Data Processing Agreement

Cleverly respects your privacy and is committed to protecting your personal data.

Hi, “Cleverly” app (the “App”) user. Please note:

This agreement constitutes a binding contract on you and governs the use of and access to the services by you, agents and end-users whether in connection with a paid or free trial subscription to the services offered by us.

By accepting this Agreement, either by accessing or using the Cleverly Related app, or authorizing or permitting any agent or end-user to access or use our App, You agree to be bound by this Agreement as of the date of such access or use of the App (the “Effective Date”). If You are entering into this Agreement on behalf of a company, organization or another legal entity (an “Entity”), You are agreeing to this Agreement for that Entity and representing to us that You have the authority to bind such Entity and its Affiliates to this Agreement, in which case the terms “Controller,” “You,” “Your” or a related capitalized term herein shall refer to such Entity and its Affiliates. If You do not have such authority, or if You do not agree with this Agreement, You must not use or authorize any use of the App.

This Data Processing Agreement (the “DPA“), entered into on the Effective Date by the Entity (the “Controller“) and Cleverly, Lda (the “Processor“), a Portuguese “Sociedade por Quotas”, with address at Calçada do Lavra, no. 22, 2.º floor, 1150-209 Lisbon, Portugal, registered with the Lisbon Commercial Registry with the number 515089320, with a share capital of 20,000.00€, governs the processing of Personal Data that Controller uploads or otherwise provides the Processor in connection with its use, and the use of its agents and end-users, of the App.

This DPA is incorporated into the overall agreement comprised by this DPA, the Privacy Policy and the Terms of Service (all together, the “Agreement“).

The Controller and the Processor agree the following:

This Data Processing Agreement (the “DPA“), entered into on the Effective Date by the Entity (the “Controller“) and Cleverly, Lda (the “Processor“), a Portuguese “Sociedade por Quotas”, with address at Calçada do Lavra, no. 22, 2.º floor, 1150-209 Lisbon, Portugal, registered with the Lisbon Commercial Registry with the number 515089320, with a share capital of 20,000.00€, governs the processing of Personal Data that Controller uploads or otherwise provides the Processor in connection with its use, and the use of its agents and end-users, of the App.

This DPA is incorporated into the overall agreement comprised by this DPA, the Privacy Policy and the Terms of Service (all together, the “Agreement“).

The Controller and the Processor agree the following:

1. Definitions

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Customer Data” means what is defined in the Agreement as “Customer Data” or “Your Data”, provided that such data is electronic data and information submitted by or for Controller to the services.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Data Protection Legislation” has the meaning

  • the Regulation EU 2016/679 (General Data Protection Regulation);
  • any other applicable laws, regulations and codes of conduct in any relevant jurisdiction relating to the Processing of Personal Data, as may be amended from time to time.

“Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Legislation and regulations), where for each (i) or (ii), such data is Customer Data.

“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to customer Personal Data.

“Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Personnel” means the employees and/or contractors working for or on behalf of a party.

“Sub-processor” means any Data Processor engaged by the Processor to assist in fulfilling its obligations with respect to providing the services pursuant to the Agreement or this DPA.

“Standard Contractual Clauses” (“SCC”): the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

2. Nature of Data Processing

2.1 The Controller retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Processor.

2.2. Each party agrees to process Personal Data received under the Agreement only for the purposes set forth in the Agreement. For the avoidance of doubt, the categories of Personal Data processed and the categories of data subjects subject to this DPA are described in Annex A to this DPA.

2.3. In respect of the Processing of Personal Data by the Processor under or in connection with the Agreement, the Processor shall:

  • process the Personal Data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by applicable law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  • ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • take all measures required pursuant to Article 32 of the General Data Protection Regulation;
  • take into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the General Data Protection Regulation;
  • assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the General Data Protection Regulation taking into account the nature of processing and the information available to the processor;
  • at the choice of the Controller, delete or return all the personal data to the controller after the end of the provision of services relating to processing, and deletes existing copies unless applicable law requires storage of the personal data;
  • make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this clause and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller;
  • immediately inform the Controller if, in the Processor’s opinion, an instruction infringes Data Protection Legislation.

