Contact PG TELECOM Spolka z o.o.:
PG TELECOM Spolka z o.o. Address: ul. Stefana Batorego 18/108, 02-591 Warsaw
Tel: +336 44 55 55 55
During the course of delivering the Services to the Customer as outlined in the Agreement, SipSim may engage in the Processing of Personal Data on behalf of the Customer. This DPA is a reflection of the mutually agreed-upon terms and conditions pertaining to the Processing of Personal Data.
The Parties involved commit to adhering to the following provisions in relation to any Personal Data, while exercising reasonable and good-faith judgment.
- "Data Controller" and "Data Processor" shall bear the definitions attributed by the GDPR.
- "Data Subject," "Personal Data," and "Process" or "Processing" shall adopt the meanings ascribed by the GDPR. However, these definitions shall solely apply within the scope of personal data processing specified in Exhibit A of this DPA. Should the Applicable Data Protection Laws offer different definitions for these terms and the GDPR is not applicable to the Processing, the definitions established by the Applicable Data Protection Laws shall supersede the GDPR definitions. Conversely, if the Applicable Data Protection Laws provide different definitions and the GDPR applies to the Processing, the GDPR definitions shall prevail. In cases where the Applicable Data Protection Laws provide terms with identical or substantially similar meanings to "Data Controller," "Data Processor," "Data Subject," "Personal Data," and/or "Process" or "Processing," these terms shall be deemed correspondingly covered by the definitions provided herein.
- "Business Associate Agreement," "Covered Entity," and "Protected Health Information" shall adopt the meanings outlined by HIPAA and shall be interpreted in accordance with relevant regulations issued by the U.S. Department of Health and Human Services.
- "Admin User Email Address" refers to each email address associated with the Customer's account with SipSim, as registered by SipSim at the given time, identifying it as an email address of an admin user of the Customer's account.
- "Applicable Data Protection Laws" refers to all data protection laws and regulations that are relevant to the Processing of Personal Data under this DPA. Depending on the circumstances, this may include, but is not limited to, the European Data Protection Laws and/or HIPAA, as defined below.
- "Data Breach" signifies a personal data breach concerning Personal Data, which is likely to result in a risk to the rights and freedoms of the Data Subjects.
- "EEA" denotes the European Economic Area.
- "EU GDPR" corresponds to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons concerning the processing of personal data and the free movement of such data, and the repeal of Directive 95/46/EC.
- "European Data Protection Laws" encompasses the GDPR and/or the FADP, as relevant to the Processing of Personal Data in question.
- "FADP" stands for the Federal Act on Data Protection, adopted by the Federal Assembly of the Swiss Confederation, as amended.
- "GDPR" refers to the EU GDPR and/or the UK GDPR, as pertinent to the Personal Data Processing in question.
- "HIPAA" designates the United States' Health Insurance Portability and Accountability Act of 1996.
- "EU Standard Contractual Clauses for Data Transfers to Third Countries" encompasses the standard contractual clauses approved by the European Commission's decision 2021/915 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to the EU GDPR, and any subsequent amendments.
- "Subprocessor" signifies any legal entity, including a subcontractor, that SipSim engages to Process all or a portion of the Personal Data on behalf of the Customer.
- "UK GDPR" carries the meaning ascribed to it in section 3(10) of the UK Data Protection Act 2018.
- "UK International Data Transfer Addendum" refers to the International Data Transfer Addendum to the EU Standard Contractual Clauses, issued by the Information Commissioner and laid before Parliament in accordance with s.119A of the UK's Data Protection Act 2018 on 2 February 2022, and any subsequent amendments.
1. Application of Data Protection Laws and the Terms
1.1 Compliance with Applicable Data Protection Laws
The Customer affirms that, to the best of its knowledge, this DPA aligns with all Applicable Data Protection Laws and encompasses all necessary provisions as required by these laws. Given the nature of the Services, the Customer acknowledges that the Processing of Personal Data under this DPA may be subject to various Applicable Data Protection Laws, even those not explicitly outlined in this DPA. This applicability is contingent upon the territorial scope of the Customer's use of the Services. The Customer bears the responsibility for promptly notifying SipSim of any disparities between this DPA and the requisites of the Applicable Data Protection Laws.
