Last Modified: 2022-03-09
This Maya Insights Data Processing Agreement and its’ Annexes (the “DPA“) is entered into by and between the Maya Insights customer agreeing to these terms (“Client”) and Maya Insights P.C, located at Chiou 56, Athens 104 39, Greece (“Maya Insights“). Maya Insights and Client are collectively referred to as the “Parties” and each a “Party”.
Client enters into this DPA on behalf of itself and, to the extent required under EU Data Protection Laws, in the name and on behalf of its Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Client” shall include Client and its’ Affiliates. If you are accepting this DPA on behalf of the Client, you represent and warrant that: (a) you are duly authorized to represent the Client; and (b) you accept the terms of this DPA.
This DPA reflects the parties’ agreement with respect to the Processing of Personal Data by Maya Insights on behalf of the Client in connection with the Services and/or the Professional Services and /or any Free or Beta Services (for the purposes of this DPA collectively referred to as the “Services”) provided under the Maya Insights’ Terms of Service Agreement and/or any Order Form (all of them referred to in this DPA as the “Terms”). This DPA is supplemental to, and forms an integral part of, the Terms and is effective upon acceptance of the Terms, or of an executed amendment to the Terms and/or of an Order Form. In case of conflict or inconsistency with the Terms, this DPA will take precedence over the Terms to the extent of such conflict of inconsistency.
Maya Insights reserves the right to update this DPA from time to time in order to comply with revisions, amendments, or updates to EU Data Protection Laws (as defined below). Client’s continued use of the Services shall constitute acceptance of any such updates.
All capitalized terms not defined herein shall have the meaning set forth in the Terms. In the course of providing the Services to Client pursuant to the Terms, Maya Insights may process Personal Data on behalf of Client and the parties agree to comply with the following provisions with respect to the processing of such Personal Data, each acting reasonably and in good faith.
This DPA shall come in effect at the date of the acceptance of the Terms or by executing an Order Form and/or any addendums thereof by the Client (“Effective Date”).
1.1 “Authorized Persons” means any person who processes Personal Data on Maya Insights’s behalf, including Maya Insights’s employees, officers, partners, principals, contractors, and Subcontractors.
1.2 “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.3“Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.4 “EU Data Protection Laws” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (“General Data Protection Regulation” or “GDPR”) and the United Kingdom’s adoption of the GDPR, the Data Protection Act of 2018, as each may be revised and updated from time to time.
1.5 “Personal Data” means all data which is defined as ‘personal data’ under EU Data Protection Laws and to which EU Data Protection Laws apply and which is provided by the Client to Maya Insights, and accessed, stored or otherwise processed by Maya Insights as a data processor as part of its provision of the Service to Client; and
1.6 “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
1.7 “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any service provider.
1.8 “Security Incident” means an accidental, unauthorized or unlawful destruction, loss, alteration, disclosure of, or access to, Personal Data.
1.9 “Subcontractor” means any third party engaged by Maya Insights to process any Personal Data relating to this DPA and/or the Terms.
1.10 “supervisory authority”, “personal data breach”, “technical and organizational measures” shall have the meanings ascribed to them in EU Data Protection Laws.
- ROLE AND SCOPE OF PROCESSING
2.1 Maya Insights shall process Personal Data under the Terms only as a Processor acting on behalf of Client. Client shall be the Controller of the Personal Data.
2.2 Maya Insights will at all times process Personal Data only for the purpose of providing the Services to Client under the Terms as described in detail in Annex I, unless Maya Insights is required to process the Personal Data for other purposes by EU Data Protection Laws.
2.3 Maya Insights shall treat Personal Data as confidential information and shall only process Personal Data on behalf of and in accordance with the Client’s documented instructions for the provision of the Services and to comply with any other documented instruction of the Client. Maya Insights shall not provide Services in conjunction with Personal Data to the extent that doing so would violate the EU Data Protection Laws.
2.4 Each Party shall comply with its obligations under EU Data Protection Laws in respect of any Personal Data it processes under this DPA. This Agreement is in addition to, and does not relieve, remove or replace a Party’s obligations under the EU Data Protection Laws.
- AUTHORISED PERSONS
3.1 Maya Insights shall take reasonable steps to ensure the reliability of its Authorised Persons who have access to the Personal Data, ensuring in each case that access is limited to those individuals who need to know and access the relevant Personal Data, as necessary for the purposes of the Terms, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1 The Client agrees that Maya Insights may engage Sub-processors to process Personal Data on his/her behalf. Maya Insights has currently appointed, as Sub-Processors, the third parties listed in Annex III to this DPA and Client gives general authorisation for this engagement.
