Last edited August 14th, 2023
This DPA is entered into between Smint.io GmbH (Smint.io, we, us or our; the Data Processor) and you (”Customer”, ”you”, your, yours, user; the Data Controller) and is governed by the terms of the Smint.io Cloud Service Agreement.
Definitions
Any capitalized term not defined in this section shall have the meaning given to it in the context.
Agreement
Agreement means the Cloud Service Agreement or other agreement between You and us for the provision of Services;
Authorized Affiliate
Authorized Affiliate means Your Affiliate(s) who are permitted to use the Services pursuant to the terms of the Agreement, but who have not signed the Agreement or an Order Document;
Controller
Controller means You or the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data;
Customer Data
Customer Data means all files, content, metadata, Personal Data, Confidential Information, and any other data stored or processed via the Services as requested by you as the Controller.
Data Subject
Data Subject shall have the same meaning as in Data Protection Laws or under any equivalent data protection regulation of applicable law. Without limiting the foregoing, Data Subject essentially means a natural person who is the subject of Personal Data.
Data Protection Laws
Data Protection Laws means all laws and regulations, including laws and regulations of the European Union, the European Economic Area, their member states, the United Kingdom and Switzerland; any amendments, replacements, or renewals thereof, applicable to the processing of Personal Data, including where applicable the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.), (EU Exit) Regulations 2020, the EU GDPR, the Swiss FADP, the UK GDPR and any applicable national laws, regulations and secondary legislation relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426) and the implementing Decision (EU) 2021/914 of 4 June 2021;
DPA
DPA means this Data Processing Agreement together with its Appendices 1 and 2;
Effective Date means date on which you entered into the Agreement;
EU GDPR
EU GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
Personal Data
Personal Data shall have the same meaning as in Data Protection Laws or under any equivalent data protection regulation of applicable law. Without limiting the foregoing, Personal Data means any information that could be used to identify a natural person, directly or indirectly, in particular by reference to a name or personal identification number, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Personal Data is considered to be Confidential Information;
Processor
Processor means us or a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;
Services
Services means the Smint.io Cloud Service, Technical Support or any Professional Services provided by us to You and Authorized Affiliates;
Standard Contractual Clauses (SCC)
Standard Contractual Clauses means the EU model clauses for personal data transfer from controllers to processors and third countries as per Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses;
Purpose
We have agreed to provide Services to you in accordance with the terms of the Agreement. In providing Services, we may process Customer Data on behalf of you. Customer Data may include Personal Data. From the Effective Date, we will process and protect such Customer Data in accordance with the terms of this DPA for the term of the Agreement.
Scope
In providing Services to you pursuant to the terms of the Agreement, we shall process Customer Data only to the extent necessary to provide Services in accordance with both the terms of the Agreement and your instructions documented in the Agreement and this DPA, as may be updated from time to time.
The parties shall take steps to ensure that any natural person acting under their authority respectively who have access to Personal Data do not process Personal Data except on the instructions from you unless he or she is required to do so by any Data Protection Law.
Processor Obligations
We may collect, process, or use Customer Data only within the scope of this DPA.
We confirm that we shall process Customer Data on behalf of you, in accordance with your documented instructions.
We shall promptly inform you, if in our opinion, any of the instructions regarding the processing of Customer Data provided by you, breach any applicable Data Protection Laws.
We shall ensure that all employees, agents, officers, and contractors involved in the handling of Customer Data: (i) are aware of the confidential nature of the Customer Data and are contractually bound to keep the Customer Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by the terms of this DPA.
We shall implement appropriate technical and organizational procedures to protect Customer Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
We shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (i) the pseudonymization and encryption of Customer Data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (iii) the ability to restore the availability and access to Customer Data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing. When assessing the appropriate level of security, in particular the risks associated with the processing must be considered, in particular due to accidental or unlawful destruction, loss, modification, unauthorized disclosure or access to transmitted, stored or otherwise processed customer data.
The technical and organizational measures detailed in Appendix 2 shall be at all times adhered to as a minimum-security standard. You accept and agree that the technical and organizational measures are subject to development and review and that we may use alternative suitable measures to those detailed in the attachments to this DPA provided such measures are at least equivalent to the technical and organizational measures set out in Appendix 2 and appropriate.
You acknowledge and agree that, in the course of providing the Services to you, it may be necessary for us to access the Customer Data to respond to any technical problems or queries and to ensure the proper working of the Cloud Service. All such access by us will be limited to those purposes defined in Appendix 1.