1.2 Applicability of European Data Protection Laws, Roles of the Parties
The parties recognize that the GDPR becomes applicable to the Processing of Personal Data if the conditions stipulated in Article 3 of the GDPR are met. Furthermore, the parties acknowledge that the FADP applies to the Processing of Personal Data if and when the conditions articulated by the FADP are satisfied. In instances where the European Data Protection Laws are applicable to the Processing of Personal Data under this DPA, the Customer may assume the roles of both Data Controller and Data Processor, while SipSim exclusively acts as a Data Processor.
In situations where the Customer functions as a Data Processor and engages SipSim as another Data Processor, as per Article 28(4) of the GDPR, the Customer:
- a) Holds the responsibility for imposing the same data protection obligations on SipSim as those delineated in the contract or any other legal agreement between the Customer and the Data Controller of the Personal Data.
- b) Ensures that the directives provided by the Customer to SipSim under Section 2.4 of this DPA adhere to the terms of the contract or any other legal agreement between the Customer and the Data Controller of the Personal Data.
- c) Assumes both the rights and responsibilities of a Data Controller concerning SipSim under this DPA. Consequently, whenever this DPA refers to a "Data Controller," the reference encompasses the Customer, and vice versa.
- d) Maintains full accountability towards the Data Controller of the Personal Data in cases where SipSim fails to fulfill its data protection obligations as stipulated herein.
1.3 Applicability of HIPAA
The Customer acknowledges and accepts that it must separately enter into and execute a Business Associate Agreement ("BAA") if:
- The Customer qualifies as a Covered Entity or Business Associate, and
- The Customer intends to provide Protected Health Information to SipSim in connection with the execution of the Agreement. This is applicable to the extent that such Protected Health Information is gathered from patients in the United States and its associated territories and possessions.
In scenarios where the parties have entered into a BAA, the provisions of the BAA shall take precedence over this DPA concerning any Protected Health Information collected from patients in the United States and its territories and possessions.
2. Processing of Personal Data
2.1 Customer’s Processing of Personal Data
The Customer determines the purposes and methods of Processing Personal Data. The Customer's instructions for Processing Personal Data must align with Applicable Data Protection Laws.
2.2 Customer’s Liability
The Customer bears sole responsibility for the accuracy, quality, and legality of the Personal Data provided to SipSim and the means by which the Customer obtained such Personal Data. If European Data Protection Laws apply to the Processing of Personal Data under this DPA, the Customer is responsible for fulfilling its obligations as a Data Controller. This includes informing Data Subjects about the Processing of their Personal Data under this DPA, obtaining their consent if necessary, and ensuring that both the Customer and SipSim have the authority to use the Personal Data in line with the defined purposes herein.
2.3 SipSim’s Processing of Personal Data
2.4 Customer’s Instructions
The Customer instructs SipSim to Process Personal Data for the provision of Services, as specified in more detail in Exhibit A. This DPA, the Agreement, instructions provided via configuration tools within SipSim’s platform, and instructions via SipSim’s dedicated customer support portal constitute the Customer's comprehensive and definitive instructions to SipSim for the Processing of Personal Data. Any additional or alternative instructions must be separately agreed upon in writing.
2.5 Obligations of SipSim
In accordance with Applicable Data Protection Laws, SipSim commits to the following:
a) Ensuring that individuals authorized to Process Personal Data are bound by confidentiality commitments or are subject to appropriate statutory confidentiality obligations. SipSim will grant access to Personal Data solely to personnel who require access to fulfill SipSim’s obligations under the Agreement.
b) Promptly informing the Customer if SipSim becomes aware that an instruction violates Applicable Data Protection Laws.
c) Taking all necessary measures to maintain the confidentiality of Personal Data and ensure the security of Processing, as further outlined in Section 3.
d) Assisting the Customer in complying with obligations related to Personal Data security, Customer’s notification and communication duties in the event of a Data Breach, conducting data protection impact assessments (or similar assessments mandated by Applicable Data Protection Laws), and consulting the supervisory authority as needed, considering the nature of Processing and the information available to SipSim.
e) Providing the Customer with all necessary information, on a reasonable basis, to demonstrate compliance with SipSim's obligations outlined in this DPA and in Applicable Data Protection Laws, if applicable.
