Data Processing Agreement
Updated on December 14, 2023
1. VALIDITY AND SCOPE
This Data Processing Agreement (DPA) is an addendum to the Terms of service between Techinline Ltd. (Techinline) and the Customer. Techinline and Customer are individually a "party" and, collectively, the "parties". This DPA applies where and only to the extent that Techinline processes personal data on behalf of the Customer in the course of providing the SetMe service and such personal data is subject to General Data Protection Regulation ("GDPR"). The parties agree to comply with the terms and conditions in this DPA in connection with such personal data.
2. SUBJECT MATTER OF CONTRACT
Techinline Ltd. offers a remote desktop solution (also referred to as "SetMe", "SetMe service", or "SetMe software") that delivers a comprehensive set of features. The SetMe software enables users to access and control remote devices and allows users to communicate with each other as well as exchange data in real-time. The SetMe service also provides the option of registering a customer account where users may enter their personal data, such as email address and full name.
3. PURPOSE
The processing of personal data by Techinline is essential to provide the SetMe service effectively, in particular to:
- Ensure system security and stability.
- Enable trouble-free connections and smooth communication between users of the SetMe software.
- Provide a customer account for personalized user experience.
4. DURATION
The duration of data processing covered by this DPA shall be in accordance with the duration of the agreement.
5. TYPE OF PROCESSING
Data processing may include collection, storage, retrieval, consultation, disclosure by transmission, restriction, erasure or destruction of data.
6. DEFINITIONS
The following terms have the meanings set forth below.
6.1 "Controller" is the entity that determines the purposes and means of the processing of personal data.
6.2 "Data Protection Law" means data protection and privacy law applicable to the processing of Personal Data under the agreement as it relates to the Customer, in particular, Regulation 2016/679 (General Data Protection Regulation) ("GDPR").
6.3 "Data Subject" means an identified or identifiable natural person.
6.4 "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject or their household or device in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
7. DATA PROTECTION OFFICER
The legal entities or natural persons responsible for protecting personal data when using the SetMe software are:
Techinline Ltd.
241 Robert Hicks Dr
Toronto ON
M2R 3R3
Canada
Phone: +1 617-934-2771
Email: privacy@techinline.com
8. RESPONSIBILITY AND RIGHT TO ISSUE INSTRUCTIONS
8.1 The Controller is solely responsible for the lawfulness of data processing and for safeguarding the rights of data subjects in relation to each other.
8.2 Techinline may collect, process, or use data only within the scope of the main contract and in accordance with the instructions of the Controller; this applies to the transfer of personal data to a third country or to an international organization. If Techinline is obliged by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall inform the Controller of these legal requirements prior to processing.
8.3 The Controller's instructions are initially set out in these Supplementary Terms and Conditions and may subsequently be amended, supplemented or replaced by the Controller in writing or in text form by means of individual instructions. The Controller is entitled to issue corresponding instructions at any time. This includes in particular, instructions with regard to the correction, deletion and blocking of data, provided there are no legitimate contractual interests or statutory provisions to the contrary.
8.4 The person authorized to issue instructions to the Customer as the person responsible is determined by the information provided by the Customer during the registration process or the current information in the customer account (https://profile.set.me/). In the event of a change or long-term absence of the named persons, Techinline must be informed immediately in text form of the successor or representative.
8.5 All instructions issued must be documented by both Techinline and the person responsible. Instructions that go beyond the service agreed in the main contract shall be treated as a request for a change in service.
8.6 If Techinline is of the opinion that an instruction of the Controller violates data protection provisions, Techinline shall inform the Controller of this without delay. Techinline shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the Controller. Techinline may refuse to carry out an obviously unlawful instruction.
8.7 Techinline shall not acquire any rights to the data and shall be obliged to surrender any stored data in a readable and processable form for the Controller at any time upon first request for the duration of the main contract. Rights of retention in relation to the data and the associated data carriers are excluded.
