Identification of the parties:
This Data Processing Agreement ("DPA") is entered into on the date of acceptance by the User, by and between Fintellect ("Controller") and Nordigen and Google ("Processors").
Description of the personal data:
The Processors will process on behalf of the Controller personal data provided by the User as part of the account registration process, including name, last name, email, phone and country, as well as any additional personal data that may be required for the use of PSD2 and social authentication services.
Data protection obligations of the processors:
The Processors shall:
a) process the personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law;
b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate, the pseudonymization and encryption of personal data;
d) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed;
e) at the choice of the Controller, delete or return all the personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the personal data;
f) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
The Processors shall not engage another processor without prior specific or general written authorization of the Controller. Where the Processors engage another processor for carrying out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the applicable data protection regulation.
The Processors shall promptly notify the Controller if they become aware of a personal data breach. The notification shall describe the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the personal data records concerned. The Processors shall promptly take all necessary steps to contain and mitigate the personal data breach, and shall provide the Controller with all information necessary to comply with its own notification obligations under the applicable data protection laws.
Technical and organizational measures:
The Processors shall implement appropriate technical and organizational measures to protect the personal data against unauthorized or unlawful processing and against accidental loss, destruction or damage. The Processors shall regularly review and assess the effectiveness of the technical and organizational measures implemented. Nordigen's information security management system is ISO 27001 certified, meaning that documented, audited processes are in place to provide an additional layer of information security.
The Controller shall have the right to conduct audits, including inspections, to ensure compliance with this DPA. The Controller shall provide the Processors with reasonable prior notice of any such audit, and the Processors shall cooperate fully with the Controller in connection with any such audit.
Return or destruction of personal data:
Upon termination of this DPA, the Processors shall, at the choice of the Controller, either return or securely destroy all personal data in their possession or control.
Governing law:
This DPA shall be governed by and construed in accordance with the laws of the European Union, without giving effect to any principles of conflicts of law.
Term and termination:
This DPA shall remain in effect until terminated by either party upon written notice to the other party.