SMARTCAT DATA PROCESSING AGREEMENT
Current version. Last updated on February 20, 2024.
This Data Processing Agreement (“DPA”) forms part of the Service Contract executed between you and Smartcat and the Terms of Service, available at https://www.smartcat.com/terms/, or such other location as the Terms of Service may be posted from time to time, entered into by you as the User and Smartcat.
The purpose of this DPA is to reflect the parties’ agreement with regard to Processing of Personal Data in accordance with the requirements of the GDPR (as described herein) and other Data Protection Laws.
Terms and definitions used herein shall have the same meaning attributable to them in this DPA, the Terms of Service, Service Contract and GDPR, unless the context herein suggests otherwise.
1.1. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with Smartcat.
1.2. “Content” means any document, information, data, text, images, software, music, videos, sound, photographs, graphics, messages or other materials, including any text and/or oral communication, that a Customer wishes Smartcat to translate or process in the agreed way and provides for translation/processing by uploading it or assigning a task (hereinafter, “upload”) on the Platform.
1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.4. “Customer” means a User of the Platform who is a party to a Service Contract.
1.5. “Data Protection Laws” means all applicable data protection, privacy and data security laws and regulations, including the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively referred to herein as the “CCPA”) and any similar or equivalent applicable laws or regulations.
1.6. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
1.7. “EEA” means the European Economic Area.
1.8. “EU” means the European Union.
1.9. “GDPR” / “General Data Protection Regulation” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.11. “Personal Data” means any information related to the Data Subject.
1.12. “Processing of Personal Data” / “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.13. “Processor” means Smartcat which processes the Personal Data on behalf of the Controller.
1.14. “Security Measures” means any measures of the administrative, physical, and technical safeguards in Smartcat’s information system. The list of Security Measures is mentioned in clause 7.1. of the DPA.
1.15. “Service Contract” means a customer agreement, located at https://www.smartcat.com/legal/customer-agreement/, or paper version of the master services agreement executed between you and Smartcat.
1.16. “Service Task” has the meaning in the Service Contract.
1.17. “Services” means subscription, translation and related services, i.e., editing, post-editing, proofreading, interpreting, etc.
1.18. “Smartcat Platform” / “Platform” means Smartcat’s website and technology platform for translation workflow automation, which is located at https://www.smartcat.com/.
1.19. “Smartcat” means either Smartcat Platform Inc. – a legal entity registered under the laws of the United States of America; or Smartcat Europe B.V. – a legal entity registered under the laws of the Netherlands with registered address at Strawinskylaan 613, 1077 XX Amsterdam, the Netherlands, registration № 859832880. Which legal entity is your contractual party depends on which further agreement you become a party to.
1.20. “Standard Contract Clauses” / “SCC” means an agreement made using the relevant EU Standard Contractual Clauses as adopted by the EU Commission for the transfer of Personal Data to countries outside the EU/EEA.
1.21. “Subprocessor” means any entity or person appointed by or on behalf of the Processor to process Personal Data on behalf of the Processor.
1.22. “Subcontractor” means any individual freelancer or legal entity that is registered on the Platform as a supplier and wishes to perform the Service Task for the Customer.
1.23. “Supervisory authority” means an independent public authority.
1.24. “United Kingdom International Data Transfer Agreement or Addendum” / “UK IDTA” means either, as applicable, (a) the International Data Transfer Agreement when used under the UK GDPR, or (b) the International Data Transfer Addendum to the EU SCCs issued by the Commissioner under S119A (1) of the Data Protection Act 2018, version A1.0, in force from March 21, 2022.
1.25. “User” means a Customer or a Subcontractor (depending on the context) registered on the Platform.
4. PROCESSING OF YOUR PERSONAL DATA
4.1. This section includes certain details of the Processing of your Personal Data.
a) Subject matter and duration of the Processing of your Personal Data are set out in the Terms of Service, Service Contract and this DPA.
b) Nature and purpose of the Processing of your Personal Data: Provision of software as a service for language translation and related services.
c) Types of your Personal Data to be processed: Name, address, photo, contact data, professional life data, other Personal Data in the uploaded Content to the Smartcat Platform.
d) Categories of the Data Subjects to whom your Personal Data relates: your customers, co-workers, employees, suppliers and other Data Subjects referred to in the uploaded Content to the Smartcat Platform.
