Cira Apps Limited Terms of Service

Effective Date: April 17, 2019

Cira Apps Limited (“Company”, “us”, “our”, and “we”) offers services to its users through our software applications, such as an application for websites or mobile devices (each a “Application” or “Site”) and any other services offered by Company in connection with Our Application (any and all of the foregoing are referred to as the “Services“). The Services do not include any Social Network Services (“SNS”) or other third-party service you may interact with in connection with the Services. Please read the following terms of use (“Terms “) carefully.

These Terms may be modified or replaced at any time in the Company’s sole discretion. After any modification or replacement, users with registered Accounts will be emailed a notification of the change. Your continued use of the Site after such a change will constitute your consent to be bound by the new Terms.

YOU ACKNOWLEDGE AND AGREE THAT BY ACCESSING OR USING THE SERVICES, OR ACCESSING ANY CONTENT THROUGH THE SERVICES, YOU ARE INDICATING THAT YOU HAVE READ, UNDERSTAND AND AGREE TO BE BOUND BY THESE TERMS OF USE. IF YOU DO NOT AGREE TO THESE TERMS OF USE, THEN YOU HAVE NO RIGHT TO ACCESS OR USE THE SERVICES.

Accounts

  1. Account Registration. In order to use certain features of the Site, you must register for an account (“Account”) and provide certain information about yourself as prompted by the account registration form.  You represent and warrant that: (a) all required registration information you submit is truthful, complete, and accurate; (b) you will maintain the accuracy of such information. You may delete your Account at any time, for any reason, by following the instructions on the Site. The Company may suspend or terminate your Account at any time and for any reason, with or without notice.
  2. Account Security. You are responsible for maintaining the confidentiality of your Account login information and are fully responsible for all activities that occur under your Account. You agree to immediately notify the Company of any unauthorized use, or suspected unauthorized use of your Account or any other breach of security. The Company cannot and will not be liable for any loss or damage arising from your failure to comply with the above requirements.
  3. Payments. You may register for one of several Account types. Account types may require the payment of fees in order to purchase or maintain the Account. If you select an account type that requires payment you agree that (i) you will provide accurate, complete, and truthful payment information, such as a credit card or debit card, to the Site (the “Payment Information”); (ii) you authorize the Company to charge, or use a third-party payment processor to charge, your Payment Information for the amount indicated on the Site; and (iii) you will not dispute, charge back, or cancel your payment.
    1. If your selected Account type has a recurring fee component, as specified on the Site, you agree that you authorize recurring charges at the then-current price posted on the Site.
    2. You acknowledge that if a required payment fails, your Account may be immediately terminated.
    3. The Site does not, under any circumstance, offer any refunds.

Access to the Services

  1. License. Subject to these Terms, Company hereby grants you a limited, personal, non- exclusive, revocable, non-transferable, non-sublicensable license to use and access the Site solely for your own authorized personal use for all legal uses contemplated by this License Agreement. The Company may terminate your license at any time and for any reason, with or without notice.
  2. Certain Restrictions. The rights granted to you in these Terms are subject to the following restrictions: (a) you shall not license, sell, rent, lease, transfer, assign, distribute, host, or otherwise commercially exploit the Site, whether in whole or in part, or any content displayed on the Site; (b) you shall not modify, make derivative works of, disassemble, reverse compile or reverse engineer any part of the Site; (c) you shall not access the Site in order to data-mine, reverse engineer, or build a similar or competitive website, product, or service; and (d) except as expressly stated herein, no part of the Site may be copied, reproduced, distributed, republished, downloaded, displayed, posted or transmitted in any form or by any means. Unless otherwise indicated, any future release, update, or other addition to functionality of the Site shall be subject to these Terms. All copyright and other proprietary notices on the Site (or on any content displayed on the Site) must be retained on all copies thereof.
  3. Modification. Company reserves the right, at any time and in its sole discretion, to modify, suspend, or discontinue the Services (in whole or in part) with or without notice. You agree that Company will not be liable to you or to any third party for any modification, suspension, or discontinuation of the Site or any part thereof.

