Data Processing Addendum (DPA)
This Data Processing Addendum is an integral part of the PerfectBot Terms of Service.
1. DEFINITIONS
The following terms in this Data Processing Agreement shall be construed as defined below:
- Personal Data – information about an identified or identifiable natural person, entrusted to us for processing under the Agreement; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person, within the meaning of the GDPR. Personal Data processed under the Agreement does not constitute special category data as referred to in Article 9 of the GDPR;
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
- Controller – the natural or legal person who, alone or jointly with others, determines the purposes and means of the processing of Personal Data; that is, you as a customer using the PerfectBot tool;
- Processor – the natural or legal person who processes Personal Data on behalf of and at the direction of the Controller; that is, we, as the provider of the Services you use;
- Further Processor – another Processor to whom we further subcontract the processing of Personal Data in order to provide the Services to you;
- Services – services to provide, maintain, support and optimize in the cloud the PerfectBot software-as-a-service platform with a pre-trained chatbot that enables you (the Controller) to automate online chat conversations;
- Third country – a country that is not part of the European Economic Area (“EEA”);
- Main Agreement – the Agreement under which you use the Services, available at https://perfectbot.ai/legal/terms-of-service/;
- DPA or Addendum – this data processing agreement;
- Standard Contractual Clauses – the mechanism that is the legal basis for the transfer of data outside the European Economic Area, adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN;
- UK Addendum – an addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf;
- US Legislation – data protection laws in effect in the U.S. or in individual states, in particular: the California Privacy Rights Act (“CPRA”), the Connecticut Data Privacy Act (“CTDPA”), the Virginia Consumer Data Protection Act (“VCDPA”), the Colorado Privacy Act (“CPA”) and the Utah Consumer Privacy Act (“UCPA”).
2. GENERAL PROVISIONS
- By using our Services and concluding the Main Agreement with us, you, as our customer, are the Controller and entrust us, as the Processor, with the processing of Personal Data; the Personal Data will therefore be processed in accordance with the GDPR and this DPA.
- Personal Data entrusted by you includes Personal Data of individuals using the PerfectBot Platform in connection with providing Services.
- Annex No. 1 sets out the nature and purpose of the processing, the categories of transferred Personal Data and of data subjects whose Personal Data is transferred by you to us, the frequency of the transfer and the period for which the Personal Data will be retained by us.
- We will only process Personal Data for the term of the Main Agreement.
- You and we agree that no automated decision-making will be performed using Personal Data.
- The Services are not dedicated to the processing of special categories of personal data. We do not require this kind of data from you or your end users. Requiring or providing this data is the sole decision of the Controller or its users, at their sole risk.
- DPA constitutes your documented instruction to process the Personal Data. Additional instructions outside the scope of this DPA will be mutually agreed to between us in writing or in another fixed form.
- We will immediately inform you if, in our reasonable opinion, an instruction given to us constitutes a breach of the GDPR, this DPA or other applicable data protection laws. However, it is your responsibility as the Controller to ensure that the instructions you give us regarding the processing of Personal Data comply with the law.
3. CONTROLLER’S STATEMENTS
- You as the Controller declare that:
  - the Personal Data are processed in connection with your business or statutory activities,
  - you have an adequate and valid legal basis for processing the Personal Data as required by the GDPR,
  - there are no legal impediments preventing the entrustment of Personal Data processing to us,
  - you know that the Services are not dedicated to the processing of special categories of personal data within the meaning of Article 9 of the GDPR. If you allow your end users to enter special categories of personal data, you assume sole risk and responsibility for it.
- You agree to promptly notify us of any circumstances that may prevent us from performing this DPA.
- You are obliged to notify us immediately of any request by the data subject, as well as of any inspection by an authorized authority or initiation of proceedings regarding Personal Data that you entrust to us for processing.
- If you use our Services to collect or process sensitive personal data, you are required to obtain the prior and express consent of your end-users for this.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
- We will implement appropriate technical and organizational measures to ensure that the processing is carried out in accordance with the GDPR, taking into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons, of varying likelihood and severity, and we are required to be able to demonstrate this.
- To ensure data security and minimize the risk of breach of the security measures we use, we will provide you with a description of the technical and organizational measures we use within 10 working days of your request.
5. OUR PERSONNEL
- We will only allow persons to process Personal Data who act under our authority and whose access to Personal Data is necessary for the provision of the Services, and we will keep a record of such persons.
- We shall ensure that persons authorized to process Personal Data are subject to a duty of confidentiality.
6. DUTY TO SUPPORT YOU
- We will assist you to comply with the obligations set out in Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to us.
- We are obliged to assist you, through appropriate technical and organizational measures, to comply with the obligation to respond to requests from the Personal Data Subject in exercising their rights set out in Chapter III of the GDPR, within our capabilities and taking into account the nature of the processing of Personal Data.
