Supersimple Terms and Conditions

Current as of: January 30th 2024

1. General Introduction

1.1. Supersimple offers their customers a Business-to-Business (B2B) data analytics service under the Software-as-a-Service (SaaS) model, which enables Supersimple’s customers to analyse their business data to generate insights in order to make business decisions (“Services”). Services can be accessed through Supersimple’s own customer-facing application or through an application programming interface (collectively, “Supersimple Platform”).

1.2. These Supersimple.io Terms and Conditions (“Terms”) between Supersimple Technology OÜ as the service provider (registry code 16438035; registered address at Narva mnt 5, 10117 Tallinn, Estonia; “Supersimple”) and its customer as the recipient of the Services (“Customer”) set out the terms on the basis of which the Customer may order and use the Services, any application or functionality otherwise made available by Supersimple.

2. Provision of services

2.1. General

2.1.1. All Services provided by Supersimple to Customer will be specified in orders submitted by Customer, which are governed by these Terms (each, an “Order”). During the purchase process, Customer selects, on the Supersimple Platform, the relevant Order package, Order term, payment and other billing terms (which are further regulated under section 3), other specifications for the Services (including the selected form of access), etc. An Order placed by the Customer and the Terms in force at the time the Order is placed are collectively referred to as the Agreement. In case of a conflict between any Order and the Terms, the terms of the Order will prevail.

2.1.2. The Services consist of data analytics of the Customer’s business data, provided under a SaaS model through the Supersimple Platform. Supersimple provides Customer with access to the Supersimple Platform, where Customer Users (as defined below) can request analytics on and explore the Customer’s data. Based on the data requested by Customer Users on the Supersimple Platform, Supersimple constructs an SQL query that Supersimple sends to the Customer’s databases for execution. Data returned by the Customer’s database is reformatted by Supersimple and returned to the Supersimple Platform, which displays the requested information using tables and/or other types of visualisations. If selected and thus agreed upon in a relevant submitted Order, Supersimple may provide the Customer with additional offered add-on Services, such as integration assistance, support services or automated AI-generated insights regarding the Customer’s business.

2.1.3. During the validity of the Agreement and subject to compliance by Customer with these Terms, Supersimple provides Customer with the right to allow employees, directors and officers of the Customer (“Customer Users”) to access and use the Services within the scope, limits and conditions specified in the Order. Customer may also amend the scope of the Services initially ordered in the submitted Order, which may be subject to modified payment and/or billing terms as regulated under section 3. Upgrades shall take effect immediately. Downgrades shall take effect at the beginning of the next payment term.

2.1.4. Customer acknowledges and agrees that the Services have the ability to operate with services that are operated or provided by third parties (“Third Party Services”). Supersimple is not responsible for the operation of Third Party Services nor the availability or operation of the Services to the extent that such availability and operation is dependent upon Third Party Services. Customer is responsible for having the rights necessary for it to access Third Party Services.

2.1.5. In order to access the Services, Customer Users can use third-party single sign-on (“SSO”) or alternatively, they are required to create an account (“Account”). Customer remains solely responsible for all access to and use of the Services through each Account opened for Customer Users. The user identification and password associated with any Account is personal in nature and may only be used by the Customer User associated with the Account. The Customer shall be responsible for the security and safekeeping of the access credentials of each Account. The Customer must immediately notify Supersimple if the Customer becomes aware of any unauthorised use of or access to the Services.

2.2. Conditions of Use

2.2.1. Customer will not, and will undertake to ensure that any User will not:

(a) use or attempt to use the Services except as expressly provided in this Agreement;

(b) use the Services in any unlawful manner or in any other manner that could damage, disable, overburden or impair the Services;

(c) alter, modify, reproduce, create derivative works of the Services or any part or element thereof, or attempt to extract the source code thereof;

(d) distribute, sell, resell, lend, loan, lease, license, sublicense or transfer any of Customer’s rights to access or use the Services or otherwise make the Services available to any third party;

(e) reverse engineer, disassemble, decompile, or otherwise attempt to derive the method of operation of the Services;

(f) circumvent or overcome (or attempt to circumvent or overcome) any technological protection measures intended to restrict access to any portion of the Services;

(g) interfere in any manner with the operation or hosting of the Services or attempt to gain unauthorised access to the Services; or

(h) copy or attempt to copy, in whole or in part, any part of the Service, or any copy thereof, including all software, database files, algorithms, and reports.