Proprietary Rights

  1. Company retains all right, title and interest (including all copyright, trade secret, patent and other rights) in and to the Services. If you give feedback on the Services, for example recommendations for improvements or features, such feedback will be deemed non-confidential and non-proprietary, and implementation of that feedback is owned by us and may become part of the Services without compensation to you. We reserve all rights in and to the Services unless we expressly state otherwise. The Services contains proprietary and confidential information that is protected by applicable intellectual property and other laws. You may not decompile, reverse engineer, disassemble, or otherwise reduce the Services to a human-perceivable form, except and only to the extent that such activity is expressly permitted by applicable law, and in that case, only if you notify us in writing in advance. You may not copy, frameset, enclose or otherwise distribute any part of the Services.
  2. All brand, product and service names used in the Services which identify Company or our partners and/or their proprietary products and services are the trademarks or service marks of Company or our partners. Nothing in the Services shall be deemed to confer on any person any license or right on the part Company or such supplier with respect to any such image, logo or name.
  3. We are making the Services available to you for your information and use only. You may not (and you agree not to) use, copy, distribute, transmit, broadcast, sell, or do anything else with the Services for any other purpose. You agree not to disable, interfere, or try to get around any of the features of the Services related to security, or enforcing the limits on the use of the Services.

Indemnification

You agree to indemnify, defend and hold harmless the Company, its officers, employees, and agents (collectively “Company Affiliates”) from any claim or demand made by any third party, including for attorneys’ fees and expenses, due to or arising out of (a) your use of the Site, (b) your violation of these Terms, (c) your violation of applicable laws or regulations, or (d) your User Content.

Availability

You acknowledge that temporary interruptions in the availability of the Services may occur from time to time as normal events. Also, we may decide to cease making available the Services or any portion of the Services at any time and for any reason. Under no circumstances will Company or its partners be held liable for any damages due to such interruptions or lack of availability.

Disclaimers

THE SERVICE IS PROVIDED ON AN “AS-IS” AND “AS AVAILABLE” BASIS, AND THE COMPANY (AND OUR SUPPLIERS) EXPRESSLY DISCLAIM ANY AND ALL WARRANTIES AND CONDITIONS OF ANY KIND, WHETHER EXPRESS, IMPLIED, OR STATUTORY, INCLUDING ALL WARRANTIES OR CONDITIONS OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE, QUIET ENJOYMENT, ACCURACY, OR NON-INFRINGEMENT.  WE AND OUR COMPANY AFFILIATES MAKE NO WARRANTY THAT THE SITE WILL MEET YOUR REQUIREMENTS, WILL BE AVAILABLE ON AN UNINTERRUPTED, TIMELY, SECURE, OR ERROR-FREE BASIS, OR WILL BE ACCURATE, RELIABLE, FREE OF VIRUSES OR OTHER HARMFUL CODE, COMPLETE, LEGAL, OR SAFE. IF APPLICABLE LAW REQUIRES ANY WARRANTIES WITH RESPECT TO THE SITE, ALL SUCH WARRANTIES ARE LIMITED IN DURATION TO NINETY (90) DAYS FROM THE DATE OF FIRST USE.

SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO THE ABOVE EXCLUSION MAY NOT APPLY TO YOU.  SOME JURISDICTIONS DO NOT ALLOW LIMITATIONS ON HOW LONG AN IMPLIED WARRANTY LASTS, SO THE ABOVE LIMITATION MAY NOT APPLY TO YOU.

Limitation on Liability

TO THE MAXIMUM EXTENT PERMITTED BY LAW, IN NO EVENT SHALL THE COMPANY OR COMPANY AFFILIATES BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY LOST PROFITS, LOST DATA, COSTS OF PROCUREMENT OF SUBSTITUTE PRODUCTS, OR ANY INDIRECT, CONSEQUENTIAL, EXEMPLARY, INCIDENTAL, SPECIAL OR PUNITIVE DAMAGES ARISING FROM OR RELATING TO THESE TERMS OR YOUR USE OF, OR INABILITY TO USE, THE SITE, EVEN IF COMPANY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. ACCESS TO, AND USE OF, THE SITE IS AT YOUR OWN DISCRETION AND RISK, AND YOU WILL BE SOLELY RESPONSIBLE FOR ANY DAMAGE TO YOUR DEVICE OR COMPUTER SYSTEM, OR LOSS OF DATA RESULTING THEREFROM.

