Palgeo Data Processing Agreement
This Data Usage Policy (“DUP“) forms part of the agreement between Palgeo (part of iPalPap Software Private Limited) and customer (“Customer“) for the purchase of Palgeo Geofencing Attendance App and Services (as described at //Palgeo.com) (the “Services“) and related technical support to Customer (as amended from time to time) (the “Agreement“). This DUP reflects the parties’ agreement with respect to the terms governing Palgeo’s processing and security of Palgeo Customer Data.
Relationship of the parties: Customer (the controller) appoints Palgeo as a processor to process the Customer Data on Customer’s behalf. Palgeo shall be the controller of Account Data.
Purpose limitation: Palgeo shall process the Customer Data as a processor only as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the “Permitted Purpose“), except where otherwise required by any law as applicable to both Palgeo & the Customer. In no event shall Palgeo process the Customer Data for its own purposes or those of any third party, save that Palgeo may de-identify and aggregate Customer Data (“Aggregated Data“) and may process Aggregated Data to maintain and improve Palgeo’s products and services.
Security: Palgeo shall implement appropriate technical and organisational measures to protect the Customer Data from a Security Incident.Such measures shall include, as appropriate:
- encryption of personal data;
- Palgeo shall implement appropriate technical and organisational measures to protect the Customer Data from a Security Incident.Such measures shall include, as appropriate:
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- process for regularly assessing and evaluating the effectiveness of technical measures for ensuring the security of the processing.
- Palgeo does not assume or assure it’s customer(s) that it is in anyway liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor that is acting on our behalf under this DUP. If Customer refuses to consent to Palgeo’s appointment of a third-party subprocessor relating to the protection of the Customer Data, Customer may elect to suspend or terminate the Agreement, including this DUP, subject to all fees and payment due for services rendered.
Cooperation and data subjects’ rights: During the Term, Palgeo shall, in a manner consistent with the functionality of the Services and taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights (including its rights of access, deletion, restriction, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a regulator or other third party in connection with the processing of the Data as required under applicable laws.
Security incidents: If Palgeo becomes aware of an actual Security Incident that involves Customer Data, Palgeo will: (a) notify Customer of the Security Incident without undue delay; (b) take appropriate steps to identify the cause of the Security Incident and minimize harm and secure the Customer Data, to the extent remediation is within Palgeo’s reasonable control; and (c) provide Customer with information, subject to our privacy and data security policies, confidentiality and legal requirements, as may be reasonably necessary to assist Customer with its notification and reporting responsibilities. Palgeo will not asses the contents of the Customer Data to identify any specific reporting or other legal obligations that are applicable to the Customer. Any and all regulatory and/or data subject reporting obligations related to the Security Incident are the responsibility of the Customer.
Palgeo’s notification of or response to a Security Incident under this DUP will not be construed as an acknowledgement by Palgeo of any liability or fault with respect to the Security Incident.
Notification(s) of any Security Incident(s) by Palgeo shall be delivered to the notification email provided in the Agreement. Customer is solely responsible for ensuring that the notification contact email is valid and accurate.
Each employee, when inducted with Palgeo, signs a confidentiality agreement and acceptable use policy, after which they undergo training in information security, privacy, and compliance. Furthermore, we evaluate their understanding through online and offline tests to determine which topics they need further training in. We provide training on specific aspects of security, that they may require based on their roles.
Deletion or return of Data: At Customer’s election, Palgeo Shall return or destroy all Customer Data in its possession or control (including in the possession of any Subprocessor) in accordance with Palgeo’s data retention and destruction procedures and timeframes unless otherwise agreed with Customer. This requirement shall not apply: (a) to the extent that Palgeo is required by any law to retain some or all of the Data, in which event Palgeo shall isolate and protect Customer Data from any further processing except to the extent required by such law or (b) to any data stored on back-ups such data will be destroyed in accordance with our standard destruction policies for back-up data due to the cost and technical difficulty of deleting back-ups.
Loss of Data : The Customer and PALGEO shall each take reasonable precautions (having regard to the nature of their other respective obligations under the terms and conditions) to preserve the integrity of the Data and to prevent any corruption or loss of the Data.
The Customer shall notify PALGEO in writing as soon as reasonably practicable after it becomes aware of any apparent errors in the Data and shall provide PALGEO with full written supporting material evidencing such error including without limitation a listing of the output and a copy of the relevant input data together with completed copies of any appropriate PALGEO data forms and the time the error was noted.
Biometric & Geofencing Data. Certain parts of the Service make use of biometric personal information (“Biometric & Geofencing Data“), such as facial recognition technology on photographs collected through the Service and geofencing data (locations). Biometric and Geofencing Data can be subject to additional laws and regulations. Accordingly, in connection with the collection, retention, and use of Biometric and Geofencing Data, you agree that:
At no point in time is the original biometric data captured, managed or stored by Palgeo. Furthermore, the algorithm by which the biometric image is converted into data is encrypted and managed by the supplier and inaccessible to Palgeo and/or third parties. Therefore, no biometric information of any user is captured, stored and managed within the entire Time & Attendance solution. The biometric image cannot be reverse engineered to produce the individual’s facial pattern.
You are the Controller of any Biometric and Geofencing Data you collect through the Service. You agree to provide appropriate notice and obtain all consents and rights necessary for us to Process the Biometric and Geofencing Data on your behalf. You recognize and agree that there are various laws that specifically govern the collection, use, and retention of Biometric and Geofencing Data, and understand that it is your responsibility to comply with all applicable laws. From time to time, we may provide reasonable assistance to you with certain obligations, when applicable, such as assisting you in responding to data subject requests and in providing relevant consent and disclosure language. Concerning assistance with consent and disclosure language, you agree that that any such assistance does not constitute legal advice, is for informational purposes only, and that it is your ultimate responsibility to ensure compliance with all applicable law.
You will use Biometric and Geofencing Data through the Service for identity verification and authentication purposes only. Any other use shall constitute a breach of this Agreement.
You will inform us if you wish to delete or otherwise change or remove any user’s Biometric and Geofencing Data from the Service for whatever reason. You agree it is your responsibility to determine when any user’s Biometric and Geofencing Information is no longer required and to notify us accordingly.
Palgeo will provide at least the same level of protection for the Data to the maximum extent it can. If Customer otherwise reasonably believes that Palgeo is not protecting the Data, Customer may either: (a) instruct Palgeo to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Palgeo shall promptly cooperate with Customer in good faith to identify, agree and implement such steps; or (b) terminate this DUP and the Agreement without penalty by giving notice to Palgeo.
If we reasonably believe are required by a court order, law agencies’ action, or any other legal or regulatory requirement, to disclose any Customer Data, we will provide you with notice and a copy of the demand as soon as possible, unless we are prohibited from doing so by applicable law or regulations.
This DUP, is the entire agreement between you and Palgeo and replaces all prior understandings, communications and agreements, oral or written, regarding its subject matter. If any court of law, having jurisdiction, rules that any part of this DUP is invalid, that section will be removed without affecting the remainder of the DUP. The remaining terms will be valid and enforceable.