Data Processing Agreement for Verbit Freelancers
This Data Processing Agreement (“DPA”) is entered into by you (“Freelancer”) and Verbit Software Ltd. and/or its affiliated entities (collectively, “Verbit,” and together with Freelancer, the “Parties”), and governs your processing of Personal Data (defined below) on behalf of Verbit in connection with the services agreement (“Agreement”) between the Parties. The terms of this DPA supplement the Agreement and shall be deemed incorporated therein in their entirety. Capitalized terms used and not specifically defined herein shall have the same meaning as in the Agreement.
- DEFINITIONS
- “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq.
- The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
- For the purpose of clarity, within this DPA “Controller” shall also mean “Business,” and “Processor” shall also mean “Service Provider,” to the extent that the CCPA applies.
- “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, Israel and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
- “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Standard Contractual Clauses” shall mean the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Freelancer.
- “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
- PROCESSING OF PERSONAL DATA
- Roles of the Parties. The Parties acknowledge and agree that with regard to Freelancer’s Processing of Personal Data on behalf of Verbit, (i) Verbit is the Controller or processor of Personal Data, (ii) where Verbit is the Controller, Freelancer is a processor of such Personal Data, and (iii) where Verbit is a processor, Freelancer is a sub-processor of such Personal Data.
- Verbit’s Processing of Personal Data. Verbit’s use of the Services and Verbit’s instructions to the Freelancer shall comply with Data Protection Laws.
- Freelancer’s Processing of Personal Data. When Processing on Verbit’s behalf under the Agreement, Freelancer shall Process Personal Data solely for the following purposes: (i) Processing in accordance with the Agreement and this DPA; (ii) Processing in accordance with Verbit’s documented instructions, where such instructions are consistent with the terms of the Agreement; (iii) Processing as required under Data Protection Laws applicable to Freelancer, provided that Freelancer shall inform Verbit of the legal requirement in advance, unless such law or order prohibit such information on important grounds of public interest. Freelancer shall inform Verbit without undue delay if, in Freelancer’s opinion, an instruction for the Processing of Personal Data given by Verbit infringes applicable Data Protection Laws. In such event, Freelancer shall (i) inform Verbit, providing relevant details of the issue, (ii) upon request of Verbit, temporarily cease all Processing of the affected Personal Data (other than securely storing such data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, Verbit may terminate the Agreement and this DPA with respect to the affected Processing.
- Details of the Processing. The subject matter of Processing of Personal Data by Freelancer is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of Processing) to this DPA.
- No Subcontracting. Freelancer shall not subcontract any Processing of Personal Data to any third party without prior written consent of Verbit regarding each such subcontracting activity and third party.
- CCPA Standard of Care; No Sale of Personal Data. Freelancer acknowledges and confirms that it does not receive or process any Personal Data as consideration for any services or other items that Freelancer provides to Verbit under the Agreement. Freelancer shall not have, derive, or exercise any rights or benefits regarding Personal Data Processed on Verbit’s behalf, and may use and disclose Personal Data solely for the purposes for which such Personal Data was provided to it, as stipulated in the Agreement and this DPA. Freelancer certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Data Processed hereunder, nor taking any action that would cause any transfer of Personal Data to or from Freelancer under the Agreement or this DPA to qualify as “selling” such Personal Data under the CCPA.
- DATA SUBJECT REQUESTS
Freelancer shall assist Verbit in responding to requests to exercise Data Subject rights or Consumer rights (including any complaints regarding the Processing of Personal Data) under Applicable Laws, including, without limitation, EU Data Protection Laws and the CCPA (“Data Subject Request(s)”). This includes Freelancer (i) promptly notifying Verbit if it receives a Data Subject Request in respect of Personal Data; (ii) providing full cooperation and assistance to Verbit in relation to any Data Subject Request; (iii) ensuring that it does not respond to Data Subject Requests except on the documented instructions of Verbit or as strictly required by Data Protection Laws to which the Freelancer is subject; and (iv) maintaining electronic records of Data Subject Requests.
- SECURITY & AUDITS
- Controls for the Protection of Personal Data. Freelancer represents and warrants that it has implemented and will maintain all appropriate technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data). Upon Verbit’s request, Freelancer shall assist Verbit in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR.
- Records of Processing. Freelancer shall keep records of its Processing activities performed on behalf of Verbit, which shall include at least: (i) the details of the Freelancer as Personal Data Processor, any representatives, Sub-processors, data protection officers and Freelancer Personnel having access to Personal Data; (ii) the categories of Processing activities performed; (iii) information regarding Cross-Border Data Transfers, if any; and (iv) a description of the technical and organizational security measures implemented in respect of the Processed Personal Data. Without derogating from Verbit’s Audit Rights under Section 4(c) below, Verbit reserves the right to inspect the records maintained by Freelancer under this Section 4(b) at any time.
