Data Processing Agreement
Last updated September 2024
This data processing agreement (DPA) forms part of the AEC Systems Ltd (“Speckle”, “Us”, “We”, “Our”) Terms and Conditions (the “MSA”).
WHEREAS, Speckle shall provide the Software and the Services as set forth in the MSA for you (collectively, “You”, "Your”); and
WHEREAS, In the course of providing the Software and the Services pursuant to the MSA, Speckle may process Personal Data on your behalf, in the capacity of a “Data Processor” and the Parties wish to set forth the arrangements regarding such processing.
NOW THEREFORE, in consideration of the above, the Parties agree as follows:
1. INTERPRETATION AND DEFINITIONS
- The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or Sections are references to the clauses or Sections of this DPA unless stated otherwise. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined in this Section 1.2 or elsewhere in this DPA shall have the meanings assigned to such terms elsewhere in the MSA.
- Definition:
- “Data Protection Laws” means all laws and regulations of the European Union, the European Economic Area and their Member States and the United Kingdom, applicable to the Processing of Personal Data under the MSA.
- “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
- “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
- “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Customer Data” means Personal Data that is provided to us by You or on Your behalf or otherwise obtained or processed by or on behalf of us throughout Your and Your personnel’s use of the Software and the Services, e.g. when uploading or creating Personal Data throughout one of your projects that we host on our Platform. Customer Data excludes Customer Relationship Data.
- “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller.
- “Customer Relationship Data” means all data provided to us by You or on Your behalf or otherwise obtained or processed by or on behalf of us through an engagement with Speckle to obtain the Software and the Services, including pseudonymized, aggregated and/or statistical data relating to or derived from Your and Your personnel’s use of the Software and the Services, such as analytics, metadata and audit logs.
- “Security Documentation” means the Security Documentation applicable to the specific Software or Service You purchased, as updated from time to time and available at https://speckle.systems/security/.
- “Sub-processor” means any Processor engaged by Speckle and/or Speckle’s Affiliates.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or pursuant to the UK GDPR in the United Kingdom (UK).
- “UK GDPR” means the Data Protection Act 2018, as updated, amended, replaced or superseded from time to time.
- “UK Standard Contractual Clauses” or “UK SCCs” means the standard contractual clauses for the transfer of Personal Data to Data processors established in third countries which do not ensure an adequate level of protection as set out by the ICO, as available here, as updated, amended, replaced or superseded from time to time by the ICO.
2. PROCESSING OF PERSONAL DATA
- Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Customer Data, Speckle is a Data Processor.
- Your Processing of Personal Data. You shall, in Your use of the Software and Services, Process Personal Data in accordance with the requirements of Data Protection Laws and comply at all times with the obligations set out therein. You shall have the sole responsibility for how You acquire Personal Data and for ensuring that Your instructions for the Processing of Personal Data and Your and Your users’ use of the Software and the Services shall at all times comply with Data Protection Laws. Without limitation, You shall comply with all transparency-related obligations (including displaying any and all relevant and required privacy notices or policies) and shall have all required legal bases to collect, Process and transfer to Speckle the Personal Data for Processing in accordance with this DPA.
3. SPECKLE’S PROCESSING OF CUSTOMER DATA
- Speckle shall Process Customer Data solely in accordance with Your documented instructions, as necessary for the provision of the Software and the Services, and for the performance of the MSA, this DPA and Data Protection Laws, unless otherwise required by law; in such a case, Speckle shall inform You of the legal requirements before Processing, unless applicable law prohibits such information on important grounds of public interest. The duration, nature and purpose of the Processing, as well as the types of Customer Data Processed and categories of Data Subjects are also specified in Schedule 1 to this DPA.
- If and to the extent Speckle cannot comply with an instruction from You or where Speckle considers such an instruction to be unlawful, (i) Speckle shall inform You providing reasonable details of the issue, (ii) Speckle may, without any kind of liability towards You, temporarily cease all Processing of the affected Customer Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the contract relating to the affected Software and Services and this DPA with respect to the affected Processing, and You shall pay to Speckle all unpaid amounts owed to Speckle up to termination effective date. You will have no further claims against Speckle (including, without limitation, requesting refunds for Software or Services) due to the termination of the contract relating to the affected Software and Services and the DPA in the situation described in this paragraph.
- We shall notify You without undue delay if, in our opinion, your instructions do not comply with Data Protection Legislation. Speckle will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Speckle, to the extent that such is a result of Your instructions.
4. SPECKLE PERSONNEL
Confidentiality. Speckle shall grant access to the Customer Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Speckle may disclose and Process Customer Data (a) as permitted hereunder (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws (in such a case, Speckle shall inform You of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
5. SECURITY
- Controls for the Protection of Customer Data. Speckle shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the UK GDPR for security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the Security Documentation, which is hereby approved by You. Speckle regularly monitors compliance with these measures and shall notify You of any material changes to the Security Documentation. Upon Your request Speckle shall demonstrate the implementation of such measures. Speckle will reasonably assist You in complying with Articles 32 to 36 of the UK GDPR, taking into account the nature of the processing and the information available to Speckle.
