Data processing agreement

Effective from: July 2023

BY INSTALLING AND/OR PURCHASING AND/OR USING ANY SERVICES, YOU HEREBY CONCLUDE THE DATA PROCESSING AGREEMENT BETWEEN YOU AS A CLIENT OF Time is Ltd. s.r.o. (“Client”) AND AS A DATA CONTROLLER, THE FULL CONTENT OF WHICH IS BELOW.
YOU, AS THE DATA CONTROLLER, CAN GIVE US FURTHER INSTRUCTIONS SENT TO US TO THIS EMAIL ADDRESS:  privacy@timeisltd.com.
By doing so, you accept the possibility that we will not be able to perform the Services as introduced on the Website and after informing you accordingly our Services will not be delivered to You.

Data Processing Agreement between the user of the Time is Ltd. Service(s) as ordered by the user and the below Data Processor:
Time is Ltd. s.r.o. with the registered office at Kafkova 346/14, 160 00 Prague 6, Czech Republic, Company number: 054 46 872, VAT number: CZ05446872, represented by Jan Řežáb, Executive Director

- hereinafter referred to as Time is Ltd. -

Preamble
This Data Processing Agreement (“Agreement”) specifies the Personal Data protection obligations of the Client and Time is Ltd. in relation to any kind of use of the following products in form of the software-as-a-services: – Account Relationship Mapping and/or Analytics Platform and/or Calendar Analytics and/or OrgChart and/or Sales Analytics – as purchased under the Terms and Conditions of TIL accepted via the respective Services and/or individual Service link (“Contract”).

The Client hereby agrees that in case of an order of multiple Time is Ltd. Services either simultaneously or subsequently, the Client explicitly agrees that the Personal Data processed by Time is Ltd. for the purpose of one Service can be processed pursuant to this Agreement also for another Time is Ltd. Service(s) in the necessary extent and only as of the moment of the ordering of such additional Service. Subsequently, should one Service be cancelled, and the Personal Data do not need to be processed therefore any longer, Time is Ltd. will process only such Personal Data necessary for remaining Service(s).

It applies to all activities related to the contractual relationship in which employees of Time is Ltd. or persons commissioned by Time is Ltd. may come into contact with Personal Data of the Client and/or the Client’s personnel and/or any third parties.

Personal Data”Any Personal Data (as defined in the GDPR) processed as part of or in relation to the Services.
Processor”A Personal Data processor (as defined in the GDPR).
Recipient”A natural or legal person, public authority, agency or another body, to which the Personal Data are disclosed (as further defined in the GDPR).


TIME IS LTD. AS THE PROCESSOR

§ 1 Subject matter and duration

1. Time is Ltd. undertakes (as the Processor) the performance of the following tasks on behalf of the Client during the duration of the Contract:
a.) Takeover of the Personal Data of the Client personnel from the Client within the extent as specified in §2 (2) here under. For the avoidance of doubt, the Client hereby undertakes not to hand over any other Personal Data than agreed herein and if at any point in time the Client does share any other Personal Data, the Client is and shall remain ultimately responsible for such sharing, incl. but not limited to the fact that it is allowed to do so vis a vis Time is Ltd. in relation to the Contract. The Client shall indemnify Time is Ltd. and any of its personnel, incl. statutory bodies, for any potential claims and/or demands raised in relation thereto by any third party, incl. Personal Data subjects;
b.) Detailed description of the Personal Data processing for each type of Service is specified under the respective hyperlinks: : Account Relationship Mapping, Analytics Platform, Calendar Analytics,  OrgChart, Sales  Analytics;
c.) Further processing of the aggregate/anonymized data that do not fall under the category of the Personal Data in accordance with the Agreement and the Contract for benchmarking and future business purposes.

2. Time is Ltd. processes Personal Data on behalf or for the Client within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of this Agreement.

3. Terms used in this Agreement are to be understood as defined in the GDPR and/or the Contract.

4. The undertaking of the contractually agreed Processing of Data shall be carried out exclusively within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Each and every Transfer of Data to a State which is not a Member State of either the EU or the EEA requires the prior consent of the Client and shall only occur if the specific Conditions of Article 44 et seq. GDPR have been fulfilled (i.e. Transfers on the basis of an adequacy decision by Commission, Standard Data Protection Clauses, approved Codes of Conduct etc.).