9. COLLECTION OF PERSONAL DATA FOR INFORMATION USE (WEBSITE VISITORS)
When you visit the website for informational purposes (i.e. if you do not log into the SetMe service, register a SetMe account, or otherwise provide us with information), we do not collect any personal data, except for the data transmitted by your browser that enables you to access the website. This includes:
- IP address
- Date and time of the request
- Time zone
- Content of the request (specific site)
- Access status / HTTP status code
- Volume of data transmitted each time
- Website from which the request comes
- Browser
- Operating system and its interface
- Language and version of the browser software
- The country of origin for the visitor
- Time spent on website
- Total number of pages viewed
Techinline's purpose in collecting the above information is to better understand how SetMe's website visitors use and interact with the website. Techinline does not use the collected information to identify its visitors and does not disclose the collected information other than under the circumstances described in our Privacy Policy.
Your IP Address is also collected by our systems for security reasons in order to detect anomalous activity. Anomalous activity includes, but is not limited to, DNS attacks, scam detection and other activities that could compromise the security or availability of our systems.
10. ACCOUNT REGISTRATION
If you decide to sign up for a free trial of the SetMe software, we will ask you to provide the following personal information:
You are only required to provide your email address during the registration process. We process this information to complete the free trial contractual obligation. Full name is optional and can be specified to personalize the user experience when using the SetMe software.
Upon registration, and on all subsequent successful login attempts, we will collect your IP and MAC addresses for auditing and licensing purposes.
11. INFORMATION COLLECTED FROM PAYING CUSTOMERS AND BUSINESS PARTNERS
Techinline has partnered with 3rd party e-commerce payment processing systems, Paddle and Bright Market LLC, to handle its billing matters. If you buy the SetMe software through our websites, depending on the selected payment method our billing partner will collect and store your contact data (name, address, and email address), as well as the payment method you have chosen in order to be able to fulfill its obligations under the resulting business relationship. If you provide them, Techinline and our billing partner will also store your company name, phone number, as well as the selected country. This data will be deleted after fulfillment of the contract and the tax and commercial storage periods.
Insofar as we are in a contractual, quasi-contractual or pre-contractual business relationship with you, i.e. if you are already a paying customer, business partner or are interested in such a legal relationship ("contractual partner"), we process the following data as necessary:
- Personal data (e.g. names, addresses, company)
- Payment data (e.g. bank details, invoices, payment history)
- Contract data (e.g. subject matter of the contract, type of license, term, login email)
- Usage data (e.g. access times, time and duration of the respective remote data connection (session), data volume transferred, online status of the client)
- Meta-/communication data (e.g. device information, device ID, IP and MAC addresses)
- Content of communication directed at us (e.g. product or contract inquiries, error messages, responses to our surveys)
We will inform you in a transparent manner before or during data collection as to the extent of data that is required for this purpose. We process the data:
- to be able to address you in communication,
- to answer your questions,
- to establish and fulfill our contractual obligations,
- to protect our rights,
- to protect against unauthorized use and misuse of our offers,
- for related administrative tasks, and
- for the purposes of business organization.
Your data is processed, in particular, to allow you to select, acquire or order the selected software (licenses to use our software and any associated services), as well as to enable payment and processing. During the registration process required to acquire a license, we will create an account for you in our systems ("customer account" or "user account"). During registration, we will point out which of the above-mentioned details are required for this purpose, in particular to verify registration or the respective use of our login functions and the use of the user account, and to prevent any possible misuse of the customer account. The customer account (portal.set.me) gives you access to your connection data, the contract/license information, information about the SetMe users that are linked to the license, your master data as a customer, invoices, and any settings for payment methods. SetMe user accounts are not public and cannot be indexed by search engines. We may use email or in-app messaging to inform users about processes relevant to their user account (such as technical changes) or to invite them to participate in surveys.
The legal basis for the processing is therefore:
- For contract performance and pre-contractual inquiries - Art. 6 (1) (b) GDPR
- With regard to legal obligation - Art. 6 (1) (c) GDPR
- Otherwise, with regard to our legitimate interests - Art. 6 (1) (f) GDPR
Techinline will disclose personal data only to those of its employees and third parties that (1) need to know such information in order to process it on Techinline's behalf or (2) to provide services as outlined in our Privacy Policy.
12. PROTECTIVE MEASURES OF THE PROCESSOR
12.1 The data security measures described in Annex 1 are defined as binding. They define the minimum owed by Techinline.
12.2 The data security measures may be adapted in line with technical and organizational developments as long as they do not fall below the level agreed here. Techinline must implement any changes required to maintain information security without delay. The person responsible must be notified of any changes.
