This Data Processing Addendum (“DPA”) forms part of and is incorporated into the Effy AI Terms of Service or other written or electronic agreement governing Customer's use of the Service between Customer and Effy AI (each a “Party” and together the “Parties”).
1. Background
1.1. The Customer has agreed to the Terms of Service, according to which Effy AI has agreed to provide certain services to Customer (the “Services”).
1.2. When providing the Services, Effy AI may collect, process, and gain access to Personal Data of individuals on behalf of Customer. From a data protection perspective, Customer will be the Data Controller, and Effy AI will be the Data Processor.
1.3. This Addendum specifies the data protection obligations of the Parties under the Terms of Service. It applies to all activities performed by Effy AI in connection with the Terms of Service in which Effy AI, its staff, or a third party acting on behalf of Effy AI comes into contact with Personal Data of individuals as a Data Processor.
1.4. The Addendum is based on the provision of Article 28 of the GDPR and the definitions contained in the GDPR.
1.4.1. For UK-based Customers: Effy AI’s Processing of Personal Data under the Terms of Service is subject to the UK GDPR. UK-specific provisions: in the Addendum, reference to:
- “Union or Member State” in Section 6.1 shall be deemed to include the United Kingdom;
- “GDPR” in Sections 5.6, 5.9 and 6.1 shall be deemed to include the UK GDPR;
- “EU”, “EEA” and “European Economic Area” in Sections 6.5.3 and 7.3 shall be deemed to include the United Kingdom;
- “EU Standard Contractual Clauses” shall be deemed to include the UK Addendum to the EU Commission Standard Contractual Clauses; and
- “GDPR” in Sections 5.13, 7.2 and 8 shall be deemed to include the UK GDPR.
1.4.2. For Switzerland-based Customers: Effy AI is established in Switzerland (or otherwise subject to the Swiss DPA) and processes Personal Data from the Customer in Switzerland. In addition to the provisions set out in the Addendum, the following applies for Switzerland:
- Section 5.6: Any notifications must occur as soon as possible;
- Section 7.3: The countries outside the EEA are: USA. In addition, Effy AI has concluded the EU Standard Contractual Clauses in order to ensure the transmission of the Personal Data to such third countries.
- Section 10.3: Since there is no equivalent of Article 82 GDPR under the Swiss DPA, the general provisions of the Swiss Code of Obligations on liability shall apply.
1.5. If there is a conflict between the terms of the Terms of Service and those of this Addendum, the provisions of this Addendum will prevail.
2. Definitions
2.1. All capitalized terms used herein and not otherwise defined herein, shall have the meaning ascribed to such term in the Terms of Service.
2.2. Agreement means the Terms of Service, the Privacy Notice and this Addendum.
2.3. Customer means a natural, legal person or entity who has accepted the Terms of Service with Effy AI. As set forth in the Terms of Service, Customer has access to User Management at all times and can assign Authorisations to any User.
2.4. Customer Data means files and any other digital data and information, which is subjected to the Services or otherwise inserted to the Effy AI system by the Customer (including general employee information including name, email, phone number, job title, department, and direct manager; specific information related to the employees’ professional goals, accomplishments, training and development, awards and performance, feedback and reviews). Effy AI does not intentionally collect or process special category data. However, Customer may submit special category data to the Service, the extent of which is determined and controlled by Customer in its sole discretion, and which may include but is not limited to the following categories of special category data: gender, race or ethnicity, health data, sexual orientation, trade union membership, and any other category of special category uploaded by (or on behalf of) Customer.
2.5. Administrator means a User(s) of an Account which the Customer has granted a special authorisation to manage the Customer Account.
2.6. Data Controller means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.7. Data Processor means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
2.8. Data Protection Laws means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including but not limited to the European Union Regulation 2016/679 (the “General Data Protection Regulation” or “GDPR”), the United Kingdom Data Protection Act of 2018 and the European Union Regulation 2016/679 as applicable by virtue of Section 3 of the European Union (withdrawal) Act of 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”), the Swiss Federal Data Protection Act (the “Swiss DPA”) as revised on 25 September 2020, as well as the California Consumer Privacy Act (the “CCPA”), in each case as amended, repealed, consolidated or replaced from time to time.
