Annex 1
GIRAFFE360 DATA PROCESSING AGREEMENT (DPA)

1. Background

  1. 1.1 This Data Processing Agreement and its annexes (the “DPA”) applies to the Clients operating in the European Economic Area (EEA) countries and the United Kingdom (UK) and reflects the Giraffe360’s and the Client’s agreement with respect to the processing of Client Data by Giraffe360 as a processor on Client’s behalf, who will act as data controller.
  2. 1.2 This DPA is incorporated into and forms part of the Giraffe360 Terms of Service between the Client and Giraffe360 (the “Agreement”). In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.

2. Definitions

Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:

“Client Data” means any Personal Data contained in the Giraffe360 Content and any other content or data that the Client makes available to Giraffe360 and that is hosted by Giraffe360 in connection with the provision of the Giraffe360 Service, including Property Data, Client Profile Data and Client’s Customer Data as further described in clause 3.1 of this DPA.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data. For the purpose of this DPA, the Controller is the Client.

“Data Protection Laws” means the GDPR, any national implementing or supplementary legislation and any other applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the processing of Client Data.

“Data Subject” means the individual to whom Personal Data relates.

“European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.

“GDPR” means the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council and, where applicable, the “UK GDPR” as defined in The Data Protection, Privacy and Electronic Communications (Amendment Etc.) (EU Exit) Regulations 2019.

“Instructions” means the written, documented instructions issued by the Client to Giraffe360, and directing Giraffe360 to perform a specific or general action with regard to Client Data.

“Subprocessor” means any Processor engaged by Giraffe360 who Processes Giraffe360 Client Data.

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under the relevant Data Protection Laws.

“Personal Data Breach” means an accidental or unlawful destruction, loss, alteration, corruption, unauthorised disclosure of, or access to, Client Data, as defined under the relevant Data Protection Laws.

“Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of Personal Data. The terms “Process,” “Processes,” and “Processed” will be construed accordingly.

“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller. For the purpose of this DPA, the Processor is Giraffe360.

3. Data Processing

  1. 3.1 Giraffe360 processes the following categories of Personal Data from the following Data Subjects for the purposes outlined below:
    1. Property Data: This includes images, videos, point clouds, virtual tours, floor plans, GPS location data, information provided in property showcase landing page, and other related property information captured by the Client, extracted from the Giraffe360 camera or provided by the Client as a result of the Client’s use of the Giraffe360 Service. While this information does not typically identify any natural person, in rare circumstances, it may identify property owners, individuals whose data is captured during a Scan, or the Client. It is the Client’s responsibility to ensure that the Captured Assets do not contain any Prohibited Personal Information as defined in the Terms of Service. Property Data is processed to create Giraffe360 Content.
    2. Client Profile Data: This includes Personal Data about the Client, its representatives, or employees, such as names, surnames, email addresses, phone numbers, photos, slogans, and hyperlinks to social media accounts provided by the Client through the Dashboard during their use of the Giraffe360 Service. This data is Processed to enable the following: creation of Dashboard profiles for the Client, its representatives, or employees; access to Giraffe360 Content within the Dashboard; sharing of Giraffe360 Content as well as provision of information about the Client, its representatives, or employees via the Giraffe360 Service.
    3. Client’s Customer Data: This includes the personal data of the Client’s customers, such as potential property buyers’ or tenants’ names, surnames, email addresses, phone numbers and messages. This data is made available to the Client via the Dashboard. It is captured when the Client enables Leads functionality that allows Client’s customers to leave their contact information for the Client to get in touch with them. This functionality can be disabled by the Client in the Dashboard.
  2. 3.2 The Client Data is transferred on a continuous basis in connection with the provisions of the services as set out in the Agreement and this DPA until the termination of the Agreement.