Where Customer Data relating to an EU (or UK or Swiss) Data Subject is transferred outside of the EUROPEAN UNION (or the UK or Switzerland) it shall be processed in accordance with the Standard Contractual Clauses unless the processing: (i) takes place in a third country or territory recognized by the EU Commission as having an adequate level of protection; or (ii) is by an organization located in a country which has other legally recognized appropriate safeguards in place.
Considering the nature of the processing and the information available to us, we shall assist you by having in place appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of your obligation to respond to requests for exercising the Data Subject’s rights and your compliance with your data protection obligations in respect of the processing of Customer Data.
We confirm that we have appointed a data protection officer where such appointment is required by applicable data protection legislation.
Controller Obligations
You represent and warrant that you shall comply with the terms of the Agreement, this DPA and all applicable Data Protection Laws.
You represent and warrant that you have obtained any and all necessary permissions and authorizations necessary to permit us, our Affiliates and Sub-Processors, to execute their rights or perform their obligations under this DPA.
You are responsible for compliance with all applicable data protection legislation, including requirements with regards to the transfer of Customer Data under this DPA and the Agreement.
All Authorized Affiliates who use the Services shall comply with your obligations set out in this DPA.
You shall implement appropriate technical and organizational procedures to protect Personal Data, considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. You shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
You acknowledge and agree that some instructions from you, including destruction or return of data from us, us assisting you with inspections, data protection impact assessments (DPIAs) or providing any assistance under this DPA, may result in additional fees which shall not be unreasonable. In such case, we will notify you of such fees in advance unless otherwise agreed.
Sub-Processors
You acknowledge and agree that: (i) Our Affiliates may be used as Sub-processors; and (ii) we and our Affiliates respectively may engage Sub-processors in connection with the provision of the Services.
We shall not authorize any Sub-processor to process Personal Data without prior notification to you as defined under Compliance, Cooperation and Response.
All Sub-processors who process Customer Data in the provision of Services to you shall comply with our obligations set out in this DPA and we acknowledge and agree that we are fully responsible and liable for any Sub-processor’s processing of Personal Data for the performance of its obligations under this DPA.
You agree that Sub-Processors may transfer Personal Data for the purpose of providing the Services to you in accordance with the Agreement to countries outside the European Economic Area (EUROPEAN UNION). Where Sub-processors are located outside of the EUROPEAN UNION, we confirm that such Sub-processors: (i) are located in a third country or territory recognized by the EU Commission to have an adequate level of protection; or (ii) have entered into Standard Contractual Clauses with us; or (iii) have other legally recognized appropriate safeguards in place.
You authorize us to use the Sub-Processors already engaged by us on the Effective Date and we shall make available to you the current list of Sub-processors in Appendix 3. During the term of this DPA, we shall provide you with prior notification of at least 30 days, via email or postal mail, of any changes to the list of Sub-processor(s) who may process Customer Data before authorizing any new or replacement Sub- processor(s) to process Customer Data in connection with the provision of the Services.
You may object to the use of a new or replacement Sub-processor, by notifying us promptly in writing within ten (10) Business Days after receipt of our notice. If you object to a new or replacement Sub-processor, you may terminate the Agreement or applicable Order with respect to those services which cannot be provided by us without the use of the new or replacement Sub- processor. We will refund you any prepaid fees covering the remainder of the term of the Agreement (or applicable Order) following the effective date of termination with respect to such terminated services.
Transfer of Data
The Processor will assist the Controller and its Affiliates based in the European Territories and/or that process Personal Data of Data Subjects in the European Territories to provide an adequate level of protection for EU, Swiss or UK Personal Data by executing Standard Contractual Clauses with that Sub-Processor on the Controller’s behalf. The Controller hereby appoints the Processor as its agent for the sole purpose of entering such Standard Contractual Clauses on its behalf. The Processor shall provide the Controller with a copy of any Standard Contractual Clauses entered into pursuant to this section promptly on request.
Data Subject Access Requests
You may require correction, deletion, blocking and/or making available the Customer Data during or upon termination of the Agreement. You acknowledge and agree that we will process the request and will reasonably fulfil such request in accordance with our standard operational procedures to the extent possible.
