Get up and running in minutes

ATTRIA, Inc
Last update: 24th April 2024
This document describes how we collect and process users’ data through https://ATTRIA.DIGITAL webpages, hereinafter simply referred to as the “Website”. The terms “we”, “us”, “our” refer to ATTRIA Inc., a legal person registered under the laws of the State of Delaware, USA.
WE ARE COMMITTED TO SAFEGUARDING PRIVACY AND NOT GOING TO MISUSE OUR USERS’ DATA.
The below information will help you better understand how your data is handled and how you can manage all the matters related to your privacy.TABLE OF CONTENTS:
1. Information we collect:
1.1. Account and profile set up;
1.2. Website functionality;
1.3. Payments;
1.4. Communications;
1.5. Demo access;
1.6. Website, sales, and marketing activities.
1.7. Social media features
2. Third-party access to information:
2.1. Analytics;
2.2. Other disclosures;
3. Your rights;
4. Security of information;
5. Changes to this Notice.1. Information we collect
1.1. Account and profile set up
If you want to use the Website functionality, you will have to register an account on a particular webpage. For this purpose, we will ask only for your email address, since this is enough to set up an account. Further information such as first and last name, photo, company name and other information, in particular geolocation, you provide on a voluntary basis so as to be able to act as a full-fledged Website user.
We use your account information to:
● create and maintain your user account. The applied legal basis for this is the performance of the contract (Terms of Use) between you and us (GDPR Art. 6.1.b);
● provide you with the hosting, backend infrastructure and data collection management systems (hereinafter “Service”) via the Website (GDPR Art. 6.1.b);
● provide you with access to our community network along with the possibility to leave comments (GDPR Art. 6.1.b);
● provide customer support and any pre-contractual communication for the purpose of providing the Service (GDPR Art. 6.1.b);
● alerting of new updates regarding software implemented or general updates regarding the Website functionality (GDPR Art. 6.1.b), and analyse the efficiency of the Website in our legitimate interests (GDPR Art. 6.1.f);
● upon receiving the consent from you, to send you other relevant aspects of the Service and the Website, e.g. personal marketing or promotional materials such as newsletters, etc. (GDPR Art. 6.1.a).
We will store your account data for as long as you have the account with us. If you become inactive, we will delete or anonymize your information within 12 months after your last user session.
1.2. Website functionality
Via the Website, you will be able to perform different actions to organize and manage Server-side tagging in a dedicated server-side environment or communicate with the other users on Service-related topics. We will store and process the following categories of information:
● internal communications made via the Website;
● derived information created while using the Website (e.g., user logs, support requests, using stats, comments, responding to surveys, etc);
The applied legal basis for this is the performance of the contract (Terms of Use) between you and us (GDPR Art. 6.1.b). We will store this data for as long as you have the account with us. If you become inactive, we will delete or anonymize your information within 12 months after your last user session.
1.3. Payments
We do not collect your financial information. For the purpose of ordering the upgraded version of Service you will be automatically redirected to Stripe, or to another duly authorized contractor. They will collect and store your financial data directly and according to their respective policies.
We shall retain only payment confirmation provided by the relevant payment service provider to comply with applicable accounting and financial laws (GDPR Art. 6.1.c and in our legitimate interests to comply with foreign laws as per Art. 6.1.f). We will store this data for as long as you have the account with us. If you become inactive, we will delete or anonymize your information within 12 months after your last user session.
1.4. Communications
You may leave a request with your inquiries including request for support via [email protected]. The provided information used to help you with your request, fix and improve the Website, and analyse our efficiency, including by creating statistics of inquiries related to support issues.
The applied legal basis for this is the performance of the contract (Terms of Use) between you and us (GDPR Art. 6.1.b) and our legitimate interest to improve the Website (GDPR Art. 6.1.f). We will store this data for as long as you have the account with us. If you become inactive, we will delete or anonymize your information within 12 months after your last user session.
1.5. Demo access
You can receive free access to our Service to know how the Website works. In order to perform this, you have to submit your email and setup password upon first visit.
