This Data Processing Agreement (the DPA) forms part of any services agreement, order form, or other written agreement (the Agreement) between (i) the entity receiving services (the Customer) and (ii) Mabyduck Ltd (Mabyduck).
This DPA applies where Mabyduck processes Personal Data on behalf of the Customer in providing subjective testing, annotation, labelling, rating, or related services (the Services).
Applicable Data Protection Law means the EU General Data Protection Regulation (Regulation (EU) 2016/679) (EU GDPR), the UK GDPR (as defined in the Data Protection Act 2018) (UK GDPR), the Data Protection Act 2018, and any other applicable data protection or privacy laws, in each case as amended, updated, or replaced from time to time.
Customer Personal Data means Personal Data processed by Mabyduck on behalf of the Customer in connection with the Services.
Personal Data, Processing, Controller, Processor, Data Subject, Personal Data Breach, and Supervisory Authority have the meanings given in Applicable Data Protection Law.
The Customer is the Controller of Customer Personal Data.
Mabyduck is the Processor of Customer Personal Data.
Mabyduck will process Customer Personal Data only on documented instructions from the Customer and only to provide the Services, unless Mabyduck is required to do otherwise by applicable law.
Mabyduck does not determine the purposes of processing and does not sell, reuse, aggregate, analyse, or commercialise Customer Personal Data or annotations for its own purposes.
All annotations, labels, ratings, metadata and outputs generated through the Services are the exclusive property of the Customer.
SUBJECT MATTER: annotation and subjective testing services.
NATURE OF PROCESSING: accessing, hosting, displaying, annotating, labelling, reviewing, storing, and transmitting data provided by the Customer for the purpose of providing the Services.
PURPOSE: to provide the Services in accordance with the Customer’s documented instructions.
DURATION: for the term of the Agreement, plus any limited period necessary for secure deletion, backup lifecycle deletion, or to comply with legal obligations.
TYPES OF PERSONAL DATA: may include images, video, audio, text, metadata, and other content provided by the Customer. Datasets may include personal data and may (depending on content) include identifiers in images or voice.
CATEGORIES OF DATA SUBJECTS: as determined by the Customer; these may include end users, employees, contractors, customers, or individuals appearing in the Customer’s datasets.
Mabyduck does not independently verify the dataset content and processes Customer Personal Data solely as instructed by the Customer.
Mabyduck will implement appropriate technical and organisational measures to protect Customer Personal Data, taking into account the nature of the data and risks of processing.
These measures include, as appropriate: access controls; confidentiality obligations for authorised personnel; encryption in transit (and at rest where appropriate); secure infrastructure and hosting; and logical separation of Customer data environments.
Mabyduck will ensure that persons authorised to process Customer Personal Data are subject to confidentiality obligations.
The Customer provides general authorisation for Mabyduck to use sub-processors to deliver the Services (for example, cloud hosting providers, security providers, and rater sourcing providers).
Mabyduck will ensure that sub-processors are engaged under written agreements that provide data protection safeguards consistent with this DPA.
Mabyduck remains responsible for the acts and omissions of its sub-processors.
Where Customer Personal Data is transferred outside the UK or EEA, Mabyduck will ensure that appropriate safeguards are in place in accordance with Applicable Data Protection Law (for example, Standard Contractual Clauses and/or the UK Addendum where required).
If Mabyduck receives a request from a Data Subject relating to Customer Personal Data, Mabyduck will promptly notify the Customer.
Mabyduck will not respond directly to a Data Subject request unless required by law or authorised by the Customer.
Mabyduck will provide reasonable assistance to enable the Customer to respond to Data Subject requests, taking into account the nature of the processing and information available to Mabyduck.
If Mabyduck becomes aware of a Personal Data Breach affecting Customer Personal Data, Mabyduck will notify the Customer without undue delay.
Mabyduck will provide available information about the breach (including what happened, what data may be affected, and mitigation steps taken or planned) and will take reasonable steps to contain and remediate the breach.
Upon termination or expiration of the Services, Mabyduck will, at the Customer’s choice, delete Customer Personal Data or return it to the Customer, unless retention is required by law.
Backup copies will be deleted in accordance with standard retention cycles and will not be used for any purpose other than backup restoration and disaster recovery.
Upon reasonable request, Mabyduck will provide information reasonably necessary to demonstrate compliance with this DPA.
Formal audits will only be required where legally necessary or in the event of a confirmed Personal Data Breach affecting Customer Personal Data.
Liability under this DPA is subject to the liability limitations in the Agreement, unless prohibited by Applicable Data Protection Law.
This DPA is governed by the law governing the Agreement.
If there is any conflict between this DPA and the Agreement regarding data protection matters, this DPA will prevail to the extent of the conflict.
This DPA becomes effective on the effective date of the Agreement and applies automatically to all processing of Customer Personal Data by Mabyduck in connection with the Services.