Penpot

Data processing addendum (DPA)

For KALEIDOS INC SUCURSAL EN ESPAÑA S.L. (hereinafter, indistinctly, "KALEIDOS") it is very important to process personal data in a secure, fair and transparent manner. KALEIDOS therefore processes such data in accordance with the European Union's General Data Protection Regulation (hereinafter "GDPR").

In order to adequately protect the right to data protection and privacy of individuals, the following are the terms and conditions governing the processing of personal data by KALEIDOS (hereinafter referred to as "DPA"). This DPA therefore amends, supplements and/or replaces any other document of a contractual nature signed with KALEIDOS and does not require any further action.

If you do not agree with the terms and conditions indicated in this DPA, please cease to use and/or interact with KALEIDOS and any of its products, services and associated domains.

PENPOT PROCESSING TERMS AND CONDITIONS

1. DEFINITIONS

Due to the importance of new data protection regulations, it is very important that the parties understand exactly what this DPA is intended to protect and establish. All parties involved are expected to comply with generally applicable law, and to make reasonable efforts to protect the data they control and process.

KALEIDOS INC SUCURSAL EN ESPAÑA S.L. has established these definitions to improve understanding of the scope of this document:

"KALEIDOS", "We" or "Our": refers to KALEIDOS INC SUCURSAL EN ESPAÑA S.L. as a service provider of the Open Source design and prototyping platform, PENPOT (the "Services").

"You" or "Client": refers to the individual, agent or other entity that requests the KALEIDOS Services.

"Data controller" or "Controller": Has the same meaning as in the GDPR, i.e. the party who determines the purpose and means used for data processing. In this sense, the Client is the Controller for the data of the individuals; both Parties are Controllers for the processing in relation to the data of their own employees.

"Data Processor" or "Processor": Shall have the same meaning as in the GDPR, i.e. the party who carries out the processing of data on behalf of and in representation of a Data Controller. KALEIDOS is the Data Processor of the users' data associated with the Data Controller.

"Party": Shall mean KALEIDOS and/or the Client, according to the context.

"Personnel": Shall refer to persons and/or consultants engaged by KALEIDOS or by the Client as employees or independent contractors, as appropriate, and to provide services to any of the Parties involved. In some cases, these personnel may also fall into the category of data subjects, as their personal data may be shared between the Parties or with the Client's end users.

are consumers or users of the goods or services of a KALEIDOS Client (they may also be considered as "Consumers"), as well as Personnel residing in the European Union.

"Personal Data": Shall have the same meaning as in the GDPR, i.e. any data associated with a natural person that allows him/her to be identified or that makes him/her identifiable. Anonymous data, aggregated and/or compiled on a generic basis and which does not name or identify a specific individual, directly or indirectly, is not considered to be Personal Data.

"Processing" or "Data Processing": Shall have the same meaning as in the GDPR; inter alia, the following constitute Data Processing: the collection, recording, use, storage, modification, adaptation, disclosure, transfer or transmission, structuring, combination and deletion or destruction of personal data.

"Incident": Shall mean (a) a complaint or a request with respect to the exercise of a person's rights under the GDPR; (b) an investigation or seizure of personal data by a competent public authority, or a specific indication that such an investigation or seizure is imminent; or (c) any breach of security and/or confidentiality as set out in this DPA leading to the accidental or unlawful destruction, loss, alteration, disclosure of, or unauthorized access to, personal data, or any indication that such a breach has occurred or is about to occur.

"End users" or "Client": Shall mean the users of the Controller (KALEIDOS Client) and the possible Data Subjects on whom KALEIDOS can process their personal data, according to the needs and requirements of the Controller.

2. SCOPE

The scope of application of this DPA shall be limited to cases where the Data Controller or the Data Subjects are residents in the European Economic Area (EEA) and/or Switzerland and where KALEIDOS acts as a Data Processor for a third party who is the Data Controller. The Data Controller declares, guarantees and assumes that any information, including but not limited to personal data, under its responsibility and/or ownership, which it provides to the Data Processor is not the property or responsibility of KALEIDOS and, therefore, it exempts and undertakes to hold KALEIDOS harmless from any liability and/or third-party claims regarding such information.

3. PURPOSE

KALEIDOS, in its capacity as Data Processor, will have access to certain personal data; such information shall be limited to that which is necessary for KALEIDOS to provide its Services in the form of software as a service.

