Data security is a serious matter and it is of immense importance to us that our customers and users are always safe when using our platform. In this section, you will find everything you need to know regarding our security and data management.
1.1 This agreement on collection, storage and use of documents and information (hereinafter the “Data Processing Agreement”) has been entered into by and between
VAT No. 35392610
Danneskiold-Samsøes Allé 41
(hereinafter referred to as “Data Processor”)
[Company Registration No.]
(hereinafter referred to as the “Data Controller”)
(hereinafter jointly referred to as the “Parties” and individually as “Party”)
2.1 Terms and expressions with capital first letters used in this Data Processing Agreement shall have the meanings set out in the General Data Protection Regulation (EU) 2016/679 or the meanings otherwise defined in this Data Processing Agreement.
2.2 “Data Processor’s IT Security Policies” shall mean the policies for IT Security applicable for the Data Processor while processing Personal Data on behalf of Data Controller. The Data Processor’s IT Security Policies applicable at the time of entering into this Data Processing Agreement are enclosed hereto as Schedule 1.
2.3 “Pre-approved Subcontractors” shall be the subcontractors of Data Processor, stated in Schedule 2.
2.4 “Third party” shall mean a natural or legal person, public authority, agency or body other than the Data Subject, Data Controller, Data Processor and persons who, under the direct authority of the Data Controller or Data Processor, are authorized to process Personal Data.
2.5 “Supplier Agreement” shall mean the agreement on supply of services entered into by and between the Parties on [date].
3.1 This Data Processing Agreement concerns the Parties’ obligations under applicable law on Personal Data and the provisions in Data Processor’s IT Security Policies.
3.2 Under this Data Processing Agreement, the Data Controller shall solely or jointly with other parties decide for what purpose and by use of what tools Personal Data may be processed.
3.3 Personal Data may consist of the following elements:
– First name and last name
– Email address
– Name of affiliated legal entity or company
– Password-based Key (with random salt, HMAC digest algorithm)
– Assignment of Data Subject to company units, e.g. country/department/team
– Email templates
– Information on timezone
3.4 Additionally, we will automatically collect the following data during presentation usage sessions from the Data Subject for you in order to provide the Prezentor service, which may include:
– IP Address
– OS Name & Version
– Browser Name & Version
– Screen Resolution
– Language (based on headers sent by browser)
– Usage Date & Time
– Usage Flow (e.g. which presentations, slides were opened and in which order, which emails were opened and which links in emails were clicked, duration of time spent on presentations and specific slides etc.)
– Heat map (e.g. tracking of exactly what was clicked during the usage session, including links, images, selected areas of text etc.)
The types of data, as mentioned above, will additionally be processed and stored for any 3rd party individual, if you or the Data Subject forwards an email with a link to a presentation or sends a link to a presentation directly to the aforementioned 3rd party individual.
3.5 This Data Processing Agreement shall apply to all Data Processor’s current and future deliveries under the Supplier Agreement to all companies within Data Controller’s group of companies, for whom the Data Processor processes Personal Data on behalf of the Data Controller.
3.6 This Data Processing Agreement shall supplement and form part of the Supplier Agreement. In case of any inconsistencies between this Data Processing Agreement and the Supplier Agreement, this Data Processing Agreement shall prevail.
4.1 Data Processor shall process Personal Data on behalf of Data Controller and only in accordance with the lawful, documented instructions of Data Controller, except where otherwise required by applicable law.
4.2 The Data Processor may only process Personal Data upon receipt of a prior specific or general written authorization from the Data Controller, including with regard to the transfer of Personal Data to a third country or an international organisation, unless so required under EU law or any national law to which the Data Processor is subject; if so, the Data Processor shall inform Data Controller about this legal requirement before processing unless the relevant law prohibits such information for reasons of significant public interest.
4.3 This Data Processing Agreement sets out Data Controller’s complete instructions to Data Processor in relation to the processing of the Personal Data and any processing required outside of the scope of these instructions will require prior written agreement between the Parties.
4.4 The Data Processor is not entitled to make use of Data Controller’s Personal Data, information or otherwise for purposes other than fulfilment of this Data Processing Agreement. Data Processor may use anonymized data for historical, statistical or scientific purposes.
5.1 Data Controller shall provide the assistance to Data Processor in connection with the Data Processor’s processing of Personal Data under this Data Processing Agreement, as stated in this Section 5.
5.2 The Data Controller shall comply with any co-operation obligation of the Supplier Agreement. If Data Processor deems necessary specific co-operation obligations from Data Controller, which are not specified in this Data Processing Agreement, then Data Processor will inform Data Controller in writing with reasonable advance notice hereof.
