DATA PROCESSING AGREEMENT


This Data Processing Agreement (“DPA”) is hereby entered into by and between ChoiceIP, Inc. (“ChoiceIP” or “Company”) and you, a customer of the Company (collectively “Customer”), which forms an integral part of the binding terms of use currently available at: https://choiceip.com/index/terms (“Agreement”), entered and online accepted by you, and sets forth the parties’ responsibilities and obligations regarding the Processing of Personal Data, during the course of the Agreement. This DPA amends any previous terms relating to the Processing of Personal Data. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Each a "party" and collectively, the "parties".



This DPA applies to the extent that EU Data Protection Law applies to the Processing of Personal Data under the Agreement, including if:

  1. the Processing is in the context of the activities of an establishment of either party in the European Economic Area (“EEA”); or

  2. the Personal Data relates to Data Subjects who are in the EEA and the Processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA by or on behalf of a party.

Notwithstanding the above, this DPA and the obligations hereunder do not apply to aggregated reporting or statistical information.


  1. DEFINITIONS

    1. “Affiliates” means any entity which is controlled by, controls or is in common control with one of the parties.

    2. “Customer Data” means any and all Data Subject’s Personal Data processed by Company through the course of the Agreement or shared between the parties, all as detailed in Annex 1 attached herein.

    3. "Data Protection Law" means any and all applicable privacy and data protection laws and regulations (including, where applicable, EU Data Protection Law) as may be amended or superseded from time to time.

    4. "Controller", "Processor", "Data Subject", "Personal Data", "Processing" (and "Process"), “Personal Data Breach”, "Special Categories of Personal Data" and “Supervisory Authority” shall have the meanings given in EU Data Protection Law.

    5. "EU Data Protection Law" means the (i) General Data Protection Regulation (Regulation 2016/679) (“GDPR”); (ii) the EU e-Privacy Directive (Directive 2002/58/EC), as amended (e-Privacy Law); (iii) any national data protection laws made under, pursuant to, replacing or succeeding (i) and (ii); (iv) any legislation replacing or updating any of the foregoing; (v) any judicial or administrative interpretation of any of the above, including any binding guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant Supervisory Authority.

    6. “Security Incident” means any security breach relating to any Personal Data elements leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data within, Personal Data transmitted, stored or otherwise processed; including without limitation the meaning assigned to it under paragraph 12 of Article 4 of the GDPR. For the avoidance of doubt, any Personal Data Breach of the other Party’s Personal Data will comprise a Security Breach.

    7. “Services” means the ChoiceIP online intellectual property filing and translation services platform.


  2. RELATIONSHIP OF THE PARTIES

The parties agree and acknowledge that under the performance of their obligations set forth in the Agreement, and with respect to the Processing of Customer Data, ChoiceIP is the Data Processor and the Customer is the Data Controller. Each party shall be individually and separately responsible for complying with the obligations that apply to it, in accordance with the Data Protection Law. The subject-matter and duration of the Processing carried out by the Company as a Processor, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects are described in Annex A attached herein.

  3. PROCESSING OF PERSONAL DATA AND COMPLIANCE WITH DATA PROTECTION LAW

In performing its obligations under the Agreement, the Customer may provide or upload through the Service Personal Data to the Company. The Customer shall collect, process and share Personal Data in compliance with the Data Protection Law, industry standards and its obligations herein. Further, the parties shall treat such Personal Data as Confidential Information. Without derogating from the aforesaid, the Customer hereby warrants and represents it is in compliance with EU Data Protection Law, specifically with the lawful basis for Processing Personal Data. The Company represents and warrants that it shall Process Personal Data, as set forth under Article 28(3) of the GDPR and Annex 1 attached herein, on behalf of the Customer, solely to provide the Services and solely in accordance with the Customer’s instructions. Notwithstanding the above, in the event required under applicable laws, ChoiceIP may Process Personal Data other than as instructed by the Customer; in such event, ChoiceIP shall make best efforts to inform the Customer of such requirement unless prohibited under applicable law.