KALEIDOS will process personal data in accordance with the purposes set out in this document, without prejudice to any additional purposes indicated by the Client during the contractual relationship; these must be requested by means of express written authorization from the Client (which, if granted, would be included as an appendix to this annex and would become part of this annex from the date on which it is incorporated).

The provision of these services will require KALEIDOS to carry out the following processing activities:

  • Collecting (capture information containing personal data).
  • Recording (enter or record information in an automated or non-automated system or device for subsequent processing).
  • Structuring (order and structure data for ease of processing).
  • Alteration (change or alter the data).
  • Storage (keep information for a specific term).
  • Consultation (search for data on the system or device where it is recorded).
  • Erasure (delete or remove information from the system or device where it is originally recorded).

4. CATEGORIES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

The following types of personal data will be processed:

  • a) Names and surnames of employees of the Controller.
  • b) Email of the employees.
  • c) Any other category of data provided by the employee through the enabled channels.

5. TERM AND DATA RETENTION POLICY

The term of this DPA will be that of the main agreement which describes the contracted services. The cancellation, termination or extinction of the contractual relationship for the provision of services between the Client and KALEIDOS will entail the deletion of the personal data and the removal of any copies in KALEIDOS's possession.

KALEIDOS hereby informs you that in cases where the Controller terminates and/or interrupts its relationship with KALEIDOS, the procedure for the suppression and, where appropriate, blocking of the information may take up to ninety (90) days depending on the cause for which the relationship between the Parties has ended or been interrupted.

Notwithstanding the provisions of the previous paragraph, the Data Processor will be able to store any processed data and information that has been duly blocked while any liability may be claimed regarding the Data Processor's relationship with the Data Controller.

Once the limitation period for bringing a claim in connection with data retention has elapsed, the Data Processor must destroy the data by the means stated above.

The termination of this DPA does not imply the termination of rights and obligations relating to confidentiality and the protection of confidential information in accordance with the provisions of this DPA and/or any other applicable documents in this regard.

This obligation is of a generic nature and applies generally to data and information provided within the provision of KALEIDOS's Services to the Client.

6. DATA CONTROLLER'S OBLIGATIONS

The Controller undertakes to:

  • a) Deliver the Personal Data for processing to the Processor.
  • b) Notify the Processor as soon as possible of any changes to the processing or to the processed personal data which require it to implement different or additional security measures to those described in this DPA.
  • c) Comply with its obligations under data protection laws in force at any given time, and to supervise processing activities, where necessary, and carry out inspections and audits when required to do so. This is to include, but not be limited to, the following issues: (i) Establishing the lawfulness, legitimacy and validity of the data processing, which will be carried out by performing Data Protection Impact Assessments and complying with the accountability principle before Data Subjects and Data Protection Authorities, (ii) Ensuring insofar as possible that the consent granted by legal representatives of those Data Subjects that are under fourteen (14) years of age is appropriately obtained, (iii) Undertaking reasonable steps to ensure that Data Subjects are aware of their data protection rights and (iv) Developing and implementing internal protocols and procedures designed to prove that the processing of data is consistent with this DPA and in compliance with applicable regulations.

7. DATA PROCESSOR'S OBLIGATIONS

KALEIDOS undertakes to:

  • a) To process the personal data provided by the Data Controller following the instructions set in this DPA and not to use the data for different processing purposes. More specifically, KALEIDOS undertakes to process the personal data in accordance with the instructions it receives from the Data Controller at any given time, as well as with the provisions of the applicable data protection regulations.
  • b) Not to perform any other processing operation regarding the personal data, as well as not to apply or use the data for any purpose other than the provision of the service referred to in this Contract, or to use such data for its own purposes.
  • c) Keep a Record of Processing Activities carried out on behalf of the Controller, where necessary, in accordance with Article 30 of the GDPR.
  • d) Provide assistance to the Controller in carrying out Data Protection Impact Assessments, as well as prior consultations from the Data Protection Authorities, where appropriate.
  • e) Make available to the Data Controller, if requested, the necessary information to prove compliance with its obligations, as well as allow and actively assist in the performance of audits or inspections carried out by the Data Controller and/or by an authorized auditor. Audits will be carried out with a maximum frequency of one per year and must be notified thirty (30) days in advance; all expenses, fees, taxes and charges arising from the conduct of such an audit shall be borne by the Controller. Moreover, and notwithstanding the above, KALEIDOS conducts internal and external audits sporadically.
  • f) To preserve the confidentiality and professional secrecy of all personal data processed under this DPA, as well as the duty to keep it secret during the term of the main agreement and after its termination, while the personal data processed are of such confidential nature. Therefore, the Data Processor shall ensure that the persons authorized to process personal data undertake to uphold said confidentiality and comply with the appropriate security measures, of which the Data Processor shall inform them as necessary.

