General Contracting Conditions for GuruSup Software
SCOPE
The following general terms and conditions (hereinafter “Contract” or “Conditions”) of GURUWALK, S.L. (hereinafter “GURUWALK” or “The Holder”), apply to your order in the current version at the moment the order is made.
The terms and conditions apply exclusively to contracts formalised through the web site on Internet and shall comply with the terms set forth in the legislation in force and, in particular, Act 7/1998, of 13th April, on general contracting conditions, Act 34/2002, of 11th July, on information society services and electronic commerce and other complementary laws.
Should a contract / agreement have been entered into with GURUWALK for the same services as the order made, the content of that contract / agreement shall prevail over the clauses of these general contractual conditions.
IDENTIFICATION OF THE HOLDER
The company with which you are entering into this contract is GURUWALK S.L., with its registered office at 12003-Castellón de la Plana, Ronda Circunvalación, no. 188, Edificio CEEI, T.I.N. B98719818, registered at the Business Registry of Valencia, Volume: 1789, Book 1350, Folio 102, sheet CS42187. GURUWALK offers its Customer Support software services (hereinafter the “Service”) through its web page gurusup.com (hereinafter the “Web Page”), as well as direct contracts arranged with companies and entrepreneurs (hereinafter “CLIENT”).
The registered office for the purposes of complaints is that stated as the registered office of the company.
These Conditions regulate the arrangement of the contractual services offered by GURUWALK, all through its Web Page, and/or directly between the CLIENT and Guruwalk, as well as the rights and obligations of the parties arising from operations to provide services arranged between them.
GURUWALK has developed and is the legitimate holder of a software (hereinafter “GuruSup” and/or “SaaS” and/or “Software”), which, among others, has two main functions: (1) the first of these is classification of tickets under “labels”, by means of a series of parameters that the CLIENT has previously registered; (2) the second is generation of replies through AI that, by means of a series of sources of information that the SaaS captures from the CLIENT, allows it to respond as one of the members of the CLIENT’s support team would.
That, by accepting these terms and conditions, GURUWALK grants a licence to the CLIENT for access to and use of the Software and to be provided other complementary services according to the Conditions stated below.
DEFINITIONS
In addition to any other term defined in these conditions, the following terms shall have the meaning provided below:
“Data Bases”: integrated set of data owned by the CLIENT included within the SAAS during the term of the Contract. In the case of processing personal data included as part of the Data Base the Data Processor Agreement included shall be applicable to them.
“GDPR”: Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27th April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Controlling Body”, “Data Subject”, “Data Controller”, “Data Processor”, “Special Data Categories” have the meaning established in the GDPR.
“Personal Data”: any personal data, as defined in the GDPR, processed pursuant to these Conditions.
“Processing”: any operation or set of operations performed on personal data or sets of personal data, either by automated procedures, or otherwise, such as collection, recording, organisation, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion, or any other means to enable access, checking or interconnection, limitation, suppression or destruction. The terms “Process” and “Processed” shall be understood to be in keeping with this definition.
“Purpose of the Processing”: Reason why the Personal Data is Processed, the intended objective of the Processing.
“AI System” or “AI”: system based on a machine designed to operate with different levels of autonomy, that may show capacity of adaptation after deployment and which establishes a manner to generate output information from the input information it receives, for specific or implicit objectives, such as predictions, content, recommendations or decisions, that may influence physical or virtual environments.
OBJECT OF THE CONDITIONS
These general conditions shall regulate the user licence that GURUWALK grants the CLIENT in relation to the SAAS, which is non-exclusive and may not be sub-licenced, with a worldwide scope and a term limited to the currency of the conditions, that shall be on condition that its price is fully paid in all cases.
These conditions also regulate provision of complementary services consisting of technical support under the terms stated (hereinafter use of the Software and set of complementary services shall jointly be called “Services”).
GURUWALK reserves the right to amend any term of these conditions, of which the CLIENT shall be notified for acceptance through the SAAS, notwithstanding updating of these conditions performed by Guruwalk.
FINANCIAL CONDITIONS, PLANS AND CONTRACTUAL RENEWAL
Subscription fee. The price of the Services is set as payment of a subscription fee (the “Fee”) which may be annual or monthly depending on the plan the CLIENT has chosen. The fee shall be that chosen for that purpose by the CLIENT in the Particular Conditions negotiated, that in turn are recorded on the web gurusup.com.
During the term of the contract, should the CLIENT wish any change to the plan subscribed, the terms and conditions published by GURUWALK on its web at the time of the change shall apply.
Conditions of the annual plan service.
