ULTEH on sitoutunut varmistamaan asiakastietojen yksityisyyden, turvallisuuden ja säädöstenmukaisuuden. Tämä Tietojenkäsittelyn lisäsopimus (DPA) kuvaa ehdot, jotka säätelevät henkilötietojen käsittelyä, tallennusta ja suojaamista sovellettavien tietosuojalakien ja -asetusten mukaisesti. Tämä DPA on jatkoa pääsopimuksellemme Asiakkaiden kanssa ja sitä sovelletaan, kun ULTEH käsittelee henkilötietoja Asiakkaan puolesta tietojenkäsittelijänä. Se määrittelee selkeät vastuut molemmille osapuolille tietojenkäsittelyn osalta ja varmistaa asiaankuuluvien tietosuojalakien noudattamisen. Käyttämällä ULTEH-palvelua Asiakkaat hyväksyvät tässä DPA:ssa esitetyt ehdot. Jos tarvitsette allekirjoitetun kopion tästä sopimuksesta vaatimustenmukaisuustarkoituksiin, ottakaa yhteyttä meihin.
Affiliate refers to any entity that directly or indirectly controls, is controlled by, or is under common control with a party. "Control" means the direct or indirect ownership of at least 50% of the voting shares, equity interests, or similar rights in the entity, giving the ability to influence its management and policies. Affiliates are considered bound by the obligations and responsibilities outlined in this DPA to the extent they engage with the processing of Personal Data.
Authorized Sub-Processor means any third-party vendor, service provider, or contractor engaged by the Service Provider to process the Customer's Personal Data strictly on behalf of and under the instructions of the Service Provider. Authorized Sub-Processors assist in fulfilling obligations under this DPA and the main Agreement. All Sub-Processors must comply with the same data protection obligations, maintaining security, confidentiality, and regulatory compliance.
Account Data refers to all business-related information collected, stored, and processed by the Service Provider in relation to its contractual relationship with the Customer. This includes, but is not limited to, the names, email addresses, phone numbers, payment details, and access credentials of individuals authorized by the Customer to manage and operate their account on the Service Provider's platform. Account Data is used strictly for administrative, billing, and support purposes.
Data Protection Laws encompass all applicable laws, regulations, and frameworks governing the collection, processing, storage, transfer, and protection of Personal Data. This includes, but is not limited to, the General Data Protection Regulation (GDPR) of the European Union, the UK GDPR applicable to the United Kingdom, the California Consumer Privacy Act (CCPA), and any other national or international privacy laws relevant to data processing activities under this Agreement. Compliance with these laws ensures that Personal Data is handled lawfully, transparently, and securely.
Personal Data refers to any information relating to an identified or identifiable natural person ("Data Subject"). An identifiable person is one who can be directly or indirectly identified, particularly by reference to identifiers such as a name, email address, phone number, location data, an online identifier (such as IP address or cookies), or other unique factors that define their identity. Personal Data excludes anonymized or aggregated data that cannot be used to identify an individual.
Processing means any operation or set of operations performed on Personal Data, whether by automated means or manually. This includes, but is not limited to, collecting, recording, organizing, structuring, storing, adapting, altering, retrieving, consulting, using, disclosing, transmitting, restricting, erasing, or destroying Personal Data. Processing is conducted in accordance with the Customer's instructions and applicable Data Protection Laws.
Security Measures refer to the technical and organizational safeguards implemented to ensure the confidentiality, integrity, and availability of Personal Data. These measures include encryption, access controls, firewalls, data masking, pseudonymization, regular security audits, and breach notification mechanisms. Security Measures are designed to prevent unauthorized access, accidental loss, or unlawful processing of Personal Data.
Supervisory Authority refers to an independent public authority responsible for monitoring and enforcing compliance with Data Protection Laws. Examples include the European Data Protection Board (EDPB) for GDPR-related matters, the UK Information Commissioner's Office (ICO) for UK GDPR, and the California Privacy Protection Agency (CPPA) for CCPA enforcement. The Supervisory Authority has the legal power to investigate complaints, issue guidance, and impose penalties for non-compliance.
Data Subject Rights refer to the rights granted to individuals under applicable Data Protection Laws. These rights may include the right to access, rectify, delete, restrict, or transfer their Personal Data, as well as the right to object to processing and lodge complaints with a Supervisory Authority. The Service Provider assists Customers in facilitating the exercise of these rights when applicable.
The Customer may act as either a Data Controller or a Data Processor, depending on its relationship with the Data Subject and the purposes for which Personal Data is processed. In all cases, ULTEH acts as a Data Processor, processing Personal Data on behalf of and under the instructions of the Customer.
The Customer is responsible for ensuring that all data processing activities conducted using our Services comply with Applicable Data Protection Laws, including but not limited to the General Data Protection Regulation (GDPR), UK GDPR, the California Consumer Privacy Act (CCPA), and other applicable privacy regulations. The Customer acknowledges that it has the legal basis to process Personal Data and indemnifies us against any claims, liabilities, or damages resulting from non-compliance with these legal requirements.
We shall process Personal Data only in accordance with the Customer's written instructions and solely as required to provide the Services, unless otherwise mandated by law. We will not use, disclose, or share Personal Data for any purpose other than those authorized by the Customer or explicitly outlined in this Agreement.