12.3 Techinline guarantees that the data processed on behalf of the customer will be strictly separated from other data stocks.
12.4 Copies or duplicates are not created without the knowledge of the Controller. This does not apply to technically necessary, temporary copies, provided that there is no impairment of the level of data protection agreed here.
12.5 If processing takes place in private residences, Techinline must ensure that a level of data protection and data security corresponding to this contract is maintained.
12.6 Techinline ensures a procedure for the regular review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing in accordance with Art. 32 para. 1 lit. d GDPR.
12.7 The persons employed by Techinline for data processing shall be prohibited from collecting, processing, or using personal data without authorization. Techinline shall obligate all persons entrusted by it with the processing and fulfillment of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b GDPR) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this contract or the employment relationship between the employee and Techinline. Evidence of the obligations must be provided to the Controller in an appropriate manner upon request.
13. INFORMATION AND COOPERATION OBLIGATIONS OF TECHINLINE
13.1 In the event of disruptions, suspected personal data breach or breaches of contractual obligations by Techinline, suspected security incidents or other irregularities in the processing of personal data by Techinline, by persons employed by Techinline within the scope of the order or by third parties, Techinline shall inform the Controller immediately in writing or text form. The same applies to audits of Techinline by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(i) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories and number of personal data records concerned.
(ii) a description of the measures taken or proposed to be taken by Techinline to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects. In addition, Techinline shall immediately take the necessary measures to secure the data and to minimize possible adverse consequences for the data subjects, inform the Controller thereof and request further instructions.
13.2 Techinline is obliged to provide the Controller with information at any time if the data is affected by a breach in accordance with paragraph 1.
13.3 Techinline must inform the Controller immediately of any significant changes to the security measures.
13.4 The Controller must be informed immediately of any change in the person of the company data protection officer.
13.5 Techinline shall keep a record of all categories of processing activities carried out on behalf of the Controller, which shall contain all information pursuant to Art. 30 para. 2 GDPR. The register shall be made available to the Controller upon request.
13.6 Techinline shall cooperate to an appropriate extent in the creation of the process directory by the Controller. It shall provide the Controller with the necessary information in an appropriate manner.
14. CONTROL RIGHTS OF THE PERSON RESPONSIBLE
14.1 The Controller shall satisfy itself of Techinline's technical and organizational measures before commencing data processing and regularly thereafter. For this purpose, they may, for example, obtain information from Techinline, obtain existing certificates from experts, certifications pursuant to Art. 42 GDPR or internal audits.
14.2 Techinline undertakes to make available to the Controller, at the Controller's verbal or written request and within a reasonable period of time, all information and evidence required to carry out a check of the technical and organizational measures.
14.3 In the case of subcontracted data processing (i.e., the Customer is already the Processor of a third party; Techinline as a subcontractor), the Controller undertakes to grant the aforementioned control rights directly to the third party.
15. THE USE OF THIRD-PARTY SERVICES
To provide the services and improve our official websites, we may engage the services of third-party vendors, such as YouTube, Capterra, G2, and others. In the process of supplying such website services through our official website, these third-party vendors may collect your full name and company name.
Besides collecting this information, it is beyond the control of Techinline to determine and dictate in what way the third parties will store and handle your personal data. Requests to exercise your rights with regard to personal data processing should be sent directly to the respective third parties.
16. REQUESTS AND RIGHTS OF DATA SUBJECTS
16.1 Where possible, Techinline shall support the Controller with suitable technical and organizational measures in fulfilling its obligations under Art. 12-22 GDPR and Art. 32-36 GDPR.
16.2 If a data subject asserts rights directly against Techinline, such as the right to information, correction or deletion of their data, Techinline shall not respond independently, but shall refer the data subject immediately to the Controller and await the Controller's instructions.
17. LIABILITY
17.1 The Controller and Techinline are jointly and severally liable to data subjects pursuant to Art. 82 GDPR.
17.2 Insofar as the damage was caused by the correct implementation of the commissioned service or an instruction issued by the Controller, the Controller shall indemnify Techinline on first demand against all third-party claims asserted against Techinline in connection with the commissioned processing.
17.3 Techinline shall only be liable to the person responsible in the event of gross negligence or intent.
18. EXTRAORDINARY RIGHT OF TERMINATION
18.1 Both parties may terminate the main contract in whole or in part without notice if the other party fails to comply with its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or Techinline is unable or unwilling to carry out an instruction of the Controller.
