Skip links

Data Processing Agreement (DPA)

Last Updated: January 15, 2024 (Version 1.0.0)

 

Reporfy, S.L.U

 

   1.         Subject of the Agreement

 

This Agreement pertains to the contractual relationship between Reporfy, S.L.U, located at Calle Pascual y Genis, 20-3. 46002 Valencia, Spain (referred to as the "Processor") and the customer (referred to as the "Customer"). The Parties, which include the Processor and the Customer, have entered into an agreement (referred to as the "Contract") for the provision of the Processor's software to the Customer. Within the scope of this Contract, it is possible that the Processor may handle personal data as defined in Article 4, Paragraph 1 of the General Data Protection Regulation ("GDPR"). Personal data includes any information related to identified or identifiable natural persons (such as names, addresses, or phone numbers of individuals who are customers of the Customer). The Customer, in this context, acts as a data controller under data protection law. This Agreement outlines the respective data protection obligations and rights of the Parties concerning the Processor's utilization of Customer Data to deliver services as stipulated in the Contract.

   2.         Scope of the Processing

 

             2.1.    The Processor shall undertake the processing of Customer Data on behalf of and in accordance with the instructions provided by the Customer, as defined in Article 28 of the GDPR. The Customer shall retain its status as the data controller as per Article 28 of the GDPR.

 

             2.2.    The processing of Customer Data by the Processor shall occur in the manner, scope, and for the purposes specified in Annex 1 of this Agreement. This processing pertains to the types of personal data and categories of data subjects as detailed therein. The duration of the processing aligns with the duration of the Contract.

 

             2.3.    The Processor retains the option to anonymize or aggregate the Customer Data to a degree where the identification of individual data subjects is no longer possible. These anonymized and aggregated data may be utilized for purposes such as tailored design, machine learning, development, optimization, and the provision of services as agreed upon in the Contract. Both Parties acknowledge that such anonymized and aggregated Customer Data, as per the aforementioned criteria, are not considered Customer Data for the purposes of this Agreement.

 

             2.4.    The Processor may, within the bounds of data protection law, process and utilize the Customer Data for its own purposes as a data controller. This usage is subject to legal permissions and is not governed by this Agreement.

 

             2.5.    The processing of Customer Data by the Processor will primarily occur within the European Union or another state that is a party to the European Economic Area (EEA) agreement. However, the Processor is allowed to process Customer Data outside the EEA in compliance with the provisions of this Agreement, provided that the Processor informs the Customer in advance (e.g., through the privacy policy) regarding the location of data processing. Additionally, such processing outside the EEA must meet the requirements specified in Articles 44 to 48 of the GDPR or fall under an exception as defined in Article 49 of the GDPR.

 

   3.         Right of the Customer to Issue Instructions

 

             3.1.    The Processor is responsible for processing Customer Data in accordance with the instructions provided by the Customer, unless there is a legal obligation to do otherwise. If the Processor is legally required to deviate from the Customer's instructions, the Processor will inform the Customer of this legal requirement before proceeding, unless such notification is prohibited by law for significant public interest reasons.

 

             3.2.    The instructions given by the Customer are primarily defined and documented in the terms of this Agreement. Any individual instructions that differ from the terms of this Agreement or impose additional requirements will require the explicit consent of the Processor.

 

             3.3.    The Processor is obligated to ensure that Customer Data is processed in accordance with the instructions provided by the Customer. If the Processor believes that a Customer instruction contradicts the terms of this Agreement or applicable data protection laws, the Processor has the right, after notifying the Customer, to suspend the execution of the instruction until the Customer confirms it. Both Parties acknowledge that the ultimate responsibility for the processing of Customer Data in line with the instructions rests with the Customer.

 

   4.         Legal Responsibility of the Customer

 

             4.1.    The Customer bears full responsibility for ensuring that the processing of Customer Data is conducted in compliance with legal requirements and for safeguarding the rights of data subjects in the relationship between the Parties. In the event that third parties make claims against the Processor related to the processing of Customer Data in accordance with this Agreement, the Customer shall promptly indemnify the Processor against all such claims upon first request.

 

             4.2.    It is the Customer's responsibility to provide the Processor with Customer Data in a timely manner for the provision of services under the Contract, and the Customer is accountable for the quality of the Customer Data. If, during the examination of the results provided by the Processor, the Customer identifies errors or irregularities related to data protection provisions or Customer instructions, the Customer must promptly and fully inform the Processor.