2.3. Changes to the Services and these Terms

2.3.1. Supersimple reserves the right, at any time, to modify and update the Services, whether by making those modifications available on the Services or by providing notice as specified in these Terms, provided that there is a reasonable justification for such amendments (e.g., due to changes in applicable laws, legitimate business interests of Supersimple, improvement of the Services and other features, etc.). Customer may terminate the Agreement governing such Services upon written notice to Supersimple only if the modification materially degrades the functionality of the Services. However, Customer will be deemed to have agreed to any and all modifications through Customer’s continued use of the affected Services following the notice of modification.

2.3.2. Supersimple additionally reserves the right, at its sole discretion, to amend these Terms at any time, in particular if amendments are necessary to comply with legal obligations, due to changes in the Services (in accordance with clause 2.3.1) or any other ordinary business activities. Supersimple will provide Customer with at least 30 days’ notice of any material modifications to these Terms by using the Supersimple Platform or the contact details communicated by Customer. For the avoidance of any doubts, the modifications to the functionality of the Services under clause 2.3.1 will not be deemed as material modifications.

2.3.3. If Customer does not agree with the material modifications to these Terms, Customer may terminate the Agreement by providing a notice to Supersimple before the modifications enter into force. If Customer continues to use the Services after the deadline of 30 days has passed, it is considered that Customer has accepted the respective modifications to these Terms. This clause does not apply to the processing of personal data under the data processing agreement (“DPA”) which serves as Annex 1 to the Agreement.

3. Fees and Payment

3.1. Customer will pay Supersimple the amounts set forth in each Order for each Order term, which will be calculated on the basis of selected parameters and presented to Customer in the course of the purchase process on the Supersimple Platform (“Fees”) in consideration of the Services under the Agreement. All Fees are due and payable as indicated in each submitted Order, including as per the payment term and other billing terms as selected in the Order. The Order term will continuously renew for successive Order terms of equal length to the initial Order term chosen by Customer, unless either Party provides the other with a notice of non-renewal at least 30 days prior to the end of the then-current Order term. In case of amending the scope of the Services initially ordered pursuant to clause 2.1.3, Customer will also be presented any modification to the payable Fees on the Supersimple Platform. Upgrades will take effect immediately and be billed pro rata based on the number of days used in the Order term. Changes to Fees for downgrades will take effect at the beginning of the following Order term.

3.2. Supersimple reserves the right to change the Fees for any Services at any time prior to the automatic renewal of the Order term. If Customer does not accept any such Fee increase, Customer may end its subscription to those Services by providing a notice of non-renewal. If Customer does not end its subscription, any Fee changes will become effective upon renewal of the applicable Order term.

3.3. Except as otherwise set forth herein, all Fees will be non-refundable once paid to Supersimple (including upon any termination or suspension of the Agreement).

3.4. In case of any late payment by the Customer, Supersimple shall be entitled to charge the Customer late payment interest on the overdue amount at the interest rate of 0.2% for each day of the delay until the outstanding debt owed is paid in full.

3.5. Customer shall reimburse Supersimple for pre-agreed reasonable expenses incurred during the provision of the Services. Reasonable expenses include, but are not limited to, travel, lodging, and meals. Expenses are billed based on actual costs incurred.

3.6. Unless otherwise indicated, the agreed Fees do not include any taxes, levies, duties, or similar governmental assessments of any nature (“Taxes”). Customer is responsible for the payment of all Taxes associated with the Fees.