4.2. Smartcat may process Personal Data provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service and Service Contract for the following purposes:
providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and
for the purposes set forth in the Terms of Service and Service Contract.
5. SCOPE OF INSTRUCTIONS GIVEN TO SMARTCAT
5.1. This DPA, the Terms of Service and the Service Contract set out your complete and final instructions to Smartcat in relation to the Processing of your Content containing Personal Data. Processing outside the scope of these instructions (if any) shall require prior written agreement between you and Smartcat. Smartcat will not use or process the Personal Data for any purpose other than this DPA, the Terms of Service, and the Service Contract.
6. PERSONAL DATA IN THE UPLOADED CONTENT TO SMARTCAT PLATFORM
6.1. You acknowledge and accept that Smartcat may not be aware of the presence of Personal Data in the Content uploaded by you to the Smartcat Platform unless you explicitly notify Smartcat in this regard. In this case, the responsibility of protecting such Personal Data remains with you.
7. SECURITY MEASURES
7.1. Smartcat Security Measures are the following:
Smartcat is SOC 2 Type II certified;
Usage of Tier IV data centers in the U.S., EU and China, run by AWS and Microsoft Azure, which are SOC-1, SOC-2, and SOC-3 compliant;
Passwords are stored in hashed and salted form (and several external authorized services are supported via OAuth 2.0);
Passwords in the production configuration files are encrypted and certificates required to decrypt configs are installed on the production machines by administrators and not accessible for engineers with lower levels of access;
Smartcat employees, agents and Subprocessors are required to enter into appropriate security, confidentiality and privacy contract terms;
Smartcat employees are thoroughly checked by our security team and can only use Personal Data when necessary as part of their work; their access is limited by authorization procedures and infrastructure, which do not allow employees with insufficient rights to access your Personal Data;
Smartcat employees have completed appropriate training regarding data security;
Smartcat maintains policies and procedures to detect, monitor, document and respond to actual or reasonably suspected security incidents;
Full list of Smartcat Security Measures is located at https://www.smartcat.com/legal/smartcat-security-program/.
7.2. These Security Measures may be updated or modified provided that such updates and modifications do not result in the degradation of the overall security of Smartcat Platform.
8.1. To the extent the CCPA applies to the Processing governed by this DPA, the Processor acknowledges that Processor serves as a service provider or contractor, as applicable, with respect to Personal Data Processed by Processor hereunder. Processor acknowledges that Controller is only disclosing Personal Data to Processor for the service(s) identified in the Terms of Service or Service Contract (“Business Purpose”).
8.2. Processor further acknowledges and agrees that:
Processor shall only retain, use, or disclose such Personal Data for the Business Purpose (which means that Processor may not use Personal Data outside of the direct business relationship with Controller or combine Personal Data obtained from Controller with Personal Data that Processor may obtain from other sources);
Processor shall not sell or “share” (as defined in the CCPA) Personal Data or otherwise use Personal Data for any other purpose unless expressly authorized under the CCPA;
Processor shall notify Controller as soon as possible if it determines that it can no longer meet its obligations under this section of the DPA; and
Controller shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Processor.
9.1. You acknowledge and agree that a) Smartcat’s Affiliates may be retained as Subprocessors and b) Smartcat and Smartcat’s Affiliates respectively may engage third party Subprocessors in connection with the provision of the Services.
9.2. You hereby authorize Smartcat to engage with the following Subprocessors with the understanding that if you entered into SCC or UK IDTA, this authorization would constitute your prior written consent to the subcontracting by Smartcat of the Processing of Personal Data if such consent is required under the SCC.
EU data center – Personal Data of all Smartcat Users provided to Smartcat upon registration on the Platform and Content uploaded by Customers residing in Europe (including EEA), Australia and Africa.
