Data Processing Agreement

THIS DATA PROCESSING ADDENDUM is entered into as of the Addendum Effective Date by and between Perceptif, Inc. (“Perceptif”) and the customer identified in the signature lines into this Data Processing Addendum (“Customer”).

This Data Processing Addendum applies to Perceptif’s Processing of Customer Personal Data pursuant to the Agreement.

‍INTERPRETATION
‍In this Data Processing Addendum, the following terms shall have the meanings set out in this Paragraph 1, unless expressly stated otherwise:“

‍Addendum Effective Date” means the effective date of the Agreement.

"Agreement” means the Software and Services License Agreement (or similar agreement) entered into by and between the parties.“

‍Applicable Data Protection Laws” means data protection and privacy laws and regulations applicable to the processing of Customer Personal Data under the Agreement, including but not limited to, where applicable, the GDPR and the CCPA, in each case, to the extent applicable to the relevant Customer Personal Data or Processing thereof under the Agreement.  

“Customer Personal Data” means any Personal Data Processed by or on behalf of Perceptif on behalf of Customer to perform the Services under the Agreement.

“CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder.

“Data Subject Request” means the exercise by Data Subjects of their rights in accordance with Applicable Data Protection Laws in respect of Customer Personal Data.

“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates. 

“Delete” means to remove or obliterate Customer Personal Data such that it cannot be recovered or reconstructed, and

“Deletion” shall be construed accordingly.

“EEA” means the European Economic Area.

“GDPR” means: (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“EU GDPR”); (ii) the EU GDPR as it forms part of United Kingdom (“UK”) law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”); and (iii) any applicable implementing or supplementary legislation in any member state of the EEA or the UK (including the UK Data Protection Act 2018).

“Personnel” means a person’s employees, agents, consultants or contractors.

“Personal Data” means Customer Data that constitutes “personal data,” “personal information,” or similar information governed by Applicable Data Protection Laws, except that Personal Data does not include such information pertaining to Customer’s business contacts who are Customer Personnel where Perceptif acts as a Controller of such information.

“Personal Data Breach” means a breach of Perceptif’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in Perceptif’s possession, custody or control. Personal Data Breaches do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.

“Processing” means any operation or set of operations which is performed on Customer Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Relevant Body” means:in the context of the UK and the UK GDPR, the UK Information Commissioner’s Office and/or UK Government (as and where applicable); and/orin the context of the EEA and the EU GDPR, the European Commission.

“Restricted Country” means:in the context of the UK, a country or territory outside the UK; andin the context of the EEA, a country or territory outside the EEA,that the Relevant Body has not deemed to provide an adequate level of protection for Personal Data pursuant to a decision made in accordance with the GDPR. 

“Restricted Transfer” means the disclosure, grant of access or other transfer of Personal Data to any person which would be prohibited without a legal basis under the GDPR.

“Services” means those services and activities to be supplied to or carried out by or on behalf of Perceptif for Customer pursuant to the Agreement.

“Standard Contractual Clauses” means the Standard Contractual Clauses for Processors as approved by the European Commission and available at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en (as updated, amended or superseded from time to time).

“Subprocessor” means any third party appointed by or on behalf of Perceptif to Process Customer Personal Data.

“Supervisory Authority”:in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office; andin the context of the EEA and the EU GDPR, shall have the meaning given to that term in the EU GDPR.In this Data Processing Addendum:the terms,

“Controller” and “Processor” shall have the meaning ascribed to the corresponding terms in the GDPR, and “Controller” shall include a “business” as defined in the CCPA; the terms, “business,” “commercial purpose,” “sell” and “service provider” shall have the respective meanings given thereto in the CCPA; and “personal information” shall mean Customer Personal Data that constitutes personal information governed by the CCPA; andunless otherwise defined in this Data Processing Addendum, all capitalized terms in this Data Processing Addendum shall have the meaning given to them in the Agreement.

‍DURATION AND SCOPE OF THIS DATA PROCESSING AGREEMENT
‍This Data Processing Addendum will remain in effect so long as Perceptif Processes Customer Personal Data, notwithstanding the expiration or termination of the Agreement. Annex 1 (EU Annex) to this Data Processing Addendum applies only to the Processing of Customer Personal Data subject to the GDPR. Annex 2 (California Annex) to this Data Processing Addendum applies only to the Processing of Customer Personal Data subject to the CCPA with respect to which Customer is a “business” (as defined in the CCPA). 

‍PROCESSING OF CUSTOMER PERSONAL DATA

‍Perceptif shall:not Process Customer Personal Data other than on Customer’s instructions or as required by Applicable Data Protection Laws. Customer instructs Perceptif to Process Customer Personal Data as necessary:to provide the Services to Customer; and to perform Perceptif’s obligations and exercise Perceptif’s rights under the Agreement, including to maintain records relating to the Service and comply with any legal or self-regulatory obligations relating to the Service.If applicable law requires Perceptif to conduct Processing that is inconsistent with the Customer’s instructions, then Perceptif will immediately notify Customer in writing prior to commencing the Processing, unless applicable law prohibits such notification. Perceptif also will immediately notify Customer if Perceptif believes that Customer’s instructions violate, or result in Processing in violation of Applicable Data Protection Laws. 

