GDPR DATA PROCESSING ADDENDUM

Current version. Last updated - [23.12.2021]

This Data Processing Addendum (“DPA”) forms part of the service contract executed between you and Smartcat of the Terms of Service available at https://www.smartcat.com/terms/ or such other location as the Terms of Service may be posted from time to time, entered into by you as the User and Smartcat. The purpose of this DPA is to reflect the parties’ agreement with regard to Processing of Personal Data in accordance with the requirements of the General Data Protection Regulation (GDPR).

Terms and definitions used herein shall have the same meaning attributable to them in the Terms of Services and GDPR unless the context herein suggests otherwise.

1. Definitions

1.1. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Smartcat.

1.2. “Content” means any document, information, data, text, images, software, music, videos, sound, photographs, graphics, messages or other materials, including any text and/or oral communication, that a Customer wishes Smartcat to translate or process in the agreed way, submits it for translation/processing by way of uploading, e-mailing, posting, assigning a task, publishing or displaying (hereinafter, “upload”) it on the Platform and that the Supplier will commit to performing as a project in the form of the Service Task.

1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

1.4. “Customer” means any User of the Platform which submits a Service Task on the Platform and provides payment for such Service Task.

1.5. “Data Protection Laws” means GDPR as well as any applicable local data protection and privacy laws.

1.6. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.

1.7. “GDPR” / “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Counsel of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.

1.8. “Model Contract Clauses” means the standard contractual clauses for the transfer of the Personal Data to third countries set out in Commission Implementing Decision (EU) 2021/914 or any set of clauses approved by the European Commission which amends, replaces or supersedes these.

1.9. “Personal Data” means any information relating to the Data Subject.

1.10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed

1.11. “Processor” means the entity which processes the Personal Data on behalf of the Controller.

1.12. “Processing of Personal Data” / “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.13. “Security Measures” means any measures of the administrative, physical, and technical safeguards in the Smartcat’s information system.

1.14. “Services” means subscription, translation and related services, i.e. editing, post-editing, proof reading, interpreting, etc.

1.15. “Service Task” means any task placed by Customer via Customer’s account dashboard on the Platform or otherwise, as mutually agreed.

1.16. “Smartcat” means either Smartcat Platform Inc. – a legal entity registered under the laws of the United States of America; or Smartcat Europe B.V. – a legal entity registered in the Netherlands with registered address at Rouboslaan 36 B, 2252 TR, Voorschoten, the Netherlands, registration № 859832880; or Smartcat AI LLC – a legal entity registered under the laws of the Russian Federation. Which legal entity is going to be a contractual party to you depends on what further agreement you are becoming a party to.

1.17. “Smartcat Platform” / “Platform” means Smartcat’s website and technology platform for translation workflow automation, which is located at https://www.smartcat.com/.

1.18. “Sub-processor” means any entity or person appointed by or on behalf of the Processor to process Personal Data on behalf of the Processor.

1.19. “Supervisory authority” means an independent public authority.

1.20. “Supplier” means any individual freelancer or legal entity that registered on the Platform as a Supplier and wishes to perform the Service Task.

1.21. “User” means a Customer or a Supplier (depending on the context) registered on the Platform.

2. Roles

Back to top

2.1. You acknowledge that you are aware of the Data Protection Laws that may affect you when you receive or collect any Content from your Customers containing Personal Data and when you further upload that Content containing Personal Data on Smartcat Platform.

2.2. You also understand that under the Data Protection Laws, depending on how you received and use your Content containing Personal Data, you may be considered a “controller” or a “processor” as defined under article 4 of the GDPR.

2.3. Whenever you act as a Customer and upload any Content containing Personal Data Smartcat will act as a “processor” within the meaning of article 4 of the GDPR and this DPA shall apply.

3. Details of Processing of your Personal Data:

Back to top

3.1. This section includes certain details of the Processing of your Personal Data as required by Article 28(3) GDPR.

a) Subject matter and duration of the Processing of your Personal Data: The subject matter and duration of the Processing of your Personal Data are set out in the Terms of Service, service contracts executed between you and Smartcat and this DPA.

b) Nature and purpose of the Processing of your Personal Data: Provision of software as a service for language translation and related services.

c) Types of your Personal Data to be processed: Name, address, photo, contact data, professional life data, other Personal Data in the uploaded Content to the Smartcat Platform.

d) Categories of the Data Subjects to whom your Personal Data relates: Customers, co-workers and Data Subjects referred to in the uploaded Content to the Smartcat Platform.