5.3 Data Controller shall be solely responsible for fulfilling the Data Subject’s rights regarding: (1) processing security for any processing of Personal Data which is not processed by Data Processor or any Pre-Approved Subcontractor, (2) notification to the supervisory authority of any Data Security Breach, (3) notification to the Data Subject of any Data Security Breach, (4) consequential analysis of data protection and (5) preliminary hearing.
5.4 Data Controller shall also be solely responsible for fulfilling the Data Subject’s rights regarding: (1) the duty to inform when collecting Personal Data from the Data Subject, (2) the duty to inform if the Personal Data has not been collected from the Data Subject, (3) the Data Subject’s right to access Personal Data, (4) the right to correct Personal Data, (5) the right to be deleted (“the right to be forgotten”), (6) the right to limitation of processing, (7) the duty to notify in connection with corrections or deletions of Personal Data or limitations in the processing activity, (8) the right to data portability and (9) the right to object to processing of Personal Data.
5.5 Data Controller represents and provides to Data Processor its clear consent, that (i) Data Controller is duly authorized to provide the Personal Data provided under this Data Processing Agreement to Data Processor and does so lawfully in compliance with relevant legislation, (ii) Data Processor can use such data for the purposes of performing its obligations under this Data Processing Agreement; (iii) Data Processor may disclose such personal data to any of its Pre-Approved Subcontractors for this purpose; and (iv) if so requested by the Data Controller, Data Processor may transfer such data to countries outside of the country of origin.
5.6 Data Controller also represents and provides that processing by the Data Processor is lawful and that all applicable Principles relating to processing of Personal Data are complied with. Data Controller shall be responsible for, and be able to demonstrate compliance herewith (accountability).
6.1 The Data Processor shall comply with Data Processor’s IT Security Policies. Data Processor shall inform Data Controller in writing each time a change has been made to the Data Processor’s IT Security Policies before such changes take effect. Upon written request, Data Processor shall inform Data Controller of the content of any such changes made to the Data Processor’s IT Security Policies.
7.1 The Parties accept, both for the duration of this Data Processing Agreement and subsequently, not to disclose any Confidential Information to a Third Party. This non-disclosure obligation shall not apply to information which (a) a Party is obliged to disclose under applicable law, regulations or stock exchange rules or (b) a Party’s Confidential Information has been created by the Party itself.
7.2 “Confidential Information” means all information of a technical, business, infrastructural or similar nature, irrespective of whether this information has been documented, except for information which is or will be made available in another way than through breach of this Data Processing Agreement and all Personal Data.
7.3 The Parties shall ensure that employees and consultants who receive Confidential Information are obliged to accept a similar obligation regarding Confidential Information from the other Party and the cooperation in general in accordance with this Data Processing Agreement.
7.4 The Data Processor must further ensure that all people in the company with access to Personal Data being processed on behalf of Data Processor are familiar with this Data Processing Agreement and are subject to the provisions of this Data Processing Agreement.
8.1 The Data Processor must implement appropriate and reasonable technical and organisational measures to ensure a level of security that matches the risks of data processing for the processing of Personal Data which the Data Processor provides under this Data Processing Agreement, including reasonably ensuring a) Pseudonymisation and encryption of Personal Data; b) continuous confidentiality, integrity, availability and robustness of the processing systems and services for which the Data Processor is responsible; c) timely recovery of the availability of and access to Personal Data in case of a physical or technical incident; d) a procedure for regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure processing security; e) that Personal Data is not accidentally or unlawfully destroyed, lost or impaired and against any unauthorized disclosure, abused or in any other way is processed in violation of any applicable law on Personal Data.
8.2 The Parties must jointly determine the appropriate level of technical and organisational measures. When determining this, the Parties must particularly consider the risks related to the processing, i.e. the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Personal Data which has been transmitted, stored or processed in any other way.
8.3 Data Processor shall, upon prior written request from the Data Controller, and within reasonable time-limits provide the Data Controller with sufficient information to document that the above mentioned technical and organisational security measures have been taken.
9.1 For Personal Data being processed by the Data Processor, the Data Processor must cooperate with Data Controller to carry through – both at the time of determining the processing measures and at the time of the actual processing – appropriate technical and organisational measures designed with a view to effectively implementing data protection principles, such as data minimization, and with a view to integrating the necessary guarantees in the processing in order to comply with the requirements of this Data Processing Agreement and applicable law regarding personal data and to protect the rights of the Data Subjects.