We will use this information to provide you with the free plan of Service. The applied legal basis for these activities is our legitimate interest (GDPR Art. 6.1.f). We will store your email for as long as the demo account is active. If it becomes inactive, we will delete or anonymize your email within 12 months after your last user session.
1.6. Website, sales, and marketing activities
The following data collection activities are present on the Website:
• collection of log files (IP address, device ID, etc.) to ensure correct Website functionality and manage user sessions, stored maximum for 12 months from your last visit. The applied legal basis is our legitimate interests (GDPR Art. 6.1.f);
• cookies – for more information please visit our Cookie Notice;
• web analytics (web pages interactions, source through which you accessed the Website, other user actions). This activity, depending on the method used, is performed based either on your consent (cookie tracking) or our legitimate interests (GDPR Art. 6.1.f).
We store marketing data for 12 months of the last communication with you. For the activities that are based on consent, you can withdraw your consent at any time by contacting us directly. The withdrawal will not affect the lawfulness of processing based on consent before. You can also opt-out of the e-mail subscription by clicking the appropriate button our emails to you.
1.7. Social media features
Our Website may use social media features, such as the “Tweet” button, “Share on Facebook” button or other sharing instruments (“SMF”). SMF can let you post information about your activities on the Website to third-parties platforms and social networks. SMF may also allow you to like or highlight information we have posted on our Website. SMF are either hosted by each respective platform or hosted directly on our Website. To the extent the SMF are hosted by the platforms themselves, and you click through to these from our Website, the platform may receive information showing that you have visited our Website. If you are logged in to your social media account, it is possible that the respective social media network can link your visit to our Website with your social media profile.
We also allow you to log in to certain pages of our Website using sign-in services. These services authenticate your identity and provide you the option to share certain personal data from these services. Your possible information exchanges with SMF are covered by the privacy policies of the companies providing them.2. Third-party access to information
We use the following third-party software providers:
• companies which provide cloud server computing services;
• companies which provide communication, e-mail server, and client relationship management services, where the exchange of messages, e-mails may include personal data;
• companies which help to monitor the behavior of the Website’s visitors or provide advertising or marketing services;
• companies which provide financial services, processing accounting documents and the personal data contained therein;
• companies which provide survey services;
• companies which help with work management with further personal data processing;
• companies which help with your account registration or authorization with further processing of your personal information;
The providers listed afore process personal data based on our instructions only.
We apply appropriate safeguards required by the GDPR such as signing data processing agreements for the protection of personal data with contractors and partners, including the Standard Contractual Clauses (SCC) adopted by the European Commission and compliant with the EU data protection laws when transferring your personal data outside of EEA. Please contact us if you would like to receive a copy of the SCCs.
2.1. Analytics
When using the analytics services, we collect details of the use of the Website, including, but not limited to traffic data and location data.
Non-personally identifiable information is collected and processed by Google Analytics in an anonymized and aggregated way to improve our Website usability and for marketing purposes. Google Analytics is a web analytics service that tracks and reports user traffic on apps and websites. Google Analytics uses the data collected to track and monitor the use of the Website. This data may also be shared with other Google services. For more information on the privacy practices of Google, you can check its Policies at www.google.com/analytics/policies/.
We will store this type of information while it is relevant for our analysis and research or if your account is active whichever comes faster. We will delete analytics data within 24 months of your last Website visit.
2.2. Other disclosures
In addition to the disclosures for the purposes identified before, we may disclose information about you:
• if we are required to do so by law, in connection with any legal proceedings or to establish, exercise or defend our legal rights; and
• in case we sell, license or otherwise assign our company, corporate rights, the Website or its separate parts or features to third parties.
Except as provided in this Privacy Notice, we will not sell, share or rent your information to third parties.
3. Your rights
You may exercise GDPR rights regarding your personal data. In particular, you have the right to:
● The right to object against the processing of your information.
If we process your information for our legitimate interests (e.g., for direct marketing emails or for our marketing research purposes), you can object to it. Let us know what you object against and we will consider your request. If there are no compelling interests for us to refuse to perform your request, we will stop the processing for such purposes. If we believe our compelling interests outweigh your right to privacy, we will clarify this to you. You can also unsubscribe from all our emails in the body thereof.
