Date Processing Agreement
This Data Processing Agreement ("Agreement") forms part of the Terms of Service or any other agreement between Survaigo Ltd ("Processor") and the Customer ("Controller"). This Agreement governs the processing of personal data by Survaigo Ltd on behalf of the Customer in the course of providing access to the Survaigo platform.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person.
"Processing" means any operation performed on personal data.
"Controller" means the entity that determines the purposes and means of the processing.
"Processor" means the entity that processes data on behalf of the controller.
2. Scope and Duration
This Agreement applies to all personal data processed by Survaigo Limited on behalf of the Customer while providing the services. It shall remain in effect for as long as the Processor is processing personal data on behalf of the Controller.
3. Obligations of the Processor
Survaigo Limited shall:
- Process personal data only on documented instructions from the Controller;
- Ensure confidentiality and data security;
- Ensure that persons authorized to process the personal data have committed to confidentiality;
- Implement appropriate technical and organisational measures to ensure data security;
- Assist the Controller in fulfilling its obligations under GDPR;
- Notify the Controller without undue delay of any data breach.
4. Sub-processors
The Controller authorises the use of the following sub-processors for hosting, support, and AI-powered processing:
- Amazon Web Services (AWS), Ireland (EU-West-1): Hosting and storage
- Intercom, United States: Customer support platform
- OpenAI (ChatGPT), United States: AI-powered processing for summarisation, drafting, and automation
The Processor shall inform the Controller of any intended changes to sub-processors to give the Controller an opportunity to object.
5. International Data Transfers
Personal data may be transferred to third countries (e.g., the United States) for support and AI processing purposes. Such transfers shall be subject to appropriate safeguards, including standard contractual clauses or equivalent legal mechanisms.
6. Data Subject Rights
The Processor shall, to the extent possible, assist the Controller in responding to data subject requests under GDPR.
7. Return or Deletion of Data
Upon termination of services, the Processor shall, at the choice of the Controller, delete or return all personal data, unless retention is required by applicable law.
8. Audit and Compliance
The Processor shall make available all information necessary to demonstrate compliance and allow for audits by the Controller or its representatives, subject to reasonable notice and confidentiality obligations.
9. Liability
Each party shall be liable for its respective obligations under this Agreement and applicable data protection laws.
10. Governing Law
This Agreement is governed by the laws of England and Wales.