Data Processing Addendum

Updated January 3, 2024

This Data Processing Addendum (referred to as the "DPA") is an integral supplement to the Terms of Service for the Areto Platform, accessible at www.aretolabs.com (referred to as the "Terms"), established between You (referred to as the "Controller") and Areto Labs (referred to as the "Processor"). You and Areto Labs are together referred to as the "Parties" and each individually as a "Party."

By accepting the terms outlined in this DPA, You affirm that You possess the authority to bind the Controller to this DPA.

Whereas

  • The Parties have mutually agreed that Areto Labs will provide specific services to the Controller (referred to as the "Service"), as detailed in the Terms, with this DPA forming an integral part of the agreement.

  • As part of the Service delivery, Areto Labs will process personal data on behalf of the Controller.

  • The Parties aim to articulate their respective rights and obligations concerning the processing of personal data in this DPA.

Hereby agree as follows:

  1. Definitions:

    1.1 In this DPA, the following terms, whether single or plural, shall have the meaning assigned to them in this Paragraph:

    • "Applicable Legal Requirements" encompasses all international, European Union, national, provincial, or local laws, regulations, orders, statutes, administrative orders, treaties, judgments, court orders, codes of conduct, guidance, or any other requirements of relevant governments or regulatory authorities applying to either or both Parties during the performance of the Terms.

    • "Controller Personal Data" refers to information relating to an identified or identifiable natural person that is supplied by the Controller to Areto Labs, or collected or generated by Areto Labs on the Controller's instruction, as part of the Service.

    • "Data Breach" signifies a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Controller Personal Data processed by Areto Labs.

    • "Data Subject Request" represents the exercise by a Data Subject of their rights under the GDPR.

    • "EEA" denotes the European Economic Area.

    • "Effective Date" refers to the later of the date the Parties entered into the Terms or the date this DPA was accepted by You.

    • "EU GDPR" is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

    • "GDPR" means the UK GDPR and/or the EU GDPR, together with any applicable implementing or supplementary legislation in the UK or in any EEA member state.

    • "Relevant Body" means, in the context of the UK, the UK Information Commissioner’s Office and/or the UK Government, and, in the context of the EEA, the European Commission.

    • "Restricted Country" refers to a country or territory outside the UK (in the context of the UK) or outside the EEA (in the context of the EEA) that the Relevant Body has not deemed to provide an ‘adequate’ level of protection for personal data under Article 45 of the GDPR.

    • "Restricted Transfer" means the disclosure, grant of access, or other transfer of Controller Personal Data to any person in a Restricted Country, which would be prohibited absent a legal basis under Chapter V of the GDPR.

    • "Standard Contractual Clauses" signifies the standard data protection clauses issued by the European Commission for the transfer of personal data from processors to processors established in a Restricted Country (applying Module 3 thereof).

    • "Subprocessor" refers to a third party that Areto Labs utilizes to process Controller Personal Data for providing parts of the Service and/or related technical support.

    • "Supervisory Authority" signifies the UK Information Commissioner’s Office (in the context of the UK and the UK GDPR) or has the meaning given in Article 4(21) of the EU GDPR (in the context of the EEA and EU GDPR).

    • "Terms" represent the Terms of Service for the Areto Platform, including the Areto Labs Web App, available at www.aretolabs.com.

    • "UK GDPR" is the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018, as amended.

    The terms "personal data," "special categories of personal data," "processing," "controller," "processor," and "data subject" in this DPA have the meanings given to them in the GDPR.

    1.2 The Controller warrants and represents that the processing delegated to Areto Labs under this DPA falls within the territorial scope of the GDPR, as determined in accordance with the GDPR (including Article 3 thereof). The Controller further agrees that, if the processing is not in fact within the territorial scope of the GDPR, this DPA shall automatically be deemed void from the Effective Date, without any requirement of notice.

  2. Processing Instructions:

    • This DPA concerns the processing of Controller Personal Data by Areto Labs on behalf of the Controller in fulfilling Areto Labs's obligations under the Terms. Additional details on such processing are outlined in ANNEX 1 – DETAILS OF PROCESSING, as required by Article 28(3) of the GDPR.