USA data center - Content uploaded by Customers residing in North and South America
China data center - Content uploaded by Customers residing in APAC region
Smartcat marketplace Subcontractors (i.e. translators, editors, proofreaders)
To be selected by the Controller
Translation and related services
9.3. Smartcat may update the list of Subprocessors above from time to time sending you a 15 days prior written notice.
9.4. Subprocessor only accesses and uses any Personal Data, provided to Smartcat and/or uploaded by you to Smartcat Platform, to the extent required to perform the obligations subcontracted to such Subprocessor.
9.5. Smartcat remains fully liable for all obligations subcontracted to, and all acts and omissions of Subprocessors.
9.6. If within 15 days after notice of a new Subprocessor, you notify Smartcat in writing that you object to Smartcat’s appointment of such new Subprocessor based on reasonable data protection concerns, the Parties will discuss such concerns in good faith. If the Parties are unable to reach a mutually agreeable resolution to your objection to a new Subprocessor, you, as its sole and exclusive remedy, may terminate this DPA and the Service Contract.
10. INTERNATIONAL DATA TRANSFERS
10.1. Smartcat (and its Affiliates) may process and transfer Personal Data globally as necessary to provide the Services.
10.2. For the avoidance of doubt, if you reside in the European Union, your Content will be stored on the EU data center and will not leave the EU unless you:
10.2.1 Assign a Service Task to a Subcontractor residing outside the EU, therefore your Content will become available to such non-EU Subcontractor.
10.2.2. Instruct Smartcat to use non-EU servers of Machine translation engines or OCR service mentioned in the table in section 9.2.
10.2.3. Choose a Machine Translation engine or OCR service mentioned in the table in section 9.2. with a non-US server yourself.
10.3. The SCC or UK IDTA are incorporated into this DPA and apply where the application of the SCC or UK IDTA, as between the parties, is required under applicable Data Protection Laws for the transfer of personal data. The SCC or UK IDTA shall be deemed completed as follows:
10.3.1. As mentioned above you act as a Controller and Smartcat acts as Processor with respect to your Personal Data, therefore Module 2 of the SCC applies.
10.3.2. Clause 7 (the optional docking clause) is not included.
10.3.3. Under Clause 9 (Use of Subprocessors), the parties select Option 2 (General written authorization). The time period of the notification regarding any intended changes to the list of Subprocessors is at least 24 hours in advance.
10.3.4. Under Clause 11 (Redress), the optional language will not apply.
10.3.5. Under Clause 17 (Governing law), the parties choose Option 1 and select the law of the Netherlands.
10.3.6. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the Netherlands.
10.3.7. Annexes I, II and III of the SCC are set forth in Appendix below.
11. DATA SUBJECT RIGHTS
Taking into account the nature of the Processing, Smartcat shall assist you by implementing appropriate technical and organizational measures for the fulfillment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the General Data Protection Regulation as well as any Data Protection Laws.
11.1. Smartcat shall promptly notify you if Smartcat receives a request from a Data Subject or any Supervisory authority under any Data Protection Law in respect of your Personal Data, and shall cooperate as requested by you in order to comply with any Data Protection Laws regarding your Personal Data.
11.2. If Smartcat receives any request from a Data Subject in relation to Personal Data, provided to Smartcat and/or uploaded by you to Smartcat Platform, subject to section 11.1., you will be responsible for responding to any such request including, where necessary, by using the functionality of Smartcat Platform.
12. PERSONAL DATA BREACH
12.1. Smartcat shall notify you without undue delay, but not later than forty-eight (48) hours after Smartcat becomes aware of a Personal Data Breach affecting your Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Smartcat shall cooperate with you and take reasonable commercial steps, including as directed by you, to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
12.2. Smartcat’s obligation to report or respond to a Personal Data Breach incident is not and will not be construed as an acknowledgement by Smartcat of any fault or liability of Smartcat with respect to the Personal Data Breach incident.
12.3. Smartcat hereby declares and you agree that an unsuccessful security incident will not be reported to you. An unsuccessful security incident is one that results in no unauthorized access to Personal Data or to any of Smartcat’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents.
13. DATA PROTECTION IMPACT ASSESSMENT
13.1. Smartcat shall provide reasonable assistance to you with any data protection impact assessments, and prior consultations with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in the Netherlands or other competent data privacy authorities, which you reasonably consider to be required by articles 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of your Personal Data by and taking into account the nature of the Processing and information available to the Subprocessors.
