September 1, 2022
By registering on the terms described in the Nussknacker Cloud Service Rules (Section How to get started, subsection 1 of the Rules), you express your consent to the terms of the Data Processing Agreement below ("Agreement"). This Agreement is an integral part of the agreement entered into by and between TouK Sp. z o.o. s.k.a. with its registered office in Warsaw at Al. Bohaterów Września 9, 02-389 Warsaw, KRS 0000251363, hereinafter referred to as "TouK", and the Customer, on the terms described in the Nussknacker Cloud Service Rules.
The Customer and TouK are hereinafter also referred to separately as the "Party" or jointly as "Parties".
- Services provided to the Customer by TouK as part of Nussknacker Cloud ("Service") may require the processing of Personal Data (specified below) by TouK. the Parties want to ensure compliance of processing of Personal Data with law, in particular with the Regulation of the European Parliament and of the Council (EU) 2016 / 679 of 27 April 2016 on the protection of individuals with regard to processing of personal data and on free movement of such data, and repealing Directive 95/46 / EC ("GDPR") - from the moment it becomes applicable - and with other applicable application of legal provisions regulating protection of personal data;
- The Customer is the administrator of personal data that is processed using the Service ("Personal Data") or acts on basis of authorization of Personal Data administrator, as a processor on behalf of administrator. A description of the types of Personal Data and categories of persons to whom Personal Data relates is provided in Appendix 1;
- TouK provides the Customer with Service on the basis of the Nussknacker Cloud Service Rules ("Rules", available at https://nussknacker.io/cloud-service-rules/), of which this agreement is an integral part.
The Parties have agreed to the following:
Subject of the agreement
- Pursuant to Art. 28 sec. 3 GDPR, the Customer entrusts TouK with processing of Personal Data, and TouK accepts the entrustment.
- TouK undertakes to process Personal Data: (i) in accordance with applicable law and the Agreement; (ii) solely for the purpose of providing the Service by TouK to the Customer; (iii) within the scope, purpose and as part of the activities and nature described in Appendix 1; and (iv) from the commencement of provision of the Service until the termination of the Agreement according to section How to stop using Nussknacker Cloud of the Rules, subject to section Return or deletion of personal data of the Agreement.
- The role of TouK is limited to providing the Customer with the Service tools to be used for the processing of Personal Data. TouK has no influence on the scope of Personal Data processed by the Customer in the Service, does not determine the purposes and methods of their processing and does not monitor the scope of this data, the legality of the grounds for their processing or the correctness of processing by the Customer.
- The Customer declares that Personal Data has been obtained and is processed by them in accordance with applicable law, including the GDPR. The Customer confirms in particular that (i) they have provided data subjects with information about the processing of their data to the extent and in the manner required by the GDPR, and that (ii) they are entitled to process Personal Data and entrust them to TouK processing to the extent and for the purpose specified in Annex 1 to the Agreement. In addition, if the Customer is not the administrator of Personal Data, they confirm that they have obtained the consent of the relevant administrator required by the provisions of the GDPR to entrust TouK with further processing of Personal Data for such a purpose and scope.
- The Customer confirms that technical and organizational measures implemented by TouK, set out in Annex 2, are appropriate and sufficient to protect the rights of the Personal Data subjects and considers that TouK provides sufficient guarantees in this regard.
- Notwithstanding the foregoing, the Customer undertakes, in accordance with the principles described in the Rules, to use the Service in a safe and lawful manner, including appropriate security of the credentials for the Customer Account, ensuring the security of Personal Data when transferring it to the Service, taking appropriate activities aimed at secure encryption or self-backup of Personal Data entrusted to TouK and protection of Personal Data against unauthorized access by third parties.
- The Customer is obliged to notify TouK without undue delay of any inspection carried out by the relevant personal data protection office, in particular President of the Personal Data Protection Office ("PUODO"), which is related to the processing of the entrusted Personal Data and about each letter from the abovementioned personal data protection office or PUODO regarding the submission of explanations on Personal Data.
