Last updated: 16 May 2019
Please read the Data Processing Addendum (“DPA") carefully as they form a contract between You (“Customer”) and Us (“Delve AI”). As referenced in the Delve AI Terms of Service available at https://www.delve.ai/tos (“Terms”), this DPA will apply where We and Our Group Companies are processors of personal data. The capitalized terms used in this DPA but not defined herein shall have the same meaning as defined in the Terms. In the event of a conflict between this DPA and the Terms, this DPA shall prevail.
1.1 Definitions: In this DPA, the following terms shall have the following meanings:
1.1 a) "controller", "processor", "data subject", "personal data", "processing" (and "process") and "special categories of personal data" shall have the meanings given in Applicable Data Protection Law; and
b) "Applicable Data Protection Law" shall mean the EU General Data Protection Regulation (Regulation 2016/679) (GDPR) and any other applicable data protection laws and regulations.
1.2 Relationship of the parties: Customer (the controller) appoints Delve AI as a processor to process the personal data forming part of the Service Data (the "Data") for the purposes described in the Terms (or as otherwise agreed in writing by the parties) (the "Permitted Purpose"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3 Prohibited data: Customer shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Delve AI for processing.
1.4 International transfers: Delve AI and its subcontractors may Process personal data outside the EU/EEA area. In case such transfers or Processing takes place, Delve AI ensures that the EU Commission standard contractual clauses 2010/87/EU concerning the transfer of Personal Data to outside the EU/EEA, or a similar legal safeguard approved by the Regulation, will apply to such transfer or Processing.
1.5 Confidentiality of processing: Delve AI shall ensure that any person it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with Delve AI's confidentiality obligations under the Terms.
1.5 Security: The processor shall implement technical and organisational measures to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").
1.7 Subcontracting: Customer consents to Delve AI engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) Delve AI maintains an up-to-date list of its subprocessors at https://www.delve.ai/sub-processors/, which it shall update with details of any change in subprocessors prior to any such change; (ii) Delve AI imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) Delve AI remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. Customer may object to Delve AI's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Delve AI will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Terms (without prejudice to any fees incurred by Customer prior to suspension or termination).
1.8 Cooperation and data subjects' rights: Delve AI shall provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Delve AI, Delve AI shall promptly inform Customer providing full details of the same.
1.9 Data Protection Impact Assessment: If Delve AI believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall inform Customer and provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
1.10 Security incidents: If it becomes aware of a confirmed Security Incident, Delve AI shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Delve AI shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
1.11 Deletion of Data: Following the termination of Customer’s Account by either party, subject to (ii) and (iii) below and the Service Agreement, Service Data will be retained for a period of 14 days from such termination; and (ii) logs are archived for a period of two years (each a “Data Retention Period”). Beyond each such Data Retention Period, Processor shall delete all Service Data in the normal course of operation except as necessary to comply with Processor’s legal obligations, maintain accurate financial and other records, resolve disputes, and enforce its agreements. Service Data cannot be recovered once it is deleted.
Data Subjects are those individuals to whom personal data relates to and are Users or End-Users who interact using the Service(s).
Categories of data
Categories of data refers to the personal data of Users and End-Users, contained in electronic data, text, messages or other materials, submitted to the Service(s) by Customer through Customer’s Account in connection with Customer’s use of the Service(s) and web analytics data.
Subject-matter and nature of the processing
The personal data processed will be subject to the basic processing activities required for the provision of the Service(s) by Delve AI to the Customer that involves the processing of personal data. Personal data will be subject to those processing activities as may be specified in the Terms and the DPA.
Purpose of the processing
Personal data will be processed for purposes of providing the Service(s) set out in a Form, as further instructed by Customer in its use of the Service(s), and otherwise agreed to in the Terms, this DPA and any applicable Form.
Duration of processing
Personal Data will be processed for the duration of the Terms.