Data Processing Agreement
This Data Processing Agreement ("DPA") is part of the main Agreement between SpaceSoft Limited (doing business as “Apploye”) and you (the "Customer"). This DPA governs how Apploye processes Personal Data on behalf of the Customer in connection with the Services. It follows all the same rules as the main Agreement.
This DPA replaces any old DPA you might have had with us. When you use our Services or create an account, you agree to follow this Agreement.
If we use a word with a capital letter and don't explain it here, you can find what it means in the main Agreement. Also, whenever we say "Agreement," we mean both the main Agreement and this DPA together.
1. Subject of the Agreement
1.1. Under this Agreement, Apploye provides services to you (the Customer). We call these "Services."
1.2. When we provide these Services, Apploye may handle your Protected Data (explained later in this document). We do this on your behalf.
1.3. Both parties agree to follow the rules in this DPA. These rules apply when we collect or handle any Protected Data for you. This includes all data we process while providing or receiving the Services. It also covers Protected Data subject to Data Protection Laws.
2. Definitions
2.1. “Affiliate” means any entity that controls the subject entity, is controlled by it, or is under the same control as it. This can be direct or indirect.
2.2. "Agreement" means this Data Processing Agreement, plus the Apploye Terms of Service, Privacy Policy, Business Associate Agreement (“BAA”), Refund Policy, Spam Guidelines, Affiliate Terms, and any other electronic or written agreement that applies between Apploye and Customer. Together, these documents explain how Apploye provides the Service to Customer. Apploye may update these documents from time to time.
2.3. “Customer Users” means the Data Subjects listed in Appendix I.
2.4. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its related regulations.
2.5. “Data Controller” means the entity that decides why Personal Data is processed and how it is processed.
2.6. “Data Processor” means the entity that processes Personal Data for the Data Controller. This includes, when relevant, a “service provider” as that term is defined by the CCPA.
2.7. “Data Subject” means the person who is identified, or can be identified, from the Personal Data.
2.8. “Data Subject Request” means a request from a Data Subject to use their rights under Data Protection Laws.
2.9. “Data Protection Laws” means all laws and rules about personal data that apply to processing under the Agreement. This includes laws in the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom, and the United States and its states. These laws may change over time. This also includes EU Data Protection Laws and Non-EU Data Protection Laws.
2.10. “Europe” means, for this DPA, the European Union, the European Economic Area (“EEA”) and/or their member states, Switzerland, and the UK.
2.11. “EU Data Protection Laws” means the main privacy and data protection laws in Europe. This includes: (i) GDPR (Regulation 2016/679); (ii) Directive 2002/58/EC about privacy in electronic communications; (iii) the Swiss Federal Act on Data Protection; (iv) local laws that put (i) and (ii) into effect; and (v) for the United Kingdom (“UK”), any local law that replaces or brings GDPR into UK law after the UK left the EU, including UK GDPR and the Data Protection Act 2018.
2.12. “Non-EU Data Protection Laws” means privacy and data protection laws outside the EU. This includes the California Consumer Privacy Act (“CCPA”) and other broad US state privacy laws. It also includes Canada’s PIPEDA, Brazil’s LGPD (Federal Law no. 13,709/2018), and Australia’s Privacy Act 1988 (Cth), as updated (“Australian Privacy Law”).
2.13. “Personal Data” means information about (i) an identified or identifiable natural person and (ii) an identified or identifiable legal entity, when the law protects that information like personal data or personally identifiable information. For both (i) and (ii), the data must be Protected Data.
2.14. “Protected Data” means Personal Data about Customer Users that Customer shares (at any time) with Apploye or Sub-Processors. This happens in connection with Apploye providing Services under the Agreement.
2.15. “Personal Data Breach” means a real security breach that causes Protected Data to be destroyed, lost, changed, shared without permission, or accessed without permission. This can happen by accident or unlawfully.
2.16. “Supervisory Authority” means any government or official body that oversees or enforces Data Protection Laws. This can be local, national, or multinational.
