Data Processing Addendum
Last Updated: Nov 24, 2023
This Data Processing Addendum (“DPA”) is between the entity identified in an Order Form (“Customer”) and the Rasa Entity identified in the same Order Forms (“Rasa”, each a “Party” and together, the “Parties”. The DPA enters into force at the same effective date as the Commercial Terms (or elsewhere in the Agreement).
This DPA is supplemental to, and forms an integral part of, the Commercial Terms. In case of a conflict between this DPA and the remaining of the Commercial Terms, this DPA will prevail.
We named a Data Protection Officer (“DPO”) to respond to inquiries regarding this DPAf you have any questions on this DPA, or if you would like to provide us with any legal notice regarding this DPA, you can do so by email at firstname.lastname@example.org, and by mail to our representatives in either the European Union (“EU”) or the United Kingdom (“UK”) at the contact details set forth below:
Rasa Technologies GmbH
Attention: Data Protection Officer
175 Schönhauser Allee
Berlin, 10119, Germany
Rasa Technologies Ltd
International House, 38 Thistle Street
Edinburgh, EH2 1EN United Kingdom
Unless specifically agreed upon in writing in the Commercial Terms, Customer enters this DPA on behalf of any Permitted Affiliates. In which case, for the purpose of this DPA only, and except if indicated otherwise, the terms “Customer”, “you” and “your” will be deemed to apply to Permitted Affiliates.
The Parties agree that (a) solely the Customer entity that is the contracting party to the Commercial Terms will exercise any right or seek any remedy that any Permitted Affiliate may have under this DPA on behalf of its Affiliates and (b) the Customer entity that is the contracting party to the Commercial Terms will exercise any such rights under this DPA not separately from each Permitted Affiliate individually but in a combined manner for itself and all of its Permitted Affiliates together. The Customer entity that is the contracting entity is responsible for coordinating all instructions, authorizations and communications with us under the DPA and will be entitled to make and receive communications related to this DPA on behalf of its Permitted Affiliates.
If you need a signed copy of this DPA, you can request it via email at email@example.com.
The DPA only applies to Personal Data which are subject to the GDPR (as these terms are defined below). Rasa is the data processor, the Personal Data, and Customer is the data controller. In case of a contradiction between this DPA and the Commercial Terms, this DPA will prevail.
The terms not defined below are defined in the Commercial Terms.
- “GDPR” means the _General Data Protection Regulations, _the _Data Protection Act 2018, _and any implementation laws in the European Union (“EU”) and the United Kingdom (“UK”).
- “Applicable Laws” shall mean the laws, regulations, mandatory guidance, orders, treaties, directives, regulations, and orders applicable in the EU and UK, as applicable.
- “Personal Data” means, within Custom Data, any data that can directly or indirectly identify an individual, and which are processed by Rasa on behalf of Customer, pursuant to the Rasa Subscription and Software Services, as set forth the Commercial Terms.
- “Restricted Transfers” means a transfer of Personal Data outside of the EU or UK, as applicable, to a country or destination which is not subject to an adequacy status pursuant to Article 46 GDPR.
- “Subprocessor” means a service provider who processes Personal Data on behalf of Rasa, in accordance with this DPA.
- The following expressions have the meaning set forth in the GDPR: “processing,” “data controller,” “processor,” “profiling,”“representative,” “supervisory authority” “data subjects”, “personal data breach”, “subprocessor”, as well as other common expressions in the GDPR that are used in this DPA.
Except as otherwise set for the Commercial Terms, Rasa will only process Personal Data on Customer’s documented instructions. Such instructions include the provision of the Rasa Products and Services. For the avoidance of doubt, Rasa may not process the Personal Data for marketing purposes, or otherwise commercialize, sell, or resell the Personal Data.
If Rasa must Process Personal Data to comply with Applicable Laws, Rasa will inform Customer of such legal requirements before processing, unless Applicable Laws prohibit such information on important grounds of public interests.
If Rasa reasonably believes that the instructions received by Customer regarding the processing of the Personal Data are in violation of the GDPR, Rasa (a) shall inform Customer t without undue delays; (b) may refuse to comply with or execute such instructions, and such refusal shall not be a breach of the Commercial Terms. Unless indicated otherwise in an Order Form, the processing of Personal Data shall be substantially as described below.
|Details of Processing
|To provide the Services to Customer, including, professional services, deployment, installation and technical support services in relation to the Products, as described in Order Forms.
|To provide technical support services. To provide technical support services. To provide deployment and installation services. To help Customer train and configure AI Assistants as part of Subscription Services
|Technical Support Data: To respond to technical support requests. Technical Support data includes content of messages, emails, and any Personal Data made available to us to respond to the technical request. User Data: To train and improve AI Assistants as part of Subscription Services. As part of deployment services, we may access Personal Data, such as User Data, to provide deployment and configuration services.
|Users who interact with Customers’ AI Assistants. Individuals who access and use the Rasa Products and Services, including to obtain technical support.