● The right to access your information.
You have the right to know what personal data we process. As such you can obtain the disclosure of the data involved in the processing and you can obtain a copy of the information undergoing processing.
● The right to verify your information and seek its rectification.
If you find that we process inaccurate or out-of-date information, you can verify the accuracy of your information and/or ask for it to be updated or corrected;
● Restrict the processing of your information.
When you contest the accuracy of your information, believe we process it unlawfully or want to object against the processing, you have the right to temporarily stop the processing of your information to check if the processing was consistent. In this case, we will stop processing your data (other than storing it) until we are able to provide you with evidence of its lawful processing;
● The right to have your personal data deleted.
If we are not under the obligation to keep the data for legal compliance and your data is not needed in the scope of an active contract or claim, we will remove your information upon your request.
● The right to have your personal data transferred to another organization.
Where we process your personal data on the legal basis of consent you provided us or on the necessity to perform a contract, we can make, at your request, your data available to you or to an organization of your choosing.
You can formulate such requests or channel further questions on data protection by contacting us at [email protected].
If you believe that our use of personal information violates your rights, or if you are dissatisfied with a response you received to a request you formulated to us, you have the right to lodge a complaint with the competent data protection authority of your choice.
4. Security of information
We will take all necessary measures to protect your information from unauthorized or accidental access, destruction, modification, blocking, copying, distribution, as well as from other illegal actions of third parties. As we use the services of third-party software providers across several countries outside of the European Union, we may transfer the collected data to those countries for further processing. In such cases, we will make sure that relevant safeguards are in place. More information on international safeguards can be provided upon request.
Immediate access to the data is only allowed to our authorized employees involved in maintaining the application. Such employees keep strict confidentiality and prevent unauthorized third-party access to personal information.
5. Changes to this notice
We may update this Privacy Notice from time to time by posting a new version on our Website. We advise you to check this page occasionally to ensure you are happy with any changes. However, we will endeavor to provide you with an announcement about any significant changes.

ATTRIA, Inc.
Version: 1
Last updated: April 24, 2024
Please carefully read these Terms of Use (“Terms”) before using the app.attria.digital website (“Website”) and other versions of ATTRIA, a project that provides you with a tool for client and server-side tagging.
These Terms describe on what conditions you can use the Website. Please read them.
If you do not agree with them, you cannot use the Website.
The terms “we”, “us”, “our” refer to ATTRIA, INC.
Please note that all materials of the Website are for information purposes only. No such materials are or should be taken as any sort of professional advice.
You can contact us at:
ATTRIA, INC.
Contact email address: [email protected]
1. General Terms
1.1. These Terms constitute a legally binding agreement between you and the Company.
1.2. The laws of the State of Delaware shall apply to your use of the Website.
1.3. By using this Website, you confirm that you meet the following requirements:
• you have a scope of civil capacity necessary to enter into these Terms;
• there are no restrictions for you in terms of being a consumer or a business user;
• you aren’t located in a country that is subject to a U.S. Government embargo, or that has been designated by the U.S. Government as a “terrorist-supporting” country;
• you aren’t listed on any U.S. Government list of prohibited or restricted parties.
1.4. The Company can change, delete and addend these Terms at any time. All new or changed terms shall become valid at the moment they are published. The Company will notify you about substantial changes to the Terms. This can be made by posting a notification on the Website or sending an email (if appropriate).
1.5 Attria does not provide any services in the Russian Federation and Belarus.
If you do not agree with the new Terms, you should stop using the Website. Please check these Terms from time to time.
2. Services
2.1. On the Website, you can receive the following services (“Service(s)”), which include, but are not limited to:
2.1.5. consultation about server-side tracking;
2.1.6. audit of the server-side tracking setup;
2.1.7. setting up server-side tracking for your site;
2.1.8. receiving client support via email and chat;
2.1.9. getting access to the blog containing articles on how to use the server-side tracking with various services;
2.2. The exact scope of Services provided shall be available on the Website on pages dedicated to subscription plans or products, which are offered separately from subscription plans.