2.17. “Process” and “Processing” mean doing anything with Personal Data, whether done by hand or by a system. For example, it includes collecting, recording, organizing, storing, changing, reading, using, sharing, combining, limiting access, deleting, or destroying it.
2.18. “Sub-Processor” means a third-party service provider that Apploye uses. Apploye shares Protected Data with this provider so the provider can process it for Customer. However, Sub-Processors do not include third parties that Customer tells Apploye to work with or share data with. This includes third parties connected through Apploye services or products. In those cases, Apploye is not responsible for the third party. Customer is responsible for the third parties it chooses to use or share Protected Data with.
2.19. Under the CCPA or similar state laws, these terms in this DPA also include related terms: “Data Controller” includes “Business”; "Data Processor" includes “Service Provider”; “Data Subject” includes “Consumer”; “Personal Data” includes “Personal Information”.
2.20. In this DPA, if a Data Protection Law is replaced, changed, expanded, re-enacted, or combined with another law, then the references in this DPA change too. The terms will refer to the updated law and the matching terms in that law.
3. Roles of the Parties
3.1. The parties agree on their roles when handling Protected Data under Data Protection Laws. Here's how it works: You (the Customer) are the Data Controller. This means you're in charge of the data. Apploye is the Data Processor. This means we handle your data for you. We follow the processing details described in Appendix I. Also, any third parties that Apploye uses to help process your data are called Sub-Processors. The parties must agree in writing if they want to change these roles.
3.2. Apploye will only process your Protected Data based on your written instructions in this DPA. You're instructing us to process Protected Data for the Permitted Service Purposes (we call this your "Documented Instructions"). However, you agree that we may also process your data for these business purposes: (i) to improve, analyze, develop, or fix our products and services; (ii) for reporting or data optimization; (iii) to follow the law (including requests from law enforcement); (iv) to keep our products and services secure, prevent fraud, reduce risk, and protect information; (v) to protect the interests of Apploye or you; and (vi) for any other purposes allowed by this Agreement, DPA, or the law. We call each of these a "Permitted Service Purpose," and together they are the "Permitted Service Purposes."
3.3. You promise the following things: (i) You follow all laws, including Data Protection Laws. Your instructions to us also follow all laws. (ii) You have given all required notices. You have also received all needed consents and rights under Data Protection Laws. This allows us to process Protected Data for the Permitted Service Purposes. You will keep doing this in the future. You are solely responsible for making sure the Protected Data is accurate, good quality, and legal. You're also responsible for how you got this data. Additionally, you agree to follow all laws (including Data Protection Laws). This includes getting consents or other legal permission when needed. You need this permission to use our Services, give us Protected Data, or upload Protected Data to our Services.
3.4. You promise that when Apploye processes Protected Data following your instructions, we won't break any laws or rules. This includes Data Protection Laws. Apploye is not responsible for any processing done according to your instructions. Even if the Agreement says something different, you agree to fully protect and defend Apploye and its Affiliates. This means you'll cover any losses, damages, costs, or fees (including attorney's fees) that happen because you broke your promises or obligations under this DPA.
3.5. To be clear, you agree that Apploye does not act as a Processor for business contact information. This "Business Contact Data" includes information about your employees and representatives. We interact with these people to manage or communicate about our services. Instead, both parties act as independent Controllers for this Business Contact Data. Each party is responsible for following its own legal obligations. The parties do not have a joint controller relationship.
4. Obligations of the Processor
4.1. Apploye will handle Protected Data for the Customer. Here's what Apploye must do:
a) Apploye will only use the Protected Data based on the Customer's written instructions.
b) Apploye will limit who can access and use the Protected Data. Only authorized Apploye workers can access it. Also, they can only use it for the allowed service purposes. All Apploye workers who handle Protected Data must sign a confidentiality agreement. This means they promise to keep the data private. Or, they must have a legal duty to keep it private.
c) Apploye will take reasonable security steps as required by Article 32 of GDPR. The Customer has reviewed Apploye's security measures. The Customer agrees these measures meet their needs.
d) When the law requires it, Apploye will help the Customer follow Data Protection Laws. The Customer pays for this help. Apploye will assist with:
- keeping data processing secure;
- telling the Supervisory Authority about any data breaches;
- telling Data Subjects about any data breaches;
- doing data protection impact assessments;
- consulting with a Supervisory Authority about high-risk data processing;
e) When the Agreement ends, Apploye may delete all Customer data, including Protected Data. Apploye will not be responsible for this deletion. The Customer understands and agrees that:
- Apploye may keep Customer data based on the data retention schedule at https://apploye.com/data-retention-comparison. This schedule may change over time.
