DPA

THEYMES Data Processing Agreement

This Data Processing Agreement (“DPA”) is a part of the Agreement on the use of the Theymes service between Theymes and the Customer.

GENERAL

This DPA forms an integral part of the Agreement and shall apply to all processing of personal data under the Agreement. Where applicable and if not explicitly otherwise stated, the terms of the Agreement, such as governing law and dispute resolution, apply to this DPA. If the Agreement or any other document contains provisions regarding the processing of personal data that conflict with this DPA, this DPA shall have precedence.

The Customer is the data controller under the General Data Protection Regulation (EU 2016/679, “GDPR”) and Theymes processes personal data on behalf of the Customer as a processor when providing the Service. If and to the extent the Customer acts as a processor in relation to another data controller, Theymes shall act as a subprocessor.

The data controller is responsible for the lawful processing of personal data as well as compliance with the GDPR and other legislation regarding the processing of personal data. The data controller directs and instructs the data processor to carry out the processing activities, both by this DPA and possible later instructions. Where applicable, the Customer is responsible for acquiring and having the required rights and necessary permissions to use and disclose personal data to Theymes for the purposes of the Agreement.

The subject matter, categories, types of data and other details of the processing are described in Schedule 1 of this DPA (Description of the Processing).

This Data Processing Agreement shall become effective as the Agreement is entered into and shall be effective for as long as processing activities continue. Upon the end of processing activities, this DPA shall automatically terminate.

PROCESSING OF PERSONAL DATA

Theymes shall process personal data in accordance with this DPA and documented instructions from the Customer unless required otherwise by EU or member state legislation.

The Customer’s instructions for the processing are primarily set forth in the Agreement and this DPA. Any other instructions must be commercially reasonable, compliant with applicable legislation, and consistent with the Agreement. In case the Customer’s instructions require additional work by Theymes, Theymes has the right to charge reasonable costs of complying with the instructions from the Customer.

The data controller has the obligation to ensure its instructions follow the law of the European Union and all applicable member states. In case Theymes considers any instruction given by the Customer to be in contravention of EU or member state legislation, Theymes shall not be obliged to comply with such instruction and shall inform the Customer.

END OF PROCESSING ACTIVITIES

Personal data shall be processed only for the term of the Agreement.

After the expiry or termination of this DPA, the personal data processed under the Agreement shall be returned to the data controller upon request, deleted or anonymized.

SECURITY

Theymes shall implement appropriate technical and organisational measures to protect the personal data within its area of responsibility in order to safeguard the data against unauthorized or unlawful processing or access and against accidental loss or destruction of personal data, taking into account the costs of implementation as well as the nature, scope, context and purposes of processing carried out by Theymes, as well as the risks for the rights and freedoms of natural persons. The measures shall include, where appropriate and depending on the context: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and the Service; (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (iv) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

Theymes shall ensure the persons processing personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

ASSISTANCE

Taking into account the nature of the processing and where possible, Theymes shall assist the Customer with appropriate technical and organisational measures to fulfil the Customer’s obligation to respond to requests regarding the data subject’s rights under Chapter III of the GDPR.

Taking into account the nature of the processing and the information available to Theymes, Theymes shall assist the Customer in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority).

INTERNATIONAL TRANSFERS

Theymes provides the Service mainly from the EEA. In case the Customer operates outside the EEA or personal data is otherwise transferred outside the EEA to a country not recognized by the European Commission as having an adequate level of data protection, Theymes and the Customer shall ensure the transfer complies with Chapter V of the GDPR by using a valid transfer mechanism, such as standard contractual clauses adopted by the European Commission, and if necessary, implementing additional safeguards and carrying out a transfer impact assessment to ensure an appropriate level of protection of the personal data.