Renewal of the contract. On the expiry date of the annual plan, that is, when one calendar year has elapsed from choosing the plan, the contract shall be considered automatically renewed by annual periods, the terms and conditions in force at that moment being applicable, these being available to the CLIENT on gurusup.com, except if the CLIENT specifically expresses that they do not intend to renew the plan subscribed at least thirty (30) days prior to the end date of the initial period or that of any of its extensions.
You may exercise your right not to renew, for which it shall suffice to submit notification by electronic mail sent to GURUWALK at the following address: victor@guruwalk.com.
Cancellation of the service. Within the currency of the conditions agreed, the CLIENT may terminate the contract, although such cancellation shall not provide entitlement to any reimbursement whatsoever of the sums already paid to GURUWALK. The CLIENT may exercise its right not to renew, for which it shall suffice to submit notification by electronic mail to GURUWALK at the following address: victor@guruwalk.com.
Conditions of the monthly plan service.
Selection of the Monthly Fee. On initial selection or a change of plan to monthly, the monthly fee for the plan selected shall immediately be charged.
Update of the Monthly Fee. GURUWALK may freely change the fee and/or conditions of the monthly plans, providing 60 calendar days' notice of the changes to be made, prior to their effective application, granting the CLIENT the right to cancel the service, if they do not accept the new conditions, as long as this is notified at least 30 days following said notice.
Should they not notify this with the advance notice stated, GURUWALK shall proceed to apply the new conditions, including the new rates, 60 days after the notification; in the event of the last day of that term not coinciding with the last calendar day of the month for the purposes of calculating full months, that term shall be extended until the first calendar day of the following month.
Cancellation of the service. The CLIENT shall be entitled to terminate the agreement, although its cancellation shall not provide entitlement to reimbursement of any amounts already paid to GURUWALK. Termination of the contract must be notified with a minimum advance notice of thirty (30) days prior to the end date of the initial period or any of its extensions.
The CLIENT may exercise its right not to renew, for which it shall suffice to provide notice by electronic mail to GURUWALK at the following address: victor@guruwalk.com.
CONDITIONS FOR USE OF THE SERVICE
User Rights. GURUWALK grants the CLIENT a license for personal, non-exclusive, non-transferrable and non-sublicensable use of the SAAS and the rest of the Services, worldwide, during the term of these conditions and their renewal, exclusively for the purposes of their professional activity, in consideration for the price. Under no circumstance shall this license be considered a cession of the ownership of the rights to exploit the Software, or authorisation to commercialise or distribute the program.
Restrictions on Use. The CLIENT may not: (a) perform reverse engineering, decompile, disassemble or attempt to obtain or derive the source code, the underlying ideas, the algorithms, the file formats or the non-public API of the Services, as well as translate, modify or create derivative works from the SAAS, the Services or any part thereof, except to the extent that this is allowed by the applicable legislation; (b) copy / reproduce, lend, sell, rent, sublicense, issue, distribute, edit, transfer to third parties or facilitate access to the SAAS, as well as adapt the Services or any part thereof in any manner; (c) use the Services for the benefit of any third party; (d) use the Service for any commercial purpose, or in a product or service that the CLIENT provides third parties; (e) circumvent, modify, eliminate, erase, alter or in any other way manipulate any security technology or program, encryption or any other kind that forms part of the Services; (f) access or use the SAAS or the Services in order to perform analysis of competitors or create a similar or competing product or service; (g) use the SAAS for any illegal purpose or one that is not authorised by GURUWALK, including unsolicited advertising and spam; (h) create, compile, transmit, store, use or process any data through the SAAS which breaches any applicable law or infringes intellectual property rights or other rights of any third party; (i) insert or distribute content or software (viruses and malware) that may cause damage to the computer systems of GURUWALK, its technological service providers or third party users; (j) encourage, allow or aid any third party to do any of the above; or (k) allow use of the SAAS by unauthorised users.
Liability. Not abiding by the restrictions stated above, or any other use that is contrary to the terms and conditions of the SAAS or contractual good faith by the CLIENT shall cause the claims for compensation established in the Conditions.
Updates and new versions. Updates, successive versions of the SAAS that are provided to the CLIENT during the term of the Conditions, shall be subject to the same terms.
TECHNICAL SUPPORT SERVICES AND AVAILABILITY
Technical Support Services. GURUWALK shall provide the CLIENT telephone or electronic support during the working hours of GURUWALK to aid the CLIENT to resolve doubts, locate and correct issues related to the SAAS using the electronic mail victor@guruwalk.com or the chat included within the actual SAAS. During provision of the service, the CLIENT authorises GURUWALK, through its staff, and with prior request to the CLIENT, to be able to access the CLIENT’s accounts and its platform to carry out the appropriate actions to resolve doubts or incidents arising with the SAAS.
