GDPR: Data Processing Addendum
EFFECTIVE AS OF MAY 25, 2018
This Nekkra UG GDPR Data Processing Addendum ("DPA") amends the Terms of Service (the "Agreement") available at https://kraken.io/about/terms, entered into by and between Customer and Nekkra UG. The purpose of this DPA is to reflect the parties' agreement with regard to the processing of Personal Data in accordance with the requirements of Data Protection Legislation as defined below.
This DPA shall not replace or supersede any agreement or addendum relating to processing of Personal Data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA.
In the course of providing the Services to Customer pursuant to the Agreement, Nekkra UG may process Personal Data on behalf of Customer. Nekkra UG agrees to comply with the following provisions with respect to any Personal Data submitted by or for Customer to the Services or collected and processed by or for Customer through the Application Services. Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
a. "Data Protection Legislation" means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679);
b. The terms "Data Subject", "Data Processor", "Processor", "Processing", "Sub-Processor" shall be interpreted in accordance with applicable Data Protection Legislation.
c. The parties agree that Customer is the Data Subject and that Nekkra UG is its Data Processor in relation to Personal Data that is processed in the course of providing the Services. Customer shall comply at all times with Data Protection Legislation in respect of all personal data it provided to Nekkra UG pursuant to the Agreement.
2. Data Protection
When Nekkra UG Processes Personal Data in the course of providing the Services, Nekkra UG will:
a. process the Personal Data as a Data Processor, only for the purpose of providing the Services in accordance with documented instructions from Customer (provided that such instructions are commensurate with the functionalities of the Services), and as may subsequently be agreed to by Customer. If Nekkra UG is required by law to Process the Personal Data for any other purpose, Nekkra UG will provide Customer with prior notice of this requirement, unless Nekkra UG is prohibited by law from providing such notice;
b. notify Customer without undue delay if, in Nekkra UG' opinion, an instruction for the processing of Personal Data given by Customer infringes applicable Data Protection Legislation.
c. notify Customer promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject relating to Nekkra UG’s Processing of the Personal Data;
d. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
e. provide Customer, upon request, with up-to-date attestations, reports or extracts thereof where available from a source charged with auditing Nekkra UG's data protection practices (e.g. external auditors, internal audit, data protection auditors), or suitable certifications, to enable Customer to assess compliance with the terms of this Addendum;
f. notify Customer promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
g. ensure that all Nekkra UG personnel who access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this Clause;
h. upon termination of the Agreement, upon Customer’s request, Nekkra UG will promptly initiate its purge process to delete or anonymize the Personal Data.
i. In the course of providing the Services, Customer acknowledges and agrees that Nekkra UG may use Sub-Processors to Process the Personal Data. Nekkra UG's use of any specific Sub-Processor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Nekkra UG and Sub-Processor.
a. In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. Customer acknowledges and agrees that Nekkra UG may amend this Addendum from time to time by posting the relevant amended and restated Addendum on Nekkra UG's website, available at https://www.kraken.io/about/dpa and such amendments to the Addendum are effective as of the date of posting. Customer’s continued use of the Services after the amended Addendum is posted to Nekkra UG's website constitutes Customer’s agreement to, and acceptance of, the amended Addendum. If Customer do not agree to any changes to the Addendum, is asked not continue to use the Service.
b. Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.
This DPA shall remain in effect as long as Nekkra UG carries out Personal Data processing operations on behalf of Customer.
Appendix A - List of Sub-Processors
Sub-Processor: Recurly, Inc.
Purpose: Accounting and invoicing
Sub-Processor: Amazon Web Services
Purpose: Compute, storage and backup
Purpose: Payment processing
Purpose: Customer support
Purpose: Customer support
Purpose: E-mail delivery.
Last Updated: May 24, 2018