Data Processing Agreement

In case of concerns related to data protection or sharing, contact us anytime via an email to [email protected] or [email protected].

Last updated on March 25, 2024

This Data Processing Agreement, including its Exhibits and Appendices (“DPA”) forms an addendum to the Subscription Agreement or Terms of Use between KrispCall and Customer for the purchase of Services, including any applicable number purchase, member add, Purchase Orders, exhibits and/or schedules (the “Agreement”).

In the course of providing the Services to Customer pursuant to the Agreement, KrispCall may process Personal Data on behalf of Customer. This DPA reflects the parties’ agreement with regard to the processing of Personal Data.

The parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. The DPA regulates the collection, use, transfer, and sharing of personal data with the vital purpose of protecting it. KrispCall is dedicated to complying with the European General Data Protection Regulation (GDPR) by accessing, identifying, governing, protecting, and auditing the user data.

1. Data Protection Laws

1.1 Compliance with Data Protection Laws:

The Customer affirms that this Data Processing Agreement (DPA) adheres, to the best of its knowledge, to all relevant Data Protection Laws and includes all required provisions. Given the nature of the services, the Customer acknowledges that the processing of Personal Data under this DPA might be subject to various Data Protection Laws, even those not explicitly mentioned here. This depends on how extensively the Customer uses the services in different regions. The Customer is responsible for promptly informing KrispCall of any inconsistencies between this DPA and the requirements of Data Protection Laws.

1.2 EEA data protection

Both parties recognize that the General Data Protection Regulation (GDPR) applies to the processing of Personal Data, provided that the conditions outlined in Article 3 of the GDPR are met. Additionally, they acknowledge that the Federal Act on Data Protection (FADP) applies to the processing of Personal Data, provided that the conditions set forth in the FADP are satisfied.

Roles and Responsibilities. The parties recognize their roles and responsibilities under the GDPR and other laws. To the extent Customer acts as a data processor, Customer will:

(a) Ensure KrispCall assumes the same obligations as between the Customer and its data controller

(b) Ensure its instructions align with agreements between Customer and its data controller

(c) Assume the rights and duties of a data controller under this DPA

(d) Remain liable to its data controller if KrispCall breaches obligations

1.3 HIPAA Compliance

The Health Insurance Portability and Accountability Act (HIPAA) and its implementing regulations restrict KrispCall’s abilities to use and disclose protected health information.

As per the requirement of HIPAA standards, the Covered Entities must:

  • Ensure the confidentiality, integrity, and availability of all electronic personal health information (ePHI) that the Covered Entity creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threat or danger to the security or integrity of this information.
  • Protect against any reasonably anticipated use or disclosure of this information that is not permitted or required by privacy regulations.

KrispCall is HIPAA compliant and follows all the practices to meet HIPAA criteria, which include:

Authentication: Each agent is assigned a specific role so that they are required to use their own unique account to access the services of KrispCall.

Encryption: Transport Layer Security (TLS), virtual private networks (VPN), and other encryption technologies are used to protect data.

1.4 Australian Data Laws:

Both parties acknowledge that Australian Data Protection Laws apply to any Personal Data collected from or held within Australia.

1.5 U.S. Federal Trade Commission enforcement

Both parties acknowledge that the U.S. Federal Trade Commission (FTC) enforcement may apply to consumer privacy, data protection, and fair business practices collected from or held within the USA. KrispCall and the Customer collectively commit to complying with FTC regulations, guidelines, and enforcement actions pertaining to the following areas:

  • Adhere to FTC regulations concerning consumer data privacy and security. This involves safeguarding personal information, responding promptly to breaches, and ensuring transparency in data practices.
  • Comply with the Children’s Online Privacy Protection Act (COPPA) when applicable, especially if their services involve collecting data from children under 13 years old. Measures will be taken to protect children’s privacy rights.
  • Commit to accurate representation and adherence to the EU-U.S. Privacy Shield Framework, as enforced by the FTC.
  • Respect the National Do Not Call Registry, refraining from contacting individuals who have opted out of telemarketing calls.

2. Data Processing

Customer and KrispCall agree that Customer may act as either a controller or processor regarding the processing of Customer Data, while KrispCall acts as a processor. KrispCall will process Customer Data only on instructions from the Customer.

2.1 Customer’s Processing of Personal Data:

The Customer determines the purposes and means for processing Personal Data under this DPA. The Customer shall provide instructions for KrispCall to process Personal Data only as necessary for providing the Services. Customer’s instructions must comply with applicable data protection laws. The Agreement and Customer’s use and configuration of the Services constitute Customer’s complete instructions. Any additional instructions require KrispCall’s prior written agreement.

2.2 Processing of Personal Data:

For Customer Data, the parties acknowledge Customer is a controller and KrispCall acts as an independent controller, not a joint controller with Customer in compliance with Applicable Data Protection Laws. As a controller, KrispCall may process Customer Data for purposes such as:

(a) Managing the customer relationship

(b) Security monitoring, fraud prevention, and misuse investigation

(c) Identity verification

(d) Complying with legal obligations for data retention

(e) Other processing permitted under applicable data protection law

Such processing will comply with this DPA, the Agreement, and KrispCall’s Privacy Policy.

2.3 Purpose Limitation:

KrispCall (“Processor”) agrees to process data on behalf of the Customer (“Controller”) for the purpose of providing communication services as described in Section A of this Agreement.