5. Duration:
a.) The duration of this Agreement corresponds to the duration of the Contract between the Parties mentioned above, i.e. during the performance of the Services by Time is Ltd..
b.) The Agreement ends automatically and without the need for termination if Time is Ltd. no longer carries out any processing of Personal Data for the Client.
c.) The Client may terminate this Agreement at any time without notice in case of a serious breach by Time is Ltd. of any Personal Data protection regulations or the provisions of this Agreement, or in case Time is Ltd. cannot or does not want to execute instructions from the Client or Time is Ltd. repudiates the supervisory rights of the Client pursuant to this Agreement. Especially, non-compliance with the obligations agreed in this Agreement and derived from Art. 28 GDPR constitutes a serious infringement.

§ 2 Nature and purpose of Personal Data processing, type of Personal Data and categories of data subjects:
1. Nature and Purpose of processing of Personal Data by Time is Ltd. for the Client (according to the definition of Art. 4 No. 2 GDPR): provision of Services under the Contract

2. Categories of data subjects’ personal data (according to definition of Art. 4 No. 1 GDPR):

a.) All Services: first and middle names, surnames, business contact data, incl. email addresses of individual users/Personal Data subjects, and any information provided for the purpose of provision of the Services by the Client or by the data subjects (relevant staff members, representatives, contractors and clients directly).
b.) OrgChart Service use/purchase in addition to ad a) also the job position, supervisor, start/end day, working hours, language skills, location, probation period;
c.) Account Relationship Mapping Service use/purchase in addition to ad a) frequency of communication between individual users/Personal Data subjects in relation to individual accounts/Client's customers while using Salesforce Plugin application.The Client can only share with TIL and ask TIL to process on Client‘ s behalf such categories of personal data processing of which by the Client as a controller and by TIL as Client’s processor within the scope of the Services is meeting the conditions specified in art. 8 of GDPR.

The aggregate data (anonymized) as specified in § 1 (1) c) may be further processed and used by Time is Ltd. for the statistical, future business operations and benchmarking purposes, whereas the results and any outcomes thereof can be used by Time is Ltd. for the purpose of its future business operations without any restrictions, including for business purposes.

§ 3 Rights and obligations and supervisory functions of the Client
1. Within the scope of the Personal Data processing agreed upon in this Agreement, the Client reserves the right to give extensive instructions regarding the nature, scope and procedure of the Personal Data processing, which it can substantiate by individual instructions sent via email to privacy@timeisltd.com. If any such instructions are impossible to fulfil by Time is Ltd. due to any reason, including lack of technical capabilities, capacity reasons or extensive costs, Time is Ltd. can terminate the Contract and this Agreement without any negative consequences to Time is Ltd. For the avoidance of doubt, no fees paid in accordance with the Contract are refundable and will not be returned by Time is Ltd. in such circumstances.

2. The Client issues the instructions in an email form. Changes to the purpose of processing and procedural changes must be made via the email. Verbal instructions must be confirmed immediately in an email format. The instructions are to be kept for their period of validity and subsequently for three full calendar years.

3. The assessment of the lawfulness of the processing according to Art. 6 para. 1 GDPR as well as the assurance of the rights of the data subjects according to Art. 12 to 22 GDPR is at the sole discretion and responsibility of the Client. Nevertheless, Time is Ltd. is obliged to forward all requests concerning processing of Personal Data to the Client without undue delay, if such requests are clearly directed to the Client.

4. The Client has the right, before starting the Personal Data processing and afterwards on regular basis, to carry out inspections to ensure that obligations under this Agreement, in particular the adherence to the technical and organizational measures taken by Time is Ltd., are observed. The Client can also have such inspections carried out by a third party chosen by Time is Ltd. Time is Ltd. undertakes to fully assist the Client in carrying out inspections and within a reasonable time (at the latest within 14 calendar days) provide the necessary information and evidence for the carrying out the inspections. All such inspections will be on the Client costs. Insofar as the inspection of Time is Ltd. results in a necessity for adjustment, this must be implemented by mutual agreement.