3. Security of Personal Data
3.1 Technical and Organizational Measures
SipSim, considering the prevailing technological capabilities, implementation costs, the nature, extent, context, and purposes of Processing, as well as the potential risks to the rights and freedoms of Data Subjects arising from Processing, will establish appropriate technical and organizational safeguards outlined in Exhibit B.
3.2 Reviews and Updates
SipSim will periodically assess and update the technical and organizational safeguards as necessary. The Customer consents to SipSim making unilateral updates to these measures, provided such updates do not significantly diminish the level of Personal Data protection. SipSim's commitment under Section 3.1 remains unchanged.
Upon the Customer's request, SipSim will furnish additional details about securing, accessing, and utilizing Personal Data.
4. Rights of Data Subjects and Other Regulatory Actions
4.1 Data Subjects' Right to Information
The Customer shall be responsible for furnishing Data Subjects with information regarding the processing of their Personal Data.
4.2 Exercise of Data Subjects' Rights
SipSim will assist the Customer, to the extent feasible under Applicable Data Protection Laws, in meeting its obligations to address requests from Data Subjects, including but not limited to the right of access, rectification, erasure, objection, restriction of processing, data portability, and the right not to be subjected to automated individual decisions (including profiling).
4.3 Regulatory Action
In the event that SipSim becomes aware of a Regulatory Action related to the Personal Data processed under this DPA, SipSim shall, as mandated by Applicable Data Protection Laws, take the following steps:
a) Notify the Customer promptly through an email sent to the Admin User Email Address, providing adequate information about the Regulatory Action, including pertinent correspondence copies for the Customer's handling.
b) Offer the Customer reasonable cooperation and support through suitable technical and organizational means concerning the Regulatory Action.
c) Refrain from responding to any Regulatory Action, unless explicitly instructed to do so in writing by the Customer or as compelled by Applicable Data Protection Laws.
5.1 List of Subprocessors
SipSim utilizes Subprocessors as part of its service provision. The current list of Subprocessors engaged by SipSim can be found on SipSim's website. By accepting this DPA, the Customer provides authorization for SipSim to engage the Subprocessors listed on the website.
5.2 General Authorization
By executing this DPA, the Customer grants SipSim a general authorization to engage additional Subprocessors or make changes to the existing list of Subprocessors. If SipSim intends to modify the list, the Customer will be notified of the changes via email to the Admin User Email Address. This communication will clearly outline the processing activities to be subcontracted, as well as the name and contact information of the intended Subprocessor.
Where Applicable Data Protection Laws grant the Customer the right to object to proposed modifications involving the addition or replacement of Subprocessors, the Customer may reasonably object to such changes. Failure to raise objections in writing within ten (10) days of receiving the information will be deemed as the Customer's acceptance of the new Subprocessors. In the event of objections, both Parties will collaborate to find a mutually satisfactory solution.
5.4 Same Obligations
When SipSim engages another Subprocessor, it will establish a contract that imposes the same obligations on the Subprocessor as those imposed on SipSim under this DPA. SipSim will ensure the Subprocessor's compliance with the obligations stipulated in this DPA and the Applicable Data Protection Laws.
5.5 Subprocessor Agreements
As required by the Applicable Data Protection Laws and permitted by SipSim's confidentiality commitments, SipSim may furnish the Customer with a copy of the Subprocessor agreement, including subsequent amendments, upon the Customer's request.
In accordance with the provisions of the Applicable Data Protection Laws, SipSim shall bear responsibility towards the Customer for the actions and omissions of its Subprocessors to the same extent that SipSim would be held directly liable if it were performing the services of each Subprocessor under the terms of this DPA.
6. International Data Transfers
6.1 Locations of Processing
SipSim commits to Processing Personal Data exclusively within its country of establishment and the countries specified in the list of SipSim's Subprocessors, as maintained under Section 5.1 of this agreement.