In the event that we receive a request from a Data Subject in relation to Customer Data, we will refer the Data Subject to you unless otherwise prohibited by law. You shall reimburse us for reasonable costs incurred resulting from providing reasonable assistance in dealing with a Data Subject request; provided you receive prior written notice regarding all such costs. In the event that we are legally required to respond to the Data Subject, you will fully cooperate with us as applicable.
Audit
We shall make available to you and subject to a reasonable fee all information reasonably necessary to demonstrate compliance with our processing obligations and allow for and contribute to audits and inspections.
Any audit conducted by you under this DPA shall consist of examination of our most recent reports, certificates and/or extracts prepared by us, or an independent auditor bound by confidentiality provisions at least as strict as those set out in the Agreement. In the event that provision of the same is not deemed sufficient in your reasonable opinion, you may conduct a more extensive audit which will be: (i) at your expense; (ii) limited in scope to matters specific to you and agreed in advance; (iii) carried out during Austrian business hours and upon reasonable notice which shall be not less than 4 weeks unless an identifiable material issue has arisen; and (iv) conducted in a way which does not interfere with our day-to-day business.
This clause shall not modify or limit your rights of audit in accordance with applicable law, instead it is intended to clarify the procedures in respect of any audit undertaken pursuant thereto.
Data Breach
We shall notify you without undue delay after becoming aware of and in any event within 48 hours of discovering any accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to any Customer Data.
We will promptly investigate every security breach and take reasonable measures to identify its root cause(s), mitigate its adverse effect and prevent a recurrence. As information becomes available, unless prohibited by law, we will provide you with a description of the security breach, the type of Customer Data that was the subject of the Data Breach, and other information you may reasonably request concerning the affected Customer Data.
We will take all commercially reasonable measures to secure the Customer Data, to limit the effects of any Data Breach, and to assist you in meeting your obligations under applicable law.
Compliance, Cooperation and Response
We will notify you promptly of any request or complaint regarding the processing of Customer Data, which adversely affects you, unless such notification is not permitted under applicable law or a relevant court order.
We may make copies of and/or retain Customer Data in compliance with any legal or regulatory requirement including, but not limited to, retention requirements.
We shall reasonably assist you in meeting your obligation to carry out data protection impact assessments (DPIAs), taking into account the nature of the processing and the information available to us.
If you are located outside of the EEA you shall notify us within a reasonable time, of any changes to Data Protection Laws in your country or territory, and applicable codes or regulations which may affect our contractual duties. We shall respond within a reasonable timeframe in respect of any changes that need to be made to the terms of this DPA or to the technical and organizational measures to maintain compliance. If we are unable to accommodate reasonably necessary changes, you may terminate the part or parts of the Services which give rise to the non- compliance. To the extent that other parts of the Services provided are not affected by such changes, the provision of those Services shall remain unaffected.
The Controller and the Processor and, where applicable, their representatives, shall cooperate, on request, with the applicable supervisory authority in the performance of their respective obligations under this DPA and Data Protection Laws.
Liability
The limitations on liability set out in the Agreement apply to all claims made pursuant to any breach of the terms of this DPA.
The parties agree that we shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of our Sub-processors to the same extent we would be liable if performing the services of each Sub-processor directly under the terms of the DPA, subject to any limitations on liability set out in the terms of the Agreement.
The parties agree that you shall be liable for any breaches of this DPA caused by the acts and omissions or negligence of your Authorized Affiliates as if such acts, omissions or negligence had been committed by you yourself.
You shall not be entitled to recover more than once in respect of the same loss.
Term and Termination
The term of this DPA shall coincide with the commencement of the Agreement and this DPA shall terminate automatically together with termination or expiry of the Agreement.
We shall at your choice, upon receipt of a written request received within 10 days of the effective date of termination of the Agreement, delete Personal Data according to our internal procedures or return Personal Data to you. We shall in any event within ninety (90) days of termination of the Agreement, delete all Customer Data from our systems and provide you with certificates of such deletion upon request.
If you make a request to have Customer Data deleted earlier than the expiry of aforementioned periods, we shall delete the Customer Data without undue delay, for a reasonable charge unless prohibited from doing so by applicable law.
General
This DPA sets out the entire understanding of the parties with regards to the subject matter herein.
Should a provision of this DPA be invalid or become invalid then the legal effect of the other provisions shall be unaffected. A valid provision is deemed to have been agreed which comes closest to what the parties intended commercially and shall replace the invalid provision. The same shall apply to any omissions.
