Decidr

START YOUR AI JOURNEYTALK TO US
Decidr logo

Decidr Client Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated by reference into the Order Form or Master Agreement between Decidr and the Client (the “Agreement”). By executing an Order Form that references the Agreement, the Client agrees to the terms of this DPA.

By executing an Order Form or Agreement that incorporates this DPA by reference, Client is deemed to have accepted the terms of this DPA on behalf of itself and, to the extent required under applicable law, on behalf of its Data Controller Affiliates (defined below) (collectively, “Client”). For the purposes of this DPA only, and except as otherwise indicated, the term “Client” will include Client and its Data Controller Affiliates.

  1. Data Processing
    1. Scope and Roles: This DPA applies when Client Personal Data is processed by Decidr under applicable Data Protection Law. In this context, where the law provides for the roles of “controller” and “processor,” Client is the Controller of the Client Personal Data covered by this DPA, and Decidr will be a Processor processing Client Personal Data on behalf of Client and this DPA will apply accordingly.
    2. Details of Data Processing.
      1. Subject Matter. The subject matter of the data Processing under this DPA is Client Personal Data.
      2. Duration. The duration of the Processing under this DPA is determined by the Agreement. Regardless of whether the Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Decidr deletes or anonymizes all Client Personal Data as described in the Agreement.
      3. Purpose. The purpose of the processing under the DPA is the provision of the Services by Decidr to Client as specified in the Agreement.
      4. Nature of the Processing. Client Personal data is processed by Decidr in connection with the Services under the Agreement and/or any applicable Order.
      5. Categories of Data Subjects. The Data Subjects of Client which may include Clients’ Authorised Users, employees, contractors, suppliers, or other third parties whose Personal Data is uploaded by Client for use in connection with the Services.
      6. Categories of data. Identifiers (contact detail including name, email, phone number, and addresses); Employment Data (professional data, contact details, hours worked, site access) IT Data (IP addresses, browser type, language preferences, cookies data); and other Personal Data that Client or its Authorised Users elect to submit to the Services.
      7. Special categories of data (if appropriate). Decidr and/or its Subprocessors do not intentionally collect or process any special categories of data in connection with the provision of the Services under the Agreements. However, Client or its Affiliates may choose to include this type of data within content that the Client instructs Decidr to process on its behalf.
    3. Compliance with the laws. Each party will comply with all laws, rules, and regulations applicable to it and binding on it in the performance of this DPA.
    4. Jurisdiction Specific Terms. Certain jurisdictions require other specific terms. Where required under applicable Data Protection Law, this DPA fully incorporates the applicable Jurisdiction Specific Terms as follows:
      1. European Economic Area: European Union Regulations and EEA Member State laws, other than GDPR, requiring a contract governing the processing of personal data, identical to or substantially similar to the requirements specified in Art. 28 of the GDPR. For the purposes of the GDPR, processing of personal data by Decidr on behalf of Client is subject to the terms of the DPA and the EU SCCs.
      2. United Kingdom: The UK General Data Protection Regulation (as incorporated into UK law under the European Union (Withdrawal) Act 2018), and the UK Data Protection Act 2018, both as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, as amended, superseded, or replaced. For the purpose of Section 8 of the DPA, the European Commission decision 2010/87/EU on standard contractual clauses will be implemented for transfers to Non-Adequate Countries subject to the UK General Data Protection Regulation (“UK SCC”), and: (a) the information set out in Annex I of the Appendix to the EU SCCs as set forth above will be deemed to be set out in Appendix 1 of such UK SCCs; (b) the information set out in Annex II to the EU SCCs as set forth above will be deemed to be set out in Appendix 2 of such UK SCCs; (c) the optional illustrative indemnification Clause will not apply; (d) the UK SCCs will be deemed to have been updated in accordance with the recommendations of the Information Commissioner's Office so that they are suitable for transfers from the UK; and (e) Clauses 14 and 15 of the EU SCCs will be deemed incorporated into the DPA so as to also apply to the transfer of Client Personal Data with any changes deemed made to reflect the applicability of the UK GDPR to that data as opposed to the GDPR. In relation to any transfer of Client Personal Data protected by the UK GDPR, in the event that the competent United Kingdom authority issues alternative standard contractual clauses for transfers of Personal Data from a controller to a processor (i) Decidr may on reasonable notice to Client amend the DPA and/or these Jurisdiction Specific Terms to replace the UK SCCs referred to in this Rider with such alternative SCCs and any such amendments or supplemental provisions to the alternative SCCs deemed necessary by Decidr, in its sole discretion, for the purpose of the DPA and/or the Rider ("New UK SCCs"), and (ii) from the date of such notice, any reference in the DPA to UK SCCs will be deemed to refer to such New UK SCCs.