- Audits and Inspections. Upon prior written request, and subject to confidentiality undertakings by Verbit, Freelancer shall make available to Verbit (or Verbit’s independent third-party auditor subject to their confidentiality undertakings) all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them. In the event of an audit or inspections as set forth above, Verbit shall take reasonable steps to avoid causing (or, if it cannot avoid, minimize) any disruption to Freelancer’s operations while conducting such audit or inspection.
- DATA INCIDENT MANAGEMENT AND NOTIFICATION
Freelancer shall notify Verbit without undue delay (but in any event no later than forty-eight (48) hours) after becoming aware of:
- any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (a “Data Incident”). Freelancer shall provide Verbit with information on the nature of the Data Incident, including the categories of Data Subjects concerned and the categories of Personal Data and data records concerned. Freelancer shall take all necessary steps to identify and take those steps necessary in order to remediate and/or mitigate the cause of such Data Incident as well as fully cooperate with Verbit in the investigation, mitigation, and remediation of a Data Incident. Upon request of Verbit, Freelancer shall provide Verbit with sufficient information to allow Verbit to meet any obligations under Data Protection Laws to report or inform Data Subjects or data protection authorities of the Data Incident.
- any request for disclosure of Personal Data by a Supervisory Authority and/or any other law enforcement authority or court unless prohibited under criminal law specifically requiring Freelancer to preserve the confidentiality of a law enforcement investigation against Verbit.
Freelancer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Data Incident or disclosure request which directly or indirectly identifies Verbit (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Verbit’s prior written approval, unless, and solely to the extent that, Freelancer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, Freelancer shall provide Verbit with reasonable prior written notice to provide Verbit with the opportunity to object to such disclosure and in any case Freelancer shall limit the disclosure to the minimum scope required.
- RETURN AND DELETION OF PERSONAL DATA
Without undue delay (and in any event within 30 days) following termination of the Agreement, Freelancer shall, at the choice of Verbit, delete or return to Verbit all the Personal Data it Processes on behalf of Verbit, in the manner described in the Agreement or as otherwise reasonably requested by Verbit, and Freelancer shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. In such a case, Freelancer warrants that it will guarantee the confidentiality of Personal Data and will not actively Process Personal Data anymore, and will guarantee the return and/or destruction of the Personal Data (at the choice of Verbit) when the legal obligation to not return or destroy the Personal Data has expired. Upon Verbit’s written request, the Freelancer’s Chief Privacy Officer (or equivalent) shall provide written certification to Verbit stating that Freelancer has fully complied with this section.
- CROSS-BORDER DATA TRANSFERS
- Transfers from the EEA, Switzerland and the United Kingdom to countries that offer adequate level of data protection. Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
- Transfers from the EEA, Switzerland and the United Kingdom to other countries. If the Processing of Personal Data by Freelancer includes a transfer (either directly or via onward transfer):
- from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer”), the terms set forth in Part 1 of Schedule 2 (EEA Cross Border Transfers) shall apply;
- from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data (as defined in the UK GDPR) outside the UK (“UK Transfer”), the terms set forth in Part 2 of Schedule 2 (UK Cross Border Transfers) shall apply;
- the terms set forth in Part 3 of Schedule 2 (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.
- OTHER PROVISIONS
- Data Protection Impact Assessment and Prior Consultation. Upon Verbit’s request, Freelancer shall provide Verbit with the cooperation and assistance needed to fulfil Verbit’s obligations under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Verbit’s use of the Services. Freelancer shall provide the necessary assistance to Verbit in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 8(a), to the extent required under the GDPR or the UK GDPR, as applicable.
- Indemnification. Freelancer shall indemnify, defend, and hold harmless Verbit, its Affiliates, and their respective officers, directors, and employees from and against all claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Freelancer’s unlawful or unauthorized Processing, destruction of, or damage to any Personal Data; and/or (ii) Freelancer’s (including the Freelancer Personnel and Sub-processors) failure to comply with its obligations under this DPA, the Agreement or any further written Processing instructions given by Verbit in accordance with this DPA.
- Modifications. Each Party may by at least forty-five (45) calendar days’ prior written notice to the other Party, request in writing any variations to this DPA if they are required as a result of any change in, or decision of a competent authority under Data Protection Laws, to allow Processing of Verbit Personal Data to be made (or continue to be made) without breach of those Data Protection Laws. The Parties shall make commercially reasonable efforts to accommodate such modification requested by Verbit or that Freelancer believes is necessary. The Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of such notice, then Verbit or Freelancer may, by written notice to the other Party, with immediate effect, terminate this DPA and the Agreement.
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature and Purpose of Processing:
- Providing the Services to Verbit;
- Performing the Agreement, and this DPA;
- Acting upon Verbit’s written instructions in accordance with the Agreement and the DPA;
- Complying with applicable laws and regulations.
Duration of Processing: Freelancer will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data: Personal data exchanged by use of the Services, namely the content of audio or video recordings, transcriptions or translations.