8. WARRANTIES AND DATA PROTECTION RIGHTS

In the processing of personal data, KALEIDOS, as Data Processor, undertakes to ensure and protect the public freedoms and fundamental rights of individuals and, in particular, their honor and their personal and domestic privacy.

KALEIDOS will cooperate with the Data Controller in order to comply with the data subjects' data protection rights requests and shall inform them that they may exercise their rights of access, erasure, rectification, opposition, restriction of processing and/or portability by means of a letter addressed to the Data Controller at the postal address and/or e-mail address that may be applicable in each case.

Should a Data Subject exercise any of the rights set out in the preceding paragraph directly before KALEIDOS, KALEIDOS undertakes to forward the request to the Data Controller within a maximum of ten (10) business days of receipt of the request.

9. DUTY OF INFORMATION

Both Parties agree that, unless otherwise provided for in the applicable regulations, it is the Data Controller's duty to comply with the right of information of the Data Subjects at the time of collecting their personal data, and to ensure that it obtains lawful consent or that any other legitimate basis is applicable and, therefore, allows for the data to be processed for such purposes. If the data is not collected directly by the Data Controller, it also declares that it holds the necessary rights and authorizations for the use of such data.

10. SUBCONTRACTING

The Controller grants the Processor a general authorization to engage subcontractors (subprocessors) to carry out ancillary services required for the proper performance of the contracted services (including, but not limited to, network infrastructure and hosting services providers as well as anti-fraud, analysis and reporting services, and any other providers which may be necessary for the proper provision of the service).

KALEIDOS informs you that no international data transfers are foreseen for the provision of the above-mentioned Services.

KALEIDOS has implemented the necessary and appropriate security measures and procedures to:

  • a) Ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • b) Restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident;
  • c) Regularly test, assess and evaluate the effectiveness of technical and organizational measures to ensure the security level of the processing;
  • d) Where necessary, pseudonymize and encrypt personal data.

11. SECURITY BREACH NOTIFICATIONS

Both Parties undertake to notify each other, without undue delay, and in any case before the maximum term of forty-eight (48) hours, of any incident relating to breaches of security of personal data under their respective control that comes to their attention, including all the relevant information for the purpose of recording and reporting the incident.

Where the Client is required to notify any incident to KALEIDOS, it shall do so via the e-mail address provided for this purpose: [email protected], providing the following information:

  • a) A detailed description of the nature of the incident, where possible the category and approximate number of data subjects involved.
  • b) The contact details of an information or coordination point from which to obtain further information concerning the incident.
  • c) A description of the most probable consequences of the incident.
  • d) A description of the measures undertaken or to be undertaken regarding the incident and, where appropriate, further measures and procedures to be implemented to mitigate the adverse effects of the incident.

12. LIABILITY AND INDEMNITY

Both Parties (hereinafter, individually, the "Indemnifying Party") mutually undertake to hold the other Party (hereinafter, where applicable, the "Indemnified Party") harmless against any third-party claims, losses, damages and/or expenses incurred as a result of a breach of or in connection with this DPA by the Indemnifying Party.

13. NOTIFICATIONS

All notices between the Parties shall be in writing and through one of the following means:

  • a) Registered mail with acknowledgement of receipt.
  • b) Bureaufax with acknowledgement of receipt.
  • c) E-mail with confirmation of delivery and reading.

Notifications made to Client, with reference to this DPA, shall be sent to the following address:

Calle Fortuny, 19, 1º IZQ, 28010 Madrid, Spain

18. GOVERNING LAW AND JURISDICTION

This agreement shall be governed by and construed in accordance with the EU General Data Protection Regulation.

The parties waive their own jurisdiction or any other jurisdiction to which they may be entitled by law and agree to be bound by the courts of Madrid for the purpose of settling any disputes arising between the parties in connection with this DPA.

Last updated: January 31st 2023