      3. Switzerland: Swiss Federal Data Protection Act (“FDPA”). Decidr’s obligations to a Client under the DPA are only those express obligations imposed by FDPA. Each party is responsible for fulfilling its respective obligations set out in the FDPA, and Decidr will process Personal Data to a standard of protection at least comparable to the standard provided under the FDPA and complying with the terms of the Agreement. For the purpose of Section 8 of the DPA and in relation to Personal Data that is protected by the FDPA, the EU SCCs will apply with the following modifications: (a) any references in the EU SCCs to “Directive 95/46/EC” or “Regulation (EU) 2016/679” will be interpreted as references to the FDPA; (b) references to “EU”, “Union”, “Member State”, and “Member State law” will be interpreted as references to Switzerland and Swiss law, as the case may be; and (c) references to the “competent supervisory authority” and “competent courts” will be interpreted as references to the Swiss Federal Data Protection and Information Commissioner and competent courts in Switzerland, unless the EU SCCs as implemented above cannot be used to lawfully transfer such Personal Data in compliance with the Swiss DPA, in which event the Swiss SCCS will instead be incorporated by reference and form an integral part of this Addendum and will apply to such transfers. Where this is the case, the relevant Annexes of the Swiss SCCs will be populated.
      4. Brazil: Brazilian Law No. 13,709/2018 – Brazilian General Data Protection Law, Lei Geral de Proteção de Dados (“LGPD”). Decidr’s obligations to a Client under the DPA are only those express obligations imposed by LGPD on a “Data Processor (operador)” for the benefit of a “Data Controller (Controlador)” (including new Section 10 below), as “Data Controller (controlador)” and “Data Processor (operador)” are defined by the LGPD. Each party is responsible for fulfilling its respective obligations set out in the LGPD, and Client issues Processing instructions consistent with Section 2.1 of the DPA in order to enable Decidr to fulfill its LGPD obligations. For the purpose of Section 8 of the DPA, the EU SCC will be used for transfers to non-adequate countries as per GDPR.
      5. Singapore: Personal Data Protection Act 2012 (“PDPA”). Decidr’s obligations to Client under the PDPA are only those express obligations imposed by the PDPA that require that an “Organisation” and “Data Intermediary” to have in place. Each party is responsible for fulfilling its respective obligations set out in the PDPA, and Decidr will process Personal Data to a standard of protection at least comparable to the standard provided under the PDPA and complying with the terms of the Agreement. The terms used in the applicable provisions of the DPA will be replaced as follows: “Controller” will mean “Organisation”; “Processor” will mean “Data Intermediary”; and “Data Subject” will mean “Individual” (collectively, the “replaced terms”). Further, the replaced terms will have the definitions ascribed to in the PDPA.
      6. State of California, United States: The California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations. Decidr’s obligations to Client under the DPA are only those express obligations imposed by the CCPA that require that a “Business” and a “Service Provider” to have in place. Each party is responsible for fulfilling its respective obligations set out in the CCPA. Decidr will not collect, sell, retain, disclose, or use the Personal Information of the Consumer for any purpose other than to perform the Subscription Services specified in the Agreement, or as otherwise permitted by CCPA. Decidr certifies that it understands and will comply with the restrictions set forth herein. The terms used in the applicable provisions of the DPA will be replaced as follows: “Personal Data” will mean “Personal Information”; “Controller” will mean “Business”; “Processor” will mean “Service Provider”; and “Data Subject” will mean “Consumer” (collectively, the “replaced terms”). Further, the replaced terms will have the definitions ascribed to in the CCPA.
  2. Documented Instructions
    1. Client Instructions. Client will, in its use of the Services, at all times provide documented instructions to Decidr for the Processing of Client Personal Data, in compliance with applicable Data Protection Law. The Parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Decidr’s Processing of Client Personal Data (“Documented Instructions”). Decidr will Process Client Personal Data in accordance with Client’s Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Decidr and Client, including agreement on any additional fees payable by Client to Decidr for carrying out such instructions.
