Version 3.4. Last updated 2023-03-30.
1. BACKGROUND
1.1 This Data Processing Agreement and its Schedules (the “DPA”) forms part of the Connectel Customer Agreement between Connectel AB (company registration number 556755-6559, having its registered address at Kungsängsgatan 14, 743 22 Uppsala) and the Customer for the purchase of Service Provider’s Services (the “Agreement”).
1.2 By signing the Agreement, Customer enters into this DPA.
1.3 All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1.4 In the course of providing the Services to Customer pursuant to the Agreement, the Service Provider will process personal data on behalf of the Customer and the Parties agree that the following provisions shall apply with respect to any personal data.
1.5 All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1.6 Terms such as “personal data”, “processing” and “data subject” and other expressions not defined in this DPA or the Agreement shall have the same meaning as set out in in the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”), as may be amended, updated, replaced or superseded from time to time, if not expressly stated otherwise.
1.7 In case of conflict between the Agreement and the DPA, this DPA shall take precedence in matters relating to the protection of personal data.
2. Customer’s Obligations
2.1 The Customer shall ensure that it:
(i) in its use of the Service, process personal data in accordance with the requirements of applicable data protection laws;
(ii) provide the relevant information to its end-customers under applicable laws about the processing of personal data, and where appropriate direct such end-customers to the Service Provider’s privacy notice;
(iii) gives instructions for the processing of personal data which comply with applicable data protection laws.
2.2 The Customer has the sole responsibility for the accuracy, quality, and legality of personal data provided by the Customer to the Service Provider and the means by which the Customer acquired the personal data.
2.3 The Customer is responsible for ensuring that the security measures agreed in accordance with section 3.1(iii) complies with the Customer’s data security obligations pursuant to applicable laws as regards the personal data processed.
2.4 As part of carrying out its obligations under this Agreement, the Service Provider will process personal data pertaining to Customer’s personnel as a controller, collected either directly from the personnel or as provided by the Customer. The Service Provider will also process personal data used within the Service for its own purposes. The Service Provider’s processing activities are described in the Service Provider’s Privacy Notice, available on the Service Provider’s website (www.connectel.io). When the Customer transfers personal data to the Service Provider, the Customer shall ensure that it can lawfully transfer personal data about its personnel and end-customers to the Service Provider, and that it has informed the individuals which the personal data pertains to that information about the Service Provider’s processing of personal data can be found in Supplier’s Privacy Notice.
3. Service Provider’s obligations
3.1 The Service Provider shall to the extent any personal data is processed by the Service Provider on behalf of the Customer under the Agreement:
(i) only process personal data in accordance with the Customer’s documented instructions specified in Schedule 1 of this DPA, unless when required to do so under applicable European Union (“EU”) or Member State law to which the Service Provider is subject. The Service Provider shall in such case inform the Customer of such legal obligation unless prohibited by law. The Service Provider has no obligation to monitor the compliance of the Customer’s use of the Services with the GDPR, though the Service Provider shall immediately inform the Customer if the Customer’s documented instructions, in Service Provider’s opinion, are infringing applicable laws, rules and regulations. Such information shall not be considered as legal advice provided by the Service Provider. Instructions not foreseen in or covered by the Agreement shall be treated as requests for changes. If the Customer requests an amendment of the security measures, the Service Provider shall be entitled to reasonable compensation for abiding with the amended instructions;
(ii) ensure that the employees/agents/sub-contractors or other third parties that are authorized to process personal data are subject to an obligation of confidentiality with regards to the personal data. The Service Provider is only allowed to disclose personal data to third parties if the Customer has given its written consent or if it is required by applicable law;
(iii) implement appropriate technical and organizational measures required pursuant to Article 32 of the GDPR, as set out in Schedule 2;
(iv) not disclose or otherwise reveal any personal data covered by the DPA to a data subject or third party, unless otherwise stated in the Agreement or required by law or a court of official authority’s decision. In the event that the Service Provider must disclose such data due to law or a court or official authority’s decision, the Service Provider shall notify the Customer of the disclosure, unless this is prohibited by applicable law or a court or official authority’s decision;
(v) hereby be given a general authorization to engage other processors (“Sub-processors”) for the processing of personal data on behalf of the Customer. Where the Service Provider engages a Sub-processor under this clause, the Service Provider undertakes to ensure that the contract entered into between the Service Provider and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in this DPA. The Service Provider shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors, to which the Customer may object. If the Customer has made no such objection within twenty (20) days from the date of receipt of the notification, the Customer is assumed to have made no objection;
