1.1 Criipto is committed to protecting the privacy and security of the users f its services (the “data subjects”). This Data Processing Agreement (“DP agreement”) describes the basis on which Criipto processes any personal data collected from the data subjects, or that data subjects or the Customer provide to Criipto.
1.2 The Customer is the data controller, and Criipto is the data processor in respect of such personal data collected, provided or transferred under the agreement. As data processor, Criipto shall comply with existing and future obligations (hereunder the coming General Data Protection Regulation) and requirements under the relevant Acts on Processing of Personal Data in Denmark, Sweden and Norway and pertaining regulations (the “Act”) in relation to such personal data and process the personal data only in accordance with the terms of this DP Agreement, the Service Order Form with the Customer and any lawful instructions reasonably given by the Customer from time to time.
1.3 The Customer further represents and warrants that the Customer has complied, and will comply, with all obligations of a data controller under applicable law.
1.4 In relation to information Criipto may hold internally (for example e-mail addresses) on data subjects which constitutes personal data for which Criipto is the data controller, Criipto shall comply with obligations under the Act in relation to such personal data and process the personal data in accordance with the terms of this DP Agreement.
1.5 Criipto shall implement (a) appropriate technical and organizational measures to safeguard the personal data against any unauthorized or unlawful access, loss, destruction, theft, use or disclosure; (b) exclusive access to the personal data for those employees who need the data to perform the Services; (c) restrictions to ensure the Services process only the personal data as specified by this DP Agreement and in accordance with the Act, and Criipto accepts its obligation not to use personal data for any purposes other than those related to the performance of the Services or pursuant to the Customer’s written instructions and Criipto shall not under any circumstances transfer or cloud personal data outside EU territory.
2.1 When authenticating users, Criipto transiently processes personal information such as name, address, and e-mail address. In some cases, Criipto may keep hashed or encrypted copies of personal data.
2.2 Criipto may further collect the following information about the user’s organization, such as name, identifiers, addresses, etc.
3.1 Criipto collects and uses personal data to provide the Services, to understand the Customer’s needs and to provide better products and services.
4.1 Criipto may share personal data with third parties who assist in providing the Services.
4.2 The Customer accepts that Criipto allows the personal data for which the Customer is the data controller to be processed by such third parties (“data processors”). The data processors shall solely act according to instructions from Criipto. By accepting these terms and conditions, the Customer authorizes Criipto to give such instructions to the data processors which are necessary for the processing of data in accordance with this DP Agreement and for the purpose of use of the Services.
4.3 The above-mentioned processing are subject to agreements ensuring that the party receiving personal data (a) has implemented appropriate technical and organizational measures to safeguard the personal data against any unauthorized or unlawful access, loss, destruction, theft, use or disclosure; (b) has limited the access to the personal data only to those employees who need the data to enable the processor to perform its services; (c) only processes the personal data as specified by this DP Agreement and in accordance with the Act, (d) will not use personal data for any purposes other than those related to the performance of the services or pursuant to our written instructions and e) shall not under any circumstances transfer personal data outside EU territory.
4.4 Criipto remains fully responsible in relation to the Customer for all work carried out with reference to this DP Agreement, performed by Criipto itself or a subcontractor.
5.1 Data subjects may, at any time, access, review, correct, update, change or delete some or all of the information registered under their profile by logging into their profile.
5.2 If a data subject wishes to know which personal data Criipto, as data controller, holds about the data subject, the purpose of the processing, who receives the personal data and the origin of the information, Criipto can be contacted. Likewise, if a data subject wishes us to correct, update, or delete such personal data, Criipto may be contacted. Criipto shall respond to quests in due time for the Customer to respond to such request within the 10-day timeframe regulated by the Act.
5.3 If a data subject’s profile is deleted, Criipto shall discontinue collection of the data subject’s personal data and the personal data held about the data subject will be deleted.
5.4 If the Customer needs assistance in complying with the rights of the data subjects for whom the Customer is the data controller, the Customer may at any time contact Criipto.
5.5 Notwithstanding the above, Criipto shall store personal data if obliged to do so by law.
6.1 The Customer or its external advisors shall, to a reasonable extent, have the right to inspect Criipto’s books and records or other material which may be relevant to assess whether Criipto is compliant with its obligations under this DP Agreement. Criipto shall take necessary actions to assist the Customer required for such control.
6.2 Criipto’s assistance to the Customer or its external advisors shall be billed according to the then agreed hourly rates.