Categories of Data Subjects: Individuals whose communications or other information are captured on audio or video recordings, transcriptions or translations.
SCHEDULE 2 – CROSS BORDER TRANSFERS
PART 1 – EEA Transfers
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Verbit as the data controller of the Personal Data and Freelancer is the data processor of the Personal Data.
- Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Verbit as the data processor of the Personal Data and Freelancer is a Sub-processor of the Personal Data.
- Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
- Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.2 of the DPA.
- In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
- In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
- In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- Data Exporter: Verbit, Inc.
- Contact details: As detailed in the Agreement.
- Data Exporter Role:
- Module Two: The Data Exporter is a data controller.
- Module Three: The Data Exporter is a data processor.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Data Importer: Freelancer.
- Contact details: As detailed in the Agreement.
- Data Importer Role:
- Module Two: The Data Importer is a data processor.
- Module Three: The Data Importer is a sub-processor.
- Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
- The categories of data subjects are described in Schedule 1 (Details of Processing) of this DPA.
- The categories of personal data are described in Schedule 1 (Details of Processing) of this DPA.
- The frequency of the transfer is on a continuous basis for the duration of the Agreement.
- The nature of the processing is described in Schedule 1 (Details of Processing) of this DPA.
- The purpose of the processing is described in Schedule 1 (Details of Processing) of this DPA.
- The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
- In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Schedule 1 (Details of Processing) of this DPA.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
- The following requirements are deemed to comprise the content of Annex II of the Standard Contractual Clauses:
- Freelancer must access Verbit’s platform via a secure and private user account on its local computer.
- Virus scanning software must be installed locally, and shall be run at least monthly.
- Freelancer must maintain security and confidentiality of credentials to Verbit’s systems, and not provide access to any other individual.
- Freelancer must not make any record or copy locally on its device or anywhere outside of Verbit’s systems, of any files or media accessed via Verbit’s platform.
- To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses will prevail.
PART 2 – UK Transfers
- This Part 2 is effective from the same date as the Standard Contractual Clauses.
Background:
- This Part 2 is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country or an international organisation in reliance on Article 46 of the UK GDPR and with respect to data transfers from controllers to processors and/or processors to processors.
Interpretation:
- Where this Part 2 uses terms that are defined in the Standard Contractual Clauses, those terms shall have the same meaning as in the Standard Contractual Clauses. In addition, the following terms have the following meanings:
UK Data Protection Laws: All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018.
UK GDPR: The United Kingdom General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.
UK: The United Kingdom of Great Britain and Northern Ireland.
- This Part 2 shall be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 GDPR.
- This Part 2 shall not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, reenacted and/or replaced after this DPA has been entered into.
- In the event of a conflict or inconsistency between this Part 2 and the provisions of the Standard Contractual Clauses or other related agreements between the Parties, existing at the time the DPA is agreed or entered into thereafter, the provisions which provide the most protection to data subjects shall prevail.
- This Part 2 incorporates the Standard Contractual Clauses which are deemed to be amended to the extent necessary so they operate:
- for transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that transfer; and
- to provide appropriate safeguards for the transfers in accordance with Article 46 of the UK GDPR Laws.
- The amendments required by Section 8 above, include (without limitation):
- References to the “Clauses” means this Part 2 as it incorporates the Standard Contractual Clauses
- Clause 6 Description of the transfer(s) is replaced with: “The details of the transfers(s) and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”
- References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.
- References to Regulation (EU) 2018/1725 are removed.
- References to the “Union”, “EU” and “EU Member State” are all replaced with the “UK”
- Clause 13(a) and Part C of Annex II are not used; the “competent supervisory authority” is the Information Commissioner;
- Clause 17 is replaced to state “These Clauses are governed by the laws of England and Wales”.
- Clause 18 is replaced to state: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”
- The footnotes to the Clauses do not form part of this Part 2.
- The Parties may agree to change Clause 17 and/or 18 to refer to the laws and/or courts of Scotland or Northern Ireland.
- The Parties may amend this Part 2 provided it maintains the appropriate safeguards required by Art 46 UK GDPR for the relevant transfer by incorporating the Standard Contractual Clauses and making changes to them in accordance with Section 8 above.
- The Parties may give force to this Part 2 (incorporating the Standard Contractual Clauses) in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in the Contractual Clauses.
PART 3 – Additional Safeguards
- In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:
- The Freelancer shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from Verbit to the Freelancer and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.
- The Freelancer will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”);
- If the Freelancer becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:
- The Freelancer shall inform the relevant government authority that the Freelancer is a processor of the Personal Data and that Verbit has not authorized the Freelancer to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon Verbit in writing;
- The Freelancer will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under the Freelancer’s control and notify Verbit, immediately after first becoming aware of such demand for access and provide Verbit with all relevant details of the same, unless and to the extent legally prohibited to do so.