Customer acknowledges and agrees that Perceptif may create and derive from Processing related to the Agreement, deidentified, anonymized and/or aggregated data that does not identify Customer or any natural person and use, publicize, or share with third parties such data to improve Perceptif’s products and services and for its other legitimate business purposes. 

‍Perceptif PERSONNEL
‍Perceptif shall: limit access to Perceptif Personnel who need to access the relevant Customer Personal Data for the purposes described in this Data Processing Addendum; andsubject Perceptif Personnel to confidentiality undertakings or professional or statutory obligations of confidentiality.

‍SECURITY 
‍Perceptif shall implement and maintain technical and organizational measures in relation to Customer Personal Data designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access as described in Annex 3 (Security Measures). Perceptif may update the Security Measures from time to time, provided the updated measures do not materially decrease the overall protection of Customer Personal Data.

‍DATA SUBJECT RIGHTS
‍Perceptif, taking into the account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance as may be reasonably necessary and technically feasible to assist Customer in fulfilling its obligation to respond to Data Subject Requests. If Perceptif receives a Data Subject Request, Perceptif will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request.Perceptif shall:promptly notify Customer if it receives a Data Subject Request; andnot respond to any Data Subject Request except on the written instructions of Customer (and in such circumstances, at Customer’s cost) or as required by Applicable Data Protection Laws.

‍PERSONAL DATA BREACH
‍Perceptif shall notify Customer without undue delay upon Perceptif’s discovering a Personal Data Breach affecting Customer Personal Data. Perceptif shall provide Customer with information (insofar as such information is within Perceptif’s possession and knowledge) to allow Customer to meet its obligations under the Applicable Data Protection Laws to report the Personal Data Breach. Perceptif’s notification of or response to a Personal Data Breach will not be construed as Perceptif’s acknowledgement of any fault or liability with respect to the Personal Data Breach.Perceptif shall, at Customer’s cost, co-operate with Customer and take such commercially reasonable steps as may be directed by Customer to assist in the investigation of any such Personal Data Breach.Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.

‍CUSTOMERS’S RESPONSIBILITIES
‍Customer agrees that, without limitation of Perceptif’s obligations under Section 5 (Security), Customer is solely responsible for its use of the Service, including (a) making appropriate use of the Service to maintain a level of security appropriate to the risk in respect of the Customer Personal Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Service; (c) securing Customer’s systems and devices that Perceptif uses to provide the Service; (d) providing all appropriate notices and obtaining any necessary consents for Perceptif to Process Customer Personal Data as set forth in the Agreement; and (e) backing up Customer Personal Data.

Customer Personal Data provided or otherwise made available to Perceptif shall not contain any (a) Social Security numbers or other government-issued identification numbers; (b) protected health information subject to the Health Insurance Portability and Accountability Act (HIPAA) or other information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (c) health insurance information; (d) biometric information; (e) passwords to any online accounts; (f) credentials to any financial accounts; (g) tax return data; (h) any payment card information subject to the Payment Card Industry Data Security Standard; (i) Personal Data of children under 13 years of age; or (j) any other information that falls within any special categories of data (as defined in GDPR).

‍LIABILITY CAP
‍The total combined liability of either party towards the other party, whether in contract, tort or any other theory of liability, under or in connection with Agreement, or this Data Processing Addendum combined, will be limited to the limitations on liability or other liability caps agreed to by the parties in the Agreement. Despite the foregoing, in no event will any party limit its liability with respect to any individual’s data protection rights, whether under this Data Processing Addendum or otherwise.

‍GENERAL
This Data Processing Addendum shall be incorporated into and form part of the Agreement with effect from the Addendum Effective Date. In the event of any conflict or inconsistency between: this Data Processing Addendum and the Agreement, this Data Processing Addendum shall prevail; or any Standard Contractual Clauses entered into pursuant to Section 6 of Annex 1 and this Data Processing Addendum and/or the Agreement, the Standard Contractual Clauses shall prevail.

No amendment to this Data Processing Addendum is effective unless it is in writing, identified as an amendment to this Data Processing Addendum and signed by an authorized representative of each party.

If any provision of this Data Processing Addendum is determined invalid or unenforceable by a court of competent jurisdiction, the remaining provisions will continue in full force. In place of the invalid or unenforceable provision, a provision shall be deemed to be agreed which comes closest to the economic meaning and purpose of the invalid or unenforceable provision.


Contact Us
If you have any questions about this Data processing policy, You can contact us:
By email: support@perceptif.ai

By visiting this page on our website: www.perceptif.ai