Data Processing Agreement
Introduction
This Data Processing Agreement (the "DPA") is an annex to the Scalign Terms of Service and forms an integral part of the agreement between you (the "Data Controller") and Scalign AS (the "Data Processor"). The DPA governs the processing of personal data by Scalign on behalf of the Data Controller in connection with the services provided under the Terms of Service.
Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
“Third Party Services” means any external sources, services, platforms, or applications with which the Data Controller chooses to integrate the Service, and from which Personal Data may be retrieved or to which Personal Data may be sent.
Scope and Purpose
The Data Processor shall process Personal Data solely for the purpose of providing the services described in the Terms of Service and in accordance with the Data Controller's documented instructions.
Data Controller's obligations
The Data Controller shall ensure that Personal Data provided to the Data Processor is collected and processed in accordance with applicable data protection laws. The Data Controller is responsible for the accuracy, quality, and legality of Personal Data and the means by which it was acquired. The Data Controller shall provide documented instructions to the Data Processor regarding the processing of Personal Data and shall ensure that such instructions comply with applicable laws and regulations. The Data Controller shall promptly inform the Data Processor of any changes to the processing of Personal Data that may affect the Data Processor’s obligations under this DPA.
Third Party Integrations
The Data Controller may integrate the Service with Third Party Services and, as a result, retrieve data from and send data to such third parties. The Data Controller is responsible for ensuring that any Personal Data shared with or received from Third Party Services via such integrations is processed in accordance with applicable data protection laws and the terms of this DPA. The Data Processor shall process Personal Data obtained through such integrations solely for the purpose of providing the Service and in accordance with the Data Controller’s documented instructions.
Details of Processing
Subject Matter and Duration: The processing of Personal Data shall be carried out for the duration of the Terms of Service.
Types of Personal Data: Names, contact information (email, phone number, etc.), meeting recordings (this may include meeting recordings (audio/video), meeting notes and transcripts, participant lists, and attribution of comments/statements to specific individuals), calendar data, data from open web sources, and any other Personal Data relevant to the Service. This may include Personal Data retrieved from or sent to Third Party Services as directed by the Data Controller.
Categories of Data Subjects: Users, employees, customers, and other Data Subjects relevant to the Service.
Nature and Purpose of Processing: Collection, recording, structuring, storage, retrieval, consultation, use, analysis, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, and erasure destruction.
Data Processor Obligations
The Data Processor shall implement appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure.
The Data Processor shall ensure that any personnel authorized to process Personal Data are subject to confidentiality obligations.
The Data Processor shall assist the Data Controller in ensuring compliance with applicable data protection laws, including responding to data subject requests and conducting data protection impact assessments.
The Data Processor shall notify the Data Controller without undue delay in the event of a Personal Data breach and provide all necessary information to support the Data Controller's compliance with data breach notification obligations.
The Data Processor shall not be responsible for the processing of Personal Data by Third Party Services integrated by the Data Controller, except to the extent that such processing is carried out by the Data Processor on behalf of the Data Controller within the scope of the Service.
Sub-Processors
The Data Processor has the Data Controller’s prior general written authorization to engage sub-processors to assist in the processing of Personal Data. The Data Processor shall notify the Data Controller in advance of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object to such changes. Such notification will be given through https://www.scalign.ai/legal/privacy-policy. The Data Processor shall ensure that any sub-processors are bound by obligations consistent with this DPA.
Data Subject Rights
The Data Processor shall promptly notify the Data Controller of any requests received from data subjects exercising their rights under applicable data protection laws.
Audit Rights
The Data Controller shall have the right to conduct audits or inspections to verify the Data Processor's compliance with this DPA. The Data Processor shall provide all necessary information and access to facilities to facilitate such audits. As an alternative, the Data Processor may provide a third party audit report. The Data Processor shall provide all necessary information and access to facilities to facilitate such audits.
International Transfers
When applicable, the Data Processor shall ensure that any transfers of Personal Data outside the European Economic Area (EEA) comply with GDPR requirements, using mechanisms such as EU Standard Contractual Clauses.
Where Personal Data is transferred to or from Third Party Services integrated by the Data Controller, the Data Controller is responsible for ensuring that such transfers comply with applicable data protection requirements.
Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Upon termination, the Data Processor shall, at the choice of the Data Controller, return or delete all Personal Data.
Governing Law
This DPA shall be governed by and construed in accordance with Norwegian law.