DATA PROCESSING AGREEMENT

November 22, 2024 13:54 Updated

Index:
Personal Data Of Blip Go!
General Conditions For Data Processing
Controller’s Obligations
Operator’s Obligations
Information Security
Security Incidents
Data Sharing
Liability
General Provisions

PERSONAL DATA OF BLIP GO!

DEFINITIONS

For the purposes of this Agreement, the following definitions shall apply, in accordance with Article 5 of Law No. 13.709/18 (General Data Protection Law - "LGPD"):

a) Personal Data: Information related to an identified or identifiable natural person; and which, when applicable, may include Sensitive Personal Data, which refers to Personal Data about racial or ethnic origin, religious beliefs, political opinions, membership in a union or in an organization of a religious, philosophical, or political nature, data related to health or sex life, genetic or biometric data, when linked to a natural person;
b) Data Subject(s): The natural person to whom the Personal Data refers, such as End Users and employees of the BLIP customer (hereinafter referred to simply as "CLIENT");
c) Controller: A natural or legal person, whether public or private, responsible for making the key decisions regarding the processing of Personal Data and for defining the purpose of such processing. Regarding Personal Data provided by the CLIENT and processed through the contracted conversational solution, the CLIENT is considered the "CONTROLLER";
d) Processor: A natural or legal person, whether public or private, who processes the data on behalf of the Controller, in accordance with the defined purpose. Regarding Personal Data provided by the CLIENT and processed through the contracted conversational solution, BLIP is considered the "PROCESSOR"; and
e) Processing: Any operation carried out with Personal Data, such as collection, production, receipt, classification, use, access, reproduction, transmission, distribution, processing, filing, storage, deletion, evaluation or control of information, modification, communication, transfer, dissemination, or extraction.

Whenever other terms defined in the LGPD are used in this Agreement, such terms will have the same meaning as defined by the law.

GENERAL CONDITIONS FOR DATA PROCESSING

In the development of any activities related to the use of the conversational solution, the Parties shall comply with the legal regime for the protection of Personal Data, making efforts to carry out the Processing of Personal Data that is deemed necessary, in strict and rigorous compliance with the LGPD and with any rules and procedures that may be published and/or required by regulatory bodies and other competent authorities, including the National Data Protection Authority (“ANPD”), ensuring that their employees, agents, consultants, subcontractors, and/or service providers also comply with the applicable legal provisions.

Legitimacy of Processing: Due to the use of the conversational solution, the CONTROLLER guarantees that the Personal Data shared with the PROCESSOR will be supported by a valid, legitimate, and adequate legal basis for the purposes of the Processing in question, in accordance with applicable law, and will keep the PROCESSOR indemnified from any liability in this regard.

Purposes of Processing: The PROCESSOR may process the Personal Data necessary for the licensing of the conversational solution, as well as for improvements and the development of the product and its related features, always aiming to provide the best experience for the CLIENT.
It is the responsibility of the CONTROLLER to obtain all necessary authorizations in this regard.

Duration of Processing: The PROCESSOR shall process the Personal Data for the period necessary to achieve the purposes set forth in this Agreement. The processing will also cease upon an explicit written request by the CONTROLLER for the return and/or deletion of the Data. The retention of the Data by the PROCESSOR is authorized for the fulfillment of legal or regulatory obligations for the applicable legal retention period, as well as for the PROCESSOR’s exclusive use, in accordance with item 2.3 above, provided that the Data is anonymized, without prejudice to other retention and storage scenarios legally provided for.

CONTROLLER'S OBLIGATIONS

Without prejudice to the other obligations set forth in this Agreement and in any separate instrument, the CONTROLLER undertakes to:

a) Ensure full compliance, legitimacy, legality, and adherence to legal principles regarding the Personal Data transferred to the PROCESSOR for Processing;
b) Ensure the existence of a valid legal basis to share the Personal Data with the PROCESSOR, as well as for the PROCESSOR to process the Data on behalf of the CONTROLLER;
c) Provide instructions and establish rules for the processing of Personal Data by the PROCESSOR, respecting both the technical limits of the conversational solution and those set forth in the LGPD;
d) Communicate to the PROCESSOR, when necessary for its actions, as quickly as possible and within a reasonable timeframe, any request for access, rectification, portability, or deletion made by the Data Subjects, as well as in the case of any request, notification, or inquiry from a competent authority;
e) Manage and control access to the conversational solution environment for its employees, observing appropriate security rules, and being responsible for all actions performed by them, as well as for requests made by them to the PROCESSOR; and
f) Assist the PROCESSOR in the preparation of any reports related to the impact on the protection of Personal Data, as well as in providing any information that may be required by competent authorities.

The CONTROLLER may be subject to compliance with regulations set forth in specific legislation related to its area of activity, which may not necessarily be mandatory for the PROCESSOR, such as differentiated data storage rules.

PROCESSOR'S OBLIGATIONS

Without prejudice to the other obligations set forth in this Agreement and in any separate instrument, the PROCESSOR undertakes to:

a) Process the Personal Data for the purposes set forth in this Agreement or for those indicated by the CONTROLLER, not using it for any other purposes;
b) Process the Personal Data in accordance with the CONTROLLER’s instructions, always taking into account the technical capacity of the contracted conversational solution;
c) Inform the CONTROLLER, as quickly as possible and within a reasonable timeframe, about the receipt of any request from the Data Subjects or a competent authority, and assist the CONTROLLER in responding to such requests, ensuring that the CONTROLLER has all the necessary information to fulfill its duties under the LGPD;
d) Inform the CONTROLLER if it is unable to comply with or is hindered from following any of the instructions provided by the CONTROLLER or any specifications set forth in the applicable legislation;
e) Not disclose or share the Personal Data with third parties without the prior written authorization of the CONTROLLER, except in the cases expressly provided for in this Agreement or in any separate instrument;
f) Carry out, within a reasonable minimum timeframe and under the express instructions of the CONTROLLER, the unequivocal deletion of the Personal Data shared due to the use of the conversational solution, respecting the cases of legal data retention and storage as provided by law; and
g) Assist the CONTROLLER in preparing any reports related to the impact on the protection of Personal Data, as well as in providing any information that may be required by the competent authorities.

The PROCESSOR will not be obliged to comply with or follow the CONTROLLER’s instructions if they are in violation of the LGPD.

INFORMATION SECURITY

The Parties shall adopt the necessary and appropriate technical and administrative security measures to protect the Personal Data in terms of its confidentiality, availability, and integrity, including, but not limited to, protection against unauthorized access and accidental or unlawful situations of destruction, loss, alteration, disclosure, or any form of improper, unlawful, or non-compliant processing with the technical and regulatory guidelines of regulatory agencies, such as the National Data Protection Authority (ANPD).

In evaluating the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation, the nature, scope, context, purposes of Processing, and the risks involved in the Processing for the Data Subjects.

The CONTROLLER acknowledges and agrees that, for the purpose of conducting security tests and assessments, whether automated or manual, such as vulnerability analysis and/or intrusion testing (or Pentest), on the PROCESSOR's products, services, or infrastructure, the CONTROLLER must request, in a well-founded and written manner, express authorization from the PROCESSOR, with the PROCESSOR being entitled to deny the requested authorization if there are valid technical reasons for doing so.

SECURITY INCIDENTS

In the event of a Security Incident (unauthorized access, accidental or unlawful destruction, loss, alteration, disclosure, or dissemination) ("Incident") involving the Personal Data processed in the scope of using the conversational solution, the violating Party shall notify the other Party as soon as possible upon becoming unequivocally aware of the Incident.
The notification should, whenever possible, include the following details:

(i) Date and time the violating Party became aware of the Incident;
(ii) List of the types of data affected by the Incident;
(iii) Number of affected users (volume of the Incident);
(iv) Contact information of the data protection officer or another person who can provide more information about the event;
(v) Description of the potential consequences of the event; and
(vi) Measures taken to contain the Incident.

The notification must be sent, if to the CONTROLLER, to their registered email address in the contracted conversational solution; and if to the PROCESSOR, to the emails [email protected] and [email protected].

The Parties agree not to disclose any information about the Incident to third parties, except in the following cases:

(i) If both Parties expressly and previously authorize the disclosure;
(ii) If there is a legal obligation requiring such disclosure; or
(iii) If a regulatory authority mandates such disclosure.

In the case of an Incident, regardless of the nature, the Parties further commit to analyzing all the circumstances involved and deciding, jointly, whether it meets the legal requirement to be communicated to the National Data Protection Authority (ANPD).

If the CONTROLLER identifies any Incident in their environment or in their interaction with the contracted conversational solution that jeopardizes the security, integrity, or stability of the product, any of the services provided by the PROCESSOR, or their infrastructure, such as, but not limited to, ransomware attacks, service compromise, or denial of service, the CONTROLLER must immediately notify the PROCESSOR, with a detailed description of the occurrence, as well as the actions taken to reverse or mitigate the effects of the Incident, so that the PROCESSOR can evaluate the adoption of any necessary security measures, without transferring the responsibility of the Incident to the PROCESSOR.

DATA SHARING

The PROCESSOR shall grant access to Personal Data to its personnel only to the extent strictly necessary for the implementation, management, and monitoring of the licensing of the conversational solution contracted by the CLIENT. It shall also ensure that those authorized to process the Personal Data have committed to confidentiality or are subject to a legal confidentiality obligation that is appropriate.

The CONTROLLER acknowledges and authorizes that, for the execution of the licensing of the conversational solution, the PROCESSOR may engage third-party data processors with whom it may share the Personal Data received from the CONTROLLER, such as cloud service providers and customer support tools. In all cases, the PROCESSOR shall be responsible for all its sub-processors and shall require them to comply with the obligations and information security levels in accordance with the provisions of this Agreement.

RESPONSIBILITY

Responsibility for non-compliance with any of the obligations set forth herein shall be determined in accordance with the provisions of the LGPD, without prejudice to the liability limitations of BLIP set forth in separate instruments.

The CONTROLLER acknowledges that the Processing of Personal Data under the conditions set by it, as outlined in this Agreement and its instructions, exempts the PROCESSOR from liability for any unlawfulness of the Processing carried out by the CONTROLLER, and the CONTROLLER shall assume full responsibility for any losses or damages suffered by the PROCESSOR and/or third parties.

GENERAL PROVISIONS

The clauses herein should be read and interpreted in light of the provisions of the LGPD, so as not to conflict with the obligations established by the law and in any separate instrument executed by the Parties.

In the event of any contradiction between these clauses and the provisions of other terms maintained between the Parties and in effect at the time these clauses were agreed upon or accepted, these clauses shall prevail with respect to the subject matter addressed in this Agreement.