This Data Processing Agreement (DPA) is a part of the service agreement (“Agreement”) between Hai Byte OÜ (an Estonian limited liability company with business ID 16894880, “Hai Byte”) and Hai Byte’s customers (each individually a “Customer”), concerning the provision of the Service whose terms and conditions have been laid out in the Hai Byte Terms of Service (as provided at https://www.haibyte.com/terms-conditions).
Hai Byte and Customer are each individually referred to as the Party and together as the Parties.
This DPA forms an integral part of the Agreement and shall apply to all processing of personal data under the Agreement in the context where Hai Byte processes personal data on behalf of the Customer.
Where applicable and when this DPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall be applied to this DPA. If the Agreement or any other document regulating the relationship between Hai Byte and the Customer as set out in the Agreement contains provisions that are in conflict with this DPA, this DPA shall have precedence.
Customer shall be considered the controller under the EU regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Hai Byte processes, by providing the Service to the Customer, such personal data on behalf of Customer as a processor for the purposes of the Agreement during the term thereof.
The Customer is responsible for the lawful processing and collection of personal data in compliance with the GDPR and other laws, regulations and directives pertaining to the processing or collection of personal data. Hai Byte will not monitor the Customer’s processing or collection of personal data in the Service. The Customer shall be responsible for having the required rights and necessary permissions from third parties to use and disclose personal data for the purposes set out in the Agreement. The Customer shall ensure that the Customer is entitled to transfer the relevant personal data to Hai Byte so that Hai Byte may lawfully process, use and transfer the personal data in accordance with the Agreement and this DPA.
Each Party shall be responsible for the information security of the Party’s own communications networks. Neither Party shall be responsible or liable for the information security of general communications networks, or for interferences or other disruptions, outside of the Parties’ influence, that may occur in general communications networks.
The subject matter, categories, and types of data as well as other details of the processing are specified in Schedule 1 of this DPA (Description of the Processing Operations).
When acting as a data processor Hai Byte shall process personal data in accordance with this DPA and documented instructions from Customer, unless required to do otherwise under European Union or Member State law to which Hai Byte is subject. In such a case Hai Byte shall inform the Customer of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
Hai Byte may not use the Customer’s personal data for any uses other than the provision of the Services and as otherwise instructed by the Customer. Hai Byte shall process information disclosed to it by the Customer in accordance with this Agreement and according to written instructions or guidelines given to it by the Customer. Customer’s instructions must be commercially reasonable, compliant with applicable data protection legislation and regulations and consistent with this Agreement. In case Hai Byte detects that any instruction given by the Customer is non-compliant with European Union or member state law to which Hai Byte is subject, Hai Byte shall not be obliged to comply with such instruction and shall inform the Customer of that legal requirement.
In case the Customer’s instructions require additional measures or work to be performed by Hai Byte, Hai Byte has the right to charge an hourly consulting fee from the Customer for complying with such Customer’s instructions in accordance with Hai Byte’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
Hai Byte ensures that it shall implement and maintain appropriate technical and organizational security measures to protect the personal data within its area of responsibility, in order to safeguard the personal data against unauthorized or unlawful processing or access and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by Hai Byte hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, where appropriate and relevant for each processing action:
Hai Byte also ensures that the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Taking into account the nature of the processing, Hai Byte shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.
Taking into account the nature of the processing and the information available to Hai Byte, Hai Byte shall further provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority).
In case such assistance requires measures from Hai Byte, Hai Byte has the right to charge an hourly consulting fee from the Customer for handling such assistance requests in accordance with Hai Byte’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
The Customer accepts that Hai Byte may have personal data processed and accessible by Hai Byte or its subprocessors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes Hai Byte to enter, on behalf of the Customer, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or Hai Byte shall provide for other appropriate safeguard for the protection of the personal data transferred outside the EEA as set out in the GDPR.
The Customer or an auditor appointed by the Customer shall with the assistance of Hai Byte have the right to audit the processing activities of Hai Byte under this DPA to assess the compliance of Hai Byte with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of Hai Byte and with 30 days’ prior written notice. If Hai Byte’s employees or other representatives participate in such audits at the request of the Customer, the Customer shall compensate Hai Byte for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Hai Byte or threaten intellectual property rights of Hai Byte, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to Hai Byte’s benefit.
Where an audit may, in Hai Byte’s sole opinion, lead to the disclosure of business or trade secrets of Hai Byte or threaten the intellectual property rights of Hai Byte, the Customer shall employ an independent auditor, that is not a competitor of Hai Byte, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Hai Byte’s benefit.
Hai Byte makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR. In case the Customer’s request requires measures or work to be performed by Hai Byte, Hai Byte has the right to charge an hourly consulting fee in accordance with its then current price for consulting services for handling such requests, subject to the Customer’s prior approval of such additional costs.
The Customer gives its general authorization to allow Hai Byte to engage subcontractors as subprocessors to process personal data in connection with the provision of the Service.
Hai Byte is free to choose and change its subprocessors. Upon request, Hai Byte shall inform Customer of subprocessors currently involved. In case there is a later change of a subprocessor (addition or replacement), Hai Byte shall notify the Customer of such change, thereby giving the Customer the opportunity to object to such change. If Hai Byte is not willing to change the subprocessor the Customer has objected to, both Parties shall have the right to terminate the Agreement and this DPA.
Where Hai Byte engages a subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be included in the DPA between Hai Byte and that subprocessor. Where a subprocessor fails to fulfil its data protection obligations, Hai Byte shall remain liable to the Customer for the performance of the subprocessor’s obligations as further stipulated in the Agreement.
9.1 This Agreement commences on the date the Customer first accepts it and continues until the subscription to use the Service hereunder has been terminated.
In connection to the provision of Service, the customer data includes first name, last name, email, and if provided by the customer: title, organization, country, primary field of work, offering the customer is interested in and the features the customer sees as the most valuable.
The data may be processed during the time period the service is used by the customer. It may be processed up to six months after the customer has terminated the service contract unless the customer explicitly requests to delete their data before that.
All our data is currently stored on servers in the EU. For testing and development purposes, some data samples may be transferred between Europe and Singapore.