Data Protection Agreement
This Data Protection Agreement (the “DPA”) becomes effective on January 6, 20.
The User shall make available to GURTAM and the User authorizes GURTAM to process information including Personal Data for the access to the Gurtam Space Platform under the Agreement. The parties have agreed to enter into this DPA to confirm the data protection provisions relating to their relationship and so as to meet the requirements of the applicable Data Protection Law.
1.1. For the purposes of this DPA:
“Data Protection Law” mean all applicable laws, regulations, and other legal requirements relating to (a) privacy, data security, consumer protection, marketing, promotion, and text messaging, email, and other communications; and (b) the use, collection, retention, storage, security, disclosure, transfer, disposal, and other processing of any Personal Data.;
“Personal Data” means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
“GURTAM Affiliate” means a legal entity on whose behalf the Personal Data is processing under this DPA and called:
(a) Gurtam UAB established under the law of Lithuania and registered at the address: 9-ojo Forto g.47, 2nd floor, 2-26, LT-48100 Kaunas, Lithuania; or
(b) any other Affiliate that means, with respect to a specified entity, (a) an entity that directly or indirectly, through one or more intermediaries, owns more than 50% of the outstanding voting securities of GURTAM, and (b) an entity that directly or indirectly through one or more intermediaries, is controlled by GURTAM, in each case where the term control means possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract interest or otherwise.
“Services” means any of the following services provided by GURTAM: (a) the GURTAM-branded product offerings made available via the Internet on https://gurtam.space and its subdomains, including, but not limited to: gurtam.space, oauth.gurtam.space, (b) consulting or training services provided by GURTAM either remotely via the Internet or in person, and (c) any support services provided by GURTAM, including access to the GURTAM help desk;
the terms “data controller”, “data processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall have the meanings given to them under applicable Data Protection Law.
2. Subject Matter, Nature and Purpose of GURTAM’s Processing of Personal Data
2.1. The subject matter, nature and purpose of the processing of Personal Data under this DPA is the GURTAM using of the Gurtam Space platform services (the “Services) as further instructed in writing by the User in its use of the Services, unless required to do so otherwise by the Data Protection Law, in which case to the extent permitted by the Data Protection Law, GURTAM shall inform the User of this legal requirement prior to carrying out the processing. GURTAM shall only collect or process Personal Data for the period of rendering of the Services to the extent, and in such a manner, as is necessary for provision of the Services and in accordance with the DPA and the Data Protection Law applicable to GURTAM.
3.1. The processing of Personal Data will be carried out by GURTAM while Gurtam Space Account of the User is in existence or as need for the using the Services by the User. Unless otherwise agreed upon in writing, after deleting a Gurtam Space Account, all Personal Data of the User must be destroyed within six months without the possibility of recovery.
4. Type of Personal Data Processed
4.1. The User may submit User Personal Data by accessing and using the Platform, the extent of which is determined and controlled by the User in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
× Account Information. When the User signs up for a Gurtam Space Account, it is required certain information such as the name and email. GURTAM can provide the User with support to access, correct, delete, or modify the information the User provided to GURTAM and associated with the User’s Gurtam Space Account. To protect the security, GURTAM takes reasonable steps (such as requesting any legal information) to verify the identity of the User before making corrections. The User is responsible for maintaining the secrecy of the password and information of the User’s Gurtam Space Account at all times.
× Additional Profile Information. The User may choose to provide additional information as part of its Gurtam Space profile. Profile information helps the User to get more from the Gurtam Space Platform. It’s the User’s choice whether to include sensitive information on its Gurtam Space profile.
× Other Information. The User may otherwise choose to provide GURTAM information when the User fills in a form, conducts a search, updates or adds information to its Gurtam Space Account, responds to surveys, posts to community forums, participates in promotions, or uses other features of the Gurtam Space Platform (object and its location, in particular).
