Data processing agreement, Astronuts Inc.

This Data Processing Agreement (“DPA”) sets out the terms and conditions for the processing of Personal Data under and in connection with the Agreement. This DPA forms an inseparable part of the Agreement. The Parties acknowledge that the provision of the Service involves Processing of Personal Data. To the extent Personal Data is processed in connection with the Service, the Parties acknowledge that the Customer is a Controller and Astronuts is a Processor processing Personal Data on behalf of the Customer. In the event of any discrepancy between this DPA and Terms of Service, this DPA prevails.

Definitions

  • The terms used in this DPA, such as “Controller”, “Processor”, “Data Subject”, “Special Categories of Personal Data”, “Processing”, “Data Protection Impact Assessment” and “Personal Data Breach”, shall have the meanings as defined in the Data Protection Regulation.
  • “Personal Data” means any information relating to an identified or identifiable person, which Astronuts processes on behalf of the Customer or its Affiliates under the Agreement.
  • “Data Protection Regulation” means all applicable laws relating to protection of Personal Data, including without limitation the GDPR and the national laws supplementing the GDPR and the laws implementing EU Directive 2002/58/EC; and
  • “GDPR” means the EU General Data Protection Regulation (EU) 2016/679 and any amendments thereto.
  • “Standard Contractual Clauses” means the Decision (EU) 2021/914 issued by the European Commission on 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries, or any following decision of the Commission, and any amendments thereto.

Description of Processing

  • Astronuts processes Personal Data under the Agreement for the purpose of providing the Service to the Customer. Processing of Personal Data in this context refers to access to and analysis of data provided by the Customer in connection with the provision of the Service.
  • Data Subjects are employees of the Customer or other individuals, whose Personal Data the Customer has provided to Astronuts in connection with the provision of the Service.
  • Categories of Personal Data contain metadata on employees who use the Service in connection with a software development project, such as nature and time of modifications as well as identifiers of the individual who made the modification. Astronuts may also process other categories of Personal Data when such Personal Data is included in the Customer Material

Responsibilities of Customer

  • The Customer shall comply with the obligations applicable to it as a Controller as set out in the Data Protection Regulation and this DPA.
  • The Customer's documented instructions to Astronuts on the processing of Personal Data are given in this DPA. Additional instructions require prior written agreement between the Parties.
  • The Customer shall be solely responsible for providing appropriate access rights to Astronuts and limiting access to Personal Data as strictly necessary for the purpose of the Service.

Responsibilities of Astronuts

  • Astronuts shall process Personal Data in accordance with this DPA and Data Protection Regulation.
  • Astronuts shall ensure that personnel with access to Personal Data are subject to confidentiality obligation.
  • Astronuts shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security to protect Personal Data against unauthorized access and loss, destruction, damage, alteration or disclosure, or against other unlawful processing. Security measures are described in our support center.
  • Astronuts shall notify the Customer of Personal Data Breaches without undue delay after Astronuts has become aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such. The notification shall contain at least the information required by the Data Protection Regulation. If it is not possible to provide the information at the same time, the information may be provided in phases. Astronuts shall document Personal Data Breaches and provide the documentation to the Customer upon request.
  • Astronuts shall, upon the Customer's request, to a reasonable extent assist the Customer, for example by means of appropriate technical and organizational measures, in carrying out the requests of Data Subjects and supervisory authorities and carrying out Data Protection Impact Assessment when required by the Data Protection Regulation. The Customer shall reimburse Astronuts reasonable costs and expenses incurred from such assistance.
  • Astronuts shall to a reasonable extent assist the Customer in demonstrating compliance with the Data Protection Regulation, and for such purposes, make available to the Customer all information available to Astronuts reasonably required and necessary for the Customer to demonstrate its compliance.
  • Astronuts may use its Affiliates and third parties as subcontractors to provide certain parts of the Service. The Customer hereby authorises Astronuts to use these subcontractors for the processing of Personal Data. Astronuts may remove or appoint other suitable and reliable subcontractors at its own discretion. Astronuts will notify the Customer in writing of a new subcontractor at least fourteen (14) days prior to the appointment or replacement of a subcontractor. The Customer may, on reasonable grounds related to protection of Personal Data, object a subcontractor, in which case Astronuts shall use reasonable efforts to find and implement an alternative solution which does not include engaging such subcontractor. If no alternative solution is reasonably available, the Customer may terminate, with immediate effects, the Agreement and related Order(s). Upon the Customer's request, Astronuts shall provide a list of used subcontractors with access to Personal Data, including their processing location and the specific processing activities they are engaged for.
  • Astronuts shall ensure that its subcontractors, who have access to Personal Data, comply with equivalent obligations as set out in this DPA, including security and confidentiality requirements. Astronuts remains liable for its subcontractors and the work of its subcontractors as for its own.
  • The Service is hosted within the European Economic Area (”EEA“). The Customer acknowledges, however, that some of the subcontractors are located in or have access to Personal Data outside of EEA. To the extent Personal Data is processed outside of EEA by subcontractors, the Customer hereby approves the processing of Personal Data outside of EEA. Where Personal Data is transferred (or accessed) outside of EEA, Astronuts and its subcontractor shall enter into Standard Contractual Clauses (Module Three, Transfer processor to processor) and where necessary, supplementary measures to ensure adequate level of data protection.

Auditing

  • At the Customer's written request and the Customer's sole cost and expense, the Customer, or a third party appointed by the Customer, is entitled, once every twelve (12) months, to audit Astronuts's compliance with this DPA. The audit report and related information shall at all times be deemed as Astronuts's confidential information. The Customer shall notify Astronuts in writing at least thirty (30) days prior to conducting the audit, unless otherwise required by applicable law or authority decision.

Term and Termination

  • This DPA shall continue in force until the termination of the Agreement or as long as Astronuts processes Personal Data on behalf of the Customer.
  • Upon termination or expiry of the Agreement, or upon the Customer's written request, Astronuts shall either destroy or return, either to the Customer or to a third party designated by the Customer in writing, the Personal Data processed, unless otherwise required by Data Protection Regulation or other applicable legislation.

Changes

  • Any changes to this DPA shall be made in writing and signed by both Parties in order to be valid and binding.