This Data Processing Agreement ("DPA") supplements the
Terms of Service ("Terms") and
Privacy Policy for all Customers, and will remain in effect until all Customer Personal Data has been deleted. If there is any conflict or inconsistency between this DPA and the Terms, this DPA will govern.
This DPA reflects our mutual agreement on the terms governing the processing and security of Personal Data in connection with the privacy laws below:
(The United Kingdom ("UK") officially withdrew from the European Union ("EU") and
European Economic Area ("EEA") on Jan 1, 2021. The UK has thus adopted a slightly modified version of the GDPR, called the UK-GDPR. For convenience, this DPA uses "EEA" and "GDPR" as umbrella terms that include the UK and its modified UK-GDPR, as there are no fundamental differences in relation to your usage of the Service.)
Data processing
The parties acknowledge and agree that:
- Under the GDPR and LGPD,
- g.premper S.A de C.V. is a "Data Processor" of Personal Data, and Customer is a "Data Controller".
- If Customer is also a Data Processor for its own customers, Customer warrants to g.premper S.A de C.V. that Customer’s instructions and actions with respect to Personal Data, including its appointment of g.premper S.A de C.V. as another Data Processor, have been authorized by the relevant Data Controllers or customers.
- Under the CCPA,
- g.premper S.A de C.V. is a "Service Provider", and Customer is a "Business", as these terms relate to Personal Data.
- If Customer is also a Service Provider for its own customers, Customer warrants to g.premper S.A de C.V. that Customer's instructions and actions with respect to Personal Data, including its appointment of g.premper S.A de C.V. as another Service Provider, have been authorized by the relevant Businesses or customers).
- Each party will comply with the obligations applicable to it under the laws above with respect to the processing of Personal Data.
By entering into this DPA, Customer instructs g.premper S.A de C.V. to process Personal Data only in accordance with applicable law:
- to provide the Data Processing and any related technical support;
- as further specified via Customer’s use of the Service (including in the settings, preferences, and other functionality) and any related technical support;
- as documented in the Terms of Service, Privacy Policy, and this DPA; and
- as further documented in any other written instructions given by Customer and acknowledged by g.premper S.A de C.V. as constituting instructions for purposes of this DPA.
Furthermore, as a Service Provider under the CCPA, g.premper S.A de C.V. certifies that it:
- receives Personal Data from Customer pursuant to a "business purpose";
- will not "sell" the Personal Data to any third party, as the term "sell" is defined under the CCPA;
- will retain, use and disclose such Personal Data only for the specific purposes as defined above and by the Customer; and
- understands its contractual restrictions and shall comply with them.
g.premper S.A de C.V. will comply with Customer instructions (including with regard to data transfers), unless applicable law requires other processing of Personal Data by g.premper S.A de C.V., in which case g.premper S.A de C.V. will inform Customer as the law allows.
Customer is solely liable for its compliance with the GDPR, LGPD, CCPA, and all other applicable privacy laws, with regards to its use of the Service.
Data deletion
The Service includes
tools for Customers to manually delete Personal Data as needed, e.g. per End User request; the Personal Data will be deleted from our systems as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires further storage.
Upon deletion of a Customer account, all Personal Data will be deleted from production and backup systems within 1 year.
Data security
g.premper S.A de C.V. maintains reasonable measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Secure (HTTPS) access is forced for Customers so login credentials and Personal Data are secure in transit.
Physical access to the data center requires two-factor authentication via keycard and thumbprint. Server racks are further secured within a locked cage. Data center has 24/7 video surveillance and on-site staff. Backend access to servers and data, whether physical, shell, or administrative interfaces, is limited to employees who require it to perform their duties. No contractors or subprocessors are authorized for such access.
If g.premper S.A de C.V. becomes aware of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer's Personal Data on our servers ("Incident"), we will notify Customer, via Customer's registered email address, of the Incident promptly and without undue delay, and take reasonable steps to minimise harm and secure Customer's data. Our notification of or response to an Incident will not be construed as an acknowledgement of any fault or liability with respect to the Incident.
Customer agrees that they are solely responsible for their use of the Service, including securing the account credentials, systems and devices Customer uses to access the Service. g.premper S.A de C.V. has no obligation to protect Customer's Personal Data that Customer elects to store or transfer outside of g.premper S.A de C.V. systems.
Data rights
EEA and UK residents have the legal right to access, correct, and delete their Personal Data, per the GDPR, with some exceptions. Residents of California and Brazil have similar rights and exceptions, per the CCPA and LGPD, respectively.
If we receive a request from an End User in the EEA, UK, California or Brazil in relation to Personal Data processed for a Customer, we will advise the End User to submit their request to Customer, and Customer will be responsible for responding to such request using the
tools we have provided on our Site for handling Personal Data requests.
Customer agrees to use all reasonable measures to verify the identity and location of an End User before sharing or modifying Personal Data. Per GDPR recital 64, "the controller [Customer] should use all reasonable measures to verify the identity of a data subject [End User] who requests access, in particular in the context of online services and online identifiers."
Data transfer
Customer agrees that Personal Data may be transferred to g.premper S.A de C.V. in the United States of America, where it will be stored and processed.
For Customers within the EU, UK, or Switzerland, this data transfer is covered by the
Standard Contractual Clauses.