This DPA forms part of the agreement between Pipecorn (the "Processor") and the Client (the "Controller") for the provision of the Services. It applies whenever Pipecorn processes personal data on the Client's behalf.
1. Purpose
This DPA sets out the terms under which Pipecorn processes personal data on behalf of the Client, ensuring compliance with Article 28 of the GDPR and other applicable data protection laws.
2. Characteristics of the processing
The processing concerns business and professional prospects. The categories of data include identity and contact data. Personal data processed under this DPA is retained for a period of 3 months, unless a longer period is required by law or agreed in writing.
3. Instructions
Pipecorn processes personal data only on documented instructions from the Client, including with regard to transfers of personal data, unless required to do so by law. Pipecorn will inform the Client if, in its opinion, an instruction infringes applicable data protection law.
4. Security measures
Pipecorn implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, controlled processing environments and strict access controls. These measures are described in Appendix 1.
5. Documentation and audit rights
Pipecorn makes available to the Client all information necessary to demonstrate compliance with this DPA, and allows for and contributes to audits, including inspections, conducted by the Client or an appointed auditor. Audits require at least 30 days' prior written notice.
6. Sub-processors
The Client grants a general authorization for Pipecorn to engage sub-processors. Pipecorn informs the Client of any intended changes concerning the addition or replacement of sub-processors at least 8 days in advance, giving the Client the opportunity to object. A current list of sub-processors is maintained in Appendix 2.
7. International data transfers
Any transfer of personal data to a country outside the European Economic Area is carried out in accordance with Chapter V of the GDPR, relying on appropriate safeguards such as Standard Contractual Clauses where required.
8. Assistance with data-subject rights
Taking into account the nature of the processing, Pipecorn assists the Client by appropriate technical and organizational measures, insofar as possible, in fulfilling the Client's obligation to respond to requests for exercising data-subject rights.
9. Breach notification
Pipecorn notifies the Client without undue delay after becoming aware of a personal data breach, providing sufficient information to allow the Client to meet any obligations to report or inform data subjects of the breach.
10. Deletion of data
Upon termination of the Services, Pipecorn deletes or returns all personal data to the Client, and deletes existing copies, unless retention is required by applicable law.
11. Modifications
Pipecorn reserves the right to modify this DPA to reflect changes in applicable law or its processing operations. Material changes will be communicated to the Client.
Appendix 1 Technical and organizational measures
Pipecorn maintains a set of technical and organizational security measures, including: encryption of data in transit and at rest, access control and authentication, environment segregation, logging and monitoring, regular backups, vulnerability management, employee confidentiality commitments, secure software development practices, incident-response procedures, physical security of infrastructure, and periodic security reviews.
Appendix 2 Sub-processors
Pipecorn engages a number of sub-processors to deliver the Services (covering hosting, infrastructure, communications, analytics, payment and support). Each sub-processor is bound by data protection obligations consistent with this DPA. The current list, including each sub-processor's location and purpose, is available on request at contact@prontohq.com.