 

             4.3.    Upon request, the Customer must furnish the Processor with the information specified in Article 30, paragraph 2 of the GDPR, to the extent that such information is not already available to the Processor.

 

             4.4.    In cases where the Processor is obliged to provide information to a government authority or individual regarding the processing of Customer Data or to cooperate with such entities in any manner, the Customer is obligated to assist the Processor in fulfilling such information requests and other appropriate cooperation obligations upon the Processor's first request.

 

   5.         Requirements for Personnel and Systems

 

The Processor is obligated to require all individuals involved in the processing of Customer Data to maintain confidentiality regarding the handling of Customer Data.

 

   6.         Security of Processing

 

             6.1.    Security of the processing of Customer Data is ensured through the implementation of necessary and appropriate technical and organizational measures as specified in Article 32 of the GDPR. These measures take into consideration the current state of technology, the costs of implementation, the nature, scope, context, and purposes of the Customer Data processing, as well as the varying risks to the rights and freedoms of data subjects. The aim is to guarantee an appropriate level of protection for Customer Data in line with the associated risks. The specific technical and organizational measures are detailed in Annex 6.1 of this Agreement.

 

             6.2.    The Processor reserves the right to modify these technical and organizational measures during the term of this Agreement, provided that such modifications continue to align with the legal requirements for data protection.

 

   7.         Engagement of Further Processors

 

             7.1.    The Customer grants the Processor general authorization to engage further processors for the processing of Customer Data. A list of further processors engaged at the time of this Agreement's conclusion is provided in Annex 2. Generally, no specific authorization is required for contractual relationships with service providers that involve the examination or maintenance of data processing procedures or systems by third parties or that entail other additional services, even if such relationships may involve access to Customer Data. However, the Processor is obligated to take reasonable steps to ensure the confidentiality of Customer Data in such cases. To receive notifications regarding the addition or replacement of existing subprocessors, the Customer may subscribe to a mailing list using the provided link. Notifications of subprocessor changes will be sent at least 14 days prior to any modifications, allowing the Customer the opportunity to raise objections. The Customer can only object to such changes for substantial reasons, which must be substantiated to the Processor. If the Customer does not raise objections within 14 days of receiving the notification, their right to object to the engagement of the subprocessor will expire. In the event of an objection, the Processor is entitled to terminate the Contract and this Agreement, with a notice period of three months effective until the end of a month.

 

             7.2.    Any agreement between the Processor and a further processor must impose obligations on the further processor that are equivalent to those imposed on the Processor by this Agreement. The Parties agree that this requirement is satisfied if the contract provides a level of protection equivalent to that outlined in this Agreement.

 

             7.3.    The provisions of this Section 7 also apply if a further processor in a third country is involved, provided that the requirements of Section 2.5 of this Agreement are met. The Customer authorizes the Processor to enter into an agreement with another processor on behalf of the Customer, based on the standard contractual clauses for the transfer of personal data to processors in third countries, as per the decision of the European Commission dated June 5th, 2021. The Customer expresses its willingness to cooperate in fulfilling the requirements of Article 49 of the GDPR as necessary.

 

   8.         Data Subjects' Rights

 

             8.1.    The Processor shall reasonably assist the Customer in fulfilling the Customer's obligations to respond to requests for exercising data subjects' rights.

 

             8.2.    If a data subject submits a request directly to the Processor to exercise their rights, the Processor will promptly forward this request to the Customer.

 

             8.3.    The Processor shall inform the Customer about any information related to the stored Customer Data, recipients of Customer Data to whom the Processor may disclose it as per the Customer's instructions, and the purpose of storage, provided the Customer does not already possess this information and cannot collect it independently.

 

             8.4.    Within reasonable and necessary limits, the Processor shall facilitate the Customer in correcting, deleting, or restricting the further processing of Customer Data, or the Processor will carry out such actions at the Customer's instruction if the Customer is unable to do so. In such cases, the Processor shall be entitled to reimbursement for expenses and costs incurred, substantiated to the Customer.

 

             8.5.    If a data subject has a right to data portability vis-à-vis the Customer regarding Customer Data as per Article 20 of the GDPR, the Processor shall assist the Customer within reasonable and necessary bounds in providing the Customer Data in a structured, commonly used, and machine-readable format if the Customer is unable to obtain the data elsewhere. In such cases, the Processor shall be entitled to reimbursement for expenses and costs incurred, substantiated to the Customer.

