This Data Processing Addendum (hereafter, the "DPA") sets forth the terms and conditions regarding the processing of personal data (including data concerning health) by Smilecloud on behalf of its Customers (as identified in the General Terms) in connection with the provision of the Services. The purpose of the DPA is to ensure the protection and security of personal data processed by Smilecloud in compliance with applicable Data Protection Laws.
The DPA is incorporated into the Contract, and its provisions apply to the Parties upon acceptance of the Contract. However, if the Customer requires an executable version of the DPA, they can find information on how to electronically sign our DPA below. This DPA shall be effective on the later of (i) the Effective Date of the Contract; or (ii) the date on which the last party signs the DPA.
For Customers countersigning the DPA.
While the incorporation provisions as stated above remain in effect, Customer is given the option, but is not required, to electronically sign this DPA by following this link. The Customer's signatory represents to Smilecloud that they have the legal authority to bind the Customer and are lawfully able to enter into this DPA. The signed DPA will only be effective if the Customer is an active subscriber of the Smilecloud Biometrics platform.
The terms used in this DPA shall have the same meaning as those defined in the General Terms, unless otherwise specified herein. Additionally, the following terms shall have the meanings set forth below:
“Customer Personal Data” means any Customer Data that relates to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Laws.
“Data Protection Laws” means all applicable data protection and privacy laws, and regulations of the European Union, the European Economic Area and their Member States, Switzerland, and the United Kingdom, including the GDPR and the UK GDPR, PIPEDA, LGPD, as well as US Data Protection Laws.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended or replaced from time to time.
“LGPD” means Brazil's Lei Geral de Proteção de Dados, the general data protection law of Brazil.
“PIPEDA” means the Personal Information Protection and Electronic Documents Act, a Canadian federal privacy law.
“Standard Contractual Clauses” means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Subprocessor” refers to any third-party entity engaged by Smilecloud to conduct specific Customer Personal Data processing tasks under Smilecloud's direction.
“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments, etc.) (EU Exit) Regulations 2019 (SI 2019/419).
“US Data Protection Laws” means any applicable data protection and privacy laws and regulations in the United States, including, but not limited to, the California Consumer Privacy Act (CCPA, as amended and modified) and other similar state laws.
Additionally, terms defined in the GDPR, including "controller," "processor," "processing," "data subject," "personal data," "data concerning health," "special categories of personal data," and "personal data breach," and their equivalents under applicable Data Protection Laws, shall have the meanings ascribed to them in the corresponding regulation.
Smilecloud as processor. When Smilecloud processes Customer Personal Data on behalf of the Customer in connection with the Services, Smilecloud will act as a processor or sub-processor on behalf of the Customer (who, in turn, processes such personal data as a controller or processor), and this DPA will apply accordingly.
Instructions. Smilecloud shall process Customer Personal Data only in accordance with the lawful documented instructions of the Customer, as set forth in the Contract, this DPA, or as directed by the Customer or Customer's End Users through the Services (hereinafter, the “Instructions”). Smilecloud shall inform the Customer without undue delay if it becomes aware that the Customer's processing Instructions infringe Data Protection Laws.
Customer's Role and Responsibilities in Data Processing. The Customer shall act as the controller or processor of the Customer Personal Data processed by Smilecloud pursuant to the Contract and this DPA. The Customer shall be responsible for ensuring compliance with all Data Protection Laws, including obtaining any necessary consents and providing any required notices in relation to its processing of Customer Personal Data (including but not limited to any special categories of personal data). Furthermore, the Customer warrants on an ongoing basis that the relevant controller has authorized (i) the Instructions, (ii) Customer's appointment of Smilecloud as a processor, and (iii) Smilecloud's engagement of Subprocessors as described in Section 6 (Subprocessors).
Cooperation. The Parties agree to cooperate in good faith and provide assistance to each other, as reasonably necessary, to fulfill their respective obligations under this DPA and Data Protection Laws. This includes providing reasonable assistance to each other in relation to data subject requests, data protection impact assessments, and any other requirements arising from Data Protection Laws, in accordance with the provisions of this DPA.
Description of Processing Activities. The details of the processing activities carried out by Smilecloud on behalf of the Customer, including the subject matter, duration, nature, and purpose of the processing, as well as the categories of data subjects and types of personal data, are described in Schedule 1 of this DPA.
Updates to Processing Activities. Smilecloud may update the description of processing activities in Schedule 1 from time to time to reflect changes in the Services, such as the introduction of new features or functionalities. Smilecloud shall inform the Customer of any significant changes to the processing activities, and the Customer shall have the opportunity to object to such changes, in accordance with the terms set forth in this DPA.
