in2pbx Data Processing Agreement

This Data Processing Agreement (“DPA”) is made as of the Effective Date by and between in2tel and Customer (each a “party”, together the “parties”), pursuant to the Service Agreement for the provision and use of in2pbx (“Services”).

This DPA is supplemental to the Service Agreement and sets out the terms that apply when Personal Data is processed by in2tel under the Service Agreement on behalf of the Customer.

Other capitalized terms used but not defined in this DPA have the same meanings as set out in the Service Agreement.

Definitions

  • The terms used in this DPA shall be deemed to have the same meaning as in the applicable data protection regulations and the practice developed at any given time regarding the applicable data protection regulations. This means that definitions in this DPA may change during the term of the agreement. The above means that this DPA involves the following definitions:

Service Agreement: means the Agreement between Customer and in2tel or in2tel’s distributors/resellers, whether written or electronic, for the provision and use of in2pbx (“Services”), and any attachments thereto.

Processing: the measure or combination of measures concerning Personal Data or sets of Personal Data, e.g. collection, registration, organization, structuring, storage, processing or alteration, creation, reading, use, surrender through transfer, dissemination or other provision, adjustment or consolidation, limitation, deletion or destruction.

Applicable Data Protection Law: the General Data Protection Regulation (EU) 2016/679 (‘GDPR’), and other regulations with the relevant implementation statutes and the regulations in this area applying at any given time. Non-European Data Protection Legislation may also apply to the processing of Customer Personal Data.

Data Controller: the entity which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Processor: an entity which processes Personal Data on behalf of the Controller.

Personal Data: any information relating to an identified or identifiable natural person.

Personal Data Breach: security incidents leading to unintentional or unlawful destruction, loss or alteration, or to unauthorized disclosure of or unauthorized access to the Personal Data that has been transferred, stored and otherwise been the subject of Processing.

Sub-processor: any personal-data processor engaged by the Data Processor that processes Personal Data on behalf of the Data Controller.

Background and Roles

  • Parties’ Roles. Customer, as Data Controller, appoints in2tel as a Data Processor to process the Personal Data on Customer’s behalf. The processing the Data Processor will perform on behalf of the Data Controller shall be regulated by this DPA.
  • Purpose Limitation. Data Processor shall process the Personal Data for the purposes described in Annex A, except where otherwise required by applicable law. Any additional processing required by the Data Controller outside of the scope of the DPA will require a prior written agreement between the parties, including an agreement on any additional fees that Data Controller may be required to pay.

Based on the above, the Parties have entered into the following DPA.

Obligation of Data Processor

  • Security. Data Processor will maintain appropriate security measures to safeguard the security of Personal Data. Data Processor will maintain an information security and risk management program based on commercial best practices to preserve the confidentiality, integrity and accessibility of Personal Data with administrative, technical and physical measures conforming to generally recognized industry standards and practices. Data Processor shall implement appropriate technical and organizational measures to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
  • Confidentiality. Data Processor shall ensure that any personnel whom Data Processor authorizes to process Personal Data on its behalf is subject to confidentiality obligations concerning that Personal Data. The confidentiality undertaking shall continue after the termination of the above-entitled activities.
  • Personal Data Breaches. Data Processor will notify the Data Controller as soon as practicable after it becomes aware of any Personal Data Breach affecting any Personal Data. At the Data Controller’s request, Processor will promptly provide the Data Controller with all reasonable assistance necessary to enable the Data Controller to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if Data Controller is required to do so under the Data Protection Law.
  • Data Subject Requests. Data Processor will provide reasonable assistance, including appropriate technical and organizational measures and taking into account the nature of the Processing, to enable the Data Controller to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law concerning Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such a request is made directly to Data Processor, Data Processor will promptly inform Data Controller and will advise Data Subjects to submit their request to the Data Controller. Data Controller shall be solely responsible for responding to any Data Subjects’ requests. Data Controller shall reimburse Data Processor for the costs arising from this assistance.
  • Sub-processors. Data Processor shall be entitled to engage Sub-processors to fulfil Data Processor’s obligations only with Data Controller’s written consent. For these purposes, Data Controller consents to the engagement as Sub-processors of the Data Processor and the third parties listed in Annex A. The Data Processor shall inform the Data Controller of any intended changes concerning the addition or replacement of any Sub-processors, and the Data Controller has the right to object to such changes. The Data Processor shall ensure that its data protection obligations set out in the DPA and in Applicable Data Protection Law are imposed on any Sub-processors by a written agreement. Any Sub-processor shall in particular provide sufficient guarantees to implement appropriate technical and organizational measures to comply with Applicable Data Protection Law, and provide the Data Controller and relevant supervisory authorities with access and information necessary to verify such compliance. The Data Processor shall remain fully liable to the Controller for the performance of any Sub-processor.

