All policies and documents related to doing business with Softbrik can be found here. Should any information be missing - drop us a Voice Message.
Softbrik Agreement for Data Processing
Last revised on March 20, 2022, effective as of July 1st, 2021
This data processing agreement is concluded between the parties mentioned below. It explains in detail how personal data is collected, stored, retrieved, and processed by users of the Softbrik platform. Please read it carefully and for any questions reach out to us at firstname.lastname@example.org.
Softbrik OÜ, registry code 14597527, address Hobujaama tn 4, 10151 Tallinn, Harju County, Estonia and/or its wholly owned subsidiary, Softbrik Health S.a.rl., registry code B245839, address 21 Rue Glesener, L-1631, Luxembourg, with email id email@example.com, henceforth called (“Processor”), and represented by their legal representative,
legal entity who consents to Softbrik’s terms and conditions to legally receive services by clicking the Submit button of the Sign-up form (“Controller”),
The Controller and the Processor are hereinafter jointly referred to as the Parties and separately as the Party.
2.1 Applicable data protection legislation – any applicable legislation relating to data protection and security, including the
- European Directive on Privacy and Electronic Communications (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector)
- General Regulation on the Protection of Personal Data or GDPR (Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC) and their amendments, replacement, or extensions (hereinafter together referred to as “EU legislation”),
- All binding national laws within European Union implementing EU law and other binding data protection or data security directives, laws, regulations, and decisions in force at the relevant time.
- California Consumer Privacy Act or CCPA (Directive AB-375 of the California State Legislature, United States of June 28th, 2018)
- and California Privacy Rights Act or CPRA (Proposition 24 of the California State Legislature, United States of November 3, 2020)
2.2 Personal data – data relating to an identified or identifiable natural person. An identifiable natural person is a person who can be identified, directly or indirectly, by an identifier, such as name, address, social security number, subscriber number, IP address, location data, online identifier, traffic data or message content, or on the basis of one or more factors related to the physical, physiological, genetic, mental, economic, cultural, or social identity of the natural person concerned.
3.1 The Processor shall grant the Controller access to the Softbrik web platform on the basis of an Agreement concluded between the Parties. The purpose of this data processing agreement is to ensure the protection and security of personal data transmitted by the Controller to the Processor under the Agreement. In connection with the Agreement, the Processor shall process, on behalf of the Controller, personal data received from the Controller relating to the employees, members, or customers of the Controller for whom the Controller is a Controller of personal data in accordance with applicable data protection legislation. The amount of personal data collected by the Controller regarding individuals can be decided by the Controller through platform functionalities. In order to comply with applicable data protection legislation and to ensure an adequate level of protection of personal data transmitted to the Processor, the Parties agree to the following Obligations of the Controller [Section 4] and Obligations of the Processor [Section 5].
4. Obligations of the Data Controller
4.1. The Controller agrees and confirms that the processing of personal data by the Controller within the framework of the performance of the Agreement takes place in compliance with applicable data protection legislation and this data processing agreement.
4.2. The Controller agrees and confirms that he/she has authorized and during the processing of personal data in connection with the Agreement, authorizes the Processor to process personal data on behalf of the Controller.
4.3. The Controller agrees to provide the Processor with the necessary information and documentation upon request to fulfil the obligations of the processor arising from the applicable data protection legislation.
4.4. The Controller is fully responsible for requiring and maintaining the explicit consent of data subjects to process their personal data where the applicable data protection legislation requires such consent (e.g. processing special categories of personal data such as health data). Processor’s personnel do not have access to Controller’s Information and hence cannot take any responsibility, directly or indirectly, under any circumstances, for any private information submitted to the system with or without prior consent.
5. Obligations of the Data Processor
5.1. The Controller shall ensure that the processing of relevant personal data arising from the Agreement complies with the requirements of the applicable data protection legislation, the terms of the Agreement and this data processing agreement and that the rights of data subjects are duly protected. The Processor and third parties employed or involved by the Processor may process personal data only in accordance with the requirements of this data processing agreement and the Agreement and following other instructions issued or documented by the Controller as necessary.