Customer Responsibility. The Customer acknowledges and agrees that it is responsible for determining whether it processes any special categories of personal data (especially data concerning health) in connection with the Services. In such case, the Customer shall comply with any additional obligations and requirements under applicable Data Protection Laws, including obtaining necessary consents and providing appropriate notices, when processing such special categories of personal data.
Smilecloud's Processing. If the Customer processes special categories of personal data in connection with the Services, Smilecloud shall process such data in strict accordance with the Instructions. Smilecloud shall not process special categories of personal data for any other purpose, unless otherwise required by law or with the Customer's explicit consent.
Additional Safeguards. In the event that Smilecloud processes special categories of personal data on behalf of the Customer, Smilecloud shall implement additional appropriate technical and organizational measures to ensure the protection of such data in accordance with Data Protection Laws. These measures may include, but are not limited to, enhanced access controls, encryption, pseudonymization, and secure storage and transmission methods.
Security Measures. Smilecloud will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage (hereinafter, the “Security Measures”). Security Measures shall take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, as well as the risk and severity for the rights and freedoms of data subjects. Current Security Measures are described on Smilecloud’s Security Practices page, which is incorporated by reference into this DPA.
Confidentiality of Processing. Smilecloud will ensure that any person authorized to process Customer Personal Data on its behalf (including Smilecloud employees, contractors, or Subprocessors) will be subject to appropriate confidentiality obligations (whether contractual or statutory).
Customer Responsibility. The Customer acknowledges its own responsibility to implement appropriate security measures to protect its systems, networks, and devices used to access, transmit, or process Customer Personal Data. The Customer is responsible for ensuring the security of its own data processing environment and the secure transmission of data to and from Smilecloud's systems.
Security Incident Response. In the event of a personal data breach, Smilecloud will, without undue delay and in any event within 72 hours, notify the Customer and provide relevant details about the incident. Smilecloud will cooperate with the Customer in investigating and resolving the incident, including providing reasonable assistance in notifying affected data subjects and relevant authorities, where required by Data Protection Laws. Smilecloud’s notification of or response to a personal data breach under this section shall not be construed as an acknowledgment by Smilecloud of any fault or liability with respect to such an incident.
Security Updates. Smilecloud will regularly review and update its Security Measures to ensure the continued protection of Customer Personal Data. The Customer acknowledges that Smilecloud may make changes to its Security Measures from time to time as part of its ongoing commitment to maintaining a high level of data protection. In the event of any material changes to the Security Measures, Smilecloud will use reasonable efforts to ensure that the updated measures continue to provide an appropriate level of protection for Customer Personal Data, in accordance with Data Protection Laws and industry standard practices.
Compliance Verification and Audit Access. Smilecloud acknowledges the importance of verifying its compliance with Data Protection Laws and this DPA. In order to facilitate audits and inspections, Smilecloud commits to providing the Customer with reasonable access to relevant information and documentation, subject to the signing of a Non-Disclosure Agreement (NDA) to protect the confidentiality of Smilecloud's proprietary and sensitive information.
Provision of Compliance Information and Documentation. Upon the Customer's written request and subject to the NDA, Smilecloud shall provide the Customer with:
(a) relevant information and documentation demonstrating its compliance with its obligations under this DPA and applicable Data Protection Laws; and
(b) any available third-party audits, certifications, or attestations related to its data protection practices and security measures.
Audit Procedure, Scope, Frequency. If the Customer, after reviewing the information provided by Smilecloud, reasonably believes that an audit is necessary to comply with Data Protection Laws and is not satisfied with the information provided, the Customer shall notify Smilecloud of its intention to conduct an audit. The Customer shall bear all costs associated with the audit, including any expenses incurred by Smilecloud, and may be required to provide upfront payment for such expenses. The Parties shall mutually agree on the timing and duration of any audits, which shall not be conducted more frequently than once per year, unless required by Data Protection Laws or a competent supervisory authority. Depending on the scope and extent of the audit, the Customer shall provide Smilecloud with reasonable advance notice and, in any case, no less than forty-five (45) days before any intended audits.
Audit Scope and Limitations. Any audits shall be conducted in a manner that minimizes disruption to Smilecloud's business operations and shall not interfere with Smilecloud's ability to provide services to its other customers. The audit shall be limited in scope, duration, and frequency as required by Data Protection Laws and to address the specific concerns raised by the Customer.