(vi) have the right to cure an objection from the Customer as described in (v) above, at Service Providers sole discretion. If no corrective option is reasonably available and the objection has not been cured within sixty (60) days after receiving the objection, either Party may terminate the affected service or the Agreement with reasonable written notice;
(vii) be allowed to transfer personal data to third countries outside the EU or European Economic Area (“EEA”) in accordance with the Customer’s documented instructions. When personal data is transferred to a country that does not ensure an adequate level of data protection, the Service Provider ensures that the transfer is made subject to adequate safeguards as stated in Chapter V GDPR being in place. The Service Provider may for this purpose rely on the standard contractual clauses set forth in the annex to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“SCCs”), or decisions and clauses that may replace or amend these. The Customer acknowledges and agrees that the Service Provider or Sub-processor, as applicable, may utilize different modules of the SCCs as applicable, and that module 3 of the SCCs in most cases will be the applicable module. To the extent legally required, the Service Provider will perform a risk assessment in relation to a transfer of data to a third country. Should the requirement to perform such assessment instead lay with a Sub-processor appointed by the Service Provider, the Service Provider will request that the Sub-processor performs such assessment. Some Sub-processors may publish information in this regard, such as risk assessments, on their respective websites which lays beyond the Service Provider’s control. The Customer hereby acknowledges that such information, including any assessments made, lays beyond the Service Provider’s control and that the reliance of such information and assessments is accepted;
(viii) taking into account the nature of the processing and the information available for the Service Provider, assist the Customer in its obligation to respond to requests from data subjects pursuant to chapter III in the GDPR by implementing appropriate technical and organizational measures, insofar as this is possible;
(ix) taking into account the nature of processing and the information available to the Service Provider, assist the Customer to fulfill its obligations pursuant to Articles 32 to 36 in the GDPR;
(x) on termination or expiration of the Agreement or on instruction from the Customer, upon written request and at the Customer’s choice, return or delete all personal data processed under the Agreement, unless Service Provider is required to retain the personal data by applicable laws, rules and regulations. Unless the Customer makes such written request for the return of all personal data within fourteen (14) days from the Agreement’s termination or expiration, the Service Provider assumes that the Customer wishes that the Service Provider shall delete the personal data; and
(xi) upon the Customer’ request, make available all information necessary to demonstrate Service Provider’s compliance with the obligations laid down in Article 28 in the GDPR and in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer and accepted by the Service Provider. The Service Provider shall not unreasonably withhold its acceptance. The audit shall be carried out maximum once (1) per calendar year unless the Customer demonstrates reasonable cause for further audits, and a written notice shall in all cases be sent to the Service Provider with a notice period of at least sixty (60) days before the audit commences. The audit shall be conducted during the Service Provider’s normal working hours without disturbance to the normal operations of the Service Provider. If the Service Provider’s personnel are required to assist the Customer during the audit, the Service Provider shall be entitled to reasonable compensation for such assistance.
(xii) Customer shall reimburse the Service Provider for reasonable business expenses incurred in the performance of its duty to assist the Customer under clause 3.1(viii), 3.1(ix), 3.1(x) and 3.1(xi) in the DPA.
4. Sub-processor terms
Where the Service Provider engages a Sub-processor with whom the same terms as this DPA cannot reasonably be imposed or negotiated (for example, but not limited to, where the Sub-processor operates on fixed, non-negotiable terms) but where such terms are consistent with the obligations on processors under Article 28 of the GDPR, provided the Service Provider has notified Customer in writing of the relevant sub-processor terms in Schedule 2 or otherwise in writing, those Sub-processor terms shall, as updated from time to time by the Sub-processor: (i) apply to the processing carried out by the Sub-processor; and (ii) be deemed to state the entire set of obligations, responsibility and liability of the Service Provider with respect to the relevant processing, as though the Service Provider were carrying out that processing under those sub-processor terms in place of the Sub-processor.
5. Limitation of liability and Indemnification
5.1 The Service Provider’s liability shall be limited in accordance with what is set out in the Agreement. This includes, for example, claims from data subjects and administrative penalties or fines issued by relevant courts or data protections authorities.
5.2 The Customer shall indemnify and hold harmless the Service Provider from any liability arising as a result of the Customer’s infringement of the GDPR or other applicable laws or as a result of the Customer’s instructions to the Service Provider which is in breach with the provisions of the GDPR or other applicable laws.
6. Miscellaneous
6.1 This DPA is valid for as long as the Service Provider is processing personal data on behalf of the Customer.
6.2 This DPA shall be governed in accordance with what is set out in the Agreement.
Schedule 1 – Customer’s instructions
1. General
This DPA and the following is the complete instructions from the Customer to the Service Provider for the processing of personal data, which is covered in this DPA, as of the commencement of the Agreement.