5. GURTAM Obligations
5.1. GURTAM agrees and/or warrants:
(a) to process the Personal Data only on behalf of the User and in compliance with its instructions and the DPA; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the User of its inability to comply, in which case the User is entitled to suspend the transfer of data and/or terminate the use of the Platform;
(b) that all Personal Data processed on behalf of the User remains the property of the User and/or the relevant Data subjects;
(c) that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the User and its obligations under the DPA and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the DPA, it will promptly notify the change to the User as soon as it is aware, in which case the User is entitled to suspend the transfer of data and/or terminate the use of the Platform;
(d) that it has implemented the technical and organizational security measures specified in Appendix 1 before processing the Personal Data transferred;
(e) that it will promptly notify the User about:
i. any legally binding request for disclosure of the Personal Data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
ii. any accidental or unauthorized access; and
iii. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorized to do so;
(f) to deal promptly and properly with all inquiries from the User relating to its processing of the Personal Data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
(g) at the request of the User to submit its data-processing facilities for audit of the processing activities covered by the DPA;
(h) that, in the event of sub-processing, it has previously informed the User and obtained its prior written consent;
(i) that the processing services by the sub-processor will be carried out in accordance with Section 8;
(j) to appoint a data protection officer, who performs his/her duties in compliance with the Data Protection Law. The data protection officers contact details are available at GURTAM web page.
(k) to entrust only such employees with the data processing outlined in this DPA who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. GURTAM and any person acting under its authority who has access to Personal Data, shall not process that data unless on instructions from the User, unless required to do so by the Data Protection Law;
(l) to monitor periodically the internal processes to ensure that processing within GURTAM area of responsibility is in accordance with the requirements of the Data Protection Law and the protection of the rights of the data subject.
6. User Obligations
6.1. The User agrees and/or warrants:
(a) that the processing, including the transfer itself, of the Personal Data has been and will continue to be carried out in accordance with the relevant provisions of the Data Protection Law and does not violate the relevant provisions;
(b) that it has instructed and throughout the duration of the personal data-processing services will instruct GURTAM to process the Personal Data transferred only on the User’s behalf and in accordance with the Data Protection Law and the DPA;
(c) that GURTAM will provide sufficient guarantees in respect of the technical and organizational security measures specified in Appendix 1 to this DPA;
(d) that after assessment of the requirements of the Data Protection Law, the security measures are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
(e) that it will ensure compliance with the security measures;
(f) to access and use the Platform only for legal, authorized, and acceptable purposes. The User will not use (or assist others in using) the Platform in ways that: (a) violate, misappropriate, or infringe the rights of GURTAM, its users, or others, including privacy, publicity, intellectual property, or other proprietary rights; (b) are illegal, obscene, defamatory, threatening, intimidating, harassing, hateful, racially, or ethnically offensive, or instigate or encourage conduct that would be illegal, or otherwise inappropriate; (c) involve publishing falsehoods, misrepresentations, or misleading statements; (d) impersonate someone; (e) involve sending illegal or impermissible communications such as bulk messaging, auto-messaging, auto-dialing, and the like; or (f) involve any other use of the Platform prescribed in this DPA unless otherwise authorized by GURTAM;
(g) do not to (or assist others to) access, use, copy, adapt, modify, prepare derivative works based upon, distribute, license, sublicense, transfer, display, perform, or otherwise exploit the Platform in impermissible or unauthorized manners, or in ways that burden, impair, or harm GURTAM, the Platform, systems, other users, or others, including that the User will not directly or through automated means: (a) reverse engineer, alter, modify, create derivative works from, decompile, or extract code from the Platform; (b) send, store, or transmit viruses or other harmful computer code through or onto the Platform; (c) gain or attempt to gain unauthorized access to the Platform or systems; (d) interfere with or disrupt the integrity or performance of the Platform; (e) create accounts for the Platform through unauthorized or automated means; (f) collect the information of or about other users in any impermissible or unauthorized manner; (g) sell, resell, rent, or charge for the Platform; or (h) distribute or make the Platform available over a network where it could be used by multiple devices at the same time;
(h) that the User is responsible for keeping the User’s Gurtam Space Account safe and secure, and the User will notify GURTAM promptly of any unauthorized use or security breach of the User’s Account or the Platform;
(i) that GURTAM grants the User a limited, revocable, non-exclusive, non-sublicensable, and non-transferable license to use the Platform. This license is for the sole purpose of enabling the User to use the Platform, in the manner permitted by this DPA. No licenses or rights are granted to the User by implication or otherwise, except for the licenses and rights expressly granted to the User.
7. Technical and Organizational Measures
7.1. GURTAM shall take the appropriate technical and organizational measures to adequately protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, described under Appendix 1. Such measures include but not limited to physical and IT measures, and organizational measures to:
(a) the prevention of unauthorized persons from gaining access to Personal Data processing systems (physical access control),
(b) the prevention of Personal Data processing systems from being used without authorization (logical access control),
(c) ensuring that persons entitled to use a Personal Data processing system gain access only to such Personal Data as they are entitled to accessing in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
(d) ensuring that Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
(e) ensuring the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data processing systems (entry control),
(f) ensuring that Personal Data is protected against accidental destruction or loss (availability control).