5.2. The personal data processed by the Processor on the basis of this data processing agreement are described in the personal data instructions (Annex A). The personal data instructions specify the types of personal data processed by the Processor under the Agreement, the purposes of the processing of personal data and the technical and organizational security measures to be applied by the Processor to protect personal data and other details required by applicable data protection legislation.
5.3. The Processor shall not process personal data to a greater extent than is necessary for the performance of the Agreement and the data processing agreement by the Processor. The Processor agrees that, in the absence of explicit written consent, he or she shall not have the right to process personal data for purposes other than those agreed in the Agreement and the data processing agreement. If mandatory European Union or national law applicable to the Processor prohibits the Processor from complying with the Agreement or the instructions given or alternatively requires further processing beyond the Agreement or the data processing agreement, the Processor shall immediately inform the Controller of the relevant legal requirement prior to processing, or notify the Controller that the Processor cannot fulfil the Agreement or the given instructions. In addition, the Processor shall immediately inform the Controller if, in his opinion, the instruction given by the Controller infringes the applicable data protection legislation.
5.4. The Processor shall keep the personal data confidential and shall ensure that all persons who are to process the personal data are informed of their confidential nature, have received appropriate training on their responsibilities and have undertaken or are bound by an appropriate legal obligation of confidentiality. The respective obligation of confidentiality shall remain in force after the termination of this data processing agreement and/or the Agreement.
5.5. The Processor shall implement appropriate technical and organizational measures to protect the personal data processed against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. Such measures shall ensure a level of security commensurate with the risks of processing.
5.6. Considering the nature of the processing and the information available, the Processor shall also assist the Controller in ensuring that the Controller fulfils its obligations related to the security of personal data, such as reporting data breaches, risk and impact assessments and advising in accordance with applicable data protection law.
5.7. In the event of an actual or reasonably suspected personal data breach or other imminent enforcement proceedings against the Processor concerning the processing of personal data under a data processing agreement, the Processor shall notify the Controller in writing without delay and no later than forty-eight (48) hours after becoming aware of the breach. After receiving the prior approval of the Controller, the Processor shall try to resolve the situation quickly and prevent further damage and mitigate the effects of the respective case. In the notification, the Processor shall provide the Controller with all data necessary for the Controller to fulfil his/her notification obligation and to eliminate and mitigate the effects of the personal data breach in accordance with the applicable data protection legislation. Where possible and reasonable, the Processor shall provide appropriate remedial services to data subjects upon request.
5.8. The Processor shall also document the violations of personal data related to the Agreement, outlining the circumstances of the violation, its effects and the corrective measures taken. This documentation must enable the supervisory authority to verify compliance with the applicable data protection legislation. The documentation may contain only the information necessary for that purpose.
5.9. The Processor shall, at the request of the Controller and without additional charge, cooperate and assist the Controller with information on appropriate technical and organizational measures to ensure the data subject’s rights under applicable data protection law, including:
(i) Provide the Controller with a copy of the data subject’s personal data;
(ii) Open, correct, delete personal data or restrict the processing of personal data.
The Processor shall provide the requested assistance with the necessary documents and information within ten (10) days of the request of the Controller.
5.10. If a data subject, supervisory or government agency (e.g. the Data Protection Inspectorate) or another third party requests personal data be processed under the Agreement from the Processor, the Processor shall direct the respective request to the Controller. The Processor shall not disclose personal data or other information concerning the processing of personal data without the prior written consent of the Controller unless the Processor is required to disclose such data under mandatory European Union or national law. In the latter case, the Processor shall immediately notify the Controller of the application to the extent permitted by law.
5.11. The Processor shall provide, without charge to the Controller, all data and documentation and provide the assistance necessary to the Controller to comply with all the requirements of the applicable data protection legislation and to demonstrate compliance with these requirements with respect to personal data related to the Agreement. In addition, the Processor shall allow and facilitate audits by regulatory and/or supervisory authorities.
5.12. The Processor must always keep and make available up-to-date data on processing operations, including the name, contact details, representative (including data protection officer, if applicable) and location of each legal entity acting as a (sub)processor, the types of processing carried out on behalf of the Controller, and, where applicable, the nature of the international transfer of data (including the countries concerned and the documentation on the applicable transfer mechanisms). The Processor shall, at the request of the Controller and without undue delay, provide the Controller with the documentation provided for in this point so that the Controller can comply with the applicable data protection legislation.
