Data processing terms

Last Updated Date: 1 November 2018

1. INTRODUCTION
1.1 These terms (the “Data Processing Terms”) govern the processing of personal data by Gelato as processor on behalf of the Customer as controller under the Agreement concerning the Services provided by Gelato through the Platform. These Data Processing Terms do not govern personal data processed by Gelato as controller.
1.2 These Data Processing Terms supersede any prior agreements and provisions between the parties concerning the processing of personal data under the Agreement.
1.3 In the event of inconsistency between the Agreement and these Data Processing Terms on matters specifically concerning data protection, the latter shall prevail.

2. DEFINITIONS
2.1 "Applicable Data Protection Law": The applicable data protection and privacy law of the countries in which the Customer and Gelato are incorporated, including the GDPR.
2.2 "GDPR": The EU General Data Protection Regulation 2016/679.
2.3 "Standard Contractual Clauses": The standard contractual clauses for the transfer of personal data to processors established in third countries, laid down by the EU Commission decision of 5 February 2010 and/or laid down by the EU Commission or a relevant supervisory authority in accordance with Article 28(7) or 28(8) of the GDPR.
2.4 "Digital Assets" means text, pictures, audio, video, files, templates, fonts, logos, metadata and other content uploaded to or created on the Platform (Customer Content).
2.5 Other terms shall have the meaning as defined in the Agreement or in Applicable Data Protection Law.

3. SCOPE
3.1 The Customer instructs Gelato to process personal data on behalf of the Customer as follows:
3.2 Nature/purpose: Processing of personal data contained in the Digital Assets uploaded by or on behalf of the Customer to the Platform for the purpose of performing the Services.
3.3 Data subjects: Persons mentioned, depicted or otherwise identifiable from the data contained in the Digital Assets.
3.4 Categories of personal data: Names, positions, phone numbers, email addresses, images and other information relating to the data subjects. The Customer will generally not include special categories of personal data (sensitive data) in the Digital Assets.

4. GENERAL OBLIGATIONS
4.1 The Customer shall comply with its obligations under Applicable Data Protection Law, including by ensuring lawfulness of the processing (such as by collecting consents if required) and by giving data subjects information about the processing (such as by means of a privacy notice).
4.2 Gelato shall process the personal data solely for the purpose and within the scope of clause 3, and shall refrain from processing the personal data for its own purposes. This shall however not prevent Gelato from extracting and processing anonymous data, such as aggregated knowledge and statistics, from such personal data, including for the purpose of product development.
4.3 Gelato shall without undue delay inform the Customer in writing if, in its reasonable opinion, (i) an instruction from the Customer will cause Gelato to infringe applicable data protection law, or (ii) a legal requirement laid down by EU law or law in an EEA/EU country requires Gelato to process personal data beyond the scope of the Customer's documented instructions, unless that law prohibits such information on important grounds of public interest (if so, Gelato shall inform the Customer as soon as permitted by law). In the event of (i) or (ii), the Parties shall in good faith discuss how to solve the issue without adversely affecting the data protection.

5. ASSISTANCE TO THE CUSTOMER
5.1 Gelato shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to and comply with requests for exercising the data subject's rights laid down in Chapter III of the GDPR.
5.2 Taking into account the nature of processing and the information available to Gelato, Gelato shall assist the Customer with the obligations pursuant to Articles 32 to 36 of the GDPR, including the obligations of data security (as further described in clause 5.3), personal data breach notification (as further described in clause 9), data protection impact assessments, and prior consultations.
5.3 Assistance under this clause 5, which is performed upon the Customer's request, shall be without additional charge up to a maximum of 15 hours per calendar year. Assistance exceeding such hours shall be payable based on the hourly rates which are agreed between the parties under the Agreement. If no rates have been agreed, Gelato's ordinary rates will apply.

6. TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
6.1 Gelato shall implement and maintain throughout the term appropriate technical and organisational data security measures to protect the personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access as required pursuant to Article 32 of the GDPR.
6.2 Gelato's security measures are described in Appendix 1. The Customer acknowledges that Gelato may from time to time make amendments to these measures, provided that the amendments do not adversely affect the level of data security.
6.3 Gelato shall not disclose or make available the personal data to any third party except with the prior written approval of the Customer, and except to any sub-processors (subject to clause 7) on a need-to-know basis.
6.4 Gelato shall ensure that persons under its control who have access to the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7. USE OF SUB-PROCESSORS
7.1 The Customer authorises Gelato to engage sub-processors. In general, print service providers act as sub-processors, whereas logistics service providers act as separate controllers.
7.2 The Customer is hereby informed that Gelato will continuously add and replace sub-processors for the purpose of maintaining and continuously improving the Services. Gelato shall on the Platform make available an up-to-date list of the sub-processors (identities may be kept confidential if required to comply with confidentiality undertakings). The current list of sub-processors is attached as Appendix 2. The Customer can at any time object to any of the sub-processors. If so, Gelato shall endeavour to deliver the Services without the sub-processor; however, the Customer acknowledges that Gelato may then not be able to provide the Services.
7.3 Sub-processing shall only be done by way of a written agreement with the sub-processor which imposes appropriate data protection obligations on the sub-processor. Where a sub-processor is engaged for carrying out specific processing activities on behalf of the Customer, Gelato shall by way of a written agreement impose on the sub-processor the same data protection obligations as set out in these Data Processing Terms. At the Customer's request, Gelato shall provide the Customer with a copy of such written agreement; however, commercial and other business-sensitive information may be redacted.
7.4 Gelato remains fully liable to the Customer for the performance of the sub-processors' obligations.

8. INTERNATIONAL DATA TRANSFER
8.1 Gelato may transfer personal data to a non-EEA country (third country) or an international organisation only if it complies with the requirements laid down in the GDPR and only on documented instructions from the Customer.
8.2 If, subject to clause 7, the use of a sub-processor requires the transfer of personal data to a third country, Gelato shall ensure that (i) the sub-processor is certified under the EU-U.S. Privacy Shield framework or (ii) the Standard Contractual Clauses are concluded with the sub-processor. In the event of (ii), the Customer empowers Gelato, in the name of and on behalf of the Customer, to enter into the Standard Contractual Clauses in un-amended form with such sub-processor, and Gelato shall upon request provide a copy thereof to the Customer. Any such Standard Contractual Clauses shall automatically terminate upon the termination of these Data Processing Terms.
8.3 Gelato may transfer personal data to a third country without instructions if so required by applicable law in the EEA. In such event, Gelato shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (if so, Gelato shall inform the Customer as soon as permitted by law).

9. PERSONAL DATA BREACHES
9.1 In the event of a personal data breach, Gelato shall without undue delay notify the Customer in writing about the breach.
9.2 The notification shall, if relevant, and to the extent Gelato has or may reasonably obtain the information, contain:
a. a description of the nature of the personal data breach including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the identities of the affected data subjects, if possible;
c. the name and contact details of a contact point of Gelato where more information may be obtained;
d. a description of the likely consequences of the personal data breach;
e. a description of the measures taken or proposed to be taken to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects;
f. other information reasonably required for the Customer to comply with Applicable Data Protection Law.
9.3 The Customer is solely entitled to and, if required by Applicable Data Protection Law, obliged to notify the relevant supervisory authority and the data subjects about a personal data breach.
9.4 Gelato shall without undue delay take all those measures reasonably required for the purpose of avoiding the re-occurrence of similar personal data breaches.

10. AUDITS
10.1 Gelato shall maintain necessary records and make available to the Customer all information reasonably necessary to demonstrate compliance with these Data Processing Terms and Applicable Data Protection Law.
10.2 Gelato shall allow for and contribute to audits of Gelato's processing operations conducted by the Customer or another auditor engaged by the Customer. The audits shall generally be performed by review of audit reports prepared by a third party auditor engaged by Gelato, which will be made available to the Customer upon request.
10.3 If the Customer can substantiate reasons that justify an additional audit, the Customer is entitled to request further information and to perform an on-site audit of Gelato and, if required, of a sub-processor. The personnel conducting the audit shall be subject to appropriate confidentiality undertakings. A request for an audit shall, if possible, be made with at least 14 days' notice. To the extent reasonably possible, audits shall be conducted within ordinary working hours and without obstructing Gelato's activities.
10.4 Authorities who supervise the Customer have the right to request information from and to conduct audits of Gelato to the same extent as the Customer.
10.5 Each party shall cover its own costs associated with an audit performed under this clause 10. However, if an audit reveals material deviations from the obligations set out in these Data Processing Terms, the costs of the audit shall be borne by Gelato, including the reasonable costs of the Customer and of any auditor engaged by the Customer.