9.2 The Data Processor must carry out appropriate technical and organisational measures, for Personal Data being processed by the Data Processor, in order to ensure through the use of standard settings that only personal data necessary for each specific purpose of processing is being processed. This obligation applies to the amount of Personal Data collected and the scope of the Data Processor’s processing and the Data Processor’s storage period and availability. Such measures must particularly through standard settings ensure that personal data is not made available to an unlimited number of natural persons without said natural person’s intervention.
10.1 The Data Processor shall keep records of all categories of processing operations carried out on behalf of Data Controller under its responsibility, which must at least contain:
a) the name and contact information for the Data Processor or its subcontractor and, if relevant, the Data Processor’s representative and the data protection advisor,
b) the categories of processing carried out on behalf of Data Controller,
c) where relevant, transfers of Personal Data to a third country or an international organisation, including identification of this third country or international organisation and documentation of appropriate guarantees; and
d) if possible, a general description of the technical and organisational security measures.
10.2 The records mentioned under Section 10.1 must be in writing, e.g. in electronic form.
10.3 The Data Processor shall make the records available to the regulatory authority or the Data Controller, upon request.
11.1 The Data Processor must continuously report to Data Controller with the agreed contents, quality and frequency. The Data Processor must immediately inform Data Controller of any development which may significantly impair the Data Processor’s current or future ability or possibility to comply with the Data Processing Agreement.
11.2 The Data Processor is obliged to inform Data Controller immediately, if the Data Processor is not able to ensure the correct processing of Data Controller’s Personal Data in accordance with this Data Processing Agreement.
12.1 In case of a Data Security Breach for which the Data Processor is responsible, the Data Processor shall, without undue delay, inform Data Controller hereof.
12.2 This notification must at least:
a) include a description of the nature of the Data Security Breach including, if possible, the categories and the estimated number of affected Data Subjects as well as the categories and estimated number of affected registrations of Personal Data,
b) include the name of and contact information for the data protection officer (DPO) or another point of contact where further information may be obtained,
c) describe the probable consequences of the Data Security Breach,
d) describe the measures taken by the Data Processor or which the Data Processor proposes are taken in order to handle the Data Security Breach including, if relevant, measures to limit the possible consequential damages.
12.3 The Data Processor must document all Data Security Breaches, including the actual circumstances surrounding the Data Security Breach, its consequences and the remedial measures that have been taken.
12.4 This documentation must enable the regulatory authority to check that Data Controller complies with its duty to inform of any Data Security Breach.
13.1 The Data Processor may not use any subcontractors without Data Controller’s prior written approval.
13.2 Data Controller has provided its consent to Data Processor using the Pre-Approved Subcontractors.
13.3 The Data Processor must inform Data Controller of any plans to either add or replace Pre-Approved Subcontractors. When such information has been provided, Data Processor can update the list of Pre-Approved Subcontractors with any newly added subcontractors. Upon request from the Data Controller, Data Processor shall inform Data Controller of the names of any such new subcontractors.
13.4 All communication between Data Controller and the subcontractor shall go through the Data Processor.
13.5 If the Data Processor uses a subcontractor to carry out specific processing activities on behalf of Data Controller, the same data protection obligations as are described in this Data Processing Agreement shall be imposed on the subcontractor in a written agreement which provides the necessary guarantees that the subcontractor will carry out the appropriate technical and organisational measures in such a manner that the processing complies with the applicable legislation. If the subcontractor does not fulfil its data protection obligations, the Data Processor shall remain fully responsible vis-à-vis Data Controller for the fulfilment of the subcontractor’s obligations.
13.6 If the subcontractor does not comply with the provisions of this Data Processing Agreement, the Data Processor will be liable for the subcontractor’s actions or failures to act/breach on the same terms as for its own services.
13.7 The Data Processor is obliged to inform its subcontractors of the provisions of this Data Processing Agreement.
14.1 The Data Controller is responsible for updating Personal Data comprised by this Data Processing Agreement.
14.2 The Data Controller must inform Data Processor of any changes to the Personal Data and provide Data Processor with copies of the updated Personal Data.
15.1 During the term of this Data Processing Agreement, Data Controller has full access to any Personal Data being processed by the Data Processor.
15.2 If Data Controller so requests, the Data Processor is obliged to keep a back-up copy of Personal Data and additional information available in the Data Processor’s systems for up to 3 months after the expiry or termination of the Data Processing Agreement. Provided such request has been made by the Data Processor, the Data Controller may, until the expiration of such 3-month period and irrespective of the reason for the expiry of the Data Processing Agreement, request access to any Personal Data and additional information recorded in such back-up copy.
15.3 Data Processor may only disclose Personal Data and information to Data Controller and/or to a third party appointed by Data Controller.
15.4 The Data Processor must upon Data Controller’s written instructions and within reasonable timeframe, delete Personal Data or any information which has come to the Data Processor’s possession under the Data Processing Agreement.
