Data Processing Addendum (DPA)
Last updated: 22nd of October 2024
This Data Processing Addendum ("DPA") is entered into between Swift B.V., a company incorporated in the Netherlands with offices at Singel 126, 1015AE Amsterdam ("Swift AI", "we", "us", "our") and the Customer identified in the relevant Order Form ("Customer") (each a "Party" and together the "Parties"). This DPA is supplemental to, and forms part of, your Contract and the Terms of Service or other written agreement between Swift and Customer (in either case, the "Agreement"). This DPA becomes legally binding upon receipt by Swift of the validly completed DPA (the "DPA Effective Date").
1. Definitions
In this DPA, the following terms have specific meanings:
- "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- "Applicable Data Protection Law" means any data protection and privacy laws applicable to the respective Party in its role in the Processing of Personal Data under the Agreement, including the GDPR, UK Data Protection Laws, Swiss Data Protection Laws, and any other relevant data protection laws.
- "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
- "Customer Data" refers to all electronic data, content, or information that the Customer submits to the Services.
- "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
- "Processor" means the entity that Processes Personal Data on behalf of the Controller.
- "Sub-processor" means any entity engaged by Swift AI or its Affiliates to Process Personal Data in connection with the Services.
2. Processing of Personal Data
Customer shall, in its use of the Services and provision of instructions, Process Personal Data in compliance with applicable Data Protection Laws. Customer has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired such data.
Swift shall Process Personal Data only for the following purposes:
- Processing in accordance with the Agreement and applicable Order Form(s);
- Processing initiated by Authorized Users in their use of the Services;
- Processing to comply with instructions provided by the Customer, where such instructions are consistent with the terms of the Agreement.
Swift shall ensure that all personnel authorized to Process Personal Data are subject to confidentiality obligations.
3. Sub-processors
Customer acknowledges and agrees that Swift may engage third-party Sub-processors to Process Personal Data. Swift shall enter into written agreements with Sub-processors that impose data protection obligations that provide the same level of protection for Personal Data as those in this DPA.
A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible via List of Sub-processors. Customer consents to these Sub-processors, their locations, and Processing activities as they pertain to Personal Data.
Customer may object to Swift's use of a new Sub-processor by notifying Swift promptly in writing within ten (10) business days after receipt of notice. If Customer reasonably objects and Swift cannot accommodate the objection, Customer may terminate the affected Services.
Swift shall be liable for the acts and omissions of its Sub-processors to the same extent Swift would be liable if performing the Services directly under this DPA.
4. Data Subject Rights
Swift shall, to the extent legally permitted, notify Customer if Swift receives a request from a Data Subject to exercise rights under Data Protection Laws. Swift shall assist Customer in responding to such requests, to the extent possible and as required by Data Protection Laws.
Swift shall promptly notify Customer of any correspondence from a Supervisory Authority or other regulatory authority related to Personal Data, unless prohibited by law.
5. Security
Swift shall implement appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data. These measures shall include encryption, access controls, and regular security assessments. Swift will not materially decrease the overall security of the Services during the subscription term.
Swift shall notify Customer without undue delay of any breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data ("Security Incident"). Swift AI shall take reasonable steps to mitigate the effects of the Security Incident and prevent further incidents.
6. Data Transfers
To the extent that Customer makes a transfer of Personal Data subject to EU, Swiss, or UK Data Protection Laws, the Parties agree to be bound by the relevant Standard Contractual Clauses, which shall be incorporated into this DPA.
7. Audits and Certifications
Upon Customer's request, Swift shall make available information regarding its compliance with the obligations set forth in this DPA in the form of third-party certifications or audit reports. Summaries of these are always accessible through the Trust Center.
Customer may conduct an audit of Swift's compliance with this DPA. Audits shall be conducted at Customer's expense and shall not disrupt Swift AI's business operations.
8. Return and Deletion of Personal Data
Upon termination of the Services, Swift shall, at the choice of Customer, return all Personal Data or delete all Personal Data from its systems, unless applicable law requires the retention of such data.
9. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws of the Netherlands. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts located in Amsterdam, Netherlands.