2.3. The Processor will ensure that all its employees and other agents:

  • are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
  • have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
  • are aware both of the Processor’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.

3. Compliance with the Laws

The parties shall each comply with their respective obligations under all applicable Data Protection Legislation.

4. Sub-processors

4.1. Appointment of Sub-processors. The Controller hereby authorises the Processor to engage Sub-processors in connection with the provision of the services.

4.2. when engaging a Sub-Processor, the Processor shall ensure that any Sub-Processors have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, as well as ensure that any such Sub-Processor is under the same data protection obligations set out in this DPA and in the Data Protection Legislation;

4.3. The Processor remains responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause the Processor to breach any of its obligations under this DPA.

4.4. List of current Sub-Processors and changes to Sub-Processors. The Processor shall (i) provide an up-to-date list of the Sub-Processors it has appointed upon written request from the Controller; and (ii) notify the Controller (for which email shall suffice) if it adds or removes Sub-processors at least 10 days prior to any such changes.

4.5. Objection Right for New Sub-Processors. The Controller may object in writing to the Processor’s appointment of a new Sub-Processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving resolution. If this is not possible, the Controller may suspend or terminate the Agreement (without prejudice to any fees incurred by the Controller prior to suspension or termination).

5. Third Party Data Processors

The Controller acknowledges that in the provision of some services, the Processor, on receipt of instructions from the Controller, may transfer its customer’s Personal Data to and otherwise interact with third party data processors. The Controller agrees that if and to the extent such transfers occur, the Controller is responsible for entering into separate contractual arrangements with such third party data processors binding them to comply with obligations in accordance with Data Protection Legislation. For avoidance of doubt, such third party data processors are not Sub-processors.

6. Security Measures

6.1. Protection of Customer Data. The Processor maintains appropriate organizational and technical security measures (including with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of the Controller’s customer Personal Data while in transit and at rest) to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of the Controller’s customer Personal Data;

6.2. Controls for the protection of Customer Data. The Processor is responsible for the sufficiency of the security, privacy, and confidentiality safeguards of all its personnel with respect to the Controller’s customer Personal Data and is liable for any failure by such the Processor’s personnel to meet the terms of this DPA;

6.3. Customer Data Incident Management and Notification. Cleverly shall notify the Controller of any of its customers’ Personal Data Breach by Cleverly, its Sub-processors, or any other third-parties acting on Cleverly’s behalf without undue delay and in any event within 48 hours of becoming aware of a Personal Data Breach.

7. Data Transfers

7.1 The Controller consents to the appointment by the Processor of subcontractors located outside the European Economic Area (EEA), provided the following provisions are complied with.

7.2 Should the Processor appoint a subcontractor located outside the EEA, the subcontractor may only process, or permit the processing, of Personal Data outside the EEA under the following conditions:

  • the subcontractor is processing Personal Data in a territory which is subject to a current finding by the European Commission under the Data Protection Legislation that the territory provides adequate protection for the privacy rights of individuals; or
  • the subcontractor participates in a valid cross-border transfer mechanism under the Data Protection Legislation, so that the Processor (and, where appropriate, the Controller) can ensure that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the General Data Protection Regulation ((EU) 2016/679); or
  • the transfer otherwise complies with the Data Protection Legislation.

7.3 If any Personal Data transfer between the Controller and the Processor requires execution of SCC in order to comply with the Data Protection Legislation (where the Controller is the entity exporting Personal Data to the Processor outside the EEA), the parties will complete all relevant details in, and execute, an SCC-based agreement and take all other actions required to legitimise the transfer.

8. Return or Deletion of Customer Data

The parties agree that on the termination of the data processing services or upon the Controller’s reasonable request, the Processor shall, and shall cause any Sub-processors to, at the choice of the Controller, return all the Controller’s customers Personal Data and copies of such data to the Controller or securely destroy them and demonstrate to the satisfaction of the Controller that it has taken such measures, unless Data Protection Legislation prevent the Processor from returning or destroying all or part of the Controller’s customers Personal Data disclosed. In such case, the Processor agrees to preserve the confidentiality of the Controller’s customers Personal Data retained by it and that it will only actively process such Controller’s customers Personal Data after such date in order to comply with applicable laws.