14. DATA RETURN OR DELETION
14.2. Post Termination. Upon your written request Smartcat shall securely destroy or return such Personal Data or Content, provided to Smartcat, to you within a maximum period of 30 days.
14.3. Notwithstanding the foregoing, Smartcat may retain your Personal Data or Content: (i) as required by Data Protection Laws, or (ii) in accordance with its standard backup procedures meaning that it will be deleted in due course, provided that, in either case, Smartcat will (x) maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to, retained Personal Data and Content and (y) not further Process retained Personal Data and Content except for such purpose(s) and duration specified in such applicable Data Protection Laws.
15. RIGHT TO AUDIT
15.1. Controller reserves the right to perform an audit related to Smartcat’s compliance with obligations set out in this DPA if required and appropriate, yet not without prior written notification to Smartcat, and without creating a business disturbance for Smartcat. Assessment may be performed by you and/or another auditor mandated by you and the information obtained during the assessment shall be treated with utmost confidentiality.
15.2. To request an audit you must submit a detailed audit plan to Smartcat at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. Following the receipt by Smartcat of a request for an audit, Smartcat and you will discuss and agree in advance on: (1) the reasonable start date, (2) scope and duration of and security and confidentiality controls applicable to any audit.
15.3. You will be responsible for any fees you incur, including any fees charged by any auditor appointed by you to execute any such audit.
15.4. Smartcat may object in writing to an auditor appointed by you if the auditor is in Smartcat’s reasonable opinion, not suitable, qualified or independent, a competitor of Smartcat, or otherwise unsuitable. Any such objection by Smartcat will require you to appoint another auditor or conduct the audit yourself.
16. YOUR WARRANTIES, COVENANTS AND UNDERTAKINGS
16.1. You covenant and undertake to Smartcat:
to comply at all times with Data Protection Laws prescribed for data Controllers or data Processors (as the case may be) in respect of any Personal Data you provide to Smartcat and/or upload on Smartcat Platform pursuant to the Terms of Service and Service Contract;
if required by law, to be a party to SCC, IDTA or other cross-border transfer mechanisms;
that you are solely responsible for complying with incident notification laws applicable to you and fulfilling any third party notification obligations related to any Personal Data Breach.
16.2. You warrant to Smartcat:
if you are a Processor, then your instructions and actions with respect to the Personal Data provided to Smartcat have been authorized by the relevant Controller;
that the Security Measures (as detailed above) implemented and maintained by Smartcat as set out herein provide a level of security appropriate to the risk in respect of the Content you provide to Smartcat and/or upload to Smartcat Platform pursuant to the Terms of Service and Service Contract.
17. WARRANTIES, COVENANTS AND UNDERTAKINGS OF SMARTCAT
17.1. Smartcat covenants and undertakes to you:
to comply at all times with Data Protection Laws in respect of any Personal Data provided to Smartcat and/or uploaded by you to Smartcat Platform pursuant to the Terms of Service or the Service Contract;
to notify you as the User if, in Smartcat’s opinion, an instruction for the Processing of Personal Data given by you infringes applicable Data Protection Laws;
to inform you in writing if Smartcat cannot comply with the requirements under this DPA, in which case you as the User can terminate this DPA or take any other reasonable action, including suspending Processing of Personal Data operations.
18. GENERAL TERMS
18.1. Liabilities. Any and all liabilities of Smartcat under this DPA are, without exception, limited to the amount of limitation cap indicated in (a) the Service Contract, or (b) the Terms of Service if the Service Contract is not executed with you.
18.2. Notices. All notices required or permitted under this DPA shall be in writing addressed to the respective parties at their email addresses unless another address shall have been designated. All notices addressed to the User shall be sent to the email set forth at the User’s account dashboard. All notices addressed to Smartcat shall be sent to https://www.smartcat.com/contact-support/.
