Privacy Policy
Review date: 11/03/2024
Introduction
Atrilio respects your right to privacy and we understand that, when you visit our websites and use our products and services or otherwise interact with us (for example, by viewing our webinars), you prefer to control the way you share your personal information (“Personal Data” as defined below) and preferences. Atrilio offers a wide range of products, including web-based services, custom, and support services. We refer to all of these software products, together with our other services and websites, as “Services” in this Privacy Policy.
For purposes of this Privacy Policy, “Atrilio”, “us,” “we,” and “our” means Atrilio Ventures S.L.
The terms “user,” “you,” and “your” refer to Sites visitors, customers and any other users of the sites and the Services. For more information about Atrilio companies please visit the company page.
The term “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, to an individual. It does not include aggregated or deidentified information that is maintained in a form that is not reasonably capable of being associated with or linked to an individual.
Atrilio collects, stores, uses and discloses the following categories of Personal Data:
- Customer Data: Personal Data concerning our business customers' (“Customers”) internal focal persons who directly engage with Atrilio concerning their organizational account, and users of the Services on behalf of such Customers, e.g., the account administrators and users, billing contacts and authorized signatories on behalf of the Customer; as well as the Customer's business needs and preferences, as identified to us or recognized through our engagement with them;
- User Data: Personal Data that we process and manage on behalf of our Customers, as part of our Services.
We process such User Data on behalf of and under the instruction of the respective Customer, in accordance with our Data Processing Agreement (described below) with them. Accordingly, this Privacy Policy (which describes Atrilio's privacy and data processing practices) does not apply to such processing done on its Customers' behalf. To learn about the privacy policy and practices of our Customer, please contact them directly.
- Prospect Data: data relating to visitors of our Sites, participants at our events, and any other prospective customer, user or partner (collectively, “Prospects”) who visits or otherwise interacts with our Sites, online ads and content, emails, integrations or communications under our control.
Agreement to this Policy
Please read this Policy carefully to understand our policies and practices regarding your information and how we will treat it. If you do not agree with our policies and practices, your choice is not to use our Services. By accessing or using our Services, you confirm that you have read this Policy. This Policy may change from time to time. If You continue to use our Services after we make changes, your use is deemed to be acceptance of those changes, so please check the Policy periodically for updates. The date that this Policy was last amended is set out at the top of the Policy and is described as the Policy's “Review Date”.
GDPR Compliance
Atrilio complies with the Regulation 2016/679/EU of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”). Atrilio acts as both a data controller and a data processor under GDPR.
Atrilio has implemented the following requirements under the GDPR, including but not limited to:
- A record of your Personal Data processing activities;
- Adequate organizational and technical protection measures;
- Request forms and internal instructions for Privacy by Design & Default, Data Portability, and Data Subject Rights like the Right to be Forgotten.
International Transfer of Personal Data
Your Personal Data may be collected, transferred to and stored by us in the United States of America and other countries. Your Personal Data may be processed outside of your jurisdiction wherever we or our third-party service providers operate for the purpose of providing you with the Services. The Personal Data of individuals located in the European Economic Area (EEA), the European Union (EU), Switzerland and the United Kingdom is stored and processed on servers based in Ireland and France and stored as backup in France. Regardless of where your information is stored or processed, we apply the same protections described in this Policy and ensure that the third-party recipients of your Personal Data offer an adequate level of protection and security.
We use the Data Processing Agreement (DPA), described below, as part of an applicable license or service agreement or other written or electronic agreement between you and Atrilio for the purchase of Atrilio Services. We also use the Standard Contractual Clauses approved by the European Commission as a means of ensuring adequate protection when transferring data outside of the EEA, EU, Switzerland and the United Kingdom.
Data Protection Officer
Our Data Protection Officer can be contacted in writing at dpo@atrilio.com.
How Atrilio determines your location
Atrilio Sites you access can determine your physical geographical location in a few ways. Your IP address reveals your general area, unless you use a VPN. Atrilio Sites can also ask for a more precise location when you purchase Atrilio Services to determine the Atrilio Company which will provide the Services to you, process your Personal Data and how much local tax Atrilio will charge on the Services.
How Atrilio may collect information about you in our role as data controller
We collect information about you and determine the purposes and means of processing our Customers' and Prospects' Personal Data in our role as data controller when you input it into the Services or otherwise provide it directly to us.
- Site account and Profile Information: We collect information about you when you order Services from Atrilio, register to create a site account, create or modify your profile, set preferences, sign-up for or make purchases through the Services. We keep track of your preferences when you select settings within the Services.
- Information you provide through our support center: The Services also include our customer support, where you may choose to submit information regarding a problem you are experiencing with a Service. Whether you designate yourself as a technical contact, open a support ticket, speak to one of our representatives directly or otherwise engage with our support team, you will be asked to provide contact information, a summary of the problem you are experiencing, and any other documentation, screenshots or information that would be helpful in resolving the issue.