6.2 European Personal Data Transfers Subject to Appropriate Safeguards
The locations mentioned in Section 6.1 above may include countries situated outside the EEA, UK, and Switzerland. For the purposes of the applicable European Data Protection Law, these countries have either not been officially recognized by the relevant authority as providing an adequate level of personal data protection, as described in European Data Protection Law, or they are not covered by a suitable framework acknowledged by relevant authorities or courts as offering an adequate level of protection for personal data ("Locations Subject to Appropriate Safeguards"). When Processing Personal Data under European Data Protection Law, the Parties shall not transfer Personal Data to any Location Subject to Appropriate Safeguards unless they have taken the necessary measures to ensure compliance with the applicable European Data Protection Law.
6.4 UK Personal Data Transfers to SipSim
In cases where the Processing of Personal Data involves the transfer of Personal Data from a Customer subject to the UK GDPR to SipSim, located in a Location Subject to Appropriate Safeguards and not subject to the UK GDPR, the UK International Data Transfer Addendum shall apply. In accordance with clause 17 of this addendum, the Parties agree to modify the format of the information outlined in Part 1 of the addendum as follows:
a) Table 1 shall be considered complete with the information provided or referenced in the Agreement, including references in Section 6.3 of this DPA.
b) For the purposes of table 2, the UK International Data Transfer Addendum shall be appended to the EU Standard Contractual Clauses for Data Transfers as defined in Section 6.3 of this DPA (including module and option selections and the exclusion of optional clauses as defined in Section 6.3 of this DPA).
c) The appendix information listed in table 3 shall be considered complete with the information provided or referenced in Section 6.3 hereof.
d) For the purposes of table 4, either the data importer or data exporter may terminate this addendum as outlined in clause 19 of the Addendum.
6.5 European Personal Data Onward Transfers
In scenarios where the Processing of Personal Data includes the transfer of Personal Data from SipSim, acting as a data exporter subject to European Data Protection Law, to a third party located in a Location Subject to Appropriate Safeguards and not subject to European Data Protection Law, and this third party acts as a data importer (including Subprocessors), SipSim may transfer Personal Data to the third party only if the conditions specified in Section 6.2 of this agreement are satisfied.
In case of any conflict or inconsistency between this DPA and the EU Standard Contractual Clauses for Data Transfers to Third Countries incorporated herein, the EU Standard Contractual Clauses for Data Transfers to Third Countries shall take precedence.
7. Data Breaches
SipSim will promptly inform the Customer of any Data Breach following its discovery by SipSim. In cases where European Data Protection Law is applicable, SipSim will notify the Customer within a maximum of 24 hours after detecting the Data Breach. The notification will be sent via email to the Admin User Email Address.
7.2 Provided Information
SipSim commits to providing the Customer with all necessary cooperation and assistance, along with comprehensive details of the Data Breach. These details are essential for the Customer to fulfill its obligations under the Applicable Data Protection Laws concerning the Data Breach.
8. Audit Privileges
8.1 Customer's Right to Audit
If the Applicable Data Protection Laws grant the Customer the right to conduct audits, the Customer or an independent third-party auditor, acceptable to SipSim (provided they are neither a competitor of SipSim nor lacking in suitable qualifications or independence), may audit the processes related to the handling of Personal Data by SipSim under the following conditions:
a) The Customer has valid reasons, substantiated in advance to SipSim, to suspect that SipSim is not handling Personal Data in accordance with this Data Processing Agreement or the Applicable Data Protection Laws, or if a Data Breach has been identified; or
b) The Customer's data protection authority formally requests an audit; or
c) The Applicable Data Protection Laws explicitly grant the Customer the direct right to conduct an audit.
8.2 Audit Frequency
The Customer may perform an audit at most once within any twelve-month period, unless the Applicable Data Protection Laws necessitate more frequent audits.
8.3 Advance Notice
The Customer shall provide SipSim with a minimum of thirty days' prior notice of any audit, unless a mandatory Data Protection Law or a competent data protection authority prescribes a shorter notice period. The frequency and scope of such audits will be mutually agreed upon by the parties in a reasonable and cooperative manner.
8.4 Audit Costs
Each party shall bear its own expenses related to audits conducted under this Agreement.
9. Return and Removal of Customer Data
9.1 Data Export and Deletion
Upon the termination of the Agreement, SipSim will allow the Customer, at its own expense, to export the Personal Data processed under this Data Processing Agreement, in accordance with the functionalities provided by the Service, within a thirty (30) day period following the termination.
