- Dataloop Ltd. (“Dataloop“, “us“, “our“, or “we“) is the creator and owner of a platform that includes data management, data annotation, data pipelines, model management, and function-as-a-service products (“Platform“). These Terms of Service (“Terms“) govern your access to and use of our website (“Site“), the Platform, as well as services provided in connection with the Site and Platform, such as managed labeling, professional services, technical support and customer success (“Services“). Our Privacy Notice, available at https://dataloop.ai/privacy-policy/ (“Privacy Notice“) governs our collection, processing and transfer of any Personal Data (as such term is defined in the Privacy Notice).
These Terms apply to you if you are:
- A visitor to our site (“Site Visitor“);
- A customer registering for use of the Platform and Services (“Customer“); or
- An authorized user of one of our Customers (“Employee“).
Please read these Terms carefully. By clicking on the button marked “I agree” you signify your assent to these Terms. Changes may be made to these Terms from time to time. If you do not agree to any of these Terms, please do not click the button marked “I agree” and do not use the Platform.
Registration as a Customer.
The following terms apply if you are registering for the Platform and Services as or on behalf of a Customer:
- If you are registering on behalf of an entity or company (“Company“), you represent that you are authorized to enter into, and bind the Company to these Terms as a Customer. You are solely responsible for ensuring that these Terms are in compliance with all laws, rules, and regulations applicable to you and the Company and the right to access the Services is revoked where these Terms or use of the Services is prohibited.
- Dataloop offers different plans to suit your needs (“Plans“). Upon registration you can indicate your choice of Plan. Different plans offer different features and scopes, all as listed on the Site.
- Subject to these Terms, during the Term (as defined below) Dataloop grants you and your Employees a limited, revocable, non-exclusive, non-transferrable right to use the Platform and the Services, solely for your internal business uses.
- Dataloop shall use commercially reasonable efforts to provide you with technical support via email and to respond to all helpdesk tickets within 72 hours, unless otherwise provided in a Service Agreement (as defined below) signed between the parties.
Registration as an Employee.
The following terms apply if you are using the Platform and Services as an Employee of a Customer of ours:
- In the event of a conflict between these Terms and a services agreement or Terms of Service we have entered with the applicable Customer prior to your entering into these Terms (“Services Agreement“), the provisions of such Services Agreement shall prevail.
- Your account will be connected to the Customer’s account and any other Employees registered on behalf of the Customer. The Customer and the other Employees on the Customer’s behalf shall have access to any Customer Materials (as defined below) uploaded by you and all other actions taken by you through your account.
- Within the Customer’s account or project, you may be registered under different roles. Depending on the designation of your account, different services may be available to you. For example, an “Owner” has the ability to delete a project, while other roles do not.
- Use of and access to the Services is void where prohibited by law. You represent and warrant that (a) any and all registration information you submit is truthful and accurate; (b) you will maintain the accuracy of such information; (c) you are 18 years of age or older and have the ability to form a binding contract; (d) your use of the Platform and Services does not violate any applicable law, regulation, or conflict with any obligation you may have to a third party; and (e) you shall comply with applicable laws, regulations, guidelines, and these Terms throughout your use of the Platform and/or Services.
- You can register either as a Customer or an Employee by logging in through your Google or other third-party login account (“Login Account“) as may be permitted by Dataloop from time to time. By registering through a Login Account, you represent and warrant that such Login Account is yours and that you have full rights to provide us with the information in such Login Account. To complete the registration process, you must provide all (additional) registration information as requested by us. We may indicate that the provision of some information is optional, but your agreement to provide such information may assist us in providing you with improved Services.
- Dataloop may refuse to open an account for any Company or individual at its sole discretion.
