
Data Processing Agreement

Alysio (DPA)

This Data Processing Agreement, including its Schedules, (“DPA”) forms part of the Master Subscription Agreement between Alysio and Customer for the purchase of the Service (the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.

Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.

In the course of providing the Service to Customer pursuant to the Agreement, Alysio may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.

For the avoidance of doubt, signature of the on the Agreement shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2.

HOW THIS DPA APPLIES

If the Customer entity signing this DPA is a party to the Agreement, this DPA is an addendum to and forms part of the Agreement. In such case, the Alysio entity that is party to the Agreement is party to this DPA.

If the Customer entity signing this DPA has executed an Order Form with Alysio or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this DPA is an addendum to that Order Form and applicable renewal Order Form(s), and the Alysio entity that is party to such Order Form is party to this DPA.

1. DATA PROCESSING TERMS

  • “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
  • “Authorized Affiliate” means any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Service pursuant to the Agreement between Customer and Alysio, but has not signed its own Order Form with Alysio and is not a “Customer” as defined under this DPA.
  • “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act, and its implementing regulations.
  • “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
  • “Cookies” means cookies, pixel tags and other similar technologies.
  • “Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
  • “Customer Data” means what is defined in the Agreement as “Customer Data”, provided that such data is electronic data and information submitted by or for Customer to the Service. This DPA does not apply to Connected Applications as defined in the Agreement.
  • “Customer Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Alysio or its Sub-processors.
  • “Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data under the Agreement and the placement of Cookies, including those of the European Economic Area, Switzerland, the United Kingdom and the United States and its states.
  • “Data Subject” means the identified or identifiable person to whom Personal Data relates.
  • “Data Subject Request” means a Data Subject’s legal right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making as set out in applicable Data Protection Laws and Regulations.
  • “Europe” means the European Economic Area, Switzerland and the United Kingdom.
  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
  • “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
  • “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
  • “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
  • “Public Authority” means a government agency or law enforcement authority, including judicial authorities.
  • “Alysio” means Alysio Sales, LLC, a company incorporated in Delaware, US.
  • “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj.
  • “Sub-processor” means any Processor engaged by Alysio.

2. PROCESSING OF PERSONAL DATA

  1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is a Controller or a Processor, Alysio is a Processor and that Alysio will engage Sub-processors pursuant to the requirements set forth in section 5 “Sub-processors” below.
  2. Customer’s Personal Data Obligations. Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations and where Customer is a processor, the instructions of its Controller. Customer confirms that its instructions do not conflict with the instructions of its Controller. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Customer acquired Personal Data. Customer acknowledges that any Processing governed by this DPA has a lawful basis. Customer specifically acknowledges and agrees that (i) its use of the Service will not violate the rights of any Data Subject, including those that have opted-out from sales, placement of Cookies or other disclosures of Personal Data, and (ii) it is solely responsible for evidencing consent for placement of Cookies, in each case to the extent applicable under Data Protection Laws and Regulations.
  3. Alysio’s Processing of Personal Data. Alysio shall Process Personal Data on behalf of and only in accordance with applicable Data Protection Laws and Regulations and Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Service; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. Where Customer is a processor, Customer confirms that its instructions to Alysio are consistent with the terms of the agreement between the Customer and the Controller.
  4. Details of the Processing. The subject-matter of Processing of Personal Data by Alysio is the performance of the Service pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 2 (Description of Processing/Transfer) to this DPA.
  5. Customer Instructions. Alysio shall inform Customer if, in its opinion, Customer’s instructions for the Processing of Personal Data infringe GDPR. Where this relates to instructions from the Customer’s Controller, Customer agrees to immediately inform its Controller.

3. RIGHTS OF DATA SUBJECTS

  1. Notification. Alysio shall, to the extent legally permitted, promptly notify Customer of any complaint, dispute or Data Subject Request it has received from a Data Subject. Where Customer is a processor, Customer agrees to forward any notification it receives from Alysio without undue delay, to its Controller. Alysio shall not respond to a complaint, dispute or Data Subject Request itself, and shall redirect the complaint, dispute or Data Subject Request as necessary to allow Customer to respond directly. Taking into account the nature of the Processing, Alysio shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations.
  2. Assistance. In addition, to the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Alysio shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Alysio is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations.

4. ALYSIO PERSONNEL

  1. Confidentiality. Alysio shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Alysio shall ensure that such confidentiality commitments survive the termination of the personnel engagement.
  2. Reliability. Alysio shall take commercially reasonable steps to ensure the reliability of any Alysio personnel engaged in the Processing of Personal Data.
  3. Limitation of Access. Alysio shall ensure that Alysio’s access to Personal Data is limited to those personnel performing Service in accordance with the Agreement.
  4. Data Protection Officer. Alysio has appointed a data protection officer. The appointed person may be reached at privacy@alysio.ai.