 

   9.         Notification and Support Obligations of the Processor

 

             9.1.    The Processor shall promptly inform the Customer of any reportable security breaches regarding Customer Data that fall under the Processor's responsibility. If the Customer has a legal obligation to notify authorities or data subjects of such breaches (particularly under Articles 33 and 34 of the GDPR), the Processor shall support the Customer in fulfilling these notification obligations upon the Customer's request, to the extent that it is reasonable and necessary. The Processor shall be entitled to reimbursement for the expenses and costs incurred in providing such support, which shall be substantiated to the Customer.

 

             9.2.    The Processor shall also assist the Customer, as necessary and reasonable, in conducting data protection impact assessments and any subsequent consultations with the supervisory authority, as required by Articles 35 and 36 of the GDPR. In such cases, the Processor shall be entitled to reimbursement for the expenses and costs incurred in providing assistance, which shall be substantiated to the Customer.

 

10.         Deletion and Return of Customer Data

 

         10.1.    Upon termination of this Agreement, the Processor shall, at the Customer's discretion:

a)    Either delete or return the Customer Data to the Customer.

b)    Delete any existing copies of the Customer Data.

 

         10.2.    However, the Processor may retain documentation that serves as evidence of the proper and accurate processing of Customer Data, even after the termination of this Agreement. This retention may be necessary for compliance with legal obligations.

 

11.         Evidence and audits

 

         11.1.    The Processor is obligated to furnish the Customer, upon request, with all necessary information to demonstrate adherence to the obligations specified in this Agreement.

 

         11.2.    The Customer holds the right to conduct audits, including inspections, of the Processor's operations to ensure compliance with the terms outlined in this Agreement, especially pertaining to the implementation of technical and organizational measures.

 

         11.3.    For audit purposes in accordance with Section 11.2, the Customer is authorized to access the Processor's business premises where Customer Data is processed during regular business hours (from Monday to Friday, 10 am to 6 pm). This access must be preceded by timely notification, as described in Section 11.5, and it will be at the Customer's expense. The audit should not disrupt the Processor's normal business operations and must be conducted with strict confidentiality regarding the Processor's business practices and proprietary information.

 

         11.4.    The Processor, at its discretion, may choose not to disclose sensitive information about its business, especially if such disclosure would breach statutory regulations or other contractual obligations. The Customer's access during the audit is limited to information directly related to the agreed audit objectives and does not extend to data about the Processor's other clients, financial details, quality control, contract management reports, or any other confidential information not relevant to the audit.

 

         11.5.    The Customer is responsible for informing the Processor well in advance, typically at least two weeks beforehand, of all circumstances related to the audit. The Customer may perform one audit per calendar year, not exceeding this limit.

 

         11.6.    In cases where the Customer engages a third party to conduct the audit, the Customer is required to impose the same obligations on the third party as those imposed on the Customer concerning the Processor, as detailed in this Section. Furthermore, a written agreement must obligate the third party to maintain confidentiality, unless they are subject to a professional obligation of secrecy. Upon request from the Processor, the Customer must promptly provide the Processor with copies of the commitments and confidentiality agreements with the third party. The Customer is prohibited from commissioning any of the Processor's competitors to carry out the audit.

 

         11.7.    At the Processor's discretion, instead of conducting an audit, proof of compliance with the obligations under this Agreement may be provided by submitting a current opinion or report from an independent authority (e.g., auditor, audit department, data protection officer, IT security department, data protection auditors, or quality auditors) or a relevant certification in IT security or data protection audit (referred to as the "Audit Report"). The Audit Report should sufficiently demonstrate the Processor's adherence to the contractual obligations defined in this Agreement, allowing the Customer to be reasonably assured of compliance.

 

12.         Contract term and termination

 

The duration and termination of this Agreement align with the term and termination provisions established in the Contract. If the Contract is terminated, this Agreement is automatically canceled. Terminating this Agreement in isolation is not possible.

 

13.         Liability

 

         13.1.    The Processor's liability as defined in this Agreement adheres to the disclaimers and liability limitations as outlined in the Contract. In cases where third parties assert claims against the Processor due to the Customer's culpable breach of this Agreement or any of the Customer's obligations as the data controller under data protection regulations, the Customer is obligated to indemnify and absolve the Processor from these claims upon initial request.