Confidentiality and Security During Audits. The Customer must ensure that its representatives conducting an audit safeguard the confidentiality of all information obtained during the audit in accordance with the Contract and NDA, sign an enhanced mutually agreeable non-disclosure agreement if requested by Smilecloud, and adhere to Smilecloud's security policies while on Smilecloud's premises.
Sharing Audit Results and Non-Compliance. The Customer must promptly share with Smilecloud any written audit report generated and any instances of non-compliance discovered as a result of the audit. If the Customer is required to disclose the audit results to a competent supervisory authority or as otherwise required by law, the Customer shall notify Smilecloud and provide a copy of the intended disclosure, giving Smilecloud an opportunity to review and propose modifications to protect its proprietary and sensitive information. If the audit reveals any non-compliance by Smilecloud with its obligations under this DPA or applicable Data Protection Laws, Smilecloud shall promptly take necessary corrective actions and provide the Customer with an appropriate remediation plan.
General Written Authorization. The Customer grants Smilecloud a general written authorization to engage new subprocessors in the provision of the Services. Smilecloud will provide the Customer with a 10-day prior notice via email before appointing any new subprocessor, giving the Customer an opportunity to object. If the Customer objects within 7 days of receiving the notice, the Parties will engage in good-faith discussions to explore alternative options. If no agreement can be reached within a period of thirty (30) days, the Customer may terminate the Contract without penalty, and Smilecloud will refund any prepaid fees covering the remainder of the contract term.
Current Subprocessors. The Customer acknowledges that Smilecloud has already engaged subprocessors as of the Effective Date. A list of the current subprocessors, their roles, and locations can be found on Smilecloud’s Subprocessors page, incorporated by reference into this DPA. The Customer authorizes the engagement of these subprocessors in accordance with this DPA.
Subprocessor Agreements. Smilecloud will enter into a written agreement with each subprocessor, which imposes data protection obligations on the subprocessor that are at least as protective as those set forth in this DPA. Smilecloud will be responsible for the subprocessors' compliance with the data protection obligations specified in their respective agreements.
Subprocessor Updates. Smilecloud will regularly review and update the subprocessor list as necessary. The Customer will have the opportunity to review any changes made to the list and follow the same objection process as described in the first section of this clause.
Data Subject Requests. Smilecloud will collaborate with the Customer to ensure compliance with data subject rights under Data Protection Laws. Smilecloud will provide reasonable assistance to the Customer in fulfilling its obligations to respond to data subject requests, considering the nature of Smilecloud's processing activities and the information available to Smilecloud.
The Customer is responsible for handling data subject requests it receives directly. If Smilecloud receives any information or requests from a data subject related to the processing of their personal data under the Contract, Smilecloud will promptly forward such requests or information to the Customer and await further instructions.
If a data subject submits a request directly to Smilecloud regarding their personal data processed by Smilecloud as a processor on behalf of the Customer, Smilecloud will promptly inform the Customer of such a request and cooperate with the Customer to help facilitate an appropriate response. Smilecloud may acknowledge receipt of the data subject's request and inform the data subject that it is working on the matter; however, Smilecloud will not provide a final resolution to the data subject's request without obtaining the Customer's prior written consent, unless required by Data Protection Laws.
Assistance in Compliance. Smilecloud will provide reasonable assistance to the Customer, at the Customer's expense, in conducting any data protection impact assessments, consulting with supervisory authorities, and implementing any required measures, to the extent applicable to Smilecloud's role as a processor.
Time and Cost of Assistance. Smilecloud's assistance in handling data subject requests and complying with the Customer's obligations under this clause will be provided at the Customer's expense, based on Smilecloud's reasonable fees for such services. The Parties agree to discuss and agree upon the scope of assistance and associated costs before Smilecloud begins providing the requested assistance.
Customer’s Choice and Return of Data. Upon termination of the Contract, or upon the Customer's written request, Smilecloud will, at the Customer's choice, either return all Customer Personal Data in its possession or control to the Customer or securely delete the Customer Personal Data. Smilecloud will provide the returned data in a commonly used and machine-readable format, when possible and depending on the Customer's subscription plan. The Customer acknowledges that exporting data in such a format may not be available for all subscription plans and could incur additional charges. The Parties may agree upon alternative arrangements for the return of data if the Customer's subscription plan does not include this feature or if the Customer wishes to avoid additional charges.
Deletion of Data. If the Customer requests the deletion of Customer Personal Data, Smilecloud will securely delete the Customer Personal Data from its systems and any storage media, along with any existing copies, in accordance with industry-standard practices and Data Protection Laws. Smilecloud may provide the Customer with written confirmation of the deletion upon request.
