1. OVERVIEW
1.1 The Client and the Contractor have entered into a contract (the "Contract"), either physically or electronically, under which the Contractor undertakes to provide the services specified in the Contract, which were agreed between the Client and the Contractor. The Contract also includes terms and conditions that govern specific rights and obligations between the Client and the Contractor ("Conditions"). The Supplier provides services related to the personalized AI Kanbu Chatbot, the main functionalities of which are AI information retrieval from source data (i.e. files), providing answers in the form of a chatbot, and other features specified in the Contract ("Kanbu").
1.2 Scope of services. On the basis of the Agreement, services of implementation, modification, personalization, testing and optimization of Kanbu will be provided, including subsequent technical support agreed on the basis of the Service Level Agreements, which form an annex to the Terms ("SLAs") (all services under the Agreement and SLA will be hereinafter referred to as the "Services"). The specific scope of the Services provided results from the concluded Agreement and SLA, or from other partial orders or instructions from the Client.
1.3 Relationship to legislation. With regard to the fact that the Contractor may process personal data for the Client on the basis of the provision of Services, the Contractor acts as a personal data processor vis-à-vis the Client. An integral part of the Agreement are these terms and conditions of personal data processing within the meaning of Article 28 para. 3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC ("GDPR"), and within the meaning of Act No. 110/2019 Coll., on the processing of personal data.
1.4 Authorization for processing. The Client hereby authorizes the Contractor to process the personal data of data subjects provided by the Client within the provision of Services. The Contractor is obliged to process personal data for the Client on the basis of its documented written instructions and to the extent necessary for the proper performance of the Contractor's obligations arising from the Contract.
1.5 Range. The processing of personal data in the provision of Services will take place to the extent determined by the Client, in accordance with the instructions given by the Client, or from the obligations arising from the Contract, the Terms and the SLA.
1.6 Client's Responsibility. The Client is responsible for fulfilling all obligations in relation to the processing of personal data, in particular for properly informing data subjects about the processing of personal data, obtaining consent to the processing of personal data, if necessary, handling requests from data subjects concerning the exercise of their rights (such as the right to information, access, rectification, erasure, restriction of processing, objection, etc.). The Contractor will assist the Client in fulfilling these obligations, within the scope of these terms and conditions of processing ("Conditions of Processing"). These Terms of Processing form an integral part of the Contract and govern the rules for the processing of personal data by the Contractor within the meaning of Article 28 of the GDPR.
2. SUBJECT OF PROCESSING, CATEGORIES OF DATA SUBJECTS AND TYPE OF PERSONAL DATA
2.1 Subject of processing and type of personal data. The subject of the processing is in particular the following personal data:
a) user data within the Kanbu interface,
b) identification data,
c) contact details,
d) records of communication during the provision of Services,
e) payment information,
f) information related to the provision of Kanbu, including recordings of chatbot communication, logs and other technical information,
g) information obtained in the course of providing technical support, operating Kanbu and other Services according to SLA (reported incidents, contents of these incidents),
h) data of the Client's data subjects or data subjects of the Client's customers, which will be stored in any interface provided during the provision of Services, will be handed over by the Client to the Contractor and which will be processed during the provision of Services under the Agreement or SLA.
2.2 Categories of data subjects. The data subjects are:
a) employees and other employees of the Client,
b) persons performing activities on the basis of cooperation agreements or similar agreements for the Client,
c) other users who use Kanbu,
d) persons to whom Services are provided and who are authorized by the Client to communicate with the Contractor;
e) customers of the Client and website visitors;
f) other persons about whom the Client will provide the Contractor with personal data, or who will be transferred or otherwise transferred during the provision of Services in accordance with the performance of the Agreement or SLA.
3. NATURE AND PURPOSE OF PROCESSING
3.1 Nature of processing. The Contractor will process personal data electronically and automatically, while the processing of personal data will consist of storing and backing up personal data on Google Cloud Platform, viewing personal data as part of ensuring analytical and implementation activities and tailor-made Kanbu adjustments, addressing the Client's requirements when providing Services according to the SLA, linking personal data when learning Kanbu for the purposes of using Kanbu by the Client.
