This data processing agreement (the "DPA") governs the processing of Personal Data in the course of the provision of the Services provided by Plausity or its Affiliates to the Subscriber and forms part of the Agreement between the Parties.
This DPA regulates the Subscriber's rights and obligations in its capacity as data controller or processor as well as Plausity's rights and obligations in its capacity as data processor or sub-processor when Plausity processes Personal Data on behalf of the Subscriber under the Agreement.
The purpose of this DPA is to regulate the processing of Personal Data in accordance with the requirements set forth by Applicable Data Protection Laws. Concepts, terms, and expressions in this DPA shall be interpreted in accordance with Applicable Data Protection Laws (as defined below).
In case of any conflict between the rest of the Agreement and this DPA (including its appendices), the wording of this DPA shall prevail.
The following shall form part of the DPA:
Capitalized terms that are used but not defined in this document shall have the meaning set out in the Agreement Order Form or the General Terms and Conditions Plausity AI.
Plausity undertakes to process Personal Data for purposes set forth in this DPA (including Specification of Data Processing) and in accordance with the Subscriber's written instructions, unless otherwise required by Applicable Data Protection Laws. The Subscriber's instructions to Plausity regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects, and the rights and obligations of both Parties are set forth in this DPA and in Specification of Data Processing.
As data processor, Plausity undertakes to:
Any transfer of Personal Data to Plausity using the Services shall be made using secure, reasonable, and appropriate mechanisms for data transfers.
Plausity shall, without undue delay, inform the Subscriber of any communication with any Data Protection Authority that relates to Plausity's processing of Personal Data under this DPA, and Plausity will provide reasonable assistance to the Subscriber if the Subscriber receives a request from such authority or is subject to a regulatory investigation. In addition, if data subjects, competent authorities or any other third parties request information from Plausity regarding the processing of Personal Data covered by this DPA, Plausity shall refer such requests to the Subscriber to the extent permissible under applicable law.
Plausity shall provide reasonable assistance to the Subscriber, through appropriate technical and organizational measures, with the Subscriber's compliance obligations to implement reasonable security procedures and practices appropriate to the nature of the Personal Data.
Plausity's assistance to the Subscriber in accordance with Clauses 2.4 and 2.5 will be provided at the Subscriber's reasonable expense, unless the reason for the assistance is a direct result of an act or omission by Plausity or its Affiliates.
Plausity certifies that it will not:
The Subscriber shall ensure that it has a valid legal basis, and all necessary rights, consents, and authorizations, to provide the Personal Data to Plausity and to authorize Plausity to process that Personal Data in accordance with this DPA, the Agreement and/or other processing instructions provided by the Subscriber to Plausity.
The Subscriber shall comply with all Applicable Data Protection Laws that are applicable to it as controller of the Personal Data.
The Subscriber shall limit the provision of Personal Data to Plausity to what is necessary for the purpose of the Agreement. For example, the Subscriber shall not include Personal Data, other than technical contact information, in technical support tickets.
Plausity is, subject to Clause 4.2 and Clause 5, entitled to engage subcontractors acting as sub-processors, under the condition that they are bound by a written agreement which imposes on them materially the same data processing obligations as the obligations under this DPA in respect of data protection.
Plausity shall inform the Subscriber of any new sub-processors by updating the subprocessor list and give the Subscriber the opportunity to object to such changes. Such objections by the Subscriber shall be based on grounds regarding the new sub-processor's ability to comply with Applicable Data Protection Laws and be made in writing within 30 days from posting. Plausity may not engage a new sub-processor before the 30-day period has ended. Plausity shall upon request provide the Subscriber with such information available to Plausity that the Subscriber may reasonably request to assess the new sub-processor's ability to comply with Applicable Data Protection Laws. If Plausity, despite the Subscriber's objection, wishes to engage the sub-processor, the Parties shall in good faith discuss and try to find an alternative solution which is reasonably acceptable to both Parties. If the Parties cannot find an alternative solution and the Subscriber still objects to the appointment of the sub-processor, and if the Subscriber's objection would result in additional costs or expenses for Plausity, then Plausity is entitled to adjust its fees under the Agreement to ensure that Plausity is compensated for such additional and/or increased costs or expenses. Notwithstanding the previous sentence, if the Subscriber's objection would result in costs or operational consequences which, in Plausity's opinion, would not be commercially reasonable, Plausity may terminate the Agreement upon reasonable written notice.
