Overview
Richpanel is committed to protecting the privacy and security of our customers' data. Our Data Processing Agreement (DPA) outlines the terms and conditions under which we process personal data on behalf of our customers in compliance with applicable data protection laws, including GDPR.
Key Points
- Defines roles and responsibilities of Richpanel as a data processor
- Outlines data processing limitations and security measures
- Addresses subprocessor engagement and international data transfers
- Includes provisions for data subject rights and breach notifications
- Covers audit rights and compliance with data protection laws
Full Data Processing Agreement
RICHPANEL DATA PROCESSING AGREEMENT
This Data Processing Agreement ("DPA") is effective as of [EFFECTIVE DATE], and is hereby incorporated into the underlying agreement between [CUSTOMER NAME] ("Company") and RICHPANEL INC. ("Service Provider"), a Delaware Corporation.
WHEREAS, Service Provider performs certain services for Company under the Agreement ("Services");
WHEREAS, as part of the Services that Service Provider provides to Company pursuant to the Agreement, Service Provider will be given or have access to Personal Information, as that term is used and understood under Data Privacy Laws (defined below);
WHEREAS, the parties seek to implement a DPA that complies with the requirements of Data Privacy Laws.
NOW THEREFORE, IT IS AGREED AS FOLLOWS:
1. Definitions:
- Data Privacy Laws: Refers to applicable laws, rules, regulations, and other legal requirements relating to privacy, data protection, data security, breach notification, or the Processing of Personal Information, as defined by GDPR.
- Personal Information: Includes all information that identifies a person as defined by applicable Data Privacy Laws.
- Processing: Includes any operation or set of operations performed on Personal Information, such as collection, storage, use, and any other action as defined under Data Privacy Laws.
- Security Breach: Any unauthorized or unlawful destruction, loss, alteration, disclosure, or access to Personal Information.
- Service Provider: Includes the terms "Processor" and similar terms, with meanings as defined by applicable Data Privacy Laws.
- Subprocessor: Any subcontractor engaged by the Service Provider to Process Personal Information on its behalf.
2. Service Provider Obligations:
- Processing Limitations: Service Provider shall Process Personal Information for the purpose of providing the Services to Company as enumerated in the Agreement. All such Processing shall comply with Data Privacy Laws. Service Provider shall not: (i) Sell Personal Information; (ii) retain, use, or disclose Personal Information for any purpose other than for the business purposes agreed to in the Agreement.
- Re-identification Prohibition: Service Provider shall not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Information in violation of Data Privacy Laws.
- Legal Disclosure: In the event Service Provider is legally obligated to provide any Personal Information to a third party, Service Provider shall disclose only the amount of Personal Information necessary to comply with the legal obligation.
- Breach Notification: Service Provider shall notify the Company within five business days (or as required by applicable Data Privacy Laws) upon determining that it can no longer meet its obligations under this DPA or Data Privacy Laws, or if it has breached any of its obligations in this DPA or violated any Data Privacy Laws affecting the Company.
- Data Deletion: Service Provider shall delete all Personal Information from its systems upon the termination of the Services related to the Processing. If legally required to maintain such Personal Information or if requested by the Company, Service Provider shall provide notice of the same to Company. Thereafter, such Personal Information may continue to be stored within Service Provider's systems but shall be Processed only to comply with applicable Data Privacy Laws.
- Subprocessor Engagement: Service Provider may engage Subprocessors, provided that it publishes the list of Subprocessors under its GDPR policy, which information may be found at https://www.richpanel.com/gdpr.
- Assistance with Compliance: Service Provider shall provide reasonable cooperation to Company in complying with new or amended Data Privacy Laws. Service Provider will assist with individual rights requests made by data subjects to Company regarding Personal Information Processed by Service Provider. If Company requests deletion or modification of Personal Information, Service Provider shall promptly comply and pass along these requests to downstream parties.
- Audit Rights: Company or its designated auditor may audit Service Provider's compliance with this DPA up to once per year, or as required by applicable Data Privacy Laws. Service Provider shall allow such audits during regular business hours, subject to agreed final audit plans, and without unreasonably interfering with Service Provider's business activities.
3. Security:
- Technical and Organizational Measures: Service Provider shall implement appropriate technical and organizational measures to ensure a level of security for Personal Information appropriate to the risk and compliant with applicable Data Privacy Laws.
4. Compliance:
- Compliance with Laws: Service Provider and anyone acting on its behalf shall Process Personal Information in compliance with this DPA and applicable Data Privacy Laws. Service Provider warrants it has no reason to believe it or anyone acting on its behalf is in violation of any Data Privacy Laws.
- Technical and Organizational Measures: Service Provider warrants it has implemented appropriate measures to prevent unauthorized Processing of Personal Information and will continue to do so.
5. Indemnification:
- Service Provider Liability: Service Provider shall indemnify and hold harmless Company and its affiliates, parents, subsidiaries, employees, officers, contractors, and agents from and against all third-party claims alleging: (a) breach of Service Provider's representations or warranties; or (b) violation of any Data Privacy Laws by Service Provider or anyone acting on its behalf.
6. International Transfers:
- GDPR Compliance: If Personal Information from the EU, EEA, UK, or Switzerland is transferred outside these areas, Service Provider certifies compliance with GDPR and related laws. EU Standard Contractual Clauses and UK International Data Transfer Addendum shall apply to such transfers, with specific elections as detailed in the DPA.
7. Signatures:
- [CUSTOMER NAME]:
  - By: ________________________________
  - Name: _________________________
  - Title: _______________________________
- RICHPANEL INC:
  - By: ________________________________
  - Name: As set forth in the agreement
  - Title: As set forth in the agreement
Schedule 1
DETAILS OF PROCESSING
Annex I
A. LIST OF PARTIES
Data exporter(s): [Identity and contact details of the controller(s)/data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
- Name of Data exporter: The party identified as the "Customer" in the Agreement and this DPA
- Address: As set forth in the Agreement
- Contact person's name, position, and contact details: As set forth in the Agreement
- Activities relevant to the data transferred under these Clauses: See Annex 1(B) below
- Signature and date: This Annex I shall automatically be deemed executed when the Agreement is executed by Customer
- Role (controller/processor): Controller or Processor
Data importer(s): [Identity and contact details of the processor(s)/data importer(s), including any contact person with responsibility for data protection]
- Name: Richpanel Inc.
- Address: [Richpanel's official address]
- Contact person's name, position, and contact details: Richpanel Privacy Team – privacy@richpanel.com
- Activities relevant to the data transferred under these Clauses: See Annex 1(B) below
- Signature and date: This Annex I shall automatically be deemed executed when the Agreement is executed by Richpanel.
- Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
[To be completed based on the specific services and data processing activities involved]
C. COMPETENT SUPERVISORY AUTHORITY
[To be completed based on the applicable supervisory authority]
Contact Us
If you have any questions about our Data Processing Agreement or data protection practices, please contact our Privacy Team at:
Email: privacy@richpanel.com
© 2024 Richpanel Inc. All rights reserved.