Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms part of the Terms under which HyperSense AI makes available the Services to You (the “Controller”).
1.1 This DPA shall only apply if and to the extent Content uploaded to the Services contains any personal data within the meaning of Applicable Legislation. The Controller is aware that the Services are cloud based. Hence, personal data is only stored and processed by HyperSense AI if and to the extent the Controller, submits personal data to the Services.
1.2 The Controller acknowledge that HyperSense AI will not be able to control what Content the Controller uploads to the Services. The Controller is responsible for any Personally Identifiable Information (PII) in the Content and compliance with Applicable Laws. The Controller is also required to inform HyperSense AI of the existence of personal data (including any special categories of personal data) within Content, in the Subscription Form or by notice to HyperSense AI.
1.3 The Controller is the data controller in relation to the processing of the personal data. HyperSense AI is a data processor, processing the personal data on behalf of the Controller.
2.1 “Applicable Legislation” means (i) the General Data Protection Regulation, (EU) 2016/679, as amended or supplemented from time to time (the “GDPR”); and (ii) any applicable supplementary legislation to the GDPR.
2.2 “Data” means any personal data (as defined in Applicable Legislation) contained in Content uploaded by the Controller, or any user under a Project, to the Services.
2.3 “Personally Identifiable Information” or “PII” means information in any format about an identifiable individual, including, name, address, phone number, e-mail address, account number(s), identification number(s), any other actual or assigned attribute associated with or identifiable to an individual and any information that when used separately or in combination with other information could identify an individual.
3. INSTRUCTIONS AND DETAILS OF THE PROCESSING
3.1 Parties agree that this DPA is the Controller’s complete and final instructions to HyperSense AI in relation to processing of Data.
3.2 HyperSense AI disclaims all liability for any PII that is uploaded into the Content without the compliance of Applicable laws.
3.3 Any additional instructions by the Controller must be in writing and may be subject to additional fees payable by the Controller to HyperSense AI for carrying out such instructions. The Controller is entitled to terminate the Terms in accordance with of the Terms if HyperSense AI declines to follow instructions requested by the Controller.
3.4 In the event that HyperSense AI considers that any additional instruction violates Applicable Legislation, HyperSense AI shall refrain from acting on such instructions and shall promptly notify the Controller thereof and await amended instructions.
4. DETAILS OF THE PROCESSING OF DATA
4.1 Purpose of the processing. The purpose of the processing is to provide the Services in accordance with the Terms.
4.2 Nature of the processing. Hosting, storage and provision of the Services and technical support.
4.3 Duration of the processing. During the term set out in the Subscription Form, unless otherwise instructed by the Controller.
4.4 Type of personal data. Any Data that the Controller includes in Content (i.e. in the form of data sets).
4.5 Categories of data subjects. Any categories of data subjects that the Controller includes in Content.
4.6 HyperSense AI shall not process the Data for any other purposes or in any other way than as instructed by the Controller in writing.
5. THE CONTROLLER’S OBLIGATION TO PROCESS DATA LAWFULLY
5.1 The Controller shall obtain explicit and legally valid consents from each data subject for the processing of the Data or ensure that another legal ground recognized under Applicable Legislation applies for processing of the Data. The Controller shall further meet all other obligations of a controller under Applicable Legislation (including requirements to properly inform the data subjects of the processing of the Data).
6. SECURITY MEASURES
6.1 The Services are subject to security measures in line with industry practice and HyperSense AI will take reasonable steps and precautions against security breaches.
6.2 HyperSense AI has implemented and will maintain appropriate technical and organizational measures to protect the Data. The security measures shall ensure that the Data is protected against destruction, modification and proliferation. HyperSense AI shall further ensure that each system, in which Data is processed, is protected against unauthorized access and that access events are logged and traceable.
6.3 HyperSense AI shall ensure (a) that only authorized employees who need access to the Data in order for HyperSense AI to provide the processing services under this DPA have access to the Data, (b) that the authorized employees process the Data only in accordance with this DPA and the Controller’s instructions and (c) that each authorized employee is bound by a confidentiality undertaking towards HyperSense AI in relation to the Data.