2.3. The Company shall, by the means of the Website, provide you the Services according to one of the subscription plans or terms applicable to product chosen by you. The Company reserves the right to change the content and the price of any subscription plan or product at any time. In this event, the change shall apply to you from the next billing period.
2.4. The Services do not constitute business, technical, legal, or any other sort of professional advice. The Company shall not be liable for the result of your use of the Services.3. Registering an Account
3.1. Before using the Services, you must first open a personal account (“Account”) on the Website.
3.2. To open an Account, you have:
3.2.1. to be capable of entering into a legally binding contract under your personal law (for natural persons); or
3.2.2. to be a duly authorized representative of a legal entity and be explicitly authorized to create an Account on its behalf (for legal persons).
3.3. You can create an Account by providing your email address which will serve further as your login. After confirming your email address following the link sent to you by us, you will be able to set your Account password.
3.4. Please use true and accurate information about yourself when opening an Account.
3.5. You must not create an Account on behalf of another individual or entity, unless you are legally authorized to do so. You must not impersonate or misrepresent your identity or affiliations with other persons or entities.
3.6. You are solely responsible for keeping your Account secure. Sharing your login credentials with third parties is at your own risk.
3.7. You must notify the Company immediately upon becoming aware of any breach of security or unauthorized use of your Account.
3.8. The Company reserves its right to suspend your Account without providing notice or reason in case of any violation of these Terms or the applicable law.
3.9. You are solely responsible for the accuracy, validity, and correctness of all information you submit to the Company. Should there be any error, mistake, update, or change in information you have submitted prior, you are obliged to notify the Company immediately.
4. Fee for the Services
4.1. The Services described in Section 2 above are provided according to the subscription plans or terms applicable to products, which are offered separately from subscription plans, available on the Website.
Please note that, products, which are offered separately from subscription plans include specific terms, which are not covered by available subscription plans in any way.
4.2. Subscription plan “Basic” is intended for small websites and is provided at no charge. The subscription plans for big websites (this criterion is based on the number of requests a website or app sends to the server) are provided for a fee specified on the Website (“Fee”).
4.3. The Fee for the Services is charged on a prepayment basis. This means that you have to pre-pay the Services in full (100%) according to the subscription plan or terms applicable to product chosen by you. Failure to do so may cause the Services’ interruptions.
4.4. The subscription plans and terms applicable to products, which are offered separately from subscription plans, available on the Website are part of these Terms. Notwithstanding the foregoing, they can be unilaterally changed by the Company at any time by posting updated information on the Website. We shall notify you about such a change by posting a notification on the Website or sending you an email (if appropriate).
4.5. Once the subscription plan or terms applicable to products, which are offered separately from subscription plans are changed, the change shall apply to you from the next billing period.
4.6. The subscription is considered to be active from the moment you pay for it. The payments for the subscription shall be made on a monthly basis.
4.7. If the Company is unable to bill you for a subscription, your access to the Services will be temporarily put on hold. Your access will be renewed once you pay for the Services.
4.8. The Company will not refund any unused portion of the subscription.
4.9. We will only issue refunds if by technical error you have been billed twice for the same billing period. To receive a refund please contact us at [email protected] within 14 days from an erroneous payment. No other refunds will be made.
4.10. You hereby acknowledge and agree that in the event you file a dispute through our third-party processing system, you will no longer be eligible to receive our Services, unless otherwise is decided by the Company. For any additional information regarding our third-party processing systems’ dispute resolutions and chargebacks, please visit their website or contact them directly.
4.11. The Services are paid for using payment methods available on the Website. The payments are done with the help of a third-party payment service provider. This means that we do not collect nor process your payment information.
4.12. The Company may, at its sole discretion, offer discounts or provide special offers for the Services. Any such offer or discount shall always be subject to the eligibility criteria and the terms and conditions set out in the corresponding section of this Website. Repeated or recurring offers or discounts create no claim/title or right that you may enforce in the future. Depending on the case, discounts or offers shall be valid for a limited time only or while stocks last. If an offer or discount is limited by time, the time indications refer to the time zone of the Company, as indicated in the Company’s location details in this document, unless otherwise specified.
4.13. The Company may, at its sole discretion, offer subscription plans or products, which are not listed on the Website, directly to you. To know more please contact us at [email protected].
