Data Processing Agreement
This Data Processing Agreement (“Agreement”) is entered into by and between the entity using the services of QuickChart (“Data Controller”) and Alioth LLC d/b/a QuickChart (“Data Processor”) (collectively, the “Parties”).
1.1 “GDPR” means the General Data Protection Regulation (EU) 2016/679.
1.2 “Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.3 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
1.4 “Subprocessor” means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
2.1 The purpose of this Agreement is to ensure that the Data Processor processes Personal Data on behalf of the Data Controller in compliance with the GDPR.
2.2 The Data Processor shall process Personal Data only on documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3. Data Processor Obligations
3.1 The Data Processor shall ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 The Data Processor shall take all measures required pursuant to Article 32 of the GDPR to ensure the security of the Personal Data.
3.3 The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.
3.4 The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Data Processor.
3.5 The Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to processing, and delete existing copies unless European Union or Member State law requires storage of the Personal Data.
3.6 The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
4.1 The Data Processor shall not engage another Subprocessor without prior specific or general written authorization of the Data Controller. In the case of general written authorization, the Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of Subprocessors, thereby giving the Data Controller the opportunity to object to such changes.
4.2 Where a Subprocessor is engaged, the Data Processor shall ensure that a contract is in place with the Subprocessor which imposes the same data protection obligations as set out in this Agreement.
5.1 The Data Processor shall be liable for the damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Data Controller.
5.2 The Data Controller shall be liable for any damage caused by processing only where it has not complied with the obligations of the GDPR specifically directed to controllers.
6.1 This Agreement shall continue in force until terminated by either Party upon thirty (30) days’ written notice to the other Party.
6.2 Upon termination of this Agreement, the Data Processor shall, at the choice of the Data Controller, delete or return all the Personal Data to the Data Controller and delete existing copies unless European Union or Member State law requires storage of the Personal Data.
7. Governing Law and Jurisdiction
7.1 This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States, without regard to its conflict of laws principles.
7.2 Any dispute arising out of or in connection with this Agreement, including any question regarding its existence, validity, or termination, shall be referred to and finally resolved by arbitration under the Rules of the American Arbitration Association, which rules are deemed to be incorporated by reference into this clause. The number of arbitrators shall be one. The seat, or legal place, of arbitration shall be San Francisco, California, United States. The language to be used in the arbitral proceedings shall be English.
8.1 This Agreement constitutes the entire understanding between the Parties with respect to the subject matter hereof and supersedes all prior and contemporaneous agreements, understandings, and negotiations, both written and oral, between the Parties with respect to the subject matter of this Agreement.
8.2 No amendment or modification of this Agreement shall be valid or binding upon the Parties unless made in writing and signed by the Parties.
8.3 If any provision of this Agreement is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
8.4 The failure of either Party to enforce any provision of this Agreement shall not be construed as a waiver of that provision or any other provision.