(Incorporated into the SantaClues Terms of Service)
This Data Processing Agreement (“DPA”) forms part of and is incorporated into the SantaClues Terms of Service (the “Agreement”) between SantaClues (“Processor”) and the customer identified in the Agreement (“Controller”).
This DPA applies where and to the extent that SantaClues processes Personal Data on behalf of the Controller in connection with the Services and where the GDPR applies to such processing.
Unless otherwise defined herein, capitalised terms have the meaning given in the GDPR or the Agreement.
“GDPR” means Regulation (EU) 2016/679.
“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Personal Data Breach”, and “Processing” have the meanings set out in the GDPR.
2.1 The Controller determines the purposes of processing and the essential means of processing Personal Data.
2.2 SantaClues acts solely as a Processor and determines non-essential technical and organisational means necessary to provide the Services in accordance with the Agreement.
2.3 The Controller is responsible for:
SantaClues does not determine the lawful basis for recording or transcription.
3.1 The subject matter, duration, nature, and purposes of processing, and the categories of Data Subjects and types of Personal Data processed, are described in Annex I.
3.2 Processing shall continue for the duration of the Agreement unless otherwise required by applicable law.
4.1 SantaClues shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law.
4.2 The Agreement, this DPA, and documented configuration of the Services constitute the Controller’s documented instructions.
4.3 If SantaClues considers that an instruction infringes applicable data protection law, it shall inform the Controller.
4.4 SantaClues shall not be liable for processing carried out in accordance with lawful documented instructions of the Controller.
5.1 SantaClues shall ensure that persons authorised to process Personal Data:
6.1 SantaClues shall implement appropriate technical and organisational measures designed to protect Personal Data, as described in Annex II (Technical and Organisational Measures).
6.2 SantaClues may update such measures from time to time, provided that such updates do not materially reduce the level of protection.
7.1 The Controller grants SantaClues general authorisation to engage subprocessors for the processing of Personal Data.
7.2 A list of current subprocessors is set out in Annex III.
7.3 SantaClues shall:
7.4 SantaClues shall notify the Controller of any intended addition or replacement of a subprocessor at least thirty (30) days in advance, which may be provided via email or through an updated subprocessor list published on the SantaClues website.
7.5 The Controller may object to a new subprocessor on reasonable data protection grounds within the notice period. If the parties cannot resolve the objection in good faith, the Controller may terminate the affected Services.
8.1 The Controller acknowledges that certain subprocessors may process Personal Data outside the European Economic Area.
8.2 Where Personal Data is transferred to a third country for which an adequacy decision has not been adopted, SantaClues shall rely on appropriate safeguards, including Standard Contractual Clauses.
8.3 The Standard Contractual Clauses are incorporated by reference into this DPA where required. The applicable module shall be determined in accordance with the roles of the parties.
8.4 SantaClues conducts transfer impact assessments where appropriate.
EU-only processing is not guaranteed by default.
Taking into account the nature of the processing, SantaClues shall assist the Controller, through appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Controller’s obligations to respond to requests for exercising Data Subject rights under Articles 12–22 GDPR.
SantaClues shall assist the Controller, taking into account the nature of processing and information available to SantaClues, in ensuring compliance with Articles 32–36 GDPR.
The Controller shall provide information reasonably necessary for SantaClues to fulfil such assistance.
10.1 SantaClues shall notify the Controller without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA.
10.2 Such notification shall include information reasonably available to SantaClues to enable the Controller to comply with Articles 33 and 34 GDPR.
11.1 Upon termination of the Agreement, SantaClues shall delete or return Personal Data to the Controller, at the Controller’s choice, subject to applicable law.
11.2 Deletion applies to Personal Data processed under this DPA in active production systems, in accordance with SantaClues’ documented retention schedules described in Annex II.
11.3 Backup copies are retained in accordance with defined rolling retention periods and are not immediately purgeable, but expire automatically within those periods.
11.4 SantaClues may retain data where required by applicable law, including financial and billing records.
12.1 SantaClues shall make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
12.2 Any audit shall:
12.3 The Controller shall bear its own costs and reimburse reasonable costs incurred by SantaClues where audits exceed reasonable scope.
13.1 Each party’s liability arising out of or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.
13.2 Nothing in this DPA shall increase either party’s liability beyond what is provided in the Agreement.
For data protection inquiries under this DPA:
Email: hello@santaclues.ai
SantaClues has not appointed a Data Protection Officer unless required by applicable law.
This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement.