GDPR DATA PROCESSING ADDENDUM

This GDPR Data Processing Addendum (“DPA”) forms part of the Terms of Use available at https://www.smartcat.com/terms/ or such other location as the Terms of Use may be posted from time to time, entered into by you as the User and Smartcat. The purpose of this DPA is to reflect the parties’ agreement with regard to processing of Personal data in accordance with the requirements of the GDPR.

Terms and definitions used herein shall have the same meaning attributable to them in the Terms of Use unless the context herein suggests otherwise.

1. Roles under GDPR

1.1. You acknowledge that you are aware of the GDPR that may affect you when you receive or collect any Content from your clients containing Personal data and when you further upload that Content containing Personal data on SmartCAT Platform.

1.2. You also understand that under the GDPR, depending on how you received and use your Content containing Personal data, you may be considered a “controller” or a “processor” as defined under article 4 of the GDPR.

1.3. Whenever you act as a Customer and upload any Content containing Personal data SmartCAT will act as a “processor” within the meaning of article 4 of the GDPR and this DPA shall apply. Whenever you act as a Supplier and upload your Personal data SmartCAT will act as a “controller” within the meaning of article 4 of the GDPR, the Privacy Policy and Consent Notice (www.smartcat.com/privacy-policy) shall apply.

2. Your warranties, covenants and undertakings

Back to top

2.1. You covenant and undertake to SmartCAT:

  • to comply at all times with GDPR prescribed for data controllers or data processors (as the case may be) in respect of any Personal data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use;
  • if SmartCAT receives any request from a data subject in relation to Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, and advises the data subject to submit his/her request to you, you will be responsible for responding to any such request including, where necessary, by using the functionality of SmartCAT Platform;
  • if required by law to be a party to Model Contract Clauses (Annex to this DPA);
  • that you are solely responsible for complying with incident notification laws applicable to you and fulfilling any third party notification obligations related to any breach of Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use.

2.2. You warrant to SmartCAT:

  • if GDPR applies to the processing of Personal data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use and you are a processor, then your instructions and actions with respect to that Personal data have been authorized by the relevant controller;
  • that the Security Measures (as detailed below) implemented and maintained by SmartCAT as set out herein provide a level of security appropriate to the risk in respect of the Customer data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use.

3. Your authorizations and consents

Back to top

3.1. You authorize and instruct SmartCAT and give your consent to the following:

  • SmartCAT may store and process Customer Data in the United States and any other country in which SmartCAT maintains facilities provided that SmartCAT can maintain there the same level of privacy protection;
  • to process Personal data you provide to Smartcat and/or upload on SmartCAT Platform pursuant to the Terms of Use only in accordance with applicable law: (a) to provide the services and related support to you; (b) as further specified via your use of the SmartCAT Platform (submitted via your User’s profile on Smartcat Platform or by e-mail); c) as documented in the Terms of Use, including this DPA; and (d) as further documented in any other instructions given by you and acknowledged by SmartCAT as constituting instructions for purposes of this DPA;
  • engagement of any other third parties as Subprocessors* with the understanding that if you entered into Model Contract Clauses, this authorization will constitute your prior written consent to the subcontracting by SmartCAT of the processing of Personal data if such consent is required under the Model Contract Clauses.
    (*Subprocessors means third parties authorized under this DPA to have logical access to and process Personal data in order to provide parts of the services under the Terms of Use and related support.)

