This Data Processing Agreement (DPA) is a part of the service agreement (“Agreement") between Comparables Oy (a Finnish limited liability company with a business ID 3196103-1 “Comparables”) and Comparables’ customers (each individually a “Customer”), concerning the provision of the Service whose terms and conditions have been laid out in the Comparables Terms of Service (as provided at https://www.comparables.ai/terms-conditions).
Comparables and Customer are each individually referred to as the Party and together as the Parties
1. GENERAL
This DPA forms an integral part of the Agreement and shall apply to all processing of personal data under the Agreement in the context where Comparables processes personal data on behalf of the Customer.
Where applicable and when this DPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall be applied to this DPA. If the Agreement or any other document regulating the relationship between Comparables and the Customer as set out in the Agreement contains provisions that are in conflict with this DPA, this DPA shall have precedence.
Customer shall be considered the controller under the EU regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Comparables processes, by providing the Service to the Customer, such personal data on behalf of Customer as a processor for the purposes of the Agreement during the term thereof.
The Customer is responsible for the lawful processing and collection of personal data in compliance with the GDPR and other laws, regulations and directives pertaining to the processing or collection of personal data. Comparables will not monitor the Customer’s processing or collection of personal data in the Service. The Customer shall be responsible for having the required rights and necessary permissions from third parties to use and disclose personal data for the purposes set out in the Agreement. The Customer shall ensure that the Customer is entitled to transfer the relevant personal data to Comparables so that Comparables may lawfully process, use and transfer the personal data in accordance with the Agreement and this DPA.
Each Party shall be responsible for the information security of the Party’s own communications networks. Neither Party shall be responsible or liable for the information security of general communications networks, or for interferences or other disruptions, outside of the Parties influence, that may occur in general communications networks.
The subject matter, categories, and types of data as well as other details of the processing are specified in Schedule 1 of this DPA (Description of the Processing Operations).
2. PROCESSING OF PERSONAL DATA
When acting as a data processor Comparables shall process personal data in accordance with this DPA and documented instructions from Customer, unless required to do otherwise under European Union or Member State law to which Comparables is subject. In such case Comparables shall inform the Customer of that legal requirement before processing unless that law prohibits such information on important grounds of public interest.
Comparables may not use the Customer’s personal data for any other uses than for which the personal data for the provision of the Services and as otherwise instructed by the Customer. Comparables shall process information disclosed to it by the Customer in accordance with this Agreement and according to written instructions or guidelines given to it by the Customer. Customer’s instructions must be commercially reasonable, compliant with applicable data protection legislation and regulations and consistent with this Agreement. In case Comparables detects that any instruction given by the Customer is non-compliant with European Union or member state law to which Comparables is subject, Comparables shall not be obliged to comply with such instruction and shall inform the Customer of that legal requirement.
In case the Customer’s instructions require additional measures or work to be performed by Comparables, Comparables has the right to charge an hourly consulting fee from the Customer for complying with such Customer’s instructions in accordance with Comparables’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
3. DATA SECURITY
Comparables ensures that it shall implement and maintain appropriate technical and organizational security measures to protect the personal data within its area of responsibility, in order to safeguard the personal data against unauthorized or unlawful processing or access and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by Comparables hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, where appropriate and relevant for each processing action:
(i) the pseudonymisation and encryption of personal data;
(ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and Service;
(iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
(v) the ongoing confidentiality, integrity, availability, resilience and restoration of all processing systems and services in which personal data is stored or processed;
(vi) the pseudonymisation and encryption of personal data and communications containing personal data when it is appropriate and necessary to maintain the integrity and confidentiality of personal data.
Comparables also ensures that the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4. ASSISTANCE OBLIGATIONS
Taking into account the nature of the processing, Comparables shall assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.
Taking into account the nature of the processing and the information available to Comparables, Comparables shall further provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority)
In case such assistance requires measures from Comparables, Comparables has the right to charge an hourly consulting fee from the Customer for handling such assistance requests in accordance with Comparables’s then current price for consulting services, subject to the Customer’s prior approval of such additional costs.
5. INTERNATIONAL TRANSFERS
The Customer accepts that Comparables may have personal data processed and accessible by Comparables or its subprocessors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, the Customer authorizes Comparables to enter, on behalf of the Customer, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or Comparables shall provide for other appropriate safeguard for the protection of the personal data transferred outside the EEA as set out in the GDPR.
6. AUDITS
The Customer or an auditor appointed by the Customer shall with the assistance of Comparables have the right to audit the processing activities of Comparables under this DPA to assess the compliance of Comparables with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of Comparables and with 30 days’ prior written notice. If Comparables’s employees or other representatives participate in such audits at the request of the Customer, the Customer shall compensate Comparables for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Comparables or threaten intellectual property rights of Comparables, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to Comparables’s benefit.
Where an audit may, in Comparables’s sole opinion, lead to the disclosure of business or trade secrets of Comparables or threaten the intellectual property rights of Comparables, the Customer shall employ an independent auditor, that is not a competitor of Comparables, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Comparables’s benefit.
Comparables makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR. In case the Customer’s request requires measures or work to be performed by Comparables, Comparables has the right to charge an hourly consulting fee in accordance with its then current price for consulting services for handling such requests, subject to the Customer’s prior approval of such additional costs.
6. SUBPROCESSORS
The Customer gives its general authorization to allow Comparables to engage subcontractors as subprocessors to process personal data in connection with the provision of the Service.
Comparables is free to choose and change its subprocessors. Upon request, Comparables shall inform Customer of subprocessors currently involved. In case there is a later change of a subprocessor (addition or replacement), Comparables shall notify the Customer of such change, thereby giving the Customer the opportunity to object to such change. If Comparables is not willing to change the subprocessor the Customer has objected to, both Parties shall have the right to terminate the Agreement and this DPA.
Where Comparables engages a subprocessor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this DPA shall be included in the DPA between Comparables and that subprocessor. Where a subprocessor fails to fulfil its data protection obligations, Comparables shall remain liable to the Customer for the performance of the subprocessor’s obligations as further stipulated in the Agreement.
Schedule 1 - Description of the Processing Operations
Categories and Types of Personal data
In connection to the provision of Service, the customer data includes first name, last name, email, and if provided by the customer: title, organization, country and primarily field of work.
Duration of the Processing
The data may be processed during the time period the service is used by the customer. It may be processed up to six months after the customer has terminated the service contract unless the customer explicitly requests to delete their data before that.
Transfers Outside of the EU or the EEA
All our data is currently stored on servers in the US. For testing and development purposes, some data samples may be transferred between Europe and Pakistan.
List of Subprocessors
Company | Purpose | Country of Processing
Amazon Web Services | Cloud infrastructure | USA
Microsoft Azure | Cloud computing services | USA
Google Cloud Platform & Analytics | Cloud computing services and analytics (app) | USA, EU
ByteSol Ltd | Software development | Pakistan
HubSpot, Inc | CRM software with marketing automation | EU
Mixpanel, Inc | Analytics (app) | EU
Hotjar | Analytics (app) | EU
Stripe Payments Europe Limited | Collecting payments | EU
Slack Technologies Limited | Communication platform | EU
Atlassian Corporation Plc | Project management (Jira, Bitbucket, Confluence, Miro) | EU
