DATA PROCESSING AGREEMENT
Last Updated: May 2024
This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement").
WHEREAS
- The Customer acts as a Data Controller.
- The Customer wishes to use Weaviate's services which involve the processing of personal data.
- The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the GDPR.
- The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions
- Agreement means this Data Processing Agreement and all Schedules.
- Data Controller Personal Data means any Personal Data Processed by a Contracted Processor on behalf of the Data Controller pursuant to or in connection with the Principal Agreement.
- Contracted Processor means a Subprocessor.
- Data Protection Laws means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.
- EEA means the European Economic Area.
- EU Data Protection Laws means EU Directive 95/46/EC as transposed into domestic legislation of each Member State and as amended, replaced, or superseded from time to time including by the GDPR and laws implementing or supplementing the GDPR.
- GDPR means EU General Data Protection Regulation 2016/679.
- Data Transfer means: (A) a transfer of Data Controller Personal Data from the Data Controller to a Contracted Processor; or (B) an onward transfer of Data Controller Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case where such transfer would be prohibited by Data Protection Laws.
2. Processing of Company Personal Data
- The Processor shall comply with all applicable Data Protection Laws in the Processing of Company Personal Data and not Process Company Personal Data other than on the relevant Company’s documented instructions.
3. Security
- Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.
4. Subprocessing
- The Processor shall not engage, appoint, or disclose any Personal Data of the Company to any Subprocessor without the express written consent of the Company. Notwithstanding the foregoing, the Subprocessors listed at www.weaviate.io/subprocessors are hereby pre-approved by the Company upon the execution of this Agreement.
5. Data Subject Rights
- Taking into account the nature of the Processing, the Processor shall assist the Company by implementing appropriate technical and organizational measures for the fulfillment of the Company's obligations to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6. Personal Data Breach
- Processor shall notify the Company without undue delay upon becoming aware of a Personal Data Breach affecting Company Personal Data.
7. Data Protection Impact Assessment and Prior Consultation
- Processor shall provide reasonable assistance to the Company with any data protection impact assessments and prior consultations with Supervising Authorities or other competent data privacy authorities.
8. Deletion or Return of Company Personal Data
- Subject to this section, Weaviate shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data delete and procure the deletion of all copies of those Company Personal Data.
9. Data Transfer
- Weaviate may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company.
10. Governing Law and Jurisdiction
- This Agreement is governed by the laws of The Netherlands. Any dispute arising in connection with this Agreement which the Parties will not be able to resolve amicably will be submitted to the exclusive jurisdiction of the courts of Amsterdam, The Netherlands.