2.4 Customer’s Liability:

Customer has sole responsibility for the accuracy, quality, and legality of Personal Data it provides to KrispCall. Where European or Australian data protection laws apply, Customer is responsible for:

  • Notifying data subjects about processing under this DPA, including notice of KrispCall’s Privacy Policy.
  • Complying with its obligations as data controller
  • Obtaining consent if required
  • Ensuring it and KrispCall are authorized to process the data per this DPA

2.5 Customer Instructions:

The Customer instructed KrispCall to process and handle Customer Data for the provision of services. KrispCall will carry out this processing in compliance with the Customer’s instructions, as outlined in Section A of this Agreement. Any additional instructions necessary for providing the Services to the Customer need a separate written agreement. This encompasses tasks like investigating security incidents and implementing measures to prevent spam, fraudulent activities, and breaches of the KrispCall Terms and Conditions.

2.6 Confidentiality

In accordance with applicable data protection laws, KrispCall warrants and agrees to:

(a) Maintain confidentiality commitments from personnel authorized to process Personal Data and grant access only on a need-to-know basis.

(b) Notify Customer if any instruction infringes applicable laws

(c) Implement appropriate technical and organizational measures to ensure data security and confidentiality as described in this DPA

(d) Provide reasonable assistance to Customers related to security, breach notification, impact assessments, and consulting with regulators, considering the nature of processing and information available.

(e) Disclose information necessary to demonstrate KrispCall’s compliance with its obligations under this DPA and applicable laws.

3. Data Subject Rights

KrispCall, upon the customer’s request, will promptly offer reasonable assistance. This assistance aims to help the customer meet their data protection obligations related to data subject rights as defined by Applicable Data Protection Laws. The Customer agrees to collaborate closely with KrispCall, offering the necessary support and pertinent information to effectively address Data Subject requests. You have the following rights with respect to your Personal information:

3.1 Right to Know

You have the right to know and see what data we have collected about you, including:

  • Categories of personal information that we have collected related to you.
  • Categories of sources from which personal information is collected.
  • Commercial or business purpose of collecting your personal information.
  • Categories of third parties to whom we have shared your personal information.
  • Personal information that we have collected about you.

3.2 Right to Access

You have the right to obtain a copy of your personal information, along with the explanation, purpose, and details of the collected data. You can obtain information on:

  • Categories of personal information that we have collected related to you.
  • Categories of sources from which personal information is collected.
  • Commercial or business purpose of collecting your personal information.
  • Categories of third parties to whom we have shared your personal information.

3.3 Right to Correct

You have the right to correct or update your personal information stored by us.

3.4 Right to Report

You are entitled to report complaints to the supervisory authority if you believe your privacy is being violated.

3.5 Right to Delete

You are entitled to suspend the processing of your personal data if the data processing is unlawful or the accuracy of your data is contested. For instance, you can delete call recordings, SMS/Call logs by connecting to our API, which will be removed entirely from our databases.

After 15 days post-termination, KrispCall will delete all Customer data processed solely on behalf of and for Customer, unless applicable law requires retention. Customer consents to such deletion after the 15-day export period and understands exported data will be Customer’s sole record of their data after that point.

Any of Customer’s data that KrispCall holds or processes as an independent data controller will be retained and deleted in accordance with KrispCall’s Privacy Policy.

3.6 Regulatory Actions

If KrispCall receives any claims, complaints, requests, or other regulatory actions relating to Personal Data processed under this DPA, then to the extent required by applicable law, KrispCall will:

(a) Send a notification to Customer via email to the designated contact address, providing reasonable details to allow Customer to respond appropriately;

(b) Deliver reasonable assistance and cooperation to Customer in relation to the Regulatory Action;

(c) Refrain from responding to the Regulatory Action unless required by law or authorized in writing by Customer, in which case Customer will provide reasonable cooperation and assistance to KrispCall.

4. Sub-Processors

Customer acknowledges that KrispCall may involve subprocessors to facilitate its services. A comprehensive list of the Sub Processors currently employed by KrispCall can be found here. By accepting this Data Processing Agreement (DPA), the Customer grants KrispCall the authority to engage the Sub Processors listed on the provided webpage.

4.1 Authorization:

By accepting this Data Processing Agreement (DPA), Customer additionally grants KrispCall the authority to involve other sub-processors (add or replace) in the list. KrispCall will promptly inform the Customer of any modifications related to changes in sub-processors.

4.2 Objection Right

Customers have the right to raise objections to KrispCall’s selection or replacement of a sub-processor, provided such objections are made in writing and are based on valid data protection concerns. In such a situation, the Customer and KrispCall will engage in good-faith discussions to explore reasonable alternative solutions. If no resolution is reached within 15 days from the date of the Customer’s written objection, the Customer may discontinue the use of the affected KrispCall services by providing written notice to KrispCall. Such discontinuation will not affect any fees incurred by the Customer before the discontinuation of the affected services. If no objections are raised prior to KrispCall replacing or appointing a new sub-processor, the Customer will be considered to have authorized the new sub-processor.

5. International Data Transfer Policies

5.1 Data Processing Location:

KrispCall hereby assures that the processing of Personal Data under this Data Processing Agreement (DPA) will occur solely within KrispCall’s country of operation and in locations specified in the list of KrispCall’s Sub Processors in this DPA.

The location and transfer of data may include countries outside the EEA, UK, and Switzerland where data protection laws might differ. KrispCall acknowledges that certain locations referred to as “Locations Subject to Appropriate Safeguards” may not provide the same level of data protection as required by European Data Protection Laws. In such cases, KrispCall commits to implementing necessary measures to ensure compliance with European Data Protection Laws before transferring Personal Data. This includes adopting safeguards to protect data during international transfer.

5.2 EU Standard Contractual Clauses

When KrispCall processes personal data transferred from a customer subject to EU GDPR or Swiss FADP, the EU Standard Contractual Clauses for Data Transfers to Third Countries are applied to ensure data protection compliance, even if KrispCall operates in a differen