4.2 Maya Insights shall provide at least 30 days’ prior written notice to Client of the engagement of any new Sub-processor. If the Client has a reasonable objection to any new or replacement Sub-processor, it shall notify Maya Insights of such objections in writing within ten (10) business days of the notification and the parties will seek to resolve the matter in good faith. If Client objects to the engagement of that Sub-processor on data protection grounds, then either Maya Insights will not engage the Sub-processor to process the Personal Data or Client may elect to suspend or terminate the Terms and this DPA pursuant to the Terms.
4.3 If the Client does not provide a timely objection to any new or replacement sub-processor in accordance with this clause 4.2, the Client will be deemed to have consented to the sub-processor and waived its right to object.
4.4 Where Maya Insights engages Sub-Processors, it will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. Maya Insights will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause breach any of its obligations under this DPA.
- DATA ACCESS AND SECURITY STANDARDS
5.1 Maya Insights will implement and maintain all reasonable and appropriate technical and organizational security measures to meet the requirements of EU Data Protection Law, and in particular, to protect against the occurrence of Security Incidents and to preserve the security, integrity and confidentiality of Personal Data (“Security Measures”). Such Security Measures shall take into account industry standards, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risk of a Security Incident and potential impact on the rights and freedoms of natural persons. Maya Insights shall regularly monitor compliance with these measures.
5.2 Maya Insights shall implement appropriate technical and organizational measures for protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Clients Data, confidentiality and integrity of Client’s Data.
6. PERSONAL DATA BREACH
6.1 Maya Insights maintains security incident management policies and procedures and shall notify Client as applicable without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Data, including Personal Data, transmitted, stored or otherwise Processed by Maya Insights or its Sub-processors of which Maya Insights becomes aware (a “Security Incident”). Maya Insights shall make reasonable efforts to identify the cause of such Security Incident and take such steps as Maya Insights deems necessary and reasonable to remediate the cause of such security Incident to the extent the remediation is within Maya Insights’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or its’ Affiliates or its’ Authorized Users.
6.2 The notification to Client shall include:
a) a description of the Security Incident;
b) the type of Personal Data that was the subject of the Security Incident;
c) the identity of each affected person (or, where not possible, the approximate number of data subjects and of Personal Data records concerned);
d) a description of the likely consequences of the Security Incident; and
e) a description of the measures taken or proposed to be taken by Maya Insights to address the Security Incident, including, where appropriate, measures to mitigate its possible adverse effects.
To the extent that any such information is not available at the time of initial notification, Maya Insights shall provide prompt updates as such information becomes available.
6.3 Furthermore, in the event of a Security Incident, Maya Insights shall:
a) provide timely information and cooperation as Client may require in order to fulfill Client’s data breach reporting and notification obligations under EU Data Protection Laws; and
b) take such measures and actions as are appropriate to remedy or mitigate the effects of the Security Incident and shall keep Client up to date about all material developments in connection with the Security Incident.
6.4 The content and provision of any notification, public/regulatory communication or press release concerning the Security Incident (a “Communication”) shall be solely at Client’s discretion, except as otherwise required by applicable laws. If and to the extent Maya Insights is referenced by name in any such Communication, Maya Insights shall review and pre-approve the Communication for accuracy, such approval not to be unreasonably withheld.
7. DATA PROTECTION IMPACT ASSESSMENTS
7.1 To the extent that the required information is reasonably available to Maya Insights, and Client is not otherwise have access to the required information, Maya Insights will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by EU Data Protection Laws.
8. COOPERATION AND AUDITS
8.1 Maya Insights shall reasonably cooperate with Client to enable Client to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Personal Data under the Terms, including requests from data subjects seeking to exercise their data subject rights under EU Data Protection Law. In the event that any such request, complaint or communication is made directly to Maya Insights, Maya Insights shall, unless prohibited by applicable law, promptly pass this onto Client and shall not respond to such communication without Client’s authorization.
8.2 Maya Insights shall, upon receipt of written request from Client, make available to Client such information as is reasonably necessary to demonstrate Maya Insights’s compliance with the EU Data Protection Laws and permit Client to audit its records to the extent reasonably required in order to confirm that Maya Insights is complying with its obligations under this DPA or any EU Data Protection Laws, provided always that any such audit does not involve the review of any third party data and that the records and information accessed in connection with such audit are treated as confidential information by Client. Client shall bear its own costs to conduct such an audit. Unless Client’s request for such audit follows a Security Incident, or is otherwise required by EU Data Protection Laws, Client shall not make any such request more than once in any 12-month period.
