This Data Processing Agreement (this “DPA”) is entered between Bellinetti Hosting ("Bellinetti", “we”, "us") and Customer (“Customer”, “you”), together referred to as the “Parties”. This DPA is part of the Terms of Service, Privacy Policy and other relevant policies available here. Customers agreeing to these terms enter into this DPA on their own behalf to the extent required under applicable Data Protection Regulations and Laws and to the extent Bellinetti processes Customer Data as instructed by the Controller (as defined in Section 1).
In the course of providing the Services to the Customer, Bellinetti may process Customer Data on behalf of the Customer.
The Parties agree to comply with the following provisions with respect to any Customer Data, each acting reasonably and in good faith:
Unless otherwise defined in this DPA, all capitalized terms have the meanings outlined below:
Adequacy decision: means a formal decision made by the EU which recognises that another country, territory, sector or international organisation provides an equivalent level of protection for personal data as the EU does.
Adequate country or countries: means countries covered by an adequacy decision issued by the EU, meaning data can flow freely between such countries.
Additional Products: means any features, products, software, programs, addons, plugins, scripts, tools or any other third-party software or content that are not part of the services but that may be accessible via the Bellinetti Client Area.
Agreement: means the Terms of Service and other relevant documents announced on our website, together with your order for the purchase/use of services and the order confirmation sent by Bellinetti, if applicable.
Controller: means the natural person or the legal entity which, alone or jointly with others, determines the purposes and means of the processing of customer data; in this agreement, it means the Customer (you).
Customer Data: means any "Personal Data" that is provided to Bellinetti by, or on behalf of, the customer through its use of the services (for avoidance of doubt, Personal Data that is part of the Customer’s Order for purchase/use of the respective service shall not be treated as Customer Data subject to this DPA).
Data Protection Losses means all liabilities, including:
Data Protection Regulations and Laws or Data Protection Regulations means all regulations and laws, including but not limited to laws and regulations of the European Union, the European Economic Area, their member states, Switzerland and the United Kingdom, applicable to the Processing of Customer Data under this DPA.
Terms: Data Subject, Personal Data, Processing, Processor and Supervisory Authority Data Protection Authority have the same meaning as described in the applicable Data Protection Regulations.
Effective date means, as applicable:
GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of customer data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Notification Email Address means the email address specified by the customer in the "Owner Profile Details" section in the Client Area to receive certain notifications from Bellinetti.
International Data Transfer Agreement (IDTA) means the standard data protection clauses for the transfer of Customer Data when the data subject is in the UK.
Order means any customer’s order for purchase/use of the respective service(s).
Partner means any person or entity which directly or indirectly controls, is controlled by, or is under common control with Bellinetti. Control for the purpose of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
Services means any services we offer which could involve processing of Personal Data by Bellinetti and its subcontractors.
Sub-processor means any Processor engaged by Bellinetti.
Term means the period from the Effective Date until the end of Bellinetti's provisioning of the services under the applicable Agreement, including, if applicable, any period during which the services may have been suspended and any post-termination period during which Bellinetti may continue providing services for transitional purposes.
Standard Contractual Clauses or SCCs means the standard data protection clauses for the transfer of Customer Data, as described in the GDPR.
2.1 Scope
This DPA applies where and only to the extent that Bellinetti processes Customer Data on behalf of the customer in the course of providing the services and such Customer Data is subject to the applicable Data Protection Regulations. If the customer agreeing to this DPA is already a customer, this DPA forms part of the Agreement, Privacy Policy and other relevant policies and documents announced on our website. This DPA will be effective and replace any terms previously applicable to privacy, data processing and/or data security where Bellinetti acts as a Data Processor.
2.2 Compliance with Laws
Each party will comply with the obligations applicable to it under the applicable Data Protection Regulations with respect to the processing of that Customer Data.
2.3 Roles of the Parties
The Parties acknowledge and agree that:
2.4 Instructions for Data Processing
Bellinetti shall process Customer Data in accordance with this DPA, which is the customer’s complete and final instructions to Bellinetti in relation to processing of Customer Data. Processing outside the scope of this DPA (if any) shall require prior written agreement between Bellinetti and customer on additional instructions for processing. By entering into this DPA, customer instructs Bellinetti to process Customer Data only in accordance with applicable Data Protection Regulations:
2.5 Subject Matter and Details of the Data Processing.
2.6 Access or Use
Bellinetti shall not access or use Customer Data, except as necessary to provide the services and related technical and other support to the customer in accordance with the DPA, the Agreement and other relevant documents, and in order to comply with the applicable legislation, including with a valid and binding order (such as court order or other binding documents) of a law enforcement agency and/or any other competent authority/state body.