- Subscription to Atrilio newsletters and webinars. We collect information about you when you subscribe to our webinars and newsletters provided through e-mail, SMS or messengers services. You can set your communication preferences from your site account or opt-out at any time.
- Information You provide through our chat services when you contact Atrilio in a chat session.
This Privacy Policy also applies to the processing of Personal Data collected by us when you:
- Visit our branded social media pages;
- Register for, attend or take part in our events, webinars, programs or contests;
- Participate in community; or
- Participate in surveys, research or other similar data collection facilitated by us.
Information we collect automatically when you use the Services
We collect information about you when you use our Services, including browsing our websites and taking certain actions within the Services.
Your use of the Services: We keep track of certain information about you when you interact with any of our Services. This information includes the features you use; information about the system configuration, PowerPoint version you use; time you spent using the Services; the links you click on; the type, size and filenames of attachments you upload to the Services; frequently used search terms; and how you interact with others on the Services.
Device and Connection Information: We collect information about your computer, phone, tablet, or other devices you use to access the Services. This device information includes your connection type and settings when you install, access, update or use our Services. We also collect information through your device about your operating system, browser type, IP address, URLs of referring/exit pages, device identifiers, and crash data. We use your IP address and/or country preference in order to approximate your location to provide you with a better Service experience.
Cookies: Atrilio uses essential first-party cookies to provide functionality of the Sites and to recognize you across different Services and devices, and third-party cookies for analytics and content-sharing. Atrilio uses Google Analytics (Google LLC, US) cookies to generate statistical data on how the visitor uses the website. These cookies allow us to track and analyze data traffic and are used to track the behavior of the user, to improve the user experience.
For more information, please see our Cookie Policy, which includes information on how to control or opt-out of the cookies and other tracking technologies.
Information we receive from other sources
We receive information about you from other Service users, from third-party services, from our related companies, and from our business partners.
Other users of the Services: Other users of our Services may provide information about you when they submit content through the Services. For example, you may be mentioned in a support ticket opened by someone else. We also receive your email address from other Service users when they provide it in order to invite you to the Services. Similarly, an administrator may provide your contact information when they designate you as the billing or technical contact on your company's site account.
Atrilio Partners: We work with a global network of partners who help us to market and promote our products, generate leads for us, and resell our products. Some of these partners provide consulting, training, and other services connected to our products. We receive information from these partners, such as contact information, company name, what Atrilio products you have purchased or may be interested in, evaluation information you have provided, what events you have attended, and what country you are in.
Other Partners: We receive information about you and your activities on the Services from third-party partners, such as advertising and market research partners who provide us with information about your interest in and engagement with our Services and online advertisements.
Information we receive from third-party integrations. If, when using the Atrilio Web services, You or Your administrator choose to use or connect to third-party integrations (e.g., YouTube, Vimeo, Zoom) through the Atrilio web services, such third parties may allow Atrilio to have access to and store additional information about Your interaction with those services as it relates to your use of the Atrilio web services. If You initiate these connections, You also understand that Atrilio will share information about You that is required to enable Your use of the third-party integration through the Atrilio web services. If You do not wish to have this information shared, do not initiate these connections. By enabling these connections, You authorize Atrilio to connect and access the information provided through these connections, and You understand that the privacy policies of these third parties govern such connections.
What information Atrilio may collect about you in our role as data controller
- Your name, email address, phone number, company name, title and business/private address;
- Your Atrilio site account information - such as Atrilio Services you ordered, domain name registration information, the IP addresses assigned to you, the use of Atrilio Services or any other information related to your site account;
- Your contact with Atrilio - such as a note or recording of a call you make to Atrilio, a chat record when you engage in a chat session with Atrilio through a chat service, SMS or a messenger, an email or letter you send to Atrilio or other records of any contact you have with Atrilio;
- The e-mail addresses of the users who receive the results of the test or dialogue simulations if the software product with test or dialogue simulations functionality uses the function of collecting user data with sending to an
- The e-mail addresses of the users who pass tests or dialogue simulations created using the software product with test/simulation functionality if the software product uses the function of collecting user data with sending to e-mail addresses. You may create tests or simulations with a user input form by sending the test results to the server. Then Atrilio does not receive any data, and all the data will be sent immediately to Your server;
- The e-mail addresses of the users (instructors) who receive the results of the test or dialogue simulations of other users to review the test or quiz. You are responsible for submitting the correct e-mail addresses while using this functionality;
- Information provided by you to Atrilio when you notify Atrilio of a (suspected) breach of acceptable use of Atrilio Services;
- Your photo when you send us a testimonial and video footage of you when we record your video review about Atrilio Services;
- The information you provide using YouTube API Features and functionality;
- The information you provide using the Zoom Apps features and functionality;
- The information you provide using the Vimeo features and functionality.