- Apploye is not a permanent record keeper. Apploye may delete Customer data during the Agreement period. The Customer must keep their own backups and records.
- If the Customer wants to get their data from Apploye's platform, they must do it themselves. They can use the tools available on the platform.
- The Customer cannot dispute bills from Apploye after Apploye deletes the related data. The Customer gives up all claims against Apploye for data deleted after the Agreement ends.
- Even so, Apploye may keep Customer data after the Agreement ends if the law requires it.
4.2. Apploye will tell the Customer if any data processing instruction breaks Data Protection Laws. However, Apploye won't notify the Customer if the law forbids it. Also, Apploye will notify the Customer if it cannot meet its duties under this DPA or Data Protection Laws anymore. In this case, Apploye may end the Services. Apploye will not be penalized for this.
4.3. Apploye may remove identifying information from Protected Data. Or, Apploye may combine it with other data. This is part of providing the Services in this DPA and the Agreement.
4.4. Apploye will only use Protected Data for its direct business relationship with the Customer. Apploye will not use it for other purposes unless the law allows it.
4.5. When Data Protection Laws require it, Apploye will not mix Protected Data with other Personal Data. This includes data from other sources or from interactions with consumers. Apploye will only do this if the law allows it.
4.6. When Data Protection Laws require it, the Customer can take steps to stop Apploye from misusing Protected Data. The Customer must tell Apploye what they want to stop and why. Apploye will consider these requests fairly. Then, Apploye will tell the Customer how it plans to respond. Apploye may choose to take no action. If Apploye follows the Customer's suggestions, Apploye is not responsible for any problems.
4.7. Apploye will follow all Data Protection Laws. When needed, Apploye will protect Protected Data at the same level as the Customer must protect it. Apploye will follow the standards listed above. Also, Apploye will follow any extra standards the parties agree to in writing.
4.8. When Data Protection Laws require it, Apploye will not sell or share Protected Data. This follows the definitions of "sell" and "share" in Data Protection Laws, including CCPA.
4.9. All Apploye workers who handle Protected Data must complete information security training every year.
5. Data Subject Rights Requests
5.1. When Customer receives a Data Subject Request, Customer should first try to handle it on their own. Then, if Customer asks for help, Apploye will work with Customer to solve the request. However, Customer must pay for this help. This support helps Customer follow Data Protection Laws for Protected Data. Also, Apploye may give Customer special tools through the Service. These tools help Customer manage and answer these requests by themselves.
5.2. Sometimes, Apploye may receive a complaint or request from a Data Subject. If this happens, and the request is about Customer's Protected Data, Apploye will tell Customer right away. Additionally, Apploye will share all the details about that request.
5.3. When needed, Apploye may respond to a Data Subject Request. For example, Apploye might send a message to confirm they received it. Or, Apploye might tell the Data Subject to contact Customer directly. Apploye will do this if the law requires it.
5.4. If Customer asks Apploye to delete certain data, Apploye will try their best to delete that Protected Data. Instead, Apploye might give Customer tools through the Services to delete the data themselves. However, if Apploye cannot delete the Protected Data or help with a Data Subject Request, Apploye will inform Customer.
6. Records, Information, and Audit
6.1. Apploye will keep written records. These records will show all Processing activities that Apploye does for Customer. Customer agrees that Appendix I to this DPA is the official record. This means Appendix I fully meets this requirement.