TO THE MAXIMUM EXTENT PERMITTED BY LAW, NOTWITHSTANDING ANYTHING TO THE CONTRARY CONTAINED HEREIN, OUR LIABILITY TO YOU FOR ANY DAMAGES ARISING FROM OR RELATED TO THIS AGREEMENT (FOR ANY CAUSE WHATSOEVER AND REGARDLESS OF THE FORM OF THE ACTION), WILL AT ALL TIMES BE LIMITED TO A MAXIMUM OF FIVE HUNDRED US DOLLARS. THE EXISTENCE OF MORE THAN ONE CLAIM WILL NOT ENLARGE THIS LIMIT. YOU AGREE THAT OUR SUPPLIERS WILL HAVE NO LIABILITY OF ANY KIND ARISING FROM OR RELATING TO THIS AGREEMENT.

  1. Term and Termination. We may suspend or terminate your rights to use the Site (including your Account) at any time for any reason at our sole discretion, including for any use of the Site in violation of these Terms. Upon termination of your rights under these Terms, your Account and right to access and use the Site will terminate immediately. You understand that any termination of your Account may involve deletion of the configuration settings, audit or change logs and associated with your Account from our live databases. Company will not have any liability whatsoever to you for any termination of your rights under these Terms, including for termination of your Account or deletion of configuration settings and logs.
  2. General.
    1. Choice of Law. This Agreement is subject to, and will be governed by and construed in accordance with the substantive laws in force of the State of California which shall have exclusive jurisdiction over any disputes except in matters of conflict of laws.
    2. Dispute Resolution. You agree that any dispute shall be settled via arbitration and that arbitration will be administered by Judicial Arbitration & Mediation Services, Inc. (“JAMS”) pursuant to its Streamlined Arbitration Rules & Procedures (the “JAMS Rules”). You agree that the arbitrator shall have the power to decide any motions brought by any party to the arbitration, including motions for summary judgment and/or adjudication and motions to dismiss and demurrers applying the standards set forth under the California Code of Civil Procedure. You agree that the arbitrator shall issue a written decision on the merits. You also agree that the arbitrator shall have the final power to award any remedies available under applicable law, and that the arbitrator shall award Attorney’s fees and costs to the prevailing party where provided by applicable law. You agree that the decree or award rendered by the arbitrator may be entered as a final and binding judgment in any court having jurisdiction thereof. You agree that the arbitrator shall administer and conduct any arbitration in accordance with California LAW, including the California Code of Civil Procedure and the California evidence code, and that the arbitrator shall apply substantive and procedural California law to any dispute or claim, without reference to rules of conflict of law. To the extent that the JAMS Rules conflict with California law, California law shall take precedence. You further agree that any arbitration under this agreement shall be conducted in Santa Clara County, California.
      1. YOU AGREE THAT ANY LEGAL CLAIM AGAINST US MUST BE FILED WITHIN SIX MONTHS AFTER THE EVENT THAT GAVE RISE TO YOUR LAWSUIT. OTHERWISE, YOUR LAWSUIT WILL BE PERMANENTLY BARRED.
      2. Except as otherwise provided by law, the arbitrator shall be the sole, exclusive, and final remedy for any dispute between you and us. Neither you nor we will be permitted to pursue court action regarding claims that are subject to arbitration.
      3. You and we agree that any and all claims may be brought solely in each other’s individual capacity and not in the capacity as a class for litigation purposes. You and we further agree that the arbitrator may not consolidate more than your or our claims specifically as they relate to one another.

Electronic Communications

The communications between you and Company use electronic means, whether you use the Site or send us emails, or whether Company posts notices on the Site or communicates with you via email. For contractual purposes, you (a) consent to receive communications from Company in an electronic form; and (b) agree that all terms and conditions, agreements, notices, disclosures, and other communications that Company provides to you electronically satisfy any legal requirement that such communications would satisfy if it were be in a hardcopy writing. The foregoing does not affect your non-waivable rights.

Entire Terms

These Terms constitute the entire agreement between you and us regarding the use of the Site. Our failure to exercise or enforce any right or provision of these Terms shall not operate as a waiver of such right or provision. The section titles in these Terms are for convenience only and have no legal or contractual effect. The word “including” means “including without limitation”. If any provision of these Terms is, for any reason, held to be invalid or unenforceable, the other provisions of these Terms will be unimpaired and the invalid or unenforceable provision will be deemed modified so that it is valid and enforceable to the maximum extent permitted by law.

Your relationship to Company is that of an independent contractor, and neither party is an agent or partner of the other. These Terms, and your rights and obligations herein, may not be assigned, subcontracted, delegated, or otherwise transferred by you without Company’s prior written consent, and any attempted assignment, subcontract, delegation, or transfer in violation of the foregoing will be null and void.  Company may freely assign these Terms. The terms and conditions set forth in these Terms shall be binding upon assignees.