4. Purposes of Processing Personal Data

Back to top

4.1 Smartcat may process Personal Data provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service for the following purposes:

  • providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and
  • for the purposes set forth in the Terms of Service or service contract executed between you and Smartcat.

5. Personal Data in the uploaded Content to Smartcat Platform:

Back to top

5.1. If you receive documents or any Content from your Customer, your role shall be Processor, and Smartcat’s role shall be Sub-Processor. In this case, the data Controller is your Customer.

5.2. You acknowledge and accept that Smartcat may not be aware of the presence of Personal Data in the Content uploaded by you to the Smartcat Platform unless you explicitly notify Smartcat in this regard. In this case, the responsibility of protecting such Personal Data remains with you.

5.3. You agree to remove Personal Data from your Content before uploading it to Smartcat Platform whenever such removal (anonymization or pseudonymization) is possible.

6. Smartcat’s personnel

Back to top

6.1. Smartcat shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to your Personal Data, ensuring in each case that access is strictly limited to those individuals who require access to the relevant Controller Personal Data.

6.2. Smartcat ensures that:

6.2.1. Employees, agents or contractors are subject to statutory obligations of confidentiality and confidentiality undertakings at least as restrictive as those described under this DPA.

6.2.2. Employees are thoroughly checked by our security team and can only use Personal Data as part of their work plus in addition to this, access is limited by authorization procedures and infrastructure, which does not allow employees with insufficient rights to access your Personal Data.

6.2.3. All employees have completed appropriate training regarding Personal Data.

7. Security Measures

Back to top

7.1. Security Measures include:

  • use of Tier IV data centers in the U.S., EU and China, run by AWS and Microsoft Azure, which are SOC-1, SOC-2, and SOC-3 compliant and it should be noted that this is a much higher level of protection than conventional office servers provide (learn more about Smartcat security measures);
  • all passwords are stored in hashed and salted form (and several external authorized services are supported via OAuth 2.0);
  • all passwords in the production configuration files are encrypted and certificates required to decrypt configs are installed on the production machines by administrators and not accessible for engineers with lower levels of access;
  • Before contracting any Sub-processors, Smartcat conducts an audit of the security and privacy practices of Sub-processors to ensure Sub-processors provide a level of security and privacy appropriate to their access to Personal Data and the scope of the services they are engaged to provide. The Sub-processor is required to enter into appropriate security, confidentiality and privacy contract terms.

7.2. These Security Measures may be updated or modified provided that such updates and modifications do not result in the degradation of the overall security of Smartcat Platform.

8. Scope of instructions given to Smartcat

Back to top

8.1. This DPA, the Terms of Service and service contracts executed between you and Smartcat set out your complete and final instructions to Smartcat in relation to the Processing of your Content containing Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between you and Smartcat. Smartcat will not use or process the Personal Data for any other purpose other than the Terms of Service, this DPA and service contracts executed between you and Smartcat.

8.2. You understand that within the provision of Services by Smartcat, you may select Smartcat’s Subcontractors on the Smartcat Platform and grant them access to Personal Data in your uploaded to the Smartcat Platfrom Content (if such Personal Data is present in the uploaded Content) directly through the Platform by way of assigning respective Subcontractor to the Service Task. Subject to section 8.2. such assignment constitutes your authorization and consent to process Personal Data by the selected Subcontractor, who will act as the Sub-processor in the meaning of GDPR.

9. Sub-processors

Back to top

9.1. You acknowledge and agree that a) Smartcat’s Affiliates may be retained as Sub-processors and b) Smartcat and Smartcat’s Affiliates respectively may engage third party Sub-processors in connection with the provision of Services As a condition to permitting a third party Sub-processor to process Personal Data, Smartcat or a Smartcat Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this Agreement, to the extent applicable to the nature of the services provided by such Sub-processor.

9.2. You hereby authorize Smartcat to engage with the following Sub-processors with the understanding that if you entered into Model Contract Clauses (Annex to this DPA), this authorization would constitute your prior written consent to the subcontracting by Smartcat of the Processing of Personal Data if such consent is required under the Model Contract Clauses.