    2. Obligations and Indemnity. Client will ensure that its Documented Instructions comply with all laws, rules, and regulations applicable to the Client Personal Data, and that the Processing of Client Personal Data per Client's Documented Instructions will not cause Decidr to be in breach of applicable Data Protection Law. Client is solely responsible for the accuracy, quality, and legality of (a) the Client Personal Data provided to Decidr by or on behalf of Client; (b) how Client acquired any such Client Personal Data (e.g., appropriate notice and/or consent); and (c) the Documented Instructions it provides to Decidr regarding the Processing of such Personal Data. Client will not provide or make available to Decidr any Personal Data in violation of the Agreement, this DPA, or otherwise inappropriate for the nature of the Services and will indemnify Decidr from all claims and losses in connection therewith.
  3. Confidentiality of Client Personal Data. Decidr will not access or use, or disclose to any third party, any Client Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law, a Public Authority Request and/or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Decidr a demand for Client Personal Data, Decidr will attempt to redirect the governmental body to request that data directly from Client. As part of this effort, Decidr may provide Client’s basic contact information to the governmental body. If compelled to disclose Client Personal Data to a governmental body, then Decidr will give Client reasonable notice of the demand to allow Client to seek a protective order or other appropriate remedy unless Decidr is legally prohibited from doing so.
  4. Authorised persons. Decidr will ensure that all persons Authorised to Process Client Personal Data on behalf of Decidr are made aware of the confidential nature of the Client Personal Data, and have committed themselves to confidentiality (e.g., by confidentiality agreements) or are under an appropriate statutory obligation of confidentiality.
  5. Authorised Subprocessors. Client hereby generally authorizes Decidr to engage Subprocessors in accordance with this Section 5. Client approves the Subprocessors currently disclosed in Appendix A. If Client transfers Client Personal Data to Decidr under the SCCs, the above authorization will constitute Client's prior written consent to the subcontracting by Decidr of the Processing of Client Personal Data if such consent is required under the SCCs. Decidr may remove, replace, or appoint suitable and reliable Subprocessors, provided that Decidr will maintain an up-to-date list of its Subprocessors on Decidr’s website which allows Client to subscribe to notifications of any updates. Decidr will provide Client with an opportunity to object to any change in its Subprocessors where required under applicable Data Protection Law.
    1. Objections. If the Client reasonably objects to the engagement of a new Subprocessor, Decidr will have the right to cure the objection through one of the following options (to be selected at Decidr’s sole discretion): (a) Decidr cancels its plans to use the Subprocessor with regard to Client Personal Data; (b) Decidr will take the corrective steps requested by Client in its objection (which removes Client’s objection) and proceed to use the Subprocessor with regard to Client Personal Data; (c) Decidr may cease to provide or Client may agree not to use (temporarily or permanently) the particular aspect of the Service that would involve the use of such Subprocessor with regard to Client Personal Data; and (d) Decidr provides Client with a written description of commercially reasonable alternative(s), if any, to such engagement, including without limitation modification to the Services. If Decidr, in its sole discretion, cannot provide any such alternative(s), or if Client does not agree to any such alternative(s) if provided, Decidr and Client may terminate this DPA with prior written notice, or suspend the affected Services. Termination will not relieve Client of any fees or charges owed to Decidr for Services provided up to the effective date of the termination under the Agreement. In the event that Decidr elects to suspend Client’s access to and use of affected Services, such suspension will relieve Client of any fees or charges owed to Decidr for such Services after the effective date of the suspension. If Client does not object to a new Subprocessor’s engagement within ten (10) days of notice by Decidr, that new Subprocessor will be deemed accepted.
    2. Subprocessor Obligations. Where Decidr authorizes a Subprocessor as described in Section 5.1:
      1. Decidr will restrict the Subprocessor’s access to Client Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Decidr will prohibit the Subprocessor from accessing Client Personal Data for any other purpose;
      2. Decidr will enter into a written agreement with the Subprocessor and, to the extent that the Subprocessor performs the same data processing services provided by Decidr under this DPA, Decidr will impose on the Subprocessor the same contractual obligations that Decidr has under this DPA; and
      3. Decidr will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Decidr to breach any of Decidr obligations under this DPA.