Availability. GURUWALK shall make commercially reasonable efforts to ensure the SAAS has 99% availability and shall make commercially reasonable efforts to notify the CLIENT at least 48 hours in advance of scheduled maintenance within usual working hours.
Access to the Account. The CLIENT must maintain the security of the access codes to the SAAS. GURUWALK shall not be held liable in any case for any loss of information or damage caused by breach of this security obligation.
Restrictions. It is not permitted: (i) to share user accounts on the SAAS; and (ii) account creation by “bots” or other automated methods. The CLIENT shall be held liable for all actions performed and for all the data uploaded to the SAAS.
INTELLECTUAL AND INDUSTRIAL PROPERTY
Intellectual and Industrial Property in relation to the Services. GURUWALK shall conserve its position as holder of all the intellectual and industrial property rights related to all the components of the Services, including the SAAS, and any other development, improvement, update or works arising from this Agreement. The intellectual and industrial property rights shall cover all the data, source code and object, scripts, designs, concepts, applications, texts, images, any related documentation, copies, modifications and documents, or documentation arising from the above (fully or partially) and all related authors’ rights, patents, brands, trade secrets and other property rights, that are and shall continue to be the exclusive property of GURUWALK and/or its license holders.
Intellectual and Industrial Property of the CLIENT. All the rights, titles and interests in relation to the Data Base, brands, trade names and logos of the CLIENT, as well as those that may exist in its own computer system, shall remain the property of the CLIENT. The CLIENT specifically authorises GURUWALK to make use of its brand and trade name to include this in the web sites owned by GURUWALK merely for advertising purposes.
CONFIDENTIALITY
Definition of Confidential Information. “Confidential Information” is understood as any material or information disclosed verbally or in writing that is labelled or classified as confidential or that, due to its nature, may reasonably be understood to be confidential, and that has been delivered or provided by any of the Parties to the other due to these conditions, including information regarding the computer systems and systems architecture of the systems foreseen or existing of the Parties, including the hardware, software, the actual SAAS, the Documentation, the Data Base, the processing methods, corporate secrets, intellectual and industrial property and operating methods.
Exceptions. The Confidential Information shall not include information that (i) was in the public domain at the moment when disclosed to the Party receiving; (ii) entered the public domain by use, publication or similar, after disclosure to the Party receiving, without any blame or act whatsoever by the Party receiving; (iii) that was in the possession of the Party receiving in a legitimate manner and free of any confidentiality obligation at the moment when disclosed to the Party receiving; (iv) that is legitimately communicated to the Party receiving by a third party that is entitled to disclose such Confidential Information, after the moment when disclosed to the Party receiving.
Duty of confidentiality. The Parties undertake not to use, disclose, copy, publish, utilise, exploit, broadcast or distribute the Confidential Information of the other Party, nor allow the Confidential Information received to be exploited or distributed by third parties without prior written consent by the Party disclosing, except to the extent that this is necessary to comply with its obligations or exercise its rights by virtue of the contract. The Parties undertake to process the Confidential Information with the same degree of care that they use to protect their own Confidential Information, and under no circumstance with a lower degree of care to that which is reasonable. The confidentiality obligation shall remain in force indefinitely and also covers the employees and representatives of the Parties, as well as the external advisors that any of the Parties may have retained in relation to this contract. Due to the mere fact of having been disclosed, information does not cease to be the property of the relevant Party.
Disclosure of Confidential Information. The Parties may only disclose Confidential Information in the following cases: (i) in response to an order by a court or other governmental body, or as required by law, (in this case, the Party disclosing that potential disclosure shall previously be notified, and such disclosure shall be limited to the maximum extent possible); (ii) when the Party receiving such Confidential Information must disclose it to their employees, representatives or external advisors (if such exist) who they have hired in order to fulfil their obligations under this contract and only granting them access to it to the necessary extent; (iii) when a Party has received specific written authorisation from the other Party to disclose its Confidential Information (or part thereof).
Breach of the duty of confidentiality. Breach of the confidentiality obligations recorded in this contract, or deceitful or culpable actions carried out by any of the Parties, their employees or executives, shall entitle the Party in breach to file a legal claim for direct or indirect liabilities, or against third parties, including judicial and extrajudicial expenses and costs of defence that the Party in breach may cause, as well as to compensate the damages and losses such a breach may have caused the Party that is not in breach.
DATA PROTECTION
Data of the parties to the contract. The Parties mutually inform each other that the personal data of the parties signing, as well as the persons who work for the respective Parties, and the contact data provided for the purposes of notifications, shall be subject to processing by the other Party for the sole purpose of managing and performing the contractual relationship. The data shall be conserved while the relationship remains in force and, once it has concluded, this shall only be conserved for the necessary time to satisfy fulfilment of tax, legal and administrative obligations by which the Parties are bound.