The Subscriber acknowledges that it may transfer Personal Data or make Personal Data available by remote access to Plausity in the EU, in order for Plausity to provide the Services. Plausity may not process Personal Data outside of the EU/EEA or the US, or engage sub-processors processing the personal data outside of the EU/EEA or the US, without the Subscriber's consent (which shall be considered given if the Subscriber has not objected to a new sub-processor within the time set out in Clause 4.2).
To the extent any transfer described in Clause 5.1 constitutes a Restricted Transfer, Plausity shall upon request provide all reasonably relevant information regarding the Restricted Transfer to enable the Subscriber to make an informed decision, including details of the country or territory to which the Personal Data will be transferred.
If Standard Contractual Clauses are used as a Data Transfer Mechanism under this DPA, they shall be implemented as follows:
Plausity represents and warrants that Plausity has no reason to believe that legislation or practices applicable to it or its sub-processors, including in any country to which Personal Data is transferred either by itself or through a sub-processor, prevents it from fulfilling its obligations under Applicable Data Protection Laws, this DPA or its obligations in the Standard Contractual Clauses. In the event Plausity is unable to fulfil its obligations in this Clause 5.4, Plausity agrees to immediately notify the Subscriber.
To maintain an adequate level of security for the protection of Personal Data, and without prejudice to the information security and confidentiality obligations which otherwise follow from the Agreement, Plausity commits to the appropriate technical and organizational measures described in Security Measures.
Plausity shall protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed. The Personal Data shall also be protected against other forms of unlawful processing.
Plausity shall ensure that only staff and other representatives who require access to Personal Data to fulfil Plausity's obligations under the Agreement have access to such information. Plausity shall guarantee that all persons authorized to process the Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. Furthermore, all persons authorized to process Personal Data shall receive sufficient and necessary training covering awareness of GDPR and data processing agreements.
Plausity shall inform the Subscriber without undue delay and at the latest within 36 hours from becoming aware of a Personal Data breach.
Plausity shall assist the Subscriber with any information reasonably required to fulfil the Subscriber's data breach notification requirements under Applicable Data Protection Laws. Any costs associated with such assistance will be subject to the limitations of liability in the General Terms and Conditions.
Plausity shall, at the Subscriber's reasonable expense, considering the nature of the processing and the information available to Plausity, assist the Subscriber in fulfilling the Subscriber's obligation to, when applicable, carry out data protection impact assessments and prior consultations with the Data Protection Authority.
Subscriber shall have the right to perform audits of Plausity's processing of Subscriber's personal data to verify Plausity's compliance with this DPA and Applicable Data Protection Laws. This audit right is limited to once per 12-month period unless the Subscriber has clear reasons to believe that Plausity has materially breached its obligations under this DPA.
Plausity undertakes to make available to the Subscriber all information and other assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by an authorized and reputable auditor mandated by the Subscriber, provided that the individuals performing the audits enter into confidentiality agreements or are bound by statutory obligations of confidentiality.
In this context, it is noted that among Plausity's customers there may be entities which are subject to statutory and/or bar association rules on confidentiality in relation to client/customer matters (e.g. banks, financial institutions, law firms, etc.). Hence, the Subscriber acknowledges that audits under this DPA shall not include access to information pertaining or belonging to Plausity's other customers.
The Subscriber is responsible for all costs associated with audits, save for when an audit concludes a material breach of Plausity's undertakings in violation of the Agreement. If so, Plausity shall compensate the Subscriber for reasonable and verified costs associated with the audit.
