Data Processing Agreement (“DPA”)
Last updated: December 25, 2022 (v.1.0)
This Data Processing Agreement (hereinafter the “DPA”) is incorporated into the Agreement between Controller and Processor if:
- The Controller has entered into a trial license of the Software with Alice.
The DPA describes the commitments of the Controller and the Processor concerning the processing of Personal Data in the context of the provision of the trial Software license agreed in the Agreement.
1. Interpretation
Capitalized terms have meanings defined under the following conditions. The following definitions shall have the same meaning regardless of whether they appear in singular or plural. All references to privacy in the DPA will have the meanings defined in (EU) 2016/679 (General Data Protection Regulation or GDPR), as may be amended, superseded, or replaced.
2. Definitions
For this DPA:
- DPA means this Data Processing Agreement that forms the entire agreement between the Controller and the Processor regarding the processing of personal data in connection with the Agreement. Unless the Parties negotiate another DPA in good faith, this is the current DPA.
- Agreement means the trial Software license agreement in which Alice has the role of Processor (as defined below).
- Software means the software program provided by the Company which is used by the Controller with the features defined on the website https://www.alicebiometrics.com/products under the Agreement. The Software may include one or more of the following products:
- KYC Standard
- KYC Extended
- Document OCR
- AML Search
- AML Monitoring
- Time Stamping
- Data Processor (referred to as either “Company“, “Processor” or “Alice” in this DPA) refers to ALICE BIOMETRICS, S.L., C.I.F. B27872217, Carretera do Vilar 56, 36214, Vigo, Spain, in its role as the data processor.
- Personal Data means any information relating to an identified or identifiable living natural person, for example, an identity document and a selfie image captured through our customer’s identity verification device or other information that may be uploaded, linked, or otherwise made available by the Controller, regardless of the form of such content.
- Data Controller (or the “Controller”) means the company or other legal entity that accesses or uses the Software and has entered into an Agreement with Alice for a license to use the Software temporarily.
- Parties means Alice and the Controller, referred to collectively.
- Applicable Data Protection Regulations shall mean all rules applicable to the Parties that regulate privacy, in particular, the (EU) 2016/679 (General Data Protection Regulation or GDPR), the Spanish complementary and development regulations, specifically Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, the LOPDGDD), and any regulation applicable to specific Data Subjects, as may be amended, superseded or replaced.
3. Purpose of the processing
The purpose of this DPA is to define, by the provisions of Article 28 of the GDPR and other applicable personal data protection regulations, the conditions under which the Data Processor will carry out the processing of personal data necessary for the provision of the services under the Agreement on behalf of the Controller. The scope, nature, and purpose of the data processing to be carried out by the Processor, as well as the type of personal data and categories of data subjects to which such processing affects, are those detailed in Appendix I of this DPA, as well as, if applicable, in the successive updates that the Parties may agree upon with respect thereto.
4. Duration
The DPA takes effect from the start of the processing of Personal Data under the Agreement. Upon termination of this DPA, the Processor shall return the Personal Data and copies in its possession, if any, to the Controller or destroy them at the request of the Controller.
5. Obligations of the Processor
The Data Processor and all its personnel are obliged to:
5.1 Use the Personal Data subject to processing, or those collected for inclusion, only for the purposes of this DPA. Under no circumstances may the Processor use the data for its own purposes or those of third parties, or for purposes other than the purpose of providing the service covered by the Agreement.
5.2 Process the data in accordance with the instructions of the Controller.
If the Processor considers that any of the instructions infringes the GDPR, the LOPDGDD, or any other data protection provision of the Union or the Member States, the Processor shall immediately inform the Controller.
5.3 Keep, in writing, a record of all categories of processing activities carried out on behalf of the Controller, containing:
- The name and contact details of the Processor and each controller on behalf of whom the Processor acts and, if applicable, of the representative of the controller or the person in charge and the Data Protection Officer.
- The categories of processing carried out on behalf of each data controller.
- Where applicable, transfers of personal data to a third country or international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, documentation of appropriate safeguards.
- A general description of the technical and organizational security measures relating to:
- a. Pseudonymization and encryption of Personal Data.
- b. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
- c. The ability to restore availability and access to Personal Data quickly in the event of a physical or technical incident.
- d. The process of regular verification, evaluation, and assessment of the effectiveness of technical and organizational measures to ensure the security of processing.
