Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Services available at https://answmachine.com/ (“Principal Agreement”) between

RETRO WAVE PUBLISHING LIMITED, legal entity, registered under the laws of Republic of Cyprus, located at 2-4 Arch. Makariou III Avenue, Capital Center, 9th floor, 1065 Nicosia, Cyprus, identification number of the legal entity: 457187 (“Company”) and

You, the user of Company’s website https://answmachine.com/ (“You”), together referred to as “Parties”.

Parties agree as follows:

DEFINITIONS AND INTERPRETATION

Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Within the DPA, You are the Controller.

Data Protection Laws mean all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of the Processing Personal Data in question under the Principal Agreement.

Data Subject means the individual to whom Personal Data relates.

Instructions means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).

Personal Data means any information relating to an identified or identifiable individual, personal information or personally identifiable information under the applicable Data Protection Laws.

Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Company and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach shall not include unsuccessful attempts or activities that do not compromise the security of the Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

Processing means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.

Processor means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. Within the DPA, the Company is the Processor.

Standard Contractual Clauses means the standard contractual clauses for the Processors.

Sub-Processor means any Processor engaged by the Company to assist in fulfilling its obligations with respect to the provision of the Services under the Principal Agreement.

Privacy Policy means the then-current Company’s privacy policy available at https://answmachine.com.

Services means collectively, the Company’s product and services available at https://answmachine.com/ as outlined in the Principal Agreement.

ROLES AS DATA CONTROLLER AND DATA PROCESSOR

For purposes of this DPA, you are the Controller of the Personal Data Processed by the Company in its performance of the services within the scope of the Principal Agreement. You are responsible for complying with Your obligations as the Controller under the Applicable Data Protection Laws governing your provision of the Personal Data to the Company for the performance of the Services.

The Company is the Processor with respect to such Personal Data, except when You act as the Processor of the Personal Data, in which case the Company is a Sub-Processor. The Company is responsible for complying with its obligations under the applicable Data Protection Laws that apply to its Processing of the Personal Data under the Agreement and this DPA.

You are responsible for ensuring that You:

  1. Complied, and will continue to comply, with the applicable Data Protection Law in Your use of the Services and Your own Processing of the Personal data; and
  2. Have, and will continue to have, the right to transfer, or provide access to the Personal data to the Company for Processing in accordance with the Principal Agreement and this DPA.

PARTIES OBLIGATIONS

According to the above the Parties have the following obligations:

You are responsible for:

  1. Compliance with applicable laws. Within the scope of the Principal Agreement and in use of the Services, You are responsible for complying with all requirements that apply to it under the applicable Data Protection Laws with respect to the Processing of the Personal Data and the Instructions issued to the Company.
  2. The Controller Instructions. The Parties agree that the Principal Agreement and this DPA, together with Your use of the Service in accordance with the Principal Agreement, constitute Your complete and final Instructions to the Company in relation to the Processing of Personal Data, and additional instructions outside the scope of the Instructions shall require prior written agreement between You and the Company.

The Company is responsible for:

  1. Compliance with Instructions. The Company shall only Process the Personal Data for the purposes described in this DPA or within the scope of Your lawful Instructions, except where and to the extent required by applicable law. The Company is not responsible for compliance with any Data Protection Laws applicable to You or Your industry that are not generally applicable to the Company.
  2. Conflict of Laws. If the Company becomes aware that it cannot Process the Personal Data in accordance with Your Instructions due to a legal requirement under any applicable law, the Company will:
    • promptly notify You of that legal requirement to the extent permitted by the applicable law, and
    • where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as You issue new Instructions with which the Company is able to comply. If this provision is invoked, the Company will not be liable to You under Principal Agreement for any failure to perform the applicable Services until such time as You issue new lawful Instructions with regard to the Processing.
  3. Confidentiality. The Company shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Sub-Processor who may have access to the Personal Data, ensuring in each case that access to the Personal Data is strictly limited to those individuals who need to know / access the relevant Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Sub-Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
  4. Security
    5. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Company shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
  5. Personal Data Breach. The Company will notify You without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data, providing You with sufficient information to allow You to fulfill any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.

    The Company will co-operate with You and take reasonable commercial steps as directed by You to assist in the investigation, mitigation and remediation of each such Personal Data Breach. You shall coordinate with the Company on the content of any public statements or required notices to individuals and/or supervisory authorities.
  6. Deletion or return of Personal Data. The Company shall, within the timeframe specified by the Principal Agreement, Privacy Policy, or this DPA, securely delete or return (as determined by such governing documents) and procure the deletion or return of all copies of Personal Data Processed under the ceased Services, unless retention is mandated by applicable law.

PURPOSE OF PROCESSING

The Company and any persons acting under its authority under this DPA, including Sub-Processors, will Process the Personal Data only for the purposes of performing the Services in accordance with Your Instructions as specified in the Principal Agreement, this DPA and in accordance with the applicable Data Protection Laws. The Company will not disclose the Personal Data in response to a subpoena, judicial or administrative order, or other binding instrument (“Demand”) unless required by law. The Company will promptly notify You of any Demand unless prohibited by law and provide You reasonable assistance to facilitate Your timely response to the Demand.