5. User Conduct
5.1. When using the Website and the Services you agree to not:
5.1.1. violate or help another person violate these Terms or the applicable law;
5.1.2. violate intellectual property rights of any party;
5.1.3. use the Website in any way that can damage, disable or overburden the Website, which may include, but is not limited to, uploading or in any other way, while using the Website, sending viruses, Trojan horses, spyware, adware, or any other malicious code; performing DoS attacks, interfering with or disrupting any network, equipment, or server connected to or used to provide access to the Website;
5.1.4. attempt to gain unauthorized access to the Website, computer systems or networks connected to the Website, or extract data not intended for you;
5.1.5. impersonate or misrepresent your affiliation with another user, person, or entity, nor make other fraudulent, false, deceptive, or misleading representations;
5.1.6 violate the legislation, which may apply to you when you use the Website.
6. Liability
6.1. Violation of these Terms will result in liability under the applicable law, unless otherwise provided in the Terms.
6.2. To the extent permitted by the applicable law, the Company and its affiliates shall not be liable for:
6.2.1. the accuracy, completeness of the Website, or its Content;
6.2.2 the accuracy, completeness, or content of any websites linked to the Website (through hyperlinks, banner advertising, or otherwise);
6.2.3. property damage of any nature, connected with the use of the Website;
6.2.4. third-party conduct;
6.2.5. any unauthorized access to or use of the Company’s servers and/or any Content, personal information or other information and data stored if such unauthorized access did not directly occur due to the Company’s actions or inactions;
6.2.6. any interruption or cessation of access to the Website;
6.2.7. any viruses, worms, bugs, Trojan horses, or the like, which may be transmitted to or from the Website or any third-party websites;
6.2.8. any loss or damage of any kind incurred as a result of your use of the Website, whether or not the Company advised of the possibility of such damages;
6.2.9. other risks associated with the use of online platforms and websites.
6.3. The Website and the Services are provided on the “as-is” basis without any warranty or guarantee whatsoever.
6.4. To the extent permitted by the applicable law, you agree to defend, indemnify, and hold harmless the Company from and against all claims, damages, obligations, losses, liabilities, costs or debts, and expenses (including, but not limited to, attorney fees) arising from:
6.4.1. your use of the Website and the Services;
6.4.2. Content that you use, distribute or save;
6.4.3. your violation of these Terms and the applicable law.
6.5. In case of any circumstances of insuperable force (i.e. events of extraordinary or insuperable nature) that have occurred and remain in effect beyond the party’s control and that a party could neither foresee nor prevent for objective reasons, if these circumstances prevent a party from proper fulfilment of its obligations hereunder, the term for the fulfilment of such obligations shall be extended for the period of the effect of such circumstances of insuperable force.
The circumstances of insuperable force shall include wars and other military operations, earthquakes, floods, and other natural disasters, adoption of laws and regulations by state and local authorities, epidemics and pandemics, failure of power supply or communication system, or other similar circumstances that prevent the parties from the proper fulfilment of their obligations under these Terms.
7. Content, Intellectual Property, and Links
7.1. We use the Website to post content: information, texts, images, video, and audio files (“Content”).
7.2. The Content is not business, technical, legal, or any other sort of professional advice, unless stated otherwise. The Company shall not be responsible for your use of the Content.
7.3. All Website’s components and Content (unless stated otherwise) and the Website as a whole, Company’s Content and accounts on social media belong to the Company and are protected by the intellectual property legislation.
7.4. You cannot use our intellectual property without our direct written consent, unless such use is permitted by law.
7.5. The Website may contain links to other websites or services, which do not belong to the Company, and we do not control them. The Company shall not be responsible for the content, privacy practices and the functioning of other websites and services. Please read public documents of those websites and services.
8. Confidentiality
8.1. The terms of collecting, storing, processing and transferring your personal data by the Company are provided in the Privacy Notice.
8.2. The terms of how we use cookies are provided in the Cookie Notice.
8.3. The Privacy Policy and the Cookie Notice are parts of these Terms. Please make sure you read them.
9. Dispute Resolution
9.1. You and the Company shall attempt to resolve any disputes by negotiations.
9.2. Please use the following email address for dispute resolution purposes: [email protected]
9.3. In case we cannot resolve the dispute in 30 days from the day we start negotiations, it shall be resolved by the courts of the State of Delaware.