Why Atrilio processes your personal information in our role as data controller
Atrilio processes your Personal Data for the following purposes:
- Processing of orders and provision of Services;
- Sending test or dialogue simulations results to You or users of the test or dialogue simulations;
- Conducting market research, conducting retention and customer satisfaction surveys, conducting marketing activities (including through e-mail, SMS and messengers newsletters, social media and onsite/offsite and online/offline advertisement), conducting sales activities (including analyzing your Personal Data and your use of Atrilio Services for making (personalized) offers and quotes with the aim of entering into a customer relationship, and/or maintaining, renewing or expanding a customer relationship);
- Communicating with customers (a) to provide information about Services of Atrilio and affiliated companies, (b) to provide information about offers, orders, provision of Services, order status and payment, (c) to provide support and maintenance services, (d) to handle complaints, (e) to answer questions from (potential) customers, and (f) to remind you of subscription expirations by sending you e-mail/SMS/messengers notifications. These communications are part of the Services and in most cases, you cannot opt out of them. If an opt out is available, you will find that option within the communication itself or in your account settings.
- Investigating and processing suspected violations of acceptable use of Atrilio Services;
- Complying with statutory obligations, including (a) provision of data to authorized authorities in the context of criminal investigations, (b) complying with (applicable) data retention obligations, and (c) the provision to third parties of Personal Data concerning customers in connection with an infringement of these third parties' rights.
How we share your personal information in our role as data controller
Atrilio does not use your personal information for the purpose of selling it. There are, however, certain circumstances in which Atrilio may share and disclose Personal Data with certain third parties without further notice to you, as described below.
Please contact us at support@atrilio.com to opt out of the information sharing with a third party:
- Atrilio may engage selected third-party companies to perform services complementary to our own. Such service providers include hosting and server co-location services, communications and content delivery networks, chat and messengers services, data security services, billing and payment processing services, fraud detection and prevention services, web and product analytics, e-mail distribution and monitoring services, session or activity recording services, remote access services, content transcription and analysis services, performance measurement, data optimization and marketing services, social and advertising networks, content and data enrichment providers, event production and hosting services, e-mail, voicemails, support, enablement and customer relation management systems (collectively, “Service Providers”). Our Service Providers may have access to personal information, depending on each of their specific roles and purposes in facilitating and enhancing our Services, and may only use the data as determined in our agreements with them. In such instances, our Service Providers processing such data will assume the role of “data sub-processor”;
- Atrilio may share and disclose your Personal Data to authorized resellers, partners involved in delivering the Services, so that they can provide timely, helpful information about Atrilio Services. Atrilio resellers and partners are contractually obligated to abide by Atrilio privacy policy, preventing them from sharing your information with any other third parties.
- You may choose to use a third-party service to integrate with our Services, for example in order to upload or retrieve Personal Data to or from the Services, or to enrich the data you have processed on either service or enhance your usage thereof (provided that such integration is supported by our Services). The provider of this integrated third-party service may receive certain relevant data about or from your account on the Services, or share certain relevant data from your account on the third-party provider's service with our Services, depending on the nature and purpose of such integration. This could include your Customer Data and/or User Data;
- Atrilio may share Personal Data internally within Atrilio Companies, for the purposes described in this Privacy Policy. In addition, should Atrilio Companies or any of its subsidiaries or affiliates undergo any change in control or ownership, including by means of merger, acquisition or purchase of substantially all or part of its assets, Personal Data may be shared with or transferred to the parties involved in such an event. Atrilio may disclose personal data to a third-party during negotiation of, in connection with or as an asset in such a corporate business transaction. Personal data may also be disclosed in the event of insolvency, bankruptcy or receivership;
- An Atrilio customer, if you notify Atrilio that this customer's use of Atrilio Services violates the acceptable terms of use of Atrilio Services or applicable law;
- A third party that has claimed that your use of the Atrilio Services violates the acceptable use of Atrilio Services or applicable law (to the extent such sharing is required by law);
- Should Atrilio sell, merge or transfer any part of Atrilio business, part of that sale may include your Personal Data. In the event of a corporate sale, merger, reorganization, dissolution or similar event, Personal Data may be part of the transferred assets;
- In certain situations, Atrilio may be required to disclose Personal Data in response to lawful requests by law enforcement agencies, regulatory organizations, courts or public authorities to the extent required by law, including to meet national security or law enforcement requirements.
Atrilio in its role as data processor
Atrilio is the “data processor” of User Data, which we process on behalf of our Customer (who is the “data controller” of such data); and our Service Providers who process such User Data on our behalf are the “sub-processors” of such data.
Atrilio is both a “data controller” and “data processor” of Customer Data. Such data is processed by Atrilio for its own purposes (as described above), as an independent ‘controller’; whilst those certain portions of it which are included in User Data will be processed by us on our Customer's behalf, as a ‘data processor’.
Accordingly, Atrilio processes User Data strictly in accordance with our Customer's reasonable instructions and as further stipulated in our Data Processing Agreement and other commercial agreements with such Customer.
Personal information and content you provide through Atrilio web-based services
Atrilio Customers are solely responsible for determining whether and how they wish to use our Services, and for ensuring that all individuals using the Services on the Customer's behalf or at their request, as well as all individuals whose personal data may be included in Customer Data processed through the Services, have been provided with adequate notice and given informed consent to the processing of their personal data, where such consent is necessary or advised, and that all legal requirements applicable to the collection, recording, use or other processing of data through our Services are fully met by the Customer, including specifically in the context of an employment relationship. When Customers and Atrilio partners use Atrilio web-based services to process Personal Data in their content, Atrilio acts as a data processor. The Customer of Atrilio that owns an account in Atrilio web-based services will be responsible for determining the purposes and means of the processing of the content and any Personal Data provided by Users of the account, and this Atrilio Customer (or its end users) will be the data controller in regards to such processing.
Personal information and content you provide using YouTube API, Vimeo API and the Zoom Apps features and functionality. When customers and Atrilio partners use YouTube API and the Zoom App integrated into Atrilio Web-based services to process Personal Data in their content, Atrilio acts as a data processor. The customer of Atrilio that owns an account in Atrilio web-based services will be responsible for determining the purposes and means of the processing of the content and any Personal Data provided by end-users using YouTube API, Vimeo API and the Zoom Apps, and this Atrilio customer (or its end users) will be the data controller in regards to such processing.
How we store and secure information we collect
Information storage. We use data hosting service providers in the United States, Ireland and France to host the information we collect, and we use technical measures to secure your data.
Technical and organizational security procedures and data transfers. We observe reasonable procedures to prevent unauthorized access to and the misuse of your Personal Data. We use appropriate business systems and procedures to protect and safeguard your Personal Data. We also use security procedures and technical and physical restrictions for accessing and using the Personal Data on our servers. Only authorized personnel are permitted to access Personal Data in the course of their work.
How long we keep information (retention procedures)
Atrilio will store your personal information for as long as reasonably necessary in order to maintain and expand our relationship and provide you with our Services and offerings; in order to comply with our legal and contractual obligations; or to protect ourselves from any potential disputes (i.e. as required by laws applicable to log-keeping, records and bookkeeping, and in order to have proof and evidence concerning our relationship, should any legal issues arise following your discontinuance of use), all in accordance with our data retention policy and this Policy. After such time, we will either delete or anonymize your information or, if this is not possible (for example, because the information has been stored in backup archives), then we will securely store your information and isolate it from any further use until deletion is possible.
To determine the appropriate retention period for Personal Data, we consider the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes for which we process your personal data and the applicable legal requirements.
How You Can Access and Control Your Information
Subject to some limits, you have certain rights regarding your Personal Data and the processing thereof. PLEASE NOTE THAT OUR CUSTOMERS CONTROL AND MAINTAIN ACCESS TO THEIR DATA THAT IS STORED BY Atrilio, AND WE MAY NOT HAVE ACCESS TO THE DATA MAINTAINED BY OUR CUSTOMERS OR EVEN KNOW WHAT DATA IS BEING MAINTAINED.
You have the right to request a copy of your information, to object to our use of your information (including for marketing purposes), to request the deletion or restriction of your information, or to request your information in a structured, electronic format. If you are an end-user and the Services are administered for you by an administrator (see section "Notice to End Users" below), you may need to contact your administrator to assist with your requests first. For all other requests, you may contact us as provided in the Contact Us section below to request assistance.
Your Rights:
- You can access and update your information in your site account at any time;
- You can deactivate your site account if you no longer wish to use our Services;
- You can request the information Atrilio has collected about you;
- You can request that we make changes to the Personal Data you have seen, but cannot change in your site account;
- You also have the right to obtain from us the erasure of your Personal Data (right to be forgotten);
- In addition, you may, under certain circumstances, have the right to restriction of the processing of your Personal Data;
- You have the right to object, on grounds relating to your particular situation, at any time to processing of your Personal Data;
- You have the right to receive your Personal Data, which you have provided to us, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller when the processing is based on your consent or is necessary for the performance of a contract (the right to data portability);
- You can opt-out of promotional communications from us by using the unsubscribe link within each email, updating your email preferences within your site account settings menu, or by contacting us as provided below to have your contact information removed from our promotional email list or registration database. Even after you opt-out of receiving promotional messages from us, you will continue to receive transactional messages from us regarding our Services. You can opt-out of some notification messages in your site account settings;
- You can opt out of our use of cookies: relevant browser-based cookie controls are described in our cookie policy.
Accessing Personal Information
Atrilio acknowledges that you have the right to access the personal information that we maintain about you. If you seek access, or seek to correct, amend, or delete inaccurate data, you should direct your query to support@atrilio.com. If requested to remove data, we will respond within a reasonable timeframe.
Consent and Withdrawal of Consent
You are entitled to withdraw your consent at any time by giving us notice. Upon receipt of a notice where your consent is withdrawn, we will without undue delay stop processing your Personal Data to the extent it is required under the law. Please use the contact information at the bottom of the page should you wish to withdraw your consent given under this privacy statement. To limit the use and disclosure of your personal information, please submit a written request to support@atrilio.com.
United States - California Residents
This section provides additional details about the personal information Atrilio collects about California customers as well as the rights of California consumers under the California Consumer Privacy Act (CCPA).
How Atrilio Collects, Uses, and Discloses Your Personal Data
The section “What information Atrilio may collect about you in our role as data controller” describes in detail the Personal Data Atrilio may have collected over the last 12 months, including identification information, internet activity information. Atrilio has collected such Personal Data directly from you and from your interaction with the site and the Services.
Atrilio collects this information for the purposes described in the “What information Atrilio may collect about you in our role as data controller” and “Why Atrilio processes your personal information in our role as data controller” sections. Atrilio shares this information with the categories of third parties described in the “How we share your personal information in our role as data controller” and “Information we receive from third-party integrations” sections. Atrilio uses cookies, as described in Atrilio Cookie Policy. Atrilio does not sell (as defined by the CCPA) your Personal Data.
Your CCPA Rights and Choices
As a California customer and subject to certain limitations under the CCPA, you have choices regarding our use and disclosure of your personal information:
- Exercising the right to know.
- Exercising the right to delete.
- Opt out of sales.
- Non-discrimination.
How to Exercise Your Privacy Rights Under the CCPA
To exercise your rights under the CCPA, please submit a written request to support@atrilio.com. Please indicate which right your request is for and provide a description to help us understand the nature of your request. Your authorized agent may submit requests in the same manner.
In order to fulfill requests for any rights exercise, Atrilio is required to verify your identity so please be aware that Atrilio may need to request additional information that will be used for that purpose.
Notice to End Users
Our web-based services are intended for use by organizations. Where the web-based services are made available to you through an organization (e.g., your employer), that organization is the administrator of the web-based services and is responsible for the accounts in web-based services over which it has control. If this is the case, please direct your data privacy questions to your administrator, as your use of the web-based services is subject to that organization's policies. We are not responsible for the privacy or security practices of an administrator's organization, which may be different than this policy.
Administrators are able to:
- Reset your account password;
- Restrict, suspend or terminate your access to the web-based services;
- Access information in and about your account;
- Access or retain information stored as part of your account;
- Install or uninstall third-party apps or other integrations.
Please contact your organization or refer to your administrator's organizational policies for more information.
Our Policy Towards Children
The Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children under the age of 16. If we become aware that a child under the age of 16 has provided us with personal information, we will take steps to delete such information. If you become aware that a child has provided us with personal information, please contact our support services.
Changes to this Policy
We may change this Policy from time to time. We will post any privacy policy changes on this page and, if the changes are significant, we will provide more prominent notice by adding a notice on the Services homepages, login screens, or by sending you an email notification. We will also keep prior versions of this Policy in an archive for your review. We encourage you to review our privacy policy whenever you use the Services to stay informed about our information practices and the ways you can help protect your privacy.
If you disagree with any changes to this privacy policy, you will need to stop using the Services and deactivate your account(s), as outlined above.
Contact Us
If you have any questions regarding this privacy policy or our processing of personal data, or want to contact us regarding your personal data, please contact dpo@atrilio.com.
Data Processing Agreement
Review Date: 11/03/2024
ATTENTION: YOU (THE “CUSTOMER”) ARE HEREBY ASKED TO ACCEPT THE TERMS AND CONDITIONS OF THE DATA PROCESSING AGREEMENT (THE "AGREEMENT") WHICH WILL GOVERN THE PROCESSING OF THE CUSTOMER'S PERSONAL DATA BY ATRILIO AND ITS AFFILIATES FURTHER DEFINED HEREIN AS “Atrilio”.
BY CLICKING THE BUTTON WHILE REGISTERING YOUR Atrilio ACCOUNT, YOU ARE CONSENTING TO BE BOUND BY THE TERMS OF THIS AGREEMENT AND ARE BECOMING A PARTY TO THIS AGREEMENT AND AGREE THAT THIS AGREEMENT IS ENFORCEABLE LIKE ANY WRITTEN NEGOTIATED AGREEMENT SIGNED BY YOU. IF YOU ARE ENTERING INTO THIS AGREEMENT ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU ASSERT THAT YOU HAVE THE AUTHORITY TO BIND STATED ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERM “CUSTOMER” SHALL REFER TO STATED ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE AND ACCEPT THE TERMS, YOU HAVE NO RIGHT TO USE THE Atrilio WEB SERVICES.
This Data Processing Agreement, including Annexes (the “DPA”) forms part of the Atrilio Web Services Subscription Agreement (link to the online platform terms of use) or other written or electronic agreement between Atrilio and Customer for the purchase of Atrilio software products (including any software program, web service or services made available by Atrilio for purchase) from Atrilio (identified either as “Products” or otherwise in the applicable agreement, and hereinafter defined as “Products”) (the "Principal Agreement") to reflect the Parties' agreement with regard to the Processing of Personal Data.
Customer enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its authorized Affiliates. For the purposes of this DPA only, and except where indicated otherwise, the term “Customer” shall include Customer and authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Principal Agreement. In the course of providing the Products to Customer pursuant to the Principal Agreement, Atrilio may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
This DPA consists of two parts: the main body of the DPA, and Annexes 1 and 2.
