GDPR DATA PROCESSING ADDENDUM

This GDPR Data Processing Addendum (“DPA”) forms part of the Terms of Use available at https://www.smartcat.ai/terms/ or such other location as the Terms of Use may be posted from time to time, entered into by you as the User and Smartcat. The purpose of this DPA is to reflect the parties’ agreement with regard to processing of Personal data in accordance with the requirements of the GDPR.

Terms and definitions used herein shall have the same meaning attributable to them in the Terms of Use unless the context herein suggests otherwise.

1. Roles under GDPR

1.1. You acknowledge that you are aware of the GDPR that may affect you when you receive or collect any Content from your clients containing Personal data and when you further upload that Content containing Personal data on SmartCAT Platform.

1.2. You also understand that under the GDPR, depending on how you received and use your Content containing Personal data, you may be considered a “controller” or a “processor” as defined under article 4 of the GDPR.

1.3. Whenever you act as a Customer and upload any Content containing Personal data SmartCAT will act as a “processor” within the meaning of article 4 of the GDPR and this DPA shall apply. Whenever you act as a Supplier and upload your Personal data SmartCAT will act as a “controller” within the meaning of article 4 of the GDPR, the Privacy Policy and Consent Notice (www.smartcat.ai/privacy-policy) shall apply.

2. Your warranties, covenants and undertakings

2.1. You covenant and undertake to SmartCAT:

  • to comply at all times with GDPR prescribed for data controllers or data processors (as the case may be) in respect of any Personal data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use;
  • if SmartCAT receives any request from a data subject in relation to Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, and advises the data subject to submit his/her request to you, you will be responsible for responding to any such request including, where necessary, by using the functionality of SmartCAT Platform;
  • if specifically requested by SmartCAT, to enter into Model Contract Clauses (see form at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087);
  • that you are solely responsible for complying with incident notification laws applicable to you and fulfilling any third party notification obligations related to any breach of Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use.

2.2. You warrant to SmartCAT:

  • if GDPR applies to the processing of Personal data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use and you are a processor, then your instructions and actions with respect to that Personal data have been authorized by the relevant controller;
  • that the Security Measures (as detailed below) implemented and maintained by SmartCAT as set out herein provide a level of security appropriate to the risk in respect of the Customer data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use.

3. Your authorizations and consents

3.1. You authorize and instruct SmartCAT and give your consent to the following:

  • SmartCAT may store and process Customer Data in the United States and any other country in which SmartCAT maintains facilities provided that SmartCAT can maintain there the same level of privacy protection as required under the EU-US Privacy Shield (https://www.privacyshield.gov/);
  • to process Personal data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use only in accordance with applicable law: (a) to provide the services and related support to you; (b) as further specified via your use of the SmartCAT Platform (submitted via your User’s profile on Smartcat Platform or by e-mail); (c) as documented in the Terms of Use, including this DPA; and (d) as further documented in any other instructions given by you and acknowledged by SmartCAT as constituting instructions for purposes of this DPA;
  • engagement of any other third parties as Subprocessors* with the understanding that if you entered into Model Contract Clauses, this authorization will constitute your prior written consent to the subcontracting by SmartCAT of the processing of Personal data if such consent is required under the Model Contract Clauses.
    (*Subprocessors means third parties authorized under this DPA to have logical access to and process Personal data in order to provide parts of the services under the Terms of Use and related support.)