3.2 Automated decision-making. The Client declares that it will not use Kanbu for automated decision-making, including profiling of data subjects. In the event that this occurs on the part of the Client, the Client undertakes to inform the data subjects of this fact, and is obliged to independently ensure the fulfilment of all rights under the GDPR.
3.3 Purpose of processing. The purpose of processing is defined by the purpose of performing the Agreement and the SLA, i.e. ensuring the provision of Services and technical support.
4. PROCESSING TIME
4.1 Processing time. The processing of personal data will take place for the duration of the Contract, or for the period necessary for the provision of the Services. The Contractor undertakes to fulfil the Contractor's obligations regarding the protection of personal data throughout the term of the Contract, unless it follows from the Terms of Processing that they are to continue even after the termination of its effectiveness.
5. OTHER OBLIGATIONS OF THE SUPPLIER
5.1 Summary of duties. When processing personal data, the Supplier is obliged to:
a) to process personal data exclusively on the basis of the Client's documented instructions; for the avoidance of doubt, the processing of personal data in accordance with the Contractor's obligations agreed under the Agreement, the Terms and the SLA shall be deemed to be carried out in accordance with the Client's instructions; instructions for the processing of personal data are also considered to be instructions made through tools designed to handle the Client's requests, any interface provided during the provision of Services or other communication channels used by the Client and the Contractor in the provision of Services;
b) to follow the Client's instructions regarding the transfer of personal data to a third country or an international organization, unless such processing is already imposed by the law of the European Union or a member state to which the Contractor is subject; in such a case, the Contractor shall inform the Client of this legal requirement prior to processing, unless such legal regulations prohibit such information for important reasons of public interest;
c) ensure that persons authorised to process personal data have undertaken a confidentiality undertaking or are subject to a legal obligation of confidentiality;
d) taking into account the nature of the processing, to assist the Client by means of appropriate technical and organizational measures, if possible, to meet the Client's obligation to respond to requests for the exercise of the rights of data subjects;
e) in ensuring compliance with the Client's obligations to assist the Client (i) to ensure the level of security of processing, (ii) to report personal data breaches to the Office for Personal Data Protection and, where applicable, to data subjects, (iii) to assess the impact on personal data protection and (iv) to carry out prior consultations with the Office for Personal Data Protection, taking into account the nature of the processing and personal data, available to the Supplier;
f) in accordance with the Client's decision, to either delete all personal data or return it to the Client after the provision of performance under the Agreement has been terminated, and to delete existing copies, unless the law of the European Union or a Member State requires the storage of the personal data; the Client confirms that it has been informed that the Contractor will use anonymous data obtained from the provided Services for the purpose of improving the Services;
g) to enable the Client or a person authorized by the Client to check (including audit or inspection) compliance with these Terms of Processing, in particular the obligations for the processing of personal data arising therefrom, and to contribute to these inspections according to the reasonable instructions of the Client or the inspecting person; the specific rules for audits are set out in Art. 5.2 and 5.3 of these Terms of Use.
5.2 Audits. The Client is obliged to send any request for an audit exclusively to the Supplier's e-mail address kanbu@utima.cz. Upon receipt of the audit request, the Contractor and the Client will agree in advance on: (a) the possible date of the audit, security measures and the method of ensuring compliance with confidentiality obligations during the audit, and (b) the expected start, scope and duration of the audit. In the event that an agreement is not reached within 30 days from the date of sending the request, the Contractor will determine the conditions of the audit.
5.3 Objections to the auditor. The Contractor may raise written objections against any auditor who has been appointed by the Client if, in the opinion of the Contractor, the auditor is not sufficiently qualified, is not independent, is in a competitive position vis-à-vis the Contractor or is otherwise manifestly unsuitable. Based on the objection raised, the Client is obliged to appoint another auditor or to perform the audit itself.