If the Customer entity entering into this DPA is a party to the Principal Agreement, this DPA is an addendum to and forms part of the Principal Agreement. In such case, the Atrilio Customer that is party to the Principal Agreement is party to this DPA.
If the Customer entity entering into this DPA is not a party to the Principal Agreement directly with Atrilio, but is instead a customer indirectly via an authorized reseller of Atrilio Products, this DPA is not valid and is not legally binding. Such Customer entity should contact the authorized reseller to discuss whether any amendment to its agreement with that reseller may be required.
Definitions
1.1. In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1.1.1. “Affiliate” means any person or entity that, directly or indirectly, controls, is controlled by, or is under common control with the subject entity; “control” (including, with its correlative meanings, “controlled by” and “under common control with”) means possession, directly or indirectly, of the power to direct or cause the direction of management or policies (whether through ownership of securities or partnership or other ownership interests, by contract or otherwise).
1.1.2. “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
1.1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.1.4. “Customer” means an individual consumer or a legal entity who activates the Product provided by Atrilio and assumes payment responsibility for Atrilio.
1.1.5. “Customer Data” means electronic data and information (including Personal Data) submitted by or for Customer to the Products pursuant to or in connection with the agreement related to the provision of the Products by Atrilio to Customer under the terms of the Principal Agreement;
1.1.6. “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union (EU), the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom (collectively “Europe”) and the United States and its states, applicable to the Processing of Personal Data under the Principal Agreement as amended from time to time;
1.1.7. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
1.1.8. “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), including as implemented or adopted under the laws of the United Kingdom.
1.1.9. “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as Personal Data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
1.1.10. “Processing” or “Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.1.11. “Processor” means the entity which Processes Personal Data on behalf of the Controller, including as applicable any “service provider” as that term is defined by the CCPA.
1.1.12. “Public Authority” means a government agency or law enforcement authority, including judicial authorities.
1.1.13. “Services” means the services and other activities to be supplied to or carried out by or on behalf of Atrilio or its authorized Affiliates for the Customer;
1.1.14. “Standard Contractual Clauses” means Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eurlex.europa.eu/eli/dec_impl/2021/914/oj ;
1.1.15. “Sub-processor” means any Processor (including any third party and any Atrilio Affiliate, but excluding an employee of Atrilio or any of its sub-contractors) engaged by or on behalf of Atrilio or any Atrilio Affiliate to Process Personal Data on behalf of Customer; and
1.2. The word "include" shall be construed to mean include without limitation, and cognate terms shall be construed accordingly.
2. Authority
Atrilio warrants and represents that, before any Atrilio Affiliate Processes any Customer Data on behalf of the Customer, Atrilio's entry into this DPA as agent for and on behalf of that Atrilio Affiliate will have been duly and effectively authorized (or subsequently ratified) by that Atrilio Affiliate.
3. Processing of Customer Data
3.1. The Parties undertake to comply with the applicable Data Protection Laws and Regulations.
- 3.1.1. Customer, as Controller, appoints Atrilio as a Processor to process Customer Data on Customer's behalf.
- 3.1.2. Customer remains responsible for all declarations, notifications and authorizations that may be necessary for the Processing of the Customer Data.
- 3.1.3. As Processor, Atrilio will only process the Customer Data on behalf of Customer and in compliance with Customer's instructions.
3.2. Atrilio and each Atrilio Affiliate shall:
- 3.2.1. comply with all applicable Data Protection Laws and Regulations in the Processing of Customer Data; and
- 3.2.2. not Process Customer Data other than on the Customer's documented instructions unless Processing is required by applicable Data Protection Laws and Regulations to which the relevant Processor is subject, in which case Atrilio or the relevant Atrilio Affiliate shall to the extent permitted by applicable Data Protection Laws and Regulations inform the Customer of that legal requirement before the relevant Processing of that Personal Data.
3.3. Customer:
- 3.3.1. instructs Atrilio and each Atrilio Affiliate (and authorizes Atrilio and each Atrilio Affiliate to instruct each Sub-processor commissioned by Atrilio according to the requirement set forth in Section 6.4. of this DPA) to:
- 3.3.1.1. Process Customer Data; and
- 3.3.1.2. in particular, transfer Customer Data to any country or territory, as reasonably necessary for the provision of the Products. Transfer of personal data to third countries may only take place if the requirements of applicable Data Protection Laws and Regulations are met accordingly; and
- 3.3.2. warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in section 3.3.1.
3.4. Details of the Processing. The subject-matter of Processing of Personal Data by Atrilio is the provision of the Products pursuant to the Principal Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 to this DPA. Customer may make reasonable amendments to Annex 1 by written notice to Atrilio from time to time as Customer reasonably considers necessary to meet those requirements. Nothing in Annex 1 (including as amended pursuant to this section 4) confers any right or imposes any obligation on any party to this Agreement.
