GDPR - Data processor agreement

Legal contract outlining terms for processing personal data, ensuring compliance with data protection regulations.

Data processor agreement

Background to the data processing agreement

  1. This agreement sets out the rights and obligations that apply when Previsto processes personal data on behalf of the Customer.

  2. The agreement is drawn up with a view to the parties' compliance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (Data Protection Regulation), which sets specific requirements for the content of a data processing agreement.

    1. In connection with the provision of route planning and related services, Previsto processes personal data on behalf of the Customer in accordance with these Regulations.
  3. The data processing agreement and Previsto's terms of use are interdependent and cannot be terminated separately. However, the data processing agreement can be replaced by another valid data processing agreement.

  4. This data processing agreement takes precedence over any corresponding provisions in other agreements between the parties, including Previsto's terms of use.

  5. The customer approves that Previsto can involve sub-processors to process personal data on the customer's behalf. Annex B of the data processor agreement contains a list of the sub-processors Previsto uses.

  6. This data processing agreement does not release Previsto from obligations under the data protection regulation or any other legislation that is directly imposed on Previsto.

The customer's rights and obligations

  1. The customer is responsible for ensuring that the processing of personal data takes place in accordance with the data protection regulation (see the regulation's article 24), data protection regulations in other EU law or the national law of the member states and these Regulations.

  2. The customer has the right and duty to decide for which purpose(s) and by which means personal data may be processed.

  3. The customer is responsible for, among other things, ensuring that there is a processing basis for the processing of personal data that Previsto is instructed to carry out.

Data processing

  1. Previsto only processes personal data on instructions from the Customer, unless required by EU law or the national law of the Member States to which Previsto is subject.

Safety

  1. Safety measures: Previsto must ensure appropriate technical and organizational security measures to protect personal data from security incidents and for safe and confidential storage of personal data in accordance with Previsto's security measures.

  2. Confidentiality: Previsto must ensure that any person whom Previsto has authorized to process personal data (including its staff, agents and subcontractors) is subject to an appropriate confidentiality obligation (whether a contractual or statutory duty).

  3. Security breach notification: After becoming aware of a security breach, Previsto must notify the Customer without undue delay and must provide timely information regarding the security incident, as it becomes known or is requested by the Customer.

  4. Security updates: The customer acknowledges that the security measures are subject to technical development and that Previsto may update or change the security measures from time to time, provided that such updates and changes do not result in deterioration of the overall security of the services that the Customer purchases.

Transfer of information to third countries or international organizations

  1. Data processing locations: Previsto stores and processes EU data (defined below) in data centers located within the EU.

Assistance to the Customer

  1. To the extent that the customer is unable to independently access the relevant personal data within the Services, Previsto shall (at the Customer's expense) offer reasonable cooperation to assist the Customer with appropriate technical and organizational measures as far as possible, as well as respond to requests from individuals or applicable data protection authorities regarding the processing of personal data pursuant to the agreement. If such a request is addressed directly to Previsto, Previsto shall not respond directly to the request without the Customer's prior permission unless required by law. If Previsto must respond to such a request, Previsto must immediately notify the Customer and provide the Customer with a copy of the request, unless prohibited by law.

  2. To the extent required of Previsto in accordance with the Data Protection Act, Previsto must (at the Customer's expense) provide access to information about Previsto's processing of personal data in accordance with the agreement, in order to make it possible for the Customer to carry out data protection impact assessments or consultations with data protection authorities as required by law.

Deletion and return of information

  1. Upon termination of the services relating to processing, Previsto is obliged, at the Customer's choice, to delete or return all personal data to the Customer, as well as to delete existing copies, unless EU law or national law prescribes the storage of the personal data.

Annex A - List of sub-processors

Explanation

The Supplier's Software is dependent on a number of sub-suppliers in order to operate. Such "sub-processors" are third-party suppliers in and outside the EU/EEA. The Supplier's subcontractors are listed in the list of sub-processors, which is kept up to date at all times. The Supplier must ensure that its Sub-Data Processors comply with corresponding obligations and requirements, which are described in the Agreement. All use of Sub-Data Processors is also subject to the Supplier's General Terms and Conditions.

Suppliers

Supplier: Postmark
WildBit, LLC, 225 Chestnut Street, Philadelphia, PA 191106
Registered data: The Customer's customers
Categories: Name, email
Purpose: Sending transactional emails

Supplier: Gateway API
Onlinecity Aps, Buchwaldsgade 50, 5000 Odense C
Registered data: The Customer's customers
Categories: Name, phone number
Purpose: Sending transactional emails/SMS messages

Supplier: Stripe
North Wall Quay, Dublin 1, Dublin
Registered data: The Customer's organization
Categories: Name, address, organization, payment details
Purpose: Completing credit card payments

Supplier: Digital Ocean
101 Avenue of the Americas, 10th Floor, New York, NY 10013
Registered data: The customer's customers and any agreements and tasks, the customer's company, the customer's employees, the customer's notes, the customer's notifications
Categories: Name, address, telephone number, e-mail, CVR
Purpose: Hosting

Annex B - Safety measures

Network security

This section describes the type of security that has been established for Previsto's servers.

Encryption

All connections to and from Previsto's servers are encrypted HTTP connections (HTTPS), authenticated with certificates from Let's Encrypt which are renewed every month. Unencrypted HTTP connections are also accepted, but these are redirected to encrypted connections at the outer end.

Firewall

All network ports to Previsto's servers are blocked except ports 80 and 443. The following table describes the purpose of each port.

Port  Purpose
80    HTTP. Redirects to HTTPS immediately.
443   HTTPS. All data is served through this port.

Data security

This section describes the data security of our customer data.

Storage

All data is stored in a database which can only be accessed via Previsto's internal network from selected servers and with correct authentication. Sensitive data such as passwords is stored, as far as possible, with one-way encryption and cannot be recovered; it can only be used for validation.