Introduction
About Scaleo. We are Owly Labs s.r.o., ID No.: 276 34 051, VAT No.: CZ27634051, with its registered office at V přístavu 1585/10, 170 00 Prague, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague under file No. C 120368. We provide a SaaS system that is used to structure, monitor, analyze and manage data for affiliate marketing purposes, which is called “Scaleo”. More information on how the Scaleo works is available on our website https://scaleo.io.
Definitions
Definitions. To make the text easier to read, we have prepared definitions of the terms we use in this DPA. If you encounter other terms in this DPA that are not specified below, such terms have the meaning defined in our Terms.
The “Controller” is your company that uses the Scaleo, based on the applicable Terms.
The “GDPR” refers to the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
The “DPA” refers to this Data Processing Agreement.
The “Processor” is our company, Owly Labs s.r.o. We are the entity which determines the purposes and means of the Personal Data processing.
The “Terms” are the terms that govern use of Scaleo or other form of written agreement on the basis of which we provide Scaleo to you. Different Terms may apply depending on which version of Scaleo you use.
1. Reasons for entering into this DPA
1.1. Main Agreement. The Processor and the Controller cooperate on the basis of a contractual relationship which is based in particular on the applicable Terms (the “Main Agreement”). The Processor provides the Controller with the Scaleo and possibly other Services. Within the framework of this cooperation, personal data are or may be transferred by the Controller to the Processor. A purpose of processing and the funds for such processing are determined and provided by the Controller, and the Processor further processes the personal data for the Controller within the limits of this DPA and applicable legal regulations (mainly the GDPR).
1.2. Processing. This DPA defines the rights and obligations of the Parties with regards to the processing of personal data.
1.3. Terms. Unless otherwise provided for in this DPA, the terms used therein shall have the same meaning as in the Main Agreement, especially as in the applicable Terms.
2. Personal data processing
2.1. Categories of data subjects. The Processor is authorized to process the personal data of the Affiliates, Enquirers, customers, potential customers and/or employees of the Controller. However, the Processor may process the personal data of anyone, if the Controller or its employees give the Processor access to such personal data to be processed in the Scaleo or for any other reason as stipulated in this DPA or agreed between us.
2.2. Personal Data. The Processor shall be entitled to process the following personal data on behalf of the Controller:
(collectively the “Personal Data”).
2.3. Special categories. The Processor will not process any special categories of personal data as these are described in the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union memberships; processing of genetic data, biometric data or data concerning health or sex life or sexual orientation of a data subject). If any such special categories of personal data could be available to the Processor, the Controller agrees to inform the Processor about this.
2.4. By the Controller. The processing will be carried out by the Controller providing the Processor with access to the Personal Data.
2.5. Purpose of processing. The Processor will process any Personal Data solely for the purpose of providing the Scaleo and its Services as per the Main Agreement. The Processor will never use or transfer the Personal Data for its own benefit or for a benefit of a third party.
2.6. Instructions for processing. The Controller may provide the Processor with instructions regarding the processing of Personal Data. The main instruction for the processing is this DPA. The Controller is authorized to extend the purpose of processing in accordance with the law or give additional instructions, whereby instructions for further processing can only be communicated to the Processor in writing. For this DPA, e-mail communications between the Parties addressed to the authorized persons shall also be deemed to be in writing.
2.7. Methods of processing. Processing of the Personal Data by the Processor will consist of collection, recording, sorting, transmission, and storage, as well as other activities necessary for the performance of the Main Agreement. The Processor may process the Personal Data by automated and, where applicable, manual means, so that this activity corresponds to the purpose of the processing of the Personal Data as per this DPA.
3. Rights and obligations of the parties
3.1. Measures. The Processor undertakes to take technical, organizational, and other measures that shall prevent unauthorized or accidental access to the Personal Data, their change, destruction, loss, or other unauthorized treatment of the Personal Data. The Processor undertakes in particular:
3.2. Other obligations. The Processor also undertakes:
3.3. Restricted processing. The Processor is obliged to ensure that employees and other persons authorized by the Processor to process the Personal Data only do so to the extent and for the purposes of this DPA and the GDPR.
3.4. Compliance. Both the Processor and the Controller undertake to comply with the obligations set out in the GDPR and other generally binding legal regulations relating to this activity when processing the Personal Data based on this DPA.
3.5. Correctness. The Processor undertakes to correct, update, delete or transfer the Personal Data as instructed by the Controller without undue delay after such request.
3.6. Requests of data subjects. When a data subject exercises a right as per the GDPR or any applicable legal regulation, the Controller agrees to deal with such a request as per the applicable regulation. When required, the Controller shall delete the affected Personal Data from the Scaleo itself (e.g., request for a deletion, objection to processing based on a legitimate interest of the Controller etc.). If such an action cannot be made by the Controller itself, the Processor undertakes to make such an action without undue delay after the written notice of the Controller. E-mail communication of the Parties shall be also considered as written form. When the Processor receives a request from a data subject, it agrees to provide such a request to the Controller without undue delay.
3.7. Professional care. When fulfilling the obligations under the DPA, the Processor shall be obliged to proceed with professional care, observe the Controller’s instructions and act in the interests of the Controller.