  4. DPO

Each party shall identify and provide contact details for the applicable contact point within its organization, authorized to respond to inquiries concerning Processing of the Personal Data or its Data Protection Officer (“DPO”), as applicable. In the event of a change of the contact person or DPO’s identity, each party shall provide updated contact details.


ChoiceIP DPO – dpo@choiceip.com


  5. CONSENT REQUIREMENTS & RIGHTS OF THE DATA SUBJECT

As between the parties, the Customer undertakes, accepts and agrees that ChoiceIP relies on Customer’s lawful basis (as required under Data Protection Law) to Process the Customer Data. In the event consent is required under Data Protection Law, the Customer shall: (i) ensure that it obtains consent from Data Subjects and displays all necessary and applicable notices in accordance with the Data Protection Law as well as enable lawful transfer of the Personal Data to ChoiceIP; (ii) maintain a record of all consents obtained from Data Subjects, including the time and date on which consent was obtained, the information presented to Data Subjects; and (iii) keep a record of the withdrawals of consent by Data Subjects. The Customer shall make these records available to ChoiceIP promptly upon request.


It is agreed that where either party receives a request from a Data Subject or an applicable Supervisory Authority in respect of Personal Data Controlled or Processed by the other party, where relevant, the party receiving such request will direct the Data Subject or the Supervisory Authority to the other party, as applicable, in order to enable the other party to respond directly to the Data Subject’s request. Each party shall reasonably cooperate and assist the other party in handling of a Data Subject’s or a Supervisory Authority’s request, to the extent permitted under Data Protection Law.


  6. SUB-PROCESSOR

Customer acknowledges that the Company may transfer Personal Data to and otherwise interact with third party data processors (“Sub-Processor”). Customer hereby authorizes ChoiceIP to engage and appoint such Sub-Processors to Process Personal Data. ChoiceIP may continue its engagement with its current Sub-Processors as of the date of this DPA as detailed in Annex 2 attached hereto. In the event ChoiceIP shall appoint a new Sub-Processor, it shall provide a written notice, whether by general or specific reference to such Sub-Processor (e.g., by name or type of service), including relevant details of the Processing to be undertaken by the new Sub-Processor (“Sub-Processor Notice”). ChoiceIP will enter into separate contractual arrangements with such Sub-Processors binding them to comply with obligations in accordance with Data Protection Law and this DPA. Notwithstanding the above, the Customer may object to the appointment of the new Sub-Processor, as follows: (i) Customer shall provide ChoiceIP with prior written notice no later than seven (7) days following the receipt of the Sub-Processor Notice, detailing the Customer’s objection, based on reasonable grounds, to the appointment of the new Sub-Processor; (ii) ChoiceIP shall take reasonable steps to address the objections raised by Customer and shall report these steps in writing to the Customer; and (iii) within three (3) days of receipt of ChoiceIP’s notice regarding the steps taken, the Customer may notify ChoiceIP it does not find such steps taken sufficient to settle its objections. In the event the Customer did not provide such notification, it will constitute its approval of the Sub-Processor. In the event the Customer further objects, each party may terminate the relationship upon a written notification effective immediately, without liability.


  7. DELETION OF PERSONAL DATA

As the Processor, the Company shall promptly, and no later than within sixty (60) days of termination, delete or pseudonymize all copies of the Personal Data obtained through the Customer, except such copies as authorized or required to be retained in accordance with applicable law or regulation and except for the applicable video content which will be kept and stored on the Company’s servers until deleted directly by the Customer. In addition, ChoiceIP may retain the Personal Data to the extent authorized or required by applicable laws.


  8. TECHNICAL AND SECURITY MEASURES

Each party shall implement appropriate technical and organizational measures to protect the Personal Data and its security, confidentiality and integrity and the Data Subject’s rights, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing the Personal Data, as well as the risk of varying likelihood and severity for the consumer’s rights, in order to ensure a level of security appropriate to that risk, including measures such as access control, auditing, encrypted transmission of data, encrypted storage and physical protections in line with industry best practices, all in accordance with the Data Protection Laws. A description of the technical and organizational measures implemented by ChoiceIP is available at: https://choiceip.com/index/securityoverview (“Security Information Page”). ChoiceIP may update or modify the Security Information Page from time to time, provided that such updates and modifications will not result in the degradation of the overall security of the Personal Data. ChoiceIP takes reasonable steps to ensure that its personnel’s access to the Personal Data is limited on a need to know or access basis, and that its personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access or use of the Personal Data.