9. CROSS-BORDER TRANSFERS
9.1 Maya Insights will provide at all times of processing of Personal Data, an adequate level of protection, in accordance with applicable requirements of EU Data Protection Laws.
9.2 Maya Insights shall not process or transfer any Personal Data in a territory out of EEA unless: (i) subject to the below exception, it has first obtained Client’s prior written consent; and (ii) it takes all such measures as are necessary to ensure such processing or transfer is in compliance with EU Data Protection Laws. For purposes of the foregoing, the United Kingdom and Switzerland are considered as adequate to EEA territories. Client acknowledges and agrees that, for so long as Maya Insights has in place a valid transfer mechanism in place (as outlined in 8.3) permitting the transfer of personal data out of EEA, Maya Insights shall have the right to transfer Personal Data out of EEA without need for Client’s prior written consent.
9.3 To the extent that transfers of Personal Data are not permitted under EU Data Protection Laws, the Parties agree that such transfers shall be subject to the 2021 Standard Contractual Clauses (“2021 SCCs”), conditioned on Maya Insights complying with (and requiring any Subcontractor to comply with) the 2021 SCCs, a full copy of which can be found here. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference herein and form an integral part of this DPA. For the purposes of the descriptions in the 2021 SCCs and only as between Maya Insights and Client, Maya Insights agrees that it is a “data importer” and Client is the “data exporter” on behalf of itself and its Affiliates and under the 2021 SCCs (notwithstanding that Client is located outside the EEA).
9.4 It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the 2021 SCCs. Accordingly, if and to the extent the 2021 SCCs conflict with any provision of this DPA, the 2021 SCCs shall prevail. In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
10. RIGHTS OF DATA SUBJECTS
10.1 Maya Insights shall, to the extent legally permitted, promptly notify Client of any complaint, dispute or request it has received from a Data Subject such as a Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making, each such request being a “Data Subject Request”. Taking into account the nature of the Processing, Maya Insights shall assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s obligation to respond to a Data Subject Request under EU Data Protection Laws. In addition, to the extent Client, in its use of the Services, does not have the ability to address a Data Subject Request, Maya Insights shall upon Client’s request provide commercially reasonable efforts to assist Client in responding to such Data Subject Request, to the extent Maya Insights is legally permitted to do so and the response to such Data Subject Request is required under EU Data Protection Laws. To the extent legally permitted, Client shall be responsible for any costs arising from Maya Insights provision of such assistance.
11.1 This DPA shall remain in full force and effect as long as (a) the Terms remain in effect; or (b) Maya Insights retains any of the Personal Data related to the Terms in its possession or control.
11.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Terms in order to protect the Personal Data will remain in full force and effect.
11.3 Any of the parties failure to comply with the terms of this DPA is a material breach of the Terms and in such event either Party may terminate the Terms or any part of the Terms involving the Processing of Personal Data, if the other Party does not cure its material breach of this DPA within 30 days of receiving written notice of the material breach from the non-breaching Party.
12. DELETION AND RETURN
12.1 Upon Client’s request, or upon termination or expiration of this DPA, Maya Insights shall, at Client’s election, destroy or return to Client all Personal Data (including copies) in its possession or control (including any Personal Data processed by its Subcontractors). This requirement shall not apply to the extent that Maya Insights is required by any applicable law to retain some or all of the Personal Data, in which event Maya Insights shall isolate and protect the Personal Data from any further processing except to the extent required by such law.
13.1 Maya Insights agrees to indemnify, keep indemnified and defend the Client against all damages or expenses incurred by the Client or for which the Client may become liable due to any failure by Maya Insights or its employees, subcontractors or agents to comply with any of its obligations under this DPA or the EU Data Protection Laws and such indemnification obligation shall be limited to the liability caps agreed by the Parties within the Terms (section 14).
14.1 This DPA shall be governed by and construed in accordance with the laws of the Republic of Greece unless otherwise required by EU Data Protection Laws.
14.2 All terms of this DPA are hereby incorporated into the Terms. In the event of a conflict between the Terms and a term in this DPA, the term contained in this DPA shall prevail.
14.3 The obligations placed upon the Maya Insights under this DPA shall survive so long as Maya Insights and/or its Subcontractors process Personal Data on behalf of Client.
