Data Processing Agreement
Elvo and the data controller have signed a service agreement that specifies that Elvo will both store and process personal data as a data processor on behalf of the data controller. The parties have therefore agreed to a processing agreement according to the following terms:
Information Disclosure
Elvo shall have its privacy policy publicly available and accessible during the term of the agreement. The privacy policy is hosted at elvo.is/privacy. The policy shall be accessible on the Elvo website homepage so that the customers and managers of the data controller can access information about the processing and their rights regarding it.
Data Processing
- Elvo may only process personal data in accordance with documented instructions from the data controller, including the provisions in the appendix accompanying these terms (Appendix I).
- If Elvo is legally permitted, the company shall notify the data controller immediately if Elvo is unable to fulfill its obligations under this processing agreement or if Elvo believes that instructions from the data controller violate laws or regulations regarding data protection.
- Elvo is responsible for the data processing as a data processor and shall ensure that such processing complies with data protection laws and regulations.
- The transfer of personal data outside the EEA shall be subject to prior written consent from the data controller. Elvo shall ensure that such transfer complies with the provisions of data protection laws by satisfying at least one of the following conditions: (i) Transfer to a country recognized by the European Union's executive body as providing adequate protection for personal data (Adequacy Decision) (ii) If data is transferred to a country not recognized by the European Union, Elvo shall implement appropriate safeguards.
Confidentiality
Elvo shall ensure that its customers and other parties working with Elvo have the necessary authorization to process personal data and are bound by confidentiality obligations in accordance with applicable laws and regulations regarding data protection.
Security
Elvo shall implement all necessary security measures in accordance with data processing requirements as specified by laws and regulations regarding data protection. Data shall be stored encrypted, and all communications to and from Elvo's servers shall also be encrypted. Further information about the security measures implemented by Elvo is available at elvo.is/security.
Assistance
Elvo shall assist the data controller in implementing appropriate technical and organizational measures to ensure adequate security considering the risks associated with the processing, such as reporting data breaches, conducting impact assessments, seeking prior consultation from the Data Protection Authority, and responding to requests from data subjects to exercise their rights under relevant laws and regulations. Elvo is entitled to a reasonable period of preparation, and the data controller shall reimburse Elvo for the costs incurred in providing such assistance.
Transparency
Elvo shall provide the data controller with access to all necessary information to confirm compliance with its obligations under this processing agreement and data protection laws and regulations. Elvo shall also assist in audits and inspections conducted by the data controller or a third party authorized by the data controller and bound by confidentiality obligations. Elvo is entitled to a reasonable period of preparation for audits or inspections, and the data controller shall reimburse Elvo for the costs incurred in such audits or inspections.
Subprocessors
- Elvo is authorized to use subprocessors to fulfill its obligations under the service agreement and this processing agreement. Elvo shall notify the data controller in writing if it intends to change subprocessors with at least ten days' notice. The data controller has the right to object to such change if it believes that the new subprocessor does not fulfill the obligations specified in data protection laws and regulations.
- Elvo is responsible for all processing carried out by subprocessors on personal data, and the same obligations regarding data protection shall apply to Elvo as specified in this agreement, laws, and other legal regulations.
Data Breach
Elvo shall promptly notify the data controller if the security or confidentiality of personal data is compromised. Elvo shall inform the data controller of the nature of the breach, its likely consequences, and the measures taken to mitigate and prevent its recurrence.
Liability
Penalties imposed by public authorities under data protection laws and regulations shall be borne by the party to whom the penalty is imposed.
Handling of Data upon Termination
- When the service agreement expires, Elvo shall either return all personal data to the data controller upon request or securely delete all personal data belonging to the data controller. However, responses from customers to inquiries shall always be deleted when the service agreement expires and shall never be shared with the data controller to ensure the anonymity of customers. Elvo retains customer responses while this service agreement is in effect to provide the data controller with insights into customer satisfaction and related factors over time. This is always done in an anonymous manner to prevent the data controller from tracing responses back to individual customers.
Changes to Terms
- Elvo reserves the right to modify these terms but shall notify the data controller at least 15 days in advance. Elvo shall notify customers of changes to the terms by email and by making the new terms accessible at elvo.is/processing-agreement.
- If the customer rejects the changes to the terms within 15 days of receiving the notification by email, the customer accepts the modified terms. If the customer rejects the modified terms within the specified period, such rejection shall be deemed equivalent to termination of the agreement according to the aforementioned provisions, and the terms that were in effect between the parties with the consent of both shall apply during the notice period.
Appendix I
Further description of data processing
I.A General Description
Elvo and the data controller have entered into a service agreement where personal data about the data controller's customers is stored and processed. Elvo will process the personal data on behalf of the data controller.
I.B Purpose
The purpose of the processing is to store and allow the data controller to process personal data of customers to assess their customer support and related factors. Elvo enables the data controller to work with the information securely and in compliance with the terms of laws and regulations regarding data protection.
I.C Types of Personal Data
The types of personal data processed are determined by the data controller and may vary depending on the services used by the data controller. Examples of the information processed may include national identification numbers, names, email addresses, phone numbers, gender, and employment age of the data controller's customers. Elvo also stores and processes customer responses to inquiries about customer support and related factors.
I.D Data Owners
The owners of the personal data are the customers and managers of the data controller.
I.E Duration
The processing will take place during the term of the service agreement.
I.F Deletion/Return of Personal Data
When the service agreement expires, Elvo shall immediately cease processing all personal data belonging to the data controller. Elvo shall, upon the data controller's request: (i) return all personal data to the data controller; or (ii) securely delete all personal data. However, responses from customers to inquiries shall always be deleted and never returned to the data controller to ensure the anonymity of customers. Deletion or return shall take place within 30 days after the service agreement expires.
I.G Subprocessors
All data is stored in a data center in Frankfurt, Germany.
Subprocessors:
- Vercel (hosting)
- AWS (data storage)
- Postmark (email delivery)