4. Atrilio and Atrilio Affiliate Personnel
Atrilio and each Atrilio Affiliate shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Processor who may have access to the Customer Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Customer Data, as strictly necessary for the purposes of providing the Products, and to comply with the applicable Data Protection Laws and Regulations in the context of that individual's duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5. Security
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Atrilio and each Atrilio Affiliate shall in relation to the Customer Data implement and maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data. Atrilio regularly monitors compliance with these measures. Atrilio will not materially decrease the overall security of the Products during a subscription term.
6. Subprocessing
6.1. Customer authorizes Atrilio and each Atrilio Affiliate to appoint (and permit each Sub-processor appointed in accordance with this section 6 to appoint) Sub-processors in accordance with this section 6.
6.2. Atrilio and each Atrilio Affiliate may use those Sub-processors already engaged by Atrilio or any Atrilio Affiliate as at the date of this DPA and appoint new Sub-processors, subject to Atrilio and each Atrilio Affiliate in each case as soon as practicable meeting the obligations set out in section 3.
6.3. Atrilio or an Atrilio Affiliate has entered into a written agreement with each Sub-processor containing, in substance, data protection obligations no less protective than those in the DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
6.4. Atrilio may only commission Sub-processors with the prior express written or documented consent of the Customer. Atrilio is obliged to carefully select Sub-processors according to their suitability and reliability. Atrilio has to engage Sub-processors in accordance with the provisions of this DPA and ensure that the Customer can exercise its rights under this DPA (in particular its audit and control rights) directly towards the Sub-processors.
6.5. In this respect, the Customer has so far agreed to commission the Sub-processors indicated in Annex 2 “List of Sub-Processors” under the condition of a contractual agreement as required by the applicable Data Protection Laws and Regulations.
6.6. If the Sub-processor provides the agreed performance outside the EU/EEA, Atrilio must ensure that the respective Sub-processor provides an adequate level of data protection within the meaning of Art. 44 et seq. GDPR.
7. Data Subject Rights
7.1. Taking into account the nature of the Processing, Atrilio and each Atrilio Affiliate shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the applicable Data Protection Laws and Regulations.
7.2. Atrilio shall:
- 7.2.1. promptly notify Customer if any Processor receives a request from a Data Subject under any applicable Data Protection Laws and Regulations in respect of Customer Data; and
- 7.2.2. ensure that the Processor does not respond to that request except on the documented instructions of Customer or as required by applicable Data Protection Laws and Regulations to which the Processor is subject, in which case Atrilio shall to the extent permitted by applicable Data Protection Laws and Regulations inform Customer of that legal requirement before the Processor responds to the request.
8. Customer Data Incident
8.1. Atrilio shall notify Customer within 24 (twenty-four) hours of Atrilio or any Sub-processor becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Atrilio or its Sub-processors of which Atrilio becomes aware (the “Customer Data Incident”) affecting Customer Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Customer Data Incident under the applicable Data Protection Laws and Regulations.
8.2. Atrilio shall cooperate with Customer and take such reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
9. Data Protection Impact Assessment and Prior Consultation
9.1. Atrilio and each Atrilio Affiliate shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with Public Authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by the applicable Data Protection Laws and Regulations, in each case solely in relation to Processing of Customer Data by, and taking into account the nature of the Processing and information available to, the Processors.
Government Access Requests
Atrilio requirements. In its role as a Processor, Atrilio shall maintain appropriate measures to protect Personal Data in accordance with the requirements of the applicable Data Protection Laws and Regulations, including by implementing appropriate technical and organizational safeguards to protect Personal Data against any interference that goes beyond what is necessary in a democratic society to safeguard national security, defense and public security. If Atrilio receives a legally binding request to access Personal Data from a Public Authority, Atrilio shall, unless otherwise legally prohibited, promptly notify Customer including a summary of the nature of the request. To the extent Atrilio is prohibited by law from providing such notification, Atrilio shall use commercially reasonable efforts to obtain a waiver of the prohibition to enable Atrilio to communicate as much information as possible, as soon as possible. Further, Atrilio shall challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful. Atrilio shall pursue possibilities of appeal. When challenging a request, Atrilio shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the Personal Data requested until required to do so under the applicable procedural rules. Atrilio agrees it will provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request. Atrilio shall promptly notify Customer if Atrilio becomes aware of any direct access by a Public Authority to Personal Data and provide information available to Atrilio in this respect, to the extent permitted by law. 
For the avoidance of doubt, this DPA shall not require Atrilio to pursue action or inaction that could result in civil or criminal penalty for Atrilio such as contempt of court.
Sub-processors requirements. Atrilio shall ensure that Sub-processors involved in the Processing of Personal Data are subject to the relevant commitments regarding Government Access Requests in the Standard Contractual Clauses.
10. Deletion or return of Customer Data
10.1. Subject to sections 10.2 and 10.3 Atrilio and each Atrilio Affiliate shall promptly and in any event within thirty (30) days of the date of cessation of any Products involving the Processing of Customer Data (the "Cessation Date"), delete and procure the deletion of all copies of those Customer Data.