- We are obliged to inform you immediately of any court or administrative proceedings, decisions or rulings concerning the Personal Data, and of any checks and inspections concerning the Personal Data.
- We cannot delete or modify Personal Data without your consent or your instruction.
7. VIOLATION OF PERSONAL DATA PROTECTION
- If we become aware of a Personal Data breach, we are required to report it to you within 48 hours. The notification should include:
  - a description of the known circumstances of the incident constituting the breach and its established or suspected causes;
  - a description of the nature of the Personal Data breach, including, to the extent possible, the categories and approximate number of data subjects and the categories and approximate number of Personal Data records affected by the breach;
  - the name and contact details of a person from whom further information may be obtained;
  - a description of the possible consequences of the Personal Data breach;
  - a description of the measures we have taken or propose to take to remedy and minimize the consequences of the Personal Data breach.
- We are obliged to cooperate with you in any other way you indicate to detect the breach, clarify its nature, and minimize its negative consequences.
- We are obliged to keep any Personal Data breach information confidential and disclose it only to those entities authorized to receive such information.
- We are required to maintain a record of Personal Data breaches and make it available upon your request to the extent it relates to Personal Data provided by you.
8. AUDITS
- We shall provide you with all information necessary to prove compliance with the obligations imposed by the GDPR and to enable you to carry out audits.
- You are required to notify us of your intention to conduct an audit at least 15 working days prior to the commencement of the audit. Your notice should include the planned scope of the audit.
- An audit can be conducted in the following ways:
  - by reviewing the documentation related to the processing of Personal Data, not more frequently than once every 12 months;
  - by providing all information relating to the processing of Personal Data, no later than within 10 business days of receiving such a request;
  - by allowing you to inspect the premises or IT systems where Personal Data is processed;
  - by obtaining oral or written explanations.
- The conduct of an audit must not impose an undue burden on us. In particular, an audit must not be conducted outside of our regular business hours or take longer than 2 Business Days. It must not extend beyond the space (physical or digital) where Personal Data is processed.
- An audit will not be conducted more frequently than once per year unless the need for an additional audit arises as a result of an incident causing a Personal Data breach.
- You are required to conduct the audit in such a way as to preserve all of our and the Further Processor’s trade secrets and, to this end, any persons performing audit activities will be required to maintain the confidentiality of any information that constitutes a trade secret of a Processor or Further Processor under model confidentiality agreements used by us. Persons performing audit activities shall not be employed by, or be partners, shareholders or members of bodies of entities engaged in activities that compete with our business.
- If you breach clause 8.6. above, we shall be entitled to refuse to allow the audit to take place, which shall not constitute a breach of performance of the Contract. The audit shall be documented by a protocol signed by both Parties. If you identify concerns about our processing of Personal Data, you are entitled to make recommendations to us, whereby:
  - we will implement the necessary remedies and remedy the breaches at our expense, within a timeframe agreed by the Parties, if they relate to our undisputed obligations;
  - where there is a dispute about the audit findings, the Parties will engage in discussions to reach an agreement;
  - we may jointly agree on the scope and timing of such actions that, although not our obligations, appear reasonable; these actions will be carried out at your expense and under a separate agreement.
- You shall bear all costs of an audit.
9. TERMINATION OF DATA PROCESSING
- We will delete or return Personal Data to you, including any existing copies, within 30 days after the termination of the Main Agreement, unless we are required by law to retain them. We will give you the opportunity to make copies of the Personal Data before we delete it.
- We are entitled to process Personal Data in anonymized form, as it is no longer Personal Data within the meaning of the GDPR.
10. CUSTOMER OUTSIDE THE EUROPEAN ECONOMIC AREA
- If you are a customer from outside the European Economic Area (excluding the United Kingdom) then the Standard Contractual Clauses (module IV) will also apply between us and will form part of this DPA.
- If you are a customer from the United Kingdom, the terms of Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as revised under Section 18 of those Mandatory Clauses (UK Addendum), will also apply between us. Part 1 of the UK Addendum corresponds to Annexes No. 1 and 2 to this DPA.
11. STANDARD CONTRACTUAL CLAUSES
- In the case referred to in clause 11.1. above, the Standard Contractual Clauses (module IV) will apply as follows:
  - Clauses 1 to 6 will apply;
  - Clause 7 (optional docking clause) will apply;
  - Clause 8 will apply;
  - Clause 9 does not apply in module IV;
  - Clause 10 will apply;
  - in Clause 11, the optional provision will not apply;
  - Clause 12 will apply;
  - in Clause 13(a), the option “Where the data exporter is not established in an EU Member State” will apply;
  - Clause 14 and Clause 15 will not apply, because we, as the EU processor, do not combine the personal data we collected with the personal data received from you, as the third country controller;
  - Clause 16 will apply;
  - in Clause 17, these clauses shall be governed by the law of Poland;
  - in Clause 18, any dispute arising from these clauses shall be resolved by the courts of Poland.
