Data Processing Agreement

Last updated: 28 October 2024

1. PARTIES

This Data Processing Agreement and its Annexes (collectively, the “DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by Dolphin AI Ltd., a company incorporated in the United Kingdom (hereinafter referred to as “Dolphin AI”, the “Processor” or “we”, and through similar words such as “us”, “our”, etc.) on behalf of you and/or the entity you represent (“Member”, “Controller”, “you” or “your”) in connection with the Services provided by Dolphin AI under the Terms of Use between you and Dolphin AI (also referred to in this DPA as the “Agreement”).

Dolphin AI and the Member may hereinafter be individually referred to as the “Party” and together as “Parties”.

Capitalized terms not otherwise defined herein have the meaning given to them in the Terms of Use.

2. SUBJECT MATTER OF THE AGREEMENT

2.1. The Parties seek to implement this DPA that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, General Data Protection Regulation (the “GDPR”); United Kingdom General Data Protection Regulation (“UK GDPR”) and the Data Protection Act 2018 (the “Act”).

2.2. This DPA is an integral part of the Agreement executed between Dolphin AI and the Member.

3. DEFINITIONS

3.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

4. DATA PROCESSING

4.1. The Parties acknowledge that Member is the Controller of the Personal Data and Dolphin AI is acting as a Processor on behalf of Member in providing the Services. By the nature of the Services, the Data Subjects whose Personal Data is processed are both Member and Contact to the extent that they share their Personal Data with Dolphin AI. This DPA regulates the rights and obligations of the Parties in terms of the Personal Data processed within the scope of the Agreement. For the avoidance of doubt, any rights and obligations in terms of the Personal Data processed within the scope of the usage of Dolphin AI’s Services by the Contact are determined within the Terms of Use published by Dolphin AI on its Website and other Dolphin AI platforms.

4.2. The details of the Processing of Personal Data by Dolphin AI as a Processor are set out in Annex-I (“Details of Processing”) to this DPA.

4.3. Dolphin AI is not responsible for the privacy practices of the Members, and only Processes Personal Data in accordance with the Agreement it has with the Members. Members shall have sole responsibility for the legality and accuracy of Personal Data and the means by which they acquired the Personal Data.

4.4. The Parties agree that the Services are not intended for the Processing of Sensitive Data.

4.5. The Processor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information processed hereunder without Member’s prior written consent and taking any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.

5. DATA TRANSFERS

5.1. Member acknowledges and agrees that Dolphin AI may access and Process Personal Data on a global basis as necessary to provide its Services in accordance with the Agreement, and in particular that Personal Data may be transferred to other jurisdictions where Sub-Processors operate. Wherever Personal Data is transferred outside its country of origin, each Party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

5.2. If the Member is situated in a country within the EU and EEA, and Personal Data is transferred to a Sub-processor outside of the UK and EEA, the SCCs shall apply in relation to such transfer and shall be incorporated in this DPA.

5.3. If the Member is situated in the United Kingdom, and Personal Data is transferred to a Sub-processor established outside of the UK and EEA, the UK Addendum to the SCCs shall apply in relation to such transfer. In this case, the Sub-processor and the Member may use the IDTA or the UK Addendum to the SCCs when transferring Personal Data to a country not covered by an “adequacy decision”.

6. RESPONSIBILITIES OF THE MEMBER

6.1. Member represents and warrants that the processing of Personal Data complies with Data Protection Laws, including by establishing a lawful basis if and as required, and that the instructions provided to Dolphin AI shall comply with Data Protection Laws. In the event GDPR, UK GDPR or CCPA do not apply to the Member, then Member must abide by whatever other Data Protection Laws apply and, at a minimum: (i) obtain and maintain any and all authorizations, permissions and informed consents, as may be necessary under applicable laws and regulations, in order to allow Dolphin AI to lawfully process and use the Member Data within the scope of the Services; and (ii) have, properly publish and abide by an appropriate privacy policy that complies with all Data Protection Laws.

6.2. Member is responsible for independently determining whether the data security provided for in the Service adequately meets the Member’s obligations under applicable Data Protection Laws.

7. OBLIGATIONS OF DOLPHIN AI

7.1. Compliance with Instructions. Dolphin AI undertakes to Process Personal Data only for the Purpose described in the Annex-1 to this DPA or as otherwise agreed within the scope of the Member’s lawful instructions, except where and to the extent otherwise required by applicable law.