5.4 Requests from entities. In the event of receipt of any request of a third party concerning the processing of personal data, in particular a request of the data subject or the Client's customer, concerning the exercise of its rights, the Contractor undertakes to inform the Client immediately, but no later than within 5 days of receipt, of such fact and to provide the Client with the necessary cooperation for its settlement in accordance with the GDPR. This is without prejudice to the provisions of Article 3.2 of these Terms of Processing.
5.5 Involvement of other processors. The Client grants general consent to the involvement of other processors in the processing of personal data by the Contractor. The Customer hereby agrees that the Supplier will engage the sub-processors listed on the Supplier's website at: http://kanbu.ai/#technologies. Prior to the involvement of another processor, the Supplier shall inform the Client in writing (in the form specified by the Supplier or by updating the list of involved processors pursuant to the previous sentence) of this involvement, and the Client may object to the involvement of another processor within 10 days. If the Client does not respond within the deadline, the Contractor will engage this additional processor. If the Client raises an objection, the Contractor will assess it and, if it finds it justified, it will not involve another processor. In such a case, however, the Contractor is entitled to terminate the provision of Services to the extent linked to another processor, while the Client is not entitled to compensation for damage or a discount from the provided Services.
5.6 Commitment to other processors. If the Contractor engages another processor in the processing of personal data, it must contractually bind this other processor to comply with the same obligations for the protection of personal data as agreed between the Client and the Contractor in these Terms of Processing, in particular to implement appropriate technical and organizational measures.
6. PERSONAL DATA SECURITY AND FINAL PROVISIONS
6.1 Generally about safety measures. The Contractor has adopted and maintains such technical and organizational measures to prevent unauthorized or accidental access to personal data, their change, destruction or loss, unauthorized transfers, other unauthorized processing, as well as other misuse of personal data.
6.2 Specific security measures. In particular, the Contractor has taken and maintains the following measures to ensure an adequate level of security:
a) pseudonymization and encryption of personal data when storing personal data;
b) the ability to ensure the continued confidentiality, integrity, availability and resilience of processing systems and services – the measures put in place and their correct functioning will be regularly reviewed;
• servers on which personal data are stored are secured so that they cannot be accessed by unauthorized persons;
• access authorizations of the Contractor's employees to the Client's data are granted on the basis of need-to-know authorizations and access is logged;
• Contractor employees use unique login data, and the use of general accounts is prohibited;
• Contractor employees and other persons who participate in the provision of Services by the Contractor are bound to confidentiality, at least to the extent of the processed personal data;
c) the ability to restore the availability of and access to personal data in a timely manner and in the event of physical or technical incidents;
• the backup process, mechanism and tools are set up in accordance with the 3-2-1 rule;
• the recovery procedure, data readability and integrity of backups are regularly tested;
• access to data in backups is limited to authorized personnel;
d) the process of regular testing, assessment and evaluation of the effectiveness of the technical and organisational measures implemented to ensure the security of processing;
6.3 Security incidents. In the event that the Contractor discovers a breach of personal data security, it shall report it to the Client without undue delay, no later than within 48 hours, and the Contractor shall make reasonable efforts to provide the Client with all information known about the incident, in particular to the extent pursuant to Article 33 par. 3 GDPR.
6.4 Cost. The Contractor is entitled to bill the Client for the efficiently incurred costs associated with the handling of any request, specified in particular in Article 5 of these Terms and Conditions (including the handling of all requests in ensuring compliance, assistance in the performance of other activities, audits). These costs shall be agreed upon by the Parties on the basis of mutual communication.
6.5 Responsibility. In the event that the Client gives the Contractor an instruction on the basis of which the obligations under the GDPR are breached, and the Contractor will be sanctioned by the supervisory authority on the basis of this instruction, or will be obliged to compensate the data subjects for damages, the Client undertakes to compensate the Contractor and compensate him for all demonstrably incurred damage.
6.6 Limitation of liability. In the event that the Contractor is obliged to pay any compensation for damage to the Client, this obligation will be limited to a maximum of 100% of the price that the Client paid to the Contractor under the Contract in the month before the damage occurred.
6.7 Form. In the event that these terms and conditions of personal data processing require the Contractor or Client to do something in writing, this form is also maintained in the case of electronic communication or the use of an e-mail address.