12. COOPERATION WITH FURTHER PROCESSORS
- We are entitled to entrust the processing further and give instructions regarding Personal Data to Further Processors that you agree to. The list of Further Processors is attached as Annex No. 2 to this DPA.
- We will notify you of any change to the Further Processors List, which you may object to within a further seven (7) days.
- We will ensure that we use only such Further Processors as provide sufficient guarantees to implement appropriate measures meeting the requirements of the GDPR, other personal data legislation and this Agreement.
- Objecting to a change of Further Processors: (i) may result in our inability to continue to perform the Services, of which we will inform you immediately; (ii) entitles us to terminate the Main Agreement and/or this Agreement on 14 days’ notice without negative legal consequences of such termination. During the notice period, we will not use the activities of the Further Processors to which the objection has been raised regarding the Personal Data.
13. TRANSFER OF PERSONAL DATA
- You acknowledge and accept that the service provision under the Main Agreement may require the processing of Personal Data by Further Processors in countries outside the EEA.
- We transfer Personal Data to a Further Processor located outside the EEA under this DPA. We will, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as:
  - the requirement for us to execute, or procure that the Further Processor executes, to the benefit of the Customer standard contractual clauses approved by the EU authorities under the GDPR; or
  - the existence of any other specifically approved safeguard for data transfers (as recognized under the GDPR) and/or a European Commission finding of adequacy.
- The following terms shall apply to the Standard Contractual Clauses:
  - you may exercise your right of audit under a clause of the standard contractual clauses as set out in, and subject to the requirements of, clause 8 of this DPA; and
  - we may appoint Further Processors as set out in, and subject to the requirements of, Clause 10 of this DPA.
- You shall be deemed to have given us authority to conclude the Standard Contractual Clauses in the relevant module with our Further Processors outside the EEA on your behalf.
- You explicitly agree that we may transfer Personal Data to the entities referred to in Annex No.2.
14. LEGISLATION OF PERSONAL DATA IN USA
- We, as your service providers, in accordance with the US Legislation, are considered “processors”.
- If you are a Controller based in the USA, direct your services to individuals who are resident in the USA (“Residents”) and are bound by US Legislation, specifically the data protection laws of the States of California, Connecticut, Virginia, Colorado and Utah, all provisions of this DPA will apply, and we further declare that we:
  - will not collect, store, use or disclose Residents’ Personal Data except as necessary to fulfill your business purpose according to the Main Agreement, the US Legislation or this DPA;
  - do not provide any remuneration or compensation to you for Personal Data, and you have not sold us the Personal Data entrusted under this DPA;
  - will not sell Personal Data to anyone;
  - do not provide targeted or behavioral advertising services;
  - do not make automated decisions about your end-users and do not profile your end-users.
- We will not be liable for your violations under the US Legislation.
15. MISCELLANEOUS
- If there is a conflict between this DPA and:
  - the Standard Contractual Clauses, the Standard Contractual Clauses will prevail;
  - the UK Addendum, the UK Addendum will prevail.
- In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
- Neither party will be liable for any fines or penalties imposed on the other party by any authority under the GDPR or other data protection legislation for the other party’s violation of the GDPR and/or other data protection legislation.
16. INDEMNITY
- YOU ARE SOLELY RESPONSIBLE FOR ENSURING THAT THE PROCESSING OF PERSONAL DATA COMPLIES WITH THE REQUIREMENTS OF THE GDPR OR OTHER DATA PRIVACY LEGISLATION, FOR EXAMPLE US LEGISLATION, WHICH BINDS YOU.
- WE ARE NOT LIABLE FOR YOUR VIOLATIONS OF PERSONAL DATA PROCESSING REQUIREMENTS RESULTING FROM YOUR ACTS OR OMISSIONS UNDER THE GDPR, US LEGISLATION OR OTHER DATA PROTECTION LEGISLATION WHICH YOU ARE REQUIRED TO APPLY.
17. FINAL PROVISIONS
- Our responsibility as the Processor is stipulated in the Main Agreement.
- The DPA shall become effective as of the date of the Main Agreement, of which it is an integral part.
- Any changes to the DPA must be made in at least electronic form, otherwise being null and void.
- Annexes to the DPA are its integral part:
  - Annex No. 1 – a list of Personal Data that is entrusted to us under this DPA,
  - Annex No. 2 – a list of Further Processors.
- If any provision of DPA is invalid or ineffective, the remaining part of the DPA provisions will be binding and in effect despite this fact.
- The DPA is governed by Polish law, and the Polish courts will resolve any disputes arising out of it if a dispute between you and us is not settled within 30 days.