4. Rights to Content

4.1. Customer Content

4.1.1. Customer is solely responsible for all information and content provided or made available by Customer and Customer Users (“Customer Content”). Supersimple will not be responsible or liable for Customer Content, except as expressly foreseen under these Terms (particularly under sections 5 and 6).

4.1.2. Customer Content may not:

(a) violate the Agreement or any applicable laws;

(b) be libelous, defamatory, obscene, abusive, pornographic or threatening;

(c) constitute an infringement or misappropriation of intellectual property or other rights of any third party;

(d) constitute an infringement of personal data protection laws;

(e) be false, misleading, or inaccurate;

(f) contain any viruses or other programming routines intended to damage the Services.

4.1.3. Customer hereby grants to Supersimple and its subcontractors a nonexclusive, royalty-free, worldwide right to use, store, copy (and reproduce), modify (and create derivative works), translate, display, and distribute all Customer Content as necessary to provide the Services and to perform the other Services under the Agreement.

4.2. Supersimple’s content and intellectual property rights

4.2.1. Other than Customer Content, all data, information, and other content available through the Services (“Supersimple Content”) is owned by Supersimple or Supersimple’s subcontractors and is provided as part of the Services. Subject to compliance with the terms of the Agreement, Customer and Customer Users may access the Supersimple Content through the Services solely for purposes of accessing and using the Services as permitted herein. Except as set forth in the Agreement, neither Customer nor any Customer Users are granted any licenses or rights in or to any Supersimple Content or any intellectual property therein or related thereto.

4.2.2. Customer acknowledges that a fundamental component of the Services is the training and use of machine learning or other process, and generating performance metrics for the purpose of providing and improving Supersimple’s products and services. For this purpose, Supersimple may collect information related to the Customer provided that such information is aggregated, de-identified or anonymized (“Aggregated Training Data”), to train its algorithms through machine learning techniques, monitor and improve performance, develop the Services, or for any other lawful purposes. Supersimple may also collect data about Customer and Customer Users’ interactions with the Services to generate analytical information and statistics on the use of Supersimple’s Services (“Usage Data”), with the aim of further developing and improving the Services. Aggregated Training Data and Usage Data will be the property of Supersimple.

4.2.3. Supersimple and its providers retain all right, title and interest, including all intellectual property rights in and to the Services, Supersimple Content, Aggregated Training Data, Usage Data and any updates, upgrades, enhancements, modifications, and improvements thereto, whether developed, created, or made by either party or any User, alone or with any third party. Customer receives no ownership interest in or to any of the foregoing. Customer is not granted any right or license to use any of the foregoing, apart from Customer’s ability to access the Services and Supersimple Content as specified in the Terms.

5. Publicity

5.1.1. Customer hereby grants to Supersimple a non-exclusive, royalty-free license to use its name and logo for the limited purpose of Supersimple stating in press releases, marketing materials and advertising on its website and in media that Customer is a customer of Supersimple and the Services. Supersimple will confirm the contents of such materials with the Customer in advance, and Customer’s consent may not be unreasonably withheld.

6. Personal data protection

6.1. The Parties acknowledge that Supersimple will process certain personal data on behalf of the Customer while providing the Services. The processing of personal data by Supersimple on behalf of the Customer will be subject to the DPA which serves as Annex 1 to the Agreement.

6.2. Customer remains responsible for personal data and for ensuring that it has a valid legal basis to process and instruct Supersimple to process personal data as permitted under the DPA.

7. Confidentiality

7.1. Each party (the “Recipient”) may receive Confidential Information from the other party (the “Discloser”) during the validity of the Agreement.

7.2. “Confidential Information” means all information provided or disclosed by Discloser regarding Discloser’s business, technology, or other affairs, whether in oral, written, or electronic form, that is either:

(a) designated as confidential (or similar);

(b) of a nature such that a reasonable person would recognize it as confidential; or

(c) disclosed under circumstances such that a reasonable person would know it is confidential.