    3. Security; Audits; Personal Data Breach; Impact Assessments
      1. Security. Decidr’s provision of the Services will be consistent with the measures described in Appendix B.
        1.  Updates to Decidr Security Controls. Client is responsible for reviewing the information made available by Decidr relating to data security and making an independent determination as to whether the Security Controls set forth in Section 6.1, above, meet Client’s requirements and legal obligations under applicable law. Client acknowledges that the Security Controls are subject to technical progress and development and that Decidr may update or modify the Security Controls from time to time provided that such updates and modifications do not materially degrade the overall security of the Services during the Subscription Term.
      2. Confidential Security Reports and Audits. For the duration of its processing of Client Personal Data, Decidr will maintain compliance with appropriate security standards for its industry. Upon request, Decidr will, no more than once per calendar year make available for Client’s review, a summary copy of an audit report(s) (“Report”) that reflects such compliance, a request may be made by emailing Decidr at dpareport@decidr.ai. Client acknowledges and agrees that such Reports are Decidr’s Confidential Information. Decidr will also provide a requesting Client with a Report and/or confirmation of Decidr’s own audits and/or a report of third-party auditors’ audits of its Subprocessors that have been provided by those Subprocessors to Decidr, to the extent such reports or evidence may be shared with Client (“Third-party Subprocessor Audit Reports”). Client acknowledges that (a) Reports and Third-party Subprocessor Audit Reports will be considered Confidential Information as well as confidential information of the third-party Subprocessor, and (b) certain third-party Subprocessors to Decidr may require Client to execute a non-disclosure agreement with them in order to view a Third-party Subprocessor Audit Report.
      3. Personal Data Breach. In the event of a Personal Data Breach, except where prohibited by law, Decidr will notify Client without undue delay and otherwise respond as described in 6.3.1 below. In addition, Decidr will, taking into account the nature of the Processing and the information available to Decidr assist Client in ensuring compliance with its obligations under applicable Data Protection Law to conduct a data protection impact assessment and, with prior notice, to assist with consultations with the Competent Supervisory Authority (defined below), where required.
        1. Practices. Decidr does and will (a) maintain and follow a documented incident response plan and associated procedures consistent with industry standards for Personal Data Breach handling; (b) investigate Personal Data Breach of which Decidr becomes aware, and, within the scope of the Services, and take such steps as Decidr in its sole discretion deems necessary and reasonable to remediate such Personal Data Breach; and (c) notify Client without undue delay upon confirmation of a Personal Data Breach that is known or reasonably suspected by Decidr to affect Client Personal Data, and provide Client with reasonably requested information about such Personal Data Breach and the status of the remediation and restoration activities. The obligations herein will not apply to a Personal Data Breach caused by Client, Client’s Authorised Users or misuse of Client’s Access Credentials. Decidr’s obligation to report or respond to a Personal Data Breach under this Section 6 is not and will not be construed as an acknowledgement by Decidr of any fault or liability of Decidr with respect to the Personal Data Breach.
    4. Decidr Assistance with Data Subject Requests. Decidr will inform Client of requests from Data Subjects exercising their Data Subject rights under applicable Data Protection Law (e.g., including but not limited to rectification, deletion and blocking of data) addressed directly to Decidr regarding Client Personal Data. Client will be responsible for handling such requests of Data Subjects. Upon a written request for assistance by Client, Decidr will reasonably assist Client with handling such Data Subject request. Decidr may charge Client no more than a reasonable charge to perform such assistance, and such charges will be set forth in a quote and agreed in writing by the Parties, or as set forth in the Agreement. If Client does not agree to the quote, the Parties agree to reasonably cooperate to find a feasible solution.
    5. International Transfers of Personal Data
      1. U.S. Based Processing; Notification of Changes. Client acknowledges and agrees that Decidr may transfer and process Client Personal Data to and in the United States and anywhere else in the world where Decidr, its Affiliates, or its Subprocessors maintain data processing operations. Decidr will ensure that such transfers are made in compliance with applicable Data Protection Law and this DPA.
      2. Application of SCCs. The applicable SCC Controller-to-Processor Clauses will apply to Client Personal Data that is transferred via the Services from Europe (defined below) and/or the United Kingdom, either directly or via onward transfer, to any country not recognized by the European Commission, the Swiss Federal Data Protection and Information Commissioner and/or a competent United Kingdom regulatory authority or governmental body as providing an adequate level of protection for Client Personal Data.