- TouK is obliged to process Personal Data only in accordance with the instructions provided by the Customer, unless the law of the European Union or the law of a Member State provides otherwise. In the latter case, section TouK's declarations and obligations, subsection 6a of the Agreement shall apply.
- The Customer's instructions are included in the Agreement or are ordered and executed via the functionalities provided by TouK in the Service. The Customer is obliged to ensure that all instructions provided to TouK comply with the applicable provisions on the protection of personal data.
- Any further instructions that go beyond those specified in par. 2 above, must relate to the subject of the Agreement or the Service provided, in accordance with the Rules. If the implementation of further instructions results in costs for TouK, TouK will inform the Customer about such costs together with an explanation of the amount of costs before executing the instruction. After the Customer confirms that they will bear the costs of carrying out the order and after payment by the Customer, TouK is obliged to carry out further instructions, provided that it is allowed by the technical and organizational capabilities of TouK. The Customer gives further instructions in writing, unless an urgent nature or other special circumstances justify giving orders in electronic form. Orders in any form other than in writing should be properly documented immediately.
- TouK shall immediately inform the Customer if, in its opinion, the instruction violates the GDPR or other generally applicable law of the European Union or a Member State, and shall request the Customer to withdraw, amend or confirm the questioned instruction. Pending the decision of the Customer, TouK is entitled to suspend the execution of the questioned instruction. In the event that the execution of the Customer's instruction, despite the submission of explanations, would violate generally applicable provisions of the European Union or Member State law, TouK is entitled to refrain from carrying out this instruction.
TouK's Declarations and obligations
- Taking into account the risk of violating the rights and freedoms of natural persons and the state of technical knowledge, implementation costs, scope, nature, context and purposes of processing Personal Data, TouK declares that, in accordance with Art. 32 GDPR, it has implemented appropriate technical and organizational measures to secure the processing of Personal Data. A description of the implemented measures is provided in Annex 2. TouK may change the implemented measures at any time, provided that they do not provide a lower level of protection than the measures in force at the time of concluding the Agreement. Information on current technical and organizational measures along with information on changes in the implemented measures will be available on https://nussknacker.io. At the justified request of the Customer, TouK will provide the Customer with further information necessary for the Customer to demonstrate compliance with the obligations set out in Art. 28 GDPR. Provision of §4 section 5, last sentence, shall apply accordingly.
- TouK undertakes to protect Personal Data against disclosure to unauthorized persons, removal by an unauthorized person, damage, destruction or loss, and will take all necessary steps to keep Personal Data secret and to protect them in accordance with applicable Rules.
- TouK declares that all persons authorized to process Personal Data have undertaken to keep them secret or are subject to a relevant statutory obligation of secrecy, in accordance with Art. 28 sec. 3 letter b GDPR, and TouK is responsible for their actions or omissions as for its own.
- It is the Customer's responsibility to comply with the requests of the persons to whom the Personal Data relates, and to prepare responses to these requests. TouK undertakes to support the Customer, as far as possible and reasonably, in fulfilling this obligation, in particular by applying appropriate and possible technical and organizational measures necessary for the Customer to enable persons to exercise their rights under Chapter III. of GDPR.
- TouK is obliged to support the Customer in performing the tasks provided for in Art. 32 - 36 GDPR in relation to the Service, providing the Customer with the necessary information. With regard to supporting the Customer in carrying out a data protection impact assessment (Article 35 GDPR) and prior consultations with the supervisory authority (Article 36 GDPR), TouK is obliged to provide assistance only to the extent that the Customer's obligations cannot be fulfilled by the Customer by other means. TouK will inform the Customer about the costs of such assistance and after the Customer confirms that these costs have been incurred, TouK will provide the required support.
- TouK is obliged to notify the Customer without undue delay:
- on the obligation of TouK or its subcontractor under the law of the European Union or the law of the Member State to which it is subject, to process Personal Data in a way that goes beyond the Customer's instructions; in such a case, before the commencement of such processing, TouK will inform the Customer about this legal obligation, unless the law prohibits such information being provided due to important public interest; in this case, the notification to the Customer will specify the legal requirement resulting from the law of the European Union or a Member State;
- about a breach of Personal Data protection by TouK or its subcontractor, which affects the Customer's Personal Data covered by the Agreement. In this case, TouK is obliged to support the Customer in the fulfillment by the Customer of the obligations of informing the supervisory body or the data subject, if applicable, by providing information available to TouK in accordance with Art. 33 §3 GDPR.