All Supersimple Content, Aggregated Training Data, Usage Data and the Agreement shall constitute the Confidential Information of Supersimple.

7.3. The following information will not be considered Confidential Information:

(a) information that is publicly available through no fault of the Recipient;

(b) information that was known by Recipient prior to commencement of discussions regarding the subject matter of the Agreement;

(c) information that was independently developed by Recipient; and

(d) information rightfully obtained by Recipient without continuing restrictions on its use or disclosure.

7.4. Recipient agrees to protect from disclosure such Confidential Information with the same degree of care that it affords its own confidential information, but in no event with less than reasonable care. The Recipient will also refrain from disclosure of any Confidential Information to any third party, except for its professional advisers, employees and contractors as necessary for the performance or use of the Services under the Agreement. Recipient may also disclose Confidential Information to the extent necessary to comply with an order or requirement of a government authority, provided that Recipient promptly notifies Discloser and allows Discloser sufficient time to oppose such disclosure, unless such notification is prohibited under applicable laws.

7.5. Customer acknowledges and confirms that the generation and use of Aggregated Training Data by Supersimple in accordance with clause 4.2.2 does not constitute a breach of the confidentiality obligation.

7.6. The Parties undertake to ensure that their representatives, employees and contractors, and any Customer Users acting on behalf of the Customer, who will have access to Confidential Information, are informed of the confidentiality obligation and are bound by a confidentiality obligation at least equivalent to the obligation hereunder.

7.7. This section will remain in force for the duration of the Agreement and for 10 years after its expiry, and thereafter shall continue for as long as information remains Confidential Information under clause 7.2.

8. Warranties and disclaimers

8.1. Each Party represents and warrants to the other that:

(a) it has the legal right and authority to enter into the Agreement;

(b) the Agreement forms a binding legal obligation on its behalf; and

(c) it has the legal right and authority to perform its obligations under the Agreement and to grant the rights and licenses described in these Terms.

8.2. Customer represents and warrants to Supersimple that:

(a) Customer’s use of and access to the Services will comply with all applicable laws and will not cause Supersimple or its providers to violate any applicable laws;

(b) it is a professional buyer of Services and has evaluated and confirmed the suitability of Services to its needs. For the avoidance of doubt, Supersimple is not responsible for evaluating the suitability of the Services to the Customer’s sector of operation and the compliance of the Services for the specific legal requirements applicable to the Customer.

8.3. Supersimple makes all reasonable efforts to ensure the high quality and security of Services, but provides no warranty that (i) Services are uninterrupted, error-free or secure, or (ii) the Services are compatible with all hardware and software configurations, or (iii) the Services meet all of Customer’s requirements and needs, or (iv) the implementation, documentation or instructional materials for the Services are complete and error-free.

8.4. The Services and Supersimple Content are provided “as is” and “as available”, and Supersimple makes no other warranties regarding the Services. All other warranties except those given under these Terms regarding the Services are excluded, including any warranties as to the suitability or fitness of the Services for any particular purpose of the Customer, or as to the merchantability, title or non-infringement. Supersimple and its providers do not warrant or guarantee the accuracy, completeness, adequacy or currency of any services or technology.

9. Indemnification and liability

9.1. Customer will, at Customer’s own expense, indemnify, defend, and hold Supersimple harmless from and against any and all claims, costs, damages, liabilities, and expenses (including attorneys' fees, court costs, damage awards, and settlement amounts) based on or arising out of (a) the access to or use of the Services by Customer or any User; (b) Customer Content; or (c) breach of any representation or warranty or other provision of the Agreement by Customer.

9.2. Supersimple will, at Supersimple’s own expense, indemnify, defend, and hold Customer harmless from and against all claims, costs, damages, liabilities, and expenses (including attorneys' fees, court costs, damage awards, and settlement amounts) based on any claims alleging that the Services infringe any copyright or patent issued as of the date of entry into the Agreement. If Customer is, or Supersimple reasonably believes that Supersimple will become, subject to any such claim, Supersimple will at its option and expense: (a) procure for Customer the right to continue using the Services; (b) replace or modify the Services so they no longer infringe; or, if (a) and (b) are not commercially reasonable, (c) terminate the Agreement.