The authority for such processing is the legitimate interest in managing the contractual relationship between the parties. The data shall not be communicated or ceded to third parties except for that which is essential for the actual performance of the contract (necessary service providers) and to comply with the legal obligations (Public Administrations, Auditors, financial institutions, insurance companies, when appropriate, among others).
In the case of necessary service providers, they may possibly have their seat outside the EU and an international data transfer may take place. In that case, the Parties undertake to ensure that their international providers ensure adequate guarantees pursuant to the applicable regulations.
The Parties may request exercise of their rights of access, correction, suppression, opposition, limitation and portability at the address provided in this contract, or the electronic address privacidad@guruwalk.com, clearly stating the right they wish to exercise. Likewise, the Parties are mutually informed that they are entitled to submit a claim to the Spanish Data Protection Agency (www.aepd.es). Notwithstanding this, the Parties shall provide their best resources and shall attempt to resolve any matter regarding personal data in an amicable manner.
Data Base included by the CLIENT. Processing personal data contained in the Data Base that shall be carried out by GURUWALK as a consequence of providing the Services shall be regulated by the Processing Commission Agreement recorded in these conditions.
Processing Commission. In order to provide the services contained in the SAAS, GURUWALK shall hold the status of data processor pursuant to the data protection regulations, while the CLIENT shall be responsible for the processing. Addendum I includes a Data Processor Agreement where it is recorded.
GUARANTEES
Ownership guarantee. GURUWALK guarantees the CLIENT that it is the legitimate owner or holder of all the necessary intellectual property rights to provide the Services and the SAAS.
Exclusions. Except as specifically established in the preceding paragraph, the Software is provided “AS IS” and “as available” and GURUWALK excludes any other kind of guarantee, including, among others, implicit guarantees of availability, performance, non-infringement, saleability or fitness for a specific purpose, without prejudice to, if appropriate, the guarantees required by the law. The CLIENT accepts that it is the sole party responsible for the results obtained by use of the Services and their features. Claims shall not be accepted for supposed specifications that the CLIENT considers the SAAS or Services must fulfil.
LIABILITIES
Limitation of Liabilities. The CLIENT agrees to compensate and maintain indemnity for GURUWALK with regard to any claim, action or direct or indirect, incidental or consequential suit filed by third parties, as well as for any expense, liability, damages, agreements or fees that might arise from misuse of the SAAS or the Services by the CLIENT, or due to breach of any of the terms of this contract. Nor shall GURUWALK be held in any way liable for any claims, losses or damages arising from use by the CLIENT or any User of any third-party product, services, software or web sites accessed through the referrals or links from the SAAS or the web page of GURUWALK.
Indirect damages. GURUWALK shall not be held liable (except if the law provides otherwise) to the CLIENT for any damages, compensation or indemnity based on indirect damages (including, but not limited to emergent damage, loss of use, loss or imprecision of data, lost profit, failure of security mechanisms, interruption of business, delay costs) or any special, incidental or consequential damages of any kind, even if they are informed of the possibility of such damages in advance.
Maximum liability. The maximum liability of GURUWALK for any claim arising from this contract, either due to breach of contract, breach of guarantee, negligence or otherwise, and the sole recourse of the CLIENT, is limited to direct damages in an amount that does not exceed the proportional part of the sum of amounts and Annual or Monthly Fees paid or payable by the CLIENT to GURUWALK by virtue of this contract in the last twenty-four (24) months preceding the claim.
Force Majeure. Neither of the Parties shall be held liable to the other for breach of the obligations contracted by virtue of the conditions to the extent that such a breach or delay is the result of a cause or circumstance that is beyond the reasonable control of the Party affected and that could not have been avoided or overcome by acting in a reasonable and cautious way (such as, for example, but not being limited to fires, floods, strikes, labour conflicts or other industrial action, war - declared or not -, embargoes, blockades, legal restrictions, uprisings, insurrections, governmental regulations).
Regulatory compliance. The CLIENT shall be the sole party responsible for complete fulfilment of all the laws applicable to its business within its jurisdiction. Merely contracting the Services is not equivalent to, nor in any way whatsoever guarantees fulfilment of the regulations applicable to management of the working day.
TERMINATION
GURUWALK reserves the right to terminate the Contract to full legal effect, without prior notice or compensation, in the event of the CLIENT compromising the integrity of the SAAS in any way, the intellectual and industrial property rights of GURUWALK to the Services or the reputation of the GURUWALK brands or products, or performs any of the actions foreseen in the Clause.
