Botpress

Data Processing Agreement

Add Comment

Sign inRequest a reviewLearn moreSignature pendingSignRejectView detailsReview labelNot SpamRemove foreverNot SpamPage/15Loading…{"id": "1gQspZLFnTqjflOs0cAdUPbkHQ84KFMEK", "title": "Botpress – Data Processing Agreement.pdf", "mimeType": "application\/pdf"}Page 1 of 15Botpress Data Processing Agreement (DPA) This DPA is supplemental to, and forms an integral part of, the agreement between the entity of the Botpress group identified in the Terms of Service and the Customer. This DPA is in force upon its incorporation into such agreement by reference. 1. Definitions 1.a Capitalized terms not defined herein have the meaning ascribed to them in the Agreement. 1.b In this DPA : (a) “Agreement” has the meaning ascribed to such term in the Terms of Service. (b) “Botpress Group” means Botpress and any affiliates thereof. (c) “California Personal Information” means Personal Data that is subject to the protection of the CCPA. (d) “Canadian Data Protection Laws” means the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 as may be amended, superseded or replaced. (e) “CCPA” means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018). (f) “Consumer”, “Business”, “Sell” and “Service Provider” will have the meanings given to them in the CCPA. (g) “Controller” means any Person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. (h) “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to a party to this DPA, including without limitation European Data Protection Laws, Canadian Data Protection Laws and the CCPA in each case as amended, repealed, consolidated or replaced from time to time. (i) “Data Subject” means the individual to whom Personal Data relates. (j) “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom. (k) “European Data Protection Laws” means data protection laws applicable in Europe, as may be amended, superseded or replaced. (l) “European Data” means Personal Data that is subject to the protection of European Data Protection Laws. (m) “Permitted Affiliates” means any Customer Affiliates that (i) are permitted to use the Software Services pursuant to the Agreement, (ii) qualify as a Controller of Personal Data Processed by Botpress, and (iii) are subject to European Data Protection Laws. Page 2 of 15(n) “Person” is to be interpreted broadly and includes any individual, corporation, limited liability company, limited partnership, company, association, partnership, trust or estate, joint venture, governmental entity or political subdivision thereof, or any other entity. (o) “Personal Data” means any information relating to an identified or identifiable individual. (p) “Processing” or “Process” means any operation or set of operations which is performed by a Processor upon Personal Data, whether or not by automatic means. (q) “Processor” means a Person which Processes Personal Data on behalf of a Controller. (r) “Regulator” means, as applicable, any Person or law enforcement or other agency having regulatory, supervisory or governmental authority (whether under a statutory scheme or otherwise) over all or any part of the Processing of Personal Data in connection with the provision or receipt of the Services, including, without limitation, the European data protection supervisory authorities. (s) “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Botpress and/or Sub-Processors in connection with the provision of the Services, not including events that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems. (t) “Services” means the Software Services or Professional Services provided by any entity of the Botpress Group to the Customer or to its Affiliates. (u) “Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021. as may be amended, superseded or replaced. (v) “Sub-Processor” means any Processor engaged by Botpress or Botpress Affiliates to assist in fulfilling Botpress obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or Botpress Affiliates but will not include individuals employed or engaged by Botpress. (w) “Third-Country” means a jurisdiction or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data. and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data. (x) “Usage Data” means data pertaining to the Authorized Users’ Use of the Software, which may contain Personal Data where identifying individual users is necessary but excluding any Conversation Data. Usage Data may include Personal Data about the employees and contractors of the Customer but not about end-users interacting with Customer Bots. Page 3 of 152. Role of the parties 2.a In Processing Conversation Data through the Services, the parties acknowledge and agree that the Customer acts as the Controller and that Botpress acts as a Processor. 2.b If Customer acts as a Processor on behalf of a Controller, Botpress shall be deemed a sub-processor of Customer. 2.c Botpress shall be a Controller with respect to Usage Data. 3. Compliance with Data Protection Laws 3.a Each party shall carry out any processing of Personal Data in compliance with all applicable Data Protection Laws. 3.b Botpress is not responsible for compliance with any Data Protection Laws applicable to the Customer or to the Customer’s industry that are not generally applicable to Botpress. 3.c If Botpress becomes aware that it cannot Process Personal Data in accordance with Customer’s instructions due to a legal requirement under any applicable law, Botpress will (i) promptly notify the Customer of that legal requirement to the extent permitted by applicable law. and (ii) where necessary, stop all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new instructions in compliance with applicable law. If this provision is invoked, Botpress will not be liable to Customer under the Agreement for any failure to perform the applicable Software Services or Professional Services until such time Botpress reasonable determines that Customer’s instruction are lawful. 4. Botpress Obligations 4.a Botpress will only Process Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of lawful instructions received from the Customer, except where and to the extent otherwise required by applicable law. 4.b Botpress shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Security Incidents, including as described under Schedule 2 to this DPA (“Security Measures”). Botpress may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures. 4.c Botpress shall treat Personal Data as Customer’s confidential information and will ensure that any of its employees or contactors authorized to access or Process Personal Data is subject to appropriate confidentiality obligations (whether contractual or statutory) with respect to that Personal Data. 4.d Botpress will delete or return all Personal Data Processed pursuant to this DPA, on termination or expiration of the Agreement. Botpress may retain copies of Personal Data where required by applicable law, or where Personal Data has been archived on back-up systems, which data will be securely isolated and protected from any further Processing and deleted in accordance with applicable deletion practices. Page 4 of 155. Customer’s Obligations 5.a The Customer is responsible to ensure that its use of the Software Services or the Software is in accordance with all applicable Data Protection Laws, including by ensuring that (i) it is authorized to appoint Botpress to Process Personal Data on its behalf in accordance with this DPA, (ii) it has the right to transfer, or provide access to, the Personal Data to Botpress for Processing in accordance with the terms of the Agreement (including this DPA), (iii) ensuring that Customer’s instructions with respect to the Processing of Personal Data comply with applicable laws, including Data Protection Laws. 5.b Customer shall promptly notify Botpress in writing if it has reason to believe or if it has been notified that the Processing of Personal Data effected by Customer through the Services is or may be in violation of applicable law, including Data Protection Laws. 5.c Customer is responsible for determining whether the security measures implemented by Botpress adequately meets Customer’s obligations under applicable Data Protection Laws. Customer is also responsible to ensure that its access to the Software Services is secured and reserved to authorized personnel. 6. Security Breach 6.a Botpress will promptly notify Customer if it becomes aware of any Security Breach and will provide timely information relating to such Security Breach as it becomes known or reasonably requested by Customer. 6.b Upon request, Botpress will promptly provide reasonable assistance to Customer as necessary to allow Customer to notify a Security Breach to Regulators and/or affected Data Subjects, if such notification is required under Data Protection Laws. 7. Sub-Processors 7.a Botpress may engage Sub-Processors to Process Personal Data. Current Sub-Processors are listed at Schedule 3, any change to Sub-Processors will be notified to Customer. 7.b Botpress selects Sub-Processors who offer data protection undertakings that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. Botpress remains responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor causing a breach any of Botpress’ obligations under this DPA. 7.c If Botpress Processes European Data on behalf of Customer, Customer may object to a new Sub-Processor, for reasonable reasons based on data protection. If notified of such an objection, Botpress agrees to discuss the matter in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached, Botpress may either elect to forgo the appointment of the new Sub-Processor, or allow the Customer to terminate its subscription to the portion of the Software Services relying on such new Sub-Processor without liability to either party (but without prejudice to any fees incurred prior to termination). Loading…Loading Botpress – Data Processing Agreement.pdf. Page 1 of 15CopyAdd a comment