5.4 Not to communicate the data to third parties, except with the express authorization of the Controller, in legally admissible cases.
The Processor may communicate the data to other data processors of the same Controller, by the instructions of the Controller. In this case, the Controller will identify, in advance and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed with the communication.
If the Processor is required to transfer personal data to a third country or an international organization under applicable Union or Member State law, it shall inform the Controller of such legal requirement in advance, unless such law prohibits it for important reasons of public interest.
5.5 Subcontracting
The Controller acknowledges and agrees that the Processor may engage Subprocessors to process Customer Personal Data on the Controller’s behalf. The Controller authorizes the Processor to subcontract the currently engaged Subprocessors:
- Google Cloud EMEA Limited.
- a. Applicable to all services.
- b. Tax identification number: IE3668997OH
- c. Contact details and address:
- 70 Sir John Rogerson’s Quay, Dublin 2, Ireland
- d. Service description: data storage in the cloud.
- e. Google Cloud EMEA Limited is responsible for not transferring any Personal Data to any unsuitable country unless such party ensures (a) that the transfer is at all times subject to one of the appropriate safeguards permitted by Article 46 of GDPR and (b) that in all respects the transfer complies with GDPR. Inappropriate Country means a country that is (a) outside the European Economic Area and (b) is not a country that has been determined by the Commission as ensuring an adequate level of protection for Article 45 of GDPR.
- AC Camerfirma, S.A.
- a. Applicable to qualified time-stamping service.
- b. Tax identification number: A-82743287
- c. Contact details and address:
- Ribera del Loira 12, 28043 Madrid, Spain
- d. Description of service: qualified time stamping.
- Regulatory DataCorp, Ltd.
- a. Applicable to the AML search and tracing service.
- b. Company number: 08739364
- c. Contact details and address:
- Citypoint 16th Floor, One Ropemaker Street, London EC2Y 9AW, England
- d. Service description: user consultation and monitoring in the Sanctions List or PEP List (Politically Exposed Person) database, or both.
- e. The Provider is responsible for not transferring any Personal Data to any unsuitable country unless such party ensures (a) that the transfer is at all times subject to one of the appropriate safeguards permitted by Article 46 of GDPR and (b) that in all respects the transfer complies with GDPR. Inappropriate Country means a country that is (a) outside the European Economic Area and (b) is not a country that has been determined by the Commission as ensuring an adequate level of protection for Article 45 of GDPR.
- Elastic International, B.V.
- a. Applicable to all services.
- b. Company number: 54656230
- c. Contact details and address:
- Keizersgracht 281, 1016 ED Amsterdam, Netherlands
- d. Service description: Searching and filtering features inside the Cloud Services.
To subcontract with other companies, the Processor must inform the Controller in writing, clearly and unequivocally identifying the subcontracting company and its identification and contact details. Processor notification shall be through email communications to Controller. The subcontracting may be carried out if the Controller does not express its opposition within 30 days.
The subcontractor, who also has the status of data processor, is also obliged to comply with the obligations established in this document for the Processor and the instructions issued by the Controller. It is up to the Processor to regulate the new relationship, so that the new processor is subject to the same conditions (instructions, obligations, and security measures) and with the same formal requirements, regarding the proper processing of Personal Data and the guarantee of the rights of the data subjects.
In the event of non-compliance by the sub-processor, the Processor shall remain fully liable to the Controller for the fulfillment of the obligations.
5.6 Maintain confidentiality for the Personal Data to which it has had access by this DPA, even after its termination.
5.7 Ensure that the persons authorized to process the Personal Data on behalf of the Data Controller have undertaken in writing to observe confidentiality or are subject to a suitable statutory obligation of confidentiality.
5.8 Keep at the Controller’s disposal the documentation accrediting compliance with the obligation established in the previous section.
5.9 Ensure the necessary training in the protection of personal data for persons authorised to process the Personal Data.
5.10 Assist the Controller in responding to the exercise of the rights of:
- Access, rectification, suppression, and opposition.
- Limitation of treatment.
- Data portability.
- Not to be subject to automated individualised decisions (including profiling)
The Processor must communicate to the Controller, within two working days of receipt of the request, the requests to exercise the rights listed.
5.11 Right of information: Controller shall provide the information regarding the processing to the data subjects at the time of data collection of their Personal Data.