        1. For purposes of this DPA, if the SCCs apply, this DPA fully incorporates the SCCs as Attachment 1. If Client submits Client Personal Data to the Services for Processing by Decidr, Client and Decidr will be deemed to have entered into the SCCs, where applicable, and the submission of such Client Personal Data to the Services will constitute Client’s prior written consent to the transfer and Processing by Decidr if such consent is required under the SCCs. The SCCs will not apply where the Client Personal Data is transferred in accordance with an Alternative Transfer Mechanism (defined below), such as when necessary for the performance of Services pursuant to the Agreement or on Client’s Documented Instructions.
      3. Explicit Consent and Notice. Client will bear sole responsibility for obtaining its Authorised User’s and/or Data Subjects’ informed and explicit consent prior to the transfer of any Client Personal Data to Decidr in a manner consistent with the applicable Data Protection Law. If, at any time, an Authorised User and/or Data Subject withdraws any consent given pursuant to this Subsection, Client will immediately inform Decidr in writing at privacy@Decidr.com and cease use and collection of Client Personal Data related to such objecting Authorised User and/or Data Subject. Client will keep an electronic record of all consents given, and any consents withdrawn, by Authorised Users and/or Data Subjects and will make such records available to Decidr upon request as required by law.
    6. Effect of Termination.
      1. Upon termination or expiration of the Agreement, Decidr will (at Client's written request) anonymize all Client Personal Data in its possession or control. This requirement will not apply to the extent Decidr is required by applicable law to retain some or all of the Client Personal Data.
      2. Client acknowledges that the Services are used as a system of record and that data uploaded to the Services is required to be retained under applicable laws for the establishment, exercise, or defense of legal claims. As an equivalent to deletion, Decidr will permanently and securely anonymise Client Personal Data to the extent no individual could be identified.
    7. Indemnification by Client. To the maximum extent permitted by applicable law and in addition to any other remedy that is available, including the indemnities provided in the Agreement, Client agrees to defend, indemnify and hold harmless Decidr, its Affiliates and Decidr’s Subprocessors, including their respective officers, directors, employees, agents, successors, representatives, agents, resellers and assigns (each, a “Decidr Indemnitee”) from and against any and all Losses resulting from Client’s violation of this DPA and/or the infringement or violation by Client, its Authorised Users, or any other user of Client’s Access Credentials, of any privacy or other right of any person under applicable Data Protection Law.
    8. Limitation of Liability
      1. Exclusion of Damages. UNDER NO CIRCUMSTANCES AND REGARDLESS OF THE NATURE OF ANY ACTION WILL THE DECIDR INDEMNITEES BE LIABLE, DIRECTLY OR INDIRECTLY, IN WHOLE OR IN PART, TO CLIENT OR TO ANY OTHER PERSON OR ENTITY FOR ANY LOSSES OR LOSS, DAMAGE, CORRUPTION OR RECOVERY OF CLIENT PERSONAL DATA ARISING FROM OR RELATING TO CLIENT’S BREACH OF ITS OBLIGATIONS IN THIS DPA.
      2. Limitation of Liability. Each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Client and its Data Controller Affiliates and Decidr, whether in contract, tort or under any other theory of liability, is subject to the “Limitation of Liability” section of the Agreement and the applicable cap (maximum) for the relevant party set forth in the Agreement. Any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together. For the avoidance of doubt, the Decidr Indemnitees’ total liability for all Actions by Client and all of Clients Affiliates (including Data Controller Affiliates) arising out of or related to the Agreement and all DPAs will apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, and, in particular, will not be understood to apply individually and severally to Client and/or to any Client Affiliate that is a contractual party to any such DPA. To the extent required by applicable law, (a) this Section is not intended to modify or limit the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability under Data Protection Law, or (b) limit either Party’s responsibility to pay penalties imposed on such Party by a regulatory authority.
    9. Survival of the DPA. This DPA will continue in force until the termination of the Agreement (the “Termination Date”), provided that the data protection obligations of this DPA and the SCCs will continue to apply for so long as Decidr processes Client Personal Data.
    10. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (a) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein.
    11. Entire Agreement; Order of Precedence. Except as supplemented by this DPA, the Agreement will remain in full force and effect. Any conflict between the terms of the Agreement and this DPA related to the processing of Client Personal Data are resolved in the following order of priority: (1) the Standard Contractual Clauses, where applicable; (2) the DPA; and (3) the Agreement.