The provisions of this Section 3.5 shall mutually apply if the Data Processor engages a Sub-processor in a country outside the European Economic Area (“EEA”) not recognized by the European Commission as providing an adequate level of protection for personal data. If in the performance of this DPA, in2tel transfers any Personal Data to a Sub-processor located outside of the EEA, in2tel shall, in advance of any such transfer, ensure that a legal mechanism to achieve adequacy in respect of that processing is in place.

Data Controller Responsibility

Within the scope of the DPA and in its use of the services, Data Controller shall be solely responsible for complying with the statutory requirements relating to data protection and privacy, in particular regarding the disclosure and transfer of Personal Data to the Data Processor and the Processing of Personal Data. Customer, as Data Controller, shall be responsible for ensuring that:

  • It has complied and will continue to comply, with all Applicable Data Protection Law, including in any instructions it issued to in2tel under this DPA.
  • It has, and will continue to have, the right to transfer, or provide access to, the Personal Data to in2tel for processing in accordance with this DPA.

Validity

  • This DPA is valid until the Data Processor’s processing of the Personal Data ceases.
  • Upon completion of processing, the Data Processor shall return the Personal Data to the Data Controller in a general and legible format, and shall thereafter delete the Personal Data from systems used for processing, unless this is incompatible with other mandatory legislation.

Indemnity

Customer will indemnify, keep indemnified and hold harmless in2tel, its clients, officers, directors, employees, agents, and representatives (each an “Indemnified Party”) from and against all third-party loss, harm, cost (including reasonable legal fees and expenses), expense and liability that an Indemnified Party may suffer or incur as a result of Customer’s non-compliance with the requirements of this DPA.

Annex A Details of Processing

These instructions form an integral part of the DPA and shall be adhered to by the Data Processor in the processing of Personal Data unless expressly stated otherwise in the DPA. The Data Controller may unilaterally change these instructions at a later date by notifying the Data Processor of the change in writing.

Changes take effect no earlier than 3 calendar days after having been sent by the Data Controller. By accepting the DPA, the Data Controller Processor has confirmed the meaning of these instructions.

Purpose

The purpose of the processing is

1) to deliver communication and collaboration services in accordance with the agreement entered into by the Parties (“Service Agreement”) and services delivered (“Services”)

2) to support the Services with which the customer is supplied

Type of Processing

Registration of user data, storage of Personal Data, storage of use of the Services, statistical analyses, and troubleshooting.

Type of Personal Data

The following types of Personal Data are processed:

  • Name
  • Password
  • Email
  • Phone number
  • IP address
  • User-generated content, e.g. call information
  • User behaviour, system log for troubleshooting
  • The Data Controller and its users can upload Personal Data e.g. profile picture, phone number, address and further contact details. Upon uploading, the Data Controller approves the Data Processor’s processing and storage of this information.
  • The Data Controller and its users can enable/disable certain features, e.g. LDAP, Call Recording, Remote Management. Upon enabling these features, the Data Controller approves the Data Processor’s processing and storage of this information.

Duration of Processing

Processing lasts for as long as the Data Processor represents the Data Controller. Upon termination of the Service Agreement, Personal Data is deleted from active systems immediately.

Sub-processors

The Sub-processors are used for hosting servers, and these Sub-processors operate with an adequate level of protection for personal data and comply with Applicable Data Protection Law. The list of Sub-processors is as follows:

| Entity Name | Purpose | Entity Country |
|---|---|---|
| Alibaba Cloud | Cloud Service Provider | China |
| Amazon Web Services, Inc. | Cloud Service Provider | United States |
| Google, Inc. | Cloud Service Provider | United States |
| Any other customer-assigned local data centre | Cloud Service Provider | |
| Netease, Inc. | Instant Messaging Services | China |

Disclosure of Personal Data

Personal Data may be disclosed to:

  • Authorities

On request, and in accordance with the law and official decisions, the Data Processor is obliged to disclose the data resulting from the decision, e.g. to the police.

  • Emergency services

In the event of a call to SOS Alarm, for example.

  • Other operators or service providers providing the Service

When placing calls to another operator, for example, certain Personal Data is registered with the said operator.

Personal Data may also be disclosed to other companies and authorities after the Data Controller has given consent, and/or in order to discharge a specific part of the Services under an agreement.