Book a Consultation

DPA

Definitions

In this Data Protection Agreement (DPA), certain terms have specific meanings.

  • “Controller” refers to the entity that determines the purposes and methods of processing personal data.
  • “Customer Content” means the personal data that the customer provides to 365 AITECH or stores on its behalf through its account while using the services.
  • “Customer Subscription Data” includes personal data related to the customer’s interactions with 365 AITECH, such as billing information and contact details of authorized individuals.
  • “Customer Usage Data” is the data processed by 365 AITECH to identify the source and destination of customer content and improve system abuse prevention.
  • “Data Protection Laws” means the European Union data protection laws and other relevant data protection or privacy laws.
  • “Data Subject” refers to any natural person whose personal data is processed.
  • “GDPR” is the General Data Protection Regulation of the European Union.
  • “Model Clauses”are standard contractual clauses for processors approved by the European Commission.
  • “Personal Data” includes any information related to a data subject that 365 AITECH processes to provide its services.
  • “Personal Data Breach” is a security breach that results in unauthorized access, disclosure, or loss of personal data.
  • “Privacy Policy” refers to 365 AITECH policy on privacy.
  • “Process” means any operation or set of operations performed on personal data.
  • “Processor” is a person or entity that processes personal data on behalf of the controller.
  • “Sensitive Data” includes personal data related to sensitive information such as racial or ethnic origin, political opinions, religious beliefs, genetic data, and health information.
  • “Services” refers to 365 AITECH call transcription, monitoring, evaluation, and analytics services subscribed to by the customer under the Terms of Use.

Scope, Duration and Responsibilities

  1. The processing of Customer Content is subject to this DPA.

  2. 365 AITECH is authorized to process Customer Content during the validity of this DPA, and only as per the terms outlined in the relevant appendix.

  3. Each Party is accountable for fulfilling their obligations as Controller or Processor under the Data Protection Laws, in line with the provisions of the Terms.

Relationship of the Parties

  1. 365 AITECH’s role as a Processor: The Parties agree that 365 AITECH will act as a Processor for the Processing of Customer Content. It is acknowledged that Customer may act as either a Controller or Processor in this regard.

  2. 365 AITECH’s role as a Controller of Customer Subscription Data: The Parties acknowledge that 365 AITECH is an independent Controller, not a joint Controller with Customer, for the Processing of Customer Subscription Data. Customer is the Controller and 365 AITECH will Process this data in accordance with its Privacy Policy.

  3. 365 AITECH’s role as a Controller of Customer Usage Data: The Parties acknowledge that 365 AITECH is an independent Controller, not a joint Controller with Customer, for the Processing of Customer Usage Data. It is acknowledged that Customer may act as either a Controller or Processor in this regard. Customer Usage Data will be Processed by 365 AITECH in accordance with its Privacy Policy.

Term and Termination

  1. Upon signing, this DPA will become effective and remain valid for as long as 365 AITECH is Processing Customer Content in accordance with the Terms. After that, it will automatically terminate.

  2. If any amendments are needed to comply with Data Protection Laws, the Controller may request such amendments, and the Parties will make reasonable efforts to agree upon them. If the Parties cannot agree upon such amendments, either Party may terminate Customer’s use of the Services by giving the other Party written notice at least thirty (30) days in advance.

Processing Instructions for Customer Content

  1. 365 AITECH is obligated to follow the instructions provided by the Customer when processing Customer Content. The initial instructions are provided in this DPA and any changes to these instructions may be communicated by the Customer through an amendment to this DPA.

  2. It is important to note that any instructions that would result in processing outside the scope of this DPA, such as a new processing purpose, must be agreed upon by both Parties and subject to the contract change procedure.

  3. If 365 AITECH believes that an instruction provided by the Controller violates Data Protection Laws, they must promptly inform the Controller in writing and provide a detailed explanation of the reasons for their opinion.

Processor Personnel

365 AITECH will ensure that its personnel do not process Customer Content without proper authorization. 365 AITECH will also require its personnel to agree to relevant contractual obligations, such as confidentiality, data protection, and data security obligations.