5. The Client is obliged to treat all knowledge of business secrets and Personal Data security measures of Time is Ltd. acquired within the framework of the Contract as confidential.

§ 4 Duties of Time is Ltd.
1. Time is Ltd. processes Personal Data in accordance with this Agreement and with the documented via email instructions of the Client, unless Time is Ltd. is legally obliged to perform certain processing within the meaning of Art. 28 para. 3 lit. a GDPR. Time is Ltd. shall inform the Client immediately if it considers that an instruction violates any Personal Data protection regulation. Time is Ltd. shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

2. Time is Ltd. ensures that it knows the relevant general Personal Data protection requirements. It observes the principles of proper Personal Data processing.

3. Time is Ltd. undertakes to strictly observe confidentiality during processing, especially confidentiality in accordance with Art. 28 para. lit 3 b GDPR. Time is Ltd. entrusts only such employees with the Personal Data processing outlined in this Agreement who have been bound to confidentiality and have previously been familiarized with the Personal Data protection provisions relevant to their work, as far as they are not already legally subject to a relevant confidentiality obligation. Upon request, Time is Ltd. shall provide to the Client free of charge relevant evidence of such compliance.

4. Time is Ltd. guarantees to fulfill its obligation under Art. 32 para. 1 lit. d. GDPR. It shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable Personal Data protection law and the protection of the rights of the data subject. 

5. Based on its area of responsibility, Time is Ltd. is obliged to keep a detailed documentation about the processing of Personal Data and to make these available to the Client at first request. Time is Ltd. is obliged to provide the information for the Client’s record of processing activities pursuant to Art. 30 para. 1 GDPR. For the avoidance of doubt Time is Ltd. is an organization to which Art. 30 of the GDPR is not applicable. 

6. Time is Ltd. assists the Client in complying with the duties of the Client regulated in Art. 32 to 36 GDPR. For this purpose, Time is Ltd. will provide the Client with all necessary documents, deeds and evidence required for Art. 32 GDPR upon first request, at the latest within 14 calendar days. Time is Ltd. will also assist the Client in the implementation and compliance with the Personal Data protection impact assessment pursuant to Art. 35 GDPR.

7. Time is Ltd. corrects or deletes the Personal Data, if instructed so by the Client. If a deletion or a corresponding limitation of the Personal Data processing, which is compliant with Personal Data protection requirements, is not possible, Time is Ltd. undertakes to destroy the data carriers and other materials in accordance with Personal Data protection requirements on the basis of an individual assignment by the Client or returns these data carriers to the Client. In special cases, to be determined by the Client, a storage or transfer of the Personal Data takes place. Remuneration and protective measures for this purpose must be agreed separately, unless already agreed in this Agreement.  

8. The Client shall be informed without undue delay of any inspections and measures conducted by the supervisory authority, especially according to Art. 58 GDPR. This also applies insofar as Time is Ltd. is under investigation or is a party to an investigation by a competent authority regarding the processing of Personal Data under this Agreement.

9. In case of a claim by a data subject with regard to any entitlement under Art. 82 GDPR, Time is Ltd. shall make reasonable effort to support the Client.

10. Time is Ltd. is not obliged, as far as required by law, to appoint a Personal Data protection officer who carries out its activity in accordance with Art. 37 and 38 GDPR. The contact details of the contact person for Personal Data protection issues for the purpose of direct contact are specified below. Time is Ltd. will inform the Client immediately about any changes of the contact person.

The contact for Personal Data protection issues arising under this Agreement is: privacy@timeisltd.com.

11. The fulfillment of obligations under this § 4 is free of charge for Time is Ltd. 

§ 5 Technical and Organizational Measures
1. Time is Ltd. will, in its area of responsibility, design the internal organization measures in such a way that it meets the requirements of Personal Data protection. It will take technical and organizational measures to adequately protect the Personal Data of the Client, which satisfies the requirements of Art. 32 GDPR. The measures to be taken are measures of Personal Data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems.

The Client is informed of these technical and organizational measures. The technical and organizational measures taken by Time is Ltd. are set out in Appendix 1 to this Agreement.

2. The technical and organizational measures may be adapted to the technical and organizational development in the course of the Contract. Significant changes must be agreed upon by the Parties.