- You agree to notify us immediately of any unauthorized use of your account or password. You are fully and solely responsible for the security of your computer system and/or mobile device and all activities on your account, even if such activities were not committed by you. To the fullest extent permitted by applicable law, Dataloop will not be liable for any losses or damage arising from unauthorized use of your account or password, and you agree to indemnify and hold Dataloop harmless for any unauthorized, improper or illegal use of your account and any charges and taxes incurred, unless you have notified us via e-mail at firstname.lastname@example.org that your account has been compromised and have requested that we block access to it, which we will do as soon as reasonably practicable. We do not police for and cannot guarantee that we will learn of or prevent any inappropriate use of the Services.
Term and Termination
- If you are registering for the Platform and/or Services as a Customer, these Terms will be in effect for the period of the service as specified within the Plan for which you have registered (“Term”). If you are using the Platform and/or Services as an Employee, the Term shall be the period during which the Services Agreement is in effect.
- You agree that Dataloop may for any reason, at its sole discretion and without notice, suspend or terminate your account and may remove any Customer Materials (as defined below) associated with your account and take any other corrective action it deems appropriate. Grounds for such termination or suspension may include (i) violation of the letter or spirit of these Terms, (ii) fraudulent, harassing or abusive behavior; or (iii) behavior that is illegal or harmful to other users, third parties, or the business interests of Dataloop. If you have an Employee account, it will be terminated in the event of termination or expiration of the Services Agreement between us and the relevant Customer. If your account is terminated, you may not rejoin Dataloop again without express permission. Upon termination of your account, you shall not have any further access to any Customer Materials that may be available through your account.
- In the event of any termination of the Customer’s account for any reason, Customer Materials associated with the Customer’s account will be available for download for a period of 60 days, following which they may not be available to Customer and may be deleted by Dataloop.
- We reserve the right to investigate suspected violations of these Terms or illegal and inappropriate behavior through the Platform. We will fully cooperate with any law enforcement authorities or court order requesting or directing us to disclose the identity, behavior or Customer Materials of anyone believed to have violated these Terms or to have engaged in illegal behavior in connection with the Platform.
- Any suspension or termination of your account shall not affect your obligations under these Terms (including but not limited to ownership, indemnification, any representations and warranties made by you, and limitation of liability), which by their sense and context are intended to survive such suspension or termination.
Fees and Payment
- If you are registering as a Customer, you agree to pay Dataloop the fees as specified on the Site in accordance with the Plan for which you have registered (“Fees“) in accordance with the payment terms of such Plan.
- If your use of the Services exceeds the service capacity of the Plan for which you have registered, you will be required to upgrade to a Plan with a greater service capacity. You may upgrade the Plan for which you have registered but you may not downgrade to a Plan with a lower service capacity.
- Dataloop reserves the right to change the terms of any Plans, including the applicable Fees, which will be in effect upon renewal of the Term of any Plan.
- Please note that Dataloop may impose or deduct foreign currency processing costs on or from any payments or payouts by Dataloop in currencies other than U.S. dollars. When converting currency, prices may be rounded up to the nearest whole number.
- Where applicable, taxes may also be charged. Except as expressly provided in these Terms, fees are non-refundable.
- Dataloop allows you to upload certain content, including but not limited to images, videos, text and LIDAR on or through the Services, which, along with any modifications or derivatives of the foregoing, shall be referred to as “Customer Materials“.
- Dataloop has no obligation to accept, display, or maintain any Customer Materials. You are and shall remain at all times fully and solely responsible for any Customer Materials you upload to the Platform.
- You represent and warrant that any Customer Materials you upload on your own behalf or on behalf of a Customer (i) comply with applicable law; (ii) do not infringe or violate any third-party intellectual property rights, privacy or publicity rights, or moral rights; and (iii) that you have all necessary rights and authorities to submit such Customer Materials.