PERSONAL DATA BREACH

In case of a personal data breach concerning personal data processed on behalf of the Customer, Theymes shall notify the Customer without undue delay upon becoming aware of a breach. Theymes shall provide the Customer with all appropriate information it has available to it in order to allow the Customer to meet its obligations under the applicable data protection legislation. If all information is not available at once, Theymes may supplement the information later without undue delay.

AUDITS

The Customer or an auditor appointed by the Customer shall have the right to audit the processing activities of Theymes under this DPA to assess the compliance with this DPA and the applicable data protection legislation. The audit shall take place during ordinary business hours of Theymes and with at least thirty (30) calendar days prior written notice. The Customer shall bear all costs for any audits. Where an audit may lead to the disclosure of business or trade secrets of Theymes, the Customer shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to Theymes’s benefit.

At the Customer’s request, Theymes shall make available information necessary to support the data controller in demonstrating compliance with the GDPR.

SUBPROCESSORS

The Customer gives its general authorization for Theymes to engage subprocessors to process personal data in connection with the provision of the Service.

Theymes shall be free to choose and change its subprocessors. The list of subprocessors included in the processing on the Effective Date is included in Schedule 1 of this DPA. In case there is a later change in subprocessors, Theymes shall notify the Customer of such change and allow the Customer to object to the change on reasonable grounds related to data protection. If Theymes is not willing or able to change the subprocessor objected to by the Customer, both Parties shall have the right to terminate the Agreement and this DPA.

Where Theymes uses a subprocessor for the processing of personal data, it shall ensure data protection obligations of at least the same level as set out in this DPA shall apply to the subprocessor. Where a subprocessor fails to fulfil its data protection obligations, Theymes shall remain liable to the Customer for the performance of the subprocessor’s obligations.

LIABILITY

Each Party’s liability for the damages incurred by any data subject in connection with the processing of Personal Data under the Agreement and this DPA shall be defined in accordance with Article 82 of the GDPR, or another corresponding and applicable provision of compulsory data protection legislation.

Theymes shall not be liable for any indirect or consequential loss or damage caused in connection with this DPA. Otherwise, the liability terms of the Agreement shall apply to processing of the Personal Data by Theymes on behalf of the Customer.

Schedule 1: Description of the Processing

Subject-matter and duration of the processing

Personal data is processed to provide the Service for the Customer’s use under the Agreement. Personal data shall be processed for the duration of the Agreement term.

Nature and purpose of the processing

Personal data is processed for the purpose of carrying out the obligations of the Agreement and providing the Service, including managing user rights to the Service and providing the functionalities of the Service, such as priority support and the upkeep of the support portal and other Customer Content that may contain personal data.

Transfers outside of the EEA

Personal data is transferred outside of the EEA. The countries where processing takes place can be found in section 5 “Subprocessors”. Impact on data subjects has been assessed and is estimated to be low. Personal data is processed in countries of adequate data protection as accepted by the European Commission, or otherwise secured by contractual obligations and utilization of additional security safeguards.

Categories of data subjects and types of personal data

The data subjects are the users and end users of the Service and any persons whose data is included in the Customer Content by the Customer. The personal data consists of user account details and any data that is included in the Customer Content, such as contact information, usernames, and end user interactions with the Service where the interactions are considered personal data.

Subprocessors

Sub-Processor | Location | Services
Amazon Web Services (AWS) | EU | Data hosting services, Email services
OpenAI, Inc. | US | AI / LLM services
Cohere | EU | AI / LLM services (via AWS Bedrock)
PostHog | EU | Product analytics
Astrodon Corporation (Loops) | US | Email marketing
Vainu Finland Oy | EU | Analytics
Google Analytics, Alphabet | US | Customize and analyze the use of services

Theymes uses Google Analytics, which tracks and shares with us and our partners some user information, which includes some personal data. In short, Google Analytics collects, measures, and reports website and app user data to help us understand and analyze the behavior, needs and interactions of our users. For further information on this, please consult the website provided by Google: https://policies.google.com/technologies/partner-sites?hl=en-US.