18.3. Order of Precedence. In the event of any conflict or inconsistency among the following documents, the order of precedence will be: (1) any Standard Contractual Clauses or other measures to which the parties have agreed (Cross-Border Transfer Mechanisms), (2) this DPA and (3) the Service Contract and the Terms of Service. To the fullest extent permitted by Data Protection Laws, any claims brought in connection with this DPA will be subject to the terms and conditions, including, but not limited to, the exclusions and limitations, set forth in the Service Contract.
18.4. Changes to the DPA. We reserve the right at all times to remove or modify any part of this DPA unilaterally. We shall notify you by e-mail or via the Platform about the amended and restated DPA to ensure that you stay informed of any such amendments and restatements. Your use of the Platform after the date of notification or the effective date of changes indicated in the notification shall mean your acceptance of the amended and restated DPA, unless you accepted them otherwise earlier. In case you use a corporate account, only the administrator of that corporate account will be notified. The administrator of the corporate account and not Smartcat is solely responsible for further notification of changes to other members of the corporate account.
A. LIST OF PARTIES
Customer as defined in the Service Contract
Activities relevant to the data transferred under these Clauses: Obtaining the Services on Smartcat Platform from Data importer
Smartcat as defined in section 1 of the DPA
Activities relevant to the data transferred under these Clauses: Providing the Services on Smartcat Platform to Data Exporter
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Prospects, customers, business partners and vendors of data exporter (who are natural persons)
Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
Employees, agents, advisors, freelancers of data exporter (who are natural persons)
Data exporter’s Users authorized by data exporter to use the Smartcat Platform.
Categories of personal data transferred
The personal data transferred concerns, but is not limited to, the following categories of Personal Data:
Professional life data
Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Data exporter may submit special categories of data to Smartcat, the extent of which is determined and controlled by the data exporter in its sole discretion and which is, for the sake of clarity, Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life.
Data importer determines the type and level of access granted to individual employees based on the “principle of least privilege”. This principle states that employees are only granted the level of access absolutely required to perform their job functions and is dictated by data importer’s business and security requirements. Permissions and access rights not expressly granted shall be, by default, prohibited.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis, while the Terms of Service or Service Contract executed between Data exporter and Data importer remain in effect.
Nature of the processing
Data importer will process Data exporter Personal Data in order to provide Services to Data exporter in accordance with provisions of the DPA.
Purpose(s) of the data transfer and further processing
Data importer will transfer and process Data exporter Personal Data for the purposes of providing Services to Data exporter in accordance with provisions of the DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The Data exporter Personal Data will be retained as long as required to provide Services pursuant to the valid Terms of Service or Service Contract executed between Data exporter and Data importer. The Data exporter Personal Data will be destroyed or returned to the Data exporter in accordance with the provisions of the DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Data importer will transfer Data exporter Personal Data to sub-processors pursuant to section 9 of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
The Dutch Data Protection Authority (Autoriteit Persoonsgegevens)
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded on the Smartcat Platform, as described in the documentation applicable to the specific Services purchased by data exporter, and accessible via https://www.smartcat.com/ or otherwise made reasonably available by Data importer. Data importer will not materially decrease the overall security of the Services during a term of the Terms of Service or Service Contract executed between Data exporter and Data importer.
Security Measures are specified in section 7.1. of the DPA.
LIST OF SUB-PROCESSORS
List of sub-processors is specified in section 9.2. of the DPA.
UK DATA TRANSFER MECHANISM
The UK Data Transfer Mechanism is incorporated into the DPA by reference at clause 1.24 and by reference to the information required to complete the UK Data Transfer Mechanism, the Parties agree to the following:
1. In Table 1 of the UK Data Transfer Mechanism, the names and addresses of the parties as defined in the Service Contract shall be incorporated into the UK Data Transfer Mechanism, it being understood that Customer shall be the "data exporter" and Controller, and the Smartcat receiving the data shall be the "data importer" and Processor;
2. In Table 2 of the UK Data Transfer Mechanism, Module 2 is selected, with the information required to complete Module 2 in the DPA and Annex I;
3. In Table 3 of the UK Data Transfer Mechanism, the information required to complete Table 3 is as listed in the DPA and Annex I, II and III; and
4. In Table 4 of the UK Data Transfer Mechanism, the information required to complete Table 4 is in the DPA and Annex II.