4. Client’s obligations

  1. 4.1 The Client shall be responsible for complying with all requirements that apply to the Client under Data Protection Laws with respect to Client’s Processing of Personal Data.
  2. 4.2 In particular but without prejudice to the generality of the foregoing, the Client acknowledges and agrees that to be solely responsible for:
    1. the accuracy, quality, and legality of Client Data and the means by which the Client acquired such data;
    2. complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of Client Data, including providing adequate notices, obtaining any necessary consents and authorizations, and honouring opt-out preferences (particularly for use by the Client for marketing purposes); and
    3. ensuring to have the right to transfer, or provide access to, the Client Data to Giraffe360 for Processing in accordance with the terms of the Agreement (including this DPA).
  3. 4.3 The Client shall inform Giraffe360 without undue delay if the Client is not able to comply with its responsibilities under this section or Data Protection Laws.
  4. 4.4 The Client is responsible for ensuring that its Instructions to Giraffe360 regarding the Processing of Client Data comply with applicable laws, including Data Protection Laws.
  5. 4.5 The parties agree that the Agreement (including this DPA), together with the Client’s use of the Giraffe360 Service in accordance with the Agreement, constitute the Client’s complete Instructions to Giraffe360 in relation to Giraffe360’s Processing of Client Data, so long as the Client may provide additional Instructions during the Agreement term that are consistent with the Agreement and the nature and lawful use of the Giraffe360 Service.
  6. 4.6 The Client is responsible for independently determining whether the data security provided for in the Giraffe360 Service adequately meets its obligations under Data Protection Laws. The Client is also responsible for its secure use of the Giraffe360 Service.

5. Giraffe360 Obligations

  1. 5.1 As a Personal Data Processor Giraffe360 will only Process Client Data for the purposes described in this DPA or as otherwise agreed within the scope of the Client’s lawful Instructions, except where and to the extent otherwise required by applicable law, in which case, Giraffe360 shall, to the extent permitted by applicable law, inform the Client of the legal requirement before Processing that Client Data. Giraffe360 is not responsible for compliance with any Data Protection Laws applicable to the Client or Client’s industry that are not generally applicable to Giraffe360.
  2. 5.2 Giraffe360 will implement and maintain appropriate technical and organizational measures to protect Client Data as required under the Data Protection Laws (“Security Measures”). Notwithstanding any provision to the contrary, Giraffe360 may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.
  3. 5.3 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement Security Measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
    1. the pseudonymisation and encryption of personal data;
    2. appropriate Security Measures to maintain the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    3. appropriate Security Measures to maintain the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
    4. a process for regularly testing, assessing and evaluating the effectiveness of Security Measures for ensuring the security of the Processing.
  4. 5.4 Giraffe360 will ensure that any personnel who is authorized to Process Client Data on Giraffe360’s behalf is subject to appropriate confidentiality obligations with respect to the Client Data.
  5. 5.5 Within 30 days of the termination of the Agreement, Giraffe360 will delete, or at the Client’s choice, return all the copies of Client Data processed by Giraffe360 under this DPA. The Client shall notify Giraffe360 of its choice within 14 business days of termination of the Agreement. This 30 days term will apply except where we are required by applicable law to retain some or all the Client Data.
  6. 5.6 Giraffe360 may retain and use Property Data, both during and after the termination of the Agreement, for machine learning and artificial intelligence training purposes and service improvement. Such Processing will be carried out by Giraffe360 as the data Controller and in accordance with Giraffe360’s Privacy Policy.
  7. 5.7 Giraffe360 may retain Client Data as Giraffe360 may deem necessary to prosecute or defend any legal claim, provided that such Client Data is retained only to the extent and for such period as required by applicable laws or pending resolution of any issue, and always provided that Giraffe360 shall ensure the confidentiality of all such Client Data.