Effects of the resolution. On expiry of the contract or its termination for any reason: (i) The CLIENT shall not be reimbursed any of the sums paid to GURUWALK by virtue of this agreement and it shall bill all the fees it is owed for the remaining time of the current year; (ii) at the request of the CLIENT, GURUWALK undertakes to provide the CLIENT a copy of the Data Base in a standard technical format. That request must be made within a term of one (1) month from termination of the contract; (iii) all the provisions hereof shall cease to have effect, except for the provisions of this contract that, due to their nature, must remain in force, even though the contract is declared terminated, including the provisions regarding confidentiality matters, intellectual property and data protection.
SUNDRY
Headings. The headings of the clauses are only provided for the purpose of illustration and shall not have any legal effect.
Notifications. The Parties assign designated electronic mail addresses; in the case of GURUWALK the electronic mail address enabled is privacidad@guruwalk.com.
Term. The term of the user license shall be linked to the contract remaining in force and payment by the CLIENT of the fees GURUWALK establishes from time to time. GURUWALK shall not continue to provide the service once the term of the software user licence has ceased to be in force.
Assignment. The CLIENT may not assign or transfer this contract without prior written consent by GURUWALK. However, the contract may be assigned or transferred by GURUWALK without consent by the CLIENT being required, for which prior written notice to the CLIENT shall suffice for the assignment to take effect. Once the assignment is formalised, any reference to the assignor Party contained in this agreement must be understood as a reference to the assignee entity or entities.
Audits. GURUWALK reserves the possibility of conducting audits of the CLIENT to check that it complies with the terms and conditions of the license. Such audits shall be performed with an advance notice of fifteen (15) days and shall be at GURUWALK’s expense, unless breach of the Conditions is detected, in which case the CLIENT must bear such expenses. The scope of the audit shall only be regarding the use of the SAAS by the CLIENT.
Renunciation. No delay in exercising a right shall be considered a renunciation of such, nor shall renouncing a right or recourse in a specific case constitute a renunciation of such a right or recourse in general.
Partial invalidity. Should any of the provisions of this contract be declared inapplicable or invalid, the remaining provisions of this contract shall not be affected and shall remain in full force and effect.
Independence. This contract has mercantile status, there not being any labour link whatsoever between the Parties in any case, and these shall be independent to all ends.
Rebus sic stantibus. This software user license agreement is entered into under the present financial, technological and legal circumstances. In the event of such circumstances changing in a significant, unforeseeable manner, substantially affecting the obligations and profit of GURUWALK, it may request review or termination of the agreement, notifying the CLIENT in writing. GURUWALK and the CLIENT shall negotiate in good faith regarding the necessary amendments; if an agreement is not reached within a reasonable term, GURUWALK shall be entitled to terminate agreement without incurring any penalty whatsoever.
APPLICABLE LAW AND JURISDICTION
Applicable law. The terms of this contract shall be governed and interpreted pursuant to Spanish law in all aspects.
Applicable jurisdiction. The Parties jointly declare that, to the reasonable extents, all disputes arising in relation to this agreement, or which are derived from it, shall be resolved by negotiations and mutual consultation. Should a satisfactory solution not be reached, the dispute shall be submitted to the courts of the city of Valencia.
ADDENDUM I. PROCESSING COMMISSION AGREEMENT
This Processing Commission Agreement (hereinafter “PCA”), forms part of the general conditions, hereinafter the “Conditions”, subscribed by GURUWALK S.L., that shall have the status of data processor (hereinafter “Data Processor”) and the CLIENT, that shall have the status of data controller (hereinafter “Data Controller”) and which records the terms and conditions applicable to the services provided by GURUWALK, S.L. (the “Services”).
WITNESSETH
Whereas, the Parties have signed a license to use the SaaS software GuruSup and services by virtue of which the Data Processor shall provide certain services (hereinafter the “Services”) that shall involve access to personal data controlled by the Data Controller.
Whereas, Regulation (EU) 2016/679, of the European Parliament and of the Council, of 27th April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter “GDPR”) imposes regulation of the obligations related to data protection undertaken by the Parties to the Contract.
Whereas, pursuant to the terms stated, the Parties agree to enter into and sign this Processing Commission Agreement that shall be governed according to the terms established in Article 28 of the GDPR, and by the following:
CLAUSES
Object
In order to provide the features arising from the Contract and provide the Services in an effective manner, the Data Processor may have access to personal data for which the Data Controller is responsible.
Identification of the information concerned
In order to perform the services arising from fulfilment of the object of this Processing Commission Agreement, the Data Controller provides the Data Processor the information described below:
Personal data:
Name and surname of the Data Controller’s clients.
Name and surname of the Agent acting on behalf of the Data Controller.
Voice recording of participants in a call, if appropriate.
Electronic mail of the Data Controller’s clients.
Queries submitted by the Data Controller’s clients to the support centre.