6.4 If HyperSense AI becomes aware of a personal data breach, HyperSense AI will notify the Controller without undue delay and will take reasonable steps to mitigate the effects of the personal data breach. Furthermore, taking into account the nature of processing and the information available to HyperSense AI, HyperSense AI will assist the Controller in ensuring compliance with the Controller’s obligations to (a) document any personal data breach, (b) notify the applicable supervisory authority of any personal data breach and (c) communicate such personal data breaches to the data subjects, in accordance with Applicable Legislation. Any assistance provided by HyperSense AI under this section 6.4 shall be at the sole cost of the Controller.
7. HYPERSENSE AI’S OBLIGATIONS TO ASSIST
7.1 Taking into account the nature of the processing, HyperSense AI shall assist the Controller with the fulfilment of the Controller’s obligation to ensure that the data subjects may exercise their rights under Applicable Legislation by ensuring appropriate technical and organizational measures. The Controller acknowledges that, given that the Data is uploaded to the Services in complete data sets, it is not technically possible for HyperSense AI to erase, correct or restrict the processing of specific pieces of Data in a data set. If a data subject requests that the Controller erases, corrects or restricts the processing of specific pieces of Data in a data set, the Controller must erase the data set from the Services and upload a new data set excluding the relevant pieces of Data. Any assistance provided by HyperSense AI under this section 7.1 shall be at the sole cost of the Controller.
7.2 If a data subject, supervisory authority or any third-party requests information from HyperSense AI regarding the processing of Data, HyperSense AI will refer such request to the Controller and await further instructions from the Controller. HyperSense AI may not represent, or act on behalf of, the Controller in relation to any data subjects, supervisory authority or third party.
7.3 Taking into account the nature of processing and the information available to HyperSense AI, HyperSense AI shall further assist the Controller in relation to the Controller’s obligations to ensure security of the processing, carry out impact assessments regarding data protection and participate in prior consultations. Any assistance provided by HyperSense AI under this section shall be at the sole cost of the Controller.
8.1 HyperSense AI may engage third parties to process Data or any part thereof on its behalf (“Sub-Processor”). In such event HyperSense AI, will provide details of its sub-processors on its website.
9. TRANSFERS TO THIRD COUNTRIES
9.1 The Processor may transfer Data outside the EU/EEA. If HyperSense AI transfers Data outside the EU/EEA, or engages a Sub-Processor to process Data outside of the EU/EEA, HyperSense AI is hall ensure that at least one of the following prerequisites is fulfilled:
a) the receiving country has an adequate level of protection of personal data as decided by the European Commission,
b) the transfer is subject to the European Commission’s standard contractual clauses for transfer of personal data to third countries, or
9.2 In the event of a transfer of Data outside the EU/EEA initiated by HyperSense AI, HyperSense AI shall demonstrate that a valid legal ground applies to the transfer.
10.1 Any information provided or made available by HyperSense AI to the Controller under this section 10 is deemed Confidential Information and may not be disclosed by the Controller, unless HyperSense AI has approved such disclosure in writing.
10.2 Upon the Controller’s request, HyperSense AI will make available to the Controller all information necessary to demonstrate its compliance with the obligations laid in this DPA.
10.3 the Controller shall, with at least 20 days’ written notice, be entitled to carry out an audit of HyperSense AI’s processing of Data, if the Controller has reason to believe that HyperSense AI fails to comply with this DPA. HyperSense AI undertakes to assist the Controller and disclose all information necessary for the Controller to carry out such an audit. Any on-site audit shall be performed by an independent third party agreed between the parties and be subject to the confidentiality and security restrictions as deemed necessary by HyperSense AI. The Controller shall carry all costs for an audit.
11. RETURN AND DELETION OF DATA
11.1 You may retrieve Data from the Services up until the termination or expiration. HyperSense AI will delete any and all Data from the Services no later than 90 days after the termination Date.
12.1 This DPA shall, notwithstanding the term of the Subscription Form, enter into effect when HyperSense AI commences to process Data on behalf of the Controller and shall terminate when the Controller has retrieved Data and/or HyperSense AI has erased Data in accordance with section 11 above.