 

         13.2.    Furthermore, the Customer commits to indemnify the Processor upon initial request for any potential fines imposed on the Processor, which are proportionate to the Customer's share of responsibility for the violation that led to the imposition of the fine.

 

14.         Final provisions

 

         14.1.    If any individual provisions of this Agreement are found to be ineffective, become ineffective, or contain gaps, the remaining provisions shall remain valid and unaffected. The Parties commit to replacing the ineffective provision with a legally permissible provision that best serves the purpose of the ineffective provision and satisfies the requirements of Art. 28 GDPR.

 

         14.2.    In the event of conflicts between this Agreement and other agreements between the Parties, especially the Contract, the provisions of this Agreement shall take precedence.

 


 

Annex 1

Further Information on the Processing of Customer Data

 

1

Purpose and extent of Data Processing

The Reporfy software is delivered through various user-friendly interfaces, including web, desktop, and mobile applications. It serves as a versatile platform for report creation, collaborative efforts, and seamless distribution. Additionally, it facilitates the comprehensive gathering, secure storage, meticulous analysis, and insightful reporting of data and metrics pertaining to reader engagement with reports. This pivotal role aligns with the Processor's commitments as outlined in the Contract. Furthermore, the Reporfy software harnesses the capabilities of advanced language models, such as Generative Pre-trained Transformer models (referred to as "GPT"), to enhance presentation generation, automate the annotation of slide content, and transform images employed throughout the web application into a refined vector representation.

2

Types of personal data

The types of data encompassed within our purview include contact data, usage data, information manually entered by the Customer within the Software (including prompts), Employee Data, Customer Data, Supplier Data, User-generated Data, User data, Profile data, Usernames, passwords, email addresses, log files, and data pertaining to reader interactions with reports.

3

Categories of data subjects

Our scope encompasses individuals who utilize the Reporfy software, readers of reports, and potentially other data subjects referred to or included in the information entered by the Customer within the Software.


 

Annex 6.1

 

Technical and Organizational Measures according to Art. 32 GDPR

 

In compliance with Art. 32 of the General Data Protection Regulation (GDPR), both the data controller and the data processor are obliged to implement technical and organizational measures (TOM) to guarantee the security and data protection requirements. Technical measures encompass all safeguarding actions that can be physically implemented, including physical security measures like securing physical access points such as doors and windows, as well as software and hardware measures such as enforcing user account and password requirements. Organizational measures, on the other hand, consist of protective measures that are established through instructions, protocols, and procedures. These measures are essential to ensure the security and privacy of personal data in accordance with GDPR regulations.

 

 

No.

Category of Measures

Description of Category

Technical Measures

Organisational Measures

1

Encryption (Art. 32 (1) a) GDPR)

Cryptographic measures to ensure that information is hashed when transferred internally or externally and can only become readable again by using the correct encryption key.

Encryption of the company website (“data in motion”)           

Encryption of data carriers on laptops/notebooks and mobile data carriers ("data at rest”)

 

2

Confidentiality – physical access control (Art. 32 (1) b) GDPR)

Measures to prevent unauthorised persons from gaining access to data Processing systems with which personal data is processed or used.

Security of the buildings, windows and doors with an alarm system 

Automated access control system and manual locking system with safety locks

 

Light barriers/motion detectors

 

Video surveillance of entrances

 

Digital keys management system

3

Confidentiality – data access control (Art. 32 (1) b) GDPR)

Measures to prevent data Processing systems from being used without authorisation. 

Authentication with username /password, and/or biometric methods            Allocate user rights, defining user profiles, assignment passwords, and assign user profiles to IT-systems

Use of Intrusion-Detection-Systems           

 

Locked housings / security locks

Password protected screensavers and automated screen locking in case of inactivity, and two-factor user authentication

 

Implementation of virtual networks for the separation of data streams.

Immediate blocking of authorization when employees leave the company

4

Confidentiality – data usage control (Art. 32 (1) b) GDPR)

Measures to ensure that persons entitled to use a data Processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, altered or removed without authorisation in the course of Processing or use and after storage.

Use of document shredders or appropriate service providers and physical deletion of data mediums before reuse

Development of an authorization concept (Differentiated authorisations for read, edit or delete data) and password procedures (incl. special characters, minimum length, change of password)

Assignment of rights by system administrator

5

Confidentiality – transmission control (Art. 32 (1) b) GDPR)

Measures to ensure that personal data cannot be read, copied, altered or removed during electronic transmission or transport or storage onto data carriers, and that it is possible to check and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged.

