This Agreement is formally closed between Twipe and Customers as part of written Collaboration Agreements, but can be consulted below for information purposes
Data Processing Agreement for Twipe Digital Publishing Services
v1.0 May 2018
- For the purposes of this Agreement, controller, processor, data subject, personal data and processing (and cognate terms) shall have the meaning given to them in GDPR (Article 4 of Regulation (EU) 2016/679), and ICO means the Information Commissioner’s Office. Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
- In respect of the Processing of Customer Personal Data by Twipe under this agreement, the Parties hereby acknowledge that Customer shall be the controller, and Twipe shall be the processor and Parties agree to comply with all corresponding obligations as per applicable data protection law.
- Twipe will only Process Customer Personal Data insofar as necessary for the performance of the Services and in accordance with documented instructions from Customer, unless the Processing is required by applicable data protection law in which case Twipe will inform Customer before such Processing, unless it is prohibited by law to provide such information on important grounds of public interest. Appendix A of this Data Processing Agreement sets out the details of the Processing.
- Twipe will not appoint a sub-processor without Customer’s consent and in the event that Customer does provide such consent Twipe will ensure that sub-processor is bound by the terms of this Annex as it applies to Twipe hereunder. Currently Twipe makes use of the following categories of sub-processors in order to ensure the performance of the Services to the Data Subjects:
- Infrastructure sub-processors, such as, but not limited to, Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure Cloud;
- Contracted support agents;
- Freelance consultants that deliver services on behalf of Twipe.
- Twipe will not transfer Customer Personal Data outside the European Economic Area without Customer’s prior written consent.
- Twipe will provide reasonable assistance to Customer in complying with its obligations under applicable data protection law in respect of the Customer Personal Data, including assisting Customer in complying with a data subject’s right to access and to portability.
- Twipe will extract and/or delete Customer Personal Data when asked in writing by Customer. When a Service Subscription expires or terminates, Twipe will retain any Customer Personal Data that was not deleted for at least 90 days so that it may be extracted. Following the expiration of this retention period, Twipe will delete all Customer Personal Data, including any cached or back-up copies, within 30 days of the end of the retention period. The Customer agrees that Twipe has no additional obligation to continue to hold, export or return Customer Personal Data and that Twipe has no liability whatsoever for deletion of Customer Personal Data pursuant to these terms. Twipe retains the right to anonymise or pseudonimise the Customer Personal Data for the following internal purposes:
- To further improve the services delivered by Twipe
- Statistical analysis
- Legal reasons
- Twipe will promptly comply with any request from Customer requiring Twipe to amend, transfer or delete the Customer Personal Data.
- In the event that Twipe receives any complaint, notice or communication (from either the ICO or a data subject) which relates directly or indirectly to the Processing of the Customer Personal Data or to either Party’s compliance with applicable data protection law, Twipe shall notify Customer without undue delay and it shall provide Customer and the ICO (if applicable) with full co-operation and assistance in relation to any such complaint, notice or communication;
- Twipe shall not disclose the Customer Personal Data to any data subject or to a third party other than at Customer’s request.
- Twipe shall notify Customer without undue delay upon becoming aware of any unauthorised or unlawful Processing, loss of, damage to or destruction of any the Customer Personal Data.
- Twipe shall maintain records of Processing carried out in respect of the Customer Personal Data.
- Twipe shall ensure that all individuals, parties, employees or other persons/entities with access to Customer Personal Data are bound by industry standard confidentiality obligations which include keeping the Customer Personal Data confidential.
- Twipe will comply with the requirements under GDPR regarding security measures and encryption, and take appropriate technical and organisational measures against the unauthorised or unlawful Processing of the Customer Personal Data, and against the accidental loss or destruction of, or damage to the Customer Personal Data.
- Customer shall have the right (but not the obligation) to audit Twipe to ensure Twipe’s compliance with its obligations under this Data Processing Agreement maximum once a year. Such audit shall include Twipe providing any information and files (whether in electronic copy or hard copy) requested by Customer and Customer (or Customer’s nominated auditors) gaining access during business hours to Twipe’s premises and systems. Any audit must be notified in writing 4 weeks in advance. The notification must include the name of the auditor, a description of the purpose, scope and manner of the audit.
- All costs incurred by Twipe relating to audits, inquiries, or executing other instructions, will be charged to the Customer. Additionally, eventual costs charged by sub-processors will be cross-charged to the Customer.
- This Data Processing Agreement is an Annex to the Master Services Agreement concluded between both Parties, or to the General Terms & Conditions of Twipe, which govern the contractual relationship in the absence of a signed Master Services Agreement. In case of any conflicts between these agreements and this Data Processing Agreement, this Data Processing Agreement prevails.
- This Data Processing Agreement is governed by Belgian law. Any dispute arising out of or in connection with this Data Processing Agreement will be settled by the competent court in Leuven.
Appendix A: Description of Customer Personal Data Processing
Categories of data subjects
The Customer Personal Data concern the following categories of Individuals:
- (Potential) / (ex) subscribers/customers
- (Ex) employees
Categories of data processed
The Customer Personal Data concern the following categories of data:
- Communication data (e.g. name, e-mail address, title, position)
- Contractual data (e.g. contractual relationship, subscription access)
- Usernames and other log-in data
- Technical information (e.g. device information, app information, remote address)
Twipe does not process any special categories of data, such as data revealing racial or ethnic origin, political or religious opinions, or any biometric information.
Purpose of data processing
As a data processor for customer, Twipe may process data for the following purposes:
- Fulfilling the contractual relationship
- Statistical reporting
- Big data analyses
- Technical improvements and better user experience
- Sending alerts and push notifications
Further Data Processing Clarifications for EngageReaders
- The data for EngageReaders is stored on Amazon Web Services (AWS) in Europe, and will not be stored with another provider unless with explicit consent by Customer.
- Twipe’s relationship with Amazon is governed by the AWS Data Processing Addendum of May 2018.
- The data Twipe processes is not stored, sent, or shared externally, unless upon request from the Customer. Some data can be temporarily stored on the secure development infrastructure of Twipe for development purposes.
- Unless specified differently, detailed reader time logs of individual reading sessions are kept for a period of 2 days, using the anonymized User Reference provided by the Customer. Twipe keeps the main calculated aggregates of the data indefinitely. These aggregates do not contain the anonymized User References.
For any questions linked to this Data Protection Agreement please reach out to us at firstname.lastname@example.org.