5.12 Notification of Personal Data breach
The Processor shall notify the Controller, without undue delay, and in any case within a maximum period of 36 hours, and by e-mail or any other means that prove the receipt of the communication, the personal data breaches under its responsibility of which it becomes aware, together with all the relevant information for the documentation and communication of the incident.
The Controller shall communicate any personal data breach to the Data Protection Authority. The communication shall contain, as a minimum, the following information:
- Description of the nature of the personal data breach, including, where possible, the categories and an approximate number of data subjects affected, and the categories and an approximate number of personal data records affected.
- Name and contact details of the data protection officer or another point of contact where further information can be obtained.
- Description of the possible consequences of the personal data breach.
- Description of the measures taken or proposed to be taken to remedy personal data breach, including, if applicable, measures taken to mitigate the possible negative effects.
The Controller shall also communicate the personal data breach to the data subject, if necessary, without undue delay, when the breach is likely to pose a high risk to the rights and freedoms of natural persons. The communication should be in clear and plain language and shall, as a minimum:
- Explain the nature of the personal data breach.
- Indicate the name and contact details of the data protection officer or another point of contact where further information can be obtained.
- Describe the possible consequences of the personal data breach.
- Describe the measures taken or proposed by the controller to remedy the personal data breach, including, if applicable, measures taken to mitigate potential adverse effects.
5.13 Provide support to the Controller in conducting impact assessments related to data protection, where appropriate.
5.14 Provide support to the Controller in carrying out prior consultations with the supervisory authority, when appropriate.
5.15 Make available to the Controller all information necessary to demonstrate compliance with its obligations, as well as for the performance of audits or inspections carried out by the Controller or another auditor authorized by it.
The Controller, with prior notice of four (4) working days, if possible, may visit the premises of the Processor and, where appropriate, of the sub-processors, to carry out the controls and audits it deems appropriate to verify compliance with data protection regulations. The maximum number of audits to be carried out shall be 1 per calendar year unless the Controller accredits a legitimate interest that justifies a greater repetition.
5.16 Implement the following security measures:
- Strong user authentication through passwords or biometric systems;
- Logical access control to resources and Personal Data, so that only employees duly authorized by the Data Processor can access the data;
- Logging of security incidents and events; and
- Performing daily backups.
In any case, following the provisions of art. 32 of the GDPR, the Processor must implement mechanisms to:
- Ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
- Restore availability and access to personal data quickly in the event of a physical or technical incident;
- Verify, evaluate and assess, regularly, the effectiveness of the technical and organizational measures implemented to ensure the security of the processing; and
- Pseudonymize and encrypt personal data, if applicable.
Likewise, the Processor shall adopt all those technical and organizational measures that, according to the risk analysis carried out by the Controller, considers necessary to guarantee an adequate level of security, taking into account the state of the art and the cost of its application for the risks and the nature of the personal data to be protected. In this case, it shall be the obligation of the Controller to communicate the additional measures to be implemented by the Processor.
Notwithstanding the foregoing, the Processor may carry out its risk analysis and propose to the Controller the adoption of additional or substitute security measures to those proposed by the Controller, provided that such measures result in an adequate level of security.
The Processor shall make available to the Controller the documentation accrediting what is established in the previous paragraph.
5.17 Data retention
The Data Processor will retain the user’s data (evidence provided and the result of the evaluation) for the duration of the contractual relationship. The data will be stored under best security practices and will be made available to the Controller at no additional cost.
Upon expiration of this Agreement, the Controller shall have 7 days to retrieve the user data it needs to retain.
After this period, the Data Processor will proceed to the total erasure of the Controller’s user data, and may also store the blocked data for a period longer than the term of this Agreement when there is a legitimate interest in legal compliance.
6. Obligations of the Data Controller
It corresponds to the Data Controller:
6.1 To allow the Processor access to the data being processed by the provisions of the Agreement.
6.2 To carry out the risk analysis that may arise from the processing activity to be commissioned and, based on such analysis, indicate to the Processor the technical and organizational measures to be implemented for the provision of the service entailed by the processing commission.
6.3 To assess the impact on the protection of personal data of the processing operations to be carried out by the Processor, if necessary.