While delivering the Service, the Service Provider will process personal data and can do so as a controller or a processor.
In most scenarios, Service Provider will act as a processor of personal information on behalf of the Customer. The Service Provider delivers a software as a service and is not responsible for the data collected in the platform, and is only responsible for how it is processed according to the DPA and the Customer’s instructions. When the Customer initiates a phone call towards its end-customer, the Service Provider carries the interaction on behalf of the Customer. The Service Provider will act as a processor of personal data, while the customer will act as the controller.
The Service Provider can also act as a controller. Such processing of personal data is outlined in section 3.4 of this Schedule 1.
The Customer understands and accepts that all data may be used by the Service Provider for the purpose of improving the Service. The Service Provider is the controller for such processing.
2. Retention of personal data
There are two types of removal processes: manual and automatic. The manual removal is triggered by the Customer. Automatic removal is triggered automatically and will remove data older than the timespan defined in relation to the personal data. The number of days in this timespan is configured by request of the Customer.
The purpose of automatic removal is to delete personal data after a given time period. Examples of data that is removed are customer telephone numbers, contents of interactions and recordings.
Upon service termination data will be handled according to section 3.1(x) of the DPA.
3. Information about the processing
The following constitutes the Customer’s initial instructions to the Service Provider.
| DATA SUBJECTS: CUSTOMER EMPLOYEE (“AGENT”) | |||
| Type of personal data | Purposes for the processing | Retention time | |
| Name: | The “agent name”-field acts as the agent identifier used by the system to handle interactions. Will also serve as a unique login for the agent in question. This information is required to manage interactions within the system. The agent identifier is also used when displaying historical (Insights) & real-time statistics (Skyview). It is a required field, but it does not have to contain a real name. | Manually removed upon employee termination, changes in security clearance, or termination of agreement. | |
| Telephone number: | Act as the agent direct number for telephone calls. The agent’s number is assigned to them. Use of personal numbers may occur and is decided by the Customer on behalf of the agent. The agent direct number is also used when performing outbound calls both for displaying information to the answering part and also stored for billing purposes together with time of occurrence. | Manually removed upon employee termination, changes in security clearance, or termination of agreement. | |
| Email address: | Used for password recovery features and could also be used for login identifiers in surrounding systems used for an example to display historical statistics or customer satisfaction surveys. | Manually removed upon employee termination, changes in security clearance, or termination of agreement. | |
| Recorded phone call: | The Customer may choose to record calls. Should the end-customer give consent to this action the recording will be stored in order to follow-up on enquiries and to verify what has been said in that dialogue. Customer employee consent should be handled separately by the Customer. It may also be used for training purposes and quality assurance. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| Conversa-tions: | When an end-customer initiates a conversation via e-mail, chat or any other available channel towards the system the content of the conversation is stored in order to follow-up on enquiries and to verify integrity of the dialogue in question towards the end-customer. For an example the content of a specific chat dialogue can verify what has been done and said in that interaction. A chat conversation could contain all kinds of personal data that the agent chooses to disclose. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| IP-address: | When an agent uses the services the IP-address of the originating network will be stored for audit reasons. | Automatic deletion after a maximum of 30 days. | |
| Other data | Other data that may be subject to processing includes data and/or information uploaded by the Customer. For an example, data uploaded as part of a contact in the Contact List module will be processed as well as custom data retrieved in an IVR module. The Service Provider will not assess the content of such personal data in order to identify information subject to specific legal requirements. The Customer takes full responsibility that the data uploaded to the system is in line with this DPA, the GDPR, and any other applicable laws and regulations. | Other data uploaded by the Customer’s user may or may not be supported for automatic removal. Default value: indefinitely. | |
| DATA SUBJECT: END-CUSTOMER | |||
| Type of personal data | Purposes for the processing | Retention time | |
| Name: | When an end-customer initiates an email dialogue or a chat dialogue with an agent the name may be stored depending on what the end-customer has submitted in the initial request. For email address the address in question can be of such character that the name of the end-customer can be read. For chat conversations the name may be a required field depending on the Customer configuration. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| Telephone number: | When an end-customer dials into the system the system will store that number in order to present the number to the agent and for follow-up purposes. The end-customer telephone number will also be stored if an agent decides to make an outbound call to a given destination. The number is also saved for support purposes and billing purposes together with time of occurrence. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| Email-address: | When a party sends an email into the system or sending an email for support enquiries the email address will be saved in order for the receiving agent to handle the request and reply to the end-customer. The email address may also be saved when initiating a chat. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| Conversa-tions: | When the Customer initiates a conversation via e-mail, chat or any other available channel towards the system the content of the conversation is stored in order to follow-up on enquiries and to verify integrity of the dialogue in question towards the end-customer. For an example the content of a specific chat dialogue can verify what has been done and said in that interaction. A chat conversation could contain all kinds of personal data that the agent chooses to disclose. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| Recorded phone call: | The Customer may choose to record calls. Should the end-customer give consent to this action the recording will be stored in order to follow-up on enquiries and to verify what has been said in that dialogue. Customer employee consent should be handled separately by the Customer. It may also be used for training purposes and quality assurance. | Automatic removal supported, and it can be configured by the Customer. Default value: indefinitely | |