7.2. The technical and organizational measures are subject to technical progress and further development. In this respect GURTAM may implement alternative adequate measure, however, the security level of the defined measures must never be reduced. Major changes must be documented.
8.1. The User agrees that GURTAM may engage GURTAM Affiliate or third parties to process Personal Data in order to assist GURTAM to render the Services on behalf of the User (“Sub-processors”). GURTAM has or will enter into written agreement with each Sub-processor containing data protection obligations not less protective than those in this DPA to the extent applicable to the nature of the services provided by such Sub-processor. If the Sub-processor processes the services outside the EU/EEA, GURTAM shall ensure that the transfer is made pursuant to European Commission approved standard contractual clauses for the transfer of Personal Data which the User authorizes GURTAM to enter into on its behalf, or that other appropriate legal data transfer mechanisms are used.
8.2. GURTAM shall notify the User thirty (30) days’ in advance of any intended changes concerning the addition or replacement of any Sub-processor during which period the User may raise objections to the Sub-processor’s appointment. Any objections must be raised promptly (and in any event no later than fourteen (14) days following GURTAM’s notification of the intended changes). Should GURTAM choose to retain the objected to Sub-processor, GURTAM will notify the User at least fourteen (14) days before authorizing the Sub-processor to process Personal Data and then the User may immediately discontinue using the relevant part of the Platform and may terminate the use of the relevant part of the Platform.
8.3. For the avoidance of doubt, where any Sub-processor fails to fulfill its obligations under any sub-processing agreement or under applicable law GURTAM will remain fully liable to the User for the fulfillment of its obligations under this DPA.
9.1. In order to confirm compliance with this DPA, the User shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit must occur during GURTAM’s normal business hours and will be permitted only to the extent required for the User to assess GURTAM’s compliance with this DPA. In connection with any such audit, the User will ensure that the auditor will: (a) review any information on GURTAM’s premises; (b) observe reasonable on-site access and other restrictions reasonably imposed by GURTAM; (c) comply with GURTAM’s policies and procedures, and (d) not unreasonably interfere with GURTAM’s business activities. GURTAM reserves the right to restrict or suspend any audit in the event of any breach of the conditions specified in this Section.
9.2. In the event the User, a regulator or data protection authority requires additional information or an audit related to the Platform, then, GURTAM agrees to submit its data processing facilities, data files and documentation needed for processing Personal Data to audit by the User (or any third party such as inspection agents or auditors, selected by User) to ascertain compliance with this DPA, subject to being given notice and the auditor entering into a non-disclosure agreement directly with GURTAM. GURTAM agrees to provide reasonable cooperation to User in the course of such operations including providing all relevant information and access to all equipment, software, data, files, information systems, etc. used for the performance of the Services, including processing of Personal Data. Such audits shall be carried out at the User’s cost and expense.
9.3. The audit may only be undertaken when there are specific grounds for suspecting the misuse of Personal Data, and no earlier than two weeks after the User has provided written notice to GURTAM.
9.4. The findings in respect of the performed audit will be discussed and evaluated by the parties and, where applicable, implemented accordingly as the case may be by one of the parties or jointly by both parties. The costs of the audit will be borne by the User.
10. Notification of a Data Breach
10.1. In the event of GURTAM aware of any breach of security that results in the accidental, unauthorized or unlawful destruction or unauthorized disclosure of or access to Personal Data GURTAM shall to the best of its ability, notify the User thereof with undue delay, after which the User shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak. GURTAM will endeavour that the furnished information is complete, correct and accurate.
10.2. If required by law and/or regulation, GURTAM shall cooperate in notifying the relevant authorities and/or Data subjects. The User remains the responsible party for any statutory obligations in respect thereof.
10.3. The duty to report includes in any event the duty to report the fact that a leak has occurred, including details regarding:
the (suspected) cause of the leak;
the (currently known and/or anticipated) consequences thereof;
the (proposed) solution;
the measures that have already been taken.