Replies by the Agent acting on behalf of the Data Controller.
Any other information regarding a natural person indicated by the Data Controller that may be necessary to perform the service.
This Processing Commission Agreement shall come into force on the date the conditions of the Agreement are accepted. This Processing Commission Agreement is accessory to the main service provision agreement, so its term is linked to its duration.
Obligations of the Data Controller
It is the remit of the Data Controller, in addition to fulfilling all obligations it is assigned throughout this Processing Commission Agreement, to perform the following tasks:
To comply with all the technical and organisational measures required to guarantee secure processing, the premises, equipment, systems, programs and persons involved in processing the aforementioned personal data, as stipulated by the regulations in force and those applicable from time to time.
To deliver the Processor the necessary data to perform the service, as well as the necessary instructions to carry out processing of the data under the terms established by the Controller.
To respond to applications by the data subjects to exercise their processing-related rights, such as the rights of access, correction, deletion and opposition, limitation of processing, data portability, and not to be subject to automated individual decisions, in reasonable collaboration with the Processor.
As appropriate, to perform an evaluation of the impact of the processing operations to be performed by the Processor on protection of the personal data.
To safeguard, previously and during processing, compliance with the applicable regulations on data protection by the Processor.
To supervise the processing, including inspections and audits.
To notify the Processor of any variation that may arise in the personal data provided, in order for it to proceed to update such.
To comply with the duty of information to the parties concerned at the moment of this being gathered, or processing the data subject to processing, complying with the terms foreseen in Article 12, 13 and 14 of the GDPR, as appropriate.
To have a legitimate basis for processing the appropriate personal data that complies with the principles of effectiveness, need and proportionality, attending to the existence of other means of protection that may be less invasive, avoiding discriminatory effects and establishing adequate guarantees.
Under no circumstance shall the Data Processor be held liable for failure to fulfil or for defective fulfilment of the duty of information or application of an appropriate basis for legitimation.
Obligations of the Data Processor.
The Data Processor declares and guarantees to the Data Controller as follows:
That it shall use the personal data subject to processing, or that it gathers for inclusion, solely for the purpose described in the Conditions. Under no circumstance may it use the data for its own purposes;
That it shall process and use the personal data to which it has access solely according to the instructions given by the Data Controller, and pursuant to the purposes regulated in the Contract. Instructions regarding processing of data and actions the Processor is commissioned to perform must be transmitted to the Processor in writing. If the Data Processor considers that fulfilment of a specific instruction by the Controller may amount to a breach of the data protection regulations, it shall immediately inform the Controller. In that notification, the Processor shall request the Controller to amend, withdraw or confirm the instruction provided and may suspend its compliance while awaiting a decision by the Controller.
That it shall keep a record of all the categories of processing activities performed on behalf of the Controller, which contains all the information foreseen in Article 30 GDPR.
That it shall maintain confidentiality and secrecy regarding the personal data to which it obtains access due to provision of the Services, including the Processor’s staff and collaborators.
That it shall not communicate such to third parties except with specific authorisation from the data controller, and in the legally admissible cases. The Processor may communicate data to other data processors acting for the same controller, according to instructions provided by the latter. In that case, the controller shall identify, beforehand and in writing, the entity to which the data must be communicated, the data to be communicated and the security measures to be applied to proceed to the communication.
That it shall provide the Data Controller the necessary, relevant information to prove fulfilment of the obligations established in the Agreement.
That it shall provide the reasonable, relevant assistance required by the Controller to carry out audits or inspections, performed by the Data Controller or by another auditor authorised by the Data Controller. The audit shall be limited to matters, documentary proof without direct access to the system, or the Software of the Data Processor. The Parties shall mutually agree the scope, schedule and duration of the audit, that shall always be carried out during the usual working hours of the Data Processor and shall not involve risks to the confidentiality obligations the Data Processor has with third parties. The Data Controller shall bear its own expenses in relation to said audits.
That it shall guarantee that the persons authorised to deal with personal data have undertaken, specifically and in writing, to comply with the security measures established, and to respect the confidentiality of the data. Fulfilment of this obligation shall be documented by the Data Processor and made available to the Data Controller.
That it has appointed a data protection officer (“DPO”) whose contact data is as follows: privacidad@guruwalk.com.
That it shall reasonably collaborate in fulfilment of the Data Controller’s obligations, and shall offer it support, when appropriate, and thus requested by the Data Controller, to perform (i) impact evaluations related to the personal data to which it has access; (ii) prior consultation to the controlling body.
Disposal of the Data.
On conclusion of the Services, the Data Processor shall return or destroy the personal data to which it has had access and any existing copy, following instructions from the Data Controller. The officer shall have a term of 90 days to execute the decision by the Data Controller, confirming the return or destruction as appropriate.