Rasa will implement technical and organizational measures to assist Customer in responding to data subjects’ rights requests (each a “DSR Request”). Such measures will be proportional given technical limitations inherent to the Rasa Products and Services including the Rasa Platform. Rasa will inform Customer without undue delays if it receives such a DSR Request and will collaborate in good faith with tCustomer to respond in accordance with GDPR.
Notwithstanding the foregoing, Customer agrees and understands that we do not control User Data, nor the use cases in which Customer decides to use the AI Assistant Using, the training data leveraged by Customer to train and optimize the AI Assistants, nor the retention periods applied by Customer in relation to User Data. You agree that we do not host Customer Data as part of the Rasa Products and Services.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, Rasa shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk of Personal Data, including inter alia as appropriate (a) the pseudonymization and encryption of Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, and (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
Notwithstanding anything else to the contrary, Customer agrees and understands that (a) Rasa does not control the use cases in which the AI Assistant is used; (b) Customer is solely responsible for determining if the Rasa Products and Services offer adequate information security, and technical and organizational measures for the use cases determined by Customer.
Personal Data Breach
In the event of a personal data breach affecting the Personal Data, Rasa will notify Customer without undue delays upon the discovery of a personal data breach and provide Customer with all required information for Customer to make required notifications under GDPR. Rasa will conduct a proper assessment of the vulnerabilities that caused the personal data breach, keep Customer reasonably informed, and address remediation within a reasonable timeline given the risks associated with the vulnerabilities. If the information required is not available at the time of disclosure, we will follow up promptly as the information becomes available.
Data Processing Impact Assessment
Upon reasonable written request from Customer t, Rasa will provide the information reasonably required to complete a Data Processing Impact Assessment (“DPIA”), to the extent Customer believes that a DPIA is required under Applicable Laws. In the case that extensive support is required to conduct a DPIA personalized for Customer’s use cases, Rasa reserves the right to charge additional fees, or otherwise to complete the DPIA as part of the Subscription Services, at its own discretion. Rasa will inform you of any fees applicable beforehand.
Customer Data is hosted in the location set forth in the Agreement. Customer agrees and understands that Rasa may perform Restricted Transfers with or without Customer's prior authorization unless agreed otherwise in the Commercial Terms. Prior to performing new or additional Restricted Transfers, Rasa will provide a notice of 30 days to Customer. If Customer does not agree with the Restricted Transfer, the Parties will negotiate in good faith a reasonable business solution, such as restricting the Rasa Products and Services to avoid the performance of the Restricted Transfer.
Prior to completing a Restricted Transfer, Rasa will (a) enter into an appropriate agreement with the recipients of the Personal Data, including standard contractual clauses, if required under GDPR; (b) perform an adequate risk assessment if required under GDPR. Upon written request, Rasa will provideCustomer with a list of Restricted Transfers affecting the Personal Data.
Customer hereby authorizes Rasa to use Subprocessors for the subject to the following conditions: (a) Rasa will enter into contractual terms substantially similar to those contained in this DPA prior to allowing a Subprocessors to process Personal Data on its behalf; (b) Rasa will make available a list of current Sub Processors to Customer upon written request; (b) Rasa will inform Customer in writing of any intended changes concerning the addition or replacement of Subprocessors by providing Customer with a reasonable opportunity to object to such changes.
Upon termination of the Commercial Terms,at the choice of Customer, Rasa will delete or return the Personal Data to Customer and securely delete existing copies without undue delays (except for copies reasonably required to comply with applicable laws, or for business continuity), or securely delete existing copies without undue delays. Notwithstanding the foregoing, Rasa may keep a copy of the Personal Data if required to comply with Applicable Laws, or as required for reasonable back-ups, if such back-ups are encrypted. This DPA will continue to apply to such Personal Data for as long as Rasa is processing the Personal Data.
Rasa will ensure that persons authorized to process Personal Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Upon prior written notice of 30 days, and no more than once a year, during office hours, Rasa will make available to Customer all information reasonably necessary to demonstrate its compliance with the obligations laid down in this DPA, and allow for and contribute to audits, including inspections, conducted by Customer, or another auditor mandated by Customer. The Parties agree that Customer, when reviewing our compliance with this DPA pursuant to this section, will take all reasonable measures to limit any impact on us and our Representatives by combining several audit requests carried on behalf of the Customer entity that is the contracting party to the Commercial Terms and all of its Permitted Affiliates in one single audit.
The disclaimers and liability set forth in the Agreement are applicable to the DPA.
We can change this DPA by providing Customer with a 30 days’ notice, including as required to comply with Applicable Laws (e.g., changes to GDPR). If you disagree with any changes, please reach out to us at firstname.lastname@example.org, and we will work together to find an acceptable solution. If we cannot find such a solution, either Party may terminate the Commercial Terms, including this DPA, upon written notice of 30 days.
This DPA will be governed in accordance with the Commercial Terms.
Customer cannot assign any of its rights under this DPA to anyone else, except as set forth in the Commercial Terms. Unless we agree otherwise in the Commercial Terms, we may assign our rights and obligations as we see fit, subject to a written notice to Customer.
If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected. The “No Waiver” section of the Commercial Terms finds application.