Skip to main content

Data Processing Agreement

1. Background

This Data Processing Agreement (‘’DPA’’) is attached to the General Terms (available at https://danian.co/
terms-and-conditions and forms an inseparable part of the Agreement entered into by DANIAN limited (hereinafter “DANIAN”) and the Customer. This DPA shall set out the terms and conditions for the processing of Personal Data by DANIAN on behalf of the Customer under the Agreement.

2. Scope and conflict of rules

To the extent the Customer inputs Personal Data into the Cloud Services and DANIAN processes such Personal Data, the Parties acknowledge that the Customer acts as a Data Controller and DANIAN is a Data Processor processing Personal Data on behalf of the Customer for the purpose of providing the Cloud Services.

In the event of any discrepancy between this DPA and the Agreement, this DPA prevails.

3. Definitions

Unless otherwise defined in this DPA or in the Agreement, terms used in this DPA, such as "Data Controller", "Data Processor", "Data Subject" and "Personal Data" have the meanings as defined in the Data Protection Regulation.

Data Protection Regulation means all applicable laws relating to data protection, including without limitation the GDPR and the laws implementing EU Directive 2002/58/EC and any amendments to or replacements for such laws and regulations.

GDPR means the General Data Protection Regulation (EU) 2016/679.

Personal Data Breach means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.

Standard Contractual Clauses means the contractual clauses issued by the European Commission by the decision 2021/914/EU for international transfers of Personal Data.

Subprocessor means third parties: i) providing back-end services for DANIAN and/or ii) selected by the Customer to provide the hosting services for the data Customer inputs to the Cloud Services. The Subprocessors and their services are listed on the Website.

Website means DANIAN's website available at danian.co and the DANIAN console through which the Customer may use the Cloud Services.

4. Processing of personal data

Processing of Personal Data under this DPA is for the purpose of providing the Cloud Services to the Customer. Processing of Personal Data in this context refers to storage, maintenance and other processing activities initiated by the Customer, depending on which Cloud Services the Customer has chosen to order from time to time. The categories of Data Subjects and the types of Personal Data processed are defined in the Appendix 1 (Details of processing).

Personal Data may be processed as long as the Cloud Services are provided under the Agreement and after that if required by applicable law or contractual obligations or rights of either Party.

5. Customer's instructions

The DANIAN shall process Personal Data in accordance with the Customer's written instructions as established in this DPA. The Parties agree that this DPA is the Customer's complete written instruction to the DANIAN in the Customer's role as the Data Controller. Additional instructions require prior written agreement between the Parties.

6. DANIAN’s general obligations

DANIAN shall, at the Customer's written request and the Customer's sole cost and expense, assist the Customer by providing such readily available information, or creating such information, as the Customer may reasonably require and which the Customer does not have, in complying with the requests of the Data Subjects or supervisory authority or any other law enforcement or regulatory authority.

DANIAN shall inform the Customer, as soon as reasonably practicable, if it receives a request from a Data Subject seeking to exercise his or her rights under the Data Protection Regulation.

DANIAN shall maintain records of processing activities under its responsibility to ensure DANIAN's own compliance as a Data Processor with the Data Protection Regulation, and upon the Customer's written request DANIAN shall make available to the Customer such records to the extent necessary to demonstrate compliance with DANIAN’s obligations set out in this DPA and in the Data Protection Regulation.

7. Data security

DANIAN shall implement and maintain appropriate technical and organizational measures to ensure an appropriate level of security of the Personal Data and to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure for the purposes of the Cloud Services.

In the event of a Personal Data Breach, DANIAN shall notify the Customer without undue delay and at least within 48 hours after becoming aware of the Personal Data Breach and take reasonable steps to mitigate any damage resulting from such breach. The notification shall contain information DANIAN is reasonably able to disclose to the Customer, including following information:

  1. a description of the nature of the Personal Data breach, including where possible the categories of Data Subjects and the Personal Data concerned;

  2. the name and contact details of contact point where more information can be obtained;

  3. a description of likely consequences of the Personal Data Breach; and

  4. a description of the measures taken or proposed to be taken to address the Personal Data Breach.

The information may be provided in phases if it is not possible to provide the information at the same time.

DANIAN shall cooperate with and assist the Customer, at the Customer's written request, in relation to the Personal Data Breach notifications made to supervisory authority as required under the Data Protection Regulation. DANIAN shall document the Personal Data Breaches and have the documentation available to the Customer upon the Customer's written request.

8. Subprocessors

DANIAN is entitled to use Subprocessors for the purposes of providing the Cloud Services under the Agreement. DANIAN provides information on its Subprocessors at its Website. The Customer can choose a Subprocessor to provide the hosting for the Cloud Services from the options provided by DANIAN. DANIAN shall inform the Customer in writing of any intended changes of the hosting service provider Subprocessor at least fourteen (14) days in advance, giving the Customer sufficient time to be able to object to such change. The Customer hereby consents to DANIAN's use of Subprocessors as described in this section.