4. Warranties, covenants and undertakings of SmartCAT

Back to top

4.1 Smartcat covenants and undertakes to you:

  • to comply at all times with GDPR in respect of any Personal data provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use;
  • to process Personal data (i) only for the purpose of providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Terms of Use;
  • to process Personal data contained in any of your Content only in accordance with the written instructions from you (submitted via your User’s profile on Smartcat Platform or by e-mail);
  • to notify you as the User if, in Smartcat’s opinion, an instruction for the processing of Personal data given by you infringes applicable GDPR;
  • to inform you in writing if SmartCAT cannot comply with the requirements under this DPA, in which case you as the User can terminate the Agreement or take any other reasonable action, including suspending Personal data processing operations;
  • that SmartCAT will, in a manner consistent with the functionality of SmartCAT Platform, enable you to access, rectify and restrict processing of Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use;
  • that SmartCAT will assist you in fulfilling any obligation to respond to requests by data subjects, including if applicable your obligation to respond to requests for exercising the data subject’s rights set out in the GDPR;
  • SmartCAT will take appropriate steps to ensure compliance with the security measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to process Personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • in case SmartCAT engages any Subprocessor, such Subprocessor only accesses and uses any Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, to the extent required to perform the obligations subcontracted to it, and does so in accordance with the relevant agreement and the data protection obligations under article 28(3) of the GDPR are imposed on such Subprocessor;
  • in case SmartCAT engages any Subprocessor, SmartCAT remains fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor;
  • to comply with the instructions described in section 3.1 above (including with regard to Personal data transfers);
  • to implement appropriate technical and organisational measures in such a manner that processing of Personal data will meet the GDPR requirements and ensure the protection of the rights of the data subjects;
  • if SmartCAT receives any request from a data subject in relation to Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, SmartCAT will advise the data subject to submit his/her request to you;
  • upon your written request or on termination of the Agreement, shall securely destroy or return such Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, to you within a maximum period of 30 days, unless applicable legislation or legal process prevents it from doing so;
  • if the storage and/or processing of Personal data involves transfers of Personal data out of the EEA and the GDPR applies to the transfers of such data, SmartCAT will, if specifically requested by you, enter as the data importer of the Personal data into Model Contract Clauses with you as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses (Annex to this DPA);
  • if SmartCAT becomes aware of any breach of Personal data, provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use, SmartCAT will: (a) notify you of such breach of Personal data promptly and without undue delay via your email indicated in your corporate account; and (b) promptly take reasonable steps to minimize harm and secure Personal data.
  • SmartCAT’s obligation to report or respond to a breach of Personal data incident is not and will not be construed as an acknowledgement by SmartCAT of any fault or liability of SmartCAT with respect to the breach of Personal data incident
  • SmartCAT hereby declares and you agree that an unsuccessful security Incidents will not be reported to you. An unsuccessful security Incident is one that results in no unauthorised access to Personal data or to any of SmartCAT’s equipment or facilities storing Personal data, [and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents

5. Purposes of processing Personal data

Back to top

5.1. SmartCAT may process Personal data provided to Smartcat and/or uploaded by you on SmartCAT Platform pursuant to the Terms of Use (i) for the purpose of providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Terms of Use.

6. Security Measures of SmartCAT

Back to top

6.1. Security Measures include:

  • use of Tier IV data centers in the U.S. and EU, run by AWS and Microsoft Azure, which are SOC-1, SOC-2, and SOC-3 compliant and it should be noted that this is a much higher level of protection than conventional office servers provide (learn more about Smartcat security measures);
  • all passwords are stored in hashed and salted form (and several external authorized services are supported via OAuth 2.0);
  • all passwords in the production configuration files are encrypted and certificates required to decrypt configs are installed on the production machines by administrators and not accessible for engineers with lower levels of access;
  • a limited number of SmartCAT employees have access to Personal data and they are all bound by relevant confidentiality covenants under their employment or civil law services agreements;
  • a limited number of SmartCAT employees who have access to your personal data are thoroughly checked by our security team and can only use Personal data as part of their work plus in addition to this, access is limited by authorization procedures and infrastructure, which does not allow employees with insufficient rights to access personal data;
  • Before contracting any Subprocessors, SmartCAT conducts an audit of the security and privacy practices of Subprocessors to ensure Subprocessors provide a level of security and privacy appropriate to their access to Personal data and the scope of the services they are engaged to provide. The Subprocessor is required to enter into appropriate security, confidentiality and privacy contract terms.