14.4 This DPA may not be modified except by a subsequent written instrument signed by both parties.
14.5 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
ANNEX I – Details of the Processing.
ANNEX II – Organizational and security measures
ANNEX III – List of Sub-processors
ANNEX I- Details of the Processing
1. LIST OF PARTIES
Data exporter(s): Client and its Affiliates.
Address: Clients’ Address as listed in Client’s account.
Contact person’s name, position and contact details: Account owner listed in Client’s account.
Activities relevant to the data transferred under these Clauses: Client shall be the Controller of the Personal Data it provides to Maya Insights to provide the Service(s) as outlined in the Terms.
Role (controller/processor): Controller
Data importer(s): Maya Insights P.C
Address: Chiou 56, Athens 104 39, Greece
Contact person’s name and contact details: George Yanakeas, [email protected]
Activities relevant to the data transferred under these Clauses: To provide the Service(s) pursuant to the Terms and security and monitoring.
Role (controller/processor): Processor
2. CATEGORIES OF DATA SUBJECTS WHOSE PERSONAL DATA IS TRANSFERRED
Client may provide or make available or import Personal Data from Data Sources and upload them into the Software as a result of the use of the Service(s), or as otherwise provided by Client or Clients’ Affiliates, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of Client or its Affiliates (who are natural persons);
- Employees or contact persons of Client’s or its Affiliates prospects, customers, business partners and vendors;
- Employees, agents, advisors, freelancers of Client or its Affiliates (who are natural persons);
- Client’s End Users.
3. CATEGORIES OF PERSONAL DATA TRANSFERRED
Client may submit Personal Data to the Service(s), the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
● First and last name;
● Contact information (company, email, phone, physical address);
- Location Data such as IP Address.
4. FREQUENCY OF THE TRANSFER
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis depending on the use of the Services by Client.
5. NATURE OF THE PROCESSING
The nature of the Processing is the performance of the Services pursuant to the Terms.
6. PURPOSE OF PROCESSING, THE DATA TRANSFER AND FURTHER PROCESSING
Maya Insights will Process Personal Data as necessary to perform the Service(s) pursuant to the Terms, and as further instructed by Client in its use of the Service(s).
7. DURATION OF PROCESSING
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Maya Insights will Process Personal Data for the duration of the Terms, unless otherwise agreed upon in writing.
8. SUB-PROCESSOR TRANSFERS
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: as described in Annex III below herein.
ANNEX II – Organizational and Security Measures
Description of the technical and organizational security measures implemented by Maya Insights in accordance with Section 5 of the DPA:
- Security Management:
- Security Policy and Procedures: Processor implements a security policy with regards to the processing of personal data.
- Roles and responsibilities related to the policy are clearly defined and allocated in accordance with the security policy.
- Access Control: Maya Insights implements suitable measures in order to prevent unauthorized persons from gaining access to the data processing equipment (namely database and application servers and related hardware) where Personal Data are processed or used. Specific access control rights are allocated to each role involved in the Processing of Personal Data, following the need-to-know principle.
2. Incident Response and business continuity
- Incident Handling / Personal Data Breaches: Maya Insights will report within 72 hours to Controller any security incident that has resulted in a loss, misuse or unauthorized acquisition of any personal data.
- Business Continuity: Maya Insights establishes the main procedures and controls to be followed in order to ensure the required level of continuity and availability of the IT system processing personal data in case of an incident or breach.
- Employees: Maya Insights ensures that all employees understand their responsibilities and obligations related to the processing of Personal Data and performs regular training on data protection requirements. All Employees are binding by confidentiality obligations.
- Sub-processors: Maya Insights ensures that there are adequate confidentiality provisions in place with any Sub-Processor.
4. Technical Security Measures
- Access Control System in place;
- Avoidance of common users accounts;
- ‘Need to know principle’ shall be observed in order to limit the number of users having access to personal data;
- Strong passwords are required from users;
- Authentication credentials shall never be transmitted unprotected over the network;
- Log files are activated for each system used for processing of personal data;
- Server/Database security measures;
- Antivirus systems;
- Network Security: traffic to and from the IT systems is monitored and controlled through firewalls and intrusion detection systems;
- Backups and data restore procedures in place;
ANNEX III – List of Sub-processors
Maya Insights Service(s) relies upon certain suppliers to support the delivery of the Service(s). The following link includes a list of the name(s), location(s) and activities of the suppliers for the Maya Insights Service(s) and Client as Controller agrees and authorizes Maya Insights as the Processor to use the following sub-processors as indicated here.