DANIAN shall use its commercially reasonable efforts to reasonably ensure that its Subprocessors are subject to equivalent requirements regarding data protection, as set out in this DPA. DANIAN remains responsible for its Subprocessors and their compliance with the obligations of this DPA.

9. Transfers of personal data

The Customer may choose where the Cloud Services will be hosted. If the Customer has selected a Subprocessor to provide the hosting within the European Economic Area (‘’EEA’’), DANIAN shall store the Personal Data within the EEA and transfers outside the EEA are subject to the Customer's prior approval, instruction or request thereto.

If the Customer selects a Subprocessor to provide the hosting services outside the EEA, the Customer accepts that DANIAN; (i) performs the international data transfer of Personal Data in accordance with the Standard Contractual Clauses (processor-to-processor module) entered into by DANIAN (as a data exporter) and the Subprocessor (as a data importer) or; (ii) agrees the Subprocessor to carry out the transfer in accordance with the Standard Contractual Clauses (processor-to-processor module) entered into by the Subprocessor group companies (Subprocessor’s EEA entity as a data exporter and third country entity as a data importer), as applicable, depending on the Subprocessor the Customer chooses.

The Customer warrants to have used reasonable efforts to determine that the Subprocessor acting as data importer, and chosen by Customer, is able through the implementation of appropriate technical and organizational measures, to satisfy data importer’s obligations under the Standard Contractual Clauses for the transfer to be performed as agreed in this DPA. In the event of discrepancies between the Standard Contractual Clauses and this DPA, the Standard Contractual Clauses prevail.

Notwithstanding the foregoing, the Standard Contractual Clauses will not apply if DANIAN has adopted alternative safeguards in accordance with Data Protection Regulation for the lawful transfer of Personal Data outside the EEA.

10. Auditing

We will comply with any audit request to the extent required by law or due legal process. We will keep reasonable records to evidence our compliance with our obligations under this DPA and shall preserve such records for at least two (2) years from the date of the events reflected therein.

11. Data confidentiality

DANIAN will not use, or disclose to any third party, any data that the Customer has input into the Cloud Services, except, if specifically requested in writing by the Customer in order to provide customer-specific support services as requested and instructed by the Customer.

If a governmental body sends DANIAN a demand for the data input into the Cloud Services, DANIAN will do its best efforts to redirect the governmental body to request that data directly from the Customer. If compelled to disclose Customer Data to a governmental body, then DANIAN will only disclose the Personal Data strictly to the extent it is legally required to do so and shall give the Customer reasonable notice of the demand to allow the Customer to seek a protective order or other appropriate remedy unless DANIAN is legally prohibited from doing so.

12. Term and termination

This DPA shall become effective in parallel with the Agreement and shall continue in force until the termination of the Agreement or as long as DANIAN processes Personal Data on behalf of the Customer.

If not instructed otherwise in writing by the Customer and unless legally required to keep the Personal Data, DANIAN shall delete and destroy the Personal Data processed hereunder the latest within ninety (90) days' of the termination of the Agreement or after the maximum data retention period permitted by the technology of the relevant Cloud Service. In case the Customer demands that the Personal Data are returned to the Customer or to a third party, the Customer will pay DANIAN for any additional costs and expenses arising out of such return of the Personal Data.

Appendix 1 - Details of processing

This Appendix 1 forms part of this DPA describing the details of personal data to be processed by DANIAN.

The Customer has full control of what personal data will be processed by uploading such personal data into the Cloud Services. DANIAN has no visibility to such personal data provided and uploaded by the Customer.

Data subjects
  • Prospects, customers, business partners, and vendors of the Customer (who are natural persons)
  • Employees or contact persons of the Customer’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, and freelancers of the Customer (who are natural persons)
  • Individuals unauthorized by the Customer under the Agreement

Categories of personal data
  • Full name
  • Title, position
  • Email address, address
  • Phone number

Special categories of personal data - No special categories of Personal Data are processed.

Subject matter of the processing - Hosting, storing and maintenance for the data Customer has input to the Cloud Services.

For clarity, the Customer is the Data Controller of, and this DPA is only applied to, the Personal Data input to the Cloud Services by Customer.

Appendix 2 - DANIAN’s technical and organisational safety measures

This Appendix 2 forms a part of this DPA describing DANIAN’s technical and organizational safety measures.

Description of the technical and organizational security measures implemented by DANIAN.

DANIAN will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data processed on the Cloud Services as applicable to the specific Cloud Service purchased by the Customer.

DANIAN must report, in an internal document, to be kept updated and available upon request of the Data Controller or the Guarantor Authority, the identification details of the natural persons who have been assigned the role of System Administrator, with the list of functions assigned to them.

Last modification date: 23-09-2024