NameLocationPurpose
AmazonEU - Personal Data of all Smartcat Users and Content uploaded by Customers residing in Europe and Africa.
USA - Content uploaded by Customers residing in North and South America
China - Content uploaded by Customers residing in APAC region
Hosting
GoogleEU, USAMachine translation
ABBYYEU, USAOCR services
Appcues, Inc.USANotification service
Hubspot Inc.USACRM Platform
Fullstory Inc.USACustomer analytics
Mixpannel Inc.USABusiness analytics
Smartcat marketplace Subcontractors/freelancers (i.e. translators, editors, proofreaders)To be selected by the ControllerTranslation and related services


9.3. Smartcat shall not engage any other Sub-processors than the Sub-processors indicated above, without your prior written consent.

9.4. Sub-processor only accesses and uses any Personal Data, provided to Smartcat and/or uploaded by you to Smartcat Platform, to the extent required to perform the obligations subcontracted to such Sub-processor.

9.5. Smartcat remains fully liable for all obligations subcontracted to, and all acts and omissions of Sub-processors.

9.6. As indicated above this DPA involves transfers of Personal Data out of the European Economic Area and the GDPR applies to the transfers of such data, Smartcat will, if specifically requested by you, enter as the data importer of the Personal Data into Model Contract Clauses (Annex to this DPA) with you as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses (Annex to this DPA).

10. Data Subject Rights

Back to top

Taking into account the nature of the Processing, Smartcat shall assist you by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the General Data Protection Regulation as well as any local data protection laws (“Data Protection Laws”).

10.1. Smartcat shall promptly notify you if Smartcat receives a request from a Data Subject, any Supervisory authority under any Data Protection Law in respect of your Personal Data as well as to cooperate as requested by you in order to comply to any Data Protection Laws regarding your Personal Data.

10.2. If Smartcat receives any request from a Data Subject in relation to Personal Data, provided to Smartcat and/or uploaded by you to Smartcat Platform, subject to section 10.1., you will be responsible for responding to any such request including, where necessary, by using the functionality of Smartcat Platform;

11. Personal Data Breach

Back to top

11.1. Smartcat shall notify you without undue delay upon Smartcat becoming aware of a Personal Data Breach affecting your Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Smartcat shall co-operate with you and take reasonable commercial steps as are directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

11.2. Smartcat’s obligation to report or respond to a Breach of Personal Data incident is not and will not be construed as an acknowledgement by Smartcat of any fault or liability of Smartcat with respect to the Breach of Personal Data incident.

11.3. Smartcat hereby declares and you agree that an unsuccessful security incidents will not be reported to you. An unsuccessful security incident is one that results in no unauthorised access to Personal Data or to any of Smartcat’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents.

12. Data protection impact assessment

Back to top

12.1. Smartcat shall provide reasonable assistance to you with any data protection impact assessments, and prior consultations with the Information Commissioner’s Office “ICO” in the United Kingdom (“Supervising Authorities”) or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of your Personal Data by and taking into account the nature of the Processing and information available to the Sub-processors.

12.2. Upon termination of the Terms of Service or service contracts executed between you and Smartcat, Smartcat shall upon your request return to you all Personal Data that belongs to you and copies of such data or securely destroy them and reasonably demonstrate to you that Smartcat has taken such measures unless applicable law prevents Smartcat from returning or destroying all or part of your Personal Data.

13. Right to Audit

Back to top

13.1. Controller reserves the right to perform an audit related to Smartcat’s compliance to obligations set out in this DPA (limited to conditions of DPA and service contracts executed between you and Smartcat) if required and appropriate, yet not without prior written notification to Smartcat, and without creating a business disturbance for Smartcat. Assessment may be performed by you and/or another auditor mandated by you and the information obtained during the assessment shall be treated with utmost confidentiality.

14. Your warranties, covenants and undertakings

Back to top

14.1. You covenant and undertake to Smartcat:

  • to comply at all times with Data Protection Laws prescribed for data Controllers or data Processors (as the case may be) in respect of any Personal Data you provide to Smartcat and/or upload on Smartcat Platform pursuant to the Terms of Service and service contracts executed between you and Smartcat;
  • if required by law to be a party to Model Contract Clauses (Annex to this DPA);
  • that you are solely responsible for complying with incident notification laws applicable to you and fulfilling any third party notification obligations related to any Breach of Personal Data, provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service or service contract executed between you and Smartcat.