6. Subprocessors

  1. 6.1 The Client hereby issues a general written authorisation to Giraffe360 to engage Subprocessors to assist in providing Giraffe360 Service. Giraffe360 shall ensure that all Subprocessors are bound by contractual obligations that provide at least the same level of data protection as required by this DPA and applicable Data Protection Laws. A current list of Subprocessors, including their name, location, and purpose, is maintained at Giraffe360 website (“Subprocessor List”).
  2. 6.2 Giraffe360 reserves the right to update the Subprocessor List as necessary. Any additions or replacements to the Subprocessor List will be reflected on the website at least 15 days prior to the new Subprocessor being authorized to process Client Data. Clients are encouraged to review the Subprocessor List periodically.
  3. 6.3 If a Client reasonably objects to a new Subprocessor due to legitimate concerns related to data protection, the Client must notify Giraffe360 in writing within 15 days of the update being posted. Upon receiving an objection, Giraffe360 will discuss the Client’s concerns and work in good faith to find a mutually agreeable solution. If no objection is received within the 15-day notification period, the Client is deemed to have accepted the updated Subprocessor.
  4. 6.4 Giraffe360 shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Client for the acts and omissions of any Subprocessor as if they were the acts and omissions of Giraffe360.

7. International Transfers

  1. 7.1 Giraffe360 shall not transfer Client Data to a recipient in a country or territory outside the EEA or the UK unless:
    1. the recipient, or the country or territory in which it processes or accesses Client Data, provides an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of Client Data, as determined by the European Commission; or
    2. the transfer is based on the Standard Contractual Clauses (processors) approved by Commission Implementing Decision (EU) 2021/914, or any subsequent version thereof, or another legally recognized transfer mechanism.

8. Data Security, Audits and Security Notifications

  1. 8.1 The Client may, upon reasonable notice and at reasonable times, audit (either by itself or using independent third-party auditors) Giraffe360’s compliance with the Security Measures, including by conducting audits of Giraffe360’s data processing facilities. Giraffe360 shall assist with and contribute to any audits conducted in accordance with this DPA, provided that such audits are not carried out more than once a year.
  2. 8.2 Upon the Client’s request, Giraffe360 shall make available all information reasonably necessary to demonstrate compliance with this DPA and the Data Protection Laws.
  3. 8.3 Where required under Article 28(3)(h) of the GDPR, Giraffe360 shall immediately notify the Client in the event that Giraffe360 believes the Client’s Instructions conflict with the requirements of any Data Protection Laws or other EU, UK or EEA Member State laws.
  4. 8.4 Giraffe360 shall notify the Client in writing without undue delay upon becoming aware of any Personal Data Breach relating to Client Data and Processing carried out pursuant to this DPA. Giraffe360 shall provide reasonable assistance to the Client to ensure compliance with applicable Data Protection Laws in relation to the Personal Data Breach, including support with any regulatory investigations, notifications to supervisory authorities and/or Data Subjects.
  5. 8.5 When reporting a Personal Data Breach, Giraffe360 will communicate in clear and simple language, at a minimum and to the extent possible given the information available: an explanation of the nature of the Data Breach, the name and contact details of the Data Protection Officer (“DPO”) or other contact point where further information can be obtained, a description of the possible consequences of the Personal Data Breach, and a description of the measures taken or proposed to remedy the Personal Data Breach, including, where appropriate, measures taken to mitigate any possible adverse effects.

9. Access Requests and Data Subject Rights

  1. 9.1 Save as required (or where prohibited) under applicable law, Giraffe360 shall notify the Client of any request received by Giraffe360 from a Data Subject, whether directly or through a Subprocessor, in respect of their Personal Data included in the Client Data and shall not respond to the Data Subject.
  2. 9.2 Giraffe360 shall provide the Client with the ability to correct, delete, block, access or copy the Client Data in accordance, and to the extent possible, with the functionality of the Giraffe360 Service.
  3. 9.3 Giraffe360 shall notify the Client of any request for the disclosure of Client Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
  4. 9.4 Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, Giraffe360 shall:
    1. use all reasonable endeavours to assist Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising data subject rights laid down in the GDPR; and
    2. provide reasonable assistance to the Client with any data protection impact assessments and with any prior consultations to any supervisory authority of the Client, in each case solely in relation to Processing of Client Data and taking into account the information available to Giraffe360.