Upon termination of the Agreement or the Customer's request, we shall, at the Customer's discretion, either: (a) Securely delete all Personal Data processed under this Agreement, ensuring that no copies remain unless required by law, or (b) Return the Personal Data to the Customer in a structured, commonly used, and machine-readable format before deletion. The Customer must provide such requests within a reasonable timeframe before termination.
If we are legally required to retain Personal Data beyond termination, we will notify the Customer (unless legally prohibited from doing so) and ensure that such data remains protected in compliance with Data Protection Laws.
ULTEH is committed to protecting the security and confidentiality of Personal Data processed on behalf of the Customer. To ensure data integrity and security, we implement and maintain industry-leading security measures designed to prevent unauthorized access, disclosure, alteration, or destruction of Personal Data.
These security measures include, but are not limited to:
Any individual, including employees, contractors, and authorized service providers, who processes Personal Data on our behalf is bound by strict confidentiality obligations. This includes signing legally enforceable non-disclosure agreements (NDAs) and adhering to internal data handling policies to ensure compliance with data privacy and security standards.
We will promptly notify the Customer of any confirmed security breach that may result in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data. Such notifications will include details of the incident, potential impact, and remediation efforts taken to mitigate risks.
We continuously review and update our security measures in accordance with evolving industry standards and regulatory requirements to ensure the ongoing protection of Customer data.
ULTEH may engage third-party Sub-Processors to assist in providing and maintaining the Services. These Sub-Processors perform specific functions such as data storage, infrastructure hosting, analytics, or customer support. We ensure that all engaged Sub-Processors adhere to strict data protection obligations equivalent to those outlined in this DPA.
We maintain an up-to-date list of Sub-Processors, including their roles and processing locations. Customers may request information about the current Sub-Processors at any time by contacting us.
Customer Rights & Objections:
We remain fully responsible and liable for the actions of our Sub-Processors and ensure that they comply with:
We reserve the right to update or replace our Sub-Processors as needed, with due consideration for Customer concerns and ongoing compliance obligations.
ULTEH may transfer Personal Data outside the European Economic Area (EEA), the United Kingdom (UK), or Switzerland to facilitate the provision of Services. When such transfers occur, we ensure that appropriate legal safeguards are in place to protect the transferred data in compliance with applicable Data Protection Laws.
We rely on recognized data transfer mechanisms, including but not limited to:
Customer Rights & Assistance: We are committed to assisting the Customer in ensuring compliance with the rights of Data Subjects under applicable Data Protection Laws. This includes, but is not limited to:
We continuously monitor global privacy regulations to ensure compliance with cross-border data transfer requirements and will notify the Customer if changes in the legal framework impact our data processing obligations.
ULTEH recognizes and respects the rights of Data Subjects under applicable Data Protection Laws. We will assist the Customer, as the Data Controller, in responding to requests from individuals regarding their Personal Data.
Data Subjects may exercise the following rights:
Customer Responsibilities: The Customer, acting as the Data Controller, is responsible for handling Data Subject requests. We will provide reasonable assistance upon request, ensuring that responses are handled promptly and in compliance with applicable laws.
We shall not respond directly to a Data Subject request unless legally required to do so or explicitly authorized by the Customer.
ULTEH takes security seriously and implements preventative measures to safeguard Personal Data. However, in the event of a Personal Data Breach, we shall act swiftly and transparently.
Data Breach Response Plan: If we become aware of a confirmed Personal Data Breach that may result in the unauthorized access, loss, alteration, or disclosure of Personal Data, we will:
Customer Responsibilities: The Customer is responsible for determining whether to notify regulatory authorities and Data Subjects in compliance with applicable Data Protection Laws.
We shall document all breaches and maintain records of our investigation, mitigation efforts, and remediation actions.
ULTEH retains Personal Data only for as long as necessary to fulfill its obligations under this Agreement or as required by applicable laws.
Data Retention Policy:
Customer-Controlled Data Deletion:
Exceptions to Data Deletion: In certain cases, we may retain Personal Data beyond the agreed retention period, including:
We ensure that secure deletion procedures are followed, preventing any unauthorized recovery or misuse of Personal Data.
This Data Processing Addendum (DPA) shall be governed by and interpreted in accordance with the same laws and jurisdiction as defined in the main agreement between ULTEH and the Customer.
Dispute Resolution Process: If any dispute arises regarding this DPA, both parties agree to follow a structured resolution process, including:
In the event of any conflict between this DPA and the main agreement, the terms of this DPA shall take precedence solely concerning data protection matters, ensuring compliance with applicable Data Protection Laws.
This Data Processing Addendum forms an integral part of the overall agreement between ULTEH and the Customer. By continuing to use the Services, the Customer acknowledges and accepts the terms of this DPA.
If any provision of this DPA is found to be invalid or unenforceable, the remaining provisions shall continue in full force and effect. The parties agree to replace any unenforceable provision with one that reflects the original intent as closely as possible while remaining compliant with applicable laws.
Amendments & Updates: We reserve the right to modify or update this DPA to reflect changes in applicable Data Protection Laws, industry practices, or operational needs. Customers will be notified of any material changes, and continued use of the Services constitutes acceptance of the updated terms.
Contact Information: For any questions, concerns, or to request a signed copy of this DPA, Customers may contact us at: [email protected].