- Without limiting the foregoing, you agree that you will not and will not allow any Employees associated with your Customer account (if applicable) to transmit, submit or upload any Customer Materials or act in any way that: (1) restricts or inhibits use of the Platform or Services; (2) violates the legal rights of others, including defaming, abusing, stalking or threatening users; (3) infringes (or results in the infringement of) the intellectual property rights, moral rights, publicity, privacy, or other rights of any third party; (4) is (or you reasonably believe or should reasonably believe to be) stolen, illegal, counterfeit, fraudulent, pirated, violent or unauthorized, or in furtherance of any illegal, counterfeiting, fraudulent, pirating, unauthorized, or violent activity, or that involves (or you reasonably believe or should reasonably believe to involve) any stolen, illegal, counterfeit, fraudulent, pirated, or unauthorized material; (5) does not comply with all applicable laws, rules and regulations; (6) imposes an unreasonably or disproportionately large load on our infrastructure; or (7) posts, stores, transmits, or contains links to (a) any virus, worm, trojan horse, or other harmful or disruptive component or (b) anything that encourages conduct that would be considered a criminal offense, give rise to civil liability, violate any law or regulation.
- YOU ACKNOWLEDGE THAT DATALOOP DOES NOT MONITOR CUSTOMER MATERIALS FOR INAPPROPRIATE, ILLEGAL, AND/OR ANY OTHER MATERIALS AND THAT THROUGH YOUR ACCESS TO THE PLATFORM AS AN EMPLOYEE, YOU MAY BE EXPOSED TO MATERIAL THAT MAY BE (A) OFFENSIVE (INCLUDING MATERIAL PROMOTING OR GLORIFYING HATE, VIOLENCE, BIGOTRY, OR ENTITIES DEDICATED TO OR ASSOCIATED WITH SUCH CAUSES); (B) MATERIAL THAT IS RACIALLY OR ETHNICALLY INSENSITIVE, MATERIAL THAT IS DEFAMATORY, HARASSING OR THREATENING; (C) PORNOGRAPHY OR OBSCENE MATERIAL; AND/OR (D) MATERIAL THAT IS OTHERWISE INAPPROPRIATE OR OFFENSIVE. YOU HEREBY WAIVE ANY LEGAL OR EQUITABLE RIGHTS OR REMEDIES YOU HAVE OR MAY HAVE AGAINST US WITH RESPECT THERETO.
- Notwithstanding the above, Dataloop reserves the right to monitor Customer Materials for inappropriate or illegal materials, including through automatic means, provided, however, that Dataloop may treat Customer Materials as content stored at the direction of users for which Dataloop will not exercise editorial control except when violations are directly brought to Dataloop’s attention.
You may not do or attempt to do or facilitate a third party in doing any of the following: (1) decipher, decompile, disassemble, or reverse-engineer any of the software and/or code, if and as applicable, used to provide the Site, Platform, or Services without our prior written authorization, including framing or mirroring any part of the Site, Platform, or Services; (2) circumvent, disable, or otherwise interfere with security-related features of the Services or features that prevent or restrict use or copying of any Customer Materials or Content (as defined below); (3) use the Site, Platform, or Services or content thereon in connection with any commercial endeavors in any manner, except for the purposes specifically set forth in these Terms; (4) use any robot, spider, site search or retrieval application, or any other manual or automatic device or process to retrieve, index, data-mine, or in any way reproduce or circumvent the navigational structure or presentation of the Platform or Services; (5) use or access another user’s account or password without permission; (6) use the Site, Platform, or Services or content thereon in any manner not permitted by these Terms.
- Dataloop or its licensors, as the case may be, have all right, title and interest in the Site, Platform, Services, and any materials it provides through the Site or Platform (“Content”), including its overall appearance, text, graphics, graphics design, videos, demos, interfaces, and underlying source files, and all worldwide intellectual property rights, the trademarks, service marks, and logos contained therein, whether registered or unregistered. Except as expressly permitted herein, you may not copy, further develop, reproduce, republish, modify, alter, download, post, broadcast, transmit or otherwise use the Content for any purpose. You will not remove, alter or conceal any copyright, trademark, service mark or other proprietary rights notices incorporated in the Site, Platform and/or Services, if any. All trademarks are trademarks or registered trademarks of their respective owners. Nothing in these Terms or on the Site should be construed as granting you any right to use any trademark, service mark, logo, or trade name of Dataloop or any third party. If you provide Dataloop with any feedback regarding any Content or the Platform and/or Services, Dataloop may use all such feedback without restriction and shall not be subject to any non-disclosure or non-use obligations in respect of such feedback.
