This is the Data Processing Agreement as referred to in the Order Form signed by Keboola and the Client, as such parties are identified in the Order Form, for Services, as defined in the Order Form. According to the terms of the Order Form, this the Data Processing Agreement is incorporated in the agreement entered into between the Keboola and the Client by signing the Order Form. Capitalized terms have the meaning ascribed to them in the Order Form.
1. Controller and processor. Keboola provides the Client with Services which include activities that may involve processing of personal data by Keboola (as a processor) for the Client (as a controller) within the meaning of the regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 94/46/EC (General Data Protection Regulation) (the “GDPR”).
2. Subject-matter and duration of the processing. The subject-matter of the personal data processing is given by a nature of the Services and it is determined in every single case by the Client. Keboola processes the personal data in accordance with the instructions of the Client. The Client may give the instructions also by using the Keboola Connection platform. The personal data are processed during the term of Services under the Order Form.
3. Categories of personal data and categories of data subjects. Personal data processed by Keboola for the Client may include, among others information, personal contact information such as name, address, telephone or mobile number, fax number, e-mail address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and names of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, social security details and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers, IP addresses, and online behaviour and interest data. Categories of data subjects, whose personal data may be processed by Keboola for the Client may include, among others, the Client’s representatives and end users of the Client such as employees, job applicants, contractors, collaborators, partners, customers and user of the Client.
4. Sub-processors. The Client acknowledges and consents that Keboola engages Amazon Web Services, Inc., Seattle, WA - USA and Snowflake Computing, Inc., San Mateo, CA – USA as another processors (while, however, the personal data are not transferred and/or processed outside of the European Economic Area); the purpose of the sub-processing of personal data by the aforementioned entities is the use of their cloud storage capacities. The Client also agrees that Keboola shall engage with further other processors as reasonably required for the provision of Services to the Client (the “Sub-processor”). Keboola undertakes to assess the established technical and organisational measures of each Sub-processor and their credibility prior to engaging them to the processing and to comply with other obligations under GDPR and this Data Processing Agreement, while engaging the Sub-Processors. The Client is always able to access an online list of relevant Sub-processors in its Keboola Connection Project, in the directory “Users & Setting > Users”.
5. Rights and obligation of the Parties. The Client as the controller of personal data, undertakes to comply with the obligations imposed at it by the GDPR (including, but not limited to, furnishing data subjects with relevant information regarding personal data processing and obtaining consents with processing from data subjects). Keboola undertakes to process personal data in such a manner so as not to violate any provision of the GDPR or any other personal data protection laws and not to cause any violation of the GDPR or any other personal data protection laws by the Client. Keboola undertakes in particular, but not limited to, to abide by the following GDPR requirements:
6. Keboola declares, that organizational and technical measures to ensure a security of personal data have been implemented pursuant to Article 32 of the GDPR in order to ensure the level of security appropriate to the personal data processing under this Data Processing Agreement. Detailed description of technical measures is available in Keboola’s Security Whitepaper, available online at [http://www.keboola.com/whitepaper]. In particular, Keboola undertakes to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of transferred, saved or otherwise processed personal data or unauthorized access.
7. Keboola undertakes to notify the Client without undue delay after having become aware of any breach of security of the processed personal data by an e-mail sent to the contact e-mail address specified in the Order Form, or to any other e-mail address specified by the Client for this purpose in writing.
8. Keboola undertakes to maintain confidentiality and to ensure confidentiality of all persons who shall within their scope of authorization have access to personal data processed under this Data Processing Agreement.
9. Upon the Client’s instruction to so, or once this Data Processing Agreement cease to be effective for any reason, Keboola undertakes to delete, return or otherwise make available to the Client all the personal data contained within the Services, unless further retention of the processed person data is prescribed by the law.