10.2. Subject to section 10.3, Customer may in its absolute discretion by written notice to Atrilio within thirty (30) days of the Cessation Date require Atrilio and each Atrilio Affiliate to (a) return a complete copy of all Customer Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Atrilio; and (b) delete and procure the deletion of all other copies of Customer Data Processed by any Processor. Atrilio and each Atrilio Affiliate shall comply with any such written request within thirty (30) days of the Cessation Date.
10.3. Each Processor may retain Customer Data to the extent required by the applicable Data Protection Laws and Regulations and only to the extent and for such period as required by the applicable Data Protection Laws and Regulations and always provided that Atrilio and each Atrilio Affiliate shall ensure the confidentiality of all such Customer Data and shall ensure that such Customer Data is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws and Regulations requiring its storage and for no other purpose.
11. Audit rights
11.1. Subject to section 11.2, Atrilio and each Atrilio Affiliate shall make available to Customer on a written request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to one (1) remote audit during a current calendar year by Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Data by the Processors.
11.2. Information and audit rights of the Customer only arise under section 11.1 to the extent that the Principal Agreement does not otherwise give them information and audit rights meeting the relevant requirements of the applicable Data Protection Laws and Regulations (including, where applicable, article 28(3)(h) of the GDPR).
12. International transfers
12.1. Customer authorizes Atrilio to transfer Customer Data when strictly necessary in providing Products to Customer. As of the Effective Date of the Principal Agreement, Atrilio has no reason to believe that the laws and practices in any third country of destination applicable to its Processing of the Personal Data prevent Atrilio from fulfilling its obligations under this DPA. If Atrilio reasonably believes that any existing or future enacted or enforceable laws and practices in the third country of destination applicable to its Processing of the Personal Data ("Local Laws") prevent it from fulfilling its obligations under this DPA, it shall promptly notify Customer. In such a case, Atrilio shall use reasonable efforts to recommend a commercially reasonable change to Customer's configuration or use of the Products to facilitate compliance with the Local Laws without unreasonably burdening Customer.
Europe Specific Provisions
GDPR. Atrilio will Process Personal Data in accordance with the GDPR requirements directly applicable to Atrilio's provision of its Products.
Customer Instructions. Atrilio shall inform Customer immediately (i) if, in its opinion, an instruction from Customer constitutes a breach of the GDPR and/or (ii) if Atrilio is unable to follow Customer's instructions for the Processing of Personal Data.
Transfer mechanisms for data transfers. If, in the performance of the Products, Personal Data that is subject to the GDPR or any other law relating to the protection or privacy of individuals that applies in Europe is transferred out of Europe to countries which do not ensure an adequate level of data protection within the meaning of the Data Protection Laws and Regulations of Europe, the transfer mechanisms listed in the Standard Contractual Clauses shall apply to such transfers and can be directly enforced by the Parties to the extent such transfers are subject to the Data Protection Laws and Regulations of Europe.
13. General Terms
Governing law and jurisdiction
13.1. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
13.1.1. the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
13.1.2. this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement.
13.1.3. if the Principal Agreement is not governed by an EU Member State law, the Standard Contractual Clauses will be governed by either (i) the laws of Spain; or (ii) where the Agreement is governed by the laws of the United Kingdom, the laws of the United Kingdom.
Order of precedence
13.2. Nothing in this DPA reduces Atrilio's or any Atrilio Affiliate's obligations under the Principal Agreement in relation to the protection of Personal Data or permits Atrilio or any Atrilio Affiliate to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the Principal Agreement. In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.3. Subject to section 13.2, with regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including the Principal Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this DPA, the provisions of this DPA shall prevail.
Severance
13.4. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER DATA
This Annex 1 includes certain details of the Processing of Customer Data.
Subject matter and duration of the Processing of Customer Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Principal Agreement and this DPA.
The nature and purpose of the Processing of Customer Data
Hosting, caching, routing, transmitting, storing, copying, performing, displaying, erasure of Customer Personal Data for the provision of the Services for Customer pursuant to the Principal Agreement.
The categories of Data Subject to whom the Customer Data relates
Customer may submit Personal Data to the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Prospects, customers, business partners and vendors of Customer (who are natural persons);
- Employees or contact persons of Customer's prospects, customers, business partners and vendors;
- Employees, agents, advisors, freelancers of Customer (who are natural persons);
- Customer's Users authorized by Customer to use the Products.
The categories of Personal Data Transferred
Customer may submit Personal Data to the Products, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Contact information (company, email, phone)
Sensitive Data Transferred (Not Applicable)
Sub-processors Transfers
Sub-processor will Process Personal Data as necessary to provide the Products pursuant to the Principal Agreement for the duration of the Principal Agreement, unless otherwise agreed in writing.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Customer Affiliates are set out in the Principal Agreement and this DPA.
Technical and Organizational Measures
Atrilio will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to Atrilio Products. Data Subject Requests shall be handled in accordance with section 7 of this DPA.