6.4 To carry out the corresponding prior consultations.
6.5 To ensure, before and throughout the processing, compliance with the GDPR by the Processor.
6.6 Supervise the processing, including conducting inspections and audits.
6.7 To notify the security measures of the Processor as it deems necessary at any given time.
7. Statement of the Controller
The Controller guarantees the truthfulness and accuracy of the information provided to the Processor in all its aspects, and specifically, declares to have complied, before the subscribing of this DPA, with its obligations as Controller. Specifically, it declares to have provided the information required by art. 13 of the GDPR to the data subject as well as to have obtained the informed consent of the data subject to carry out the processing of the data under the Agreement. The Controller shall inform the Processor of any news, modification, or alteration that may occur concerning the information provided. The Processor may carry out periodic audits to verify compliance with the above, and the Controller undertakes to provide the information evidencing compliance.
8. Liability
The Parties undertake to hold harmless and assume all liability in connection with any claim, penalty or loss, damage to third parties or liability incurred arising, directly or indirectly, from the breach of the obligations recognized to each Party in this DPA or deriving from regulatory provisions.
9. Entry into force and termination
This DPA enters into force on the date of execution of the contract for which it is intended.
This DPA may be terminated for the following reasons:
- By mutual agreement of the Parties, expressed in writing.
- Due to supervening impossibility to develop the activities foreseen in this DPA.
- For the breach of the commitments assumed in the DPA by any of the Parties.
- For the termination or fulfillment of the time stipulated in the Agreement.
10. Modification
This DPA may only be expressly modified by mutual agreement between the Parties by signing the corresponding addendum. The Parties agree that the Agreement may contain some specifications regarding the DPA.
11. Communications and notifications
- a) Communications addressed to the Data Controller:
We will use the contact information provided by the Controller at the time of contracting. If the Controller modifies the address for notification purposes and/or contact emails for the same purposes, the Controller must give written notice to the Processor with 15 days’ prior notice.
- b) Communications addressed to the Data Processor shall be sent to: dpo@alicebiometrics.com.
- c) Communications in cases of personal data breaches shall be addressed, with a copy to the functional manager concerned, to the following email address: dpo@alicebiometrics.com.
12. Jurisdiction and applicable law
Under the provisions of the Agreement, any controversy between the Parties arising from the interpretation, execution and termination of this DPA shall be subject to the jurisdiction of the competent Courts in Vigo and Spanish law shall govern.
APPENDIX I: Processing specifications
 | KYC | Extended KYC | AML | Time Stamping |
DESCRIPTION OF THE SERVICE | Biometric identity verification allows the registration process of new customers to be carried out automatically and online. | Biometric identity verification allows the registration process of new customers to be carried out automatically and online + the issuance of qualified certificates and compliance with SEPBLAC requirements in Spain. | Verification of the presence or not of the user’s information (name and ID) in the databases designated by the Data Controller, providing published and publicly available information. | Provision of a Certificate or Report through the intervention of a trustworthy electronic service provider qualified following Spanish Law 34/2002. |
TREATMENT TO BE PERFORMED | ☒ Collection ☒ Recording ☒ Structuring ☒ Storage ☒ Extraction ☒ Consultation ☒ Destruction ☒ Alignment | ☒ Collection ☒ Recording ☒ Structuring ☒ Storage ☒ Extraction ☒ Consultation ☒ Destruction ☒ Alignment | ☒ Collection ☒ Recording ☒ Organisation ☒ Storage ☒ Extraction ☒ Consultation ☒ Disclosure by transmission ☒ Destruction ☒ Alignment | ☒ Collection ☒ Storage ☒ Consultation ☒ Disclosure by transmission ☒ Destruction |
PURPOSE OF TREATMENT | ☒ Customer, accounting, tax and administrative management. | ☒ Customer, accounting, tax and administrative management. ☒ Legal Obligations Compliance | ☒ Customer, accounting, tax and administrative management. ☒ Legal Obligations Compliance | ☒ Customer, accounting, tax and administrative management. ☒ Legal Obligations Compliance |
TYPE OF DATA | ☒ Identifying data. ☒ Personal characteristics. ☒ Special data categories: facial biometric template. | ☒ Identifying data. ☒ Personal characteristics ☒ Special data categories: facial biometric template. | ☒Identifying data. | ☒ Identifying data. |
DATA CATEGORIES | ☒Customers and users | ☒Customers and users | ☒Customers and users | ☒Customers and users |
SUBPROCESSORS | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; Regulatory DataCorp Ltd, 6 Lloyd’s Avenue, London EC3N 3AX, England | Google Cloud EMEA Limited, 70 Sir John Rogerson’s Quay, Dublin 2, Ireland; AC Camerfirma, S.A., Ribera del Loira, 12, 28043 Madrid, Spain |