Data Processing Agreement

Version 1

Last modified: 23 May 2018

Contents

  • PART I - General Provisions
    • 1. Introduction
    • 2. Definitions
    • 3. Data Controller
    • 4. Data Processor
    • 5. Data Subject
  • PART II – Data Processing with Relation to Web Hosted Services
    • 6. Scope of Data Processing
    • 7. Non-Disclosure Commitment
    • 8. Security Measures
    • 9. Data Deletion
    • 10. Data Incidents
    • 11. End User’s Responsibilities
    • 12. Customer’s Requests
    • 13. Subprocessors
  • PART III – Data Processing Related to Installable Software
    • 14. Technical Support
    • 15. Data Processing
  • PART IV – Closing Provisions
    • 16. Liability
    • 17. Delivery of Notifications

PART I - General Provisions

1. Introduction

  1. In this Data Processing Agreement (“Agreement”) “Clock” means Clock Software Ltd. registered in England, with a registered office at 27 Redcliffe Gardens, London, SW109BH, United Kingdom and with company number 08008667; Klok AD registered in Bulgaria, with a registered office at Ofis 504, Sgrada B8, Biznes Park Varna, 9009 Varna, Bulgaria, with company number 207049288, and any affiliated company of theirs. The main operating company is Klok AD, whose data processing activity is regulated by the legislation of the European Union and Bulgaria.
  2. Clock develops and owns various software products, including: (i) software hosted and operated on hardware under its control and various software services provided to Clock’s customers via the Internet (“Web Hosted Services”); and (ii) various software products deliverable to Clock’s customers and hosted and operated on hardware under the control of Clock’s customers (“Installable Software”). In particular, Clock has developed its hotel reservation system and is using it to provide services to the hospitality industry (hotels, other accommodation premises, restaurants, etc.) as well as to payment processing companies and other business entities. In Clock’s General Terms and further in this Agreement Clock’s customers are named “End Users”.
  3. Clock is and has always been committed to keeping confidential and to protecting the security of any information about End Users and the End Users’ Customers. Clock is especially focused on protecting the Personal Data of the individuals who contact Clock or End Users via the Services (as defined below). To that end Clock has developed its privacy policy and is doing its best to maintain and update the said policy in accordance with the applicable legislation and the leading practices in the software industry.
  4. Clock provides the Services to End User under the terms of an agreement made either by signing a particular agreement, or by accepting Clock’s General Terms (as defined below) or using the Services by End User (“Main Agreement”). Such Main Agreement, if related to Web Hosted Services, is also named “Subscription” in the General Terms. By entering into Main Agreement End User accepts this Agreement and vice versa. By using the Services or by browsing Clock’s Websites End User accepts this Agreement.

2. Definitions

In this Agreement:

  1. “Personal Data”, “Processing”, “Controller”, “Processor”, “Data Subject” and any other terms defined in Article 4 of the Regulation (EU) 2016/679 have the same meaning as in the said Regulation.
  2. “End User”, “Services”, “Software” and any terms defined in the General Terms have the same meaning as in the General Terms.
  3. “Customer” means any individual who is either End User’s customer or employee or subcontractor or other servants or other person who collaborates and communicates with End User and transmits data via the Services.
  4. “Subprocessor” means any third party authorised by Clock to have logical access to and process Customer Personal Data in order to provide parts of the Web Hosted Services or technical support to Clock.
  5. “Technical Support” means any and all services, delivered by Clock or its subcontractors, either personally or electronically, on-site or remotely, to End User in order to ensure and assist the functionality of the Installable Software. The said services may include, but are not limited to training, maintenance, remedy of malfunctions, training videos, product or feature setup or activation, online issue resolution, ongoing support, product articles, inline assistance resources, knowledge database records.
  6. “General Terms” means Clock’s General Terms and Conditions for End-Users of Clock – Labelled Software available at the Website.
  7. “Website” is Clock’s web site at the address www.clock-software.com.

3. Data Controller

3.1 Controller is the respective End User - business entity which uses Web Hosted Services and/or Installable Software for carrying out its commercial activities (for hotel reservations, payment processing etc.) on the ground of Main Agreement.

3.2 Any and all Customer Personal Data shall be processed via the Web Hosted Services and/or the Installable Software for the sole purpose of End User’s business. End User sets all terms and conditions for processing Customer Personal Data (particular categories of data, purpose of processing, duration of storage etc.).

3.3 All Customer Personal Data processed via Services shall be property of End User.

4. Data Processor

4.1 Clock is a Processor for and on behalf of End User who utilizes Web Hosted Services.

4.2 End User who utilizes only Installable Software processes Personal Data on its own.

4.3 Clock shall process Customer Personal Data submitted, stored, sent or received by End User via the Services solely for provision of the Web Hosted Services and/or the Technical Support to End User in accordance with the Main Agreement.

5. Data Subject

Customer is a Data Subject.

PART II – Data Processing with Relation to Web Hosted Services

6. Scope of Data Processing

6.1 Categories of Data

Customer Personal Data submitted, stored, sent or received by End User or Customer via the Web Hosted Services may include the following categories of data: names, ID number, address, age, email, telephone, documents, credit card details, presentations, images, calendar entries, tasks and other data.

6.2 Duration of the Processing

Clock shall process Customer Personal Data for the entire duration of the Main Agreement plus the subsequent period of 12 months, unless otherwise agreed between Clock and End User or required by the applicable legislation. This Agreement shall remain valid until the deletion of all Customer Personal Data.

7. Non-Disclosure Commitment

7.1 Clock, without End-User’s prior explicit approval in writing, shall not:

  1. disclose a copy of Customer Personal Data to any third party;
  2. use Customer Personal Data for any purposes different from providing Services to End User;

unless such disclosure or use is required by a competent authority in accordance with the applicable legislation.

7.2 Without prejudice to the above Clause 7.1 Clock shall be entitled to disclose Customer Personal Data to Subprocessors, consultants and other service providers. The disclosed Customer Personal Data shall be subject to the respective recipients’ data protection policies.

8. Security Measures

Clock shall implement and maintain security measures to protect Customer Personal Data against unauthorized disclosure or access and against accidental or unlawful destruction, loss or alteration. Clock will continuously monitor the functionality and the adequacy of the security measures and may from time to time modify and update the security measures.

8.1 Data centres

8.1.1 Clock maintains all Customer Personal Data and processing on servers hosted at data centres of Amazon Web Services (AWS). AWS demonstrates compliance with rigorous international standards, such as ISO 27001 for technical measures, ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1, and EU-specific certifications such as BSI’s Common Cloud Computing Controls Catalogue (C5). AWS continues to pursue such certifications. AWS’s Terms of Use, Privacy Policy and AWS Customer Agreement are available at AWS’s web site: https://aws.amazon.com/.

8.1.2 All Customer Personal Data based in the European Union are processed and stored on servers in the European Union or in other countries which maintain high standards of data protection.

8.1.3 For the purpose of this Agreement the servers used by Clock shall be referred to as Clock’s servers.

8.1.4 Clock monitors Clock’s servers to ensure that there is no unauthorised access to any data stored thereon. Clock implements various methods and technologies for prevention and detection of any intrusion or intrusion attempt to the servers and data.

8.2 Clock’s staff control

8.2.1 Clock has implemented and maintains a data security policy for its staff and provides security training as part of the training package for its staff. Clock’s employees and partners are required to conduct themselves in a manner consistent with Clock’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.

8.2.2 Only authorised staff will have access to Customer Personal Data only in relation with the execution of their direct duties on operating and supporting the Services. Each member of the staff has signed special data security addenda to their agreements and undergoes periodic instructions and trainings about data security. Clock’s staff will not process Personal Data without authorization.

8.2.3 Clock’s security staff is responsible for the ongoing monitoring of Clock’s security infrastructure, the review of the Software and Services, and responding to security incidents.

8.3 On-site control

Clock controls and restricts access to its premises, hardware and documentation. Clock’s premises require electronic code key access and are monitored by CCTV cameras. Only authorized employees and contractors have access to these premises. Entrants are required to identify themselves.

8.4 Encryption

8.4.1 All data records in the databases are protected with credentials and all data transmission between End User’s and Customer’s hardware and Clock’s servers is encrypted, so that it is only readable through the graphical user interface (“GUI”) or the application programming interface (“API”) and only after a successful submission of valid credentials, e.g. username, password, PIN, multi-factor authentication, API secret key, etc. Open public features may not require customers to submit credentials in order to visualise data intended for public visualisation.

8.4.2 Clock applies data encryption that meets the highest requirements for encryption and encrypting keys. The new class of encryption complies with the strict and practice-oriented requirements of Payment Card Industry Data Security Standards (PCI DSS).

8.5 Credit card data security

Credit card data storage and retention is subject to specific regulations such as PCI DSS and to End User’s agreement with the respective payment processor or acquirer. End User shall collect, process, access and destroy credit card data according to all applicable standards, agreements, guidelines and regulations. End User shall follow Clock’s PCI DSS guidance (available at the Website) and meet its obligations stipulated there.

8.6 End User control

Clock shall assist the End User in ensuring compliance with the End User’s obligations as to Personal Data protection. In order to assist End User, Clock shall implement and maintain application features which shall include, but shall not be limited to, those listed below.

8.6.1 Levels of access

Clock has redesigned the Software to enable End User to precisely determine the level of access of its employees to Customer Personal Data. For example, the staff having the lowest level of access shall be able to work with anonymized (masked) Customer Personal Data only. Generally the levels of access shall be:

  1. Prohibited access. Employees will only see [********] instead of Personal Data.
  2. Basic access. Employees will partially see Customer’s details in order to process Customer’s booking of End User’s services (hotel booking, card payment etc.) but will not be able to identify the Customer.
  3. Operational access. Employees will be able to view full Personal Data of each Customer on the booking, profile and other screens.
  4. Full access. Employees will be able to view, export and copy full Personal Data of each Customer.

8.6.2 Access Control

End User and End User’s administrators are required to authenticate themselves via an authentication system in order to use the Services. Software checks credentials in order to allow the display of data to an authorized End User or authorized End User’s administrator.

8.6.3 Anonymisation

The visible information of each Customer on the screens and in the reports is partially masked or restricted to the minimum. Customer Personal Data are hidden in the manner below and are accessible in full only to users with additional access rights:

  • Name: a first name initial and surname [J Smith].
  • Email: the first 4 letters of the email address [jsmi********].
  • Telephone: the last 4 digits of the telephone number [********1234].
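An added example (not Clock’s own code) of how the access levels in Clause 8.6.1 and the masking formats in Clause 8.6.3 fit together: a record is rendered differently depending on the viewer’s level, and the export right is a separate check. The enum, field names and sample record are assumptions for illustration.

```python
# Added example (not Clock's code): display masking by access level, following
# the formats in Clauses 8.6.1 and 8.6.3. Field names and the enum are assumed.
from dataclasses import dataclass
from enum import IntEnum

MASK = "********"  # placeholder the agreement shows for hidden data


class AccessLevel(IntEnum):
    PROHIBITED = 0   # sees [********] only
    BASIC = 1        # partially masked details, Customer not identifiable
    OPERATIONAL = 2  # full details on screen
    FULL = 3         # full details plus export/copy


@dataclass(frozen=True)
class CustomerProfile:
    first_name: str
    surname: str
    email: str
    telephone: str


def mask_name(first_name: str, surname: str) -> str:
    """'John Smith' -> 'J Smith': first-name initial and surname."""
    initial = first_name.strip()[:1].upper()
    return f"{initial} {surname.strip()}".strip()


def mask_email(email: str) -> str:
    """'jsmith@example.com' -> 'jsmi********': first 4 characters kept."""
    return email[:4] + MASK


def mask_telephone(telephone: str) -> str:
    """'+44 20 7946 1234' -> '********1234': last 4 digits kept.
    Formatting characters are dropped first so the suffix is always digits."""
    digits = "".join(ch for ch in telephone if ch.isdigit())
    return MASK + digits[-4:]


def render_profile(profile: CustomerProfile, level: AccessLevel) -> dict:
    """Fields as they should appear on screen for the given access level."""
    if level == AccessLevel.PROHIBITED:
        return {k: f"[{MASK}]" for k in ("name", "email", "telephone")}
    if level == AccessLevel.BASIC:
        return {
            "name": mask_name(profile.first_name, profile.surname),
            "email": mask_email(profile.email),
            "telephone": mask_telephone(profile.telephone),
        }
    # OPERATIONAL and FULL both see the full record; export is gated separately.
    return {
        "name": f"{profile.first_name} {profile.surname}",
        "email": profile.email,
        "telephone": profile.telephone,
    }


def may_export(level: AccessLevel) -> bool:
    """Only Full access may view, export and copy (Clause 8.6.1, item 4)."""
    return level == AccessLevel.FULL
```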

8.6.4 Consent to marketing emails or giving information to third parties

In the creation of a booking, a field and related consent text will be displayed in the WRS customer self-service portal, customer profiles and any other point where personal data is collected for the first time in relation with the particular booking to ask for the Customers' permission to send them marketing emails and/or provide their data to third parties. In the Guest Mailer, Clock has also added an option to filter Customers who have not agreed to receive marketing emails.

9. Data Deletion

9.1 Unless otherwise explicitly agreed in writing between Clock and End User, Clock shall delete all Customer Personal Data from its systems not later than 3 months after expiry of the Main Agreement.

9.2 Clock shall enable End User to delete Customer Personal Data prior to expiry of the Main Agreement. End User shall be able to search for and erase Customer Personal Data from bookings and profiles without deleting the bookings. Furthermore End User shall have the option to forbid automatic deletion for certain profiles (e.g. participants in End User’s client loyalty programmes).

9.3 Upon End User’s explicit request in writing Clock shall delete Customer Personal Data from Clock’s systems prior to expiry of the Main Agreement, not later than 3 months after receipt of the request.

9.4 Without prejudice to the above Clauses Clock may store Customers’ Personal Data if such a storage is required by the applicable legislation.

10. Data Incidents

10.1 If Clock becomes aware of a data incident, Clock shall notify End User promptly and without undue delay, and shall promptly take reasonable steps to minimize harm and secure Customer Personal Data.

10.2 End User shall be solely responsible for complying with applicable incident notification legislation and fulfilling its notification obligations related to data incidents (incl. notification of the persons concerned by the data incident).

10.3 Clock’s notification of or response to a data incident shall not be construed as an acknowledgement of any fault or liability with respect to the data incident.

11. End User’s Responsibilities

11.1 Clock’s commitments under this Agreement shall not release End User from its obligations as Controller. End User undertakes to develop, implement, control and update its internal data protection and privacy policies.

11.2 End User undertakes to comply with any requirements of the applicable legislation as well as to follow Clock’s instructions related to data protection. End User shall continuously take all reasonable security actions, such as but not limited to implementing virus protection software, network security policies or periodic update of passwords, to improve the general system security of its hardware and networks that are directly related to data protection.

11.3 End User is solely responsible for its use of the Services, including:

  1. setting the character of Customer Personal Data to be processed;
  2. making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Personal Data;
  3. securing the account authentication credentials, systems and devices End User uses to access the Services;
  4. backing up its Customer Personal Data;
  5. securing Customer Personal Data that End User elects to transfer or store outside of Clock’s systems; and
  6. evaluating for itself whether the Web Hosted Services, including Clock’s security measures and controls, meet End User’s needs and obligations as a Controller.

11.4 Clock has no obligation to protect Customer Personal Data that End User elects to store or transfer outside of Clock’s systems (for example, offline or on-premise storage).

11.5 End User accepts and agrees that Clock provides a level of security appropriate to the risk in respect of the Customer Personal Data and meets all requirements of the data protection legislation of the country where End User’s business is based. If the said legislation requires from Clock any registration, permission or licensing, End User shall promptly notify Clock and Clock shall be entitled to terminate the Main Agreement at its sole discretion without any liability for Clock. If it fails to so notify, End User shall indemnify Clock against any penalties imposed or damages incurred in relation with any non-conformity with the said legislation.

11.6 End User accepts and agrees that despite Clock’s reasonable efforts data incidents are possible (for example, as a result of technical malfunction, programming error, or hacker attack, etc.). End User shall make all reasonable efforts to protect itself against the consequences of such data incidents, which measures shall include but shall not be limited to:

  1. downloading periodically the report exports, available in the Software;
  2. taking appropriate measures to minimise the impact of data incident to Customers and any third parties.

12. Customer’s Requests

If Clock receives any request from a Customer in relation to Customer Personal Data, Clock will advise the Customer to submit his/her request to End User. End User shall be solely responsible for responding to any such request including, where necessary, by using the Services. As far as it is possible and practical Clock will assist End User in fulfilling any obligation to respond to Customer’s requests.

13. Subprocessors

13.1 End User specifically authorizes Clock to engage any Subprocessors. Clock shall make information about Subprocessors, including their functions and locations, available at its Website.

13.2 Clock will ensure that any Subprocessor has access to and uses Customer Personal Data only to the extent required to perform the obligations subcontracted to it.

13.3 If End User disagrees with the appointment of a Subprocessor, End User may terminate the Main Agreement by 3 months’ notice in writing, with no liability for Clock.

PART III – Data Processing Related to Installable Software

14. Technical Support

14.1 The Technical Support provided by Clock to End User normally does not require and therefore shall not include processing of Personal Data.

14.2 Clock shall not commence any action of Technical Support without a request from End User.

14.3 If in the due course of any action of Technical Support any Personal Data becomes visible to Clock, such Personal Data shall not be recorded, copied, stored, modified, deleted, transmitted or in any other manner processed by Clock.

14.4 Only Clock’s authorised staff will be involved in the Technical Support. Each member of the staff has signed special data security addenda to their agreements and undergoes periodic instructions and trainings about data security. Clock’s staff will not process Personal Data without authorization.

15. Data Processing

Without prejudice to Clause 15, if End User elects to transmit to Clock, or to provide Clock with temporary access to, End User’s database, file or device containing Personal Data, via any form of online connection or online support tools, or by any other means discloses Personal Data to Clock, Clock shall become a Data Processor for the time it has access to or stores such Personal Data on Clock’s technical devices, and Part II of this Agreement shall automatically apply.

PART IV – Closing Provisions

16. Liability

Liability clauses of the Main Agreement shall apply to Clock’s liability under this Agreement.

17. Delivery of Notifications

Notifications under this Agreement shall be delivered to the announced postal address or notification email address of the recipient party. The recipient party is solely responsible for ensuring that its notification address/email address is current and valid.