- Third-Party Certifications and Audits. Upon Your written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Speckle shall allow for and contribute to audits at Your cost and expense, and make available to You a copy of Speckle’s then most recent third-party audits or certifications, as applicable, provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by You to assess compliance with this DPA and/or with applicable Data Protection Laws, and shall not be used for any other purpose or disclosed to any third party without Speckle’s prior written approval and, upon Speckle’s first request, You shall return all records or documentation in Your possession or control provided by Speckle in the context of the audit and/or the certifications. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, Personal Data that does not belong to You. If and to the extent You commission third parties to carry out such audits, such third parties must (i) not be competitors of Speckle and (ii) be subject to at least industry standard confidentiality obligations for the protection of Speckle's trade and business secrets.
6. AUTHORIZATION REGARDING SUB-PROCESSORS
- List of Current Sub-processors and Notification of New Sub-processors. Speckle's current list of Sub-processors (“Sub-processor List”) is attached as Schedule 2 and hereby, authorized by You. Customer hereby grants a general authorization to Speckle to appoint new Sub-processors, and Speckle shall comply with the conditions of Section 6.2.
- Objection Right for New Sub-processors. Speckle shall notify You reasonably before authorizing a new Sub-processor(s) to Process Customer Data in connection with the provision of the Software and the Services. You may reasonably object to Speckle’s use of a new Sub-processor for reasons related to the UK GDPR and/or GDPR by notifying Speckle promptly in writing within ten (10) business days after receipt of notice thereof. Failure to such object to a new Sub-processor in writing within such time shall be deemed as acceptance of the new Sub-Processor. In the event You reasonably object to a new Sub-processor, Speckle will apply reasonable efforts to recommend a commercially reasonable change to Your use of the Services to avoid Processing by the objected-to new Sub-processor. If Speckle is unable to make such change within thirty (30) days, You may, as a sole remedy, terminate the contract relating to the affected Software and Services and this DPA by providing written notice to Speckle, following which all unpaid amounts shall be duly paid to Speckle. Until a decision is made regarding the new Sub-processor, Speckle may temporarily suspend the Processing of the affected Customer Data. You will have no further claims against Speckle due to the termination of the contract relating to the affected Software and Services (including, without limitation, requesting refunds) and/or the DPA in the situation described in this Section.
7. TRANSFERS OF DATA TO THIRD COUNTRIES
- Transfers to countries that offer adequate level of data protection. Customer Data may be transferred from the United Kingdom to countries that offer an adequate level of data protection pursuant to an adequacy decision published by the competent data protection authorities of the UK, without any further safeguard being necessary.
- Transfers to Third Countries. If the Processing of Customer Data includes transfers from the UK to countries which do not offer an adequate level of data protection (“Third Countries”), the Parties shall comply with Article 44 ff. of the UK GDPR, including, if necessary, executing the standard data protection clauses adopted by the relevant Data Protection Authorities or comply with any of the other mechanisms provided for in the UK GDPR for transferring Personal Data to such Third Countries.
8. RIGHTS OF DATA SUBJECTS
Data Subject Request. If Speckle receives a request from a Data Subject to exercise its data subject rights (“Data Subject Request”), Speckle shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to You. Taking into account the nature of the Processing, Speckle shall use commercially reasonable efforts to assist You by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Your obligations to respond to a Data Subject Request under Data Protection Laws. To the extent legally permitted, You shall be responsible for any costs arising from Speckle’s provision of such assistance.
9. CUSTOMER DATA INCIDENT MANAGEMENT AND NOTIFICATION
To the extent required under applicable Data Protection Laws, Speckle shall notify You without undue delay, if feasible within 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, transmitted, stored or otherwise Processed by Speckle or its Sub-processors of which Speckle becomes aware (a “Data Incident”). Speckle shall make reasonable efforts to identify the cause of such Data Incident and take those steps as Speckle deems necessary, possible and reasonable in order to remediate the cause of such a Data Incident to the extent the remediation is within Speckle’s reasonable control. Except for the notification, the obligations herein shall not apply to Data incidents caused by You or Your users. In any event, You will be the responsible for notifying Supervisory Authorities and/or Data Subjects (where required by Data Protection Laws and Regulations).
10. RETURN AND DELETION OF CUSTOMER DATA
Speckle shall, at Your choice, after the end of the provision of the Software and/or Services, delete or return the Customer Data to You and shall delete existing copies unless applicable law requires further storage of the Customer Data. In any event, to the extent permitted by applicable law, Speckle may retain one copy of the Customer Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. The Customer Data shall be returned in the format generally available for Speckle’s customers. The obligations to delete or return Customer Data pursuant to this Section 10 shall not apply if and to the extent You can retrieve and/or delete Your Customer Data yourself using the features of the Software and/or Services provided in this regard.
11. TERMINATION
This DPA shall automatically terminate upon the termination or expiration of the agreement under which the Software and/or the Services are provided. Sections 2.2 and 12 shall survive the termination or expiration of this DPA for any reason.
12. LIABILITY LIMITATIONS
The liability limitations set out in the MSA shall apply accordingly to this DPA. For the avoidance of doubt, the liability of Speckle towards data subjects under applicable Data Protection Laws shall not be limited.