Sign inRequest a reviewLearn moreSignature pendingSignRejectView detailsReview labelNot SpamRemove foreverNot SpamPage/15Loading…{"id": "1gQspZLFnTqjflOs0cAdUPbkHQ84KFMEK", "title": "Botpress – Data Processing Agreement.pdf", "mimeType": "application\/pdf"}Page 1 of 15<p>Botpress Data Processing Agreement (DPA)
</p>
<p>This DPA is supplemental to, and forms an integral part of, the agreement between the entity of
</p>
<p>the Botpress group identified in the Terms of Service and the Customer.
This DPA is in force
</p>
<p>upon its incorporation into such agreement by reference.
</p>
<p>1.
Definitions
</p>
<p>1.a Capitalized terms not defined herein have the meaning ascribed to them in the
</p>
<p>Agreement.
</p>
<p>1.b In this DPA :
</p>
<p>(a) “Agreement” has the meaning ascribed to such term in the Terms of Service.
</p>
<p>(b) “Botpress Group” means Botpress and any affiliates thereof.
</p>
<p>(c) “California Personal Information” means Personal Data that is subject to the
</p>
<p>protection of the CCPA.
</p>
<p>(d) “Canadian Data Protection Laws” means the Personal Information Protection and
</p>
<p>Electronic Documents Act, SC 2000, c 5 and the Act respecting the protection of
</p>
<p>personal information in the private sector, CQLR c P-39.1 as may be amended,
</p>
<p>superseded or replaced.
</p>
<p>(e) “CCPA” means California Civil Code Sec.
1798.100 et seq.
(also known as the
</p>
<p>California Consumer Privacy Act of 2018).
</p>
<p>(f) “Consumer”, “Business”, “Sell” and “Service Provider” will have the meanings given
</p>
<p>to them in the CCPA.
</p>
<p>(g) “Controller” means any Person which, alone or jointly with others, determines the
</p>
<p>purposes and means of the Processing of Personal Data.
</p>
<p>(h) “Data Protection Laws” means all applicable worldwide legislation relating to data
</p>
<p>protection and privacy which applies to a party to this DPA, including without limitation
</p>
<p>European Data Protection Laws, Canadian Data Protection Laws and the CCPA in
</p>
<p>each case as amended, repealed, consolidated or replaced from time to time.
</p>
<p>(i) “Data Subject” means the individual to whom Personal Data relates.
</p>
<p>(j) “Europe” means the European Union, the European Economic Area and/or their
</p>
<p>member states, Switzerland and the United Kingdom.
</p>
<p>(k) “European Data Protection Laws” means data protection laws applicable in Europe,
</p>
<p>as may be amended, superseded or replaced.
</p>
<p>(l) “European Data” means Personal Data that is subject to the protection of European
</p>
<p>Data Protection Laws.
</p>
<p>(m) “Permitted Affiliates” means any Customer Affiliates that (i) are permitted to use the
</p>
<p>Software Services pursuant to the Agreement, (ii) qualify as a Controller of Personal
</p>
<p>Data Processed by Botpress, and (iii) are subject to European Data Protection Laws.
</p>Page 2 of 15<p>(n) “Person” is to be interpreted broadly and includes any individual, corporation, limited
</p>
<p>liability company, limited partnership, company, association, partnership, trust or estate,
</p>
<p>joint venture, governmental entity or political subdivision thereof, or any other entity.
</p>
<p>(o) “Personal Data” means any information relating to an identified or identifiable
</p>
<p>individual.
</p>
<p>(p) “Processing” or “Process” means any operation or set of operations which is
</p>
<p>performed by a Processor upon Personal Data, whether or not by automatic means.
</p>
<p>(q) “Processor” means a Person which Processes Personal Data on behalf of a Controller.
</p>
<p>(r) “Regulator” means, as applicable, any Person or law enforcement or other agency
</p>
<p>having regulatory, supervisory or governmental authority (whether under a statutory
</p>
<p>scheme or otherwise) over all or any part of the Processing of Personal Data in
</p>
<p>connection with the provision or receipt of the Services, including, without limitation, the
</p>
<p>European data protection supervisory authorities.
