Data Protection Policy
Last update: 23.03.2023
Please read this DPP carefully before accessing and/or using the Services. If You do not agree to all Upwex.io Documents, You may not access or use the Services.
The terms “controller”, “data subject”, “personal data breach”, “processing” (including “processed” and “process”), “processor” and “supervisory authority” have the meanings given to those terms in the GDPR.
In order to ensure an appropriate level of personal data protection, Upwex implements various measures, including the DPP, designed to ensure an appropriate level of protection of personal data of customers at Upwex.
Upwex provides services that rely on the processing of (personal) data, and the purpose of the DPA is to regulate the use of personal data of the Client, acting as a data controller (the “Client”), by Upwex, acting as a processor (the “Processor”) under the DPP.
The DPP applies to all processing of Customer personal data carried out by Upwex as a processor, including transfers within the EEA, from the EEA to third countries, from third countries to the EEA, and transfers between third countries. The DPP applies to the following categories of data transfers: controller-to-processor transfers and processor-to-(sub)processor transfers.
The Processor undertakes and certifies that it complies with all provisions of the applicable data protection rules, which include the General Data Protection Regulation (the “GDPR”; Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data) and the Law of Ukraine (Law of Ukraine of 01.06.2010 No.2297-VI on Personal Data Protection).
If local data protection legislation requires a lower level of protection for personal data than the DPP, the Processor is committed to complying with the level set out in the DPP.
The Processor shall collect compliance evidence and demonstrate compliance with applicable law (principle of “accountability”). That includes various forms of evidence:
- electronic records of consent or being informed;
- contracts and agreements;
- records of processing, registries of specific processing operations, transfers, or disclosures;
- archive of emails or other communications;
- archived logs or screencasts.
This evidence may be retained for certain periods, as required or implied by applicable law.
The Processor declares that it offers all sufficient safeguards to meet the requirements of the applicable data protection rules and, more particularly, to guarantee the confidentiality and protection of the Client’s data.
The Processor declares and undertakes to only use the Client’s data on its documented instructions described in the DPA. The Client undertakes to inform the Processor of any modification of the instructions that may be made regarding the use of its personal data. The Processor must notify the Client, in writing and without delay, if the latter’s documented instructions constitute a breach of the applicable data protection rules.
Bindingness upon Synapse Team LLC Associates
All associates of Synapse Team LLC are bound by this document through their obligation to comply with the Upwex policies, of which the DPP is a part. These obligations are reflected in all employment or cooperation contracts.
Upwex Associates are made aware of the DPP during onboarding, training, and regular review. Violation of the DPP may lead to sanctions according to applicable local laws, including dismissal of the relevant Associate.
The Processor declares and certifies that all of its associates who process the Client’s personal data are bound by a confidentiality clause or by any other legal act that guarantees the confidentiality of the Client’s personal data. The Processor undertakes to regularly train its associates on the applicable data protection rules.
In terms of Article 33(2) of the GDPR, the Processor shall notify the Client without undue delay after becoming aware of a personal data breach. The notification must specify all information necessary for the Client to process the data breach described in Article 28 of the GDPR. In the event of a data breach, the Processor undertakes to take all required measures to remedy the impact of the data breach. Unless the Client has given its express, prior and written consent, the Processor is not authorised to notify data breaches to the supervisory authority and to the persons concerned by the processing carried out under the DPA.
The Processor certifies and undertakes to guarantee the security of the Client’s personal data and to implement all technical and organisational measures required to prevent any risk of data breach. In addition, upon written request of the Client, the Processor shall provide all necessary information for the Privacy Impact Assessment (“PIA”). The Processor is not obliged to ensure or monitor the Client’s security or to conduct a PIA on behalf of the Client. Any additional request for information may be rejected and, if necessary, an additional fee for this service may be charged.
Data transfers to third countries
The Processor certifies and undertakes to do everything necessary to avoid transferring the Client’s personal data outside the European Union or recruiting any Sub Processor located outside the European Union. However, in rare cases, the Processor may transfer personal data to countries that do not provide an adequate level of personal data protection only if appropriate safeguards, such as standard contractual clauses, are established.
Clients requesting services from Upwex will receive written information about the use of a sub-processor*, and must provide their prior written consent or objection to the use of a sub-processor. In the absence of an undertaking by the Processor to modify the Sub Processor within three months from receiving the objection, the Client may terminate the DPA subject to prior written notice of six (6) months and without compensation. In any event, the Processor shall remain liable for the actions of the Sub Processor under the DPA.
*Where the Processor engages Sub-Processors, the Processor will enter into a written contract with the subcontractor that contains terms substantially the same as those set out in the DPA (including, where appropriate, Standard Contractual Clauses). The Processor remains responsible for each Sub-Processor’s performance of its obligations and for any acts or omissions of such Sub-Processor that cause the Processor to breach any of its obligations under the DPA.
Suspension of Processing
The Client shall inform the Processor, in writing and at the latest one month before the end of the DPA, of its choice:
- (option 1) to return the personal data to the Processor and then to erase the personal data and all existing copies, or
- (option 2) to erase the personal data and all existing copies directly, or
- (option 3) to transfer the personal data to a new provider and then to delete the personal data and all existing copies.
Unless otherwise provided in the DPA, option 3 must be subject to an estimate by the Processor. If the Client fails to inform the Processor of its choice within the specified period, the Processor reserves the right to erase the data and all copies directly (option 2). The Processor shall attest in writing to the Client that the personal data and all copies thereof have been effectively erased.
At least once a year, the Processor will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPP. Client (and/or via its third-party representatives, a data protection authority or any other regulatory body) shall be permitted to audit Processor systems and facilities during normal business hours provided that:
- Client shall provide at least 30 days’ prior written notice of its intention to carry out an audit;
- All expenses incurred by Processor shall be promptly discharged by Client;
- The Processor may request that any third-party representative performing an audit on behalf of Client shall provide written confidentiality undertakings to the reasonable satisfaction of Processor and Processor shall be entitled to refuse access to any of its premises or records (in any form) until such time as it has received such undertakings; and
- Nothing in the DPA shall entitle the Client to access or inspect any records which contain information relating to any other Clients of Processor and Processor shall be entitled to restrict or prevent access to any part of its premises (including, without limitation, its server farms or data centres) which it considers in its sole discretion could compromise the security of any information or data relating to such other Clients.
The Processor will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.
Cooperation with supervisory authorities
Regarding processing implemented under the DPA, the Processor undertakes to provide, on request, all the necessary information for the Client to cooperate with the competent supervisory authority.
Lawfulness of processing
The Processor shall only process personal data if there is a legal basis for doing so. Upwex processes personal data on behalf of the Processor. If necessary, a DPA on the processing of personal data may be concluded between the Processor and the Client, i.e.:
- Data Processing Agreement made to satisfy Article 28(3) of the GDPR; and/or
- Standard Contractual Clauses made to satisfy Article 46(2)(c) of the GDPR.
Any claims brought in connection with the DPA will be subject to the terms including, but not limited to, the exclusions and limitations set out in the DPA.
Rights Request Procedure
All Client requests should be sent in writing by email to email@example.com.
The Processor, who are data controllers, must process each request within 30 days, unless the relevant laws allow for an extension of this period.
In the event of the invalidity of the DPA, regardless of the reason, the Client shall notify the Processor in writing within 30 days of the invalidity of the DPA of its decision on the fate of its data in accordance with the Suspension of Processing section.
The Client reserves the right to amend this DPA in the event of modifications in the applicable data protection rules which would have the effect of modifying one of its provisions.
If you have any questions about this Data Protection Policy, please contact us at firstname.lastname@example.org.