9. Cooperation

9.1. The Processor shall provide the Controller with a number of controls that the Controller may use to retrieve, correct, delete or restrict Controller’s customers data, which the Controller may use to assist it in connection with its obligations under the General Data Protection Regulation, including its obligations relating to responding to requests from data subjects or applicable data protection authorities. To the extent that Controller is unable to independently access the relevant Controller’s customers data within the services, the Processor shall (at the Controller’s expense) provide reasonable cooperation to assist Controller to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement. In the event that any such request is made directly to the Processor shall not respond to such communication directly without the Controller’s prior authorization, unless legally compelled to do so. If the Processor is required to respond to such a request, the Processor shall promptly notify the Controller and provide it with a copy of the request unless legally prohibited from doing so.

9.2. If a law enforcement agency sends the Processor a demand for Customer Data (for example, through a subpoena or court order), the Processor shall attempt to redirect the law enforcement agency to request that data directly from the Controller. As part of this effort, the Processor is hereby authorised provide the Controller’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then the Processor shall give the Controller reasonable notice of the demand to allow the Controller to seek a protective order or other appropriate remedy unless the Processor is legally prohibited from doing so.

9.3. To the extent the Processor is required under the Data Protection Legislation, the Processor shall (at Controller’s expense) provide reasonably requested information regarding the services to enable the Controller to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

10. Term

This DPA shall remain in effect as long as the Processor carries out Personal Data processing operations on behalf of the Controller or until the termination of the Agreement (and all Personal Data has been returned or deleted in accordance with Section 8 above).

11. Warranties

The Controller warrants and represents that the Processor’s expected use of the Personal Data for the purposes stated herein and as specifically instructed by the Controller is lawful and will comply with the Data Protection Legislation.

12. Indemnification

The Controller agrees to indemnify, keep indemnified and defend at its own expense the Processor against all costs, claims, damages or expenses incurred by the Processor or for which the Processor may become liable due to any failure by the Controller or its employees, subcontractors or agents to comply with any of its obligations under this Agreement or the Data Protection Legislation.

13. Governing Law, Jurisdiction, and Venue

Notwithstanding anything in the Agreement to the contrary, this DPA shall be governed by the laws of Portugal, and any action or proceeding related to this DPA (including those arising from non-contractual disputes or claims) will be brought in Lisbon, Portugal.

ANNEX A – Description of the Transfer

1. Nature and Purpose of Processing

The Processor will Process Personal Data as necessary to perform the services pursuant to the Agreement, as further specified in the Terms of Service, and as further instructed by Controller in its use of the services.

2. Data Subjects

The Controller may submit Personal Data to the Processor, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of Controller (who are natural persons)
  • Employees or contact persons of the Controller prospects, customers, business partners and vendors or other third parties that have, or may have, a commercial relationship with the Controller (e.g. advertisers, customers, corporate subscribers and contractors).
  • Employees, agents, advisors, freelancers of the Controller (who are natural persons)
  • The Controller’s users authorized by the Controller to use the services
  • Sales and marketing leads of the Controller

3. Purposes of the transfer.

The transfer is intended to enable the Controller to use and take advantage of, as the Controller sees fit, the Processor’s products to support the customer service, self-service, educational, or other business practices of the Controller.

4.Type of Personal Data.

The Personal Data transferred is expected to concern only the following categories of data: first name, last name, title, position, email address, contact information, connection data, localization data, ID data, CRM data concerning sales leads, prospects and customer lists, and any notes provided by the Controller regarding the foregoing.

5. Recipients.

The Personal Data transferred may be disclosed only to the following recipients or categories of recipients: employees and other representatives of the Processor who have a legitimate business purpose for the processing of such Personal Data.

6. Sensitive Data (if appropriate).

The Controller will not transfer any sensitive personal data to the Processor. The Processor does not expect to receive any sensitive personal data and will erase any such personal data received under this DPA.

7. Additional useful information (storage limits and other relevant information).

The Personal Data transferred between the parties may only be retained for the period of time permitted under the Agreement.