Last updated: 30th of August, 2024.
This Data Processing Addendum (“DPA”) supplements the Ledidi Subscription Agreement and the Terms of Service governing the use of the Services.
This DPA is an agreement between the Customer or User as the “Controller” and Ledidi as the “Processor” (together referred to as the “Parties”).
Introduction
In the event of a conflict between this DPA and the Subscription Agreement or the Terms of Service, this DPA shall prevail.
The parties have agreed to this DPA to establish the respective Parties’ rights and obligations regarding Processing of Personal Data.
All capitalized terms in this Data Processing Addendum relating to the Processing of Personal Data shall have the same meaning as set out in EU Regulation 2016/679 (“GDPR”) and its applicable national implementation.
Roles and Responsibilities
Ledidi is the Processor of Personal Data as a result of the Controller's use of Ledidi's Services. Ledidi processes Personal Data included in the User Content only on behalf of the Controller, in accordance with the Controller’s instructions and this DPA, and will comply with all applicable data protection legislation.
The Controller warrants that it has a legal basis for all Data Processing that Ledidi is instructed to carry out on behalf of the Controller under this DPA.
Taking into account the nature of the processing, Controller agrees that it is unlikely that Ledidi would become aware that Controller Data transferred under the Standard Contractual Clauses is inaccurate or outdated.
For Personal Data related to the User's use of the Services that is not User Content, Ledidi will act as Controller. Please refer to Ledidi’s Privacy Policy.
Data Processing
The Processor will always act on the Controller’s instruction.
1. Subject matter. The subject matter of the data processing under this DPA is personal data included in the “User Content”, which refers to the data the User enters into a project using the User’s Ledidi user account. It also includes any other personal data related to the User's use of Ledidi's Services that is not specifically mentioned in the Privacy Policy where Ledidi is the Controller.
2. Duration of the Processing. The duration of the processing shall be in accordance with the Controller's instructions and the terms of this DPA.
3. Purpose. The purpose of the data processing under this DPA is the provision of the Services initiated by the Controller.
4. Nature of the processing. Compute, storage and other Services as described in the Documentation and initiated by the Controller.
5. Type of Personal Data. The types of Personal Data processed by Ledidi when providing the Services include Personal Data that the Controller elects to upload to the Controller’s Ledidi account.
6. Categories of data subjects. The data subjects could include the Controller’s employees, patients, healthy controls, suppliers, collaborators and end-users or any other categories of data subjects as identified in the data (User Content) that is uploaded to and processed in connection with use of the Services by the Controller.
Sub-processors
Ledidi uses Amazon Web Services, Inc. (AWS) as the only sub-processor under this DPA. All data stored and processed by Ledidi resides on AWS data centres located in Frankfurt, Germany and in Stockholm, Sweden. Ledidi will notify the Controller by email with a minimum of three months' notice in advance of any planned change or replacement of its sub-processor(s) to allow an evaluation of the technical and legal effects of such a change. Ledidi will ensure that the new sub-processor is subject to obligations and limitations at least as strict as those imposed on Ledidi according to this DPA. Ledidi will remain fully liable towards the Controller for the performance of the sub-processor’s obligations. The Controller has the opportunity to oppose the change in question. If the Controller has not opposed the change within seven days from receipt of such a notice, the change shall be deemed accepted. If the Controller opposes the change and Ledidi is not able to fulfil the Controller's requirements with measures that are commercially reasonable and technically feasible, Ledidi has the right to terminate the Subscription Agreement with one month's written notice.
International data transfer
For any transfer of Personal Data to sub-processors located in a country which is deemed not to provide an adequate level of protection for Personal Data within the meaning of GDPR (a “third country”), Ledidi will enter into the EU Standard Contractual Clauses (“SCC”) with such sub-processors (acting as data importers). Ledidi is currently only using AWS as a sub-processor under this DPA and has entered into a data processing agreement with AWS which includes the SCC, and which is available to the Controller upon request. The Controller accepts Ledidi's use of AWS as a sub-processor.
Assistance
Ledidi will assist the Controller as necessary to ensure compliance with its legal obligations under applicable data protection laws, such as in connection with the Controller’s compliance with the Data Subjects’ rights pursuant to GDPR chapter 3, and with the Controller’s compliance with GDPR articles 32 to 36. Such assistance shall be subject to reasonable compensation based on Ledidi’s standard hourly rates for such assistance, or if no such standard rates exist, based on an hourly rate as agreed between the parties. Ledidi will keep accurate records of the Processing activities performed on behalf of the Controller in compliance with this DPA and applicable data protection laws.
Security
Ledidi will, in accordance with the GDPR article 32, implement planned, systematic, and appropriate technical and organisational measures to ensure a level of security appropriate to the risk regarding the confidentiality, integrity and accessibility of the Processing of Personal Data. Information about Ledidi’s security measures is provided on Ledidi’s website. A more detailed description is available to the Controller upon request.
Confidentiality
Ledidi will not access or use, or disclose to any third party, any of the Controller’s Data, except on the Controller's instruction or as necessary to comply with the law or a valid and binding order of a governmental body.
Ledidi will ensure that persons authorised to Process Personal Data keep confidential all Personal Data and other confidential information provided to them under the Terms of Service and this DPA.
Personal Data Breach notification
Ledidi shall notify the Controller without undue delay upon Ledidi becoming aware of a Personal Data Breach affecting Controller’s Personal Data and provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform relevant Supervisory Authorities and Data Subjects of the Personal Data Breach under applicable data protection laws.
Audits
Ledidi will, by itself or through a third-party auditor, regularly conduct security audits on its organisational and technical measures relevant for the Processing of Personal Data pursuant to this Data Processing Addendum.
The Controller has the right to demand security audits performed by an independent third party at the Controller’s cost. Ledidi will allow for and contribute to the performance of such third-party audits. Ledidi shall be entitled to claim reasonable compensation for assisting the third-party auditor in accordance with an hourly rate as agreed between the Parties.
The results of any audits shall be documented and made available to the Controller upon request. The Controller is entitled to submit the results of the audit to the Supervisory Authority.
Ledidi will make available to the Controller all information necessary to demonstrate compliance with this DPA upon request.
Changes
Ledidi may change the terms of this DPA upon written notice to the Controller in accordance with the terms regarding changes in the Terms of Service.
Duration
This DPA shall apply for as long as Personal Data is processed by Ledidi on the Controller's instruction.
After termination of the Subscription Agreement, Ledidi will irreversibly delete all Personal Data and all backups in accordance with the data retention policy as set out in the Terms of Service.