Retention of Data for Compliance Purposes. Notwithstanding the foregoing, Smilecloud may retain a copy of the Customer Personal Data to the extent required by applicable Data Protection Laws or for compliance with Smilecloud's legal obligations, provided that such retained data will continue to be subject to the confidentiality and security obligations set forth in the Contract and this DPA.
Subprocessors. Smilecloud will ensure that any Subprocessors engaged by Smilecloud will comply with the obligations in this clause regarding the return and deletion of Customer Personal Data. Smilecloud will remain responsible for the acts and omissions of its Subprocessors in relation to their compliance with this clause.
Adequate Countries. Smilecloud may transfer Customer Personal Data to a country outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland without any further safeguards being necessary, provided that the relevant Data Protection Authority has determined that such a country ensures an adequate level of protection for personal data in accordance with Data Protection Laws.
Other Countries. For transfers of Customer Personal Data to countries outside the EEA, the UK, or Switzerland that do not provide an adequate level of protection, Smilecloud will ensure that such transfers are subject to the Standard Contractual Clauses or other data transfer mechanism approved by the relevant Data Protection Authority.
Subprocessors. Where Smilecloud engages subprocessors located in countries outside the EEA, the UK, or Switzerland that do not provide an adequate level of protection, Smilecloud will enter into written agreements with such subprocessors that include Standard Contractual Clauses or another data transfer mechanism approved by the relevant Data Protection Authority.
Customer Obligations. The Customer agrees to provide any assistance, information, or documentation necessary for Smilecloud to comply with its obligations under this International Data Transfers clause, including cooperating in the execution of the Standard Contractual Clauses or other data transfer mechanisms approved by the relevant Data Protection Authority.
Updates to Data Transfer Mechanisms. Smilecloud may update the data transfer mechanisms used to comply with its obligations under this International Data Transfers clause, provided that such updates do not materially reduce the level of protection afforded to Customer Personal Data.
Suspension of processing. In the event that Smilecloud does not meet its obligations under this DPA, the Customer may require Smilecloud to suspend processing Customer Personal Data until Smilecloud complies with the DPA again or until the Contract is terminated. Smilecloud shall promptly inform the Customer in case it is unable to comply with this DPA, for whatever reason.
Termination by Customer. The Customer can terminate the Contract insofar as it concerns the processing of Customer Personal Data under this DPA if:
Termination by Smilecloud. Smilecloud shall be entitled to terminate the Contract insofar as it concerns the processing of Customer Personal Data under this DPA where, after having informed the Customer that its Instructions infringe applicable legal requirements, the Customer insists on compliance with the Instructions.
Superseding Clause. This DPA supersedes and replaces all previous data processing agreements between the Parties in connection with the Services.
Relationship with Contract. The terms and conditions of the Contract remain in full force and effect. In the event of any conflict or inconsistency between the provisions of the Contract and this DPA in relation to data processing, the provisions of this DPA shall take precedence.
Liability. The liability of each Party under this DPA shall be subject to the exclusions and limitations of liability set out in the Contract.
Choice of Law and Jurisdiction. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction stipulated in the Contract unless otherwise required by applicable Data Protection Laws.
1. Categories of data subjects whose personal data is processed
The Customer may transfer personal data to Smilecloud related to the following categories of data subjects:
2. Categories of personal data processed
Customer Personal Data may include, at Customer's sole discretion and control, the following categories of personal data:
(1) Non-special categories of personal data, such as
(2) Special categories of data
No other special categories of personal data shall be transferred by the Customer without prior written authorization from Smilecloud.
3. Nature of processing
The nature of the processing of Customer Personal Data by Smilecloud in providing its Services involves the following:
4. Purpose of Processing
The processing of Customer Personal Data by Smilecloud is limited to the following purposes:
5. Duration of Processing
Upon Contract termination or at the Customer's request, Smilecloud will remove all Customer Personal Data from the live production database within 90 days, unless retention is allowed or mandated by applicable Data Protection Laws or specified otherwise under this DPA for different compliance or business purposes.
In scenarios where a database restore becomes necessary within the retention window, Smilecloud commits to re-deleting Customer Personal Data as swiftly as practicable once the live production system is entirely restored.
In line with Section 4, Smilecloud has put in place and commits to maintaining adequate technical and organizational measures to safeguard personal data from unauthorized access, misuse, and accidental loss or destruction, as detailed in Smilecloud's Security Practices page.
Last updated: 18.12.2023