7.2. Conflict of Laws. If Dolphin AI becomes aware that it cannot Process Personal Data in accordance with the Member’s instructions due to a legal requirement under any applicable law, it will (i) promptly notify the Member of that legal requirement to the extent permitted by the applicable law; and (ii) where necessary, cease all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Member issues new instructions with which we are able to comply. If this provision is invoked, Dolphin AI will not be liable to the Member under the Agreement for any failure to perform the applicable Services until such time as the Member issues new lawful instructions with regard to the Processing.

7.3. Security. Dolphin AI implements and maintains appropriate technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex-3 to this DPA (“Technical and Organizational Security Measures”). Notwithstanding any provision to the contrary, the Processor may modify or update the Security Measures at the Processor’s discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

7.4. Confidentiality. The Processor ensures that any personnel whom they authorize to Process Personal Data on their behalf is subject to appropriate confidentiality obligations (whether a contractual or statutory duty) with respect to that Personal Data.

7.5. Personal Data Breaches. The Processor shall notify the Controller without undue delay after the Processor becomes aware of any Personal Data Breach and provide timely information relating to the Personal Data Breach as it becomes known or requested by the Controller within a reasonable time. At the Controller’s request, Dolphin AI will provide the Member with such reasonable assistance as necessary to enable you to notify relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you are required to do so under Data Protection Laws.

7.6. Return or Deletion of Data. Dolphin AI shall return or securely destroy Personal Data, in accordance with the Member’s instructions, upon Member’s request or within 30 days upon the termination of Member’s account(s) or the termination of the Agreement unless such Personal Data must be retained to comply with applicable law.

7.7. Dolphin AI Assistance with Data Subject Requests. Taking into account the nature of the processing, the Service Controls are the technical and organizational measures by which Dolphin AI will assist Member in fulfilling Member’s obligations to respond to Data Subjects’ requests under the GDPR. If a Data Subject makes a request to Dolphin AI, Dolphin AI will forward such request to Member once Dolphin AI has identified that the request is from a Data Subject for whom Member is responsible. The Parties agree that Member’s use of the Services and Dolphin AI forwarding Data Subjects’ requests to Member in accordance with this Article represent the scope and extent of Member’s required assistance.

8. SUB-PROCESSING

8.1. Member acknowledges and agrees and hereby authorizes Dolphin AI to engage Sub-processors that are: (a) an Affiliate of Dolphin AI; and (b) third-party Sub-processors, to process the Personal Data for and on behalf of Dolphin AI and/or an Affiliate of Dolphin AI, in each case in connection with the provision of the Services and to fulfill the obligations set forth under the Agreement.

8.2. Dolphin AI will make available to Member the current list of Sub-processors used by Dolphin AI to process Personal Data upon written request of Member within a reasonable time. The Member provides general authorisation to Dolphin AI’s use of Sub-processors to Process Personal Data on behalf of the Member, including those set out in such list.

8.3. Dolphin AI shall provide Member with notification of any intended new Sub-processor(s) by sending an e-mail to the e-mail address given by the Member. Member may reasonably object to Dolphin AI’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Dolphin AI promptly in writing within 7 (seven) days after receiving the aforesaid notice. Member shall ensure that such written objection shall include the reasons for objecting to Dolphin AI’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within 7 (seven) days following Dolphin AI’s notice shall be deemed as acceptance of the new Sub-processor. In the event Member reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Dolphin AI will use reasonable efforts to make available to Member a change in the Services or recommend a commercially reasonable change to Member’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Member. Until a decision is made regarding the new Sub-processor, Dolphin AI may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Member’s account applicable to the affected Agreement. Member will have no further claims against Dolphin AI (including requesting refunds for Services) as a result of or in connection with the termination of the Agreement, or any part of it, pursuant to this Article 8.3.

9. AUDITS

9.1. Controls for the Protection of Personal Data. Dolphin AI shall maintain industry-standard technical and organizational measures for the protection of Personal Data processed hereunder including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Annex-3 Technical and Organizational Measures, as may be amended from time to time. Upon the Member’s reasonable request, Dolphin AI will reasonably assist Member, at Member’s cost in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and/or UK GDPR taking into account the nature of the Processing and the information available to Dolphin AI.

9.2. Audits and Inspections. Upon Member providing at least 14 days prior written request (no more than once every 12 months) at Member’s expense, Dolphin AI shall:

9.3. Upon Dolphin AI’s request, Member shall return all records or documentation in Member’s possession or control provided by Dolphin AI in the context of the audit and/or the inspection. Nothing in this paragraph 8.2 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses.