- You or Customer on whose behalf you are using the Services, have all right, title and interest in the Customer Materials you submit. By submitting any Customer Materials, you (on behalf of Customer, where applicable) grant Dataloop a transferrable, worldwide, royalty-free, fully paid-up and non-exclusive license to use, copy, distribute, display, modify and create derivative works of any Customer Materials solely for the provision of the Services in accordance with these Terms.
- The policy of Dataloop is not to infringe upon or violate the intellectual property rights or other rights of any third party, and Dataloop will refuse to use and remove any Customer Materials in connection with the Services that infringe the rights of any third party. Under the Digital Millennium Copyright Act of 1998 (the “DMCA”), Dataloop will remove any Customer Materials (including without limitation any Customer Materials) if properly notified that such material infringes third party rights, and may do so at its sole discretion, without prior notice to users at any time. The policy of Dataloop is to terminate the accounts of repeat infringers in appropriate circumstances.
- You are in the best position to judge whether Customer Materials are in violation of intellectual property or personal rights of any third party. You accept full responsibility for avoiding infringement of the intellectual property or personal rights of others in connection with Customer Materials.
- If you believe that something appearing on the Services infringes your copyright, you may send us a notice requesting that it be removed, or access to it blocked. If you believe that such a notice has been wrongly filed against you, the DMCA lets you send us a counter-notice. Notices and counter-notices must meet the DMCA’s requirements. We suggest that you consult your legal advisor before filing a notice or counter-notice. Be aware that there can be substantial penalties for false claims. Send notices and counter-notices to us by contacting us at email@example.com.
Personal Data and Privacy.
- If you are registering on behalf of a Customer, to the extent that the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR“) applies with respect to Personal Data included in Customer Materials, you agree and represent as follows:
- The Customer shall be considered a Controller (as defined in the GDPR) of such Personal Data;
- The Customer has provided any and all notices and has and shall maintain throughout the Term all necessary rights and consents required under applicable law to provide Personal Data to Dataloop in order to allow it to provide its Services hereunder;
- The Customer shall neither provide Dataloop with, nor grant it access to, any Personal Data unless such notices and consents have lawfully been provided or obtained, as applicable; and
- The Customer shall ensure that a record of such consents is maintained, as required under applicable law.
- The parties shall enter into the Data Processing Agreement attached below as Schedule A (“DPA“) and which is an integral part of this Agreement. In case of any conflict between these Terms and the DPA, the provisions of the DPA shall prevail to the extent of such conflict.
- Confidential Information. Dataloop may have access to certain non-public or proprietary information of Customer, including Customer Materials (“Confidential Information“). Except as permitted herein, Dataloop may not use, disseminate, or in any way disclose the Confidential Information except for purposes of providing the Services or in furtherance of the relationship of the parties hereunder or as otherwise set forth herein. Dataloop shall treat all Confidential Information with the same degree of care as it accords to its own Confidential Information of a similar nature but in any event with a high degree of care. Dataloop’s obligations hereunder do not apply to any Confidential Information that (a) was rightfully in Dataloop’s possession or in the public domain free of any obligation of confidence at or subsequent to the time the Confidential Information was shared with Dataloop by Customer; or (b) was independently developed by Dataloop without use of, or reference to, any Confidential Information. A disclosure of any Confidential Information by Dataloop in response to a law, regulation, or governmental or judicial order will not be considered to be a breach of these Terms, provided that Dataloop, to the extent permitted, shall notify Customer of such requirement.