6.2. Apploye will check its security measures once per year. Sometimes the law may require more checks. If so, Customer will pay for the extra checks. During these checks, Apploye will review its protections for Protected Data. This includes physical protections, technical protections, and administrative protections. Apploye may do the check itself. Or, Apploye may hire someone else to do the check. When Customer asks, Apploye will share information. This information will show that Apploye follows Data Protection Laws and this DPA. Apploye will share copies of its recent security audits. It will also share penetration tests, security scans, or other reviews. However, Apploye only shares what it normally shares with all customers. Also, Apploye only shares what is available at the time. Additionally, Apploye does not control Sub-Processors. This includes cloud providers. Therefore, Apploye is not responsible for how Sub-Processors protect information or data. Apploye does not have to audit Sub-Processors. Apploye also does not have to report on Sub-Processors.
7. Sub-Processors
7.1. Customer understands that Apploye needs to use Sub-Processors to provide the Services. Customer agrees that Apploye can use Sub-Processors to Process Protected Data for Customer. However, Sub-Processors do not include third parties that Customer chooses to connect with through the Apploye Services or tools. Customer understands and agrees that Apploye is not responsible for any problems with these third-party connections that Customer sets up. You can see the current list of Sub-Processors that Apploye uses at https://apploye.com/subprocessors. This list may change over time.
7.2. Apploye will make a written agreement with each Sub-Processor. These agreements will include rules about protecting data. These rules help Apploye follow the promises made in this DPA. The rules apply based on what service each Sub-Processor provides. If a Sub-Processor fails to protect data properly, Apploye will still be responsible to Customer for any problems this causes.
7.3. Customer gives Apploye general permission to use third parties for sub-Processing. This helps Apploye provide the Services and support the Permitted Service Purposes. These third parties include data center operators, email service providers, fraud detection services, support providers, and others. Apploye will keep Customer informed about all Sub-Processors by updating the list at https://apploye.com/subprocessors. Customer can object to new Sub-Processors if there are good reasons. These reasons must be based on the Sub-Processor not following Data Protection Laws or creating a serious risk of not following these laws.
8. Security
8.1. Apploye shall use and keep technical and organizational security measures. These measures are made to protect Protected Data from Personal Data Breaches. They are also made to keep Protected Data secure and confidential. These measures are listed in Appendix II of this DPA. Customer acknowledges and agrees that it has reviewed these security measures. Customer also agrees that the measures meet Customer’s requirements. In addition, Customer agrees that the measures help Customer comply with the law, when relevant.
8.2. Even with the above, Customer agrees that, except as provided by this DPA, Customer is responsible for using the Service in a secure way. For example, Customer must protect its account authentication credentials. Also, Customer must protect Protected Data while it is sent to and from the Service. In addition, Customer must take appropriate steps to encrypt or back up any Protected Data uploaded to the Service.
9. International Data Transfers
9.1. Customer agrees that Apploye may transfer and Process Protected Data in the United States and in other countries. Also, Apploye may do this wherever Apploye, its Affiliates, or its Sub-Processors have data Processing operations. Apploye will always make sure these transfers follow the rules in this DPA. In addition, the rules in this DPA are Customer’s instructions for these transfers.
10. Obligations of the Customer
10.1. Customer represents and warrants that Customer will not unreasonably refuse, delay, or add conditions to any change to this DPA that Apploye asks for. This helps the Services, Apploye, and each Sub-Processor follow Data Protection Laws.
10.2. Customer represents and warrants that it has the rights it needs to give the Personal Data to Apploye. Customer may also permit or cause others to provide the Personal Data. This is for the Processing under the Agreement. If a Data Subject tells Customer that they withdraw consent for Personal Data Processing, then Customer must tell Apploye. After that, Customer is still responsible for carrying out any Customer instructions about future Processing of that Personal Data.
11. Reporting Personal Data Breaches
If Apploye becomes aware of a Personal Data Breach, Apploye shall:
- notify Customer without undue delay. Also, when possible, Apploye will notify Customer no later than 72 hours after Apploye becomes aware of a Personal Data Breach that affects Customer Protected Data;
- provide timely information about the Personal Data Breach as Apploye learns more. In addition, Apploye will provide more information if Customer reasonably asks for it;
- promptly take steps to contain and investigate any Personal Data Breach. However, Apploye’s notice about a Personal Data Breach, or Apploye’s response to it, does not mean Apploye admits any fault or liability for the Personal Data Breach.