6.2. These Security Measures may be updated or modified provided that such updates and modifications do not result in the degradation of the overall security of SmartCAT Platform.

7. Scope of instructions given to SmartCAT

Back to top

7.1. This DPA and the Terms of Use set out your complete and final instructions to Smartcat in relation to the processing of your Content containing Personal data and processing outside the scope of these instructions (if any) shall require prior written agreement between you and Smartcat. Smartcat will not use or process the Personal Data for any other purpose other than the Terms of Use and this DPA.

8. DPA Duration

Back to top

8.1. This DPA shall remain in effect as long as the Terms of Use between you and SmartCAT remain in effect.

9. Indemnity

Back to top

Liability and Indemnity

9.1. You shall be liable for, and shall indemnify (and keep indemnified) SmartCAT in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by, SmartCAT and any Sub-Processor arising directly or in connection with:

9.1.1. any non-compliance by the Data Controller with the GDPR or other applicable legislation;

9.1.2. any Personal Data processing carried out by Smartcat or Sub-Processor in accordance with instructions given by you that infringe the GDPR or other applicable legislation; or

9.1.3. any breach by you of your obligations under this Agreement, except to the extent that SmartCAT or Sub-Processor is liable under sub-Clause 9.2.

9.2. SmartCAT shall be liable for, and shall indemnify (and keep indemnified) you in respect of any and all action, proceeding, liability, cost, claim, loss, expense (including reasonable legal fees and payments on a solicitor and client basis), or demand suffered or incurred by, awarded against, or agreed to be paid by you arising directly or in connection with SmartCAT’s Personal Data processing activities that are subject to this Agreement:

9.2.1. only to the extent that the same results from SmartCAT’s or a Sub-Processor’s breach of this Agreement; and

9.2.2. not to the extent that the same is or are contributed to by any breach of this Agreement by you.

9.3. You shall not be entitled to claim back from SmartCAT or Sub-Processor any sums paid in compensation by you in respect of any damage to the extent that you are liable to indemnify SmartCAT or Sub-Processor under sub-Clause 1.1.

9.4. Nothing in this Agreement (and in particular, this Clause 1) shall relieve either Party of, or otherwise affect, the liability of either Party to any data subject, or for any other breach of that Party’s direct obligations under the GDPR. Furthermore, SmartCAT hereby acknowledges that it shall remain subject to the authority of the ICO and shall co-operate fully therewith, as required, and that failure to comply with its obligations as a data processor under the GDPR may render it subject to the fines, penalties, and compensation requirements set out in the GDPR.

10. Governing Law

Back to top

This agreement and its annexes shall be governed by the laws of England and Wales, excluding its conflicts-of-law rules, govern this Agreement.




ANNEX to the GDPR Data Processing Addendum

STANDARD CONTRACTUAL CLAUSES (PROCESSORS)

For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

Customer as defined in the Customer agreement (the data exporter)

And Smartcat as defined in the Customer agreement and the Terms of Use (the data importer) each a ‘party’; together ‘the parties’, HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

Clause 1

Definitions

For the purposes of the Clauses:

  1. ‘personal data’, ‘special categories of data’, ‘process/processing’, ‘controller’, ‘processor’, ‘data subject’ and ‘supervisory authority’ shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;
  2. ‘the data exporter’ means the controller who transfers the personal data;
  3. ‘the data importer’ means the processor who agrees to receive from the data exporter personal data intended for processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;
  4. ‘the sub-processor’ means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with his instructions, the terms of the Clauses and the terms of the written subcontract;
  5. ‘the applicable data protection law’ means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;
  6. ‘technical and organisational security measures’ means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2

Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.