| Statistics of interacti-ons, and time of occurren-ce, etc: | When an end-customer initiates a dialogue with an agent the type of interactions (voice, email, chat etc) is stored together with the time and date of the interaction. This is used to gather statistics on the interactions within the system. It may also be used for quality assurance and to identify the time an interaction took place with a specific agent. The interactions are also used for billing purposes. | Automatic removal supported for customer identifiers (such as telephone number, email address etc.), and it can be configured by the Customer. Default value: indefinitely | |
| Other data | Like other data that may be subject to processing includes data and/or information uploaded by the Customer. For an example, data uploaded as part of a contact in the Contact List module will be processed as well as custom data retrieved in an IVR module. The Service Provider will not assess the content of such personal data in order to identify information subject to specific legal requirements. The Customer takes full responsibility that the data uploaded to the system is in line with this DPA, the GDPR, and any other applicable laws and regulations. | Other data uploaded by the system user may or may not be supported for automatic removal. Default value: indefinitely | |
3.1 Backups and retention
Service critical information and data is part of an automatic backup. Backups are stored for 90 days and can be obtained on customer request or system failure.
By default, voice recordings are not part of this automatic backup.
3.2 Integration services
The Service Provider may come to access, and thereby process, personal data when performing integration services in accordance with the Agreement. Such processing shall be limited to what is necessary to perform the integrations.
3.3 Consultancy services as an add-on
If the Customer and Service Provider has agreed that the Service Provider shall provide consultancy services to the Customer, this DPA shall govern and control the Service Provider’s processing of personal data on the Customer’s behalf in connection with providing such consultancy services. The details of the processing operations, such as the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects may be set out in a separate agreement, work order, statement of work, or similar, which refers to this DPA as the contract governing the processing of such personal data and setting out the rights and obligations of the Customer.
3.4 Personal data processed by the Service Provider as the controller
Information necessary to operate the service and troubleshoot problems, which typically includes contact information to the Customer’s employees.
Traffic data which the Service Provider must store pursuant to applicable laws, which includes the participants of communication, the time of the communication; and the length of the communication.
The Service Provider may use all personal data processed on behalf of the Customer to create aggregated and/or anonymised statistics. This includes but is not limited to statistics of interactions, and time of occurrence, and other data which the Customer may upload for the Service Provider to process. Such processing is limited to the data subjects outlined in Schedule 1, 3. The purpose of this processing includes:
(i) statistics on service usage and utilization
(ii) troubleshooting
(iii) improve and tailor the service towards the customer needs and demands
The Service Provider may use all personal data processed on behalf of the Customer o for its own it-security purposes. This includes maintaining the security of the Service Provider’s Services, as well as when necessary help the Customer protect its Agents.
The names of and the email addresses to agents, and other Customer users, will be used by the Service Provider as a controller, for the purposes of sending information such as news and updates about the service, notifications regarding upcoming trainings and seminars, and similar. The Service Provider’s criteria for determining what information to send is that it should be relevant for the recipient in their professional role or beneficial to the Customer.
Schedule 2 – sub-processors
1.1 The subprocessors below are used for the services stated for each Sub-processor.
| Name: | Amazon Web Services, Inc. |
| Location: | Customers with operations within the EU/EEA will have their data processed and stored within the EU/EEA. Customers outside of the EU/EEA will have their data processed and stored in a datacenter closest to their location. |
| Purpose: | Data Hosting |
| Personal data categories: | All categories set out in Schedule 1 |
| Services: | All |
| Name: | GlobalConnect AB |
| Location: | Sweden |
| Purpose: | Data Hosting |
| Personal data categories: | All categories set out in Schedule 1 |
| Services: | All |
| Name: | Xenialab s.r.l. |
| Location: | EU |
| Purpose: | Provide third-level development support and troubleshooting. |
| Personal data categories: | All categories set out in Schedule 1 |
| Services: | Support & Third-level development |
1.2 Additional Modules & Integration Services from parties other than the Service Provider
The Customer may activate and/or enable modules, features and/or integration services from third parties (any such entity being a ”Third Party”) within the Service Provider’s services. Such Third Parties will become processors to the Customer, and they shall not be considered as Sub-processors to the Service Provider. Any terms and conditions or similar, and data processing agreements, will be entered into between the Customer and the Third Party.
