DATA PROCESSING ADDENDUM
This Data Processing Addendum (“DPA”) forms part of the Main Services Agreement or other written or electronic agreement between GewoonAI and Customer for the purchase of online services (including associated GewoonAI offline or mobile components) from GewoonAI (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.
In the course of providing the Services to Customer pursuant to the Agreement, GewoonAI may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
HOW TO EXECUTE THIS DPA
To complete this DPA, Customer must request a pre-signed DPA from GewoonAI by emailing info@gewoonai.nl, indicating, if applicable, the Customer’s Account Number (as set out on the applicable GewoonAI Order Form or invoice).
Except as otherwise expressly provided in the Agreement, this DPA will become legally binding upon receipt by GewoonAI of the validly completed DPA at this email address.
HOW THIS DPA APPLIES
- If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the GewoonAI entity that is party to the Agreement is party to this DPA.
- If the Customer entity signing this DPA has executed an Order Form with GewoonAI or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Form(s), and the GewoonAI entity that is party to such Order Form is party to this DPA.
- If the Customer entity signing this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity that is a party to the Agreement executes this DPA.
- If the Customer entity signing the DPA is not a party to an Order Form or an Agreement directly with GewoonAI, but is instead a customer indirectly via an authorized reseller of GewoonAI services, this DPA is not valid and is not legally binding. Such entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.
DATA PROCESSING TERMS
1. DEFINITIONS
- Affiliate: Any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- Authorized Affiliate: Any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the EU, EEA, Switzerland and/or the UK, and (b) is permitted to use the Services pursuant to the Agreement between Customer and GewoonAI, but has not signed its own Order Form with GewoonAI.
- CCPA: California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act.
- Controller: The entity which determines the purposes and means of the Processing of Personal Data.
- Customer: The entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms. For this DPA, “Customer” includes Customer and its Authorized Affiliates.
- Customer Data: As defined in the Agreement (“Customer Data” or “Your Data”), provided that such data is electronic data and information submitted by or for Customer to the Services. This DPA does not apply to Content or Non-GewoonAI Applications.
- Data Protection Laws and Regulations: All laws and regulations applicable to the Processing of Personal Data under the Agreement, including those of the EU, EEA, Switzerland, UK, and the US.
- Data Subject: The identified or identifiable person to whom Personal Data relates.
- Europe: The EU, EEA, Switzerland and the UK.
- GewoonAI: GewoonAI B.V., a company incorporated in Utrecht, the Netherlands.
- GewoonAI Group: GewoonAI and its Affiliates engaged in the Processing of Personal Data.
- GewoonAI Processor BCR: GewoonAI’s processor binding corporate rules.
- GDPR: Regulation (EU) 2016/679 (General Data Protection Regulation), including UK implementation.
- Personal Data: Any information relating to an identified or identifiable natural or legal person, where such information is Customer Data.
- Processing: Any operation performed upon Personal Data, such as collection, recording, storage, alteration, retrieval, use, disclosure, restriction, erasure or destruction.
- Processor: The entity which Processes Personal Data on behalf of the Controller, including any CCPA “service provider”.
- Public Authority: A government agency or law enforcement authority, including judicial authorities.
- Security, Privacy and Architecture Documentation: Documentation applicable to the Services purchased by Customer, as updated from time to time, and accessible via GewoonAI’s Trust and Compliance site.
- Standard Contractual Clauses (SCCs): As set out in Commission Implementing Decision (EU) 2021/914.
- Sub-processor: Any Processor engaged by GewoonAI or a member of the GewoonAI Group.
2. PROCESSING OF PERSONAL DATA
2.1 Customer’s Processing of Personal Data
- Customer shall Process Personal Data in accordance with applicable laws.
- Customer is responsible for the accuracy, quality, legality and lawful acquisition of Personal Data.
- Customer acknowledges that its use of Services will not violate Data Subject rights.
2.2 GewoonAI’s Processing of Personal Data
- GewoonAI shall treat Personal Data as Confidential Information.
