Data Processing Agreement

Effective Date: 11th April 2020

Please read this Data Processing Agreement (the "DPA") carefully as this DPA constitutes a legally binding contract between You (the "Subscriber", "You", "Your") and Us ("Egregore", "Us" "We", "Our"). This DPA supplements the Terms and Conditions of Use available at www.robana.ai/terms

1. Definitions

Capitalised terms not specifically defined herein shall have the meaning ascribed thereto in the Terms.
In this DPA, the following terms shall have the following meanings:
"CCPA" shall mean the California Consumer Privacy Act of 2018.
"Controller" shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data. In the context of CCPA, the term Controller shall have the meaning given to the term "Business" under the CCPA.
"Data Protection Laws" shall mean the data protection laws of the country in which the Controller is established, including the GDPR, CCPA and any data protection laws applicable to the Controller in connection with the Terms.
"Data Subject" shall mean an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In the context of CCPA, the term Data Subject shall have the meaning given to the term "Consumer" under the CCPA.
"GDPR" shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal Data" shall mean any information relating to a Data Subject.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
"Processor" shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the controller. In the context of CCPA, the term Processor shall have the meaning given to the term "Service Provider" under the CCPA.
"Sensitive Personal Information" means an (i) individual's government-issued identification number (including social security number, driver's license number or state-issued identified number) or email address; (ii) financial account number, Cardholder Data (as defined under the Payment Card Industry Data Security Standard (PCI-DSS), debit card number, credit report information, with or without any required security code, access code, personal identification number or password, that would permit access to an individual's financial account; (iii) employment information; (iv) political opinion, racial or ethnic origin, or religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purposes of uniquely identifying a natural person; (v) data concerning health or data concerning a natural person's sex life or sexual orientation; (vi) account passwords, mother's maiden name, or date of birth; (vii) criminal history; or (viii) any other information or combinations of information that is deemed sensitive under the legal framework of any applicable jurisdiction
"Model Clauses" means the standard contractual clauses for Processors as approved by the European Commission (Decision C(2010)593) and available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX:32010D0087

2. Scope and Responsibilities

2.1 This DPA applies to Processing of Personal Data forming part of Customer Data.
2.2 Egregore shall Process Personal Data in its capacity as Processor only on behalf of Customer (in its capacity as Controller) and at all times only in accordance with this DPA.
2.3 Within the scope of the Terms, each Party shall be responsible for complying with its respective obligations as Controller and Processor under Data Protection Laws.

3. Term and Termination

3.1 This DPA becomes effective upon Your acceptance of the Terms at the time of subscription to our Services. It shall continue to be in full force and effect as long as Processor is Processing Personal Data pursuant to the Terms and shall terminate automatically thereafter.
3.2 Where amendments are required to ensure compliance of this DPA with Data Protection Laws, the Parties shall make reasonable efforts to agree on such amendments upon request of the Customer. Where the Parties are unable to agree upon such amendments, either party may terminate the Terms with 90 days written notice to the other party.

4. Processing Instructions

4.1 Egregore will Process Personal Data in accordance with Subscriber's instructions. This DPA contains the Subscriber's initial instructions to Egregore. The Parties agree that Subscriber may communicate any change in its initial instructions to Egregore by way of amendment to this DPA.
4.2 For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA (e.g. because a new Processing purpose is introduced) will require a prior agreement between the Parties and, where applicable, shall be subject to the contract change procedure under the respective Agreement.
4.3 Egregore shall without undue delay inform the Subscriber in writing if, in Egregore's opinion, an instruction infringes Data Protection Laws, and provide a detailed explanation of the reasons for its opinion in writing.

5. Processor Personnel

Egregore will restrict its personnel from Processing Personal Data without authorisation. Egregore will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

6. Disclosure to Third Parties; Data Subjects Rights

6.1 Egregore will not disclose Personal Data to any government agency, court, or law enforcement except with written consent from the Subscriber or as necessary to comply with applicable mandatory laws. If Egregore is obliged to disclose Personal Data to a law enforcement agency, Egregore agrees to give the Subscriber reasonable notice of the access request prior to granting such access, to allow the Subscriber to seek a protective order or other appropriate remedy. If such notice is legally prohibited, Egregore will take reasonable measures to protect the Personal Data from undue disclosure as if it were Egregore's own confidential information being requested and shall inform the Subscriber promptly as soon as possible if and when such legal prohibition ceases to apply.
6.2 In case the Subscriber receives any request or communication from Data Subjects which relates to the Processing of Personal Data ("Request"), Egregore shall reasonably provide the Subscriber with full cooperation, information and assistance ("Assistance") in relation to any such Request where instructed by the Subscriber.
6.3 Where Egregore receives a Request, Egregore shall (i) not directly respond to such Request, (ii) forward the request to Subscriber within five (5) business days of identifying the Request as being related to the Subscriber and (iii) provide Assistance according to further instructions from Subscriber.

7. Technical and Organizational Measures

Egregore is certified as ISO27001:2013 as of the Effective Date and will remain certified to these or equivalent or greater standards (the "ISMS Standards"). Upon Customer's written request, Egregore will provide its certificate of registration which states its conformance with the requirements of ISO 27001:2013. Egregore will maintain appropriate administrative, physical and technical safeguards according to the ISMS Standards. These safeguards will include, but not be limited to, measures designed to ensure that Personal Data is Processed according to this DPA, to provide Assistance and to protect Personal Data against a Personal Data Breach ("TOMs").