9.3. The Parties will not be liable for any indirect damages arising from any breach of the Agreement, including for loss of profits, business, and revenue, punitive damages or immaterial damages, including loss of goodwill. Supersimple will only be liable for direct patrimonial damages caused to the Customer as a result of the breach of the Agreement and only insofar as Supersimple is culpable for the breach.

9.4. The total cumulative liability of Supersimple in connection with the Agreement will not exceed 50% of the amounts actually paid by Customer to Supersimple under the relevant Order that was in force during the event giving rise to the liability.

9.5. The limitations and exclusions of liability in this section shall not exclude or limit: (i) the Parties’ liability for death or personal injury caused by any employees, agents or other natural persons; (ii) the Parties’ liability caused by infringement of Intellectual Property rights; (iii) the liability of the Parties under the indemnities given in the Agreement; (iv) any other liability of the Parties that cannot be excluded or limited under applicable law.

10. Term and termination

10.1. Unless otherwise stated in the Order, the term of the Agreement begins on the date of submission of the Order by Customer. The Agreement will continue for an unspecified term, until the Agreement is terminated (including by providing a notice of non-renewal of the Order in accordance with section 3).

10.2. Either Party may terminate the Agreement effective immediately upon written notice to the other Party if the other Party materially breaches these Terms and fails to cure such material breach within 30 days following notice thereof from the non-breaching Party.

10.3. Without limiting Supersimple’s right to terminate the Agreement, Supersimple may also suspend access to any Account and any affected Service upon any actual, threatened, or suspected breach of the Agreement or any applicable law or upon any other conduct deemed by Supersimple to be unlawful or detrimental to Supersimple, any User, or any other third party. Supersimple will use commercially reasonable efforts to provide Customer with prior notice of any such suspension. The suspension of any Account or any affected Service shall be in force for as long as the Customer provides proof of compliance with the Agreement or any applicable law, and such proof is deemed appropriate by Supersimple at its sole discretion.

10.4. As a rule, no refund of any portion of any Fees shall be due upon termination of the Agreement. In the event of termination for cause by Customer of the Agreement (not based on the fault of Customer), a pro rata refund of the fees will be made for the failed and/or unused portion of the Service.

11. Applicable law and jurisdiction

11.1. The Agreement and any documents relating thereto (including the Orders and the DPA) shall be governed by and construed in accordance with the laws of the Republic of Estonia.

11.2. All disputes arising from or related to the Agreement or the use of Services shall be finally settled in the courts of the Republic of Estonia, with the court of first instance being the Harju County Court (Harju Maakohus).

12. Notices

12.1. All notices and communications producing a legal effect under the Agreement shall be given at least in a format reproducible in writing and delivered as follows:

(a) If sent to Supersimple: hi@supersimple.io;

(b) If sent to Customer: as specified under the Order.

12.2. Informative notices not producing a legal effect under the Agreement may be given orally.

13. Miscellaneous

13.1. Neither Party may assign or transfer the Agreement or any of the rights or obligations hereunder without the prior written approval of the other Party, provided however that the Agreement and/or the rights or obligations contained herein may be assigned without the Customer’s consent by Supersimple to any other entity who directly or indirectly, controls, is controlled by or is under common control with Supersimple.

13.2. The Parties shall act solely as independent contractors. The Agreement shall not be construed as creating an agency, partnership, joint venture, or any other form of legal association between the Parties, and the Customer shall not represent to the contrary, whether expressly, by implication, appearance or in any other way.

13.3. All provisions of the Agreement which by their nature should survive termination will survive the termination of the Agreement, including, without limitation, ownership provisions, warranty disclaimers, indemnity and limitations of liability.

13.4. If any part of the Agreement is held invalid or unenforceable, the remaining portions will remain in full force and effect.