12. Limitation of Liability
Each party and its Affiliates have limits on how much they can be held responsible for. These limits come from the main Agreement. They also apply to this DPA. If something goes wrong, the limits from the Agreement will control how much money can be claimed. Also, only the Customer who signed the Agreement can make claims against Apploye or its Affiliates. This means no one else can sue or make claims about this DPA.
13. General Provisions
13.1. This DPA and its attachments make up the complete agreement between the parties about this topic. It replaces all previous talks, promises, and agreements, whether spoken, electronic, or written. The Agreement stays the same except for the changes made by this DPA. The Agreement continues to work fully.
13.2. Both parties agree that this DPA will replace any old DPA or similar data agreement they signed before for the Services. Any changes to this DPA must be made in writing. Both Apploye and Customer must agree to the changes. The written agreement must clearly say it is changing this DPA. This same rule also applies if someone wants to waive this requirement.
13.3. This DPA stays active as long as Apploye handles Protected Data Processing for Customer. It also stays active until the Agreement ends. Only the parties who signed this DPA (and their successors and approved assignees) can enforce its terms. No one else has this right.
13.4. Sometimes this DPA and the Apploye Terms of Service might say different things. When this happens, these documents will control in this order: (i) first, this DPA wins; and then (ii) the Apploye Terms of Service wins.
13.5. The same laws and jurisdiction rules from the Agreement will govern this DPA. However, Data Protection Laws may require different rules. In that case, those laws will apply instead.
13.6. If any part of this DPA is found to be void or unenforceable, that part will be removed. The rest of the DPA will still work. However, if the Limitation of Liability section is void or unenforceable, then Apploye's liability will be limited to the maximum amount the law allows. This includes limits on both type and amount.
13.7. Both parties understand and agree that this Agreement and DPA do not create any third-party beneficiaries.
Appendix I: Subject Matter and Details of the Data Processing
Data Controller
The Data Controller (or Business) is the Customer who signed this DPA.
Duration of the Processing
During the term of the Agreement and while Apploye provides the Apploye Services to Customer. After that, Apploye will keep the Customer Protected Data only as long as needed to use it for the purpose it was collected. Also, Apploye may keep it longer if the parties agree in writing or if applicable law requires it. Apploye will keep the Customer Protected Data until Apploye deletes all Customer Protected Data under this DPA.
Data Processor
The Data Processor (or Service Provider) is Apploye.
Data Subjects
- End users of Apploye products and services;
- Employees, agents, contractors, vendors, and advisors of Customer.
Nature and Purpose of the Processing
Apploye processes the identified Data Subjects’ categories of Personal Data to provide, manage, and review the use of Apploye’s Services. First, Apploye uses this data to help Customer with payroll and productivity monitoring work. Next, Apploye uses this data to provide the Apploye products and services under the Apploye Terms of Service (https://apploye.com/terms-of-service). Also, Apploye’s productivity monitoring services can track Customer employee activities on information technology, even when employees work remotely. Examples include capturing screenshots of employee computer monitors, recording employee screens, tracking browsing history, and/or collecting data regarding employee mouse and/or keyboard movements or commands. For clarity, Customer chooses whether to use Apploye services for these monitoring activities, and Customer is responsible for that choice.
Categories of Data
General
- Server logs (contain IP addresses)
Account
- Full name
- Email address
- Phone number
- Credit card and payment information
- ACH bank information
Apploye
- Screenshots
- Email address
- Screen recording
- Application monitoring
- Website tracking
Analytics
- Website browsing information
- Product usage information
- Transaction data
Subject Matter
Apploye provides the Services to Customer. Apploye also Processes Protected Data. This follows the Agreement and this DPA.
Sub-Processors
Customer agrees that Sub-Processing can be done by the entities listed at: https://apploye.com/subprocessors

