Looking to schedule a demo?

Click Here

Data Processing Agreement

Effective Date: 13th September 2023

Version number: 1. 1

Data Processing Agreement

This Data Processing Agreement (the “DPA”) forms part of FigPii’s Terms of Use (the “Principal Agreement”), and is incorporated into the Principal Agreement by reference. FigPii reserves the right to make changes to the respective Agreements at any time without notice. Any updated versions of the aforesaid Agreements will be posted on our website.

1. Introduction

This DPA applies when you sign up for our services, and FigPii acts as the Processor of your Personal Data. When we provide these services to you, you are the Controller of the Personal Data that we Process because you decide why and how we Process that Personal Data.

2. Definitions and Interpretations

2. 1. The defined terms in this DPA supplement the terms of the Principal Agreement. Terms not defined herein will have the meaning as set forth in the Principal Agreement. If there is a conflict between any of the Principal Agreement’s provisions and this DPA’s provisions, the provisions of the DPA will prevail.

Controller means the person who decides why and how personal data will be processed. This would be you, our Customer.

Data Protection Law means any and all data protection laws and regulations that apply to FigPii’s Processing of Personal Data under the DPA including, the GDPR, the Protection of Personal Information Act 4 of 2013, ePrivacy laws and, to the extent applicable, the data protection or privacy laws of any other country;

Data Subject means the person whose data is processed, which are your customers or site visitors.

GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

Personal Data means any data or information that relates to an individual who can be directly or indirectly identified. For example, names and email addresses are personal data. Location information, ethnicity, gender, biometric data, religious beliefs, web cookies, and political opinions can also be personal data.

Personal Data Breach any unauthorized or otherwise unlawful personal data processing.

Process I Processing means any action performed on data, whether automated or manual. This would include collecting, recording, organizing, structuring, storing, using, or erasing. Thus, basically doing anything with data.

Processor means FigPii, a third party that processes personal data on behalf of a data controller.

Standard Contractual Clauses” means the new Standard Contractual Clauses (the “SCCs”) adopted by the European Commission on 4 June 2021 to facilitate the transfer of data between EU/EEA and non-EU/EEA countries.

Subprocessor means any person appointed by or on behalf of the Processor to process Personal Data on behalf of FigPii in connection with the Agreement.

3. Agreement Subject Matter

3. 1. Application. The DPA applies when FigPii Processes your Personal Data subject to the applicable Data Protection Law.

3. 2. Acceptance. By using our products and services you are deemed to have read, understood, accepted, and agreed to be bound by all of the terms of the respective Agreements.

3. 3. Duration. FigPii will Process Personal Data until the Principal Agreement expires or terminates, unless otherwise agreed in writing, subject to clause 4. 1. 5 below.

3. 4. Limitations. DPA does not apply where FigPii Processes data on either Controller or Data Subject’s behalf in terms of any activity not set out in the Principal Agreement.

3. 5. Details of Processing. The following details related to the Processing is described in the Principal Agreement and our Privacy Policy, which are incorporated into this DPA by reference:

3. 5. 1. the Processing’s subject-matter;

3. 5. 2. the Processing’s nature;

3. 5. 3. the Processing’s purpose;

3. 5. 4. the Personal data type;

3. 5. 5. the Data Subject categories; and

3. 5. 6. the Controller’s rights.

4. Data Processing and Protection

4. 1. Processor’s Obligations

4. 1. 1. Processing of Data

4. 1. 2. Data Transfer

4. 1. 3. Processors Personnel

4. 1. 4. Security Measures

4. 1. 5. Return or Deletion of Personal Data

4. 1. 6. Subprocessing

4. 1. 7. Authorised Subprocessors

Subprocessor Name Purpose of Processing Location of Processing
Fastly, Inc. For CDN, Fastly, Inc. (“Fastly”) provides content distribution, security and DNS services for web traffic transmitted to and from the Services. Secure and manage traffic to the Services, with access to URL interactions and IP addresses. Further reading: Compliance. Global, Fully GDPR Compliant
Cloudflare, Inc. For CDN, Cloudflare, Inc. (“Cloudflare”) provides content distribution, security and DNS services for web traffic transmitted to and from the Services. Secure and manage traffic to the Services, with access to URL interactions and IP addresses. Further reading: Compliance. Global, Fully GDPR Compliant
Amazon Web Services Cloud Hosting Services (SOC 2 Type 2, SOC 3 audited, ISO 27001,27017,27018 Certified). Further reading: GDPR Compliance. United States (Us-east-1), Ireland (eu-west-1), Global
OVH Cloud Services Cloud Hosting Services, long-term storage, list of certifications. Further reading: Compliance. Quebec, Canada, Fully GDPR Compliant

4. 1. 8. Specific obligations

FigPii will ensure that its Subprocessors are bound by data protection obligations compatible with our obligations as a Processor under this DPA.

4. 2. Controller’s Obligations

4. 2. 1. Warranties. Controller warrants that it has all necessary rights to provide the Personal Data to FigPii.

4. 2. 2. Responsibilities. Controller must make sure that certain designated personnel within their organisation:

to the extent that applicable Data Protection Law requires.

5. Processing of Personal Data outside of the European Economic Area (the “EEA”)

5. 1. Standard Contractual Clauses

5. 1. 1. When does it apply?

The Standard Contract Clauses apply to any Processing where the parties:

5. 1. 2. When does it not apply?

5. 1. 3. Adequate protection

The Parties will assess whether the following requirements are met:

Supplementary measures may be taken to ensure a level of protection equivalent to the protection provided under the applicable data protection law, if the requirements in this clause are not met. The Parties will implement the guidance from the relevant supervisory authority to determine the supplementary measures they must put in place.

6. General Terms

6. 1. Confidentiality

FigPii will keep all Personal Data confidential, and will not disclose it to any third party except as is required by law.

6. 2. Notices

All notices and communications given under this Agreement must be in writing and will be sent via email. Controller will be notified via email sent to the address related to its use of the Services under the Principal Agreement. FigPii will be notified via email, sent to the address: legal@FigPii. com.

6. 3. Liability and indemnity

Each Party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses that the other party incurs arising out of a breach of this DPA or Applicable Data Protection law by the indemnifying party, provided that:

6. 3. 1. each Party provides the other with a notice of the claim promptly after receiving it;

6. 3. 2. the indemnified Party gives the indemnifying Party the right to control the defence;

6. 3. 3. the indemnified Party will provide the indemnifying Party with reasonable assistance as necessary; and

6. 3. 4. the indemnified Party will avoid admission of liability.

Contact

If there are any questions regarding this Statement you may contact FigPii using the information below:

Have any questions? Contact us at support@figpii.com.