Use of subcontractors (further entry)
- In order to ensure the proper provision of the Service, the Customer agrees to TouK's use of subcontractors and further entrusting them with the processing of Personal Data. Without limiting the general consent given to TouK in the preceding sentence, the Customer expresses their consent to the subcontractors indicated in Appendix 3.
- All subcontractors listed in Appendix 3 to whom TouK transfers Personal Data, process the Personal Data in European Economic Area (EEA) countries.
- For the avoidance of doubt Parties hereunder agree that persons pursuing their activity on behalf of TouK in an employed or self-employed capacity, won’t be understood as subcontractors.
- The current list of TouK's subcontractors will be available on the website https://nussknacker.io. TouK will inform the Customer about any planned changes in the scope of subcontractors to whom it will further entrust the processing of Personal Data. The Customer is informed 7 days in advance, by means of the information provided via website https://nussknacker.io. The Customer has the right to object by e-mail to TouK's use of the indicated subcontractor within 7 days following the notice given by TouK according to the description given in the previous sentence. If the Customer does not object within the above mentioned period, it shall be construed as the Customer’s approval of such changes. However, if the Customer decides to object to use of the new subcontractor indicated by TouK, such objection shall be construed as termination of the agreement entered into as described in the section How to get started, subsection 1 of the Rules as well as the Agreement, with immediate effect.
- Further entrusting the processing of Personal Data may only take place within the limits and for the purpose of providing the Service. TouK declares that (i) the subcontractors selected by TouK will meet all the requirements resulting from the GDPR and the relevant provisions on the protection of personal data, (ii) in accordance with Art. 28 sec. 4 GDPR TouK will concluded agreements with subcontractors in the field of Personal Data processing and that they will contain provisions obliging subcontractors to similar obligations as set out in the Agreement towards TouK and that (iii) the standard of personal data protection in force at the subcontractors cooperating with TouK will be at least equal to the standard of data protection in force at TouK (iv) if the subcontractor selected by TouK processes Personal Data in a third country within the meaning of the GDPR, TOUK shall be obliged to comply with its obligations set in Chapter V of GDPR.
Customer control rights
- The Customer has the right to control the compliance of the processing of Personal Data by TouK with the provisions of the Agreement ("Audit"). The audit may also take place through an independent auditor authorized by the Customer, provided that a confidentiality agreement is agreed between the auditor and TouK.
- The Customer undertakes that an entity conducting direct or indirect activity competitive to the activity conducted by TouK will not be appointed as an authorized auditor.
- The audit is subject to the following conditions: (i) it may only apply to Personal Data entrusted to TouK processing under the Agreement and will be limited to the headquarters of TouK and devices used to process Personal Data and personnel involved in processing activities covered by the Agreement; (ii) will take place no more than once a year, unless the Audit is required by law or by the competent supervisory authority, or takes place immediately after finding a material breach of Personal Data processed under the Agreement, (iii) may be performed during normal working hours of TouK, in a manner that does not interfere with the business activities of TouK and in accordance with TouK's security policies; (iv) The Customer shall notify TouK of the intention to conduct the Audit by electronic means or by letter at least 14 business days before the planned date of the Audit. In the event of the inability to conduct the Audit in the scheduled time or of any other unexpected obstacles beyond TouK's control, TouK will notify the Customer of such circumstances and propose a new date for the Audit, but this will be no later than within 7 working days from the date indicated by the Customer; (vi) the Customer bears all costs arising from or incurred in connection with the Audit, except in cases where a serious breach of the security of Personal Data concerning or threatening the Customer's Personal Data is revealed; (vii) The audit may not be aimed at or lead to the disclosure of legally protected secrets (including TouK's business secrets). The Customer is obliged to create an Audit report summarizing the findings of this audit. The report will be provided to TouK and will constitute confidential information about TouK, which may not be disclosed to third parties without the consent of TouK, unless required by applicable law.