    • In performing its obligations under the Terms, Areto Labs will process Controller Personal Data solely on the instructions of the Controller. Areto Labs will not use or process Controller Personal Data for any other purpose unless required to do so by Applicable Legal Requirements.

    • By entering into this DPA, the Controller authorizes and instructs Areto Labs to process Controller Personal Data for the following purposes (the "Permitted Purposes"):

      • (i) to provide the Service and related technical support;

      • (ii) as permitted or required by the Controller’s use of the Service and/or its requests for technical support;

      • (iii) as permitted or required by the Terms, including this DPA; and

      • (iv) as further documented in any other written instructions issued by the Controller to Areto Labs.

    • Areto Labs will promptly notify the Controller if Areto Labs believes that an instruction given by the Controller would cause Areto Labs to act contrary to Applicable Legal Requirements.

    • The Controller shall not share any special category of personal data with Areto Labs. The Controller acknowledges that Areto Labs neither requests nor requires any special category of personal data to provide the Service and does not wish to receive or store any special category of personal data.

    • The Controller warrants on an ongoing basis that, for the purposes of Article 6 of the GDPR, there is, and will be throughout the term of the Terms, a valid legal basis for the processing of Controller Personal Data by Areto Labs in accordance with this DPA and the Terms.

3. Confidentiality of Controller Personal Data:

  • Areto Labs shall ensure that all of its employees, contractors, and other personnel are subject to confidentiality undertakings or professional or statutory obligations of confidentiality concerning Controller Personal Data.

  • Areto Labs shall not disclose Controller Personal Data to any third party who is not an approved Subprocessor without the prior written consent of the Controller, except when Areto Labs must comply with Applicable Legal Requirements and is prohibited from obtaining prior written consent from the Controller under such Applicable Legal Requirements.

4. Security:

  • Considering the nature of Controller Personal Data and the associated risks, Areto Labs shall implement appropriate technical and organizational measures (the "Security Measures") to protect Controller Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access. The Security Measures consider the state of the art, the cost of implementation, and the nature, scope, context, and purposes of the processing, and are detailed in ANNEX 2 – SECURITY MEASURES.

  • The Controller agrees to be solely responsible for its use of the Service, including ensuring a security level appropriate to the risk in relation to Controller Personal Data, securing account authentication credentials, systems, and devices used to access the Service, and backing up all Controller Personal Data. The Controller understands and agrees that Areto Labs has no obligation to protect Controller Personal Data stored or transferred outside of Areto Labs’s or any Subprocessors’ systems (e.g., offline or on-premise storage). The Controller is solely responsible for evaluating whether the Service and Areto Labs’s commitments under this DPA meet its needs, including compliance with its security obligations under the GDPR and/or Applicable Legal Requirements.

5. Subprocessors:

The Controller authorizes Areto Labs to appoint Subprocessors in accordance with this Section. Areto Labs may continue to use Subprocessors already engaged as of the date of this DPA.

Areto Labs shall provide the Controller with prior written notice of the appointment of any new Subprocessor, including reasonable details of the processing to be undertaken. If, within ten (10) days of receipt of that notice, the Controller notifies Areto Labs in writing of any objections (on reasonable grounds) to the proposed appointment:

  • Areto Labs shall use reasonable efforts to make available a commercially reasonable change in the provision of the Service that avoids the use of the proposed Subprocessor; or

  • where such a change cannot be made, either Party may by written notice to the other Party with immediate effect terminate the Terms either in whole or to the extent that it relates to the Service requiring the use of the proposed Subprocessor (subject always to the provisions of the Terms).

For each Subprocessor, Areto Labs shall ensure that the arrangement between Areto Labs and the Subprocessor is governed by a written contract, including terms offering at least an equivalent level of protection for Controller Personal Data as those in this DPA, as well as the Standard Contractual Clauses (where applicable). Areto Labs remains liable to the Controller for the acts and omissions of each Subprocessor regarding Controller Personal Data.