9.4. In the event of an audit or inspections as set forth in paragraph 8.2, Member shall ensure that it (and each of its mandated auditors) will not cause (or, if it cannot avoid, minimize) any damage, injury or disruption to Dolphin AI’s premises, equipment, personnel and business while conducting such audit or inspection.

10. TERM

This DPA will enter into force as of the date of acceptance or signature (the “Commencement Date”) hereof and shall continue in full force and effect until the termination of the Purpose as defined in Annex-1.

11. GOVERNING LAW

This DPA is governed by the laws of the same jurisdiction that governs the Agreement.

12. MISCELLANEOUS PROVISIONS

12.1. Severability. If any term or provision in this DPA shall be held to be illegal or unenforceable, in whole or in part, under any enactment or rule of law, such term or provision or part shall to that extent be deemed not to form part of this DPA but the enforceability of the remainder of this DPA shall not be affected.

12.2. Waiver. The failure by the Parties to exercise any right, power, or privilege under the terms of this DPA will not be construed as a waiver of any subsequent or future exercise of that right, power, or privilege or the sole or partial exercise of any other right, power, or privilege.

12.3. Amendments. Notwithstanding anything else to the contrary in the Agreement and without prejudice to the ‘Compliance with Instructions’ or ‘Security’ sections of this DPA, Dolphin AI reserves the right to make any updates and changes to this DPA.

12.4. Notices. Any notice, letter or other communication contemplated by this Agreement shall be communicated in writing via registered mail to the registered addresses of the Parties or via electronic mail, delivery and read receipt requested.

ANNEX – I: DETAILS OF PROCESSING

A. List of Parties

Data exporter:
Name: The Member, as defined in the Dolphin AI Terms of Use
Role: Controller

Data importer:
Name: Dolphin AI Ltd.
Role: Processor

Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Member’s use of the Dolphin AI Services under the Agreement.


B. Nature and Purpose of Processing

Personal Data will be Processed in accordance with the Agreement including this DPA and may be subject to the following Processing activities:

C. Duration of Processing

Subject to any paragraph of the DPA and/or Terms of Use dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Dolphin AI as Processor will Process Personal Data pursuant to the DPA and Terms of Use for the duration of the Terms of Use, unless otherwise agreed upon in writing.

D. Type of Personal Data

Personal details (e.g. name, business address), contact information (e.g. e-mail, organization), (stored in a de-identified format), general user feedback data manually uploaded to the application or manually imported through an integration with the application by the Member.

E. Categories of Data Subjects

During the performance of the Services, the Personal Data relating to the following categories of Data Subjects may be Processed:

ANNEX – II: LIST OF SUB-PROCESSORS

Please review the Third-Party Service Providers list below for the list of Sub-processors.

ANNEX – III: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

This Annex on Technical and Organizational Security Measures sets out the measures for ensuring the ongoing confidentiality, integrity, availability and resilience of processing systems and services, and the measures for ensuring the ability to restore the availability of and access to Personal Data.

All capitalized terms not otherwise defined herein will have the meanings as set forth in the General Terms.

The following policies are maintained by Dolphin AI in order to ensure the measures set forth above; the policies are updated on an ongoing basis and reviewed annually for gaps:

  1. Access Control

    • a. Preventing Unauthorized Access, Outsourced Processing: Dolphin AI hosts its Services with outsourced cloud infrastructure providers. Additionally, Dolphin AI maintains contractual relationships with vendors to provide the Services in accordance with the DPA. Dolphin AI relies on contractual agreements, privacy policies, and vendor compliance programs to protect data processed or stored by these vendors.
    • b. Physical and Environmental Security: Dolphin AI hosts its product infrastructure with outsourced infrastructure providers. Dolphin AI does not own or maintain hardware located at the outsourced infrastructure providers’ data centers. Production servers and client-facing applications are logically and physically secured from our internal corporate information systems. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
    • c. Limited Employee and Contractor Access: Dolphin AI provides access to the facilities to its employees and contractors who have a legitimate business need for such access privileges to provide the Services within the scope of the Agreement. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employment or contractual relationship continues.
    • d. Pseudonymisation and Encryption of Personal Data: Where appropriate, Dolphin AI encrypts Personal Data in transit and at rest using encryption provided through its Sub-processors. AWS also has a dedicated Compliance Program which includes certifications and accreditations like CSA, ISO, SOC, and more, as listed on their website at https://aws.amazon.com/compliance/programs.
    • e. Data Retention: Personal Data and raw data are all deleted as soon as possible or legally applicable. Usually, the data is provided by the Member for the purpose of providing the Services by Dolphin AI and is deleted upon termination of the contractual obligations or within 30 days of termination. However, certain data, such as financial data, is required to be retained for a longer period of time.
    • f. Continued Evaluation: Dolphin AI will conduct periodic reviews of the security of its platform and the adequacy of its information security program as measured against industry security standards and its policies and procedures. Dolphin AI will continually evaluate the security of its systems to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.
    • g. Details on Amazon Web Services (AWS): As a Sub-processor of Dolphin AI, AWS regularly achieves third-party validation for thousands of global compliance requirements that they continually monitor to help their customers meet security and compliance standards. AWS supports security standards and compliance certifications like PCI-DSS, HIPAA/HITECH, FedRAMP, GDPR, FIPS 140-2, and NIST 800-171. For a detailed overview of all security and privacy measures, see https://aws.amazon.com/security.
    • h. Details on Railway: As a Sub-processor of Dolphin AI, Railway regularly achieves third-party validation for thousands of global compliance requirements that they continually monitor to help their customers meet security and compliance standards. Railway supports security standards and compliance certifications like EU-US DPF, HIPAA, SOC 2, and Swiss-US DPF. For a detailed overview of all security and privacy measures, see https://trust.railway.app/.

