Personal Data Processing
1. Introduction
1.1. This Data Processing Agreement (“DPA”) supplements and specifies data protection obligations for the Terms of Service and all current and future contracts, including but not limited to partner agreements, service agreements, and proofs of concept (collectively referred to as “Agreement” or “Agreements”) under which Botguard OÜ (“Provider”) provides Bot Traffic Management Services (“Services”) to its customers (“Customer”).
1.2. The Provider and the Customer are each referred to as a “Party” and collectively as the “Parties.”
1.3. In connection with the Services, the Provider processes certain personal data on behalf of the Customer. To ensure secure, correct, and lawful processing of personal data, the Parties agree to supplement the Agreement with this DPA, which serves as an annex to the Agreement.
1.4. In case of any conflict regarding the processing of personal data, the provisions of this DPA shall take precedence over the Agreement.
1.5. The terms used in the Data Processing Agreement are used in the meaning given to them in the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council (“GDPR”) or in the meaning given to them in the Agreement.
2. Areas of Responsibility
2.1. In accordance with Article 4 of the GDPR, the Customer is the data controller of the personal data provided to the Provider during the provision of the Services, including those activities which are specified in the Agreements, and the Provider is the data processor.
2.2. The Customer is solely responsible within the scope of the Agreements for compliance with the legal provisions on data protection, in particular for the lawfulness of the processing itself as well as for the data transfer to the Provider as processor. For the avoidance of doubt, the Provider is not responsible (without limitation) for selecting or ensuring the existence of an appropriate lawful basis for the personal data processing carried out under the Agreements and this DPA, for informing the data subjects of the relevant processing, or for fulfilling the data controller's obligation to conduct a data protection impact assessment, if required.
3. Obligations of the Provider as a Data Processor
3.1. The Provider shall process personal data in compliance with applicable laws, the terms of the Agreement, and the provisions of this DPA.
3.2. The Provider shall process personal data solely for the purposes specified in Annex 1.
3.3. The Provider shall maintain records of all categories of data processing activities conducted on behalf of the Customer, in accordance with GDPR requirements.
3.4. At the Customer’s request, the Provider shall assist the Customer: (i) in responding to requests from data subjects exercising their rights under Chapter III of the GDPR; (ii) in conducting data protection impact assessments; (iii) if required by applicable law, in consulting the competent supervisory authority. The technical and organizational measures employed, along with the scope and extent of the assistance, may be further detailed in the appendix.
4. Obligations of the Customer as Data Controller
4.1. The Customer confirms and warrants that, upon using the Services and making any personal data available to the Provider, the Customer has acquired all authorisations and permits required for that purpose by applicable law and the GDPR.
4.2. The Customer must promptly and fully inform the Provider upon identifying any errors or deviations in the processing results that may relate to data protection regulations.
4.3. In the event of a claim against the Provider by a data subject under Article 82 of the GDPR, the Customer shall provide the Provider with the best possible support in defending against the claim.
5. Confidentiality
5.1. The Provider shall adopt measures necessary to safeguard the confidentiality of the personal data processed on behalf of the Customer. Inter alia, the Provider shall adopt measures to ensure that all the representatives and employees of the Provider and other persons who through the Provider come into contact with the personal data processed on behalf of the Customer maintain full confidentiality of the personal data and that they are subject to the confidentiality obligation assumed under a contract or the law.
6. Security Measures
6.1. The Provider shall assess the appropriate level of security when providing the Service. It shall take the security measures deemed necessary to ensure a level of security appropriate to the risks of the data processing under Article 32 of the GDPR.
6.2. Upon the application of appropriate technical and organisational measures, the Provider shall consider the capacity of the applied processing measures to ensure the ongoing confidentiality, integrity, availability and resilience of personal data.
6.3. At Customer’s request, the Provider shall assist the Customer in assessing its appropriate level of security and appropriate technical and organizational measures related to the Service.
6.4. The Customer has the right to authorise an auditor to audit the activity of the Provider with regard to the performance of the Data Processing Agreement in accordance with the GDPR. The Customer shall notify the Provider of the audit at least 60 days in advance. The Customer or an auditor appointed by the Customer shall carry out the audit during regular working hours and so that the audit interferes with the regular business activity of the Provider as little as possible.
7. Personal Data Protection
7.1. In case of a personal data breach, the Provider shall notify the Customer of this without undue delay.
7.2. The Provider shall cooperate with the Customer for the purposes of preventing personal data breaches. If a personal data breach occurs, the Provider shall cooperate with the Customer to address the personal data breach as efficiently and quickly as possible and/or mitigate its possible adverse effects.
7.3. The Provider will assist the Customer, if required by the applicable law, in (i) notification of the data breach to the competent supervisory authority and (ii) communication of the breach to the data subjects.
