laws and regulations;
- All tasks related to any of the above.
Duration of Processing
Type of Personal Data
Customer may submit Personal Data to the Falkor Solution, the extent of which is determined and controlled by Customer in its sole discretion. Personal Data may include data that is publicly available on the internet, including social networks, such as name, email, age, hobbies, photos, posts, and participation in groups.
Categories of Data Subjects
Customer may submit Personal Data to the Falkor Solution which may include but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Employees, agents, advisors, and freelancers of Customer (who are natural persons);
- Prospects, customers, business partners, and vendors of Customer (who are natural persons);
- Employees or contact persons of Customer’s prospects, customers, business partners, and vendors; and
- Any other third-party individual in connection with whom Customer decides to use the Falkor Solution.
SCHEDULE 2 - SUB-PROCESSORS
The current list of Sub-Processors will be made available to Customer upon written request sent to: DPO@falkor.ai.