16.1 The Data Controller and the Data Processor and, where applicable, their representatives, shall cooperate, on request, with the supervisory authority in the performance of its tasks.
17.1 All costs, including costs and disbursement related to revision, inspection and regular implementation of measures under applicable law and to fulfil the Data Processor’s obligations under this Data Processing Agreement shall be borne by the Data Controller and are in addition to any fees paid by the Data Controller under the Supplier Agreement.
18.1 The Data Processing Agreement shall come into force on [date].
18.2 The Data Processing Agreement shall expire when Data Processor no longer processes Data Controller’s Personal Data or when it is terminated by one of the Parties by giving at least 30 days’ prior written notice.
19.1 Data Controller is entitled to audit Data Processor’s compliance with this Data Processing Agreement once per year or else in case of any reasonable suspicion of Data Processor’s non-compliance with this Data Processing Agreement. The Data Controller may audit Data Processor’s compliance with this Data Processing Agreement either by itself or by an inspection body, which must be bound to confidentiality, selected by the Data Controller and approved by Data Processor, and, where applicable, in coordination with the supervisory authority.
19.2 The Data Controller bears the cost of such an audit.
20.1 Data Processor’s liability for damages caused by slight negligence shall, irrespective of its legal ground, be limited as follows:
20.2 Data Processor’s liability under this Agreement shall be limited to an amount equal to the total charges paid under the Supplier Agreement for the twelve (12) months period preceding the event leading to the violation.
20.3 Where no Supplier Agreement has been executed between Data Processor and Data Controller for the purchase of a license, Data Processor’s liability under this Agreement shall be limited to a maximum amount of fifty ($50.00) dollars (USD).
20.4 In no event shall Data Processor be liable, whether in contract or tort, or otherwise for any incidental, indirect, consequential or unforeseeable loss, damage or expense, loss of profits, loss of business, loss of opportunity, loss or corruption of data, however arising, even if advised of the possibility of such loss or damages being incurred.
21.1 If a change in mandatory applicable data protection legislation applicable to Data Controller or to Data Processor requires Data Processor to (i) sign on to any additional documentation for mandatory data protection compliance purposes, or (ii) implement additional technical and organizational measures to the ones listed herein, or (iii) accept additional obligations to those set out herein, and such requirement mentioned in (i) – (iii) above cause additional costs or risks for Data Processor, then the parties agree to negotiate in good faith a fair adjustment of any applicable fees.
21.2 Clause 21.1 shall apply accordingly, in case (i) the Data Controller instructs Data Processor to undertake services not foreseen in this Data Processing Agreement or (ii) mandatory applicable data protection legislation applicable to Data Controller or to Data Processor or the relevant supervisory authority imposes obligations on Data Processor in addition to those set out herein.
22.1 Amendments. The terms of this Data Processing Agreement can only be amended by written agreement between the Parties.
22.2 Independent Parties. The Parties explicitly accept that the relationship between them is a customer-independent contractor relationship.
22.3 Information. The Parties are obliged to act loyally towards each other and to inform each other without undue delay about any changes that may affect this Data Processing Agreement.
22.4 Force majeure. None of the Parties are responsible for any actions or failure to carry out measures to the extent that such actions or such failure is due to matters beyond a Party’s reasonable control, including but not limited to war, uprisings, force majeure, strikes or other work stoppages (either in part or in whole), disturbances of the public telenet, disturbances of internet connections or similar events, but only if said Party could not have predicted the event at the time of taking on the obligation. As long as such an event prevents a Party from performing said obligation, this must be suspended until such disturbance no longer exists.
22.5 Notices. All notices related to this Data Processing Agreement must be made to the other Party either in person or by registered mail.
22.6 Assignment. Data Processor may, either in part or in whole, assign its rights and obligations under this Data Processing Agreement to a third party. The Data Controller may not assign its rights or obligations under this Data Processing Agreement to a third party without Data Controller’s prior written approval.
22.7 Invalid condition. If a condition or a provision in this Agreement is invalid, such invalidity shall not mean that the remaining part of this Data Processing Agreement is invalid. If the applicable law on personal data is changed after the effective date of this Data Processing Agreement, the Data Controller is obliged to accept such changes to this Data Processing Agreement.
22.8 Governing law. This Data Processing Agreement is governed by Danish law with the City Court of Copenhagen as its legal venue. United Nations Convention on Contracts for the International Sale of Goods (CISG) shall not apply to the Data Processing Agreement.
22.9 Complete Agreement. This Data Processing Agreement constitutes the complete and entire agreement on all terms and conditions between Data Processor and the Data Controller.