</p>
<p>(s) “Security Breach” means a breach of security leading to the accidental or unlawful
</p>
<p>destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data
</p>
<p>transmitted, stored or otherwise Processed by Botpress and/or Sub-Processors in
</p>
<p>connection with the provision of the Services, not including events that do not
</p>
<p>compromise the security of Personal Data, including unsuccessful log-in attempts,
</p>
<p>pings, port scans, denial of service attacks, and other network attacks on firewalls or
</p>
<p>networked systems.
</p>
<p>(t) “Services” means the Software Services or Professional Services provided by any
</p>
<p>entity of the Botpress Group to the Customer or to its Affiliates.
</p>
<p>(u) “Standard Contractual Clauses” means the standard contractual clauses annexed to
</p>
<p>the European Commission’s Decision (EU) 2021/914 of 4 June 2021.
as may be
</p>
<p>amended, superseded or replaced.
</p>
<p>(v) “Sub-Processor” means any Processor engaged by Botpress or Botpress Affiliates to
</p>
<p>assist in fulfilling Botpress obligations with respect to the provision of the Services
</p>
<p>under the Agreement.
Sub-Processors may include third parties or Botpress Affiliates
</p>
<p>but will not include individuals employed or engaged by Botpress.
</p>
<p>(w) “Third-Country” means a jurisdiction or recipient: (i) not recognized by the European
</p>
<p>Commission as providing an adequate level of protection for personal data.
and (ii) not
</p>
<p>covered by a suitable framework recognized by the relevant authorities or courts as
</p>
<p>providing an adequate level of protection for personal data.
</p>
<p>(x) “Usage Data” means data pertaining to the Authorized Users’ Use of the Software,
</p>
<p>which may contain Personal Data where identifying individual users is necessary but
</p>
<p>excluding any Conversation Data.
Usage Data may include Personal Data about the
</p>
<p>employees and contractors of the Customer but not about end-users interacting with
</p>
<p>Customer Bots.
</p>Page 3 of 15<p>2.
Role of the parties
</p>
<p>2.a In Processing Conversation Data through the Services, the parties acknowledge and
</p>
<p>agree that the Customer acts as the Controller and that Botpress acts as a Processor.
</p>
<p>2.b If Customer acts as a Processor on behalf of a Controller, Botpress shall be deemed a
</p>
<p>sub-processor of Customer.
</p>
<p>2.c Botpress shall be a Controller with respect to Usage Data.
</p>
<p>3.
Compliance with Data Protection Laws
</p>
<p>3.a Each party shall carry out any processing of Personal Data in compliance with all
</p>
<p>applicable Data Protection Laws.
</p>
<p>3.b Botpress is not responsible for compliance with any Data Protection Laws applicable to
</p>
<p>the Customer or to the Customer’s industry that are not generally applicable to Botpress.
</p>
<p>3.c If Botpress becomes aware that it cannot Process Personal Data in accordance with
</p>
<p>Customer’s instructions due to a legal requirement under any applicable law, Botpress will (i)
</p>
<p>promptly notify the Customer of that legal requirement to the extent permitted by applicable law.
</p>
<p>and (ii) where necessary, stop all Processing (other than merely storing and maintaining the
</p>
<p>security of the affected Personal Data) until such time as the Customer issues new instructions
</p>
<p>in compliance with applicable law.
If this provision is invoked, Botpress will not be liable to
</p>
<p>Customer under the Agreement for any failure to perform the applicable Software Services or
</p>
<p>Professional Services until such time Botpress reasonable determines that Customer’s
</p>
<p>instruction are lawful.
</p>
<p>4.
Botpress Obligations
</p>
<p>4.a Botpress will only Process Personal Data for the purposes described in this DPA or as
</p>
<p>otherwise agreed within the scope of lawful instructions received from the Customer, except
</p>
<p>where and to the extent otherwise required by applicable law.
</p>
<p>4.b Botpress shall implement and maintain appropriate technical and organizational
</p>
<p>measures to protect Personal Data from Security Incidents, including as described under
</p>
<p>Schedule 2 to this DPA (“Security Measures”).
