Agreement concerning data processing by a processor in accordance with Art. 28 GDPR
Version: February 24th, 2021

The controller:

User/customer (Hereinafter referred to as client)

Subject matter of the agreement:

Netflairs Technology Pvt. Ltd.
173, Salt lake city, Sector - 2, Block - CL,
India - 700091
(Hereinafter referred to as contractor)

1 Subject of the Contract

1.1 The subject matter of this agreement is the implementation of the following tasks: Automated processing of image data (incl. metadata) as well as integration, monitoring and troubleshooting of image-related processes.

This agreement is to be considered a supplementary document to the processor's General Terms and Conditions.

1.2 The following data categories are processed: Contents of image files, their metadata and processing instructions.

1.3 The following categories of data subjects are subject to this processing: Persons that are referred to in data provided by the client, e.g. customers of the client.

2 Duration of the agreement

2.1 The agreement does not have a defined end date and can be terminated by either party with one month's notice, effective on the last day of a month. The right to terminate for exceptional circumstances remains unaffected.

3 Obligations of the contractor

3.1 The contractor commits himself to process the data and the processing results exclusively within the scope of the written assignment of the client. Should the contractor be required to release data of the client at the request of the authorities, then he has to, as far as it is legally permitted, inform the client of this without delay and refer the authorities to the client. Likewise, the processing of data for the contractor's own benefit requires written approval by the client.

3.2 The contractor declares in a legally binding manner that he has obligated all persons assigned to process the data to adhere to the confidentiality practices prior to the beginning of the task, or that they are bound by an appropriate legal non-disclosure obligation. The non-disclosure obligations remain in force even after their assignment is completed and the contractor no longer employs them.

3.3 The contractor declares that he has taken all required steps to ensure that the security of the processing is upheld in accordance with Art. 32 GDPR (for specifications see Appendix 1).

3.4 The contractor implements the appropriate technical and organisational measures so that the client can comply with the rights of the affected individuals as per chapter III of the GDPR (information, access, rectification and erasure, data portability, objection as well as automated individual decision-making) at any time and within the legal deadlines and will submit all necessary information to the client. Should a relevant request be sent to the contractor and should this request show that the sender of the request mistakenly considers him the controller of the processing operated by the contractor, then the contractor must forward this request to the client without delay and notify the sender of the above.

3.5 The contractor supports the client with adhering to the obligations, as outlined in Art. 32 to 36 GDPR (data security, notification of a personal data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment, consultation).

3.6 The contractor is made aware that he must maintain a record of processing activities for the data processing in question in accordance with Art. 30 GDPR.

3.7 With regard to the provided data, the client is entitled to view and check the data processing facilities at any time, whether in person or via a commissioned third party. The contractor is obligated to provide the client with all necessary information to monitor the compliance with the obligations as outlined in this agreement.

3.8 Following the termination of this agreement, the contractor is obligated to destroy, at the client's request, all processing results and documents that contain data.

3.9 The contractor must inform the client immediately, if he is of the opinion that an instruction of the client constitutes a violation of the data protection regulations of the Union or of the Member States.

4 Place of performance of data processing

4.1 Data processing is, at least in part, also executed outside of the EU or the EEA, namely in the USA. The appropriate data protection level is established on the basis of an adequacy decision by the European Commission in accordance with Art. 45 GDPR.

5 Sub-Processors

5.1 The contractor can employ sub-processors. He must inform the client of the planned use of a sub-processor in such a timely manner that the client can object to it. The contractor enters into an arrangement with the sub-processor in accordance with Art. 28 para. 4 GDPR. In doing so, he must ensure that the sub-processor adheres to the same obligations as the contractor with regard to this agreement. Should the sub-processor not comply with his data protection obligations, then the contractor is liable vis-à-vis the client for the sub-processor's compliance with those obligations.

5.2 The contractor can employ the following sub-processor: CloudFlare Inc., 101 Townsend Street, San Francisco, CA 94107, United States of America (for the purpose of hosting cloud infrastructure and services).

Appendix 1 – Technical-organizational measures
A. Confidentiality

Entry control: Avoidance of unauthorized entry to data processing facilities by: Key, Electric door opener, Video surveillance, Follow-up of visitors on company premises.

Access control: Password (including relevant policies), Encryption of data carriers, Automated locking mechanisms, Two-factor authentication.

Avoidance of unauthorized reading, copying, changing or deleting within the system through: Standard authorization profiles on a "need to know basis", Standard process for assigning authorizations, Safe storage of data carriers, Regular checks of the assigned authorizations and of administrative user accounts in particular, Privacy-compliant reuse of data carriers, Privacy-compliant disposal of data carriers that are no longer needed.

Pseudonymization: If possible for the data processing operation, the primary identifiers are removed from within the data processing operation and saved elsewhere.

Data classification scheme: Based on legal obligations or self-assessment (secret/confidential/internal/public).

B. Data Integrity

Control of data transfer: No unauthorized reading, copying, changing or deleting during electronic transfer or transport by way of: Encryption of data carriers, Encryption of data transmissions.

Data entry control: Determination of whether and by whom personal data has been entered into the data processing system, changed or deleted by: Logging, Document management.

C. Availability and Resilience

Availability control: Protection against destruction (negligent and/or wilful) or loss through: Back-up strategy (online/offline; on-site/off-site).

Rapid recoverability ensured.

D. Procedures for regular testing, assessing and evaluating

Data protection management, including regular employee training courses.

Incident response management.

Data protection by design.

Data processing control: No data processing in the sense of Art. 28 GDPR without specific instruction by the client through definitive contract design.