After this thirty-day period, SipSim will proceed to delete all Personal Data that was stored or processed by SipSim solely on behalf of the Customer, along with any associated copies, unless there exists a legal requirement for the retention of such personal data. The Customer explicitly agrees to this deletion process and acknowledges that after the specified thirty-day period, SipSim will no longer be able to facilitate the export of Personal Data to the Customer.
10. Term and Amendments
10.1 Start Date and Previous Agreements
This Data Processing Agreement (DPA) comes into effect on the date when the Customer accepted its terms and supersedes any previously applicable data processing provisions concerning the handling of Personal Data by SipSim on behalf of the Customer, starting from the same date.
This DPA will remain in effect for the same duration as the Agreement.
The Customer explicitly acknowledges and agrees that this DPA may be modified in the same manner as mutually determined by the parties for amending the Agreement. This includes SipSim's right to periodically update the terms of the Agreement, its policies, and this DPA at its sole discretion, with prior notice to the Customer sent to the Admin User Email Address.
11.1 SipSim’s Combined Liability
The total liability of each party and all its related companies, collectively, arising from or connected to this Data Processing Agreement (DPA) and all other DPAs between related companies and SipSim, whether in contract, tort (including negligence), or based on any other legal theory, is subject to the 'Limitation of Liability' section found in the Agreement (or the section within the Agreement that addresses the exclusion and limitation of liability, even if it lacks that specific heading). Any mention in such a section regarding a party's liability refers to the overall liability of that party and all of its related companies under the Agreement and all DPAs together.
11.2 Liability to Customer’s Related Companies
To avoid any doubt, the total liability of SipSim and its related companies for all claims made by Customer and all of its related companies stemming from or relating to the Agreement and all Data Processing Agreements, whether in contract, tort (including negligence), or under any other legal theory, will be applied collectively for all claims under both the Agreement and the Data Processing Agreements established under the Agreement or otherwise concluded between SipSim and the Customer and/or any related company, and, specifically, shall not be interpreted as applying individually and separately to Customer and/or any related company that is a contractual party to, or otherwise entitled to make claims under, any such Data Processing Agreement.
12. Governing Law and Jurisdiction
12.1 Applicable Law
While acknowledging the mandatory applicability of Applicable Data Protection Laws and recognizing their potential priority, the laws of the country or territory specified in the Agreement for this purpose shall govern and interpret this DPA. Each of the Parties agrees to accept the chosen jurisdiction as outlined in the Agreement concerning any claim or matter arising from or related to this DPA.
12.2. Dispute Resolution
To amicably resolve any disputes arising from the interpretation, execution, or termination of this DPA, the Parties agree to engage in negotiations following receipt of a notice from one of the Parties. The objective is to reach an amicable resolution within thirty (30) days after one Party notifies the other of the dispute, explicitly referring to this provision. If the Parties fail to reach an amicable settlement by executing a settlement agreement during this period, they shall refer the dispute to the relevant court with jurisdiction to adjudicate the matter.
EXHIBIT A: Description of the Processing
SipSim is authorized to process, on behalf of the Customer, the necessary personal data for providing SipSim products and related services.
Purposes of the Processing:
Provision of SipSim products and services:
- Operation of SipSim's infrastructure necessary for the processing of inbound and outbound calls and for secure and high-quality running of the platform.
- Transfer of personal data between the MNO and the MVNE, storage on SipSim's backend, processing for visualization and personal settings, as well as monitoring for potential errors.
- Analysis of data on how the platform is used by users to provide statistics on the dashboard.
- Creation and maintenance of user accounts, coordination of phone number allocation to users.
- Client identity verification where required under local laws for provision of telephone numbers and, where applicable, creation of an identity validation stamp for future number procurement in the same location.
- Call routing and manual analysis of call status (from logs) for quality assurance and issue resolution.
- Analysis of data pulled from APIs regarding crashes and bugs to assist in issue resolution.
- Integration of SipSim product with other tools:
  - Sharing customer personal data with integration partners if the customer installs an integration with a particular tool and authorizes the tool to access customer's data processed by SipSim or authorizes SipSim to access customer's data processed in the respective tool.