2.7 Rights of the Data Subjects
2.8 Return and Deletion of Customer Data
Bellinetti shall enable the customer to delete Customer Data during the applicable Term in a manner consistent with the functionality of the used services and respective features. Retrieval or deletion of Customer Data by the customer shall constitute an instruction to Bellinetti to delete the respective Customer Data archived on backup systems in accordance with applicable law and within a maximum period of 60 calendar days. Deactivation of the services or expiry of the applicable Term shall constitute an instruction to Bellinetti to delete the Customer Data and the relevant Customer Data archived on backup systems within a maximum period of 60 calendar days. Nothing in this section varies or modifies any obligation of Bellinetti to retain some or all Customer Data as necessary to comply with the applicable legislation including with a valid and binding order (such as court order or other binding documents) of a law enforcement agency and/or any other competent authority/state body.
2.9 Disclosure
Bellinetti shall not disclose Customer Data to any government, law enforcement agencies and other authorities, except as necessary to comply with the applicable legislation or a valid and binding order (such as court order or other binding documents) of a law enforcement agency and/or any other competent authority/state body. Upon receipt of an order by the authorities of a third country, Bellinetti will act in accordance with clause 15 of the Standard Contractual Clauses. Bellinetti may also disclose Customer Data to third parties in the event that Bellinetti sells or buys any business or assets, in which case Bellinetti may disclose Customer Data to the prospective seller or buyer, or in case Bellinetti sells, buys, merges, is acquired by, or partners with other companies or businesses, or sells some or all of its assets.
2.10 Bellinetti's Personnel
Bellinetti restricts its personnel from processing Customer Data without authorisation by Bellinetti. Access to Customer Data is limited to those personnel whose role and responsibilities are connected to the provision of Services. Bellinetti imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security. Bellinetti ensures that these confidentiality obligations survive the termination of the personnel engagement.
2.11 Data Protection Officer
In compliance with the applicable Data Protection Legislation, Bellinetti has appointed a Data Protection Officer (DPO), who can be reached at dpo@bellinetti.com.
3.1 Consent to Sub-processor Engagement/Appointment of Sub-processors.
The Customer acknowledges and agrees that:
3.2 Information about Sub-processors
3.3 Requirements for Sub-processor engagement
When engaging any Sub-processor, Bellinetti shall:
3.4 Objection Right for Sub-processor(s)
Upon customer’s request, Bellinetti shall provide the customer with reasonable cooperation and assistance needed to fulfil the customer’s obligation under the applicable Data Protection Regulations to carry out a data protection impact assessment (DPIA) related to the customer’s use of services, to the extent the customer does not otherwise have access to the relevant information, and to the extent that such information is available to Bellinetti. Bellinetti shall provide reasonable assistance to the customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under the Data Protection Regulations.
5.1 Data Centers
Bellinetti may process Customer Data in Data Centers located inside and outside the European Union, EEA and the UK. Information about the Data Center locations is available here. Bellinetti reserves the right to update it from time to time. The customer may specify the Data Center location where its hosting account content will be stored. The customer agrees that Bellinetti may change the locations of the Data Centers and move customer’s hosting account to another Data Center at its sole discretion. Bellinetti shall inform the customer at least 15 calendar days before moving customer’s hosting account at its sole discretion to a new Data Center either by sending an email to the Notification Email Address or via the Client Area. If the change of the Data Center results in storing the Customer Data located in the customer’s hosting account under a different jurisdiction, the customer may object to such change by terminating the Agreement immediately and upon written notice to Bellinetti, on condition that the customer provides such notice within 10 calendar days of being informed of the change of the Data Center. The customer can move its hosting account to another Data Center location at any time, provided that the functionality of the services allows it and in exchange for additional fees.
5.2 Processing Locations
To the extent the Customer Data is located in a Data Center outside the EU, European Economic Area or the UK, and to the extent Bellinetti provides the services and related technical and other support, the customer agrees that Bellinetti may, subject to section 5, transmit, access and process Customer Data in the EU, EEA, UK, Asia, Australia, and the United States and any other countries where Bellinetti and/or its partners and Sub-processors have Data Centers, facilities or maintain data processing operations. This type of international data transfer operations may occur upon provision of any of the services provided by Bellinetti, including Content Delivery Network (CDN) service. The geographical locations of the servers to which the above-mentioned data transfer may happen are listed on our website and are subject to changes at our sole discretion. If the storage and/or processing of Customer Data involves processing of Customer Data outside of the EEA and the EU GDPR applies, then this DPA, containing the Standard Contractual Clauses, will automatically apply as a contractual safeguard of the international data transfer. If the storage and/or processing of Customer Data involves processing of Customer Data outside of the UK, and the UK GDPR applies, then this DPA, containing the International Data Transfer Agreement, will automatically apply as a contractual safeguard of the international data transfer.