18.2 In the case of simple - i.e., neither intentional nor grossly negligent - breaches, one party shall set the other a reasonable deadline within which it can remedy the breach.
19. DATA DELETION
19.1 Upon termination of the contractual relationship or at any time at the request of the Controller, Techinline shall either destroy the data processed on behalf of the Controller or hand it over to the Controller and then destroy it. All existing copies of the data shall also be destroyed.
19.2 Techinline may retain documentation that serves as proof of the orderly and proper dissemination of the data even after the end of the main contract for evidentiary purposes.
20. REMUNERATION
The remuneration is conclusively regulated in the main contract. There is no separate remuneration or reimbursement of costs under this contract.
21. FINAL PROVISIONS
21.1 Should the references to statutory provisions referenced in this contract change during the term of the contract, these references shall also apply to the respective successor provisions.
21.2 Should the data at Techinline be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, Techinline shall inform the Controller thereof without delay, unless it is prohibited from doing so by court or official order. In this context, Techinline shall immediately inform all competent bodies that the Controller has exclusive decision-making authority over the data.
21.3 This Agreement will be governed by and construed in accordance with Irish Law and subject to the jurisdiction of the courts of the Republic of Ireland.
21.4 Should specific parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.
22. ANNEX 1: DATA SECURITY MEASURES
| Call for action | Legal requirement | Implementation |
| --- | --- | --- |
| Access Control | Preventing the use of data processing equipment by unauthorized persons | All staff computers have virus protection. To gain access to data processing systems, staff must identify themselves with at least user ID and a strong password. Screens are automatically locked after a short period of inactivity. Each staff member has their own user account with individual access rights. The number of login attempts is logged and after exceeding the maximum number of incorrect login attempts, the user account is locked. Unlocking is only possible by an administrator after authentication of the employee. After unlocking, the user is prompted to enter a personal password. Remote work for employees is secured by a VPN. All end devices and data carriers are encrypted, if possible. The company networks are secured by firewalls. The network segments are separated by a firewall. The firewall settings are checked regularly. A policy on the departure of employees (revocation of rights) and a password policy have been adopted. |
| Admission Control | Ensuring the use of a DP system and the stored data according to the authorization | All access options and user roles are recorded in authorization concepts and regulated analogously. All employees are bound to data secrecy. Certificates are issued for authentication and access is logged. In addition, protocols are used that include transport encryption. |
| Transfer Control/ Transmission Control | Data may only be transferred to authorized recipients | Transport encryption is used. Data records are identified by IDs rather than by plain names or other personal data. The principle of data minimization is observed. A standardized process for destroying data media in a data protection-compliant manner is followed. |
| Plausibility check/ Transaction control | Ensuring traceability of (intentional and unintentional) data manipulations | Plausibility checks are carried out. |
| Order Control/ Contract Conformity Control | Ensuring the processing of data on behalf of the client in accordance with instructions | In order to protect personal data, contractors are carefully selected with regard to technical and organizational measures and corresponding order processing contracts are concluded. The company's own technical and organizational measures are reviewed on a regular basis. |
| Availability Control | Securing data against accidental destruction or loss | Availability, rapid recoverability and protection against losses are ensured by uninterruptible power supply (UPS) with surge protection, RAID solutions and daily backups. All offices and server rooms are equipped with fire and smoke detection systems. An analysis of the server room situation has been carried out; server rooms are air-conditioned. Regular updates are carried out on all systems. |
| Data Segregation Control/Client Separation Control | Ensuring the separation of data collected for different purposes | Development/test and productive environments are separated from each other and data processing systems are separated from each other for specific purposes. Only those personal data are collected that are necessary for the respective purpose. During the development process of new software, it is already ensured that it is realized in a data protection-friendly manner. |
| Procedures for regular review, Assessment and evaluation of effectiveness | | Responsibilities for data privacy and information security are defined. A DPO has been appointed. Regular internal controls of the security measures take place in the PDCA cycle. Management is regularly informed about the status of data privacy and information security as well as possible risks and consequences due to missing measures. In the event of a negative outcome of the aforementioned review, the security measures are adjusted, renewed and implemented on a risk-related basis. |