2.9. Data Subject means the individual to whom Personal Data relates.
2.10. Instructions means the written, documented instructions issued by Customer to Effy AI, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deleting, making available).
2.11. Personal Data means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is recognised as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
2.12. Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Effy AI and/or its Sub-Processors in connection with the provision of the Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
2.13. Processing means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
2.14. Sensitive Data means Personal Data that is protected under special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) financial or credit information, including credit or debit card number; (c) genetic or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s sex life or sexual orientation, or data relating to criminal convictions and offenses; and/or (e) account passwords in unhashed form.
2.15. Sub-Processors means any Processor engaged by Effy AI to assist in fulfilling its obligations with respect to the provision of the Services under the Terms of Service.
2.16. Terms of Service means the terms available at https://www.effy.ai/terms.
3. Details of Processing
3.1. Purpose of Processing. Subject to Section 5.1 below, Effy AI will collect and Process Personal Data in connection with the Terms of Service only for the purpose of providing the Services. Effy AI will carry out the data Processing operations in accordance with the Terms of Service as well as any Instructions received from Customer that do not conflict with the provisions of this Addendum or the Terms of Service. Copies or duplicates of any Personal Data made available hereunder may only be compiled with the approval of Customer, as may be technically required for the provision of the Services, or required for lawful data retention.
3.2. Nature of Processing. Effy AI is a cloud-based, self-service, SaaS performance review tool. Personal Data will be Processed in accordance with the Terms of Service, Privacy Notice and this Addendum, and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services; and
- Disclosure in accordance with the Agreement (including this Addendum) and/or as compelled by applicable laws.
3.3. Controller Instructions. The Parties agree that the Terms of Service (including this Addendum), and the Privacy Notice, together with the Customer’s use of the Services, constitute the Customer’s complete and final Instructions to Effy AI in relation to the Processing of Personal Data, and any additional Instructions outside the scope of the Instructions shall require prior written agreement between the Parties.
3.4. Categories of Data Subjects. Effy AI will not have any knowledge or control over the categories of Data Subjects whose Personal Data the Customer may elect to record or upload into the Service, except as provided in the Terms of Service. Personal Data to which Effy AI may receive access usually concerns, in particular, the following categories of Data Subjects:
- Customer’s directors, officers, employees, interns, trainees, agents, contractors, job applicants, customers, suppliers, subcontractors, business contacts;
- Any other individuals for which Customer enters Personal Data or information into the Service.
3.5. Categories and Nature of Personal Data. Effy AI will not have any knowledge or control over the categories or nature of the Personal Data that Customer may elect to record or upload into the Service, except as provided in the Terms of Service. The data Processing activities will generally include the following categories of Personal Data:
- Name, title, email address, other contact information;
- Work relationships between individuals and organizational structure;
- Individual’s feedback, reviews and evaluations;
- IP addresses;
- References, meeting notes; and
- Other data collected by Customer and entered or uploaded into the Service by Customer.
The Parties agree that the Services are not intended for the Processing of Sensitive Data, and, as such, the Parties do not anticipate the Processing of Sensitive Data.
3.6. Term. As between Customer and Effy AI, this DPA is incorporated into and subject to the Terms of Service and shall be effective and remain in force for the term of the Terms of Service or the duration of the Service.
4. Customer’s Obligations
4.1. Compliance with Laws. Within the scope of the Agreement and in its use of the Services, Customer will be responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Effy AI.
4.2. In particular, but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that it will be solely responsible for:
4.2.1. The accuracy, quality, and legality of Personal Data and the means by which it acquired Personal Data;
4.2.2. Complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including providing the necessary notifications and obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
4.2.3. Ensuring Customer has the right to transfer, or provide access to, the Personal Data to Effy AI for Processing in accordance with the terms of the Agreement (including this Addendum);
4.2.4. Ensuring that Customer’s Instructions to Effy AI regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and
4.2.5. Complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.
4.3. Customer will inform Effy AI without undue delay if Customer is not able to comply with its responsibilities under this Section 5 or applicable Data Protection Laws.