13.5. Any failure to enforce any provision of the Agreement will not be considered a waiver of the right to enforce such provision. Any waivers by must be made in writing or confirmed in writing.

13.6. The Agreement (including any annexes and Orders) contains the whole agreement and supersedes any prior written and oral agreements between the Parties relating to the subject matter of the Agreement.


Annex 1: Supersimple Data Processing Agreement

Current as of: January 30th 2024

1. Introduction and subject-matter

1.1. This Data Processing Agreement (“DPA”) forms an integral part of the Supersimple.io Terms and Conditions (“Terms”), and enters into force concurrently with the Agreement. The purpose of this DPA is to ensure lawful and purposeful processing of personal data in compliance with the requirements of applicable data protection law, in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1.2. In the course of providing the Services in accordance with the Terms, Supersimple may process the personal data on behalf and according to the documented instructions of the customer as the service recipient (“Customer” or “controller”), and thereby the Customer shall act as the controller and Supersimple as the processor. The details of processing are provided in the schedule(s) to this DPA.

1.3. Unless indicated otherwise, capitalised terms in this DPA shall have the meaning set out in the Terms, or if not defined in the Terms, they shall have the meaning set out in the GDPR.

2. Obligations of the controller

2.1. The controller shall ensure compliance with the requirements of the applicable data protection law in relation to the personal data disclosed to the processor, including the provision of lawful documented instructions to the processor and the provision of all applicable notices to the data subjects as required under applicable data protection law.

2.2. The Agreement and this DPA shall be considered as the controller’s complete and final documented instructions provided to the processor with respect to the processing of the personal data, and any additional instructions shall require prior written agreement between the Parties.

3. Obligations of the processor

3.1. General

3.1.1. The processor shall process personal data to the extent and in the manner necessary for the provision of the Services under the Terms, and in accordance with the documented instructions of the controller. Processor informs the controller if, in its opinion, any instruction of the controller infringes applicable data protection law.

3.2. Security and confidentiality

3.2.1. The processor shall keep personal data confidential and shall not use or disclose them for any purpose other than permitted by this DPA or the Terms. Processor ensures that only persons that directly require access to personal data in order to fulfil the processor’s obligations under the Terms have access to such information. Processor ensures that persons authorised to process personal data have concluded a respective confidentiality agreement or are under a statutory obligation of confidentiality.

3.2.2. The processor shall implement appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing, accidental loss or destruction or damage. The processor’s security controls shall comply with applicable data protection law and take into account industry standards, the nature of the personal data, and the risks represented by the given processing.

3.3. Assisting the controller

3.4. The processor shall reasonably assist the controller in relation to any request and/or enquiry, investigation or assessment relating to the processing of the personal data as required under the applicable data protection law, including for the preparation of a data protection impact assessment and cooperation in case of a data breach.

3.5. Requests by data subjects and supervisory authorities

3.6. The processor shall inform the controller of any enquiries received from data subjects, competent supervisory authorities or any other third parties by forwarding them to the controller and, where necessary (if the enquiry relates to the processor's systems and the controller does not have all the necessary information), assist in responding to them. The processor, when handling such enquiries, may not in any way act on behalf of or as a representative of the controller.

4. Sub-processors

4.1. The controller authorises the processor to engage the sub-processors for the processing of the personal data on the condition that the processor only uses sub-processors who give sufficient guarantees of compliance with the applicable data protection law. The processor shall ensure that sub-processors are bound by a contractual obligation to comply with the personal data processing requirements that are at least equivalent to those contained in this DPA. In any case, the processor shall remain fully liable to the controller for any acts and omissions of the sub-processors.

4.2. The current list of sub-processors engaged by the processor is available at https://www.supersimple.io/subprocessors. By entering into this DPA, the controller agrees to the engagement of sub-processors listed at the time of entry into this DPA.