3.8. Sub-processors. The Processor shall be entitled to involve other processors (the “Sub-processor”) in the processing of the Personal Data, in particular storage and cloud solution providers, operators of other software necessary and currently available on the market for the purpose of services that meet the standards set by the European Union, and other service providers necessary to fulfill the purpose of this DPA and the Main Agreement, without any additional explicit specific permission from the Controller. The Processor must enter into a written DPA with each Sub-processor imposing data protection terms of the standard required by this DPA. The Processor remains liable to the Controller if a Sub-processor fails to fulfill its data protection obligations. Current list of Sub-processors is attached hereto as Appendix 1.
3.9. Notice of new Sub-processors. The Processor maintains an up-to-date list of its Sub-processors in Appendix 1 of this DPA. The Controller is obliged to review the list itself. The Controller is entitled to raise objections against the involvement of any new Sub-processor and may do so within 30 days of the date when the information about the new Sub-processor was made available by the Processor. The Controller only agrees to raise an objection for a valid reason which it agrees to disclose to the Processor, as an unfounded objection could influence the provision of the Services by the Processor.
3.10. Audit. The Processor undertakes to provide the Controller with any information necessary for proving that the duties stipulated by this DPA or by the GDPR relating to the Personal Data were fulfilled and to allow the Controller or a third party to carry out an audit to a reasonable extent. The intention to carry out the audit shall be notified by the Controller to the Processor by e-mail. After this notification, the Parties shall agree on the date of the audit, which shall occur no later than 30 days after the receipt of this notification. If the Parties do not agree on the audit date, it shall be determined by the Processor. The audit shall not unduly interfere with the activities of the Processor. The costs of the audit are covered by the Controller. The Controller shall maintain the confidentiality of any information discovered during the audit concerning the Processor, in particular its security policies and standards. The Controller shall oblige third parties authorized by him to carry out the audit to the same extent.
3.11. Cooperation. Upon the Controller's reasonable request, and considering the nature of the processing, the Processor will provide reasonable assistance to the Controller in fulfilling the Controller's obligations under applicable data protection laws (including data protection impact assessments and consultations with regulatory authorities), provided that the Controller cannot reasonably fulfill such obligations independently. The Processor is entitled to request additional compensation for such cooperation.
3.12. Notification obligation. Processor shall notify Controller within twenty-four (24) hours of discovering any actual or suspected security breach affecting personal data. Such notice shall include: (i) nature and extent of the breach; (ii) categories and approximate number of data records concerned; (iii) likely consequences of the breach; (iv) measures taken or proposed to address the breach.
4. Duration of the DPA
4.1. Effectiveness. This DPA shall be effective for the duration of the Main Agreement (see Paragraph 1.1 of the DPA).
4.2. Termination. In the event of any termination of the DPA or termination of the Personal Data processing, the Processor shall be obliged to destroy immediately the Personal Data provided to him or any copies thereof, unless otherwise provided by this DPA and/or the Main Agreement, in particular if there is another legal reason for their processing or if the Parties agree that the Personal Data will be returned to the Controller.
5. Confidentiality
5.1. Confidentiality. The Processor undertakes to maintain the confidentiality of the Personal Data processed, in particular, the Processor shall not publish them, spread them, or transfer them to other persons except for the persons in an employment relationship with the Processor or other authorized persons entrusted with the processing of the Personal Data. The Processor shall be obliged to ensure that also his employees and other authorized persons comply with the duty of confidentiality. This obligation of the Processor continues even after the termination of this contractual relationship.
5.2. Safety measures. The Processor undertakes to maintain confidentiality concerning the safety measures taken to secure the Personal Data protection, even after the termination of this contractual relationship. The Parties expressly agree that the Processor is entitled to disclose its general security standards, which it undertakes to follow, and such disclosure shall not breach this obligation of confidentiality.
6. Liability
6.1. Liability. If the Processor breaches its obligations under this DPA or the GDPR, it shall be liable for damages resulting from such violation. However, the Processor is not liable for any unauthorized processing of the Personal Data by the Controller.
7. Final provisions
7.1. Appendix. This DPA is a binding and inseparable appendix to the Main Agreement.
7.2. Changes. Any change or amendment hereto shall be in writing and signed by both Parties.
7.3. Assistance. The Parties undertake to provide each other with all the necessary assistance and data to secure effective implementation hereof, in particular in the case of dealing with The Office for Personal Data Protection or other public authorities.
7.4. Czech Law. In the case that the contractual relationship established hereby contains an international element, the Parties agree that this DPA shall be governed by Czech law.
7.5. Czech Courts. In the event of disputes arising from this DPA, the Parties agree that any disputes will be resolved by the Czech courts. The Parties agree to the exclusive local jurisdiction of the court of the Processor's registered seat.
7.6. Effectiveness. This DPA is effective as of 23.12.2024.
Appendix 1 to Data Processing Agreement
List of Sub-Processors
Company | Address | Nature of processing | Data Storage Location |
---|---|---|---|
Amazon Web Services EMEA SARL (AWS) | 38 Avenue John F. Kennedy L-1855 Luxembourg | Hosting of customer data and the Services | European Economic Area |
Clickhouse B.V. | Herengracht 576, 1017 CJ Amsterdam, Netherlands | Database management | European Economic Area |