  - Transfer of personal data from SipSim to the respective tool provider and vice versa. SipSim's processing of personal data on behalf of the customer is limited to the processing performed in the SipSim environment.
Nature of Operations Carried Out on the Personal Data:
- Collection or recording of the Personal Data.
- Hosting or conservation of the Personal Data.
- Use of the Personal Data.
- Communication of the Personal Data by transmission, diffusion, or any other means.
- Deletion or destruction of the Personal Data.
Categories of Data Subjects:
- Employees, agents, and representatives of Customer.
- Users' contacts and other individuals involved in communication via SipSim (Call/SMS recipients, callers, senders).
Types of Personal Data:
- Customer account data.
- Customer contact data (from contact lists).
- Information about users.
- Call/SMS/MMS/Mobile Data content and metadata.
- Additional call-related data.
- Customer identity verification data.
- Customer provided documentation.
EXHIBIT B: Security Measures
As of the effective date of this DPA, SipSim, when Processing Personal Data on behalf of the Customer, has implemented and maintains the following technical and organizational security measures for the Processing of such Personal Data:
- Information Security Program:
SipSim maintains a reasonable information security program constructed around principles laid down in the information security industry standards. This program covers topics including Policies and Procedures, Access Control, Business Continuity, HR Security, Network Infrastructure Security, Third-Party Security, Vulnerability Management, Vendor and Risk Management, as well as Incident Response.
- Security Certifications:
SipSim selects an independent, qualified third-party auditor to conduct at least an annual audit of the security of the Services and environments, in accordance with SOC 2, Type II standards or its equivalent.
- Physical Access Controls:
SipSim takes reasonable measures, such as secured buildings and offices, to prevent unauthorized persons from gaining physical access to Personal Data.
- System Access Controls:
SipSim takes reasonable measures to prevent Personal Data from being used without authorization. These controls may include authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and logging of access on multiple levels.
- Data Access Controls:
SipSim ensures that Personal Data is accessible and manageable only by properly authorized staff. Direct database query access is restricted, and application access rights are established and enforced so that authorized personnel have access only to the Personal Data relevant to their role. Personal Data cannot be read, copied, modified, or removed without proper authorization during Processing.
- Transmission Controls:
SipSim ensures that Personal Data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport. Personal Data is encrypted in transit over public networks when communicating with SipSim user interfaces (UIs) and application programming interfaces (APIs) via industry-standard HTTPS/TLS (TLS 1.2 or higher). Personal Data is encrypted at rest by SipSim's Subprocessor and managed services provider, Amazon Web Services Inc., using AES-256.
- Input Controls:
SipSim provides the ability to check and establish whether and by whom Personal Data has been entered into data processing systems, modified, or removed.
- Data Backup:
Back-ups of the databases in the Service are taken on a regular basis, secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by SipSim.
- Human Resources Security:
SipSim employees undergo an extensive third-party background check before formal employment offers. All SipSim employees must sign non-disclosure agreements before gaining access to Personal Data. New employees receive information security and privacy training during onboarding, with continuous training provided to cover security policies, best practices, and privacy principles.
- Vendor Management:
SipSim maintains a vendor management program to ensure appropriate security controls are in place. Vendors are periodically reviewed based on security and business continuity standards, including data access, necessary controls, and legal/regulatory requirements.
- Platform Security Measures:
SipSim separates its system into distinct networks to enhance the protection of sensitive data and separate public services from internal services. Personal Data is only allowed within the production network. SipSim conducts penetration testing at least annually, using independent third-party entities to conduct application-level tests. Security threats and vulnerabilities are promptly prioritized and resolved. SipSim also maintains a bug bounty program to ethically discover security flaws in its system and protect against sophisticated attacks.
- Business Continuity:
SipSim maintains and operates a Business Continuity and Disaster Recovery system based on best practices to provide reliability and availability to operational phone systems and effective recovery in case of disruptive events. Recovery strategies are tested at least annually.
- Data Center Security:
SipSim primarily hosts Personal Data in data centers that are certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Data center infrastructure services include backup power, HVAC systems, and fire suppression equipment. These data centers also employ on-site security measures such as security guards, fencing, intrusion detection technology, and more.