Subject to any provision of the Standard Contractual Clauses to the contrary, this DPA shall be governed by the law applicable to the terms of the Agreement. The courts that shall have exclusive jurisdiction for the settlement of all disputes arising under this DPA shall be the same as those set out in the terms of the Agreement.
The provisions of this DPA shall survive the termination of other relevant existing Agreement(s) and continue as long as we have possession of your Personal Data.
Any notices under this DPA shall be in writing, sent via email to the email addresses as provided in the Order Documents with a copy sent via email to office@smint.io.
Appendix 1
Overview of data processing activities to be performed by us.
Controller
You in your role as the Data Controller will use the Services or grant users the right to access the Cloud Service in accordance with the terms of the Agreement for transfer of Customer Data identified herein, as it relates to the processing operations.
Processor
We in our role as the Data Processor receive data as identified herein below, as it relates to the processing operations.
Data Subjects
You acknowledge and agree that the categories of Data subjects that use and might process Customer Data via the Services are solely determined by you and your User’s use of the Cloud Service. Notwithstanding the foregoing, the Customer Data processed usually concerns the following categories of Data Subjects:
- Employees, freelancers, and contractors of you.
- Users, Authorized Affiliates and other participants.
- Partners, suppliers, or service providers of you
- Customers of you or your media contacts.
- Any individual to whom you have granted the right to access the Services in accordance with the terms of the Agreement.
- Other individuals to the extent identifiable through their use or registration with the Cloud Service, or through content of files or metadata processed with the Services.
Categories of Customer Data
The categories of Customer Data processed is solely determined by you and your Users use of the Services but when using the Cloud Service as a registered user which may include the User’s full name, email, address, password, and IP address. Customer Data might be stored in database records, metadata and files on file systems which identify or may reasonably be used to identify, Data Subjects.
When using the Cloud Service, you agree and acknowledge that you and your Users will abide by the Acceptable Use Policy (AUP) and that Customer Data including Personal Data is only processed via the Cloud Service with the prior written consent of the Data Subject.
Special categories of Personal Data
We do not require any special categories of Personal Data for using the Services such as, for example only, data of minors. Your and your User’s use of the Services solely determines if and which special categories of Personal Data are stored and processed.
Processing operations
- The Customer Data processed will be subject to the following basic processing activities:
- Customer Data will be processed to the extent necessary to provide the Services in accordance with both the Agreement and your instructions. We process Customer Data only on behalf of you, the Data Controller.
- Processing operations include, but are not limited to:
- Provision of the Cloud Service via our hosting infrastructure.
- Auditing use of the Cloud Service for compliance with the Agreement or applicable law.
- Analyzing the usage of the Cloud Service and Customer Data for the purpose of protecting it against threats or for improving the Cloud Service.
- Provision of Technical support, issue diagnosis and Defect resolution to ensure the efficient and proper running of the systems and to identify, analyze and resolve technical issues both generally in the provision of the Cloud Service and specifically in answer to Support queries of you or your users.
- Informing users about changes, issues or maintenance work related to the Cloud Service.
- Complying with your requests for Professional Services or auditing that involve accessing and processing Customer Data.
- Fulfilling any other obligation set out in the Agreement.
All these operations relate to all categories and aspects of Customer Data processed.
Appendix 2
Technical and Organizational Security Measures
For more information on our technical and organizational security measures, please visit the page Security at Smint.io.
It’s acknowledged and agreed that the technical and organizational security measures that we publish, or that we define in our internal information & security policies will be updated and amended from time to time, at our sole discretion. Notwithstanding the foregoing, the technical and organizational measures will not fall short of those measures described in our information security policies in any material, detrimental way.
Appendix 3
Depending upon the Services ordered pursuant to and set out in the DPA and the Cloud Service Agreement, we use sub-processors for the provisioning of our Services to you, as described therein which can be found at https://www.smint.io/terms-and-policies/ or Order documents. Capitalized terms shall have the meaning as defined in our DPA and the Cloud Service Agreement.
Important note: Sub-Processors defined as “optional” under Purpose are not mandatory and are used depending on your Service and Subscription Plan for providing you with optional Services.