ANNEX No. 1
A. LIST OF PARTIES
Data exporter(s):
Name: the Party identified as the “Customer” in the Main Agreement,
Address: as identified in the Main Agreement,
Contact person’s name, position and contact details: as identified in the Main Agreement,
Activities relevant to the data transferred under these Clauses: conclusion and performance of the Main Agreement
Signature and date: this DPA and Annex No. 1 are concluded automatically when Customer orders the Services, without separate signatures; the date of concluding DPA and Annex No. 1 is the same as the date at which Customer concludes the Main Agreement.
Role (controller/processor): Controller
Data importer(s):
Name: PerfectBot Sp. z o.o.
Address: Domaniewska Str 44A, 02-677 Warsaw, Poland
Contact person’s name, position and contact details: as identified in the Main Agreement,
Activities relevant to the data transferred under these Clauses: conclusion and performance of the Main Agreement
Signature and date: this DPA and Annex No. 1 are concluded automatically when Customer orders the Services, without separate signatures; the date of concluding DPA and Annex No. 1 is the same as the date at which Customer concludes the Main Agreement.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Users of the PerfectBot platform available on the Controller’s website as part of the Services provided by the Processor
Categories of personal data transferred: ordinary personal data, i.e. name and surname of the person using the PerfectBot platform, e-mail address, address of residence.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: The Processor does not require and it is not its intention to process personal data of a special category of so-called sensitive data as defined in the GDPR.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): continuous.
Nature of the processing: collecting, recording, organizing, ordering, storing, limiting, removing or destroying in electronic form only
Purpose(s) of the data transfer and further processing: performing of the Main Agreement
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: for the entire duration of the Main Agreement and for 30 days after the termination of the Main Agreement;
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: the same as for Processor.
ANNEX No. 2
LIST OF FURTHER PROCESSORS
Each entry below lists: the company of the entity; the Services under which the Processor uses a Downstream Processor; the scope of activities performed; the locations where Personal Data will be processed; and the instrument legalising the transfer outside the EEA (if applicable).

Company of the entity: Google Cloud Poland Sp. z o.o., Emilii Plater 53 Street, 00-113 Warsaw, Poland; Google Ireland Limited, with registered office at Gordon House, Barrow Street, Dublin 4, Ireland; Google LLC, 1600 Amphitheater Parkway, Mountain View, California 94043, United States
Services under which the Processor uses a Downstream Processor: Google Cloud Platform hosting services.
Scope of activities performed: The scope of activities performed is related to the provision of Services by the Processor to the Controller.
Locations where Personal Data will be processed: Any locations where Google or its downstream processors maintain data processing infrastructure, subject to selection of EEA storage locations where possible as set forth in https://cloud.google.com/about/locations#europe.
Instrument legalising the transfer outside the EEA (if applicable): For transfers outside the EEA, standard contractual clauses approved by the European Commission, available at https://cloud.google.com/terms/eu-model-contract-clause, will be included between the Controller and Google LLC as provided in the Agreement.

Company of the entity: as above (Google Cloud Poland Sp. z o.o.; Google Ireland Limited; Google LLC)
Services under which the Processor uses a Downstream Processor: Google Dialogflow Trial Edition natural language processing (NLP) engine services.
Scope of activities performed: The scope of activities performed is related to the provision of Services to the Controller. The Processor does not use “Data logging”, i.e. data sent to Google Dialogflow are not stored there.
Locations where Personal Data will be processed: Any location where Google or its downstream processors maintain data processing infrastructure.
Instrument legalising the transfer outside the EEA (if applicable): In case of transfer of data outside the EEA between the Controller and Google LLC, in accordance with the provisions of the Agreement, standard contractual clauses approved by the European Commission will be concluded, available at https://privacy.google.com/businesses/gdprcontrollerterms/sccs/, which are part of the Agreement https://privacy.google.com/businesses/gdprcontrollerterms/.

Company of the entity: OpenAI, L.L.C., 3180 18th St., San Francisco, CA 94110; OpenAI Ireland Ltd, with registered office at The Liffey Trust Centre 117-126, Sheriff Street Upper, Dublin 1, Ireland, D01 YC43
Services under which the Processor uses a Downstream Processor: OpenAI API
Scope of activities performed: The scope of activities performed is related to the provision of Services by the Processor to the Controller.
Locations where Personal Data will be processed: USA
Instrument legalising the transfer outside the EEA (if applicable): Because of data transfers outside the EEA, standard contractual clauses approved by the European Commission, available at https://cloud.google.com/terms/eu-model-contract-clause, will be included between PerfectBot and OpenAI Ireland Limited as provided in the Agreement (the list of OpenAI’s subprocessors is available at https://platform.openai.com/subprocessors).
This Annex No. 2 is in compliance with the Annex III of the Standard Contractual Clauses.