This document lays out the responsibilities of Savio Technology Inc. to its customers with regards to data protection in general and the European Union’s General Data Protection Regulation (GDPR) specifically.
1. Savio Technology Inc. as Data Processor, Definitions
Savio Technology Inc. is a Data Processor operating on behalf of its customers.
- "Customers" are individuals or organizations paying money to use the Savio Technology Inc. service. Free users of the Savio Technology Inc. Service are not Customers.
- Savio Technology Inc.’s Customers are Data Controllers.
- “Personal Data” means any information relating to an identified or identifiable person.
- “Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
- “Services” means the Savio Technology Inc. service including web app accessed via the browser-based user interface and API (application program interface) and the professional services provided by Savio Technology Inc.
- “Sub-processor” means any Data Processor engaged by Savio Technology Inc.
- “Data Subject” means the individual to whom Personal Data relates.
2. Processing of Personal Data
- Use of the service implies that Savio Technology Inc. may process personal data on behalf of the Data Controller in accordance with the requirements of Data Protection Laws. The Data Controller will ensure that instructions to their users for the processing of personal data comply with Data Protection Laws. The Data Controller has sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which it acquires personal data.
- The data supplied to the Savio Technology Inc. Service by the Data Controller’s users are stored only to the degree necessary for the purpose of providing the core functionality of the the Savio Technology Inc. service.
- The data supplied to the Savio Technology Inc. Service is stored in a centralised database. Data may also be stored on other services where required to adequately perform the service’s functionality.
- Savio Technology Inc. lays out a description of its data protection practices on its website at https://www.savio.io/privacy/. This description is updated from time to time as and when practices change.
3. Rights of Data Subjects
- Savio Technology Inc. will, to the extent legally permitted, promptly notify the Data Controller if it receives a request from a Data Subject for access to, or deletion of, that person’s personal data. Savio Technology Inc. will not respond to a Data Subject request without the Data Controller’s prior written consent except to confirm that the request relates to the Data Controller. The Data Controller is solely responsible for completing such request as required by law.
- Savio Technology Inc. ensures that its personnel engaged in the processing of personal data are informed of the confidential nature of the personal data, have received appropriate training on their responsibilities and have agreed to confidentiality obligations that survive the termination of that persons’ employment or engagement by Savio Technology Inc.
- Savio Technology Inc. shall take commercially reasonable steps to ensure the reliability of any Savio Technology Inc. personnel engaged in the processing of personal data and that access to personal data by Savio Technology Inc. is limited to those Savio Technology Inc. personnel who require such access to perform the Services.
- Savio Technology Inc.’s data protection officer can be reached by email at firstname.lastname@example.org.
- The Data Controller agrees Savio Technology Inc. may engage third-party Sub-processors to provide the Services and such Sub-processors may access personal data, and appoint additional levels of Sub-processors, only for purposes of providing the services Savio Technology Inc. retained them to provide and not for any other purpose.
- Savio Technology Inc. agrees to be liable for the acts and omissions of its Sub-processors to the same extent Savio Technology Inc. would be liable if performing the services of each Sub-processor directly under the terms of this agreement.
- Savio Technology Inc. agrees to implement and maintain the administrative, technical, and physical safeguards of personal data stored using the Services.
7. Security Breach Management and Notification
- If Savio Technology Inc. becomes aware of unlawful access to the Data Controller’s personal data stored through the Services, or unauthorized access to the Services resulting in loss, disclosure, or alteration of the Data Controller’s personal data (“Security Breach”), Savio Technology Inc. will promptly: (a) notify the Data Controller of the Security Breach; (b) investigate the Security Breach and provide the Data Controller with information known to Savio Technology Inc. about the Security Breach; and (c) follow its policies and procedures to mitigate the effects and to minimize any damage resulting from the Security Breach.
- The Data Controller agrees that an unsuccessful Security Breach attempt will not be subject to Section 7.1 above. An unsuccessful Security Breach attempt is one that results in no unauthorized access to the Data Controller’s personal data or to the Services storing the Customer’s Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
- Notification(s) of Security Breaches, if any, will be delivered to one or more of the Customer’s business, technical or administrative contacts by any means Savio Technology Inc. selects, including via email. It is the Customer’s sole responsibility to ensure it maintains accurate contact information on Savio Technology Inc.’s support systems at all times.
- Savio Technology Inc.’s report of and/or response to a Security Breach under this Section will not be construed as an admission by Savio Technology Inc. to fault or liability with respect to the Security Breach.
8. Deletion of Customer Data
- Savio Technology Inc. agrees to delete Customer personal data in accordance with Savio Technology Inc.’s procedures and Data Protection Laws.
- At a Customer’s request, Savio Technology Inc. will provide the Customer with a certification of deletion of personal data.
9. Legal Effect
- This agreement comes into effect from the 11th of September 2019 for all existing customers, or from the time of purchase of a Savio Technology Inc. subscription. It expires with cessation of the Customer’s Savio Technology Inc. subscription.