  2. Transmission Control

    • a. In transit: Dolphin AI’s HTTPS implementation uses industry-standard algorithms and certificates.
    • b. At rest: Dolphin AI stores User passwords in accordance with policies that follow industry-standard security practices. Dolphin AI has implemented technologies to ensure that stored data is encrypted at rest.

  3. Cyber Security

    • a. Dolphin AI has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of all Dolphin AI User’s systems. Dolphin AI conducts a variety of regular internal and external audits that are inclusive of security operations.
    • b. Dolphin AI performs an annual internal review of all security management policies and procedures. External auditors perform an annual review of these policies and procedures.
    • c. Dolphin AI maintains administrative, physical, and technical safeguards for the protection of the security, confidentiality, and integrity of Member and its data and confidential and proprietary information, including Personal Data. Dolphin AI regularly monitors its compliance with industry security standards and will not intentionally decrease them during the term of the Agreement.

  4. Cross Border Transfers; SCCs, IDTA & Additional Safeguards

    • a. EEA Transfers: The Parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer. Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Member as the Controller of the Personal Data and Dolphin AI is the Processor of the Personal Data.
    • b. UK Transfers: The Parties agree that the IDTA shall apply to a UK Transfer. For this reason, the Parties agree to use the IDTA embedded in this DPA as a transfer tool to comply with Article 46 of the UK GDPR when making restricted transfers.
    • c. Additional Safeguards: In the event of an EEA Transfer or a UK Transfer, the Parties agree to supplement these with the following safeguards and representations, where appropriate:

      • As the Processor, Dolphin AI shall have in place and maintain in accordance with good industry practice measures to protect the Personal Data from interception (including in transit from the Controller to the Processor and between different systems and services). This includes having in place and maintaining network protection intended to deny attackers the ability to intercept data and encryption of Personal Data whilst in transit and at rest intended to deny attackers the ability to read data.

      • Dolphin AI will make commercially reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Personal Data protected under GDPR or the UK GDPR, including under section 702 of the United States Foreign Intelligence Surveillance Court (“FISA”);

      • If Dolphin AI becomes aware that any government authority (including law enforcement) wishes to obtain access to or a copy of some or all of the Personal Data, whether on a voluntary or a mandatory basis, then unless legally prohibited or under a mandatory legal compulsion that requires otherwise:

        1. Dolphin AI shall inform the relevant government authority that Dolphin AI is a Processor of the Personal Data, and that the Controller has not authorized Dolphin AI to disclose the Personal Data to the government authority, and inform the relevant government authority that any and all requests or demands for access to the Personal Data should therefore be notified to or served upon the Controller in writing;

        2. Dolphin AI will use commercially reasonable legal mechanisms to challenge any such demand for access to Personal Data which is under its control. Notwithstanding the above, (a) the Controller acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended government authority access, and (b) if, taking into account the nature, scope, context and purposes of the intended government authority access to Personal Data, Dolphin AI has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, this subsection (e)(II) shall not apply. In such event, Dolphin AI shall notify the Controller, as soon as possible, following the access by the government authority, and provide the Controller with relevant details of the same, unless and to the extent legally prohibited to do so.

      • Once in every 12-month period, Dolphin AI will inform the Member, at the Member’s written request, of the types of binding legal demands for Personal Data it has received and solely to the extent such demands have been received, including national security orders and directives, which shall encompass any process issued under section 702 of FISA.

For more information about this DPA, you may contact us at team@getdolphin.ai.