Severability

If any provision of this Agreement is determined by a court of competent jurisdiction to be contrary to law, that provision will be deemed to have be drafted such that it is enforced to the maximum extent permissible, and the remaining provisions of this Agreement will remain in full force and effect.

Contact Us

You may contact the company at: telephone 202-747-0888 or use our Contact Us form on our website.

Cira Apps Limited
Data Processing Agreement

Last Revised: June 8th, 2023

View PDF

This Data Processing Agreement (“DPA”) applies where there is no specific DPA submitted by the Controller towards Cira Apps which has been ratified by both parties and it will be updated over time as the applicable legal context evolves.

Cira Apps indicates the last date when this DPA has been updated at the top.

All changes apply and are automatically accepted by the parties (users and Corporate Clients) from the above posted date onwards, any conflicting clauses will supraceed the previous ones and new clauses constitute an addendum to the previous DPA version that has been automatically accepted by you at the date you started using Cira Apps services.

The parties to this DPA are:

Cira Apps Limited, established at 801 Barton Springs Road Austin, TX 78704, United States (hereinafter called “the Processor” and also referred to as “we”, “us”)

and

The Corporate Client and its individual users who are utilizing Cira Apps tools (hereinafter called “the Controller” and also referred to as “you”) while both also referred to as the “Parties”.

Although the Processor has the knowhow to develop the tools (Apps) and inherent functionalities that the Controller and its users will be using, the Processor in fact acts under the instructions of the Controller in the sense that the Controller is the one which defines what Personal Data and pertaining to which Data Subjects as well as for which Purposes will be under Processing by Cira Apps tools.

This DPA, including its Annexes, bears the objective of defining and documenting a mutual commitment (by the Parties) towards the assurance of secure and confidential Processing activities with regards to Personal Data pertaining to 3rd Party natural persons (Data Subjects) who are either staff members; prospects or customer, in full compliance with the European Union Regulation 2016/679, General Data Protection Regulation (the “GDPR”) plus other applicable Personal Data Protection Legislation, namely yet not limited), as per specific marketplace and country: CCPA (California U.S.); POPIA (South Africa); LGPD (Brazil); PDPA (Singapore) and APPI (Japan).

The Parties also hereby acknowledge to having entered into this agreement (a mutual commitment) by themselves as well as in the name and on behalf of their “Authorized Affiliates”/ “Partner” companies, towards which each Party resorts as an enabler of/ contributor to the enablement of Processor services in what implies the “Processing of Personal Data”.

Both Parties agree therefore that GDPR is the “Personal Data” Protection Regulation which primarily rules on the entire herein described scope of Personal Data Processing Activities and inherent obligations since it bears, at present date, the most comprehensive and demanding set of rules and requirements towards the assurance of “Personal Data” Privacy, Security, and Confidentiality.

1. DEFINITIONS

Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with each Party. Whereas “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the Party.

Controller” as defined under the GDPR, means the Processor which determines the “Personal Data” that is forward to the other Processor under the “Services” scope, as well as the inherent “Processing of Personal Data” purposes, processes and/ or workflows which must be observed by the other Processor within the mutual relationship.

Data Protection Officer“/ “DPO” as defined under the GDPR, means the natural person within a company/ organization (herein ahead referred to simply as “organization”) who bear the responsibility of ensuring company compliance towards GDPR (as per defined under this Regulation), both by means of monitoring compliance status as well as acting towards the organization and management structure informing those about existing non-conformity points and the need for the organization to act upon them in order to make them compliant with GDPR rules, guidelines and requirements.

Data Subject” as defined under the GDPR, means the identified or identifiable natural person to whom “Personal Data” pertains to. Both Parties understand that the “Data Subject” is the sole entity in full control of “Personal Data” which pertains to him/ her.

Data Subjects’ Rights” means the rights established towards the Data Subjects under the GDPR plus where applicable, the CCPA; POPIA and LGPD depending on the country of residence of the Data Subject.

GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regards to the “Processing of Personal Data” and on the free movement of such data, while Repealing and replacing the Directive 95/46/EC from May 25th, 2018 onwards.

GDPR Training” means the mandatory necessary endeavor which the Parties must undertake to ensure in a documented manner and as per GDPR requirements that their staff who performs “Processing of Personal Data” activities is fully aware of GDPR rules and guidelines.