Clause 3

Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the sub-processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4

Obligations of the data exporter

The data exporter agrees and warrants:

  1. that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  2. that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  3. that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Appendix 2 to this contract;
  4. that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  5. that it will ensure compliance with the security measures;
  6. that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  7. to forward any notification received from the data importer or any sub-processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  8. to make available to the data subjects upon request a copy of the Clauses, with the exception of Appendix 2, and a summary description of the security measures, as well as a copy of any contract for sub-processing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  9. that, in the event of sub-processing, the processing activity is carried out in accordance with Clause 11 by a sub-processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses;
  10. and that it will ensure compliance with Clause 4(a) to (i).

Clause 5

Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organisational security measures specified in Appendix 2 before processing the personal data transferred;
  4. that it will promptly notify the data exporter about:

    (i) any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;

    (ii) any accidental or unauthorised access; and

    (iii) any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;

  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for sub-processing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of sub-processing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the sub-processor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any sub-processor agreement it concludes under the Clauses to the data exporter.

Clause 6

Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or sub-processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his sub-processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract of by operation of law, in which case the data subject can enforce its rights against such entity.
  3. The data importer may not rely on a breach by a sub-processor of its obligations in order to avoid its own liabilities.

  4. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the sub-processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, the sub-processor agrees that the data subject may issue a claim against the data sub-processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the sub-processor shall be limited to its own processing operations under the Clauses.

Clause 7

Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:

    (a) to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;

    (b) to refer the dispute to the courts in the Member State in which the data exporter is established.

  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8

Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any sub-processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any sub-processor preventing the conduct of an audit of the data importer, or any sub-processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9

Governing law

The Clauses shall be governed by the law indicated in the DPA.

Clause 10

Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.

Clause 11

Sub-processing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the sub-processor which imposes the same obligations on the sub-processor as are imposed on the data importer under the Clauses. Where the sub-processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the sub-processor’s obligations under such agreement.
  2. The prior written contract between the data importer and the sub-processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the sub-processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for sub-processing of the contract referred to in paragraph 1 shall be governed by the law indicated in the DPA.
  4. The data exporter shall keep a list of sub-processing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12

Obligation after the termination of personal data-processing services

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the sub-processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the sub-processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

Parties may reproduce definitions and meanings contained in Directive 95/46/EC within this Clause if they considered it better for the contract to stand alone.

Mandatory requirements of the national legislation applicable to the data importer which do not go beyond what is necessary in a democratic society on the basis of one of the interests listed in Article 13(1) of Directive 95/46/EC, that is, if they constitute a necessary measure to safeguard national security, defence, public security, the prevention, investigation, detection and prosecution of criminal offences or of breaches of ethics for the regulated professions, an important economic or financial interest of the State or the protection of the data subject or the rights and freedoms of others, are not in contradiction with the standard contractual clauses. Some examples of such mandatory requirements which do not go beyond what is necessary in a democratic society are, inter alia, internationally recognised sanctions, tax-reporting requirements or anti-money-laundering reporting requirements.

This requirement may be satisfied by the sub-processor co-signing the contract entered into between the data exporter and the data importer under this Decision.

Clause 13

Confidentiality and non-disclosure

Restrictions. Smartcat acknowledges that, in order to perform the Services or to provide Supplementary Services, it shall be necessary for Customer to disclose to Smartcat certain Confidential Information (defined below) of Customer. Smartcat agrees that it shall not disclose, transfer, use, copy, or allow access to any such Confidential Information to any third parties, except as authorized by Customer. Customer hereby authorizes Smartcat to provide Confidential Information to Suppliers, translation service providers, marketing services providers and infrastructure and development service providers, including those located in jurisdictions without adequate protection of personal data, on the terms established by Smartcat provided that Smartcat shall implement technical and organizational security measures in respect of processing of such data.

Definition. Information disclosed by Customer, including, but not limited to, information that relates to existing and future products or services, designs, business plans, business opportunities, finances, research, development, know-how, personnel, personal data or third party confidential information will be considered and referred to collectively in this Agreement as “Confidential Information.” Confidential Information, however, does not include information that (a) is now or subsequently becomes generally available to the public through no fault or breach by Smartcat; (b) Smartcat can demonstrate to have rightfully had in its possession prior to disclosure by Customer; or (c) Smartcat rightfully obtains from a third party who has the right to transfer or disclose it.

