Company name: Optidash GmbH
Company address: Mühlenstr. 8A, 14167 Berlin, Germany.
This Optidash GDPR Data Processing Addendum ("DPA") amends the Terms of Service (the "Agreement") available at https://supares.com/legal/terms, entered into by and between Customer and Optidash. The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Legislation as defined below.
This DPA shall not replace or supersede any agreement or addendum relating to processing of Personal Data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Services to Customer pursuant to the Agreement, Optidash may process Personal Data on behalf of Customer. Optidash agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
a. "Data Protection Legislation" means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679);
b. The terms "Data Subject", "Data Processor", "Processor", "Processing", "Sub-Processor" shall be interpreted in accordance with applicable Data Protection Legislation.
c. The parties agree that Customer is the Data Subject and that Optidash is its Data Processor in relation to Personal Data that is processed in the course of providing the Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Optidash pursuant to the Agreement.
2. Data Protection
When Optidash Processes Personal Data in the course of providing the Services, Optidash will:
a. process the Personal Data as a Data Processor, only for the purpose of providing the Services in accordance with documented instructions from Customer (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by Customer. If Optidash is required by law to Process the Personal Data for any other purpose, Optidash will provide Customer with prior notice of this requirement, unless Optidash is prohibited by law from providing such notice;
b. notify Customer without undue delay if, in Optidash' opinion, an instruction for the processing of Personal Data given by Customer infringes applicable Data Protection Legislation.
c. notify Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject relating to Optidash's Processing of the Personal Data;
d. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
e. provide Customer, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Optidash's data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable Customer to assess compliance with the terms of this Addendum;
f. notify Customer promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
g. ensure that all Optidash personnel who access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause;
h. upon termination of the Agreement, upon Customer's request, Optidash will promptly initiate its purge process to delete or anonymize the Personal Data.
i. In the course of providing the Services, Customer acknowledges and agrees that Optidash may use Sub-Processors to Process the Personal Data. Optidash's use of any specific Sub-Processor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Optidash and Sub-Processor.
a. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. Customer acknowledges and agrees that Optidash may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Optidash's website, available at https://supares.com/legal/data-processing-addendum and such amendments to the Addendum are effective as of the date of posting. Customer's continued use of the Services after the amended Addendum is posted to Optidash's website constitutes Customer's agreement to, and acceptance of, the amended Addendum. If Customer do not agree to any changes to the Addendum, is asked not continue to use the Service.
b. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.
This DPA shall remain in effect as long as Optidash carries out Personal Data processing operations on behalf of Customer.
Appendix A: List of Sub-Processors
We work with a number of suppliers where personal data may be transferred to help us run our business.
The GDPR provides derogations from the general prohibition on transfers of personal data outside the EU for certain specific situations which include informed consent and being necessary for the performance of a contract between the individual and the organisation or for pre-contractual steps taken at the individual's request. In providing this list of suppliers we are providing information for users to consent through making use of the service.
Entity Country: USA, Ireland
Purpose: Storage and backup
Entity Country: USA
Purpose: Accounting, invoicing, and payment processing
Entity Country: USA
Purpose: Email delivery
Entity Country: USA
Purpose: Issue tracking and incident communication
Entity Country: USA
Purpose: Customer support