You agree to indemnify, defend, and hold harmless Dataloop and its employees, directors, officers, subcontractors and agents, against any and all claims, damages, or costs, losses, liabilities or expenses (including reasonable court costs and attorneys’ fees) that arise directly or indirectly from: (a) breach of these Terms by you, your Employees (if applicable) or anyone using your computer and/or mobile device, password (whether authorized or unauthorized) or any of your Employees; (b) any claim, loss or damage experienced from your or your Employees’ use or attempted use of the Platform or Services; (c) your or your Employees’ violation of any law or regulation or any of your obligations, representations, or warranties hereunder including but not limited to breach of any privacy and/or data protection laws and regulations to which you are subject; (d) your infringement of any right of any third party; (e) provision of the Customer Materials; and (f) any other matter for which you are responsible hereunder or under applicable law.
Disclaimers and Disclaimer of Warranty
- Your use of the Site, Platform and/or Services is at your sole discretion and risk. The Site, Platform, Services, and Customer Materials are provided on an AS IS and AS AVAILABLE basis without warranties of any kind. We do not represent or warrant that Services will be of good quality or useful for your needs.
- WE EXPRESSLY DISCLAIM ALL WARRANTIES OF ANY KIND, EXPRESS, IMPLIED OR STATUTORY, RELATING TO THE SITE, PLATFORM AND/OR SERVICES OR ANY CONTENT, INCLUDING WITHOUT LIMITATION THE WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, NON-INFRINGEMENT OF PROPRIETARY RIGHTS, COURSE OF DEALING OR COURSE OF PERFORMANCE. WE DISCLAIM ANY WARRANTIES, EXPRESS OR IMPLIED, (I) REGARDING THE SECURITY, ACCURACY, RELIABILITY, TIMELINESS AND PERFORMANCE OF THE SITE, PLATFORM AND/OR SERVICES; OR (II) THAT THE SITE, PLATFORM OR SERVICES WILL BE ERROR-FREE OR THAT ANY ERRORS WILL BE CORRECTED; OR (III) REGARDING THE PERFORMANCE OF OR ACCURACY, QUALITY, CURRENCY, COMPLETENESS OR USEFULNESS OF ANY INFORMATION PROVIDED ON THE SITE, PLATFORM AND/OR SERVICES.
- No advice or information, whether oral or written, obtained by you from us, shall create any warranty not expressly stated in these Terms. If you choose to rely on such information, you do so solely at your own risk. Some states or jurisdictions do not allow the exclusion of certain warranties. Accordingly, some of the above exclusions may not apply to you. Check your local laws for any restrictions or limitations regarding the exclusion of implied warranties.
Limitation of Liability
- In addition to the foregoing, we assume no responsibility for any error, omission, interruption, deletion, defect, delay in operation or transmission, communications line failure, theft or destruction or unauthorized access to, or alteration of, any Customer Materials or Services. We are not responsible for any problems or technical malfunction of any telephone network or lines, computer online systems or equipment, servers or providers, software, failure due to technical problems or traffic congestion on the Internet or on the Services. Under no circumstances shall we be responsible for any loss or damage, including personal injury or death and any injury or damage to any person’s mobile device or computer, resulting from use of the Site, Platform, Services, from any Content, or from the conduct of any users of the Platform, whether online or offline. In addition, we assume no responsibility for any incorrect data, including Personal Data provided by you or on your behalf and you hereby represent and warrant that you are solely responsible for any and all data provided to Dataloop, including any incorrect data and you shall assume any and all liability for any consequences of provision of such incorrect data to us.