3. Insofar as the security measures taken by Time is Ltd. do not meet the requirements of the Client, it shall inform Time is Ltd. immediately.

§ 6 Subcontracting (Art. 28 para. 3 GDPR)
1. Time is Ltd. may commission subcontractors (data sub-processors) only after prior explicit documented consent (email form) from the Client. A subcontractor relationship subject to approval exists if Time is Ltd. commissions further contractors with all or part of the performance of agreed Services between the Parties. Where Time is Ltd. engages another subcontractor resp. processor, it is obliged to impose the obligations under this Agreement by way of a contract on such processors.
2. The rights of the Client shall be also exercised effectively against any subcontractor. In the contract with the subcontractor, the details must be specified in such a way that the responsibilities of Time is Ltd. and the subcontractor are clearly separated from each other. If several subcontractors are commissioned, this also applies to the responsibilities between these subcontractors. In particular, the Client must be entitled, if necessary, to carry out appropriate inspections of the subcontractors.
3. The contract with the subcontractor must be concluded in writing, including in electronic form (Art. 28 para. 4 and para. 9 GDPR).
4. The transfer of Personal Data from the Client to the subcontractor and the subcontractor’s commencement of the Personal Data processing shall only be undertaken after compliance with all requirements has been achieved, especially according to Art. 29 and Art. 32 para 4 GDPR.
5. Time is Ltd. must verify compliance with the obligations of the subcontractor(s). The result of the checks must be documented and made available to the Client upon request.
6. Time is Ltd. shall be liable to the Client for ensuring that the subcontractor complies with the Personal Data protection obligations in performing Time is Ltd.’s obligations under this Agreement.
7. At the moment, Time is Ltd. has engaged the subcontractors listed in Appendix 2 in the processing of Personal Data to the extent specified therein. The Client agrees to their commissioning.
8. Time is Ltd. shall inform via email the Client of any intended change in relation to the engagement of new or the replacement of existing subcontractors, thereby giving the Client the opportunity to object to such changes (Art. 28 para 2 GDPR).
9. The Client may revoke the consent to the engagement of a subcontractor at any time, in particular in the event of a breach of the law or otherwise. Time is Ltd. must stop subcontracting the processing with undue delay, however in such case the Client confirms that should such subcontractor is essential for the provision of the Services under the Contract, Time is Ltd. shall be free to terminate the Contract and this Agreement with an immediate effect without any negative consequences to the Time is Ltd. whatsoever.
10. If the subcontractor provided the agreed service outside the EU/EEA, Time is Ltd. shall ensure compliance with GDPR by appropriate measures according to Art. 44 GDPR.

§ 7 Notification obligations in case of processing disruptions and Personal Data breaches
Time is Ltd. is obliged without undue delay to notify the Client of any disruptions and violations of the Personal Data protection provisions by Time is Ltd. or persons employed or engaged by it. This also applies in particular with regard to any notification obligations of the Client according to Art. 33 and Art. 34 GDPR. Time is Ltd. confirms that the Client will be adequately supported in its duties under Art. 33 and 34 GDPR if necessary (Art. 28 para. 3 lit. f GDPR). Notifications pursuant to Art. 33 or 34 GDPR may only be made by Time is Ltd. in accordance with prior instructions by the Client.

§ 8 Observance of the rights of data subjects
If a data subject requests the information about the Personal Data or its correction, deletion, restriction or portability etc., Time is Ltd. will refer the person concerned to the Client, if it is possible to allocate the data subject. Time is Ltd. forwards any request of the data subject to the Client without undue delay. Time is Ltd. will support the Client fully and free of charge with appropriate technical and organizational measures to fulfill its obligations regarding data subject rights. Time is Ltd. is not liable if the request of the data subject is not answered, is answered incorrectly or not in due time by the Client.

§ 9 Obligations of Time is Ltd. after termination of the Agreement, Art. 28 para. 3 lit. g GDPR
After conclusion of the contracted work, Time is Ltd. shall hand over to the Client or – subject to prior instruction – destroy all documents, processing and utilization results, and data sets related to the contract that have come into Time is Ltd.’s possession or to its subcontractors, in a Personal Data-protection compliant manner.

