According to the Terms of Service (the “Terms”), Smartsupp provides the Service as stipulated in the Terms to you as the user of the Service. The relationship between Smartsupp and the user is thus based on an on-line registration process of the user or on a written or electronic contract to which the Terms are attached, which collectively form an agreement between you and Smartsupp (the "Agreement"). This data processing addendum (hereinafter the "DPA") forms an integral part of the Agreement.
Words starting with capital letters shall have the same meaning as set out in the Terms or any other annex referred to in the Terms, unless otherwise stated in this DPA.
Smartsupp concludes this DPA in accordance with applicable data protection laws, such as Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), Data Protection Act 2018 or CCPA/CPRA and also in accordance with other privacy laws which are applicable during provision of the Service under Agreement (“applicable privacy laws”).
When this DPA stipulates that Smartsupp acts as personal data processor, it shall have the meaning ascribed to “processor” under the GDPR and other equivalent terms under other applicable privacy laws (e.g., “Service Provider” as defined under the CCPA). When this DPA stipulates that you act as personal data controller, it shall have the same meaning ascribed to “controller” under the GDPR and other equivalent terms under applicable privacy laws (e.g., “Business” as defined under the CCPA).
1. INTRODUCTORY PROVISIONS
1.1 Processing of personal data as personal data processor. Smartsupp may process personal data on behalf of the user when Service is provided to the user and Smartsupp then acts as a processor of personal data (or a sub-processor) in relation to the user.
The processing activities done by Smartsupp arise from registration, the Agreement or from documented requests done by the user during provision of the Service via the platform available at https://www.smartsupp.com (the “Platform”).
1.2 Authorization to process personal data. The user hereby authorizes Smartsupp to process personal data of the data subjects provided by the user in accordance with the Service, as set out in this DPA. Smartsupp will process personal data for the user according to the user's documented instructions and only as necessary for the proper performance of the obligations of Smartsupp under the Agreement.
1.3 User’s responsibility. As Smartsupp acts as the personal data processor, the user acts as a controller, and therefore is responsible for fulfilling all obligations related to the processing of personal data. Among these obligations are to properly inform data subjects about the processing of personal data, to obtain consent to the processing of personal data, if necessary, and to handle requests from data subjects regarding the exercise of their rights (such as the right to information, access, correction, erasure, restriction of processing, objection, etc.). Smartsupp will assist the user in fulfilling these obligations via the Platform or via documented requests of the user. However, Smartsupp is not responsible in any way for the accuracy and legality of the user’s activities, including any activity that may breach any privacy or other legislation stipulated in the country from which the user uses the Service.
2. SUBJECT MATTER OF PROCESSING, CATEGORY OF DATA SUBJECTS AND TYPE OF PERSONAL DATA
2.1 Subject matter of the processing. The subject matter of processing of personal data, which are defined below, by Smartsupp is provision of the Service as set out in the Agreement, in particular processing personal data when you use our Service features as described on the Website.
2.2 Types of personal data. Under the subject matter of fulfilment of duties according to the Agreement and provision of Service, the following types of personal data may be processed in accordance with this DPA:
a) contact information, such as name, surname, email address, phone number, or social network account contact,
b) details about visiting of website of the user, such as URL of the website visited, date and time of the website visit, technical information (screen resolution, device type, browser type, operating system, etc.), IP address, geolocation data (country and city from which the user viewed your website),
c) information contained in the conversations between users and customers or other users when using the Service features,
d) technical logs and other information about users using the Service (Smartsupp uses third-party tools to capture such information),
e) other personal data uploaded or used in any other way by the user, or
f) the personal data to which type, extent and details are determined and controlled by the user in its sole discretion during provision of the Service.
The scope of personal data depends on the type of Service features used by the user. The Service is not intended to store special categories of personal data. The user shall not use the Service to store or process special categories of personal data. If the user processes such data through the Service, Smartsupp accepts no liability for such processing.
2.3 Categories of data subjects. Smartsupp will process personal data about these categories of data subjects:
a) employees (and other workers and persons acting on behalf of the user) of the user;
b) persons for which the user created an account within the Service;
c) customers and other users of the user to whom the Service is provided;
d) visitors of the website of the user;
e) other persons whose personal data were provided to Smartsupp by the user during provision of the Service and whose personal data has been recorded or has been otherwise processed in accordance with the provision of the Service to the user.
3. NATURE AND PURPOSE OF PROCESSING
3.1 Nature of the processing of personal data. Smartsupp will process personal data in an automated, electronic manner and the processing will consist of accessing the personal data as part of the provision of the Service, viewing the personal data, storing personal data, and other activities which can correspond to the provision of the Service to the user. The nature of the processing of personal data results from:
a) the Agreement the Parties have concluded;
b) the requests of the user or other authorized users using the Platform on behalf of the user;
c) the nature of the Service and the Platform;
d) any other documented instructions provided by the user.