5. SUB-PROCESSORS

  1. Appointment of Sub-processors. Customer acknowledges and agrees that (a) Alysio’s Affiliates may be retained as Sub-processors; and (b) Alysio and Alysio’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service. Alysio or an Alysio Affiliate has entered into a written agreement with each Sub-processor containing, in substance, the same data protection obligations as those in the Agreement with respect to the protection of Customer Data to the extent applicable to the nature of the Service provided by such Sub-processor.
  2. List of Current Sub-processors and Notification of New Sub-processors. The current list of Sub-processors engaged in Processing Personal Data for the performance of each applicable Purchased Service, including a description of their processing activities and countries of location, is listed here: https://alysio.ai/terms-of-service/sub-processors. Customer hereby consents to these Sub-processors, their locations and processing activities as it pertains to their Personal Data. Customer is responsible for re-checking the sub-processor URL to obtain notice of future changes.
  3. Objection Right for New Sub-processors. Customer may reasonably object to Alysio’s use of a new Sub-processor by notifying Alysio promptly in writing within thirty (30) days of Alysio’s notice on the sub-processor page, but Alysio is not obligated to make reasonable efforts to make available to Customer a change in the Service or recommend a commercially reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor. If Alysio is unable to resolve Customer’s objections, Customer may terminate the applicable Order Form(s) with respect only to the Service which cannot be provided by Alysio without the use of the objected-to new Sub-processor by providing written notice to Alysio. Alysio will refund Customer any prepaid but unused Fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service, without imposing a penalty for such termination on Customer.
  4. Liability. Alysio shall be liable for the acts and omissions of its Sub-processors to the same extent Alysio would be liable if performing the services of each Sub-processor directly under the terms of this DPA. Where the performance of the Service requires Alysio to contract with Sub-processors who only offer click-wrap data protection agreements, namely third party cloud hosting providers, Alysio shall not be liable for any Sub-processors’ acts or omissions that are not recoverable under the terms of such data protection agreements because of the Sub-processors’ decision to impose their terms on a non-negotiable basis.

6. SECURITY

  1. Controls for the Protection of Customer Data. Alysio shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in Schedule 3 attached hereto. Alysio regularly monitors compliance with these measures. Alysio will not materially decrease the overall security of the Service during a Subscription Term.
  2. Audit. Alysio shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with the obligations set out in this DPA, including those obligations required by applicable Data Protection Laws and Regulations, as set forth in this section 6.2. Where Customer is a processor, Customer agrees to provide the information demonstrating compliance provided by Alysio in this section 6.2, to its Controller.
    1. Third-Party Certifications and Audits. Alysio has obtained the third-party certifications and audits set forth in Schedule 3 for each applicable Purchased Service. Upon Customer’s written request, and with at least thirty days’ notice, and subject to the confidentiality obligations set forth in the Agreement, Alysio shall make available to Customer (or Customer’s Third-Party Auditor) information regarding Alysio’s compliance with the obligations set forth in this DPA in the form of a copy of Alysio’s then most recent SOC II report and an executive summary of its most recent penetration test. Such third-party audits or certifications may also be shared with Customer’s competent supervisory authority on its request. Where Alysio has obtained a SOC 2, Type II report, Alysio agrees to maintain these certifications or standards, or appropriate and comparable successors thereof, for the duration of the Agreement. Customer acknowledges that any information provided under this Section 6.2 shall be considered Confidential Information.
    2. Legally Mandated On-Site Audits. Where applicable Data Protection Laws and Regulations mandate that Alysio must submit to an on-site audit by the Customer, Alysio will permit Customer (or its Third-Party Auditor) to conduct an audit of the Processing undertaken by Alysio in respect of the provision of the Service. Such on-site audits shall take place on reasonable notice and no more than annually, or if there are indications of non-compliance with this DPA from the third party certifications provided in accordance with section 6.2.1 above, more frequently.
  3. Data Protection Impact Assessment. Upon Customer’s request, Alysio shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under Data Protection Laws and Regulations to carry out a data protection impact assessment related to Customer’s use of the Service, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Alysio.

7. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION

  1. Notification. Alysio maintains security incident management policies and procedures. Alysio shall notify Customer without undue delay after becoming aware of a “Customer Data Incident”.
  2. Alysio Responsibilities. In respect of such Customer Data Incident, Alysio shall: (i) make reasonable efforts to identify the cause; (ii) take such steps as Alysio deems necessary and reasonable to remediate the cause to the extent the remediation is within Alysio’s reasonable control; (iii) cooperate reasonably with the Customer and provide Customer with the information needed to fulfil its data breach obligations under Data Protection Laws and Regulations; (iv) take other further measures and actions that Alysio determines are necessary to remedy or mitigate the effects of the security incident, and (v) except as required by law, Alysio will not take action to notify Data Subjects of any security incident.
  3. Exclusions. The obligations imposed on Alysio and set out in section 7.2, shall not apply to incidents that are caused by Customer or Customer’s Users.