11. TERM AND TERMINATION
11.1 These Data Processing Terms will remain in force as long as Gelato processes personal data on behalf of the Customer under the Agreement.
11.2 Upon expiry or termination, Gelato shall, at the choice of the Customer, return all personal data and copies thereof to the Customer or delete all personal data. Return, if chosen, shall take place by means of allowing the Customer to have access to the personal data within a period of 90 days following termination, so as to enable the extraction of the personal data.
11.3 The Customer acknowledges that, irrespective of deletion, Gelato may retain personal data in backups until such backups are deleted in accordance with Gelato's ordinary backup routines, however without using the personal data for any purpose.

APPENDIX 1 - SECURITY MEASURES
We are compliant with Applicable Data Protection Law, including article 32 of the GDPR.
Gelato uses physical, technical, and organizational security measures to safeguard the confidentiality, integrity and availability of the data it processes and to protect it against unauthorized or accidental disclosure.
Gelato maintains a security program aligned with the ISO/IEC 27000 series and NIST standards. We develop security policies and procedures for the key areas of the organization. All Gelato employees are kept up to date on our security and privacy practices, and regular security awareness training is performed.
Access to the Gelato portal is protected in transit using strong protocols (TLS) and algorithms. All Gelato servers are hosted in the cloud. Security measures are one of the key criteria on which we select our cloud providers (currently AWS, AliYun, Infobox).
In addition to the cloud providers' security measures, the data is encrypted at rest. The data is backed up regularly so that it can be restored if needed.
When payments are processed via credit card, we use third-party vendors that are PCI DSS compliant. Despite these efforts, no information system can be 100% secure, so we cannot guarantee the absolute security of our systems. Customers also have a role to play in keeping their data safe.
We encourage your users to use unique and hard-to-guess passwords for their accounts and not to share them with others. You should only grant access rights to people you know and trust, and you should review the accounts regularly. If you suspect that someone has gained unauthorized access to your account, please contact us immediately so that we can investigate.

APPENDIX 2 - LIST OF SUBPROCESSORS

Entity country | Entity name | Entity type
USA | Amazon Web Services Inc. | Cloud service provider
Russia | Infobox | Cloud service provider
USA | Zendesk | Software provider
Ireland | Google Inc. | Cloud service provider
China | Alibaba Cloud (Singapore) Private Ltd. | Cloud service provider
USA | Intercom R&D Unlimited Company | Software provider
USA | Slack | Software provider
Australia | Name redacted | Printer
Australia | Name redacted | Printer
Australia | Name redacted | Printer
Austria | Name redacted | Printer
Belgium | Name redacted | Printer
Brazil | Name redacted | Printer
Canada | Name redacted | Printer
Canada | Name redacted | Printer
Chile | Name redacted | Printer
Chile | Name redacted | Printer
China | Name redacted | Printer
China | Name redacted | Printer
Czech | Name redacted | Printer
Denmark | Name redacted | Printer
Denmark | Name redacted | Printer
France | Name redacted | Printer
France | Name redacted | Printer
France | Name redacted | Printer
Germany | Name redacted | Printer
Germany | Name redacted | Printer
Germany | Name redacted | Printer
Germany | Name redacted | Printer
Germany | Name redacted | Printer
Germany | Name redacted | Printer
Germany | Name redacted | Printer
India | Name redacted | Printer
Ireland | Name redacted | Printer
Italy | Name redacted | Printer
Netherlands | Name redacted | Printer
Netherlands | Name redacted | Printer
New Zealand | Name redacted | Printer
New Zealand | Name redacted | Printer
Norway | Name redacted | Printer
Norway | Name redacted | Printer
Norway | Name redacted | Printer
Norway | Name redacted | Printer
Portugal | Name redacted | Printer
Russia | Name redacted | Printer
Singapore | Name redacted | Printer
Spain | Name redacted | Printer
Spain | Name redacted | Printer
Spain | Name redacted | Printer
Sweden | Name redacted | Printer
Sweden | Name redacted | Printer
Sweden | Name redacted | Printer
Sweden | Name redacted | Printer
Sweden | Name redacted | Printer
Switzerland | Name redacted | Printer
Switzerland | Name redacted | Printer
Switzerland | Name redacted | Printer
United Kingdom | Name redacted | Printer
United Kingdom | Name redacted | Printer
United Kingdom | Name redacted | Printer
United Kingdom | Name redacted | Printer
United Kingdom | Name redacted | Printer
United Kingdom | Name redacted | Printer
USA | Name redacted | Printer
USA | Name redacted | Printer
USA | Name redacted | Printer