This Data Processing Agreement (the “DPA”) forms an Annex to the Terms and Conditions (the “Terms”) between you as the customer (the “Customer”) and Toofr LLC (“Toofr”). Toofr and the Customer are jointly referred to as the “Parties”.
The definitions of capitalized terms included in the Terms shall also apply in this DPA, unless otherwise specifically stated herein. This DPA is intended to ensure mutual compliance by Toofr and the Customer with applicable legislation concerning privacy and data protection, and to guarantee an appropriate level of protection of personal data.
SCOPE & PURPOSE OF PROCESSING
The data, which may be processed and submitted during the course of the Customer’s use of the Site and the Service (the “Customer Data”), may contain personal data. In principle, the Customer is responsible for determining the purpose and means for the processing of such personal data. Therefore, the Customer shall be regarded as the “Controller” of personal data, as defined in European privacy legislation. Toofr shall be regarded as the Customer’s “Processor”.
Toofr undertakes to process Customer Data solely to provide and improve the Site and the Service for the Customer.
Toofr may carry out scientific or statistical research into how the Site and the Service is used in order to improve the Site and the Service. As a general principle, all data is anonymous or anonymized as much and as soon as possible.
DIVISION OF RESPONSIBILITY
Under this DPA, Toofr is solely responsible for its processing of personal data as a part of delivering the Service to the Customer in accordance with the Customer’s instructions and under the express (final) responsibility of the Customer.
The Customer is responsible for acquiring any opt-in permission from the data subjects as may be required pursuant to applicable privacy legislation.
Toofr will continuously implement and update adequate technical and organizational security measures to prevent loss and unlawful processing of personal data, given the state of the art, the sensitivity of the personal data and the costs related to the security measures. Toofr cannot guarantee, however, that the security measures will be effective under all circumstances.
Both Parties shall exercise proper care with respect to the user login details, in order to avoid unauthorized access to and use of the Site and the Service, and any Customer Data.
The Customer shall require its Authorized Users to exercise proper care with respect to their user login details.
OBLIGATION TO NOTIFY OF SECURITY BREACHES
In case Toofr becomes aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, and such breach is likely to materially affect the Customer, Toofr shall promptly inform the Customer hereof. Toofr shall also have the right to inform any data subject adversely affected by the breach directly, as well as any competent authority, if Toofr in good faith understands this to be its legal or moral obligation.
In case the Customer discovers vulnerability on the Site and/or the Service that may lead to loss or unauthorized processing of Customer Data, the Customer shall inform Toofr thereof without delay. Toofr shall then investigate without delay whether or not the alleged vulnerability does in fact exist and notify the Customer of its findings.
The Customer shall not, nor allow its Authorized Users to, engage in any activity that may pose a risk to the availability, integrity and security of the Site and/or the Service, even if such activity would be carried out for the purpose of evaluating the security of the Site and/or the Service (e.g. a penetration test). Prior written authorization by Toofr is at all times required to engage in any activities as described in this clause.
CUSTOMER DATA RETENTION TERM
The Customer Data is stored for as long as necessary to provide the Service and its features to the Customer and its Authorized Users. Customer Data will be deleted after expiry or termination of the relevant account with Toofr. The Customer may request the Customer Data of an expired account with Toofr to be deleted before the regular retention term for the Customer Data has expired.
TERM AND TERMINATION
This DPA shall come into effect at the same time as the Terms. This DPA shall remain in force until the Terms have expired or been terminated, and Toofr no longer is in the possession of the Customer’s Customer Data.