Disclosure to Third Parties; Data Subjects Rights

  1. 365 AITECH shall not disclose Customer Content to any government agency, court, or law enforcement, except with the written consent of the Controller or as required by mandatory laws. If 365 AITECH is obligated to disclose Customer Content to a law enforcement agency, it agrees to provide the Controller with reasonable notice before granting access, allowing the Controller to seek a protective order or other appropriate remedy. If such notice is legally prohibited, 365 AITECH will take reasonable measures to protect the Customer Content from undue disclosure, treat it as its own confidential information, and promptly inform the Controller when the legal prohibition ceases to apply.

  2. If Data Subjects submit any requests or communications related to the Processing of Customer Content (“Request”), 365 AITECH shall provide the Controller with reasonable cooperation, information, and assistance (“Assistance”) upon instruction by the Controller.

  3. Upon receiving a Request, 365 AITECH shall not directly respond to it but rather forward it to the Controller within ten (10) business days of identifying it as being related to the Controller, and provide Assistance according to further instructions from the Controller.

Technical and Organizational Measures

365 AITECH is required to establish and uphold suitable technical and organizational measures to guarantee that Customer Content is processed in compliance with this DPA, and to assist and safeguard it against any Personal Data Breach. These measures, also known as TOMs, shall incorporate the measures outlined in the Appendix.

Assistance with Data Protection Impact Assessment

  1. If required by applicable Data Protection Laws, 365 AITECH shall assist the Controller in conducting a Data Protection Impact Assessment (DPIA) for the Processing of Customer Content. 365 AITECH shall provide the Controller with any information and assistance reasonably required for the DPIA and also provide assistance for any communication with data protection authorities, if necessary. However, 365 AITECH shall not be obliged to provide any information or assistance that is not related to its obligations under this DPA.

  2. The Controller shall pay 365 AITECH reasonable fees for providing the assistance mentioned in clause 9, to the extent that such assistance cannot be accommodated within the normal provision of the Services.

Information Rights and Audit

  1. Upon request, 365 AITECH will provide Customer with necessary information to demonstrate compliance with Data Protection Laws in a timely manner.

  2. 365 AITECH will allow and assist in audits of its Processing of Customer Content, including TOMs, during regular business hours, with minimal interruption to its operations. Audits may be conducted by Customer, its affiliates, or an independent third party subject to confidentiality obligations and who is not a competitor of 365 AITECH.

  3. Customer will pay reasonable costs for audits or inspections conducted more than once every 12 months in accordance with clause 10(2). 365 AITECH will promptly refer any requests received from national data protection authorities related to the Processing of Customer Content to Customer.

  4. 365 AITECH will cooperate with Customer and national data protection authorities in audit requests related to the Processing of Customer Content.

Personal Data Breach Notification

365 AITECH has the following obligations in case of a Personal Data Breach (whether actual or suspected):

  1. Notify Customer immediately in the event of a Personal Data Breach that involves 365 AITECH or a subcontractor. It is the Controller’s responsibility to inform the Supervisory Authority within 72 hours of receiving notice from 365 AITECH about the breach.
  2. Provide Customer with reasonable information, cooperation, and assistance in responding to the Personal Data Breach in accordance with Data Protection Laws. This includes guidance on how to communicate the breach to Data Subjects and national data protection authorities.

Subcontracting

  1. 365 AITECH may engage third-party sub-processors to process Customer Content to fulfil its obligations under the Agreement, subject to Customer’s consent as outlined in Appendix 1.

  2. If 365 AITECH does engage a sub-processor with Customer’s consent, it will only do so through a written contract that imposes the same obligations on the sub-processor regarding instructions and TOMs as those imposed on 365 AITECH under this DPA.

  3. If the sub-processor fails to meet its data protection obligations under the contract, 365 AITECH will remain fully liable to Customer for complying with its obligations under this DPA and ensuring the sub-processor’s obligations are fulfilled.