5. Effy AI’s Obligations
5.1. Scope of Processing. Effy AI commits to process Personal Data received within the scope of the Agreement only based on the documented Instructions from the Customer. This does not apply to cases in which Effy AI is obliged to Process Personal Data under European Union or European Union Member State law to which Effy AI is subject. In such a case, Effy AI shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
5.2. Confidentiality. Effy AI will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality concerning Personal Data or are under an appropriate statutory obligation of confidentiality.
5.3. Qualified Personnel. Effy AI will use qualified personnel with data protection training to provide the Services.
5.4. Instructions to Personnel. Effy AI will oblige its personnel to Process Personal Data only in accordance with the Agreement, including its appendices, and any Instructions received from Customer.
5.5. Notification of Violation. Effy AI will notify Customer without undue delay if Effy AI is of the opinion that an Instruction received from Customer is in violation of applicable Data Protection Laws and/or in violation of contractual duties under the Agreement.
5.6. Notification of Personal Data Breach. Effy AI will notify Customer via email to the designated account Administrator(s) without undue delay after becoming aware of a Personal Data Breach involving Personal Data for which Customer is Controller, and will assist Customer in fulfilling its statutory obligations under applicable Data Protection Laws, including the GDPR, taking into account the nature of Processing and the information available to Effy AI.
5.7. Third Parties. Effy AI will keep confidential and will not make available any Personal Data received in connection with the Services to any third party except in accordance with the Terms of Service or this Addendum or as required by applicable law.
5.8. Data Subjects’ Requests. Taking into account the nature of the Processing, Effy AI will support Customer by implementing appropriate technical and organisational measures in fulfilling the rights of the Data Subject, as laid down in Chapter III of the GDPR, including but not limited to the correction, objection to the Processing of, deletion, and provision of Personal Data. If so instructed by Customer, and if feasible, Effy AI will correct, block, delete and take other required actions with the Personal Data in accordance with Customer’s Instructions. If a Data Subject contacts Effy AI directly in order to have his or her data corrected, deleted, blocked or use any other rights under Chapter III of the GDPR, Effy AI will instruct the Data Subject to contact the Data Controller without undue delay after receipt of such request.
5.9. Security. Taking into account the nature of Processing and the information available to Effy AI, Effy AI will assist Customer in ensuring compliance with its obligations under Article 32 of the GDPR regarding security of Processing.
5.10. Cooperation with Supervisory Authorities. Effy AI will use reasonable efforts to fully cooperate and to comply with any instructions, guidelines, and orders received from the relevant supervisory authority when such instructions, guidelines, or orders pertain to the Personal Data.
5.11. Deletion and Return of Personal Data. Upon termination of Services under the Terms of Service or, if applicable, an agreed exit phase, upon Instruction from Customer, Effy AI will, in accordance with Customer’s Instructions, either delete and/or return all Personal Data to Customer unless Effy AI is under a legal obligation to retain the Personal Data. The return and/or destruction of the Personal Data transferred shall be deemed to have been achieved via Customer initiating the export or deletion (as the case may be) of such Personal Data via the user interface or through Effy AI support in-app made available by Effy AI and noted as completed by Effy AI. If the Customer terminates the Services but does not give any Instructions, the normal data retention period applies as described in https://www.effy.ai/privacy.
5.12. Data Protection Impact Assessment and Prior Consultation. To the extent that the required information is reasonably available to Effy AI, and Customer does not otherwise have access to the required information, Effy AI will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by the GDPR or the UK GDPR (as applicable).
5.13. Records of Processing Activities. Effy AI shall keep a record of processing activities in accordance with Article 30(2) of the GDPR and make it available to the Customer upon request.
6. Sub-Processors
6.1. Customer grants Effy AI a general authorization in line with Article 28(2) of the GDPR to engage Sub-Processors for the purposes of providing the Services.
