Universal Data Processing Addendum
This Data Processing Addendum (“DPA”) specifies the data protection obligations of the parties, which arise from contract data processing on behalf of the Client, as stipulated in the ABBYY Terms of Service for “ABBYY FlexiCapture Cloud” and “ABBYY FlexiCapture Cloud API” Web-services flexicapture.com/terms-of-service/ (“Terms”). It applies to all activities performed in connection with the Terms in which the staff of ABBYY or a third party acting on behalf of ABBYY may come into contact with Personal Data. All capitalized terms used herein and not otherwise defined herein shall have the meanings ascribed to such terms in the Terms.
The following definitions are used in this DPA:
“ABBYY” means the same ABBYY legal entity that is a party to the Terms.
“Client” refers to and includes any person and/or any entity that is accepting the Terms.
“Data Protection Laws” means any applicable law, rule, regulation, decree, statute, or other enactment, order, mandate or resolution, relating to data security, data protection and/or privacy.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to processing of personal data and the free movement of such data.
“GDPR Addendum” means the addendum that meets the requirements of Article 28 of the GDPR.
“Processing” means any operation or set of operations performed on the Personal Data including, but not limited to, the storage, amendment, transfer, blocking or erasure of Personal Data.
“Sub-processor” or “Subcontractor” means any third party engaged by ABBYY or ABBYY Affiliate, or any ABBYY Affiliate who is not a party to this DPA, to perform Processing of the Personal Data.
1. Personal Data
a. Privacy practices. ABBYY shall comply with applicable Data Protection Laws generally applicable to ABBYY’s provision of the Service. However, ABBYY is not responsible for compliance with Data Protection Laws applicable to Client or its industry and not generally applicable to information technology service providers or providers using critical infrastructure (e.g. financial or credit institutions, health and safety institutions, professional unions or associations, religious organizations). Client shall comply with its own obligations under applicable Data Protection Laws including, but not limited to, its use of the Service and the transfer of Personal Data to ABBYY and any ABBYY Affiliate and Subcontractor. Where Personal Data is protected under the European Data Protection Laws (GDPR / any other UK, Swiss or EEA data protection laws), Client will first inform ABBYY and, if applicable and denoted by ABBYY and Client, ABBYY and Client will sign a GDPR-compliant Addendum per Client’s request.
b. Personal Data. ABBYY will process Personal Data in accordance with the provisions of this DPA and, except as stated in the Terms and this DPA, ABBYY (1) will acquire no rights in Personal Data and (2) will not use or disclose Personal Data for any purpose other than stated in this DPA.
Client instructs ABBYY to Process Personal Data as follows:
(i) Personal Data will be used to provide the Service to Client. This may include any Processing initiated by Client in its use of the Service. This may also include troubleshooting or technical support and maintenance aimed at preventing, detecting and repairing problems affecting the operation of the Service and the improvement of features that involve the detection of, and protection against, emerging and evolving threats to the user (such as malware or spam) as well as upgrading and updating the Service.
(ii) To comply with Client’s other reasonable instructions to the extent they are consistent with the Terms.
(iii) ABBYY will not disclose Personal Data to a third party (including law enforcement, other government entity, or civil litigant; excluding Subcontractors) except as Client directs or unless required or permitted by the Terms, this DPA or by laws or to ABBYY’s Subcontractors and other ABBYY Affiliates. Should a third party contact ABBYY with a request for Personal Data, ABBYY will attempt to redirect the third party to request it directly from Client. As part of that, ABBYY may provide Client’s basic contact information to the third party. If compelled to disclose Personal Data to a third party, ABBYY will use commercially reasonable efforts to notify Client in advance of a disclosure unless legally prohibited.
c. Personal Data deletion or return. Upon expiration or termination of Client’s use of the Service, Client may receive Personal Data stored and ABBYY will, if technically possible, de-identify or, if required and to the extent technically feasible, delete Personal Data in accordance with the relevant retention periods or otherwise as required or permitted by this DPA or the Terms or under applicable laws.
d. Authorized User requests. ABBYY will not independently respond to requests from Client’s Authorized Users without Client’s prior written consent, except where required by applicable laws and except for responses to Client’s Authorized Users’ requests in relation to providing the Service (e.g. Authorized User support or helpdesk).
e. Transfer of Personal Data; appointment. Personal Data that ABBYY Processes on Client’s behalf may be transferred to, and stored and Processed in, the European Union/European Economic Area/Switzerland, the United Kingdom, the United States, Australia. Client consents to appoint ABBYY to perform any such transfer of Personal Data to any such country and to store and Process Personal Data.
f. ABBYY personnel. ABBYY personnel are obligated to maintain the confidentiality of any Personal Data and this obligation continues even after their engagement ends.
g. Subcontractor; transfer. For the purpose of processing of Personal Data specified in this DPA, ABBYY may engage its Affiliates and other companies to provide limited services on its behalf. Any such Subcontractors will be permitted to obtain Personal Data only to deliver the limited services ABBYY has retained them to provide, and they are prohibited from using Personal Data for any other purpose. ABBYY remains responsible for its Subcontractors’ compliance with the obligations of this DPA. Any Subcontractors engaged by ABBYY to carry out specific Processing activities will have obligations requiring the proper level of data protection with respect to Personal Data. Client consents to Processing of Personal Data by ABBYY’s Subcontractors as described in this DPA.
2. Responsibilities of the Client
Client must comply with all Data Protection Laws related to its use of the Service and Personal Data. Client is wholly responsible for implementing and maintaining privacy protections and security measures within the Client’s infrastructure. Client must have sufficient legal basis under the Data Protection Laws for Processing Personal Data and any other information of Authorized Users or any other party to provide such Personal Data and information to ABBYY in the course of using the Service in order to permit the processing of such data by ABBYY and ABBYY Affiliates, subcontractors and service providers as contemplated by this DPA. Client agrees that, other than ABBYY’s legal obligations as a processor of Personal Data, Client is solely responsible for complying with any laws, treaties, or regulations in connection with its collection, uploading, use, transfer and other control of any Personal Data, including personal or confidential data, and shall defend, indemnify, and hold harmless ABBYY, its Affiliates, subcontractors and service providers from and against any and all liabilities, obligations, claims, damages, fines, penalties, assessments, costs and expenses (including court costs, reasonable costs of investigation and reasonable attorneys’ fees and expenses) incurred by ABBYY, its Affiliates, subcontractors and service providers arising out of or in connection with Personal Data and/or Client’s use of Service alone or in combination with anything else violates the applicable legislation, this DPA or damages a third party.
ABBYY has implemented and will maintain for the Personal Data appropriate technical, administrative and physical security measures as provided by Data Protection Laws to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Client is responsible for implementing and maintaining security within the Client’s infrastructure.
4. Order of precedence
If there is a conflict between any provision in this DPA and any provision in the Terms, this DPA shall control. Notwithstanding the foregoing, the Terms and the terms of this DPA apply only between the parties and do not confer any rights to any third-party data subjects.
5. Entire Agreement
Except for changes made by this DPA, the Terms remain unchanged and in full force and effect.
6. Term and Termination
This DPA will terminate simultaneously and automatically with the termination of the Terms unless otherwise required under Data Protection Laws.
This DPA shall be governed by the laws of the same jurisdiction stated in the Terms for governing the Terms, unless otherwise required by Data Protection Laws. To the extent required by applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction.