Data processing agreement

This Data Processing Agreement (the "DPA") is an integral part of the agreement or other document that contains a reference to the DPA.

1. TERMS AND DEFINITIONS

The following terms are used in the DPA:

1. Agreement — an agreement or other document that contains a reference to the DPA.

2. Service — a product and/or service listed on the following pages:

The Service may also refer to a product and/or service not listed on the above pages, if such product and/or service is named in the Agreement.

3. User — a person who has entered into a service agreement, a license agreement for the use of the Services, or another agreement with the Positive or its authorized representative (such as a distributor or partner).

4. Positive — one of the legal entities named in the Agreement:

  • Joint Stock Company Positive Technologies, 107061, Moscow, Preobrazhenskoye Municipal District, Preobrazhenskaya sq., 8, room 60, OGRN (Primary State Registration Number): 1127746201087;
  • Joint Stock Company Positivnye Technologii, 107061, Moscow, Preobrazhenskoye Municipal District, Preobrazhenskaya sq., 8, room 60, OGRN (Primary State Registration Number): 1127746201087;
  • Public Joint Stock Company Positive Group, 107061, Moscow, Preobrazhenskoye Municipal District, Preobrazhenskaya sq., 8, room 60, OGRN (Primary State Registration Number): 5177746006510;
  • Joint Stock Company TRIZTECH, 107061, Moscow, Preobrazhenskoye Municipal District, Preobrazhenskaya sq., 8, room 62, OGRN (Primary State Registration Number): 1257700453075;
  • Joint Stock Company NNS, 107061, Moscow, Preobrazhenskoye Municipal District, Preobrazhenskaya sq., 8, room 60, OGRN (Primary State Registration Number): 1257700533727.

5. Parties — the Positive and the User.

The terms "data controller," "personal data," "data subject", "special categories of personal data" and "biometric personal data" are used within the meanings provided by Federal Law No. 152-FZ On Personal Data of July 27, 2006 or other applicable data protection legislation.

The term "sensitive data" refers to special categories of personal data and biometric personal data.

Any reference to a law or regulation is a reference to it, as amended or modified from time to time.

In the event of uncertainty about the meaning of a term in the DPA, the interpretation of the term should be determined first by applicable law, secondly by the website https://ptsecurity.com/, and then by the established (generally used) interpretation on the internet.

2. GENERAL PROVISIONS

2.1. Subject matter of the Agreement: the DPA governs the processing of personal data when providing Services to the User under the Agreement. It comes into effect upon commencement of the provision of the Service to the User and supersedes any terms previously applicable to the processing of personal data when providing the Service to the User.

2.2. The DPA applies to any personal data processed during the Positive's interactions with the User and/or processed when providing Services to the User.

2.3. The DPA does not apply to the processing of personal data unless the relevant Agreement contains a reference to this DPA.

2.4. The terms for personal data processing for Users from the Republic of Belarus are contained in Section 6 of the DPA.

3. PERSONAL DATA PROCESSING

3.1. Personal data processing by independent data controllers.

For the following purposes, the Parties are recognized as independent data controllers:

Purpose of personal data processing: Conclusion and execution of contracts with counterparties of the Positive.
Legal basis for processing: Performance of a contract to which the data subject is a party; legitimate interest.
Categories of data subjects: Data subjects whose personal data are processed in connection with the provision of the Service to the User, including:
  • Counterparties of the Positive and (or) their authorized representatives.
Categories of personal data: Last name, first name, phone number, email address, messenger identifiers, job position, company name, information about interactions with the Positive. For counterparties who are natural persons, additionally: passport details, registration and residential addresses, insurance number (such as SNILS), taxpayer identification number (INN), and bank account details.
Processing operations: Collection, recording, systematization, accumulation, storage, clarification (updating or changing), extraction, use, transfer (provision, or access), anonymization, blocking, deletion, and destruction.
Retention period: Until the purposes of processing have been achieved, unless a different retention period is provided by the Agreement, applicable law, or other relevant document.

Purpose of personal data processing: Provision of the Service to the User:
  • PT Fusion
Legal basis for processing: Performance of a contract to which the data subject is a party; consent; legitimate interest.
Categories of data subjects: Data subjects whose personal data is processed as part of providing the Service to the User, including: the User's employees; representatives of the User's counterparties; other data subjects whose data may be accessed by the Positive in the course of providing the Service to the User.
Categories of personal data: First name, last name, email address, and other information contained in files uploaded by the User to the Service that constitutes personal data under applicable law (e.g., phone number, photo, messaging identifiers, job position, place of employment).
Processing operations: Collection, recording, systematization, receipt, accumulation, storage, clarification (updating or changing), electronic copying, extraction, use, anonymization, blocking, deletion, and destruction.
Retention period: During the User's use of the Service, unless otherwise specified in the Agreement.

Purpose of personal data processing: Authorization and registration of the User's representatives in the Services (in particular, through the Positive portal at https://myportal.ptsecurity.com/).
Legal basis for processing: Performance of a contract to which the data subject is a party; legitimate interest.
Categories of data subjects: Subjects whose personal data is processed as part of providing access to the Positive portal (https://myportal.ptsecurity.com/) or to the functionality of a specific Service: employees and other representatives of the User.
Categories of personal data: Last name, first name, patronymic, job position, company name, email address, phone number, location of the personal data subject.
Processing operations: Collection, recording, systematization, receipt, accumulation, storage, clarification (updating or changing), electronic copying, extraction, use, anonymization, blocking, deletion, and destruction.
Retention period: During the User's use of the relevant Service and, after such use ends, for three (3) years after termination of the relevant Agreement, unless otherwise provided by applicable law.

3.1.1. When personal data is transferred from one Party to the other, responsibility for ensuring a legal basis for the processing of such personal data, including obtaining consent in due form and notifying data subjects of the terms of processing of their personal data, lies with the Party disclosing such personal data. Upon request by the receiving Party, the disclosing Party undertakes to provide confirmation of compliance with the aforementioned obligations.

3.1.2. When processing personal data, the Parties shall take the necessary legal, organizational, and technical measures in accordance with applicable law or ensure their implementation to protect personal data from unauthorized or accidental access, destruction, modification, blocking, copying, disclosure, distribution, and other illegal actions.

3.1.3. Information regarding the processing of personal data by the Positive as an independent personal data controller is contained in the Policy available at: https://ptsecurity.com/legal/privacy-policy/.

3.2. Processing under the authority of the User as a data controller (the Positive is a processor)

3.2.1. Except as otherwise provided in Clause 3.1 of this DPA, the Positive shall process personal data on behalf of the User for the purpose of providing the Services under the Agreement, subject to the following terms:

Purpose of processing of personal data on behalf of the User and further processing by the Positive: Provision of the Service to the User (except as specified in Clause 3.1 of this DPA).
Categories of the data subjects whose personal data is processed on behalf of the User: Data subjects whose personal data is processed in connection with the provision of the Services to the User (including the User's employees, contractors, and other data subjects).
Categories of personal data processed on behalf of the User:
  • Last name, first name, patronymic, place of employment, email address, job position;
  • Information relating to the activities of data subjects (log data);
  • Other personal data, the scope of which depends on the nature of the relationship between the User and the Positive and may be further specified in the Agreement.
Processing operations: Collection, recording, systematization, accumulation, storage, clarification (updating or changing), extraction, use, transfer (provision, or access), anonymization, blocking, deletion, destruction, receipt, search, copying, comparison, and unification (linking) of personal data.
Duration of processing of personal data by the Positive on behalf of the User: Until the purposes of processing of personal data have been achieved.

3.2.2. The Positive shall delete personal data processed on behalf of the User under this DPA in the cases provided for in the Agreement and as required by applicable law.

3.2.3. Engagement of Sub-processors

3.2.3.1. The Positive shall process personal data under this DPA either independently or by engaging third parties to process personal data (hereinafter referred to as "Sub-processors") on the basis of agreements concluded with such Sub-processors, without prior notice to or approval from the User. The Positive shall remain fully liable to the User for the performance of its obligations under this DPA and for any acts or omissions of its Sub-processors. In particular, such Sub-processors include:

  • Limited Liability Company Yandex.Oblako, 119021, Moscow, Leo Tolstoy Street 16, Premises 528, OGRN (Primary State Registration Number): 1187746678580;
  • Limited Liability Company Svyaz VSD, 127083, Moscow, Marta Street 8, Building 1, OGRN (Primary State Registration Number): 1037713010444;
  • Joint Stock Company Data Storage Center, 127282, Moscow, Chermyansky Passage 5A, Building 1, OGRN (Primary State Registration Number): 1247700651461.

3.2.3.2. The Sub-processors shall be bound by data protection obligations no less protective than those set out in this DPA and shall comply with the applicable data protection laws and regulations, including obligations relating to the confidentiality and security of personal data.

3.2.4. The User shall:
a. Ensure the existence and validity of appropriate legal bases for the processing of personal data, as required under applicable law, sufficient to allow the Positive to process personal data in the scope and for the duration specified in this DPA. This includes, without limitation, obtaining all necessary consents and duly informing data subjects whose personal data are processed in connection with the provision of the Service to the User.

b. Ensure the accuracy of personal data processed, as well as their adequacy and relevance in relation to the purposes of processing, and keep such personal data up to date.

c. Respond to requests and inquiries from data subjects relating to the processing and protection of personal data, in accordance with applicable data protection laws.

d. Independently respond to requests and inquiries from competent supervisory authorities relating to the processing and protection of personal data under this DPA.

e. Establish and maintain appropriate technical and organizational measures to ensure the security of personal data, in accordance with applicable law, including Article 19 of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006.

f. Refrain from taking any actions that may result in the Positive obtaining access to special categories of personal data or other categories of restricted information, including information constituting legally protected secrets (such as state secrets or banking secrecy), as defined under applicable law, including Federal Law No. 149-FZ "On Information, Information Technologies and Information Protection" of July 27, 2006.

g. Provide the Positive, no later than ten (10) business days from receipt of the Positive's request, with information and/or documentation confirming the existence of valid legal grounds for instructing the Positive to process personal data in accordance with this DPA, including, where required under applicable law, duly obtained consents from data subjects authorizing the Positive to process their personal data. The scope and content of such information and/or documentation shall be determined by the Parties in accordance with applicable law and with due regard to the rights and legitimate interests of data subjects, the Parties, and other relevant persons.

3.2.5. The Positive shall:

a. Process personal data in accordance with the User's instructions.

b. Comply with the principles and rules for processing personal data stipulated by Federal Law No. 152-FZ "On Personal Data" of July 27, 2006.

c. Maintain the confidentiality of personal data and ensure its security.

d. Process personal data using databases located within the Russian Federation.

e. To the extent provided by law, ensure the application of the measures specified in Articles 18.1 and 19 of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006. Depending on the method and context of personal data processing, the Positive applies the following measures:

  • appointing a person responsible for organizing the processing of personal data;
  • issuing documents defining the Positive's policy regarding the processing of personal data, the Positive's local regulations on personal data processing, defining for each purpose of personal data processing the categories and list of personal data to be processed, the categories of subjects whose personal data is processed, the methods and timeframes for processing and storage, the procedure for the destruction of personal data upon achieving the processing objectives or upon the occurrence of other legal grounds, as well as local regulations establishing procedures aimed at preventing and identifying violations of personal data legislation and eliminating the consequences of such violations;
  • implementing internal control and/or auditing of personal data processing compliance with applicable personal data legislation, personal data protection requirements, and local regulations of the Positive;
  • assessing the harm, in accordance with the requirements established by the authorized body for the protection of the rights of personal data subjects in the Russian Federation, that may be caused to subjects in the event of a violation of the requirements of applicable personal data legislation;
  • familiarizing persons engaged (admitted) by the Positive to process personal data with the requirements of applicable personal data legislation, including personal data protection requirements, and local regulations on personal data processing, and (or) training such persons;
  • identifying threats to the security of personal data that may arise during their processing in personal data information systems;
  • applying organizational and (or) technical measures to ensure the security of personal data during their processing, including in personal data information systems, necessary to ensure the ongoing confidentiality, integrity, availability, and sustainability of processes and/or systems related to the processing of personal data;
  • using information security tools that have undergone the established compliance assessment procedure, where the use of such tools is necessary to neutralize current threats to the security of personal data and of the information technologies used in personal data information systems;
  • prohibiting the merging of databases containing personal data, or the recording of personal data on a single tangible medium, where the personal data is processed for incompatible purposes;
  • detecting instances of unauthorized access to personal data information systems and taking appropriate measures, including measures to detect, prevent, and mitigate the consequences of computer attacks on personal data information systems related to the processing of personal data, and to respond to computer incidents in them;
  • restoring personal data modified or destroyed due to unauthorized access to them or another incident;
  • establishing rules for access to personal data processed in personal data information systems, as well as ensuring the registration and accounting of all actions performed with personal data in personal data information systems;
  • monitoring the measures taken to ensure the security of personal data and the level of protection of personal data information system;
  • establishing and approving the list of persons (positions) involved (admitted) by the Positive in the automated and/or non-automated processing of personal data, including in personal data information systems, and restricting access to personal data for other persons;
  • organizing a security regime for premises where personal data is processed and/or where software and hardware used for processing personal data are located;
  • creating a structural unit responsible for ensuring the security of personal data in the Positive's information systems, or assigning functions for ensuring such security to one of the existing structural units.

f. Upon the User's request, during the validity period of the DPA, including prior to processing personal data, provide documents and other information confirming the implementation of the measures stipulated by the DPA.

g. Without undue delay, notify the User of the cases specified in Part 3.1 of Article 21 of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006, namely the establishment of an unlawful or accidental transfer (provision, distribution, or access) of personal data that results in a violation of the rights of personal data subjects and occurs through the fault of the Positive. The Positive will provide the User with the necessary and sufficient information and support related to such an event that may be required for the User to fulfill its legal obligations and to mitigate the negative consequences that may arise from such an event. Under no circumstances will the Positive's notifications and provision of such information and support to the User be construed by the Parties as an acknowledgement or confirmation of the Positive's liability for unauthorized access by third parties to, transfer to third parties of, or distribution to third parties of personal data processed by the Positive on behalf of the User under the DPA. To the extent permitted by applicable law, the Positive will not, without the User's prior permission, notify the relevant authorized bodies and/or entities of the relevant incident, make any public statements, or otherwise notify any persons of such incident without first taking reasonable steps to consult with the User. If this is not possible, the Positive will not, without the User's prior permission, use the name of the User and/or its affiliates in such notification or in any public statements.

h. In the event of requests from a personal data subject for the information specified in Part 7 of Article 14 of Federal Law No. 152-FZ "On Personal Data" of July 27, 2006 or requests from a subject to clarify their personal data, block it, or destroy it if the personal data is incomplete, outdated, inaccurate, illegally obtained, or is not necessary for the stated purpose of processing, or other requests from personal data subjects, forward these requests to the User (unless otherwise provided by law).

i. No later than five (5) business days from the date of receipt of the User's request regarding personal data specified in that request and processed by the Positive under the DPA, perform or ensure (if third parties are involved in the processing of the personal data by the Positive) the clarification (updating, modification), transfer (provision, access), blocking, deletion, or destruction of such personal data. Such actions under this clause of the DPA shall be deemed performed, and the Positive is not obligated to notify the User of their results.

j. Allow its employees, contractors, and other third parties access to processed personal data only when strictly necessary for the processing of personal data under the DPA, and when appropriate steps have been taken to ensure compliance with security and confidentiality measures.

3.2.6. The Positive shall not abuse the right set out in Clause 3.2.4(g) of this DPA and shall exercise such right solely where obtaining the relevant information and/or documentation is necessary to ensure timely and proper compliance with applicable law or to prevent potential violations thereof.

4. LIABILITY

4.1. Liability of the Parties for personal data processing as independent data controllers (Clause 3.1 of the DPA)

4.1.1. Each Party shall be independently liable for its own acts and omissions in connection with the processing of Personal Data.

4.1.2. Except as provided in Clause 3.1.1 of the DPA and in cases involving a breach by a Party of its obligations under the DPA, neither Party shall be liable for the acts or omissions of the other. In the event of any claims, demands, or legal actions brought by third parties, including data subjects and supervisory authorities, each Party shall handle and resolve such matters independently without involving the other Party.

4.2. Liability of the Parties when the Positive is a processor and the User is a controller (Clause 3.2 of the DPA)

4.2.1. The Positive shall be liable to the User, within the limits established by the Agreement and the DPA, for any culpable actions related to the processing of personal data under the DPA, including the actions (or inactions) of its employees who have access to personal data processed on behalf of the User that result in the disclosure of such personal data. The Positive's liability is limited to compensating the User for actual damages only. In any event, the Positive's total liability under the DPA shall under no circumstances exceed 100,000 (one hundred thousand) rubles (RUB), including any claims, damages, expenses, and other types of liability.

4.2.2. The Positive shall not be liable for ensuring the lawfulness of personal data processing, which may include obtaining consent from personal data subjects and informing them of the terms of personal data processing as well as for determining the scope of personal data.

4.2.3. The User as the controller shall be liable to personal data subjects and regulatory government agencies for the actions taken by the Positive in executing the assignment. In particular, the User is responsible for responding to requests from personal data subjects and from regulatory authorities.

4.2.4. In the event that the Positive is presented with any claims, demands, or lawsuits from third parties, including personal data subjects and regulatory authorities, in connection with the execution of the assignment, which arose due to the User's violation of its obligations under the DPA or the User's violation of the statutory procedure for processing personal data (including failure to obtain consent for such processing), the User shall:

  • independently and at its own expense resolve such claims, demands, and legal actions, while keeping the Positive informed of the progress of such resolution and providing prior notice of any intended actions;
  • if the Positive's participation in the settlement of such claims, demands, or lawsuits is necessary, or if the Positive is held liable for violating any laws and regulations regarding personal data, upon the Positive's request, compensate the Positive for property losses in accordance with Article 406.1 of the Civil Code of the Russian Federation or any other applicable law, and, at the Positive's request, participate in the settlement of such claims, demands, and lawsuits.

4.2.5. Scope of indemnified losses.

The User's indemnification obligations in Clause 4.2.4 of the DPA shall include, without limitation, indemnification for:

  • the amount of fines, penalties, compensation, and other payments to any third parties that the Positive is obligated to make in the event of such circumstances (including the amount of damages that may be recovered from the Positive or from third parties engaged by it to fulfill its obligations under the Agreement) on the basis of a decision of a court, arbitration tribunal, or international commercial arbitration (including a settlement agreement approved by such a body), or a decision of a competent government agency;
  • the amount of legal and consulting costs incurred by the Positive to protect its rights and interests in connection with the occurrence of the circumstances specified in Clause 4.2.4 of the DPA.

The User shall reimburse the Positive for any indemnified losses within ten (10) business days following receipt of the Positive's written notice of the claim and reasonable supporting documentation evidencing such losses.

5. MISCELLANEOUS

5.1. The DPA shall be governed by, applied, and interpreted in accordance with the laws of the Russian Federation, without regard to its conflict of laws provisions.

5.2. The Parties undertake to resolve any disputes that may arise between them in the manner and within the timeframes established by the relevant Agreement.

5.3. The current version of the DPA is posted online at the following permanent address: https://ptsecurity.com/legal/data-protection-agreement/.

5.4. The Positive reserves the right to unilaterally amend the DPA by publishing a new version of the DPA at the address specified in clause 5.3 of the DPA. The User undertakes to monitor the current status of the DPA. The User is deemed to have received notice on the date the new version is posted. The Positive reserves the right to notify the User of material changes to the DPA. Such changes shall take effect upon their publication at the address specified in clause 5.3 of the DPA.

6. JURISDICTION-SPECIFIC TERMS

6.1. DPA Terms for Users from the Republic of Belarus

6.1.1. Personal data processing by independent data controllers:
The Parties shall be considered independent data controllers with respect to the purposes of personal data processing specified in Clause 3.1 of this DPA. When carrying out such processing, the Parties shall comply not only with the terms of this DPA but also with the applicable data protection laws and regulations of the Republic of Belarus regarding personal data.

6.1.2. Processing under the authority of the User as a data controller (the Positive is a processor)

a. The terms of Sections 1–5 of this DPA shall apply to the relationship between the Positive and a User from the Republic of Belarus to the extent they do not conflict with the personal data legislation of the Republic of Belarus.

b. The purposes of personal data processing and the list of actions to be performed with personal data by the Positive are specified in Clause 3.2 of the DPA.

c. The Positive undertakes to maintain the confidentiality of personal data. The Positive shall not disseminate and (or) provide personal data that became known to it in connection with the execution of the DPA and (or) the Agreement, including after the termination of processing, without a legal basis provided for by applicable laws.

d. The Positive shall implement appropriate technical and organizational measures to ensure the security of personal data as required under Article 17 of the Law of the Republic of Belarus No. 99-Z dated 7 May 2021 "On Personal Data Protection". More information regarding such security measures is set forth in Clause 3.2.5(e) of this DPA.

e. For the purpose of enabling the User to verify the Positive's compliance with personal data protection requirements pursuant to Article 17 of the Law of the Republic of Belarus No. 99-Z dated 7 May 2021 "On Personal Data Protection," the Positive shall, upon the User's request, provide information necessary to demonstrate the implementation of such measures within the timeframes agreed in connection with the relevant request.

f. If the Positive receives a request from a data subject to provide information as provided for under Chapter 3 of the Law of the Republic of Belarus No. 99-Z dated 7 May 2021 "On Personal Data Protection," the Positive shall forward such request to the User within a reasonable period after receipt. The User shall be solely responsible for responding to data subject requests relating to the processing and protection of personal data.

g. In order to enhance the protection of personal data during processing, the Positive may apply anonymization or de-identification measures using organizational and/or technical means that prevent the identification of a data subject without the use of additional information.

h. The Positive shall cease processing of personal data under this DPA and shall delete or block such personal data in the cases provided for under the Agreement and applicable legislation of the Republic of Belarus.