Data Processing Agreement

The following Data Processing Agreement is valid from and last updated on January 1, 2022.

This Data Processing Agreement is entered into between the Service Provider and the Customer and is incorporated into and governed by the Terms of Service.

1. Definitions

1.1. Unless the context explicitly requires otherwise, the following capitalised terms in this Data Processing Agreement will have the following meanings:

Compliance WebsiteDokobit website’s section available at www.dokobit.com/compliance.
CustomerAny natural person or legal entity that uses the Services.
Customer DataAny data uploaded or provided by the Customer. In order to provide the Services, we store, process and transmit your uploaded documents and information related to them. This data is processed solely in accordance with the directions provided by you (Customer or User). We are acting as a data processor for this information. All this information is stored and processed within the European Union/European Economic Area (EU/EEA).
Data BreachAny accidental or unlawful breach of personal data security resulting in accidental or unlawful destruction, loss, alteration or unauthorised disclosure (without authorisation) of or access to processed Customer Data.
Data ControllerMeans the entity which determines the purposes and means of the processing of personal data. Customer acts as a Data Controller under this Data Processing Agreement.
Data ProcessorMeans the entity which processes personal data on behalf of the Data Controller. Service Provider (Dokobit) acts as a Data Processor under this Data Processing Agreement.
Documented InstructionsSuch instructions are communicated by the Customer by way of configuration of service settings when using the Services, as well as the requirements set forth in this Data Processing Agreement and Terms of Service. 
GDPRRegulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
ProcessingHas the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
ServicesServices enabling the Customer to upload, store, manage as well as e-sign and archive documentation and validate e-signatures and seals (including qualified and non-qualified service). We may provide integrable API (Application Programming Interface) solutions that we offer to our Customers. The Customer and the Service provider may agree on additional and (or) other Services provision.

Particular functionalities, scope of the Services and (or) specific conditions on the provision of the Services may be defined in:

Standard Service and Pricing Plans offered by us on our website and (or) provided to the Customer through other means of electronic communication and accepted (ordered, subscribed) by the Customer;

specific Services for special pricing offered by us to the Customer through other means of electronic communication and accepted (ordered, subscribed) by the Customer. For the avoidance of doubt, such specific Services may be provided upon your acceptance (order, subscription) in addition to (on top of) any Services, Pricing Plans already ordered and used by you;

the Special Terms agreed upon the Customer and us.

The Services may be provided on a one-time basis as well for specific term subscription basis.
Sub-ProcessorAny legal entity operating in European Economic Area engaged by Dokobit for the processing of Customer Data on behalf of Dokobit and in accordance with its instructions to the extent and for the purposes specified in Data Processing Agreement.
Terms of ServiceSet of rules and regulations governing the provision of the Services, available at the Compliance Website.

1.2. Capitalised terms not defined above will have the same meaning as defined in the Terms of Service, unless the context explicitly requires otherwise.

2. Purpose and scope

2.1. Dokobit shall provide Services to the Customer in accordance with the Terms of Services. In providing the Services, Dokobit shall process the Customer Data on behalf of the Customer. Customer Data may include personal data. Therefore, the Customer shall be: 

(i) Data Controller with respect to the Customer Data; or

(ii) Data Processor, where the Customer processes personal data on behalf of a third party. For the purposes of this Data Processing Agreement and Terms of Service, Dokobit is a data processor. The Data Processor will process and protect such Personal Data in accordance with the terms of this Data Processing Agreement and Terms of Service.

2.2. This Data Processing Agreement shall apply only to the processing of the Customer Data, where Dokobit processes such data on behalf of the Customer and under its instructions as well as in providing Services. In such cases, where Dokobit processes the Customer Data as a data controller instead of on behalf of the Customer or under its instructions, this Data Processing Agreement shall not apply; instead, Privacy Policy and other Dokobit documents shall apply.

3. Processing Conditions

3.1. Dokobit shall process the Customer Data in order to provide Services.

3.2. Dokobit shall process personal data of such categories of data subjects that the Customer uploads or submits when using the Services. This may include, but is not limited to, name, surname, organisation, position, date of birth, personal code, phone number etc. Please note that this is a non-exhaustive list and may vary in every case, including, but not limited to, depending on the nature and contents of the Customer Data provided by the Customer (or third party where the Customer acts as a data processor) to Dokobit when using the Services.

3.3. Dokobit shall process the Customer Data from the moment the Customer uploads or submits it when using the Services until the removal thereof by the Customer but no longer than specified in Article 13.2 of this Data Processing Agreement.