The provisions of this DPA shall apply as long as Plausity processes Personal Data for which the Subscriber is data controller or until such time as this DPA is replaced with another data processing agreement.
Before the expiration of this DPA, Plausity shall, at the choice and instruction of the Subscriber, securely delete or return all Personal Data to the Subscriber, unless Applicable Data Protection Laws require Plausity to store the Personal Data in which case the obligations set out in Clause 11.4 (a)-(c) shall apply.
If return or destruction is impracticable or incidentally prohibited by a valid legal requirement, Plausity shall take measures to inform the Subscriber and block such Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required under German or EU law) and shall continue to appropriately protect the Personal Data remaining in its possession, custody, or control and, where any authorized sub-processor continues to possess Personal Data, require the authorized sub-processor to take the same measures that would be required of Plausity.
Upon request by the Subscriber, Plausity shall provide a written notice of the measures taken regarding the Personal Data upon completion of the processing as set out in Clause 11.1.
If Plausity is legally required to retain archival copies of any specific data belonging to the Subscriber for tax or similar regulatory purposes, Plausity shall:
Any amendments to this DPA shall, to be valid, be agreed in writing and duly signed by authorized representatives of both Parties.
Notwithstanding Clause 12.1, the Subscriber is entitled to make updates to its written instructions regarding the processing set out in the Specification of Data Processing. Plausity shall be entitled to remuneration for any reasonable and verified additional costs that Plausity incurs due to the Subscriber having made amendments to its written instructions regarding the processing. Notwithstanding the aforesaid, no remuneration shall be payable due to amendments in the written instructions directly due to, or directly based on, regulatory requirements.
The liability provisions and limitations thereof set out in the General Terms and Conditions Plausity AI shall apply to this DPA.
Except as otherwise required by Applicable Data Protection Laws, this DPA shall be governed by and construed in accordance with the governing law provision in the GTCs.
Any dispute, controversy, or claim arising out of or in connection with this DPA, or the breach, termination, or invalidity thereof, shall be finally settled in accordance with the dispute resolution provision set out in the General Terms and Conditions Plausity AI.
"Applicable Data Protection Laws" means any nationally or internationally binding data protection laws, case law, and regulations, including those (i) applicable within the European Union (the "EU"), including the EU General Data Protection Regulation ("EU GDPR"), the United Kingdom General Data Protection Regulation, which is the EU GDPR as incorporated into UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and amended by The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 ("UK GDPR"), and all other privacy and data protection laws of the European Economic Area ("EEA") and the United Kingdom and (ii) those applicable in the United States, including the California Consumer Privacy Act ("CCPA"), and applicable subordinate legislation and regulations implementing those laws in (i) and (ii), as amended and supplemented from time to time.
"Data Transfer Mechanism" means a transfer mechanism that enables the lawful cross-border transfer of Personal Data under Applicable Data Protection Laws. This includes transfer mechanisms that are required under Applicable Data Protection Laws in the EEA, UK, and Switzerland such as the Data Privacy Framework, the Standard Contractual Clauses, the UK International Data Transfer Addendum and any data transfer mechanism available under Applicable Data Protection Laws.
"Data Protection Authority" means a regulatory authority, supervisory authority, or other government agency authorized to enforce Applicable Data Protection Laws.
"Personal Data" means any Subscriber Content that (i) relates to an identified or identifiable natural person, or (ii) constitutes "personal data", "personal information" or any similar term within the meaning of Applicable Data Protection Laws.
"Restricted Transfer" means any transfer of Personal Data that requires a Data Transfer Mechanism.
"Standard Contractual Clauses" means the European Commission's standard contractual clauses adopted on the 4th of June 2021 or any clauses thereafter replacing such standard contractual clauses.
The terms "data controller" and "data processor" have the meanings accorded to them under Applicable Data Protection Laws and encompass the concepts of a "business" and "service provider," respectively, as such terms are defined by the CCPA.