3.2 Purpose of processing. The purpose of the processing is to provide the Service to the user, as defined in the Terms, and for other purposes which may arise from the provision of the Service.
4. DURATION OF THE PROCESSING
4.1 Duration of processing of personal data. The processing of personal data will be carried out for the duration of the Agreement, or for as long as Smartsupp is given instructions by the user, in connection with the performance of the Agreement. Smartsupp undertakes to comply with the obligations set out in the data protection laws for the entire duration of the Agreement, unless it is clear from the Agreement that they are to continue after its termination.
4.2 Return and deletion of personal data. If the Agreement is terminated, to the extent allowed by applicable privacy laws, Smartsupp shall delete all personal data stored for the purpose of the provision of the Service within 3 months after termination. If, within the above-mentioned period, the user notifies Smartsupp that the user prefers the return of the data, Smartsupp is entitled to charge a reasonable fee in an amount to be notified in advance.
5. OTHER RIGHTS AND OBLIGATIONS
5.1 Smartsupp’s obligations. In processing of personal data, Smartsupp undertakes to:
a) process personal data solely on the basis of documented instructions of the user; for the avoidance of doubt, the processing of personal data in compliance with obligations under the Agreement shall be regarded as to be carried out in accordance with the user's instructions;
b) follow the user's instructions as to the transfer of personal data to a third country or an international organization, unless such processing is already required by European Union or Member State law to which Smartsupp is subject;
c) ensure that persons authorized to process personal data are bound by an obligation of confidentiality or are subject to a legal obligation of confidentiality;
d) taking into account the nature of the processing, assist the user through appropriate technical and organizational measures, where possible, to comply with the user's obligation to respond to requests to exercise the rights of data subjects; the rules on handling data subjects’ requests are specified in the Article 5.2 of this DPA;
e) assist the user with fulfilling the user's obligations to (i) ensure the level of security of the processing, (ii) report personal data breaches to the Data Protection Authority and, where applicable, to data subjects, (iii) assess the impact on the protection of personal data and (iv) carry out prior consultation with the Data Protection Authority, all taking into account the nature of the processing and the nature of personal data processed;
f) allow the user or a person authorized by the user to check (including audit or inspection) compliance with this DPA, in particular fulfilling the obligations for processing personal data arising therefrom, and shall contribute to such checks according to the user’s or the authorized person’s reasonable instructions; the specific rules for audits are set out in Articles 5.3 and 5.4 of this DPA;
g) provide the user with all information, which can be reasonably expected from Smartsupp, to attest to the fact that the obligations set out in relevant data protection legislation have been met.
5.2 Data subject requests. If a data subject directly contacts Smartsupp, Smartsupp shall notify the data subject to address the request directly to the user. Smartsupp shall only provide commercially reasonable efforts to assist the user in responding to such data subject request, to the extent Smartsupp is legally permitted to do so. The user shall be responsible for any costs arising from Smartsupp’s provision of such assistance and shall be responsible for correct handling of such request.
5.3 Rules for audit. The user shall send any request for an audit (check) exclusively to Smartsupp email address dpo@smartsupp.com, at reasonable intervals. Upon receipt of an audit request, the parties shall agree in advance on (i) the possible date of the audit, (ii) security measures and how to ensure compliance with confidentiality obligations during the audit, and (iii) the expected start, extent and duration of the audit. If no agreement is reached within 30 days of the date of the request, Smartsupp shall determine the terms of the audit.
5.4 Auditor. Smartsupp may raise a written objection to any auditor (authorized person) appointed by the user if, in Smartsupp’s opinion, the auditor is not sufficiently qualified, is not independent, is in a competitive position with Smartsupp or is otherwise manifestly unsuitable. Following the objection, the user shall be obliged to appoint another auditor or to carry out the audit themselves. The user shall promptly notify Smartsupp with information regarding any non-compliance, either with applicable privacy laws or this DPA, discovered during the audit.
5.5 Scope of audit. The scope of the audit done by the user shall include only documentation and processes directly associated with the usage of the Service by the specific user.
5.6 Sub-processors. The user agrees with the involvement of other sub-processors in the processing of personal data. Depending on the type of the Service provided or requested by the user, Smartsupp may use other sub-processors or share personal data with other personal data recipients. The user agrees that Smartsupp will involve sub-processors listed at: https://help.smartsupp.com/en_US/list-of-sub-processors (the “Sub-processor list”).