8. Subprocessors and Data Transfers
8.1. The Customer authorizes the Provider to engage sub-processors to support the performance of the Services. These sub-processors may include entities such as the Provider’s group companies, accounting firms, software providers, hosting service providers, customer relationship management tool providers, email service providers, and other service providers essential for facilitating the Provider’s operations or Services.
8.2. The Provider maintains an up-to-date list of all sub-processors involved in the processing of personal data. Upon request, the Provider provides the Customer with a copy of the current list of sub-processors.
8.3. Any sub-processor may only be engaged by written (including electronic) contract made between the Provider and sub-processor. The Provider shall designate the Customer as third-party beneficiary regarding the Customer’s personal data in the agreement with the right to enforce the agreement against the sub-processor in the case of the Provider’s bankruptcy.
8.4. The Provider may transfer personal data to countries outside the European Union (EU) or the European Economic Area (EEA) only if such transfer is compliant with Chapter V of the GDPR. When the Provider transfers personal data to countries outside the EU/EEA, the Provider will ensure adequate safeguards are in place to protect personal data as required by applicable data protection laws and regulations. These safeguards may include (but are not limited to):
- Standard Contractual Clauses: the Provider may use standard contractual clauses approved by the European Commission or other relevant data protection authorities to ensure the protection of personal data during transfer.
- Binding Corporate Rules (BCRs): where applicable, the Provider may rely on BCRs adopted by the Provider’s organization to ensure the protection of personal data transferred across borders within the Provider’s corporate group.
- Data Protection Agreements: the Provider may enter into agreements with recipients of personal data outside the EU/EEA, imposing obligations on them to protect personal data to the same standards required in the EU/EEA.
- Certification Mechanisms: the Provider may rely on certification mechanisms such as the EU-US Data Privacy Framework, where applicable, to ensure that third-party recipients of personal data provide an adequate level of protection.
9. Liability
9.1. The Provider shall not be liable for any breach of this DPA or applicable law if such breaches arise from the Customer’s action or inaction.
9.2. This DPA does not exempt the Parties from any obligations to which they are subject pursuant to the applicable laws.
10. Validity
10.1. This Data Processing Agreement shall become effective upon the conclusion of the Agreement between the Parties and shall remain in effect until the Provider ceases processing personal data on behalf of the Customer or until the termination of the Agreement, whichever occurs later.
11. Jurisdiction
11.1. The DPA is governed by the laws of the Republic of Estonia. Disputes arising from this DPA will be resolved by negotiations or in Estonian courts, Harju County Court being the court of first instance.
ANNEXES
ANNEX 1 - PROCESSING SPECIFICATION
1. Purpose Of Data Processing
1.1. The Provider shall process personal data only (i) for the provision of the Services to the Customer in accordance with the Agreement, including for the purpose stated in Clause 1.2 below, or (ii) on written (including electronic) instructions from the Customer, or (iii) when required to do so by the applicable law.
1.2. The Customer hereby gives the Provider general authorisation to use personal data for purposes that are directly related to the improvement of the Services offered to the Customer (for example test running, analytics and organising customer satisfaction surveys among the users).
1.3. The Parties agree that the Customer shall be responsible for notifying the data subjects about the relevant data processing stated in Clause 1.2 above. The notification from the Customer shall indicate that the processing stated in Clause 1.2 above is carried out by the Provider on its own behalf (i.e. as data controller) as part of enhancing the software used to deliver the Services, referencing the Provider’s general contact details.
2. Data Subjects
2.1. Any natural person entering the webpage using the Services.
3. Categories Of Data
3.1. IP address used to access the webpage, country of location, internet service provider of the person entering the Customer’s webpage,
3.2. full HTTP(S) request of the software and the operating system used by the person entering the Customer’s webpage,
3.3. metadata about the connection (TLS handshake data, various properties of network packets) of the person entering the Customer’s webpage,
3.4. device and movement data such as:
- device motion events,
- mouse movements (coordinates and acceleration) and button down/up/hold events,
- mobile device support (touch, click, tap, shake, multi-finger support, gyroscope, compass; no location data is collected),
- property collector (time zone, browser properties, cursor coordinates, button events, velocity, device angle, distinguishing between "normal" browsers and headless browsers),
- key events (key press down/up), typing speed, and key press time (without being able to identify what is being typed).
4. Processing Operations
4.1. The Provider processes the data in order to provide the Services in accordance with the terms of the Agreement. Specifically, as a result of the data processing the Provider shall determine whether the person accessing the webpage of the Customer is a human user, a legitimate search engine bot, or a malicious bot or hacker; access to the webpage by a malicious bot or hacker will be denied.
5. Data Retention
5.1. Data collected about each person accessing the webpage shall be retained for a maximum of 3 months and shall then be automatically deleted by the system, unless there is another legitimate purpose to retain the data longer (e.g. dispute resolution) or the Customer has authorized the Provider to store the data for a longer period of time.
5.2. The retention period is calculated from the day following the access to the webpage.