- IN NO EVENT SHALL DATALOOP, OR ITS OFFICERS, DIRECTORS, EMPLOYEES, ASSIGNEES, OR AGENTS BE LIABLE TO YOU OR ANY THIRD PARTY FOR ANY DAMAGES WHATSOEVER, INCLUDING WITHOUT LIMITATION INDIRECT, INCIDENTAL, SPECIAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES, ARISING OUT OF OR IN CONNECTION WITH YOUR USE OF OR ACCESS TO THE SITE, PLATFORM AND/OR SERVICES, INCLUDING BUT NOT LIMITED TO THE QUALITY, ACCURACY, OR UTILITY OF ANY CUSTOMER MATERIALS, WHETHER THE DAMAGES ARE FORESEEABLE AND WHETHER OR NOT DATALOOP HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THE FOREGOING LIMITATION OF LIABILITY SHALL APPLY TO THE FULLEST EXTENT PERMITTED BY LAW IN THE APPLICABLE JURISDICTION AND IN NO EVENT SHALL OUR CUMULATIVE LIABILITY TO YOU EXCEED IN THE AGGREGATE AN AMOUNT OF US$100. IF YOU HAVE NOT MADE ANY PAYMENTS TO DATALOOP FOR THE USE OF THE SERVICES, THEN DATALOOP SHALL NOT HAVE ANY LIABILITY TOWARD YOU.
During the Term, Dataloop may refer to Customer as a customer of Dataloop, including by displaying Customer’s name and logo on Dataloop’s website and other marketing materials.
These Terms shall be governed by the laws of the State of Israel exclusive of its choice of law rules, and without regard to the United Nations Convention on the International Sales of Goods and the competent courts in Tel Aviv-Jaffa shall have exclusive jurisdiction to hear any disputes arising hereunder. In any action to enforce these Terms, the prevailing party will be entitled to costs and attorneys’ fees. In the event that any provision of these Terms is held to be unenforceable, such provision shall be replaced with an enforceable provision which most closely achieves the effect of the original provision, and the remaining terms of these Terms shall remain in full force and effect. Nothing in these Terms creates any agency, employment, joint venture, or partnership relationship between you and Dataloop or enables you to act on behalf of Dataloop. Except as may be expressly stated in these Terms, these Terms and the DPA constitute the entire agreement between us and you pertaining to the subject matter hereof, and any and all other agreements existing between us relating thereto are hereby canceled. We may assign and/or transfer our rights and obligations hereunder to any third party without prior notice. You shall not assign and/or transfer any of your rights or obligations hereunder, and any assignment in violation of the foregoing shall be void. No waiver of any breach or default hereunder shall be deemed to be a waiver of any preceding or subsequent breach or default. If we are required to provide notice to you hereunder, we may provide such notice to the contact details you provided upon registration.
Last updated: May 2022
Data Processing Agreement
- This Data Processing Agreement (“DPA”) forms an integral part of, and is subject to the Terms of Service to which it is attached (“Terms”). Capitalized terms not otherwise defined herein shall have the meaning given to them in the Terms.
- Whereas, in connection with the performance of its obligations under the Terms, Dataloop Ltd. (“Processor“) may Process Controller Personal Data (both as defined below) on behalf of the Customer accepting the Terms (“Controller“); and
- Whereas, the parties wish to set forth the mutual obligations with respect to the processing of Controller Personal Data by the Processor;
- Now therefore, intending to be legally bound, the parties hereby agree as follows:
- Definitions. In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth below:
- “Applicable Law” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“GDPR“), laws implementing or supplementing the GDPR.
- “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the Terms.
- “Data Protection Laws” means Applicable Law and, to the extent applicable, the data protection or privacy laws of any other applicable country where the Services are provided or as agreed in writing between the Parties.
- “Sub Processor” means any person (excluding an employee of Processor) appointed by or on behalf of Processor to Process Controller Personal Data on behalf of the Controller in connection with the Terms.
- The terms “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processor“, “Processing” and “Supervisory Authority” shall have the meanings ascribed to them in the GDPR.
Processing of Controller Personal Data.
- Processor shall Process Controller Personal Data on Controller’s behalf and at Controller’s instructions as specified in the Terms and in this DPA, including without limitation with regard to transfers of Controller Personal Data to a third country or international organization. Any other Processing shall be permitted only in the event that such Processing is required by any Data Protection Laws to which the Processor is subject. In such event, Processor shall, unless prohibited by such Data Protection Laws on important grounds of public interest, inform Controller of that requirement before engaging in such Processing.
- Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) (i) to Process Controller Personal Data for the provision of the Services, as detailed in the Terms and as otherwise set forth in the Terms and in this DPA, and/or as otherwise directed by Controller; and (ii) to transfer Controller Personal Data to any country or territory as reasonably necessary for the provision of the Services and in accordance with Applicable Law.
- Controller sets forth the details of the Processing of Controller Personal Data, as required by Article 28(3) of the GDPR in Appendix 1 (Details of Processing of Controller Personal Data), attached hereto.
- Controller. Controller represents and warrants that it has and shall maintain throughout the term of the Terms and this DPA, all necessary rights to provide the Controller Personal Data to Processor for the Processing to be performed in relation to the Services and in accordance with the Terms and this DPA. To the extent required by Data Protection Laws, Controller is responsible for obtaining any necessary Data Subject consents to the Processing, and for ensuring that a record of such consents is maintained throughout the term of the Terms and this DPA and/or as otherwise required under Data Protection Laws.
- Processor Employees. Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know and/or access basis and that all Processor employees receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access to and use of Controller Personal Data.
- Security. Processor shall implement appropriate technical and organizational measures to ensure an appropriate level of security of the Controller Personal Data including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by the nature of the Processing and the information available to the Processor.
- Personal Data Breach.
- Processor shall notify Controller without undue delay and, where feasible, not later than within 48 (forty eight) hours upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data. In such event, Processor shall provide Controller with reasonable and available information to assist Controller in meeting any obligations to inform Data Subjects or Supervisory Authorities of the Personal Data Breach as required under Applicable Law.
- At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the parties or required under Applicable Law to assist in the investigation, mitigation and remediation of any Personal Data Breach.
- Sub Processing.
- Controller authorizes Processor to appoint (and permits each Sub Processor appointed in accordance with this Section 7 to appoint) Sub Processors in accordance with this Section 7.
- Processor may continue to use those Sub Processors already engaged by Processor as identified to Controller as of the date of this DPA.
- Processor may appoint new Sub Processors and shall give notice of any such appointment to Controller. If, within seven (7) days of such notice, Controller notifies Processor in writing of any reasonable objections to the proposed appointment, Processor shall not appoint the proposed Sub Processor for the Processing of Controller Personal Data until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections, each of Controller or Processor may, by written notice to the other party and with immediate effect, terminate the Terms to the extent that it relates to the Services requiring the use of the proposed Sub Processor. In such event, the terminating party shall not bear any liability for such termination.
- With respect to each new Sub Processor, Processor shall:
- Prior to the Processing of Controller Personal Data by Sub Processor, take reasonable steps (for instance by way of reviewing privacy policies as appropriate) to ensure that Sub Processor is committed and able to provide the level of protection for Controller Personal Data required by this DPA; and
- ensure that the arrangement between the Processor and the Sub Processor is governed by a written contract, including terms that offer a materially similar level of protection for Controller Personal Data as those set out in this DPA and meet the requirements of Applicable Law.
- Processor shall remain fully liable to the Controller for the performance of any Sub Processor’s obligations.
Data Subject Rights.
- Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Processor shall, at Controller’s sole expense, use commercially reasonable efforts to assist Controller in fulfilling Controller’s obligations with respect to such Data Subject requests, as required under Data Protection Laws.
- Upon receipt of a request from a Data Subject under any Data Protection Laws in respect to Controller Personal Data, Processor shall promptly notify Controller of such request and shall not respond to such request except on the documented instructions of Controller or as required by Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Data Protection Laws, inform Controller of such legal requirement prior to responding to the request.
Data Protection Impact Assessment and Prior Consultation. At Controller’s written request and expense, the Processor and each Sub Processor shall provide reasonable assistance to Controller with respect to any Controller Personal Data Processed by Processor and/or a Sub Processor, with any data protection impact assessments or prior consultations with Supervisory Authorities or other competent data privacy authorities, as required under any Data Protection Laws.