9.4. You also agree that regardless of any statute or law to the contrary, any claim or cause of action of yours arising from or related to the use of the Services must be filed within 3 months after such claim or cause of action arose or be forever barred.
10. Final Terms
10.1. These Terms shall remain in force until terminated by the Company. The Company may terminate these Terms at any time, at its discretion, without explaining the reasons for this decision.
10.2. These Terms of Service, Privacy Policy, Cookie Notice, any other notices and disclaimers on the Website constitute the entire agreement between you and the Company regarding your use of the Website.
10.3. If any matters have not been regulated by these Terms, they shall be regulated by the laws of the State of Delaware.
10.4. The Company can change these Terms at any time. In this case, your continued use of the Website and the Services shall mean that you agree to the new version of the Terms. We shall notify you about significant changes by posting a notification on the Website or sending you an email (if appropriate).
10.5. Should you have any questions, please contact us at [email protected] or using contact information available on the Website.

Data processing agreement and standard contractual clausesThis Data Processing Agreement in the form of Standard Contractual Clauses is attached to and form part of Attria’s Terms and Conditions (hereinafter referred to as the "Master Agreement") between the data exporter and data importer (as defined below).
SECTION I
Clause 1. Purpose and scope
a. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.
b. The Parties:
i. the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter “entity/ies”) transferring the personal data, as listed in Annex I.A. (hereinafter each “data exporter”), and
ii. the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A. (hereinafter each “data importer”)
have agreed to these standard contractual clauses (hereinafter: “Clauses”).
c. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.
d. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.
Clause 2. Effect and invariability of the Clauses
a. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46 (2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.
b. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.
Clause 3. Third-party beneficiaries
a. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:
i. Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;
ii. Clause 8 - Module Two: Clause 8.1(b), 8.9(a), (c), (d) and (e); Module Three: Clause 8.1(a), (c) and (d) and Clause 8.9(a), (c), (d), (e), (f) and (g);
iii. Clause 9 - Module Two: Clause 9(a), (c), (d) and (e); Module Three: Clause 9(a), (c), (d) and (e);
iv. Clause 12(a), (d) and (f);
v. Clause 13;
vi. Clause 15.1(c), (d) and (e);
vii. Clause 16(e);
viii. Clause 18(a) and (b);
Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.
Clause 4. Interpretation
a. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.
b. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.
c. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.
Clause 5. Hierarchy
In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.
Clause 6. Description of the transfer(s)
The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.
Clause 7 - Docking clause
a. An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.
b. Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.
c. The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.
SECTION II – OBLIGATIONS OF THE PARTIES
Clause 8. Data protection safeguards
The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organizational measures, to satisfy its obligations under these Clauses.
MODULE TWO: Transfer controller to processor
8.1 Instructions
a. The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.
b. The data importer shall immediately inform the data exporter if it is unable to follow those instructions.
8.2 Purpose limitation
The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.
8.3 Transparency
On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.
8.4 Accuracy
If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.
8.5 Duration of processing and erasure or return of data
Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).
8.6 Security of processing
a. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organizational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to that data (hereinafter “personal data breach”). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymization, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymization, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organizational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.
b. The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
d. The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.
8.7 Sensitive data
Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “sensitive data”), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.
8.8 Onward transfers
The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter “onward transfer”) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:
i. the onward transfer is to a country benefiting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;
ii. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;
iii. the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or
iv. the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.
Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.
8.9 Documentation and compliance
a. The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.
b. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.
c. The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non- compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.
d. The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.
e. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.
Clause 9. Use of sub-processors
MODULE TWO: Transfer controller to processor
a. The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub- processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.
b. Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.
c. The data importer shall provide, at the data exporter’s request, a copy of such a sub- processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.
d. The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub- processor to fulfill its obligations under that contract.
e. The data importer shall agree a third-party beneficiary clause with the sub-processor whereby - in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent - the data exporter shall have the right to te