- If TouK has the certification referred to in Art. 42 GDPR or the application of the code of conduct referred to in Art. 40 of the GDPR, the Customer's control rights may also be exercised by TouK's reference to the results of monitoring the certification rules or the code of conduct. In such a case, the Audit will only concern issues that cannot be sufficiently clarified by presenting such results by TouK.
Return or deletion of personal data
- After the end of the entrustment relationship with the processing of Personal Data, TouK, at the Customer's decision, will delete the Personal Data (by deleting all existing copies of Personal Data) unless the law requires or authorizes TouK to store personal data on an independent legal basis for a longer period.
- The Customer is solely responsible for ensuring that necessary operations (such as back up) to the preservation of Personal Data are performed, notably before termination of the Agreement.
- In respect of the above mentioned, the Customer is informed that the termination of Nussknacker Cloud for any reason, as well as certain maintenance operations of Nussknacker Cloud may automatically result in the irreversible deletion of all content (including information, data, files, etc.) that is reproduced, stored, hosted or otherwise used by the Customer within the scope of Nussknacker Cloud, including any potential backup.
- The Customer may obtain a copy of the existing Personal Data processed when using the Service provided in accordance with the Rules, but not later than within 60 (sixty) days after the Account deactivation, during which time Personal Data will be processed by TouK solely for the purpose of potential reactivating the account by the Customer. TouK undertakes to process Personal Data within 60 (sixty) days after the Account deactivation only by storing Personal Data for the Customer, excluding any other operations on these Data, subject to TouK's different obligations indicated in applicable law or imposed on TouK by authorized bodies. After this deadline, Personal Data will be removed and it will not be possible to recover it.
- TouK is not liable for direct and indirect damages, regardless of their source (in particular, such as: losses from income, profit, interest or other lost profits; pure financial losses), except in the case of willful misconduct of TouK. Total responsibility of TouK, regardless of the number and basis of claims of the Customer or any other third party, is limited to the total amount paid by the Customer for the use of the Service over the course of the billing period immediately preceding the date on which the customer made a claim to TouK. The customer hereby releases TouK from any liabilities exceeding the above-mentioned limit.
- TouK is not liable for damages (direct and indirect) incurred by the customer and caused by:
- force majeure,
- interference of third parties, especially in connection with the use of the Account by third parties using the login details to the Account,
- malfunctions of factors independent of TouK,
- Force majeure is understood as any extraordinary, external event, which could not be foreseen at the time of the conclusion of the Agreement and which could not be prevented. The circumstances constituting force majeure include, in particular, war, natural disasters, epidemic, strikes, breakdowns, DDoS attacks or other disruptions in the operation of the telecommunications network or ICT infrastructure, as well as extraordinary government and administrative actions and actions of entities affecting the provision of the service by TouK.
- Parties unanimously agree that the Customer is responsible for satisfying the claims of persons whose Personal Data are processed for damages caused as a result of improper processing of Personal Data under the Agreement, unless it proves that the damage resulted from the sole fault of TouK or its subcontractors. If the above is not provided, the Customer is obliged to unconditionally release TouK from liability for any claims submitted by entities whose Personal Data is processed by TouK under the Agreement, in connection with the processing of such data under the Agreement. In the event of initiating court proceedings against TouK, the Customer is obliged, at TouK's request, to join such proceedings as a party and assume responsibility for the reported claim.
- The Parties agree that, subject to the exceptions specified in the Agreement, TouK's remuneration for activities performed under the Agreement is included in the remuneration due for the provision of the Service to the Customer.
- The Agreement was concluded for an indefinite period, with the provision that the Agreement shall be terminated at the latest on the date of removal or return of Personal Data in accordance with the provisions of section Return or deletion of personal data of the Agreement.
- The Agreement replaces any existing agreements between the Parties regarding the entrustment of Personal Data that the Parties have previously concluded in connection with the Service, regardless of the form of such agreements.