5.7 Objections to other sub-processors. Smartsupp shall inform the user in written form or via updating Sub-processor list about the involvement of an additional sub-processor before the involvement of the additional sub-processor, and the user may object to the involvement of the additional sub-processor within 10 business days after notification. If the user does not object within the set time limit, Smartsupp will involve the additional sub-processor. In case an objection is raised by the user, Smartsupp will assess the objection and, if it finds it justified, it will not engage the additional sub-processor or make commercially reasonable change to the user’s configuration or use of the Service to avoid processing by such sub-processor. If change is not possible, Smartsupp may terminate the Agreement with the user (or partly) or not provide the part of the Service to which the additional sub-processor is linked, without being in default or in breach of any obligation. Smartsupp will refund the user any prepaid fees covering the remainder of the term of such Agreement following the effective date of termination with respect to such terminated Service, without imposing a penalty for such termination on the user.
5.8 Obligations to other sub-processors. If Smartsupp engages another sub-processor, this other sub-processor must contractually commit to the same obligations to protect personal data as those agreed between the user and Smartsupp and also to implement appropriate technical and organizational measures.
5.9 Liability for sub-processor. Smartsupp shall be liable for the acts and omissions of its sub-processors to the same extent Smartsupp would be liable in case the provision of the Service of each sub-processor is done directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5.10 Costs related to the performance of the DPA. Unless otherwise agreed in writing, the user shall bear their own costs associated with the performance of the DPA. Smartsupp shall be entitled to charge user for the reasonable costs incurred in dealing with any request and performing any obligation under this DPA.
6. SECURITY OF PERSONAL DATA AND PERSONAL DATA BREACHES
6.1 Obligation to secure personal data. Smartsupp has adopted and maintains technical and organizational measures to prevent unauthorized or accidental access to, modification, destruction or loss of personal data, unauthorized transmissions, other unauthorized processing or other unauthorized misuse of personal data. Smartsupp regularly monitors compliance with these measures.
6.2 Specific security measures. Smartsupp has adopted and maintains the following measures to ensure an adequate level of security:
Technical measures:
a) Pseudonymisation and encryption of personal data:
- the Platform on which personal data are processed allows only secure channels or protocols for inbound network connections; Smartsupp encrypts data using SSL/TLS for all data transmission;
- the IT systems processing personal data allow only secure channels or protocols;
- cryptographic keys are securely managed.
b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services:
- physical access by personnel of Smartsupp is restricted to authorized persons;
- Smartsupp adopted mechanisms to restrict physical or on-line access to servers hosting personal data;
- prevention of unauthorized persons from gaining access to personal data and prevention that personal data will be used without authorization;
- persons authorized to process personal data have access only to those personal data they need and are authorized to access, and that personal data cannot be read, copied, altered or removed without authorization during processing;
- access is strongly authenticated (e.g., by using strong passwords);
- access rights are periodically checked;
- access attempts (both successful and failed) are logged and monitored;
- Smartsupp personnel are prohibited from downloading and processing personal data locally in their workstations or in any other network location;
- all possible failures of the Platform and anomalies are logged.
c) The ability to restore the availability of and access to personal data in a timely manner in the event of physical or technical incidents:
- Smartsupp has adopted the backup process, mechanism and tools;
- restoration procedure, data readability and integrity of backups are periodically tested.
d) Smartsupp has adopted a process for regular testing, assessing and evaluating the effectiveness of the technical and organizational measures in place to ensure the security of processing.
e) Personal data cannot be modified or deleted without authorization during electronic transmission, transport or storage, and that the recipient entities for any transfer can be established and verified.
Organizational measures:
f) All personnel engaged in the processing of personal data are informed of the confidential nature of the personal data, have received appropriate training regarding their responsibilities and have concluded written confidentiality agreements.
g) Smartsupp has implemented internal directives and processes to secure personal data processing in accordance with applicable privacy laws.
h) For questions about this DPA, data protection laws compliance, data privacy, or any other privacy issues, the Customer may send an email to privacy@smartsupp.com.
6.3 Security incidents. If Smartsupp discovers a personal data breach, it shall report it to the user without undue delay, not later than 48 hours after becoming aware of the security incident, and shall use reasonable efforts to provide the user with all information known about the incident, limited to:
- description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- description of the likely consequences of the personal data breach;
- proposal of measures that may be taken by the user to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Smartsupp will respond to any request from the user for assistance in the event of a security breach with undue delay.
6.4 Unlawful instructions. If the user instructs Smartsupp in such a way that a breach of obligations under the data protection laws occurs, and Smartsupp is sanctioned by a supervisory authority or other regulatory body on the basis of such instruction, or is required to compensate data subjects, the user agrees to compensate Smartsupp and pay for any damages incurred, upon written notice by Smartsupp.
6.5 Limitation of liability. The same limitation of liability as stipulated in the Terms shall apply to this DPA.
6.6 Changes. The same rules for changes as stipulated in the Terms shall apply.
6.7 Effectiveness. This DPA shall become legally binding between the user and Smartsupp together with the Agreement.