8. Assistance with Data Protection Impact Assessment

8.1 Where a Data Protection Impact Assessment ("DPIA") is required under applicable Data Protection Laws for the Processing of Personal Data, Egregore shall provide upon request to the Subscriber any information and assistance reasonably required for the DPIA and assistance for any communication with data protection authorities, where required, unless the requested information or assistance is not pertaining to Egregore's obligations under this DPA.
8.2 The Subscriber shall pay Egregore reasonable charges for providing the assistance in clause 7, to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Services.

9. Information Rights and Audit

9.1 Egregore shall, in accordance with Data Protection Laws, make available to Subscriber on request in a timely manner such information as is necessary to demonstrate compliance by Egregore with its obligations under Data Protection Laws.
9.2 Egregore undertakes to reasonably cooperate with Subscriber with respect to any audit requests received by Subscriber from national data protection authorities.

10. Personal Data Breach Notification

In respect of any Personal Data Breach (actual or reasonably suspected), Egregore shall:

10.1 Notify the Subscriber of a Personal Data Breach involving Egregore or a subcontractor without undue delay and it shall be the responsibility of the Subscriber to inform the Supervisory Authority of such breach within 72 hours of notice by Egregore;
10.2 Provide reasonable information, cooperation and assistance to Subscriber in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.

11. Subcontracting

11.1 Subscriber consents to Egregore engaging third party sub-processors as indicated in Appendix 1 to Process Personal Data to fulfil its obligations under the Agreement provided that Egregore will provide at least fifteen (15) days' notice to the Subscriber's account administrator prior to the appointment or replacement of any sub-processor. Subscriber may object to Egregore's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such an event, Egregore will either not appoint or replace the sub-processor or, if this is not possible, Subscriber may suspend or terminate the Service (without prejudice to any fees incurred by the Subscriber prior to such suspension or termination).
11.2 Where Egregore, with Subscriber's consent, subcontracts its obligations and rights under this DPA it shall do so only by way of a binding written contract with the sub-processor which imposes essentially the same obligations as this DPA, especially with regard to instructions and TOMs.
11.3 Where the sub-processor fails to fulfil its data protection obligations under the subcontracting agreement, Egregore shall remain fully liable to the Subscriber for the fulfilment of its obligations under this DPA and for the performance of the sub-processor 's obligations.

12. International Data Transfers

Egregore shall at all times provide an adequate level of protection for the Personal Data, wherever processed, in accordance with the requirements of Data Protection Laws. Where Egregore processes Personal Data under this Agreement that originates from the EEA (including United Kingdom) and/or Switzerland, any such processing shall be conditional on Egregore complying with (and procuring any sub-processor comply with) the Model Clauses, which are incorporated by reference and form an integral part of this Agreement. Purely for the purposes of the descriptions in the Model Clauses and only as between Egregore and the Subscriber, Egregore agrees that it is a "data importer" and the Subscriber is the "data exporter" under the Model Clauses (notwithstanding that Subscriber is located outside the EEA). Further, Appendix 1 and 2 of this Agreement will take the place of Appendices 1 and 2 of the Model Clauses respectively.

13. Deletion or Return of Personal Data

Upon termination or expiry of the Terms, Egregore shall delete all Subscriber Data, including Personal Data, within thirty (30) days of effective termination of the Subscriber's account. Within such retention period, Subscriber may export the Subscriber Data by writing to Egregore at [email protected]

14. CCPA undertaking

Subscriber acknowledges and agrees that Subscriber is the Business and Egregore the Service Provider with respect to any Personal Information of Consumers (as those terms are understood under the CCPA) forming part of Subscriber Data. Egregore will not sell, retain, use, or disclose Personal Information of Consumers that Egregore processes on behalf of the Subscriber when providing the Service under the Terms for any purpose other than for the specific purpose of providing the Service in accordance with the Terms and as part of the direct relationship between Egregore and the Subscriber. Egregore certifies that it understands the restrictions in this clause 14 and will comply with such restrictions

15. Miscellaneous

15.1 Egregore may perform analytics on Subscriber Data to improve, enhance, support and operate the Service and compile statistical reports and record insights into usage patterns. Subscriber acknowledges that Egregore uses Subscriber Data for the aforementioned purpose in compliance with applicable laws.
15.2 Subscriber shall not disclose (and shall not permit any individual to disclose) any Sensitive Personal Information to Egregore for Processing.
15.3 In case of any conflict, the provisions of this DPA shall take precedence over the provisions of any other agreement with Egregore.
15.4 No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out herein or in another agreement.
15.5 Where this DPA requires a "written notice" such notice can also be communicated per email to the other Party.
15.6 Any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.
15.7 Should individual provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this agreement.

The following Appendices forms an integral part of this DPA:

APPENDIX 1

DETAILS OF THE PROCESSING OF PERSONAL DATA

1. Data subjects
Data Subjects are those individuals whose Personal Data is transferred to the Processor pursuant to the Terms.

2. Categories of data
Categories of data include Personal Data of the Users or end-users of the Service(s) forming part of Customer Data.

3. Processing operations
Egregore must process the data collected from or for the Controller or in connection with its services provided to the Controller solely to provide the services specified in the Terms. The duration of processing will be as designated in the Terms.

4. List of Sub-processors
List available at https://app.robana.ai/subprocessors

APPENDIX 2

SECURITY MEASURES

The technical and organisational measures as set forth at https://app.robana.ai/safeguards