4.3. In case of any intended changes concerning the addition or replacement of sub-processors, the processor shall provide the details on new sub-processors to the controller at least in a format that can be reproduced in writing, thereby giving the controller the opportunity to object to such changes. Any objection must be reasonably justifiable and based on applicable data protection law. If the controller does not object to such changes within 7 days in a format that can be reproduced in writing, the controller shall be deemed to have accepted the changes to the list of sub-processors. In case of a reasonably justifiable objection from the controller, the processor and controller shall act in good faith to solve the objection. If the controller and processor cannot reach a solution and mutual agreement regarding the objection and if the new sub-processor is essential for the processor in order to provide its Services, the processor may terminate the agreement with the controller by giving 7 days’ advance notice.

5. International transfers

5.1. Where the personal data is transferred from the processor to a controller in a country or territory which does not ensure an adequate level of data protection within the meaning of the GDPR (“Restricted Transfer”), the Parties shall apply module four of the EU Processor-to-Controller Standard Contractual Clauses (“SCCs”) as adopted by the European Commission in the Annex to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The SCCs shall be deemed to be incorporated into this DPA by the reference herein, and applied accordingly. The relevant Annexes of the SCCs shall be deemed to be completed as set forth in Schedule 2 to this DPA. The Parties further agree that: (i) Clause 7 (Docking clause) is not incorporated; (ii) Clause 11 (Redress) optional section is not incorporated; (iii) Clauses 17 (Governing Law) and 18 (Choice of Forum and Jurisdiction) follow the governing law and choice of forum and jurisdiction as stipulated under the Terms. To the extent a conflict exists between the terms of the SCCs and any terms of this DPA with respect to Restricted Transfers, the terms of the SCCs shall take precedence over the terms of this DPA.

6. Data Breaches

6.1. In case a data breach occurs when the processor is processing personal data on behalf of the controller, the processor will, taking into account the nature of processing and the information available to the processor, assist the controller in ensuring compliance with the controller’s obligations under Article 33 of the GDPR. Further, the processor will notify the controller without undue delay, but not later than 24 hours after becoming aware of a data breach. All such notifications shall be referred by the processor to the controller by using the following contact details: privacy@supersimple.io.

7. Audits and inspections

7.1. At the request of the controller, the processor shall make available to the controller all the information and shall allow the controller or an auditor authorised by the controller to carry out audits or inspections necessary to verify compliance with the obligations laid down in this DPA, and shall provide assistance therefor. To exercise the right to audit or inspect, the controller shall coordinate the time and scope of the audit or inspection with the processor at least 30 days prior to the audit or inspection.

7.2. Information disclosed to the controller or its authorised representative in the course of an audit or inspection shall be confidential unless the information has been made publicly available by the processor or can be retrieved from public registers. Information obtained in the course of an audit or inspection may not be used for any purpose other than performing the audit or taking measures allowed under this DPA and the Terms.

7.3. The costs of an audit or inspection, including any costs incurred by the processor, shall be covered by the controller, unless otherwise agreed between the Parties. The controller must further ensure that such audit or inspection is undertaken during normal business hours of the processor with minimal disruption to the processor’s business and the business of other customers of the processor.

8. Liability

8.1. The processor’s liability to the controller is limited in accordance with the provisions of the Terms, taking into account the applicable data protection law and circumstances and scope of the personal data processing.

8.2. If the processor is subject to a damage claim from a data subject or penalties applied by a supervisory authority or courts for a breach of this DPA or applicable data protection law caused by the controller, the controller will remedy the processor for such damages.

8.3. Where the Parties are involved in the same processing of the personal data that results in them being responsible for any damage caused to data subjects by the processing of personal data, and where either of the Parties has paid compensation for damage suffered, the paying Party shall be entitled to claim back from the other Party involved in the data processing the part of compensation corresponding to that other Party’s part of responsibility for the damage.

9. Term and Termination

9.1. This DPA enters into force concurrently with the Agreement and remains valid for the validity of the Agreement or as long as the processor processes the personal data on behalf of the controller. The termination of this DPA is subject to the provisions regulating the termination of the Agreement under the Terms, and any additional grounds for termination under this DPA shall apply in addition to those agreed in the Terms.