Documentation of all interfaces

Documentation of recipients of data and the time periods of planned surrender or agreed erasure time limits

6

Confidentiality – separation control (Art. 32 (1) b) GDPR)

Measures to ensure that data collected for different purposes can be processed separately.

Segregation of functions (production/testing)

 

Separated databases and separate tables within database

Development of an authorization concept

 

 

Logical client separation

7

Integrity – input control (Art. 32 (1) b) GDPR)

Full documentation of data management and maintenance must be maintained - to ensure the ongoing integrity of data. Measures for subsequent checking whether data has been entered, changed or removed (deleted), and by whom.

No local admin privileges

Assignment of authorisations for input

 

Alteration and erasure of data on the basis of an authorisation concept

 

8

Availability – availability control (Art. 32 (1) b) GDPR)

Measures to ensure that personal data is protected from accidental destruction or loss.

Air conditioning in server rooms

 

Fire extinguishers in server rooms, installation of fire and smoke detection systems, uninterruptible power supply (UPS)

 

Monitoring of temperature and humidity and power outlet strip with surge protection in server rooms 

 

 

Alarm during unauthorized entry into server room

 

Remote data backup in secure outsourced locations

 

Development of an emergency plan and a disaster recovery plan, in flood areas: server rooms above waterline

 

 

9

Availability – job control (Art. 32 (1) b) GDPR)

Measures to ensure that, in the case of commissioned Processing of personal data, the data is processed only in accordance with the instructions of the Controller.

 

Selection of the Processor giving consideration to diligence aspects (in particular with respect to data security)

 

Contractual penalties for breaches

 

Written instructions to the Processor (e.g. Data Processing Agreement) as defined in Art. 28 (2) GDPR

 

Processor has appointed a Data Protection Officer

 

Efficient rights of control agreed with the Processor

 

Putting the Processor's employees under an obligation of data confidentiality (Art. 28 Abs. 3 lit. b GDPR)

 

Assurance of deletion of the data at the end of the provision of services, continuous control of the Processor and its activities

 

Use of Subcontractors requires the Controller's consent and prior verification and documentation of the security measures taken by the Processor

 

10

Resilience (Art. 32 (1) b) GDPR)

Measures to ensure the resilience of the systems and services that guarantee that the systems and services are designed in such a way that even high peak loads and high continuous loads of Processing can be handled.

 

Testing of storage, access and line capacities

11

Restoration of availability (Art. 32 (1) c) GDPR)

Measures to ensure that availability of and access to the data can be restored in a timely manner in the event of a physical or technical incident.

Redundant design of the infrastructure (of hard disks, e.g. RAID)

 

Cloud Service

Backup concept

 

Testing of data restoration

12

Data protection management (Art. 32 (1) d) GDPR)

Measures to ensure a process for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of the Processing.

 

Checking of the DSB and the IT revision

 


 

Annex 2

 

Further Processors

 

 

No.

Name of the further processor

Description of processing via this further processor

1

Auth0, Inc., 10800 NE 8th Street

Suite 600, Bellevue, WA 98004, USA

Authentication software

2

Microsoft Azure. Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399

Secure cloud service platform for database storage

3

MongoDb, Inc. 1633 Broadway, 38th Floor New York, NY 10019

Secure cloud service platform for database storage

4

OpenAI OpCo, LLC. 3180 18th St., San Francisco, CA 94110, USA

API platform for accessing Large Language Models GPT-4 and GPT 3.5

5

Astrodon Corporation (Loops), 9450 South West Gemini Drive PMB 22902 Beaverton, OR 97008, USA

Email provider

6

Functional Software, Inc., (Sentry), 45 Fremont Street, 8th Floor, San Francisco, CA 94105.

Tests and error tracking platform

7

Cloudflare, Inc., located at 101 Townsend St., San Francisco, California 94107.

Content delivery network services, cloud cybersecurity and DDoS mitigation

8

Alphabet, Inc. (Google Analytics), 1600 Amphitheatre Parkway in Mountain View, California.

Analytics

9

Tolt, Inc., located at 2093 Philadelphia Pike, #2726, Claymont, DE 19703.

Affiliate Marketing Management Platform

10

Airbyte, Inc., located at 2261 Market Street #4381, San Francisco, CA 94114.

Integrations Management Platform

 

 

Explore
Drag