The Service Provider shall process personal data on behalf of the Customer in order to enable the Customer’s use of the Third Party’s services, but shall not be liable for that Third Party’s performance of its obligations with regards to the Customer.
The Customer (i.e., the controller) accepts and acknowledges that it has taken part of the respective Third Party’s privacy statement(s) and other information regarding data protection, and that the Customer understands the Third Party’s means of processing their personal data, before activating or enabling that Third Party’s services. The Service Provider may, on behalf of the Customer and upon the Customer’s request, enable additional modules, sub-processor and/or integration services to fulfill the Agreement or any additions made to the Agreement after its execution. The Service Provider is not obliged to inform the Customer which privacy statements and other information that apply to a specific module, sub-processor and/or integration service that is included in this Schedule 2, section 1.3.
By default, all modules, features and/or integration services defined in this Schedule 2, section 1.3 (below), are disabled and can only be enabled by the Customer, or by request to the Service Provider made by the Customer.
1.3 List of additional Modules, Sub-processor & Integration Services
| Name: | Google LLC |
| Modules: | Chatbot Dialogflow, IVR Block for Speech & Text recognition, Dialogflow (Google Cloud TTS, GoogleTTS, GoogleASR, DialogflowV2), E-mail account setup if using Gmail. |
| Name: | Amazon Web Services (AWS) |
| Modules:: | IVR Block for Speech & Text recognition (AWSPolly, AWSLex), AI Tools for voice transcription. |
| Name: | Zendesk, Salesforce, Freshdesk, SugarCRM, Desk, Zoho, vTiger, Dynamics365, ServiceNow, Freshsales |
| Modules: | Integration Services, Integrations. |
| Name: | Office365, Hotmail, Yahoo |
| Modules: | Integration Services, E-mail. |
| Name: | |
| Modules: | Integration Services, Communication |
| Name: | Twilio, Skebby, ClickSend, Plivo, Infobip, Clickatell, CSCTelecom, Intelepeer, Bandwidth |
| Modules: | Integration Services, SMS |
| Name: | Open Channel |
| Modules: | The Open Channel integration module allows the customer to integrate with any services via APIs and provide communication between users & end-users. Such services include Facebook, Instagram etc. |
Schedule 3 technical and organisational measures
1. Access rights and access control
As an organization, we are committed to ensuring that your private data is never accessed by unauthorized personnel or for unauthorized reasons.
Access by technical personnel is limited only to members of the Operations team who need access for maintaining the security and availability of the service
1.1 Organisational and technical security measures
· Data isolation: Personal data stored within services are isolated from each other. Ensuring access protection.
· Application isolation: Customer application access is controlled network isolation (See Network isolation).
· Network isolation: Data and application are stored on separate networks with separate and customer tailored firewall configurations.
· Periodic software penetration testing
· Encryption for data in transit and at rest whenever possible
Service implementations also follow physical access protection, strict firewall rules and encrypted communication when transmitting data. Access by technical personnel is limited only to members of the Operations team who need access for maintaining the security and availability of the service.
1.2 Physical access control
| Supplier
datacenter access |
Only authorized and approved employees are allowed access to the facilities. All employees who need data center access must apply for access and provide a valid business justification. Requests are reviewed and approved by authorized personnel and are revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their access request. |
| Govcloud
access (US Only) |
Physical access to data centers in the US region is restricted to employees who have been validated as being US citizens. |
| Surveillance | Physical access points to server rooms are recorded by CCTV. Images are retained according to legal and compliance requirements. Physical access is controlled at building ingress points by professional security staff utilizing surveillance, detection and other electronic means. |
1.3 Access control for personal data
Physical access is guarded by the means explained in section (Physical access control)
Soft access is based on organizational security levels. An audit of these is performed 2 times per year. Once personnel end employment or for any reason changes security level/clearance, access rights are revoked and/or adjusted
1.4 Access list for personal data via software access
Service Provider Operations employees has full access to the system data as the system maintainers and users.
Xenialab Software (ITA) employees has full access to the system data as the software maintainers.
1.5 Access list for personal data via hardware access
Validated Service Provider Operations employees as defined in “Physical access control”