The Company may provide the Personal Data to affiliates in connection with any anticipated or actual merger, acquisition, sale, bankruptcy or other reorganization of some or all of its business, subject to the obligation to protect the Personal Data consistent with the terms of this DPA.

DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA

You determine the Personal Data to which You provide the Company has access to in order to perform the Services. This may involve the Processing of the Personal Data of the following categories:

  1. Data that directly identifies the user of Your product: username; application version; operating system version; device model; device language.
  2. Data that relates to the review: content of the review; store name where the review was submitted; date and time when the review was submitted.
  3. You shall refrain from providing the Company with access to any information that constitutes: Special categories of Personal Data, including, but not limited to, data pertaining to racial or ethnic origin, political opinions, religious or philosophical beliefs, health status, intimate life, sexual orientation, biometric data, genetic data, and any other data classified as special categories under applicable legislation;
  4. Personal Data that exceeds the minimum necessary scope required for the legal basis of Processing such Personal Data;
  5. Personal Data, the disclosure of which carries a demonstrable risk of causing substantial harm to the Data Subject or violating the Data Subject’s right to privacy.

SUB-PROCESSING

Subject to the terms of this DPA, You authorize the Company to engage the Sub-Processors and affiliates for the Processing of the Personal Data. The Company remains responsible at all times for the such Sub-Processors’ and affiliates’ compliance with the requirements of the Principal Agreement, this DPA and the applicable Data Protection Laws. Such Sub-Processors include but are not limited to:

  1. Open AI, USA.
  2. Google, USA.

Sub-Processor Liability. Where the Company engages the Sub-Processors, the Company will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. The Company remains liable for any breach of this DPA that is caused by an act, error or omission of its Sub-Processors.

CROSS-BORDER DATA TRANSFER

You acknowledge and agree that Company may Process Personal Data on a global basis, to the extent necessary for the provision of Services as stipulated in the Principal Agreement. Specifically, Personal Data may be transferred to jurisdictions where the Company’s affiliates and Sub-Processors maintain operations. The Company shall ensure that all such transfers are conducted in compliance with the applicable Data Protection Laws.

For international transfers subject to the EU Standard Contractual Clauses, You and the Company shall use the EU Standard Contractual Clauses, irrespective of Your location and otherwise comply with any and all guarantees and corporate rules provided. For such purposes, You will act as the data exporter on Your behalf and on behalf of any of Your entities, the Company will act as the data importer on its own behalf and/or on behalf of its affiliates, and any Sub-Processors will act as “sub-contractors”.

You hereby consent to the Company to enter into any agreement or take any measures, including on behalf of You, to establish and ensure an adequate level of data protection in the transfer of the Personal Data to the Sub-Processor outside the European Economic Area. In the event of the application of the EU Standard Contractual Clauses, the Company is entitled to conclude such clauses on behalf of You and the power of authority for this purpose is hereby granted by You.

AUDIT RIGHTS

In the event the information You request from the Company does not satisfy Your obligations under the applicable Data Protection Laws, You may conduct an audit of the Company's Processing of Personal Data up to one (1) time per year, or as otherwise mandated by applicable Data Protection Laws. To request an audit, You must provide the Company with a detailed proposed audit plan two (2) months in advance, and the Company will work with You in good faith to agree upon a final written plan. Any such audit shall be conducted at Your own expense, during normal business hours, without disruption to the Company’s business operations, and in accordance with the Company’s security rules and requirements.

Prior to any audit, the Company shall provide You with reasonably requested information and associated evidence to satisfy Your audit obligations, and You shall review this information prior to undertaking any independent audit. If any of the requested scope of the audit is addressed by an audit report issued to the Company by a qualified third-party auditor within the preceding twelve (12) months, the Parties agree that the scope of Your audit will be reduced accordingly.

Prior to any third-party audit, such auditor shall be required to execute an appropriate confidentiality agreement with the Company. If the third party is Your regulatory authority, and applicable law enables it to audit the Company directly, the Company will cooperate with and provide reasonable assistance to such regulatory authority in accordance with applicable law. You will provide the Company with a copy of any final report unless prohibited by applicable Data Protection Laws, and will treat the findings as confidential information, and use it solely for the purpose of assessing the Company’s compliance with the terms of the Principal Agreement, this DPA, and applicable Data Protection Laws.

GENERAL TERMS

All notices and communications given under this DPA must be in writing and will be delivered personally, sent by post or sent by email to the address set out in this DPA.

This DPA is governed by the law that the Principal Agreement is governed by. In the event of a dispute and the inability to resolve it amicably, the Parties shall refer the matter to the court specified in the Principal Agreement.

By accepting the terms of the Principal Agreement and the Privacy Policy You automatically agree to this DPA.

CONTACTS

You can contact the Company by following means of communication:

By email: support@answmachine.com

Or write to the Company at: 2-4 Arch. Makariou III Avenue, Capital Center, 9th floor, 1065 Nicosia, Cyprus

Still need help?

We are always happy to help.

Contact us