Smartcat Proprietary Information. Customer shall treat as confidential and agrees not to disclose to any third party without the prior written consent of Smartcat, any information learned by Customer within the scope of the Services relationship with Smartcat that would appear to a reasonable person to be confidential or proprietary. Names and rates of Suppliers will be considered confidential information of Smartcat pursuant hereto.

Personal Data. The Parties shall comply with the terms of Smartcat’s Data Processing Agreement if, and solely to the extent, that the Services require personal data processing by the Parties. Smartcat may modify the terms of Data Processing Agreement unilaterally at any time with or without notice to Customer, provided, however, that such modifications shall become effective and binding on Customer upon the earlier of (a) notice to Customer, or (b) access by Customer of its account on the Platform. If Customer does not accept such modified terms of the Data Processing Agreement, Customer may terminate the Customer agreement unilaterally for convenience within two (2) weeks following the effective date thereof (as determined in accordance with the preceding sentence).

Clause 14

All Smartcat intellectual property rights such as text, graphics, editorial content, data, formatting, graphs, designs, HTML, look and feel, photographs, music, sounds, images, software, videos, designs, typefaces and other content (collectively “Proprietary Material”) that Users see or read through the Platform is owned by Smartcat, excluding any User-generated content licensed to Smartcat pursuant to this TOS. Proprietary Material is protected in all forms, media and technologies now known or hereinafter developed. Smartcat owns all Proprietary Material, as well as the coordination, selection, arrangement and enhancement of such Proprietary Materials as a collective work under the applicable intellectual property legislation. The Proprietary Material is protected by the domestic and international laws on copyright, patents, and other proprietary rights and laws. User may not copy, download, use, redesign, reconfigure, or retransmit anything from the Platform without Smartcat’s express prior written consent and, if applicable, the holder of the rights to the User content. Any use of such Proprietary Material, other than as permitted therein, is expressly prohibited without Smartcat prior permission and, if applicable, the holder of the rights to the User content.

Smartcat service marks and trademarks, including, without limitation, Smartcat logos are service marks owned by Smartcat. Any other trademarks, service marks, logos and/or trade names appearing on the Platform are the property of their respective owners. User may not copy or use any of these marks, logos or trade names without the express prior written consent of the owner.


Appendix 1 to the Standard Contractual Clauses


This Appendix forms part of the Clauses.

The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix. Data exporter

Data exporter

The data exporter is Customer as defined in the Customer agreement:

Data importer

The data importer is Smartcat as defined in the Customer agreement and the Terms of Use which is a SaaS platform which processes personal data upon the instruction of the data exporter in accordance with the terms of the Customer agreement published at www.smartcat.com.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

  • Prospects, customers, business partners and vendors of data exporter (who are natural persons)
  • Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of data exporter (who are natural persons)
  • Data exporter’s Users authorized by data exporter to use the Smartcat Platform.

Categories of data

The personal data transferred concern but is not limited to the following categories of Personal Data:

  • Personal Data
  • Contact Data
  • Professional life data
  • Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

Data exporter may submit special categories of data to the Smartcat, the extent of which is determined and controlled by the data exporter in its sole discretion and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.

Processing operations

The personal data transferred will be subject to the following basic processing activities set forth in the Customer agreement published at www.smartcat.com.


Appendix 2 to the Standard Contractual Clauses


This Appendix forms part of the Clauses and must be completed and signed by the parties.

Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):

Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded on the Smartcat, as described in the Documentation applicable to the specific Services purchased by data exporter, and accessible via https://www.smartcat.com/ or otherwise made reasonably available by data importer. Data Importer will not materially decrease the overall security of the Services during a term of the contract with the data exporter.