The log of the destruction or deletion shall be confirmed in writing or electronic form by the Client.

The above is not applicable to the Personal Data that Time is Ltd. is obliged to archive/keep under the applicable laws and to the aggregated data as specified in §2(3) of this Agreement.

§ 10 Liability
1. Time is Ltd. shall be liable to the Client for damages culpably caused by it, its employees or the contractors commissioned by it in performing the contractual obligations under this Agreement.
2. Time is Ltd. and the Client are liable for Personal Data processing in accordance with the provisions of Art. 82 GDPR up to the amount of the fees agreed in the Contract, if the fees are agreed on a time and material basis, then up to the amount of the fees paid by the Client during the 12 months preceding the breach hereof.
3. The Client indemnifies Time is Ltd. against all costs, expenses (including legal expenses), damage, loss (incl. loss of business or loss of profits), liabilities, demands, claims, actions or proceedings, which Time is Ltd. may incur arising out of  Time is Ltd.’s compliance with this Agreement and/or any instruction given by the Client to Time is Ltd. in relation to the Personal Data processing (including instructions in connection with requests from individuals exercising their rights under the GDPR and any instruction to retain, disclose, amend or otherwise process Personal Data).

TIME IS LTD. AS THE CONTROLLER


§ 11 Information on Data Processing by Time is Ltd.
1. The parties acknowledge that the Personal Data provided by the Client or its staff members and representatives will be processed by Time is Ltd as a Controller, for the purpose of, or in connection with:
(i) compliance with the applicable legal regulatory requirements; (ii) addressing requests and communications from competent authorities;
(iii) Contract administration, financial accounting, internal compliance and risk analysis, and client relationship purposes, incl. new offerings and developments in the area of business operations of Time is Ltd. or analysis of productivity of various businesses in general;
(iv) utilization of systems and applications (hosted or internal) for information technology and information system services (the “Purposes”).
The Personal Data may include Personal Data regarding the Client’s representatives, personnel, project team members, suppliers and contractors, as well as the Personal Data included in the information obtained by Time is Ltd in relation to the Contract and this Agreement.
2. In relation to the here above (§11 (2)) specified Personal Data, the Client agrees as a Controller that Time is Ltd as another Controller to process such Personal Data in an aggregate format (anonymized) may be further processed and used by Time is Ltd. for the statistical, future business operations and benchmarking purposes, whereas the results and any outcomes thereof can be used by Time is Ltd. based on its legitimate interests for the purpose of its future business operations without any restrictions, including for business purposes.
3. For the Purposes indicated above, the Personal Data may be disclosed/transferred to and processed by the Recipients of Personal Data (including the Personal Data Controllers and Personal Data Processors) as indicated in the applicable Time is Ltd Privacy Notice. The transfers of Personal Data may include transfers outside of the European Economic Area (EEA) but only provided that the legal obligations as stipulated by the GDPR for such transfers are fulfilled.
4. The above is a summary of the applicable Time is Ltd privacy notice (the “Privacy Notice”) and is not a complete reflection of the Privacy Notice, which is available at http://www.timeisltd.com/privacy-notice-for-clients/. To the extent that it does not involve a disproportionate effort, the Client shall ensure that the Privacy Notice is brought to the attention of data subjects (its relevant staff members, representatives, contractors and clients).
5. Data Retention: The engagement documentation, incl. the Contract, including the Personal Data shall be retained for a period of 10 years following the expiration of the Contract or as required by the relevant regulations or any other applicable laws and regulations.
6. Each Party shall comply with the GDPR when processing Personal Data. The Client confirms that all the Personal Data provided to Time is Ltd has been collected lawfully, fairly and in a transparent manner and in accordance with the applicable laws.

§ 12 Severability
Should any individual provision of this Agreement be or become wholly or partially invalid, or should there prove to be an omission, this shall not affect the validity of the remaining provisions of this Agreement.

§ 13 Applicable law, jurisdiction
This Agreement is subject to Czech law. Place of jurisdiction is the registered office of Time is Ltd.
Appendix 1: The technical and organizational measures in accordance with § 5
Appendix 2: Approved subcontractors

Appendix 1 – The technical and organizational measures (Art. 32 GDPR)
The following defines the minimum of technical and organizational measures to ensure Personal Data protection and Personal Data security, which must be established and maintained by Time is Ltd. The aim is to ensure, in particular, the confidentiality, integrity and availability of the information processed by Time is Ltd. on behalf of the Client.