- GewoonAI will only Process Personal Data per Customer’s documented instructions:
  - In accordance with the Agreement and Order Forms,
  - Initiated by Users in their use of Services,
  - Or otherwise documented and lawful instructions by Customer.
2.3 Details of the Processing
The subject matter of Processing is the performance of the Services under the Agreement.
2.4 Customer Instructions
GewoonAI shall inform Customer if instructions:
- Breach the GDPR, or
- Cannot be followed.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request
- GewoonAI will notify Customer of any Data Subject Request.
- GewoonAI will not respond directly (except to redirect requests to Customer).
3.2 Required Assistance
GewoonAI shall assist Customer, where possible, to fulfill obligations regarding Data Subject Requests.
3.3 Additional Assistance
- If Customer cannot address a Data Subject Request, GewoonAI will provide commercially reasonable assistance.
- Customer bears costs for such assistance where legally permitted.
4. GEWOONAI PERSONNEL AND DATA PROTECTION OFFICER
4.1 Confidentiality, Reliability and Limitation of Access
- Personnel must be trained, bound by confidentiality, and reliable.
- Access to Personal Data is restricted to personnel necessary to perform Services.
4.2 Data Protection Officer
- GewoonAI has appointed a Data Protection Officer, reachable at info@gewoonai.nl.
5. SECURITY AND AUDIT
5.1 Controls
GewoonAI maintains technical and organizational measures to protect Customer Data.
5.2 Audit Program
GewoonAI shall maintain an audit program and make compliance information available to Customer.
5.3 Data Protection Impact Assessment
GewoonAI shall provide reasonable cooperation to assist Customer in carrying out DPIAs.
6. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
- GewoonAI shall notify Customer without undue delay of any Customer Data Incident.
- GewoonAI will investigate, remediate, and mitigate such incidents within reasonable control.
- Obligations do not apply to incidents caused by Customer or its Users.
7. GOVERNMENT ACCESS REQUESTS
7.1 GewoonAI Requirements
- GewoonAI shall notify Customer of binding government requests unless prohibited by law.
- GewoonAI shall challenge unlawful requests and limit disclosure to the minimum required.
- GewoonAI certifies that it has not created backdoors or processes for unauthorized government access.
7.2 Sub-processor Requirements
Sub-processors must comply with SCCs and GewoonAI Processor BCR commitments.
8. RETURN AND DELETION OF CUSTOMER DATA
- Upon termination, GewoonAI shall return or delete Customer Data in accordance with its Security Documentation.
9. AUTHORIZED AFFILIATES
9.1 Contractual Relationship
- Customer enters into this DPA for itself and Authorized Affiliates.
- Each Authorized Affiliate is bound by this DPA but not the Agreement.
9.2 Communication
- Customer (the contracting party) coordinates all communication with GewoonAI.
9.3 Rights of Authorized Affiliates
- Authorized Affiliates may exercise rights only via Customer, except where laws require direct action.
10. LIMITATION OF LIABILITY
- Liability is subject to the Agreement’s “Limitation of Liability” clause.
- Liability applies in the aggregate across all DPAs and Affiliates.
11. EUROPE SPECIFIC PROVISIONS
11.1 Definitions
- European Personal Data: Personal Data subject to European laws.
- European Data Protection Laws and Regulations: Data protection laws applying in Europe.
- SCC Module 2: Controller-to-Processor.
- SCC Module 3: Processor-to-Processor.
- Third-Country Transfer: Transfer not subject to EU adequacy decision (except transfers under the EU-US Data Privacy Framework).
11.2 GDPR
GewoonAI will Process Personal Data in accordance with GDPR.
11.3 Impact of Local Laws
- GewoonAI will notify Customer if local laws prevent compliance.
- Customer may terminate affected Services if no reasonable solution is found.
12. LEGAL EFFECT
This DPA becomes legally binding only once the steps in HOW TO EXECUTE THIS DPA have been fully completed.