- Any communication between the parties regarding the Agreement will only take place to the addresses listed below:
- TouK - firstname.lastname@example.org
- Customer - the e-mail address used by the Customer to make the notification referred to in section How to get started, subsection 1 of the Rules.
- The law applicable to the Agreement is the law of the Rules. In matters not covered by the Agreement, the provisions of the GDPR and other relevant provisions of Polish law will apply, as well as the provisions of the Policy and the Rules available on the website https://nussknacker.io. Capitalized terms that are not defined in the Agreement have the meaning given to them in the Rules. In the event of non-compliance of the provisions of the Rules with the Agreement, the provisions of the Agreement with regard to the protection of personal data shall prevail.
Appendix No. 1 - Description of the processing of Personal Data
Purpose of processing of entrusted Data
Personal Data will be processed by TouK in order for the Customer to use the Service provided by TouK.
Nature of processing activities
The processing by TouK will be automated and non-automated. The processing of Personal Data by TouK will take place using IT systems provided as part of the Service and will include the following processing activities: collecting, recording, storing, developing, changing, sharing, backing up Personal Data, as well as other operations necessary to perform the Service.
As part of the processing of Personal Data, TouK will not communicate directly with the data subjects on behalf of the Customer.
The role of TouK is limited to providing the Customer with the Service tools to be used for the processing of Personal Data. TouK has no influence on the scope of Personal Data processed by the Customer in the Service, does not determine the purposes and methods of their processing and does not monitor the scope of such Data.
Categories of data subjects and categories od Personal Data
Categories of data subjects processed by Touk are determined and controlled by the Customer at its sole discretion.
As a rule, the Service is not intended for the processing of special categories of personal data referred to in Art. 9 of the GDPR, personal data related to criminal convictions and infringements of the law referred to in Art. 10 of the GDPR, or the personal data of children. However, the decision as to the scope of categories of Personal Data provided by the Customer to TouK in the Service rests with the Customer. By deciding to include such data in the service, the Customer confirms that the security measures implemented by TouK are, in its opinion, sufficient to protect the entrusted Personal Data.
Appendix No. 2. Description of implemented organizational and technical measures for the protection of personal data
Organizational security measures
- General and specific standards of organization security, information security, and security of information systems have been defined, in which the basic goals of activities related to the implementation of policies are defined.
- The standards are subject to periodic reviews and updates approved by the top management of the Company.
- The system for monitoring changes in the applicable legal provisions regarding the rules for the processing of personal data has been developed, implemented and ensured that the continuity of operation is maintained.
- In order to ensure an appropriate level of personal data protection, persons processing personal data on behalf of TouK have received an authorization to process personal data.
- All persons authorized to process personal data have been obliged to maintain confidentiality during the employment relationship and after its termination.
- A system for managing access rights to data carriers, rooms and elements of IT infrastructure and networks was developed.
- It has been ensured that persons authorized to process personal data are assigned minimum access rights, depending on the tasks performed.
- TouK has implemented the Information Security Management System (ISMS). It ensures data protection, integrity and availability by adopting a risk management process.
- Principles of selecting subcontractors and suppliers have been developed to ensure an adequate level of technical and organizational security of the services provided and the tasks performed.
Technical security measures
- A minimum scope of technical security measures has been established to ensure the security of personal data. The type and scope of the applied additional technical security measures is determined individually depending on the identified threats, the required degree of protection and technical possibilities.
- TouK monitors for new vulnerabilities in software used in Nussknacker Cloud and analyses their impact on systems and operations. Then, TouK deploys mitigation measures to define and implement corrective action plans, as applicable.
- A hardening process is in place to ensure a secure configuration of all applications.
- Nussknacker Cloud infrastructure is security tested on a regular basis. This includes automatic vulnerability scans and penetration testing performed by external auditors.
- A monitoring system for all Nussknacker Cloud services is in place to ensure availability and integrity of the resources being monitored.
Appendix No. 3 - List of TouK subcontractors
|Entity name||Registered address|
|DigitalOcean, LLC||101 Avenue of the Americas, 10th Floor New York 10013, United States|
|Aiven Oy||Antinkatu 1, 6th Floor, Helsinki 00100, Finland|