LAST UPDATED: December 7, 2021
This data processing agreement (DPA), pursuant to art. 28 General Data Protection Regulation (GDPR), is made between the following parties:
Controller: a customer of neeto (“Customer”, “you”);
Processor: neeto, operated by Neeto, LLC. ("Neeto", "neeto", "we," "our", or “us”).
The subject matter of this DPA and the related processing activities result from the neeto Terms of Service Agreement (“Agreement”) between you and neeto. This DPA amends and supplements your Agreement and requires no further action on your part.
The parties agree that to the extent neeto operates and manages the Service, neeto is acting as a processor under data protection laws on the Customer’s behalf, and the Customer is acting as the controller under data protection laws for the Customer’s end users.
The term of this DPA corresponds to the term of the Agreement.
The categories of personal data processed are:
The personal data collected and processed related to:
The Customer acknowledges that, in connection with the Services, personal data will be transferred to neeto in the United States.
The Standard Contractual Clauses apply with respect to personal data that is transferred outside the European Economic Area (“EEA”), either directly or via onward transfer, to any country not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the data protection laws).
Prior to the execution of this DPA, the Processor shall demonstrate that all necessary technical and organisational measures, specifically with regard to the detailed performance of this DPA, have been adopted and shall, upon request, provide documented evidence thereof to the Controller. Upon acceptance by the Controller, such documented measures become a binding part of this DPA and are attached to it. Insofar as an inspection/audit by the Controller shows the necessity for amendments, such amendments shall be implemented by mutual agreement.
The Processor shall guarantee security in accordance with Article 28 Paragraph 3 Point c, and Article 32 GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 GDPR. Such measures shall guarantee data security and a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the likelihood of data breaches and the severity of risks to the rights and freedoms of natural persons possibly resulting thereof within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.
The technical and organisational measures are subject to technical and technological progress and development. Hence, the Processor may adopt alternative adequate measures adapted to the changed technological environment. When doing so, the processing security level may not be reduced. Substantial changes must be documented.
The Processor may not rectify, erase or restrict the processing of data that is being processed on the Controller's behalf on its own initiative but only upon documented instructions by the Controller, unless the Controller violates the neeto Terms of Service and its access to the Service is terminated as a result of such violation.
Should a Data Subject contact the Processor directly concerning a rectification, erasure, or restriction of processing, the Processor shall immediately forward such Data Subject’s request to the Controller. The requests of erasure, rectification, data portability and access shall be fulfilled by the Processor in accordance with documented instructions by the Controller without undue delay.
In addition to complying with the provisions of this DPA, the Processor commits to meet all applicable statutory requirements set forth at Articles 28 to 33 GDPR. Therefore the Processor ensures, in particular, compliance with the following requirements:
The Processor shall inform the Controller without delay about any changes of Data Protection Officer.
Confidentiality. Processing activities under this DPA shall only be performed by such employees or collaborators and agents that have been instructed by the Processor about the appropriate dealing with personal data and have been contractually subjected to confidentiality pursuant to art. 28 par. 3 (b) and art. 32 GDPR. The Processor and any person acting under its authority who has access to personal data, shall not process that data unless upon instructions by the Controller, including the powers granted under this DPA, unless they are required to do so by statutory law.
Technical and Organisational Measures. Implementation of and compliance with all appropriate Technical and Organisational Measures in the framework of this DPA, in particular as set forth at art. 32 GDPR. The Processor shall periodically monitor the internal processes and the technical and organisational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of data subjects' rights. The Processor shall grant verifiability of the technical and organisational measures to the Controller as part of the Controller’s supervisory powers referred to in sec. 7 of this contract.
Cooperation with Supervisory Authorities. The Controller and the Processor shall cooperate, on request, with the supervisory authority. The Controller shall be informed immediately of any inspections and measures executed by the supervisory authority, insofar as they relate to the activities under this DPA. This also applies insofar as the Processor is under investigation or is party to an investigation by a competent authority in connection with infringements to any provision regarding the processing of personal data in connection with the processing of this DPA. Insofar as the Controller is subject to an inspection by the supervisory authority, an administrative fine, a preliminary injunction or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the processing of data by the Processor as of this DPA, the Processor shall make every effort to support the Controller.
The Processor may outsource part of the processing activities pursuant to this DPA to Subprocessors that, as far as legally required, shall be subject to the contractual obligations resulting from art. 28 par. 4 GDPR.
The Subprocessors that the Processor currently commissions, on the condition of a contractual agreement in accordance with Article 28 paragraphs 2-4 GDPR, are listed in our list of Subprocessors.
The transfer of personal data to any Subprocessor shall only take place after all above-mentioned conditions for the appointment of Subprocessors have been met.
The Processor shall bear full responsibility and liability for the activities of its Subprocessors. Any change in the list of Subprocessors shall be notified to the Controller without undue delay, giving the Controller the option to object. In case of objection, the Processor retains the right to terminate the Contract with the Controller without notice.
In particular, in case a Subprocessor should provide its services outside the EU/EEA, the Processor shall ensure compliance with EU Data Protection Regulations by appropriate measures, as described at sec. 2 of this DPA.
Upon consultation with the Processor, the Controller has the right to carry out inspections or to have them carried out by an auditor to be designated on a case-by-case basis. The auditor shall have the right to assess the Processor's compliance with this DPA in his business operations by means of random checks, which are ordinarily to be announced in advance.
The Processor shall allow the Controller to verify compliance with its obligations as provided by Article 28 GDPR. The Processor undertakes to give the Controller the necessary information on request and, in particular, to demonstrate the implementation of the technical and organisational measures.
Evidence of such measures, which may not only concern the activities under this DPA, may also be provided by:
The Processor shall not process any personal data under this DPA except on instructions from the Controller, unless required to do so by Union or Member State law.
In case the Controller should require any change in the processing of personal data set forth by the documented instructions mentioned at sec. 2, the Processor shall immediately inform the Controller if it considers such changes likely to result in infringements to data protection provisions. The Processor may refrain from carrying out any activity that may result in any such infringement.
Each party to this DPA commits to indemnify the other party for damages or expenses resulting from its own culpable infringement of this DPA, including any culpable infringement committed by its legal representative, subcontractors, employees or any other agents. Furthermore, each party commits to indemnify the other party against any claim exerted by third parties due to or in connection with any culpable infringement by the respectively other party.
Art. 82 GDPR stays unaffected.
The Processor shall not create copies or duplicates of the data without the Controller's knowledge and consent, except for backup copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory data retention requirements.
After conclusion of the provision of services, the Processor shall, at the Controller's choice, delete in a data-protection compliant manner or return to the Controller all the personal data collected and processed under this DPA, unless any applicable legal provision requires further storage of the personal data. In any case the Processor may retain all information necessary to demonstrate orderly and compliant processing activities beyond termination of the Contract, in accordance with the statutory retention periods.
Documentation which is used to demonstrate orderly data processing in accordance with the DPA shall be stored beyond the contract term by the Processor in accordance with the respective retention periods. It may hand such documentation over to the Controller at the end of the contract duration to relieve the Processor of this contractual obligation.
If you have any questions, you can contact us at [email protected] or write to us at Neeto LLC 382 NE 191st St PMB 39793 Miami, FL 33179 USA.