9.2. Upon termination of the Agreement, the processor shall either return or destroy the controller’s personal data upon the controller’s request and within a reasonable period of time. The processor shall not destroy or cease to process the personal data which the processor is required to process under the applicable data protection law.

10. Miscellaneous

10.1. Matters not regulated under this DPA are governed and regulated by the Terms.

10.2. In the event of contradictions, inconsistencies, or discrepancies between this DPA and the Terms, the provisions of this DPA shall take precedence.

10.3. The processor reserves the right, at its sole discretion, to amend this DPA at any time, in particular if amendments are necessary to comply with legal obligations, due to changes in the Services or any other ordinary business activities. The processor will provide the controller with at least 30 days’ notice of any modifications to this DPA by using the Supersimple Platform or the contact details communicated by controller. If controller does not agree with the material modifications to this DPA, it may terminate the Agreement and this DPA by providing a notice to the processor before the modifications enter into force. If controller continues to use the Services after the deadline of 30 days has passed, it is considered that controller has accepted the respective modifications to this DPA.

Schedule 1 to Data Processing Agreement

SUBJECT MATTER AND DETAILS OF THE PROCESSING

A. SUBJECT MATTER OF THE PROCESSING

Provision of the Services by Supersimple to the Customer under the Agreement.

B. DURATION OF THE PROCESSING

During the validity of the Agreement.

C. NATURE AND PURPOSE OF THE PROCESSING

The personal data may be processed for the provision of the Services in accordance with the Agreement. The overarching purpose is the business analytics of Customer’s business data. Customer shall determine which data points and categories will be analysed by Supersimple.

D. CATEGORIES OF THE DATA SUBJECTS

Customer’s clients. May also include customer’s employees to a limited extent if determined by the Customer.

E. TYPES OF THE PERSONAL DATA

As determined by Customer.

F. TECHNICAL AND ORGANISATIONAL MEASURES

- Encryption in transit
- Encryption at rest
- Access controls
- Contractual safeguards

Schedule 2 to Data Processing Agreement

Annex to the SCCs

For the avoidance of doubt, this Schedule 2 applies only insofar as Section 5 of the DPA applies.

A. List of Parties

Data Exporter

Name: The legal entity defined as “Supersimple” under the Terms.

Address: The address of Supersimple as specified under the Terms.

Contact person’s name, position and contact details: As provided in Section 12 of the Terms.

Activities relevant to the data transferred under SCCs: Provision of the Services to the Customer under and in accordance with the Agreement and the DPA to which these SCCs are attached.

Signature and date: As provided in the Agreement and DPA.

Role: Processor

Data Importer

Name: The legal entity defined as “Customer” who is a party to the Agreement and specified in the Order.

Address: The address of the Customer as specified in the Order.

Contact person’s name, position and contact details: As provided in the Order.

Activities relevant to the data transferred under SCCs: Receipt of the Services from Services under and in accordance with the Agreement and the DPA to which these SCCs are attached.

Signature and date: As provided in the Agreement and DPA.

Role: Controller

B. Description of Transfer

Categories of data subjects whose personal data is transferred: As set out in Schedule 1 of this DPA.

Categories of personal data transferred: As set out in Schedule 1 of this DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards: As set out in Schedule 1 of this DPA.

The frequency of the transfer: On a continuous basis during the provision of the Services under the Agreement.

Nature of the processing: As set out in Schedule 1 of this DPA.

Purpose(s) of the data transfer and further processing: As set out in Schedule 1 of this DPA.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Upon termination or expiry of the provision of the Services under the Agreement, the data exporter shall promptly delete any personal data it has processed on behalf of the data importer in connection with the provision of the Services, unless the data exporter is required to keep the personal data for legal and/or regulatory reasons.

For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: Not applicable. Transfer occurs from a processor located in the EEA to a controller located outside the EEA.