1. Measures to ensure the integrity and confidentiality of systems and services (Art. 32 Abs. 1 lt. b GDPR)
a.) Equipment access control: deny unauthorized persons access to processing equipment used for processing
Only authorized users have access to the Google Cloud account and processing resources. We are using the access control mechanism of the Google Cloud.
b.) Data media control: prevent the unauthorized reading, copying, modification or erasure of data media
Only authorized users have access to the Google cloud account and processing resources. We are using the access control mechanism of the Google Cloud
c.) Storage control: prevent the unauthorized input of Personal Data and the unauthorized inspection, modification or deletion of stored Personal Data
The storage is encrypted and only users with authorization can process the data in the database.
d.) User control: prevent the use of automated processing systems by unauthorized persons using data communication equipment
All automatic processing pipelines are accessible only with authorized account.
e.) Data access control: ensure that persons authorized to use an automated processing system have access only to the Personal Data covered by their access authorization
All users have level access to the data and the access is restricted based on the level access.
f.) Communication control: ensure that it is possible to verify and establish the bodies to which Personal Data have been or may be transmitted or made available using data communication equipment
All access and transmission of the data are logged.
g.) Input control: ensure that it is subsequently possible to verify and establish which Personal Data have been input into automated processing systems and when and by whom the Personal Data were input
All operations are logged
h.) Transport control: ensure that the confidentiality and integrity of Personal Data are protected during transfers of Personal Data or during transport of data media
All data are always encrypted during the transfer
i.) Processing control: ensure that Personal Data processed on behalf of the controller can only be processed in compliance with the controller’s instructions
All data are always processed based on the agreement or contract with controller’s instructions
j.) Separability: ensure that Personal Data collected for different purposes can be processed separately
All sources have a separated storage, database or table and we can ensure the

2. Measures to ensure the availability and resilience of systems and services (Art. 32 Abs. 1 lt. b GDPR)
a.) Reliability: ensure that all system functions perform and that the appearance of faults in the functions is reported
The reliability of the Google Cloud system is ensured by the SLA
b.) Integrity: ensure that stored Personal Data cannot be corrupted by means of a malfunctioning of the system
The reliability of the Google Cloud system is ensured by the SLA
c.) Availability control: ensure that Personal Data are protected against loss and destruction
The data availability control of the Google Cloud system is ensured by the SLA

3. Measures to rapidly restore the availability and access to Personal Data following a physical or technical incident (emergency)

Recovery: ensure that installed systems may, in the case of interruption, be restored

The data recovery of the Google Cloud system is ensured by the SLA

Appendix 2 – Approved subcontractors of Time is Ltd. as the Processor under the Agreement and Contract
The current list:
Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Google Privacy Terms
Auth0, Inc., 10800 Northeast 8th Street, Suite 600, Bellevue, WA 98004, USA, Auth0 Privacy& Cookie Policy
Elasticsearch Inc. 800 W. El Camino Real, Suite 350, Mountain View, CA 940 40, USA, Privacy Statement
Time is Ltd Inc, 3500 South Dupont Highway, Dover, Delaware 199901, EIN 86-3794470
Time is Ltd Limited, Bluebell House, Brian Johnson Way, Preston, United Kingdom, PR2 5PE, Company number 11750189
Google Workspace Marketplace, Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland, Google Privacy Terms
Salesforce appexchange, Salesforce, Inc. Salesforce Tower, 415 Mission Street, 3rd Floor, San Francisco, CA 94105, United States, Privacy Information
Webex App Hub, Cisco Systems, Inc., c/o Corporation Service Company, 251 Little Falls Drive, Wilmington, Delaware 19808-1674 , USA, Privacy Policy
Paddle.com Market Limited, Judd House, 18-29 Mora Street, London, EC1V 8BT, United Kingdom, Privacy Policy
Stripe Payments Europe, Limited, The One Building, 1 Grand Canal Street Lower, Dublin 2, Co. Dublin, Ireland, Privacy policy