Last edit: 8/14/2023
Sub-Processor | Purpose | Processed Data | Location / Transfer Mechanism | Contact Details / Additional Information |
---|---|---|---|---|
Chatlio | Handling of support requests (chat) | Administrators only. User ID, name, email address, browser and browser version, operating system and operating system version, location, IP address of the administrator issuing the support request, chat history about the support request | USA (SCCs) | Chatlio LLC 1329 N 47th St, Ste 31231, Seattle, Washington 98103, United States https://chatlio.com/ https://chatlio.com/legal/privacy-policy/ |
Cloudinary | Image, video & document processing (generation of previews and thumbnails) | Mandatory for resources, optional for assets. Processes personal data as depicted or contained in images or videos, audio files, or documents (both in file content and in metadata associated with the file) | USA (SCCs) | Cloudinary Inc. 3400 Central Expressway, Suite 110 Santa Clara, CA 95051, United States https://www.cloudinary.com https://cloudinary.com/privacy |
ConvertAPI | Document processing (generation of previews and thumbnails) | Optional for document assets. Processes personal data as contained in document files (both in file content and in metadata associated with the file) | Lithuania (E.U. GDPR) | ConvertAPI, Lauksargio g. 111, 10105 Vilnius, Lithuania https://www.convertapi.com https://www.convertapi.com/terms |
Front | Handling of support requests (email) | Name, email address, chat history about the support request | USA (SCCs) | Front Inc. 1455 Market Street, floor 19, San Francisco, United States https://www.front.com/ https://front.com/legal/privacy-notice/ |
HubSpot | Sending of email newsletters | Administrators only. Name, email address of the administrator, opt-out information, email newsletter history | USA (SCCs) | HubSpot Inc., 25 First Street, 2nd Floor, Cambridge, MA 02141, United States https://www.hubspot.com https://legal.hubspot.com/privacy-policy |
Invoiced | Invoicing, subscription management | Administrators (invoice recipients) only. Name and email address of the invoice recipient | USA (SCCs) | Invoiced Inc. 5301 Southwest Pkwy, Ste 470 Austin, Texas, 78735, United States https://www.invoiced.com https://invoiced.com/privacy |
Kickbox | Email address verification | Email address | USA (SCCs) | Kickbox Inc. 2030 Main St, Suite 500 Dallas, Texas, 75201, United States https://kickbox.com/ https://docs.kickbox.com/docs/privacy-policy |
Microsoft Ireland Operations Limited | Data center operations | User ID, name, email address, password, personal settings, IP address, requests & approvals, information about downloads; Personal data as depicted or contained in images or videos, audio files, or documents (both in file content and in metadata associated with the file); Optional: 3rd party authentication tokens (pass-through authentication), proprietary information (generated by extensions of our platform through our SDKs) | Ireland (E.U. GDPR) | Microsoft Ireland Operations Limited 70 Sir John Rogerson's Quay Dublin 2, Ireland https://microsoft.com Using Microsoft Azure datacenters in the Netherlands or the EEA. See Azure Compliance Information. |
Mixpanel | In-product analytics | Administrators only. User ID, name, email address, IP address, location, browser information, user activity | USA (SCCs) | One Front Street, 28th Floor, San Francisco, CA 941, USA https://mixpanel.com/ https://mixpanel.com/terms/ |
Segment | In-product analytics middleware | Administrators only. User ID, name, email address, IP address, location, browser information, user activity | USA (SCCs) | 100 California Street Suite 700 San Francisco, CA 94111 United States https://segment.com/ https://segment.com/docs/legal/privacy/ |
SendGrid | Transactional email sending | Name and email address of the email recipient, email sending data (like success / failure information) | USA (SCCs) | Sendgrid Inc. 1801 California St #500 Denver, CO 80202, United States https://sendgrid.com/ https://sendgrid.com/policies/privacy/ |
Sentry | Error tracking | If available. User ID, name, email address, IP address, browser information, browser log entries | USA (SCCs) | Functional Software, Inc. dba Sentry 45 Fremont Street, 8th Floor San Francisco, CA 94105, United States https://sentry.io/ https://sentry.io/privacy/ |
Slack | Handling of support requests (chat) | Administrators only. User ID, name, email address, browser and browser version, operating system and operating system version, location, IP address of the administrator issuing the support request, chat history about the support request | USA (SCCs) | Slack Technologies Inc. 500 Howard Street, San Francisco, CA 94105, United States https://www.slack.com https://slack.com/privacy-policy |
Stripe | Credit card processing | Administrators only. Name and email address of the paying user; transactional data to process the payment (see Stripe privacy policy) | USA (SCCs) | Stripe Inc. 510 Townsend Street San Francisco CA 94103 United States https://www.stripe.com https://stripe.com/at/privacy |