3.4. Dokobit shall ensure that the Customer Data is processed in the European Economic Area and shall not engage Sub-Processors operating outside of the European Economic Area.

4. Customer Data Confidentiality

4.1. Dokobit shall use the Customer Data only for the provision of the Services and implementation of its rights under the Terms of Service. Unless otherwise required by the law, Dokobit shall not disclose the Customer Data to third parties.

4.2. Dokobit shall ensure that the access to the Customer Data would be granted only to those employees or suppliers of Dokobit which require such data for performing work functions or providing services to Dokobit.

4.3. Dokobit shall ensure that the employees or suppliers of Dokobit processing Customer Data would comply with this Data Processing Agreement and would undertake to observe the confidentiality clause or would be subject to relevant confidentiality obligation establish under the laws.

4.4. If under the requirements of the laws Dokobit is obliged to disclose the Customer Data to third parties (e.g. law enforcement authorities), Dokobit shall immediately notify the Customer about the requirements to disclose the Customer Data, unless otherwise required by the laws.

4.5. Such confidentiality obligations shall remain in force indefinitely and following the expiry of this Data Processing Agreement.

5. Customer Documented Instructions

5.1. Dokobit shall process the Customer Data only according to Documented Instructions of the Customer. The Customer shall ensure that appropriate legal basis for processing of Customer Data by Dokobit exists. Dokobit shall also comply with the obligations imposed on Data Processors by the GDPR or other legislation.

5.2. Additional Customer instructions outside the scope of the Documented Instructions (if any) require prior written agreement between the Parties, including agreement on any additional fees payable by Customer to Dokobit for carrying out such instructions, including, but not limited to:

(i) assistance with the Data Controller’s obligation to respond to data subject requests;

(ii) implementation of any additional technical and organisational measures not set forth by this Data Processing Agreement;

(iii) assistance with the Data Controller’s obligation to carry out a data protection impact assessment and/or prior consultation with the supervisory authority. 

5.3. Dokobit shall immediately inform the Customer if the Customer’s instructions are in conflict with the GDPR or other applicable legislation governing the protection of personal data. This clause does not in any way impose Dokobit with the duty to monitor Customer Data and/or to take any additional steps and/or to acquire additional information to evaluate the lawfulness of the Customer’s instructions.

6. Technical and Organisational Measures

6.1. In processing the Customer Data, Dokobit shall implement appropriate technical and organisational measures to protect the Customer Data. Dokobit shall select technical and organisational measures taking into consideration the level of development of technical possibilities, costs of implementation and the nature, scope, context and purpose of data processing, as well as risks of various probability and seriousness with respect to rights and freedoms of natural persons associated with data processing. 

6.2. Dokobit has also implemented and certified by accredited auditor information security management system according to international security standard ISO/IEC 27001. The information security management system provides for a number of security measures, including, but not limited to:

(i) pseudonymisation and encryption of personal data;

(ii) measures to ensure the ongoing confidentiality, integrity, availability and resilience of data processing systems and services; 

(iii) measures to ensure the timely restoration of availability and access to personal data in the event of a physical or technical event;

(iv) measures to protect access (including remote access) to personal data;

(v) measures for the physical security of the facilities where personal data is processed and retained;

(vi) measures for safe remote work from home. The effectiveness of these security measures is evaluated at least annually. 

6.3. The Parties agree that security measures indicated in clause 6.2. shall be considered as appropriate and maximum technical and organisational measures necessary to achieve goals specified in Item 6.1. Dokobit shall undertake to comply with the requirements of this or equivalent security standards during the entire validity period of this Data Processing Agreement. The Parties agree that Dokobit has implemented technical and organisational measures appropriate for processing of Customer Data under this Data Processing Agreement and Dokobit shall not be obliged to take into consideration any unreasonable additional Customer instructions regarding technical and organisational measures.

7. Cooperation

7.1. Taking into consideration the nature of Services provided and the processing of processed data and available information, Dokobit shall cooperate with the Customer to ensure the performance of obligations specified in GDPR Articles 32–36. For this purpose and only to the extent specified in this Data Processing Agreement, Dokobit shall provide requested information to the Customer which is necessary for proper performance of obligations of the Customer under GDPR.

8. Data Processing Audit

8.1. To verify whether Dokobit properly processes the Customer Data, the Customer shall have the right to conduct inspections of such processing under the procedure provided for in Article 8.

