Data Processing Addendum
This Data Processing Addendum ("DPA") amends and supplements the Artsteps Terms of Service ("Agreement") entered into between you, the user, together with any company or other business entity you are representing, if any (collectively, "User"), and Dataverse Ltd, owner of Artsteps ( "Dataverse") and is hereby incorporated by reference into the Agreement. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in the Agreement. If there is any inconsistency or conflict between this DPA and the rest of the Agreement as it relates to data protection, this DPA will govern.
"User Personal Data" means (i) the content (images, videos, 3D, text) that User uploads to or creates in the Services or Products, or (ii) any labels, tags, comments, descriptions or categorizations that User adds to the content in the Services or Products. "Data Subject" means any individual to whom User Personal Data relates.
"Data Protection Legislation" means the General Data Protection Regulation (EU) 2016/679 ("GDPR") on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
"Personal Data" means any information that relates to an identified or identifiable Data Subject, including but not limited to a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the Data Subject.
"Process" or "Processing" means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of User Personal Data.
The terms "controller, data subject, personal data, personal data breach, processor, and supervisory authority as used in this DPA will have the meanings ascribed to them in the GDPR, regardless of whether the GDPR applies.
2.PROCESSING OF DATA.
2.1 Purpose of Processing. The purpose of data Processing under this Agreement is the provision of the Services or Products pursuant to the Agreement.
2.2 Processor and Controller Responsibilities. The parties acknowledge and agree that. (a) Dataverse is a processor (or equivalent) of User Personal Data under the Data Protection Legislation, (b) User is a controller (or equivalent) of User Personal Data under the Data Protection Legislation, and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of User Personal Data.
2.3 User Instructions. User instructs Dataverse to Process User Personal Data. (a) in accordance with the Agreement, and (b) to comply with other reasonable written instructions provided by User where such instructions are consistent with the terms of the Agreement. Dataverse is prohibited from retaining, using, or disclosing the User Personal Data for any purpose other than for the specific purpose of performing such services for User, except as otherwise permitted by applicable law. User will ensure that its instructions for the Processing of User Personal Data comply with the Data Protection Legislation. User shall have sole responsibility for the accuracy, quality, and legality of User Personal Data and the means by which User obtained the User Personal Data.
2.4 Dataverse’s Compliance with User Instructions. Dataverse shall only retain, use, disclose and otherwise Process User Personal Data in accordance with User’s written instructions set forth above. Dataverse may User Personal Data other than on the written instructions of User if it is required under applicable law to which Dataverse is subject. In this situation, Dataverse shall inform User of such requirement before Dataverse Processes the User Personal Data unless prohibited by applicable law. If User concludes that User’s instructions conflict with any Data Protection Legislation, Dataverse will inform User without unreasonable delay.
3.SECURITY; PRIVACY IMPACT ASSESSMENTS.
3.1 Dataverse Personnel. Dataverse shall ensure that its personnel engaged in the Processing of User Personal Data are informed of the confidential nature of the User Personal Data, and are subject to obligations of confidentiality, and such obligations survive the termination of such individuals engagement with Dataverse.
3.2 Security. Dataverse will implement technical and organizational measures regarding the security of User Personal Data. No security measure is perfect. Dataverse cannot and does not promise that the User Personal Data will remain secure.
3.3 Data Protection Impact Assessments. Dataverse will take reasonable measures to cooperate and assist User in conducting a data protection impact assessment and related consultations with any supervisory authority, if User is required to do so under Data Protection Legislation. Because such assistance may be costly and burdensome, Dataverse reserves the right to condition significant support in this area on the payment of additional fees and agreement to additional terms to be negotiated by the parties.
4.DATA SUBJECT RIGHTS.
4.1 Notification and Assistance Obligations. User must respond to Data Subjects’ requests to exercise their rights under Data Protection Legislation (such as access, deletion or takedown) within 7 days (or sooner if legally required). User must honor such requests to the extent legally required. Dataverse shall, to the extent legally permitted, promptly either notify User if it receives such a request from a Data Subject, or direct such individual to contact User directly. Dataverse may communicate with the Data Subject, such as to facilitate this process, to explain why Dataverse has not immediately honored the individual’s request, to address potential violations of the Terms of Service, and to address requests unrelated to the ones covered by this paragraph.
4.2 Dataverse shall provide User with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent Dataverse is legally permitted and able to do so, where User does not have the ability to honor such requests through its use or receipt of the Services or Products. As part of this, Dataverse will de- publish the User Personal Data and notify User when the individual requests removal of User Personal Data but Dataverse concludes that User has not responded within 7 days.
5.1 General Authorization. User provides a general authorization for the use of subprocessors to Process User Personal Data in connection with fulfilling Dataverse’s obligations under the Agreement and/ or this DPA. Dataverse’s third -party subprocessors are listed at Annex I below.
5.2 New Subprocessors. . When Dataverse engages any new Subprocessor to process User Personal Data, Dataverse will update the Subprocessor List to give User the opportunity to object to such Subprocessor by terminating service pursuant to the Terms of Service.
5.3 Dataverse Obligations. Dataverse will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Dataverse under this DPA.
6.INTERNATIONAL DATA TRANSFERS.
6.1 Dataverse operates globally, which means personal data collected in the European Economic Area ("EEA") or Switzerland may be stored and processed outside of the country or region where it was initially collected. We protect your personal data in accordance with this Statement wherever it is processed and take appropriate contractual or other steps to protect it under applicable laws. These steps include implementing the European Commission's standard contractual clauses and relying on the European Commission's adequacy decisions about certain countries, as applicable, for data transfers from the EEA to the United States and other countries.
7.1 Notification Obligations. In the event of a confirmed Security Breach, Dataverse will notify User of the Security Breach without undue delay. The obligations in this Section 7 do not apply to unsuccessful attempts or activities that do not compromise the security of User Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. It is User’s responsibility to notify the relevant governmental authorities and affected Data Subjects. User authorizes Dataverse to notify governmental authorities or affected individuals of a Security Breach if Dataverse considers such notification appropriate.
7.2 Manner of Notification. Notification (s) of Security Breaches, if any, will be delivered via email. It is User’s sole responsibility to ensure it maintains accurate contact information on Dataverse ’s support systems at all times.
8.TERM AND TERMINATION.
8.1 Term of DPA. This DPA will remain in effect until, and automatically expire upon, deletion of all User Personal Data as described in this DPA.
8.2 Deletion of User Data. Dataverse shall delete or return User Personal Data to User after the end of the provision of Services or Products under the Agreement and shall delete all existing copies thereof, except to the extent that Dataverse is required under applicable law to keep a copy of the User Personal Data.
9.1 Information Available. To the extent applicable law requires User to impose the following provision on Dataverse, it applies: Dataverse will make available all information reasonably necessary to demonstrate compliance with the obligations set forth in this Addendum and will contribute to reasonable audits as necessary upon a written request and subject to agreement on audit fees and scope.
10.LIMITATION OF LIABILITY.
10.1 Because this DPA is part of the Agreement, Dataverse ’s liability for breach of its obligations in this DPA is subject to the limitation of liability provisions in the Agreement.
ΑΝΝΕΧ Ι - Subprocessors List
THIRD PARTY SERVICE/ VENDOR: OVH
PURPOSE: Data Hosting, Content Delivery
ENTITY COUNTRY: Ireland