6.2. Customer authorizes Effy AI’s engagement of the Sub-Processors listed in http://www.effy.ai/subprocessors. Effy AI shall ensure that authorized Sub-Processors comply with the conditions provided for in Section 6.5. below at all times during provision of the Services.
6.3. Effy AI shall provide Customer notification, prior to the appointment of any new Sub-Processor (irrespective of whether such new Sub-Processor is appointed for carrying out an existing Processing function or a new Processing function). The notification will be sent via email to the designated account Administrator(s). Upon notification regarding Effy AI’s intention to engage a new Sub-Processor, Customer may object to such engagement by notifying Effy AI promptly in writing via email at dpo@effy.ai, within ten (10) business days after receipt of Effy AI's notice.
6.4. In the event that Customer objects to the use of any Sub-Processor, Effy AI will recommend to Customer commercially reasonable changes in the configuration or use of the Services to avoid Processing of Personal Data by the proposed Sub-Processor. If Effy AI is unable to assist Customer with its objection regarding engagement of a Sub-Processor within a reasonable period of time which shall not exceed thirty (30) calendar days, Customer may, upon written notice to Effy AI, terminate the Services. In the event of such termination, Effy AI will refund Company on a pro-rata basis any amounts paid by such Company for use of the Services.
6.5. Effy AI may only engage Sub-Processors for providing the Services under the Terms of Service if Effy AI:
6.5.1. Communicates the name, contact details, and the services to be provided by the Sub-Processor prior to engaging or replacing the Sub-Processor;
6.5.2. Ensures that an adequate level of data protection for Sub-Processors that are located outside of the European Union / European Economic Area exists as per GDPR or is created (e.g., by concluding Processor-to-Processor EU Standard Contractual Clauses); and
6.5.3. Has sufficient rights against the Sub-Processor to enforce a claim or request of the Customer in the context of the Services provided by the Sub-Processor.
6.6. Effy AI shall be fully responsible for any data protection violations by the Sub-Processors in connection with the provision of Services, and shall remain fully liable to Customer for any such violations in accordance with Section 10 of this Addendum.
7. Place of Data Processing and Data Transfers
7.1. Customer acknowledges and agrees that Effy AI may access and Process Personal Data on a global basis as necessary to provide the Service in accordance with the Terms of Service and, in particular, that Personal Data may be transferred to and Processed by Sub-Processors in jurisdictions where they have operations.
7.2. Wherever Personal Data is transferred outside its country of origin, each Party will ensure such transfers are made in compliance with the requirements of Data Protection Laws, especially the conditions pursuant to Chapter V of the GDPR.
7.3. Where Customer is based in the European Economic Area (EEA), the Parties acknowledge that the transfer of Personal Data by Customer to Effy AI will involve the transfer of data outside the EEA.
8. Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Effy AI will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR) to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services. The technical and organizational measures implemented by Effy AI are set forth at https://www.effy.ai/security.
9. Audits
Effy AI will grant to Customer and its designees during the term of the Addendum all requested information and access rights strictly in accordance with Effy AI’s security policy in order to verify Effy AI’s compliance with the Terms of Service, this Addendum and with applicable Data Protection Laws upon written request by Customer. Customer may determine Effy AI’s compliance with the agreed technical and organizational measures at Effy AI’s facilities upon a reasonable request in writing once a year, which is subject to confidentiality. If and to the extent Customer engages third parties to conduct an audit, such third parties must be bound by confidentiality obligations similar to and no less protective than those agreed to under this Addendum. Customer shall reimburse Effy AI for any time expended for any on-site audits at Effy AI’s then-current professional services rates. Customer shall promptly notify Effy AI and provide information about any actual or suspected non-compliance discovered during an audit.
10. Liability
For the purposes of this Addendum, the liability between “controller” and “processor” will be allocated pursuant to Article 82 of the GDPR.
11. Miscellaneous
11.1. The Addendum is governed by the law indicated as the governing law in the respective provisions of the Terms of Service.
11.2. This Addendum as well as changes and additions must be concluded by mutual agreement of the Parties recorded in signed writing.