11. Deletion and Return of Personal Data
11.1. The parties agree that on the termination of the provision of data-processing services, the GURTAM and its subcontractors shall, at the choice of the User, return all the Personal Data transferred and the copies thereof to the User or shall destroy all the Personal Data and certify to the User that it has done so, unless legislation imposed upon GURTAM prevents it from returning or destroying all or part of the Personal Data transferred. In that case, GURTAM warrants that it will guarantee the confidentiality of the Personal Data transferred and will not actively process the Personal Data transferred anymore. GURTAM and its subcontractors warrant that upon request of the User and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in Section 9.
12. Governing Law/Forum
12.1. This DPA shall be governed by and interpreted in accordance with the laws of Lithuania.
12.2. Any and all claims, disputes or controversies arising under, out of, or in connection with this DPA, breach, termination or validity thereof, which have not been resolved by good faith negotiations between GURTAM and the User within period of thirty (30) calendar days after receipt of a notice from one party to the other requesting negotiations shall be resolved by final and binding arbitration in the Vilnius Court of Commercial Arbitration in accordance with its Rules of Arbitration as in force and effect on the date of the DPA. Disputes shall be settled by a single arbitrator. Arbitration proceedings shall be held in Vilnius, Lithuania. The place of arbitration shall be Vilnius, Lithuania. The language of arbitration shall be English. Relevant documents in other languages shall be translated into English if the arbitrators so direct. All expenses and costs of the arbitrators and the arbitration in connection therewith will be shared equally, except that GURTAM and the User will each bear the costs of its own prosecution and defense, including without limitation attorney’s fees and the production of witnesses and other evidence. Any award rendered in such arbitration shall be final and may be enforced by either party.
12.3. The parties agree to keep all details of the arbitration proceedings and arbitral award strictly confidential and shall use all reasonable efforts to take such action as may be appropriate to prevent the unauthorized disclosure of the proceedings, any information disclosed in connection therewith and the award granted.
Appendix No. 1
Description of the technical and organizational measures implemented by GURTAM:
GURTAM shall implement the measures described in this appendix, provided that the measures directly or indirectly contribute or can contribute to the protection of Personal Data during the period of the use of the Platform by the User. If GURTAM believes that a measure is not necessary for the Platform or part thereof, GURTAM will justify this and come to an agreement with the User.
The technical and organizational measures are subject to technical progress and development. In this respect GURTAM is permitted to implement alternative adequate measures. The level of security must align with industry security best practice and not less than, the measures set forth herein. All major changes are to be agreed with the User and documented.
1. Risk management
1.1. Security risk management
1. GURTAM shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk.
2. GURTAM shall have documented processes and routines for handling risks within its operations.
3. GURTAM shall periodically assess the risks related to information systems and processing, storing and transmitting information.
1.2. Security risk management for personal data
1.2.1. GURTAM shall identify and evaluate security risks related to confidentiality, integrity and availability and based on such evaluation implement appropriate technical and organizational measures to ensure a level of security which is appropriate to the risk of the specific Personal Data types and purposes being processed by GURTAM, including inter alia as appropriate:
× The pseudonymisation and encryption of Personal Data;
× The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
× The ability to restore the availability and access to the User’s Data in a timely manner in the event of a physical or technical incident;
× A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
1.2.2. GURTAM shall have documented processes and routines for handling risks when processing Personal Data on behalf of the User.
1.2.3. GURTAM shall periodically assess the risks related to information systems and processing, storing and transmitting Personal Data.
1.3. Information security policies
1.3.1. GURTAM shall have a defined and documented information security management system including an information security policy and procedures in place, which shall be approved by GURTAM’s management. They shall be published within GURTAM´s organization and communicated to relevant GURTAM personnel.
1.3.2. GURTAM shall periodically review GURTAM’s security policies and procedures and update them if required to ensure their compliance with this Appendix.
2. Organization of information security
× GURTAM shall have defined and documented security roles and responsibilities within its organization.
× GURTAM shall appoint at least one data protection officer who has appropriate security competence and who has an overall responsibility for implementing the security measures under this Appendix and who will be the contact person for the User’s security staff.
3. Human resource security
× GURTAM shall ensure that GURTAM personnel handles information in accordance with the level of confidentiality required under the DPA.
× GURTAM shall ensure that relevant GURTAM personnel is aware of the approved use (including use restrictions as the case may be) of information, facilities and systems under the DPA.
× GURTAM shall ensure that any GURTAM personnel performing assignments under the Agreement is trustworthy, meets established security criteria and has been, and during the term of the assignment will continue to be, subject to appropriate screening and background verification.
