Last updated: June 26, 2021
This Data Processing Addendum ("DPA"), forms part of the Agreement between services offered by M18X BV and ____________________________("Customer") and shall be effective on the date both parties execute this DPA ("Effective Date").
The company behind Tinx.AI is M18X BVBA with registered seat at Zandstraat 68, 9170 Sint-Pauwels and VAT number BE 0753.911.021. For ease of reference, we will further refer to ourselves using we, us, our or Tinx.AI.
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
“Confidential Information” means all information disclosed by a Party to the other Party pursuant to this Agreement which is either designated as proprietary and/or confidential, or by its nature or the nature of the circumstances surrounding disclosure, should reasonably be understood to be confidential, including (but not limited to), information on products, customer lists, price lists and financial information.
"Customer Data" means any Personal Data that Tinx.AI processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
"Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
"Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.
"Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.
"EU Data Protection Law" means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive") and on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
"Personal Data" has the meaning given to it in the GDPR and refers to any information relating to an identified or identifiable natural person.
"Processing" has the meaning given to it in the GDPR and "process", "processes" and "processed" shall be interpreted accordingly.
"Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.
"Services" means any product or service provided by Tinx.AI to Customer pursuant to the Agreement.
"Sub-processor" means any Data Processor engaged by Tinx.AI or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or members of the Tinx.AI Group.
2 Relationship with the Agreement
2.1 The parties agree that DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3 Roles and Scope of Processing
3.1 Role of the Parties. As between Tinx.AI and Customer, Customer is the Data Controller of Customer Data and Tinx.AI shall process Customer Data only as a Data Processor acting on behalf of Customer.
3.2 Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Tinx.AI; and (ii) it has a legitimate basis (e.g., part of a contractual agreement or consent) as required under Data Protection Laws for Tinx.AI to process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3 Tinx.AI Processing of Customer Data. Tinx.AI shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Tinx.AI in relation to the processing of Customer Data and processing outside the scope of these instructions (if any) shall require a prior written agreement between Customer and Tinx.AI.
3.4 Details of Data Processing (a) Subject matter: The subject matter of the data processing under this DPA is Customer Data. (b) Duration: As between Tinx.AI and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms. (c) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of Tinx.AI's obligations under the Agreement (including this DPA) or as otherwise agreed by the parties. (d) Nature of the processing: Tinx.AI provides a cloud-based service to collect data subject requests on a Customer website and help Customer respond to data subjects, as described in the Agreement. (e) Categories of data subjects: Any individual accessing and/or using the Services through the Customer's account ("Users"); and any individual whose contact information (e.g., name and e-mail address) is stored on or collected via the Services. (f) Types of Customer Data: Customer and Users: identification and contact data (name, username, e-mail address); financial information (credit card details, account details, payment information);
4.1 Authorized Sub-processors. Customer agrees that Tinx.AI may engage Sub-processors to process Customer Data on Customer's behalf. The Sub-processors currently engaged by Tinx.AI and authorized by Customer are listed in our subprocessors list.
4.2 Sub-processor Obligations. Tinx.AI shall: (i) enter into a written agreement with the Subprocessor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Tinx.AI to breach any of its obligations under this DPA.
5.1 Security Measures. Tinx.AI shall implement and maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data.
5.2 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
6 Changes to Sub-processors
6.1 Tinx.AI shall provide an up-to-date list of the Sub-processors in their compliance center.
7.1 Tinx.AI will provide Customer with commercially reasonable cooperation and assistance in relation to the handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Customer does not have access to such Personal Data through its use or receipt of the Services.
8 Applicable Law and Jurisdiction
8.1 The laws of Belgium shall apply to this Agreement.
8.2 The Courts of Brussels (Belgium) shall have exclusive jurisdiction with respect to all disputes arising out of or in connection with this Agreement. Attempts to solve disputes informally shall not prevent the Parties from submitting such disputes to the Courts.