6. Data Subject Rights:

Considering the nature of the processing, Areto Labs shall provide the Controller with reasonable assistance, as necessary and technically possible, to fulfill its obligation to respond to Data Subject Requests. Areto Labs shall promptly notify the Controller upon receiving a Data Subject Request and not respond to any such request except on the written instructions of the Controller or as required by Applicable Legal Requirements.

7. Data Breach Notification:

  • Areto Labs shall notify the Controller without undue delay after becoming aware of a suspected or actual Data Breach with respect to Controller Personal Data.

  • Areto Labs shall provide information to the Controller, to the extent reasonably possible, including the nature of the Data Breach, affected Data Subject(s), identified and suspected consequences, and measures taken or proposed to mitigate the effects.

  • Upon the Controller's request, Areto Labs will cooperate to inform the competent Supervisory Authority(ies) and/or Data Subject(s) of the Data Breach. The Controller is solely responsible for complying with any Data Breach notification requirements, and Areto Labs’s notification or response does not constitute an acknowledgment of fault or liability.

8. Data Protection Impact Assessments, Prior Consultation, and Audits:

  • Areto Labs shall assist the Controller, at the Controller’s cost, with any data protection impact assessments and prior consultations with Supervisory Authorities required by Article 35 or Article 36 of the GDPR, relating to the processing of Controller Personal Data by Areto Labs.

  • Areto Labs shall make available to the Controller the information requested to demonstrate compliance with this DPA. If the Controller provides evidence that the information made available is insufficient, Areto Labs shall allow for and contribute to audits, including on-site inspections, conducted by the Controller or by an auditor mandated by the Controller.

  • The Controller shall give Areto Labs reasonable notice of any audit or inspection and use its best efforts to avoid causing damage, injury, or disruption to Areto Labs’s premises, equipment, personnel, data, and business.

  • The Controller shall bear third-party costs and reimburse Areto Labs for costs incurred in connection with any inspection or audit.

9. Restricted Transfers of Personal Data:

Where applicable, any transfer of Controller Personal Data from the Controller in the UK to Areto Labs in the Netherlands is covered by the adequacy regulations issued by the Relevant Body under Paragraph 5 of Schedule 21 of the UK Data Protection Act 2018 and, as such, does not constitute a Restricted Transfer.

In the event of a Restricted Transfer of Controller Personal Data from the Processor to any Subprocessor, the Processor will ensure that such transfer complies with the safeguards set out in Article 46 et seq. of the GDPR. This includes, by explicit reference, the Standard Contractual Clauses for the transfer of personal data to processors established in third countries (Module 3), as adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, wherein:

  • The Processor acts as the 'data exporter.'

  • The Subprocessor acts as the 'data importer.'

10. Deletion of Controller Personal Data:

Upon the cessation of any Service involving the processing of Controller Personal Data, the Processor shall promptly halt all processing of Controller Personal Data for any purpose other than storage. The Controller acknowledges and accepts that, given the nature of the Service and the processed Controller Personal Data, returning such data (as opposed to deletion) is not reasonably practicable in the circumstances.

Considering this, the Controller is deemed to have unequivocally opted for the deletion of Controller Personal Data over its return. The Processor and any Subprocessor may retain Controller Personal Data as required by applicable law, for the duration specified by such law. However, the Processor and any Subprocessor shall ensure:

  • The confidentiality of the retained Controller Personal Data.

  • That the retained Controller Personal Data is solely processed as necessary for the purpose(s) specified in the applicable law requiring its storage and for no other purpose.

11. Term and Termination:

This DPA becomes effective on the Effective Date. It is an integral part of the Terms and remains valid until the expiration or termination of the Terms, for any reason.

12. Miscellaneous:

In the event of any inconsistency regarding the processing of Controller Personal Data between a provision of this DPA and the Terms, the provision of this DPA will take precedence. If Applicable Legal Requirements necessitate an amendment to this DPA, either Party may propose a modification. The Parties will engage in good-faith negotiations to reach an agreement ensuring continued compliance of the DPA with Applicable Legal Requirements.