× GURTAM shall ensure that GURTAM personnel with security responsibilities is adequately trained to carry out security related duties.
× GURTAM shall provide or ensure periodical security awareness training to relevant GURTAM personnel. Such GURTAM training shall include, without limitation:
(a) How to handle User information security (i.e. the protection of the confidentiality, integrity and availability of information);
(b) Why information security is needed to protect Users information and systems;
(c) The common types of security threats (such as identity theft, malware, hacking, information leakage and insider threat);
(d) The importance of complying with information security policies and applying associated standards/procedures;
(e) Personal responsibility for information security (such as protecting User’s privacy-related information and reporting actual and suspected data breaches).
4. Access control
GURTAM shall have a defined and documented access control policy for facilities, sites, network, system, application and information/data access (including physical, logical and remote access controls), an authorization process for user access and privileges, procedures for revoking access rights and an acceptable use of access privileges for GURTAM personnel in place.
GURTAM shall have a formal and documented user registration and de-registration process implemented to enable assignment of access rights.
GURTAM shall assign all access privileges based on the principle of need-to-know and principle of least privilege.
GURTAM shall use strong authentication (multi-factor) for remote access users and users connecting from an untrusted network.
GURTAM shall ensure that GURTAM personnel has a personal and unique identifier (user ID), and use an appropriate authentication technique, which confirms and ensures the identity of users.
5. Physical and environmental security
GURTAM shall protect information processing facilities against external and environmental threats and hazards, including power/cabling failures and other disruptions caused by failures in supporting utilities. This includes physical perimeter and access protection.
6. Operations security
GURTAM shall have an established change management system in place for making changes to business processes, information processing facilities and systems. The change management system shall include tests and reviews before changes are implemented, such as procedures to handle urgent changes, roll back procedures to recover from failed changes, logs that show, what has been changed, when and by whom.
GURTAM shall implement malware protection to ensure that any software used for granting access to the Platform for the User is protected from malware.
GURTAM shall make backup copies of critical information and test back-up copies to ensure that the information can be restored as agreed with the User.
GURTAM shall log and monitor activities, such as create, reading, copying, amendment and deletion of processed data, as well as exceptions, faults and information security events and regularly review these. Furthermore, GURTAM shall protect and store (for at least 6 months or such period/s set by Data Protection Law) log information, and on request, deliver monitoring data to the User. Anomalies / incidents / indicators of compromise shall be reported according to the data breach management requirements as set out in clause 9, below.
GURTAM shall manage vulnerabilities of all relevant technologies such as operating systems, databases, applications proactively and in a timely manner.
GURTAM shall establish security baselines (hardening) for all relevant technologies such as operating systems, databases, applications.
GURTAM shall ensure development is segregated from test and production environment.
7. Communications security
GURTAM shall implement network security controls such as service level, firewalling and segregation to protect information systems.
8. GURTAM relationship with sub-suppliers
GURTAM shall reflect the content of this Appendix in its agreements with Sub-processors that perform tasks assigned under the DPA.
GURTAM shall regularly monitor, review and audit Sub-processor’s compliance with this Appendix.
GURTAM shall, at the request of the User, provide the User with evidence regarding Sub-processor’s compliance with this Appendix.
9. Data breach management
GURTAM shall have established procedures for data breach management.
GURTAM shall inform the User about any data breach (including but not limited to incidents in relation to the processing of Personal Data) as soon as possible but no later than within 36 hours after the data breach has been identified.
All reporting of security-related incidents shall be treated as confidential information and be encrypted, using industry standard encryption methods.
The data breach report shall contain at least the following information:
(a) The nature of the data breach,
(b) The nature of the Personal Data affected,
(c) The categories and number of data subjects concerned,
(d) The number of Personal Data records concerned,
(e) Measures taken to address the data breach,
(f) The possible consequences and adverse effect of the data breach, and
(g) Any other information the User is required to report to the relevant regulator or data subject.
To the extent legally possible, GURTAM may claim compensation for support services under this clause 9 which are not attributable to failures on the part of GURTAM.
10. Business continuity management
GURTAM shall identify business continuity risks and take necessary actions to control and mitigate such risks.
GURTAM shall have documented processes and routines for handling business continuity.
GURTAM shall ensure that information security is embedded into the business continuity plans
GURTAM shall periodically assess the efficiency of its business continuity management, and compliance with availability requirements (if any).