    12. Definitions. Unless otherwise defined in the Agreement, all capitalized terms used in this DPA will have the meanings given to them below:
      1. Access Credentials” means any user name, identification number, password, license or security key, security token, PIN, or other security code, method, technology, or device used, alone or in combination, to verify an individual’s identity and authorization to access and use the Services.
      2. Action” means any claim, action, cause of action, demand, lawsuit, arbitration, inquiry, audit, notice of violation, proceeding, litigation, citation, summons, subpoena, or investigation of any nature, civil, criminal, administrative, regulatory, or other, whether at law, in equity, or otherwise.
      3. Affiliates”, “Client Data”, “Decidr”, and “Services” will each have the meaning ascribed to it in the Agreement.
      4. Alternative Transfer Mechanism” means a mechanism, other than SCCs that enables the lawful transfer of Personal Data from Europe or the U.K. to a third country in accordance with applicable Data Protection Law.
      5. Competent Supervisory Authority” means, in accordance with Clause 13 of the EU SCCs, (i) the supervisory authority applicable to the data exporter in its EEA country of establishment or, (ii) where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or (iii) where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located. With respect to Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the “ICO”). With respect to Personal Data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
      6. Controller” means the entity that determines as a legal person alone or jointly with others the purposes and means of the Processing of Personal Data. Unless otherwise specified, Controller or "data exporter" refers to Client.
      7. Client”, as used on this DPA, will include Client (as defined in the Agreement) and its Data Controller Affiliates.
      8. Client Personal Data” means Client Data submitted to Decidr for Processing in connection with the Services pursuant to the Agreement, which contains Personal Data.
      9. Data Controller Affiliates” means any of Client’s Affiliates that have not signed or otherwise accepted their own Order with Decidr and therefore would not be a “Client” as defined under the Agreement but is an entity which is: (i) subject to Data Protection Law; and (ii) permitted to use the Decidr Services pursuant to the Agreement between Client and Decidr. For the avoidance of doubt, no third-party beneficiaries are intended.
      10. Data Protection Law” means any data protection and privacy laws and regulations that are applicable to the processing of Client Personal Data by Decidr, including, where applicable, the laws listed in Decidr’s Jurisdiction Specific Terms, as may be amended, superseded, or replaced from time to time.
      11. Data Subject” means the identified or identifiable person to whom Client Personal Data relates.
      12. Documented Instructions” has the meaning ascribed in Subsection 2.1 of this DPA.
      13. Europe” means the European Economic Area and Switzerland.
      14. GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC (General Data Protection Regulation).
      15. including” and its derivatives mean “including but not limited to.”
      16. Losses” means any and all losses, damages, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including reasonable attorneys’ fees, expert witness fees, settlement amounts, and the costs of enforcing any right to indemnification hereunder and the cost of pursuing any insurance providers.
      17. “Personal Data” means any data that relates to an identified or identifiable natural person, to the extent that such information is protected under applicable Data Protection Law.
      18. Personal Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data Processed by Decidr or Decidr’s Subprocessors.
      19. Decidr Indemnitee” will have the meaning ascribed to it in Section 11, above.
      20. “Processing” (unless defined differently under applicable Data Protection Law) means any operation or set of operations which is performed upon Personal Data, manually or automatically, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
      21. “Processor” means an entity which Processes Personal Data on behalf of the Controller pursuant to the Agreement. Processor or "data importer" in this DPA refers to Decidr.
      22. Public Authority Request” means a government agency or law enforcement authority, including a judicial authority request for information.
      23. Services” means Decidr’s Services as set forth in the Agreement.
      24. Standard Contractual Clauses” or “SCCs” means : (i) where the GDPR applies the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU SCCs”); (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (the “UK SCCs”); and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or otherwise recognized by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”) (the “Swiss SCCs”).
      25. Subprocessor” means any Processor engaged by Decidr to assist in processing Client Personal Data in connection with the Services per Client’s Documented Instructions under the terms of the Agreement and this DPA. Subprocessors may include Decidr’s Affiliates, but will exclude Decidr employees, contractors, and consultants. 
      26. UK GDPR” means the UK General Data Protection Regulation, as retained in UK law by the European Union (Withdrawal) Act 2018 and renamed by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the UK's Data Protection Act 2018.

    Apply to receive a subsidised AI business today