IT Landscape” means the set of IT assets and services of and at the disposal of each Party that enables their “Processing of Personal Data” operation, meaning the communications infrastructure (LAN, WAN, Wi-Fi networks), Data Center and technical rooms, Cloud-based services, workstations, software systems and tools, mobile devices in use, peripheral IT devices, Firewalls and web-based resources.

Legal Basis” as defined under the GDPR, means the enlisted Legal Basis that an organization has to entice “Processing of Personal Data” activities under GDPR, namely (but not limited to) having documented: the “Data Subject’” Explicit Consent towards “Processing of Personal Data” activities; the organization Legitimate Interest in proceeding with “Processing of Personal Data” activities; accessory legal obligations that the organization must observe and which entitled it to proceed with “Processing of Personal Data” activities within the limits of such ruling and inherent obligations; other as per defined under GDPR.

Operational Landscape” means the set of both Controller Operational Policies, Processes, Procedures, Workflows, permissions given to staff over the access to “Personal Data”, 3rd Party under the scope of Corporate Client Core Business and related to “Processing of Personal Data”.

Partner” means any 3rd Party entity towards which each Party may resort in order to ensure “Processing of Personal Data” under a “Legal Basis” (as established by GDPR) and within the scope of agreed “Services”. As determined under the GDPR these entities may act as Sub-Processors or Joint Controllers or still Independent Controllers in the case of the Controller.

Party means the companies that sign this DPA.

Personal Data” as defined under the GDPR, means any data which by itself or when cross-referenced with other data enables one to univocally identify one given natural person, the “Data Subject”.

Processing of Personal Data” as defined under the GDPR, means any operation or set of operations which is performed on “Personal Data”, whether or not by automated means, such as: collection/ retrieval; accessing (consultation, use); processing (organization, structuring, adaptation or alteration); storage (recording, erasure or destruction); sharing (disclosure by transmission, dissemination or otherwise making available, publishing).

Personal Data Breach” as defined under the GDPR, means any “event” or “incident” (as per ITIL definition) which enables the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to “Personal Data”.

Processor as defined under the GDPR, means the entity which proceeds with authorized “Processing of Personal Data” on behalf of the Controller and exclusively under the instructions of the Controller.

Services” means the scope of “Processing of Personal Data” activities that are both inherent and/ or derive from the services being rendered by the Processor towards the Controller via its tools (the apps that Cira Apps has developed/ owns and are being used by the Controller.

Sub-processor” as defined under the GDPR, means any 3rd Party entity engaged by the Processor or by the Controller to provide accessory services to the Processor while performing complimentary “Processing of Personal Data” within the scope of the “Services”.

Supervisory Authority” as defined under the GDPR, means an independent public authority that is established by an EU Member State pursuant to the GDPR which acts as the responsible public entity for auditing and enforcing local GDPR compliance.

2. PROCESSING OF PERSONAL DATA

a. “Processing of Personal Data”

The Parties commit to proceed with “Processing of Personal Data” activities in full compliance with the requirements of the GDPR including (but not limited to) having a defined and documented “Legal Basis” bearing each the sole responsibility for maintaining “Personal Data” in their possession Accurate, Secure and Confidential during “Processing of Personal Data” operations and observing defined retention periods.

The Legal Basis for “Processing of Personal Data” under the scope of the services from the side of the Processor is a Contractual Obligation that derives from Controller’s using the tools.

The Processor commits not to undergo any Personal Data Processing activities which exceed or are not within the scope of the services, namely:

▪ Hosting and retention period that exceed the lifecycle inherent to the services;

▪ Access to Personal Data under the scope of the services by individuals or entities that do not play an active and relevant role in the fulfillment/ delivery of such services (staff or sub-Processors);

▪ Processing activities that exceed what is mandatory to enable the services;

▪ Sharing Personal Data under the scope of the services with unauthorized 3rd parties, meaning entities or individuals who are not relevant or required to enable the services fulfillment and delivery;

b. “Processing of Personal Data” Details

The subject-matter of “Processing of Personal Data” by the Processor exclusively pertains the agreed service scope as per the services and while exclusively aligned with the inherent “Legal Basis” of a Contractual Obligation by the Processor towards the Controller.

3. “DATA SUBJECTS’” RIGHTS

Both Parties commit to promptly inform each other (within 3 calendar days) upon the event of having “Data Subjects” exercising their rights towards them as per defined under the GDPR that may affect the other Party in the sense that action from it is required.