8. RETURN AND DELETION OF CUSTOMER DATA

  1. Customer Data. Customer may download Customer Data at any time during the term of the Agreement and for thirty (30) days after termination of the Agreement or this Addendum. Thirty (30) days after the termination of the Agreement or of this Addendum, and to the extent allowed by applicable law and/or Alysio’s ongoing contractual obligations, Alysio shall destroy the Customer Data. Customer acknowledges that Customer Data may be stored by Alysio after the Termination Date pursuant to Alysio’s data retention rules and back-up procedures until it is eventually deleted. To the extent that any portion of Customer Data remains in the possession of Alysio following the Termination Date, Alysio’s obligations set forth in this DPA shall survive termination of the Agreement or this DPA with respect to that portion of the Customer Data until it is deleted.

9. AUTHORIZED AFFILIATES

  1. Contractual Relationship. The parties acknowledge and agree that, by executing the Agreement, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Alysio and each such Authorized Affiliate subject to the provisions of the Agreement and this section 9 and section 10. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate is not and does not become a party to the Agreement, and is a party only to this DPA. All access to and use of the Service by Authorized Affiliates must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate shall be deemed a violation by Customer.
  2. Communication. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with Alysio under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
  3. Rights of Authorized Affiliates. Where an Authorized Affiliate becomes a party to this DPA with Alysio, it shall to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following: Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate to exercise a right or seek any remedy under this DPA against Alysio directly by itself, the parties agree that (i) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA, not separately for each Authorized Affiliate individually, but in a combined manner for itself and all of its Authorized Affiliates together.

10. LIMITATION OF LIABILITY

  1. Limitations. Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Alysio, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
  2. Aggregate and Several Liability. For the avoidance of doubt, Alysio’s and its Affiliates’ total liability for all claims from Customer and all of its Authorized Affiliates arising out of or related to the Agreement and all DPAs shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.

11. EUROPE SPECIFIC PROVISIONS

  1. Definitions. For the purposes of this section 11 and Schedule 1 these terms shall be defined as follows:
    1. "EU C-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Two (Controller-to-Processor).
    2. "EU P-to-P Transfer Clauses" means Standard Contractual Clauses sections I, II, III and IV (as applicable) to the extent they reference Module Three (Processor-to-Processor).
  2. Transfer mechanisms for data transfers. If, in the performance of the Service, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, the transfer mechanisms listed below shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Data Protection Laws and Regulations of Europe:
    1. The EU C-to-P Transfer Clauses. Where Customer and/or its Authorized Affiliate is a Controller and a data exporter of Personal Data and Alysio is a Processor and data importer in respect of that Personal Data, then the Parties shall comply with the EU C-to-P Transfer Clauses, subject to the additional terms in Schedule 1.
    2. The EU P-to-P Transfer Clauses. Where Customer and/or its Authorized Affiliate is a Processor and a data exporter of Personal Data and Alysio is a Processor and data importer in respect of that Personal Data, then the Parties shall comply with the EU P-to-P Transfer Clauses, subject to the additional terms in Schedule 1.

12. COMPLIANCE WITH CCPA.

  1. CCPA. To provide the Service, Customer may disclose Personal Information to Alysio. The parties agree that to provide the Service, Alysio is acting as a “Service Provider” pursuant to §1798.140 of the California Consumer Protection Act (“CCPA”). Alysio shall not retain, use, or disclose Personal Information provided by Customer pursuant to this Agreement except as necessary for the specific purpose of providing the Service and the Professional Services, as applicable, pursuant to this Agreement or as otherwise set forth in this Agreement or as permitted by the CCPA. Alysio will not sell Personal Information. Customer is responsible for responding to Consumer requests using Customer’s own access to the relevant Personal Information. Upon Customer’s written request, and subject to and in accordance with all applicable laws, Alysio will provide assistance, as required under CCPA, to Customer for the fulfillment of Customer’s obligations to respond to requests to exercise Consumer’s rights under CCPA with respect to Personal Information provided by Customer pursuant to this Agreement, to the extent Customer is unable to access the relevant Personal Information itself. To the extent legally permitted, Customer shall be responsible for any costs arising from Alysio’s provision of such assistance.

List of Schedules

Schedule 1: Transfer Mechanisms for European Data Transfers

Schedule 2: Description of Processing/Transfer

Schedule 3: Technical and Organizational Security Measures.
