This Data Processing Agreement (“Agreement”) is part of Wiremo's Terms of Service between you (“Controller”) and Wiremo (“Processor”) (“Terms of Service”). All defined terms contained herein shall have the same meaning as the definitions set forth in the Terms of Service.
The Processor shall comply with the following in respect of personal data ("PD") as defined under Regulation (EU) 2016/679 (General Data Protection Regulation (“GDPR”)):
Controller’s instructions for processing of PD shall comply with all applicable privacy and data protection laws, including the GDPR. The Controller shall have sole responsibility for the accuracy, quality and legality of PD and the means by which Controller acquired PD.
Details of Processing
The details of the processing activities to be carried out by the Processor in respect of the Services are:
- Nature, purpose and subject matter of the Processing. The nature, purpose and subject matter of the Processing is the provision of the Services set forth in the Terms of Service.
- Categories of Data Subjects. Users that purchased products and/or services from Controller or submitted a review via the onsite widget that is installed on the Controller website.
- Email address, first name, last name, and IP address.
Data Subjects Rights
The Processor shall assist Controller, by using appropriate technical and organizational measures, in the fulfillment of Controller’s obligations to respond to requests by data subjects in exercising their rights under applicable laws.
The Processor shall ensure that its personnel engaged in the processing of PD are bound by a confidentiality undertaking.
The Processor will promptly notify Controller after becoming aware of any suspected or actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, PD (“Data Breach”).
The Processor will maintain up-to-date written records of its processing activities, including, inter alia, Processor’s and Controller’s contact details, the categories of processing, transfers of PD across borders and the technical and organizational security measures implemented by the Processor. Upon request, Processor will provide an up-to-date copy of these records to Controller.
Controller acknowledges and agrees that Processor may engage any of the third-party sub-processors listed in Appendix 1, which Processor may update from time to time, subject to Controller’s prior written approval. Such sub-processors shall be bound by data protection obligations no less protective than those in this Agreement to the extent applicable to the nature of the Services provided by such sub-processor.
The Processor will assist Controller in ensuring compliance with Controller’s obligations related to the security of the processing, notification and communication of Data Breaches, conduct of data protection impact assessments and any inquiry, investigation or other requests by a supervisory authority.
Where Processor believes that an instruction would result in a violation of any applicable data protection laws, Processor shall notify the Controller thereof.
The Processor will make available to Controller, upon request, information necessary to demonstrate compliance with the obligations set forth in this Agreement.
Upon Controller’s request, Processor shall cooperate with audits and inspections of its compliance with the requirements and obligations herein and/or under applicable law. Such audits and inspections may be conducted by Controller or by any third party designated by Controller. The costs of the audit shall be borne by the Controller.
Technical and Organizational Measures
- Processor shall implement and maintain all technical and organizational measures that are required for protection of the PD and ensure a level of security that is appropriate for dealing with and protecting against any risks to the rights and freedoms of the data subjects, and as required in order to avoid accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to PD and/or as otherwise required pursuant to the GDPR, including, inter alia, the measures set forth in Appendix 2. When complying with this Section 12.1, Processor shall take into consideration the state of technological development existing at the time and the nature, scope, context and purposes of processing as well as the aforementioned risks.
- The Processor shall regularly monitor its compliance with this Agreement and will provide Controller, upon request, with evidence that will enable verification of such monitoring activities. The Processor shall promptly implement all changes to Appendix 2, as requested by Controller. The Processor shall ensure that all persons acting under its authority or on its behalf and having access to the PD do not process the PD except as instructed by Controller and permitted herein.
Transfer of PD to Third Countries
The Processor may process the Personal Data in any country within the European Union.
In addition, the Processor may transfer the Personal Data to a country outside the European Union, provided that country ensures an adequate level of protection of Personal Data and complies with other obligations imposed on it under this Data Processing Agreement and the GDPR, including the availability of appropriate safeguards and enforceable data subject rights, and effective legal remedies for data subjects.
The Processor shall inform the Controller of the countries involved. The Processor warrants that, considering the circumstances that apply to the transfer of Personal Data or any category of transfers, the country or countries outside the European Union have an adequate level of protection.
In particular, the Processor shall take into account the duration of the processing, the country of origin and the country of destination, the general and sector-based rules of law in the country of destination and the professional rules and security measures which are complied with in that country.
Return and Deletion of PD
On the Controller’s request, Processor shall return or destroy PD to the extent allowed by applicable law.
Appendix 1 - Sub-Processors
Digital Ocean, Intercom, Hotjar, Google Analytics, Google Tag Manager.
Appendix 2 - Technical and Security Measures
- The pseudonymization and encryption of PD.
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- The ability to restore the availability and access to PD in a timely manner in the event of a physical or technical incident.
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.