If and when feedback from or towards the other Party is required to address/ answer such “Data Subjects’” Rights request, both Parties hereby commit to ensuring full cooperation and making available required internal or “Partner” resources while bearing no cost towards the other Party.

4. PARTIES’ STAFF

a. Confidentiality

The Parties will ensure to have established towards their staff, who are involved in “Processing of Personal Data”, proper written confidentiality agreements (e.g. a data processing agreement under GDPR).

b. Limitation of Access

The Parties shall ensure that their staff’ access to “Personal Data” is limited to those personnel performing relevant/ required internal operational tasks which contribute towards the execution of agreed “Services” and/ or which are done so under a “Legal Basis” towards the “Data Subject”, further having set in place the appropriate access permissions that exclusively allow each staff member to access “Personal Data” which is relevant under the scope of their individual contribution towards those “Services”.

c. “GDPR Training”

Both Parties commit to ensuring that their staff, who are involved in “Processing of Personal Data”, are trained on GDPR and properly informed about the requirements posed by GDPR, having documented the degree of acquired knowledge and awareness by their staff towards GDPR via an individual test.

d. Obligation to assist

Pursuant to Articles 32 to 36 of the GDPR, both Parties commit to mutually provide relevant and necessary assistance to the other Party where that does not comprehend a direct sole responsibility of one Party and it is relevant to ensure the observance of Personal Data Protection as well as the reply to any Supervisory Authority or a Data Subject exercising his/ her Rights under the law.

This includes also (as per article 28 of the GDPR), the obligation by the Processor to inform the controller if, under its perspective, a provided instruction infringes the GDPR ruling.

5. “SUB-PROCESSORS”

a. Appointment of “Sub-processors”

The Controller agrees that the Processor may resort to “Partners” that enable the provision of agreed Service which may also have to entice the “Processing of Personal Data” on behalf of the Controller and are, therefore its “Sub-processors” within this scope.

The Processor commits to having its Affiliates and Processors (subProcessors before the Controller) entered into a written agreement containing data protection obligations not less protective than those in this DPA with respect to the protection of “Personal Data” to the extent applicable to the nature of the “Services” provided by such “Subprocessor”.

6. SECURITY

a. Controls for the Protection of Personal Data

Both Parties commit to implement and maintain (by regularly monitoring those) appropriate technical and organizational measures that ensure the Security, Integrity and Confidentiality of “Processing of Personal Data” while fully aligned with GDPR requirements as set forth in both companies Privacy Policies and/ or Code of Conduct under and as per defined by GDPR.

7. PERSONAL DATA BREACH INCIDENT MANAGEMENT AND NOTIFICATION

Both Parties commit to maintaining security incident management policies and procedures specified in their Security, Privacy, Operational Processes and “IT Landscape” Documentation.

In the event of a “Personal Data Breach”, with origin on the Processor, the Processor shall notify without undue delay the Controller after becoming aware of such “Personal Data Breach” when it relates to the Controller staff or any of its Clients/ Customers.

The notification process is described below under ANNEX 1.

8. PERSONAL DATA RETURN AND DELETION

Upon being informed by the Controller of the need to return or erase “Personal Data” under processing the Processor shall, to the extent allowed by applicable law, erase Personal Data in accordance with the market standards and best practices.

 

Appendixes List

Annex 1: Personal Data Breach notification

ANNEX 1

Personal Data Breach notification form

Personal Data Breaches (both potential as well as verified as effective) need to be reported by the Processor to the DPO of the Controller within 36 hours of having been detected, in writing to the contact email described in this document and containing details as per the bullet points below:

1. Nature of the personal data breach

a. insert a description of the breach including, how and when this occurred.
b. insert details of the categories and volume of personal data compromised.
c. insert details of the categories and volume of data subjects impacted.

2. Contact details

a. confirm contact details of the DPO or another individual responsible for compliance with the data protection who can be contacted in relation to the personal data breach.

3. Consequences of the personal data breach

a. insert a description of the likely consequences (from Processor’s perspective) of the personal data breach for example identity theft, fraudulent activity, unauthorized access to accounts, etc.

4. Mitigation and containment

a. insert details of the measures taken or proposed to be taken to mitigate and contain the personal data breach and its effect, as well as to prevent it from happening again in the future.

This initial report will be followed by a final full and detailed version definite report from the Processor to the Controller 60 hours after the incident has been detected by the Processor.

View PDF
GDPR
soc2comliant