  9. SECURITY INCIDENT

In the event either party suffers a confirmed Security Incident, then such party shall notify the other party, by means of any applicable communication, without undue delay. The parties shall cooperate in good faith to agree and take applicable actions as may be necessary to mitigate or remedy the effects of the Security Incident. A notification of a Security Incident by ChoiceIP shall not constitute an acknowledgement by ChoiceIP of any liability with respect to applicable Personal Data related to the Security Incident.


  10. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION

Following written request by Customer, ChoiceIP shall provide reasonable assistance, at Customer’s expense, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws. Such assistance shall be solely in relation to Processing of Personal Data provided by ChoiceIP.


  11. AUDIT RIGHTS

ChoiceIP shall make available, solely upon prior written notice and no more than once per year, to a reputable auditor nominated by the Customer, information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such reputable auditor solely in relation to the Processing of the Personal Data (“Audit”). The Audit shall be subject to the terms of this DPA and confidentiality obligations (including towards third parties). ChoiceIP may object in writing to an auditor appointed by the Customer in the event ChoiceIP reasonably believes the auditor is not suitably qualified or independent, a competitor of ChoiceIP or otherwise manifestly unsuitable (“Objection Notice”). In the event of Objection Notice, the Customer will appoint a different auditor or conduct the Audit itself. The Customer shall bear all expenses related to the Audit and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to ChoiceIP’s premises, equipment, personnel and business while its personnel are on such premises in the course of such Audit. ChoiceIP will reasonably cooperate with the Customer by providing available additional information concerning the security measures. In the event further information is needed by the Customer in order to comply with a competent Supervisory Authority’s request, the Customer will inform ChoiceIP in writing to enable it to provide such information or to grant needed access, at ChoiceIP’s sole discretion. In the event the Audit will discover non-compliance activity by ChoiceIP, the Customer shall promptly notify ChoiceIP of such conclusion.


  12. DATA TRANSFER

Where EU Data Protection Law applies, neither party shall transfer Personal Data to a territory outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with EU Data Protection Law. Such measures may include (without limitation) transferring the Personal Data to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data.


  13. LIABILITY

Each party shall take out and maintain insurance policies to the value sufficient to meet their respective liabilities under or in connection with this DPA and the Agreement. Upon a party's request, the other party will provide evidence that such insurance is in place. The total combined liability of either party towards the other party and its Affiliates under or in connection with the DPA will be limited to any liability cap set between the parties.


  14. GENERAL

In the event of any conflict or inconsistency between this DPA and ChoiceIP’s privacy policy available at: https://choiceip.com/index/privacypolicy (“Privacy Policy”), the Privacy Policy shall prevail, provided only that the procedure prevailing through the Privacy Policy shall not constitute a breach or infringement of any Data Protection Laws. In the event of inconsistencies between the provisions of this DPA and the Agreement, the terms of this DPA shall prevail. This DPA is not intended to and does not in any way limit or derogate from Customer’s own obligations and liabilities towards ChoiceIP under the Agreement or pursuant to the EU Data Protection Laws. Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.


ANNEX 1

Details of Processing of Personal Data


This Annex 1 includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

Subject matter

The subject matter is as set forth in the Agreement and the Privacy Policy.


Duration of the Processing of Personal Data


The term of this DPA shall commence and terminate along with the term of the Agreement.


The nature and purpose of the Processing of Personal Data

To provide the Services as set forth in the Agreement.


The types of Personal Data Processed

Customer data (e.g. full name, email address, phone number and company name)

Personal Data included in the content uploaded to the Services.


The categories of Data Subject to whom the Personal Data relates

Users of the Services established in the EEA.



The obligations and rights of the Customer and its Affiliates

As set forth in the Agreement and this DPA.


ANNEX 2

Sub Processors


Amazon Web Services – Cloud server provider