14.2. You warrant to Smartcat:

  • if GDPR applies to the Processing of Personal Data you provide to Smartcat and/or upload to Smartcat Platform pursuant to the Terms of Service and service contracts executed between you and Smartcat and you are a Processor, then your instructions and actions with respect to that Personal Data have been authorized by the relevant Controller;
  • that the Security Measures (as detailed above) implemented and maintained by Smartcat as set out herein provide a level of security appropriate to the risk in respect of the Content you provide to Smartcat and/or upload to Smartcat Platform pursuant to the Terms of Service and service contracts executed between you and Smartcat.

15. Warranties, covenants and undertakings of Smartcat

Back to top

15.1. Smartcat covenants and undertakes to you:

  • to comply at all times with Data Protection Laws in respect of any Personal Data provided to Smartcat and/or uploaded by you to Smartcat Platform pursuant to the Terms of Service;
  • to process Personal Data (i) only for the purpose of providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Terms of Service or service contract between you and Smartcat;
  • to process Personal Data contained in any of your Content only in accordance with the written instructions from you (submitted via your User’s profile on Smartcat Platform or by e-mail);
  • to notify you as the User if, in Smartcat’s opinion, an instruction for the Processing of Personal Data given by you infringes applicable Data Protection Laws;
  • to inform you in writing if Smartcat cannot comply with the requirements under this DPA, in which case you as the User can terminate this DPA or take any other reasonable action, including suspending Personal Data Processing operations;
  • that Smartcat will, in a manner consistent with the functionality of Smartcat Platform, enable you to access, rectify and restrict Processing of Personal Data, provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service and service contract between you and Smartcat;
  • upon your written request shall securely destroy or return such Personal Data, provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service, to you within a maximum period of 30 days, unless applicable legislation or legal process prevents it from doing so;

16. General Terms

Back to top

16.1. This DPA and Model Contract Clauses (Annex to this DPA) shall remain in effect as long as the Terms of Service or service contracts executed between you and Smartcat remain in effect.

16.2. Any and all liabilities of Smartcat under this DPA are, without exception, limited to the amount of limitation cap indicated in the service contract with you.

16.3. All notices required or permitted under this Agreement shall be in writing addressed to the respective parties and shall be delivered by hand or by registered or certified mail, postage prepaid or by electronic mail with confirmation of receipt.

16.4. This agreement and its annexes shall be governed by the laws of England and Wales, excluding its conflicts-of-law rules, govern this Agreement.

16.5. Any breach of this DPA shall constitute a material breach of the Terms of Service and service contracts executed between you and Smartcat.

16.6. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including but not limited to the Terms of Service, service contracts executed between you provisions of this DPA shall prevail with regard to the Parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the European Union.

16.7. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.




ANNEX to the GDPR Data Processing Addendum

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to Processors established in third countries which do not ensure an adequate level of data protection.

Customer as defined in the Customer agreement (the data exporter)

And Smartcat as defined in the Customer agreement and the Terms of Service (the data importer) each a ‘party’; together ‘the parties’, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘Controller’, ‘processor’, ‘data subject’ and ‘Supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  2. ‘the data exporter’ means the Controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data Controller in the Member State in which the data exporter is established;
  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  7. to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection Supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the Data Subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  9. that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;
  10. and that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  4. that it will promptly notify the data exporter about:

    (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

    (ii) any accidental or unauthorised access; and

    (iii) any request received directly from the Data Subjects without responding to that request, unless it has been otherwise authorised to do so;

  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the Supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the Supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the sub-processor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
    The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

    (a) to refer the dispute to mediation, by an independent person or, where applicable, by the Supervisory authority;

    (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the Supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the Supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law indicated in the DPA.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law indicated in the DPA.
  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection Supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the Supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

This requirement may be satisfied by the sub-processor co-signing the contract entered into between the data exporter and the data importer under this Decision.

Clause 13

Confidentiality and non-disclosure

Restrictions. Smartcat acknowledges that, in order to perform the Services or to provide Supplementary Services, it shall be necessary for Customer to disclose to Smartcat certain Confidential Information (defined below) of Customer. Smartcat agrees that it shall not disclose, transfer, use, copy, or allow access to any such Confidential Information to any third parties, except as authorized by Customer. Customer hereby authorizes Smartcat to provide Confidential Information to Suppliers, translation service providers, marketing services providers and infrastructure and development service providers, including those located in jurisdictions without adequate protection of personal data, on the terms established by Smartcat provided that Smartcat shall implement technical and organizational security measures in respect of processing of such data.

