Last updated: 30-09-2022
• Customer, whose company and contact details and principal place of business are specified at the signature field below, hereinafter referred to as “Controller”
and
• Audio Intakes B.V., a private company with limited liability, incorporated and registered under the laws of the Netherlands having its registered office in (1014 BB) Amsterdam, at the Kabelweg 22, registered with the Chamber of Commerce of the Netherlands under number 83680578, in this matter duly represented by Bram Tierie (Head of partnerships), hereinafter referred to as “Processor”,
Processor and Controller are hereinafter also referred to individually as “Party” or collectively as “Parties”.
Whereas:
• The Processor provides, for the benefit of the Controller, an integrated, API-first audio questionnaire technology that standardises question and answer through voice recording (including automatic transcriptions);
• On the signing date of this Processing Agreement document, the Controller and the Processor concluded an agreement regarding the provision of the aforementioned services, of which this Processor’s Agreement is a part;
• Where the personal data processing is concerned, the Controller qualifies as a controller within the meaning of Section 4(7) of the General Data Protection Regulation (Algemene Verordening Gegevensbescherming) (“GDPR”);
• Where the personal data processing is concerned, the Processor qualifies as a processor within the meaning of Section 4(8) GDPR;
• The Parties, partly in implementation of the provisions of Section 28(3) GDPR, wish to document a number of conditions in the present Processor’s Agreement which apply to their relationship in the context of the aforesaid activities on the instructions and for the benefit of the Controller.
Declare that they have agreed as follows:
1.1 In this Processor’s Agreement, capitalized words and expressions, whether in single or plural, have the meaning specified as set out below:
• Annex:
Appendix to this Processor’s Agreement which forms an integral part of it;
• Agreement:
The agreement concluded between the Controller and the Processor regarding the provision of services by Processor;
• Personal Data:
All information relating to an identified or identifiable natural person as referred to in Section 4(1) GDPR;
• Process:
As well as conjugations of this verb: the processing of Personal Data as referred to in Section 4(2) GDPR;
• Processor’s Agreement:
The present agreement;
• Sub processor:
The sub-contractor hired by Processor, that Processes Personal Data in the context of this Processor’s Agreement on behalf of the Controller, as referred to in Section 28(4) GDPR;
• Terms:
The terms of use of Processor, which form an integral part of the Agreement.
2.1 The Controller and the Processor have concluded the present Processing Agreement for the Processing of Personal Data in the context of the Agreement. An overview of the type of Personal Data, categories of data subjects and the purposes of Processing, is included in Annex 1.
2.2 The Controller is responsible and liable for the processing of Personal Data in relation to the Agreement and guarantees that Processing is in compliance with all applicable legislation. Controller will indemnify and hold harmless Processor against any and all claims of third parties, those of the data protection authority in particular, resulting in any way from not complying with this guarantee.
2.3 The Processor undertakes to Process Personal Data only for the purpose of the activities referred to in this Processor’s Agreement. The Processor guarantees that it will not use the Personal Data which it Processes in the context of this Processor’s Agreement for its own or third-party purposes without the Controller’s express written consent, unless a legal provision requires the Processor to do so. In such a case, the Processor shall immediately inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.1 The Processor will, taking into account the nature of the Processing and insofar as this is reasonably possible, assist the Controller in ensuring compliance with the obligations pursuant to the GDPR to take appropriate technical and organizational measures to ensure a level of security appropriate to the risk. These measures will guarantee an appropriate level of security, taking into account the state of the art and the costs of implementation, in view of the risks entailed by Personal Data Processing and the nature of the data to be protected. The Processor will in any case take measures to protect Personal Data against accidental or unlawful destruction, accidental or deliberate loss, forgery, unauthorized distribution or access, or any other form of unlawful Processing.
4.1 The Processor will require the employees that are involved in the execution of the Agreement to sign a confidentiality statement – whether or not included in the employment agreement with those employees – which in any case states that these employees must keep strict confidentiality regarding the Personal Data.
5.1 The Processor will process certain Personal Data (described in Annex 2) in locations outside the European Economic Area (EEA), including but not limited to the United States.
5.2 The Processor will ensure that such data transfers comply with the requirements of the General Data Protection Regulation (GDPR), specifically Chapter V regarding transfers of personal data to third countries or international organizations.
5.3 The Processor will ensure that adequate safeguards are in place for the protection of Personal Data transferred outside the EEA. These safeguards may include, but are not limited to:
• The use of Standard Contractual Clauses (SCCs) as adopted by the European Commission.
• The implementation of additional technical and organizational measures to secure the data.
• Adherence to any approved Code of Conduct or certification mechanism, as applicable.
5.4 The Processor will inform the Controller of any changes to the applicable legal framework that may affect the legality of the data transfer and will cooperate with the Controller to implement appropriate measures to maintain compliance.
6.1 The Processor is entitled to outsource the implementation of the Processing on the Controller’s instructions to Sub-processors, either wholly or in part, which parties are described in Annex 2. In case the Processor wishes to enable Sub-processors, the Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors. The Controller will object to such changes within 5 working days. The Processor will respond to the objection within 5 working days.
6.2 Processor obligates each Sub-processor to contractually comply with the confidentiality obligations, notification obligations and security measures relating to the Processing of Personal Data, which obligations and measures must at least comply with the provisions of this Processor’s Agreement.