International Data Transfers

365 AITECH is responsible for ensuring that the Customer Content is adequately protected in accordance with Data Protection Laws, regardless of where it is processed. If 365 AITECH processes Customer Content from the EEA or Switzerland under this Agreement, it must comply with the Model Clauses and ensure that any sub-processors also comply. The standard contractual clauses for data Controller to data Processor transfers approved by the European Commission in decision 2010/87/EU are incorporated by reference into this Agreement. The Model Clauses will apply to Customer Content that is transferred via the Services from the European Economic Area, the United Kingdom, and/or Switzerland to outside these areas, either directly or via onward transfer. 365 AITECH agrees to be the “data importer” and Customer to be the “data exporter” under the Model Clauses, only for the purposes of the descriptions in the Model Clauses and only as between 365 AITECH and the Customer. Additionally, Appendices 1 and 2 of this Agreement will replace Appendices 1 and 2 of the Model Clauses, respectively.

Deletion or Return of Personal Data

At the end of the contractual period, 365 AITECH must erase all Customer Content, including Personal Data, within two years. However, if 365 AITECH is obligated by applicable law to retain some or all of the Personal Data, it shall isolate and safeguard it from further processing, except as required by law.

CCPA Undertaking

Customer acknowledges and agrees that in relation to any Personal Information of Consumers (as defined under the CCPA) included in Customer Content, Customer is the Business and 365 AITECH is the Service Provider. 365 AITECH will not use, sell, disclose, or retain Personal Information of Consumers processed on behalf of Customer under the Terms for any purpose other than providing the Services as part of the direct relationship between 365 AITECH and Customer. 365 AITECH certifies its understanding of the limitations under clause 15 and commits to comply with them.

Usage of Customer Content for Analytics

The Customer acknowledges and gives permission to 365 AITECH to utilize the Customer Content for the purpose of collecting, using, copying, storing, and transmitting such content, but only to the extent required to fulfill the Customer’s intended purposes, such as conducting analytics for machine learning.

Miscellaneous

  1. This DPA’s provisions shall prevail over any conflicting provisions in other agreements with 365 AITECH.
  2. Neither party shall receive payment for fulfilling obligations under this DPA, except as specifically outlined in this agreement or another agreement between the parties.
  3. Any changes or additions to this DPA must be made in writing and signed by both parties.
  4. If any provision of this DPA becomes unenforceable, it shall not affect the validity of the remaining provisions.

APPENDIX 1

Data exporter refers to the Customer who utilizes the Services provided by 365 AITECH.

Data importer refers to 365 AITECH, a provider of conversation intelligence tools that enable analysis of calls and chats, and allows users to listen to conversations and run analysis on them.

Data subjects refer to the end-users of the data exporter. The Personal Data that the data exporter transfers to the data importer is controlled solely by the data exporter and is in the form of Customer Content that the data exporter instructs the data importer to Process through its products and services.

The Personal Data transferred includes Customer Content as defined in Section 1 of the Agreement. No Sensitive Data shall be transferred as part of Customer Content.

365 AITECH will Process the data collected from or for the Customer or in connection with its Services provided to the Customer solely for the purpose of providing the services specified in the DPA, and the duration of processing will be as designated in the DPA.

365 AITECH may use subcontractors for Processing Personal Data as of the effective date of this DPA.

Name of Sub-processorPurpose
AWSServer & Hosting
ChargebeeInvoicing
StripeBilling
MongoDBProvides Database

APPENDIX 2

365 AITECH has implemented and documented the following policies, which are subject to regular review and continuous improvement, and evidence of these policies is required:

  1. Access Control Policy: 365 AITECH has a policy in place for controlling access to sensitive data, and a change management policy for handling modifications to the system.

  2. Security Awareness and Training Program: 365 AITECH provides a Security Awareness Program for all employees, which includes training at the time of hire and at least once per year thereafter.

  3. Physical Security: 365 AITECH restricts access to areas where Controller data is processed to authorized personnel only.

 
Scroll to Top