The Data Processor may conserve a copy with the data duly blocked as long as liabilities may arise from performance of providing the Services.
Notification of data security breaches.
The Data Controller shall notify the Data Processor, without undue delay, of any suspected or confirmed incident regarding data protection within its field of responsibility. The notification must be accompanied by all the relevant information to document and notify the incident to the relevant authorities or data subjects affected.
The Data Processor shall also provide all reasonable, relevant assistance to the Data Controller in relation to the notification obligations pursuant to the GDPR (in particular, Articles 33 and 34 of the GDPR) and any other applicable regulations, present or future, that may amend or complement such obligations.
Exercise of rights by the data subjects
The Data Processor shall provide the information and/or documentation that the Data Controller may request from it to respond to requests to exercise rights that the Data Controller may receive from the data subjects whose data is being processed. The Data Processor must facilitate such information within reasonable terms and, in any case, enough time in advance for the Data Controller to be able to comply with the legally applicable terms to respond to exercise of such rights.
Security
With regard to the technical and organisational measures for security, the Data Processor must implement mechanisms to:
Guarantee permanent confidentiality, integrity, availability and resilience of the processing systems and services.
Restore the availability and access to the personal data in a swift manner, in the case of a physical or technical incident.
Regularly verify, evaluate and value the effectiveness of the technical and organisational measures implemented to guarantee processing security.
Pseudonymize and encrypt personal data, if appropriate.
In particular, the Parties have agreed on a list of measures that the Data Processor must implement, set forth in Addendum III to this Processing Commission Agreement.
If, after formalisation of the Agreement, the Data Controller requires the Data Processor to adopt or maintain security measures that differ from those agreed in this Addendum III, or if these are made mandatory by any future regulation and this were to significantly affect the costs of providing the Services, the Data Processor and the Data Controller shall agree the contractual measures to deal with the effect such changes may have on the price of the Services.
Subcontracting
The Data Controller hereby grants a general authorisation for the Data Processor to be able to subcontract part of the Services to third-party entities or subcontractors (the “Sub-processor”). The Data Processor shall inform the Data Controller of the processing it intends to subcontract, clearly and unequivocally identifying the subcontractor company and its contact data. The subcontracting may be carried out if the controller does not express its opposition within the term of 15 days.
The Data Processor shall apply due diligence to choose only sub-processors who provide sufficient guarantees to apply appropriate technical and organisational methods so the subcontracted processing complies with the requisites of the regulations in force and protection of data subject rights is guaranteed.
The Sub-processor, which shall also have data processor status, shall also be bound to comply with the obligations imposed on the Data Processor and the instructions provided by the Data Controller, as set forth in this Processing Commission Agreement. It corresponds to the Data Processor to regulate the new contractual relations in a contract signed by the Data Processor and Sub-processor, so that the Sub-processor is subject to the same conditions (instructions, obligations, security measures ...) and with the same formal requisites as the initial Data Processor, with regard to adequate processing of the personal data and guarantee of the rights of the persons affected. In the event of breach by the Sub-processor, the Data Processor shall continue to be held fully responsible to the Data Controller with regard to fulfilment of the obligations included in this Processing Commission Agreement.
The list of sub-processors authorised by the Data Controller is attached to this Processing Commission Agreement as Addendum II.
International data transfers
The Data Processor shall not perform any international transfers of personal data to which it has access for which the Data Controller is responsible, except if it has obtained prior authorisation by the Data Controller or if these are duly regularised as set forth in Articles 45, 46 or 47 of the GDPR. Notwithstanding the foregoing, the authorised sub-processors listed in Addendum II who perform certain processing on behalf of the processor in territories outside the European Economic Area shall have signed the relevant standard contractual clauses (“SCC”) approved by the European Commission with the data processor, in an agreement signed by both companies in which the company outside the European Union guarantees that it applies equivalent data protection standards to the European ones.
Liability
The Data Processor shall be held liable for processing in the event of it assigning the data this Commission Agreement concerns to other purposes, if it communicates or uses such in breach of the clauses of this Commission Agreement, being held liable for infringements it may have personally committed.
The Data Controller must immediately inform the Data Processor of penalisation proceedings initiated against the Data Controller by the Spanish Data Protection Agency (AEPD) or any other competent authority, for such breaches or defective fulfilment, in order for the Data Processor to be able to take charge of the legal defence, and at all times it must act in coordination with the Data Controller and preserve its public image and reputation.
Each Party shall maintain indemnity for the other against claims, compensations, actions and expenses arising from claims that the Party is bound to honour by final judgment or ruling handed down by a competent court, or by virtue of an agreement reached between one Party and third-party claimants that is a consequence of breach or defective fulfilment of an applicable regulation, taking into account the limit to liability recorded in the Conditions.