7.1 With regard to the liability and indemnification obligations of Processor under this Processor’s Agreement the stipulation in Article 7 of the Terms regarding the limitation of liability applies.
7.2 Without prejudice to article 7.1 of this Processor’s Agreement, Processor is solely liable for damages suffered by Controller and/or third party claims as a result of any Processing, in the event the specific obligations of Processor under the GDPR are not complied with or in case the Processor acted in violation of the legitimate instructions of the Controller.
8.1 In the event the Processor becomes aware of any incident that may have a (significant) impact on the protection of Personal Data, i) it will notify the Controller without undue delay and ii) will take all reasonable measures to prevent or limit (further) violation of the GDPR.
8.2 The Processor will, insofar as reasonable, provide all reasonable cooperation requested by the Controller in order for Controller to comply with its legal obligations relating to the identified incident.
8.3 The Processor will, insofar as reasonable, assist the Controller with the Controller’s notification obligation relating to the Personal Data to the Data Protection Authority and/or the data subject, as meant in Section 33(3) and 34(1) GDPR. The Processor is never obliged to report a personal data breach to the Data Protection Authority and/or the data subject.
8.4 Processor will not be responsible and/or liable for the (timely and correct) notification obligation to the relevant supervisor and/or data subjects, as meant in Section 33 and 34 GDPR.
9.1 The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to respond to requests for exercising rights of data subjects, in particular the right of access (Section 15 GDPR), rectification (Section 16 GDPR), erasure (Section 17 GDPR), restriction (Section 18 GDPR), data portability (Section 20 GDPR) and the right to object (Section 21 and 22 GDPR). The Processor will forward a complaint or request from a data subject with regard to the Processing of Personal Data to the Controller as soon as possible, as the Controller is responsible for handling the request. The Processor is entitled to charge any costs associated with the cooperation with the Controller.
9.2 The Processor will, insofar as reasonably possible, provide all reasonable cooperation to the Controller in fulfilling its obligation pursuant to the GDPR to carry out a data protection impact assessment (Section 35 and 36 GDPR).
9.3 The Processor will provide the Controller with all the information reasonably necessary to demonstrate that the Processor fulfills its obligations under the GDPR. Furthermore, the Processor will – at the request of the Controller – enable and contribute to audits, including inspections by the Controller or an auditor that is authorized by the Controller. In case the Processor is of the opinion that an instruction relating to the provisions of this paragraph infringes the GDPR or other applicable data protection legislation, the Processor will inform the Controller immediately.
9.4 The Processor is entitled to charge any possible costs to the Controller.
10.1 With regard to the termination under this Processor’s Agreement the specific provisions of the Agreement apply. Without prejudice to the specific provisions of the Agreement, the Processor will, at the first request of the Controller, delete or return all the Personal Data, and delete all existing copies, unless the Processor is legally required to store (part of) the Personal Data.
10.2 The Controller will adequately inform the Processor about the (statutory) retention periods that apply to the Processing of Personal Data by the Processor.
10.3 The obligations laid down in this Processor’s Agreement which, by their nature, are designed to continue after termination will remain in force also after the termination of this Processor’s Agreement.
10.4 The choice of law and competent court comply with the applicable provisions of the Agreement.
1. Type of personal data
Employee data:
• First name
• Last name
• If provided: birthday
• If provided: gender
• If provided: phone number
• If provided: Job role
Audio metadata:
• Employee’s device
• Employee’s browser
• Employee’s IP address
2. Categories of personal data
In general, the data subject is one or more individual(s) that can be identified in an Audio Intake processed by the Processor. More specifically, in case the Controller uses the Processor’s technology for human resource purposes, the data subject is an employee who has an employment agreement at the Controller’s organization or an organization the Controller mediates for.
Audio Intakes utilizes multiple subcontractors to process personally identifiable data. However, we try to limit the number of subcontractors that process this personally identifiable data to a minimum. The companies listed below process personally identifiable data.
Subcontractor 1:
• Name:
AWS S3
• Which data is being processed?
Audio files
• In which countries is data being processed?
Frankfurt, Germany.
• Does the processor store the processed data?
Yes
Subcontractor 2:
• Name:
AWS Elemental MediaConvert
• Which data is being processed?
Audio files
• In which countries is data being processed?
Frankfurt, Germany.
• Does the processor store the processed data?
No
Subcontractor 3:
• Name:
Whisper
• Which data is being processed?
Audio files
• In which countries is data being processed?
USA
• Does the processor store the processed data?
No
Subcontractor 4:
• Name:
PineCone
• Which data is being processed?
Employee data, employee responses (including audio files and transcriptions).
• In which countries is data being processed?
USA
• Does the processor store the processed data?
Yes
Subcontractor 5:
• Name:
Render
• Which data is being processed?
Employee data, employee responses (including audio files and transcriptions).
• In which countries is data being processed?
Frankfurt, Germany.
• Does the processor store the processed data?
Yes
Subcontractor 6:
• Name:
OpenAI
• Which data is being processed?
Employee data, employee responses (including audio files and transcriptions).
• In which countries is data being processed?
USA
• Does the processor store the processed data?
No
Subcontractor 7:
• Name:
Redis
• Which data is being processed?
Session data and non-sensitive metadata like expiration timestamps.
• In which countries is data being processed?
Frankfurt, Germany.
• Does the processor store the processed data?
Yes