5.3 Transfer Mechanism
To the extent Bellinetti processes or transfers (directly or via onward transfer) Customer Data under this DPA from the European Union, the European Economic Area, UK to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Regulations of the foregoing territories, the parties agree that:
The Customer acknowledges that Bellinetti is required under the applicable Data Protection Regulations to:
7.1 Security measures
Bellinetti shall implement and maintain technical and organisational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access (the “Security Measures”). The "Security Measures" include measures to provide encrypted transmission of Customer Data outside the service environment; to help ensure ongoing confidentiality, integrity, availability and resilience of Bellinetti’s systems and services; to help restore timely access to Customer Data from an available backup copy, provided either by Bellinetti Backup Services or customer’s own backup copy following an incident; and for regular testing of effectiveness. Bellinetti may update or modify the "Security Measures" from time to time provided that such updates and modifications do not result in the degradation of the overall security of the services.
7.2 Customer’s Security Responsibilities and Assessment
The customer agrees that, without prejudice to Bellinetti’s obligations under section 7 (Security Responsibilities of Bellinetti) and other relevant sections in this DPA:
Under the applicable Data Protection Regulations:
9.1 Bellinetti maintains security incident management policies and procedures and shall notify the customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Customer Data transmitted, stored or otherwise processed by Bellinetti or its Sub-processors of which Bellinetti becomes aware and which affects the rights and freedoms of any Data Subjects (“Customer Data Incident”). Bellinetti shall make reasonable efforts to identify the cause of such Customer Data Incident and take the steps as Bellinetti deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident to the extent the remediation is within Bellinetti’s reasonable control. The obligations herein shall not apply to incidents that are caused by the customer, customer’s usage of the services, customer’s actions or activities or customer’s users.
9.2 Notifications made pursuant to this section shall describe, to the extent possible, details of the Customer Data Incident, including steps taken to mitigate the potential risks and steps Bellinetti recommends the customer to undertake in order to address the Customer Data Incident.
9.3 Notification(s) of any Customer Data Incident(s) shall be delivered to the Notification Email Address. The customer is solely responsible for ensuring that the Notification Email Address and its contact information specified in ‘Owner Profile Details’ section of its Client Area is correct and valid.
9.4 Bellinetti shall not assess the content of the Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with incident notification laws applicable to the customer and for fulfilling any third party notification obligations related to any Customer Data Incident(s).
9.5 Bellinetti’s notification of or response to a Customer Data Incident under this Section 9 shall not be construed as an acknowledgement by Bellinetti of any fault or liability with respect to the Customer Data Incident.
10.1 The customer shall indemnify and keep indemnified Bellinetti with respect to all data protection breaches and losses suffered or incurred by, arising from or in connection with:
10.2 Bellinetti shall be liable for data protection breaches and losses caused by processing of Customer Data only to the extent directly resulting from Bellinetti’s failure to comply with its obligations as Data Processor under Data Protection Laws and Regulations. Bellinetti’s liability under the DPA will be subject to the exclusions and limitations of liability set out in the Agreement.
This DPA will take effect from the Effective Date until the end of Bellinetti's provisioning of the services under the applicable Agreement, including, if applicable, any period during which the services may have been suspended and any post-termination period (namely maximum 60 calendar days) during which Bellinetti may continue processing Customer Data for transitional purposes (“Term”). Nothing in this Section 11 varies or modifies any obligation of Bellinetti to retain some or all Customer Data as necessary to comply with the applicable legislation or with a valid and binding order (such as a subpoena or a court order) of a law enforcement agency and/or any other competent authority/state body. The DPA will automatically be terminated upon termination of the Agreement and deletion of all Customer Data by Bellinetti.
12.1 To the extent of any conflict or inconsistency between the terms of this DPA and the ones of the applicable Agreement related to the Processing of Customer Data, the terms of this DPA shall prevail. For clarity, if the customer has entered more than one Agreement, this DPA shall amend each of the Agreements separately.
12.2 Bellinetti may modify the terms of this DPA at any time. If we make material changes to this DPA, we will notify you here, by email, or by means of a notice via our website or via your Client Area, at least ten (10) calendar days before the changes take effect. Non-material changes of this DPA shall have immediate effect.