Botpress may modify or update the Security
</p>
<p>Measures at its discretion provided that such modification or update does not result in a material
</p>
<p>degradation in the protection offered by the Security Measures.
</p>
<p>4.c Botpress shall treat Personal Data as Customer’s confidential information and will
</p>
<p>ensure that any of its employees or contactors authorized to access or Process Personal Data
</p>
<p>is subject to appropriate confidentiality obligations (whether contractual or statutory) with
</p>
<p>respect to that Personal Data.
</p>
<p>4.d Botpress will delete or return all Personal Data Processed pursuant to this DPA, on
</p>
<p>termination or expiration of the Agreement.
Botpress may retain copies of Personal Data where
</p>
<p>required by applicable law, or where Personal Data has been archived on back-up systems,
</p>
<p>which data will be securely isolated and protected from any further Processing and deleted in
</p>
<p>accordance with applicable deletion practices.
</p>Page 4 of 15<p>5.
Customer’s Obligations
</p>
<p>5.a The Customer is responsible to ensure that its use of the Software Services or the
</p>
<p>Software is in accordance with all applicable Data Protection Laws, including by ensuring that (i)
</p>
<p>it is authorized to appoint Botpress to Process Personal Data on its behalf in accordance with
</p>
<p>this DPA, (ii) it has the right to transfer, or provide access to, the Personal Data to Botpress for
</p>
<p>Processing in accordance with the terms of the Agreement (including this DPA), (iii) ensuring
</p>
<p>that Customer’s instructions with respect to the Processing of Personal Data comply with
</p>
<p>applicable laws, including Data Protection Laws.
</p>
<p>5.b Customer shall promptly notify Botpress in writing if it has reason to believe or if it has
</p>
<p>been notified that the Processing of Personal Data effected by Customer through the Services is
</p>
<p>or may be in violation of applicable law, including Data Protection Laws.
</p>
<p>5.c Customer is responsible for determining whether the security measures implemented by
</p>
<p>Botpress adequately meets Customer’s obligations under applicable Data Protection Laws.
</p>
<p>Customer is also responsible to ensure that its access to the Software Services is secured and
</p>
<p>reserved to authorized personnel.
</p>
<p>6.
Security Breach
</p>
<p>6.a Botpress will promptly notify Customer if it becomes aware of any Security Breach and
</p>
<p>will provide timely information relating to such Security Breach as it becomes known or
</p>
<p>reasonably requested by Customer.
</p>
<p>6.b Upon request, Botpress will promptly provide reasonable assistance to Customer as
</p>
<p>necessary to allow Customer to notify a Security Breach to Regulators and/or affected Data
</p>
<p>Subjects, if such notification is required under Data Protection Laws.
</p>
<p>7.
Sub-Processors
</p>
<p>7.a Botpress may engage Sub-Processors to Process Personal Data.
Current
</p>
<p>Sub-Processors are listed at Schedule 3, any change to Sub-Processors will be notified to
</p>
<p>Customer.
</p>
<p>7.b Botpress selects Sub-Processors who offer data protection undertakings that provide at
</p>
<p>least the same level of protection for Personal Data as those in this DPA (including, where
</p>
<p>appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the
</p>
<p>services provided by such Sub-Processors.
Botpress remains responsible for each
</p>
<p>Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of
</p>
<p>such Sub-Processor causing a breach any of Botpress’ obligations under this DPA.
</p>
<p>7.c If Botpress Processes European Data on behalf of Customer, Customer may object to a
</p>
<p>new Sub-Processor, for reasonable reasons based on data protection.
If notified of such an
</p>
<p>objection, Botpress agrees to discuss the matter in good faith to achieve a commercially
</p>
<p>reasonable resolution.
If no such resolution can be reached, Botpress may either elect to forgo
</p>
<p>the appointment of the new Sub-Processor, or allow the Customer to terminate its subscription
</p>
<p>to the portion of the Software Services relying on such new Sub-Processor without liability to
</p>
<p>either party (but without prejudice to any fees incurred prior to termination).
</p>Loading…Loading Botpress – Data Processing Agreement.pdf.
Page 1 of 15CopyAdd a comment