Deletion or Return of Controller Personal Data. Processor shall promptly and in any event within 60 (sixty) days of the date of cessation of provision of the Services to Controller involving the Processing of Controller Personal Data, delete, return, or anonymize all copies of such Controller Personal Data, provided however that Processor may retain Controller Personal Data, as permitted by Applicable Law.
- Subject to Sections 11.2 and 11.3, Processor shall make available to an auditor mandated by Controller in coordination with Processor, upon prior written request, such information reasonably necessary to demonstrate compliance with this DPA and shall allow for audits, including inspections, by such reputable auditor mandated by the Controller in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
- Any audit or inspection shall be at Controller’s sole expense, and subject to Processor’s obligations to third parties, including with respect to confidentiality.
- Controller and any auditor on its behalf shall use best efforts to minimize or avoid causing any damage, injury or disruption to the Processor’s premises, equipment, employees and business. Controller and Processor shall mutually agree upon the scope, timing and duration of the audit or inspection and the reimbursement rate, for which Controller shall be responsible. Processor need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- if Processor was not given a prior written notice of such audit or inspection;
- outside of normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis; or
- for the purposes of more than one (1) audit or inspection in any calendar year, except for any additional audits or inspections which:
- Controller reasonably considers necessary because of genuine concern as to Processor’s compliance with this DPA; or
- Controller is required to carry out by Applicable Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Law in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
- Processor shall immediately inform Controller if, in its opinion, an instruction received under this DPA infringes the GDPR or other applicable Data Protection Laws.
- Indemnity. Controller shall indemnify and hold Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Processor and arising directly or indirectly out of or in connection with a breach of this DPA and/or the Data Protection Laws by Controller.
- General Terms.
- Governing Law and Jurisdiction.
- The parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Terms with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
- This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Terms.
Order of Precedence.
- Nothing in this DPA reduces Processor’s obligations under the Terms in relation to the protection of Controller Personal Data or permits Processor to Process (or permit the Processing of) Controller Personal Data in a manner that is prohibited by the Terms.
- This DPA is not intended to, and does not in any way limit or derogate from Controller’s obligations and liabilities towards the Processor under the Terms and/or pursuant to Data Protection Laws or any law applicable to Controller in connection with the collection, handling and use of Controller Personal Data by Controller or other processors or their sub processors, including with respect to the transfer or provision of Controller Personal Data to Processor and/or providing Processor with access thereto.
- Subject to this Section 13.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other Terms between the parties, including the Terms and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) Terms entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Changes in Data Protection Laws.
- Controller may, by at least 45 (forty-five) calendar days’ prior written notice to Processor, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under any Data Protection Laws in order to allow Controller Personal Data to be Processed (or continue to be Processed) without breach of those Data Protection Laws.
- If Controller gives notice with respect to its request to modify this DPA under Section 13.3.1, (i) Processor shall make commercially reasonable efforts to accommodate such modification request and (ii) Controller shall not unreasonably withhold or delay Terms to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
- Severance. Should any provision of this DPA be held invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
- Appendix 1: Details of Processing of Controller Personal Data
This Appendix 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Controller Personal Data.
The subject matter and duration of the Processing of the Controller Personal Data are set out in the Terms, in Processor’s Privacy Notice (“Privacy Notice”) and this DPA.
The nature and purpose of the Processing of Controller Personal Data:
Rendering data management, data annotation and/or turn-key data labeling services as detailed in the Terms and the Privacy Notice.
The types of Controller Personal Data to be Processed are as follows:
Personal Data included in images or video provided to Processor as Customer Materials (as defined in the Terms).
The categories of Data Subject to whom the Controller Personal Data relates are as follows:
Any individuals who are identified or identifiable in the Customer Materials provided by the Controller.
The obligations and rights of Controller.
The obligations and rights of Controller are set out in the Terms and this DPA.