5.13. The Processor shall ensure that the Controller has the right to understand the Processor’s mechanisms involving their business (and shall ensure that the Processor has equivalent control and audit rights regarding third-party sub-processors) in order to verify that the Processor’s processing activities and related technical and organizational security measures are in accordance with this obligation set out in the data processing agreement, the Agreement or applicable data protection law.
6. Transfer of Personal Data to a Third Party
6.1. The Processor shall not have the right to transfer personal data to a third party or to grant access to a third party, e.g. by giving remote access to personal data (all understood as a transfer) or to involve sub-processors to process personal data (the above-mentioned transfer and sub-processing activities are collectively referred to as the transfer of personal data to a third party), except for the list of service providers mentioned in the relevant section of the website, such as the ‘Service-providers’ page (https://softbrik.com/service-providers).
6.2. In the future, if the list of such service providers expands, the Processor will periodically inform the Controller in writing. Once informed, the transfer of personal data by the Processor shall be subject to the establishment of the same data protection obligations as provided for in this data processing agreement before the transfer of personal data to the relevant third party. The consent shall not be required for those sub-processors (service providers) listed in the relevant section of the website, such as the ‘Features’ page (https://softbrik.com/service-providers).
6.3. This consent shall be valid until the earliest of the following: (i) if the Controller notifies the Processor of the withdrawal of the consent; or (ii) if the Processor notifies the Controller that the Processor no longer uses the approved third party for that purpose.
6.4. If the Controller does not consent to the transfer of personal data to a third party for a reason that the Controller considers reasonable, the Processor shall continue to perform the Agreement and the data processing agreement under the agreed conditions until the following events occur: (i) The Parties have agreed to terminate the Agreement related to the processing of personal data and have ensured the return of the relevant personal data to the Controller (or deletion, as the case may be) or have agreed to transfer the Agreement to a new service provider, which can in no case take longer than three (3) months; or (ii) the Parties have agreed how the performance of the Agreement will continue, including the relevant costs and in a manner reasonably acceptable to the Controller.
6.5. If the third party sub-processor does not comply with the applicable data protection legislation or does not comply with the data protection obligations arising from the Agreement with the Controller, the Processor shall remain liable to the Controller for the third party obligations under applicable data protection legislation and the relevant Agreement only where Processor has not complied with obligations of data protection legislation or where Processor has given such instructions to the third party sub-processor which led the third party sub-processor to noncompliance with data protection legislation or the Agreement.
Important: Impact of Work from Home and Remote Work on 3rd Party Data Processing
In light of the Covid pandemic, it is possible that a significant majority of the Processor’s team handling Data is working remotely at any moment in time. The Processor shall ensure that at any time data needs to be handled remotely, it is processed using the appropriate list of service providers as mentioned in Section 6.1 with reasonable data security (https://softbrik.com/security) for prevention of any abuse of information.
7. Termination of processing of Personal Data
If the processing of personal data is no longer necessary under the Agreement or if the respective Agreement terminates or is terminated, the Processor shall delete or return to the Controller all personal data processed by the Processor under the Agreement, unless otherwise required by applicable data protection legislation. Upon deletion of personal data, the Processor shall immediately confirm the destruction of personal data at the request of the Controller. If the Controller requests the return of personal data, the Processor shall return all personal data in the manner and form requested by the Controller and delete all existing copies thereof.
The Processor shall not be liable for any damage caused in the course of processing the data in any shape or form including any security vulnerability due to underlying provider’s service malfunction or any malware or any human errors. Processor shall only be responsible for carrying out legally required tasks. The Controller shall reimburse the Processor for all costs and protect it against claims, damages and expenses incurred by the Processor or for which the Processor may be held liable in connection with the performance of its obligations under this data processing agreement due to the Controller or its employees or agents. The obligations set out above shall survive the termination, cancellation or expiration of this data processing agreement and/or the Agreement.
This data processing agreement is valid as long as the Processor processes personal data on behalf of the Controller on the basis of the Agreement.