Definition. Information disclosed by Customer, including, but not limited to, information that relates to existing and future products or services, designs, business plans, business opportunities, finances, research, development, know-how, personnel, personal data or third party confidential information will be considered and referred to collectively in this Agreement as “Confidential Information.” Confidential Information, however, does not include information that (a) is now or subsequently becomes generally available to the public through no fault or breach by Smartcat; (b) Smartcat can demonstrate to have rightfully had in its possession prior to disclosure by Customer; or (c) Smartcat rightfully obtains from a third party who has the right to transfer or disclose it.

Smartcat Proprietary Information. Customer shall treat as confidential and agrees not to disclose to any third party without the prior written consent of Smartcat, any information learned by Customer within the scope of the Services relationship with Smartcat that would appear to a reasonable person to be confidential or proprietary. Names and rates of Suppliers will be considered confidential information of Smartcat pursuant hereto.

Personal Data. The Parties shall comply with the terms of Smartcat’s Data Processing Agreement if, and solely to the extent, that the Services require personal data processing by the Parties. Smartcat may modify the terms of Data Processing Agreement unilaterally at any time with or without notice to Customer, provided, however, that such modifications shall become effective and binding on Customer upon the earlier of (a) notice to Customer, or (b) access by Customer of its account on the Platform. If Customer does not accept such modified terms of the Data Processing Agreement, Customer may terminate the Customer agreement unilaterally for convenience within two (2) weeks following the effective date thereof (as determined in accordance with the preceding sentence).

Clause 14

All Smartcat intellectual property rights such as text, graphics, editorial Content, data, formatting, graphs, designs, HTML, look and feel, photographs, music, sounds, images, software, videos, designs, typefaces and other Content (collectively “Proprietary Material”) that Users see or read through the Platform is owned by Smartcat, excluding any User-generated Content licensed to Smartcat pursuant to this TOS. Proprietary Material is protected in all forms, media and technologies now known or hereinafter developed. Smartcat owns all Proprietary Material, as well as the coordination, selection, arrangement and enhancement of such Proprietary Materials as a collective work under the applicable intellectual property legislation. The Proprietary Material is protected by the domestic and international laws on copyright, patents, and other proprietary rights and laws. User may not copy, download, use, redesign, reconfigure, or retransmit anything from the Platform without Smartcat’s express prior written consent and, if applicable, the holder of the rights to the User Content. Any use of such Proprietary Material, other than as permitted therein, is expressly prohibited without Smartcat prior permission and, if applicable, the holder of the rights to the User Content.

Smartcat service marks and trademarks, including, without limitation, Smartcat logos are service marks owned by Smartcat. Any other trademarks, service marks, logos and/or trade names appearing on the Platform are the property of their respective owners. User may not copy or use any of these marks, logos or trade names without the express prior written consent of the owner.


Appendix 1 to the Standard Contractual Clauses


This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. Data exporter

Data exporter

The data exporter is Customer as defined in the Customer agreement:

Data importer

The data importer is Smartcat as defined in the Customer agreement and the Terms of Service which is a SaaS platform which processes personal data upon the instruction of the data exporter in accordance with the terms of the Customer agreement published at www.smartcat.com.

Data Subjects

The personal data transferred concern the following categories of Data Subjects (please specify):

  • Prospects, Customers, business partners and vendors of data exporter (who are natural persons)
  • Employees or contact persons of data exporter’s prospects, Customers, business partners and vendors
  • Employees, agents, advisors, freelancers of data exporter (who are natural persons)
  • Data exporter’s Users authorized by data exporter to use the Smartcat Platform.

Categories of data

The personal data transferred concern but is not limited to the following categories of Personal Data:

  • Personal Data
  • Contact Data
  • Professional life data
  • Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Data exporter may submit special categories of data to the Smartcat, the extent of which is determined and controlled by the data exporter in its sole discretion and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

Processing operations

The personal data transferred will be subject to the following basic processing activities set forth in the Customer agreement published at www.smartcat.com.


Appendix 2 to the Standard Contractual Clauses


This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded on the Smartcat, as described in the Documentation applicable to the specific Services purchased by data exporter, and accessible via https://www.smartcat.com/ or otherwise made reasonably available by data importer. Data Importer will not materially decrease the overall security of the Services during a term of the contract with the data exporter.