4. Warranties, covenants and undertakings of SmartCAT

4.1 Smartcat covenants and undertakes to you:

  • to comply at all times with GDPR in respect of any Personal data provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use;
  • to process Personal data (i) only for the purpose of providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Terms of Use;
  • to process Personal data contained in any of your Content only in accordance with the written instructions from you (submitted via your User’s profile on Smartcat Platform or by e-mail);
  • to notify you as the User if, in Smartcat’s opinion, an instruction for the processing of Personal data given by you infringes applicable GDPR;
  • to inform you in writing if SmartCAT cannot comply with the requirements under this DPA, in which case you as the User can terminate the Agreement or take any other reasonable action, including suspending Personal data processing operations;
  • that SmartCAT will, in a manner consistent with the functionality of SmartCAT Platform, enable you to access, rectify and restrict processing of Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use;
  • that SmartCAT will assist you in fulfilling any obligation to respond to requests by data subjects, including if applicable your obligation to respond to requests for exercising the data subject’s rights set out in the GDPR;
  • SmartCAT will take appropriate steps to ensure compliance with the security measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • in case SmartCAT engages any Subprocessor, such Subprocessor only accesses and uses any Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, to the extent required to perform the obligations subcontracted to it, and does so in accordance with the relevant agreement and the data protection obligations under article 28(3) of the GDPR are imposed on such Subprocessor;
  • in case SmartCAT engages any Subprocessor, SmartCAT remains fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor;
  • to comply with the instructions described in section 3.1 above (including with regard to Personal data transfers);
  • to implement appropriate technical and organisational measures in such a manner that processing of Personal data will meet the GDPR requirements and ensure the protection of the rights of the data subjects;
  • if SmartCAT receives any request from a data subject in relation to Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, SmartCAT will advise the data subject to submit his/her request to you;
  • for transfers of EU personal data from the EEA to the US or other jurisdiction providing ‘adequate’ data protection, shall comply with and provide at least the same level of privacy protection as required under the EU-US Privacy Shield (https://www.privacyshield.gov/);
  • upon your written request or on termination of the Agreement, shall securely destroy or return such Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, to you within a maximum period of 30 days, unless applicable legislation or legal process prevents it from doing so;
  • if the storage and/or processing of Personal data involves transfers of Personal data out of the EEA and the GDPR applies to the transfers of such data, SmartCAT will, if specifically requested by you, enter as the data importer of the Personal data into Model Contract Clauses with you as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses (see form at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087);
  • if SmartCAT becomes aware of any breach of Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, SmartCAT will: (a) notify you of such breach of Personal data promptly and without undue delay; and (b) promptly take reasonable steps to minimize harm and secure Personal data.

5. Purposes of processing Personal data

5.1. SmartCAT may process Personal data provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use (i) for the purpose of providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Terms of Use.

6. Security Measures of SmartCAT

6.1. Security Measures include:

  • use of Tier IV data centers in the U.S. and EU, run by AWS and Microsoft Azure, which are SOC-1, SOC-2, and SOC-3 compliant; this is a much higher level of protection than conventional office servers provide (learn more about Smartcat security measures);
  • all passwords are stored in hashed and salted form (and several external authorized services are supported via OAuth 2.0);
  • all passwords in the production configuration files are encrypted and certificates required to decrypt configs are installed on the production machines by administrators and not accessible for engineers with lower levels of access;
  • a limited number of SmartCAT employees have access to Personal data and they are all bound by relevant confidentiality covenants under their employment or civil law services agreements;
  • a limited number of SmartCAT employees who have access to your personal data are thoroughly checked by our security team and can only use Personal data as part of their work; in addition, access is limited by authorization procedures and infrastructure, which do not allow employees with insufficient rights to access personal data;
  • Before contracting any Subprocessors, SmartCAT conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to Personal data and the scope of the services they are engaged to provide. The Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

6.2. These Security Measures may be updated or modified provided that such updates and modifications do not result in the degradation of the overall security of SmartCAT Platform.

7. Scope of instructions given to SmartCAT

7.1. This DPA and the Terms of Use set out your complete and final instructions to Smartcat in relation to the processing of your Content containing Personal data and processing outside the scope of these instructions (if any) shall require prior written agreement between you and Smartcat. Smartcat will not use or process the Personal Data for any other purpose other than the Terms of Use and this DPA.

8. DPA Duration

8.1. This DPA shall remain in effect as long as the Terms of Use between you and SmartCAT remain in effect.