8.2. Dokobit shall inspect, at least once per calendar year, at its own initiative and expense, whether applicable technical and organisation measures are in line with the nature, scope, context and purposes of data processing, as well as risks associated with data processing with respect to the rights and freedoms of natural persons. Dokobit shall engage an independent inspector for the inspection with the instructions to prepare inspection report (hereinafter – Report).

8.3. At the request of the Customer and according to an additional agreement by the Parties regarding the protection of confidential information, Dokobit shall submit a Report to the Customer. Upon performance of this obligation by Dokobit, it shall be considered that the Customer has exercised its right provided for in Item 8.1 of this Data Processing Agreement and GDPR Article 28(3)(h).

8.4. In accordance with the applicable legislation, Dokobit may be required to provide information related to this Data Processing Agreement to competent regulatory or government institutions, but only upon a lawful and legitimate request.

8.5. If the Customer wishes to additionally and/or by means other than specified in Article 8 inspect how Dokobit processes personal data and/or performs its obligations under this Data Processing Agreement, such inspection may be conducted upon consent of Dokobit and the agreement of the Parties on the scope, method, time and price of the inspection. In any case, if the Parties agree on such additional inspection, it will have to comply with the following requirements: 

(i) the inspection must be related only to the processing of the Customer Data;

(ii) the Customer must inform Dokobit about the wish to conduct additional inspection within a reasonable time period which must be at least 4 weeks;

(iii) additional inspection must be conducted in a way it would not interfere with daily activities of Dokobit;

(iv) additional inspection must be conducted at the expense of the Customer; 

(v) additional inspection must be conducted by an independent person whose candidacy must be approved in advance by Dokobit and such person must undertake to protect confidential information of Dokobit.

8.6. Dokobit shall have the right to receive remuneration for assistance in conducting additional inspection. The size of such remuneration will be determined by Dokobit taking into consideration costs incurred by Dokobit with respect to additional inspection. Dokobit shall provide information to the Customer about the size of remuneration before the inspection.

8.7. In the event the Customer is not satisfied with the information provided in the Report and/or the Parties fail to agree on additional inspection as provided for in Items 8.5–8.6 of this Data Processing Agreement, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Dokobit will not be obliged to compensate damages to the Customer.

8.8. Parties agree that proper processing of Customer Data by Dokobit Sub-Processors shall be ensured by Dokobit in accordance with section 9 of this Data Processing Agreement.

9. Sub-Processors

9.1. The Customer hereby gives general consent to Dokobit to engage Sub-Processors which will process Customer Data on behalf of Dokobit according to the scope and purposes specified in this Data Processing Agreement. Dokobit shall engage only those Sub-Processors which will ensure the following:

(i) implementation of appropriate technical and organisational measures;

(ii) data processing in compliance with GDPR requirements; and

(iii) protection of the rights of the data subject.

9.2. Dokobit shall ensure that a written agreement has been concluded with Sub-Processors engaged under which Sub-Processors shall undertake to comply with responsibilities of the data processor established in this Data Processing Agreement at least to the extent applicable to Dokobit. Dokobit shall be liable against the Customer for the performance of obligations of Sub-Processors engaged.

9.3. Up-to-date list of engaged Sub-Processors will be published by Dokobit on the Compliance Website. Dokobit shall notify the Customer about its plans to replace or engage a new Sub-Processor by making such information available on the Compliance Website no later than 14 days prior to the planned event. The Customer may subscribe to an RSS feed of the Compliance Website to be notified automatically when there are changes to the list of Sub-Processors engaged by Dokobit.

9.4. If the Customer continues using the Services following the replacement or involvement of a new Sub-Processor and notification of the Customer under the procedure provided for in Item 9.3 of this Data Processing Agreement, does not object to it within ten (10) days, it shall be considered that the Customer agreed to such actions of Dokobit. If the Customer disagrees with such replacement or involvement of the Sub-Processor, the Customer shall have the right to unilaterally, under out-of-court procedure, terminate this Data Processing Agreement and the Terms of Service. In this case, the termination of the agreements will be the only measure that can be applied by the Customer and Dokobit will not be obliged to compensate damages to the Customer.

9.5. If the Customer withdraws its general consent to engage Sub-Processor, Dokobit shall have the right to unilaterally, under out-of-court procedure, terminate the Terms of Service, and such termination shall be considered to have been made for important reasons and the Customer shall be deemed not to have suffered any damage due to such termination.

10. Customer Obligations

10.1. The Customer, at its own discretion and responsibility, shall determine the categories of the data subjects (including, but not limited to, employees, contractors, business partners, service providers) whose personal data and the categories of personal data to be provided to Dokobit and shall provide to Dokobit only personal data necessary for proper provision of the Services by Dokobit. The Customer shall assume all related risks, including risks in cases where Dokobit receives more personal data than is necessary.

10.2. The Customer represents and warrants that it has obtained and shall retain during the entire validity period of the Terms of Service all necessary permissions and authorisations required for the provision of the Customer Data to Dokobit and engage Dokobit for the processing of personal data under the Terms of Service and this Data Processing Agreement.

11. Data Breach

11.1. Dokobit shall notify the Customer, without undue delay, but no later than within 36 hours after becoming aware about the Data Breach, and taking into consideration the nature of provided Services and the processing of personal data and available information, shall provide the following information to the Customer:

(i) the nature of the Data Breach, including, where possible, the categories of the data subjects and approximate number thereof;

(ii) possible consequences of the Data Breach;

(iii) measures implemented by Dokobit or proposed to be taken to address the Data Breach, including, where appropriate, measures for mitigating possible negative consequences of the Data Breach; 

(iv) full name and contact information of data protection officer or any other contact person that could provide further information. In cases where notifying the Customer about a Data Breach is not feasible (e.g. Dokobit is unable to contact the Customer) or due to the scope of the Data Breach it would be ineffective, Dokobit may provide this information to the Customer by making it available on the Compliance Website.

11.2. Dokobit shall document all Data Breaches, including facts pertaining to the Data Breach, its impact and corrective actions taken. In cases provided for in legislation, Dokobit shall provide such documents to supervisory authority.

11.3. The Customer shall be responsible for the compliance with legislation regulating the delivery of notifications or information to the data subjects about the Data Breach.

12. Liability

12.1. Taking into consideration the nature, scope, context and purposes of data processing, Dokobit liability under this Data Processing Agreement shall be limited to and in any case may not exceed the amount the Customer has paid to Dokobit in 12 months.

12.2. Limitation of liability shall not apply if Dokobit breaches this Data Processing Agreement due to gross negligence or intentional misconduct.

12.3. During this Data Processing Agreement, Dokobit shall undertake to insure its civil liability. The insurance includes coverage for privacy and cybersecurity liability. The copy of insurance policy containing the amount of the insurance will be published on the Compliance Website.

13. Validity and Termination

13.1. This Data Processing Agreement shall come into force upon the entry into force of the Terms of Service and shall be valid for as long as the latter remains in force.

13.2. Upon termination or expiry of the Data Processing Agreement, Dokobit shall destroy the Customer Data no later than within 30 days, unless there are grounds to process or manage the Customer Data other than those arising out of this Data Processing Agreement.

14. Applicable Law and Dispute Resolution

14.1. This Data Processing Agreement shall be subject to the law of the Republic of Lithuania.

14.2. Each dispute, disagreement or claim arising out of or related to this Data Processing Agreement, its violation, termination and validity shall be settled by negotiating. If the Parties are unable to reach an agreement within 30 days from the occurrence of the dispute, disagreement or claim, such dispute, disagreement or claim shall be settled in the court of the Republic of Lithuania.

15. Final Provisions

15.1. All notifications of the Customer to Dokobit related to this agreement shall be sent via e-mail dpo@dokobit.com and shall be deemed to be received when Dokobit confirms the receipt thereof by replying to the Customer’s e-mail or within thirty (30) days of the receipt of the e-mail, whichever is earlier.

15.2. Dokobit notifications to the Customer related to this Data Processing Agreement shall be published by Dokobit on the Compliance Website. Dokobit shall notify the Customer about any changes to this Data Processing Agreement by making such information available on the Compliance Website. The Customer may subscribe to an RSS feed of the Compliance Website to be notified automatically when there are changes related to this Data Processing Agreement.

15.3. The amendments to this Data Processing Agreement shall come into force following publication thereof on the Compliance Website. Dokobit shall announce about intended amendment of the Data Processing Agreement at least 30 days prior to the planned amendment via e-mail. If the Customer continues using the Services following the publication of amendments to the Data Processing Agreement, it shall be deemed that the Customer agrees with the amendments to the Data Processing Agreement. If the Customer disagrees with the amendments, the Customer will not be able to use Services and shall have the right to terminate the Terms of Service.

15.4. Relevant version of the Data Processing Agreement may be downloaded here.


Versions

Valid from January 1, 2022

Download
Older Versions

28.06.2019-31.12.2021