ADDENDUM II. LIST OF SUB-PROCESSORS
Name of the sub-processor: Amazon Web Services
Registered office address: 410 Terry Avenue North, Seattle, WA 98109-5210, ATTN
Present processing location: France (Amazon Brétigny-sur-Orge 91220 Brétigny-sur-Orge)
Link to the sub-processor’s security policy: https://aws.amazon.com/es/compliance/

Name of the sub-processor: MongoDB, Inc
Registered office address: 1633 Broadway, 38th Floor, New York, NY 10019
Present processing location: MongoDB is certified to the EU-US Data Privacy Framework
Link to the sub-processor’s security policy: https://www.mongodb.com/legal/privacy/privacy-policy
ADDENDUM III. SECURITY MEASURES
Our infrastructure is mainly Cloud based; we use various providers for better failure tolerance, and are constantly subject to an improvement process.
Our application has a distributed architecture, which allows us to maintain separate front, API and other necessary services for the application to operate. It also allows us greater scalability of the service, as we may separately control what part of the infrastructure needs to bear a greater load.
On the other hand, we have a virtualised development environment which allows our team to perform all the changes in a parallel, controlled manner using a Git version control system, which allows us to ensure the integrity of the system, as well as a continuous integration flow with GitHub.
Development methodologies
Unit Tests
Hexagonal Architecture
Multiple authentication
Programming languages
Backend
FastAPI
Python
MongoDB
Frontend
VueJS
Tailwind
Infrastructure
We have the following technologies in infrastructure to process all the information:
Debian 10
Docker
AWS
Our systems department will ensure that the servers have the necessary package sets for the application to function correctly.
Incremental backup copies are made daily.
We save a copy of the whole content of the web server and copies of critical service configuration files.
Security measures on the infrastructure
Datacenter
We have leased servers in MongoDB Atlas, the number one in non-relational databases.
We also have leased services on AWS. AWS have been Cloud Computing pioneers since 2006, creating a cloud infrastructure that allows safer creation and faster innovation. Its data centres are designed to protect them from natural and man-made risks. Controls are implemented, automated systems are developed and submitted to third-party audits to confirm their security and compliance.
The data centres are designed to foresee and tolerate errors while the service levels are maintained. In the event of error, automated processes reroute the traffic from the area affected. The main applications are implemented in an N+1 standard, so in the event of an error arising at a data centre, there will be sufficient capacity to be able to balance out the traffic load among the other sites.
AWS monitors and performs preventive maintenance of the electric and mechanical equipment to maintain constant functioning of the systems installed in the AWS data centres. The equipment maintenance procedures are carried out by qualified personnel and they are performed to a documented maintenance programme.
Protection against attacks
Our services use the anti-DDoS infrastructure deployed by MongoDB to protect the services 24 hours a day against any kind of DDoS attack, regardless of its duration and scope.
The aim of a DDoS attack is to knock out a server, a service or an infrastructure by sending multiple simultaneous requests from multiple points on the network.
The intensity of this “cross-fire” destabilises the service or, even worse, incapacitates it. This infrastructure allows:
Analysis of all the packets in real time and at great speed.
Uptake of traffic entering the server.
Mitigation, that is, identifying all illegitimate IP packets while allowing legitimate IP packets through.
Security
GURUWALK is highly aware of security, data processing as well as information leakage from such. That is why it works day by day to improve its security, maintaining clear objectives in that regard. We shall thus provide more in-depth detail below of the different aspects we deal with in security matters, both in the application as well as the infrastructure:
Cloud providers: GURUWALK has different cloud providers to ensure maximum availability and scalability possible in the application.
Access by those providers shall only be subject to employees with a very high accreditation level in the company, nearly always by an area or systems manager.
Servers: Access to the servers shall be restricted to employees with a high level of accreditation. Access to these shall use 2048-bit RSA key pairs and shall include a nominal user password, which allows access by that user to be restricted, as well as a detailed log of changes or alterations in such machines for possible subsequent auditing.
Third-party tools: GURUWALK uses third-party security tools such as Sentry, which takes charge of forming inventories of all our machinery and the domains we use, periodically launching vulnerability and intrusion audits. Thus, every week our experts have new reports available to inform them of possible security breaches, which will be patched according to the Tenable AI algorithm in the recommended order of priority.
Patching policy
All the services and the infrastructure that supports them, accessible via the Internet, whether for internal use by the company or our clients, follow an agile security update policy. These services are patched when a major bug or vulnerability becomes known. In the case of non-critical updates, monthly or quarterly patching is scheduled according to our needs and those of the application.