Data Processing Agreement

Please read this Data Processing Agreement as it forms a contract between you; the Customer and us; Fonicom, due to the provision of the Service as defined in the Raiseaticket Terms of Services ("Terms", "Principal Contract").

Fonicom provides the Raiseaticket Service to You, the Customer who may then use the platform to provide another service to End-Users. Such End-Users may submit Personal Data to You the Customer through this platform. You will determine the purposes of the processing of this Service Data (as defined in the Terms). This Service Data may constitute Personal Data and will therefore be subject to the General Data Protection Regulation in the EU (GDPR). This makes us, Fonicom as Your Processor and by virtue of the GDPR we have to set out our function as your independent contractor and Processor.

This data processing addendum ("DPA" or "Agreement") is a supplement to the Service Terms and is entered into between Us, the Processor, Fonicom Limited (C 43620) a Limited Liability Company registered in Malta, operating under the Laws of Malta with registered address at Centris Business Centre, Triq il-Palazz l-Ahmar, Mriehel, Birkirkara, BKR 3000, MALTA and You the Customer, having the same meaning and definition as found in the Service Terms.

  1. Definitions.

    1. In this DPA, unless the text specifically notes otherwise, the below words shall have the following meanings: -

      "Consent" of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him or her;

      "Data Protection Laws" means all applicable Data Protection Laws, including the General Data Protection Regulation (GDPR) (EU 2016/679), and, to the extent applicable, the data protection or privacy laws of any other country;

      "Personal Data" means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

      "GDPR" means the General Data Protection Regulation (GDPR) (EU) (2016/679);

      "Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

      "Third-party" means a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process Personal Data;

      "Sub-Processor" means any person or entity appointed by or on behalf of the Processor to process Personal Data on behalf of the Controller;

      "Supervisory Authority" means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

  2. Obligations and Rights of the Processor

    1. The processor shall comply with the relevant Data Protection Laws and must: -
      1. only act upon request of the Controller and for purposes of adherence to the Principal Contract;
      2. ensure that people processing the data are subject to a duty of confidence;
      3. use appropriate industry standards to safeguard and protect all Personal Data from unauthorised or unlawful processing, including accidental loss, destruction or damage and will ensure the security of processing through the implementation of appropriate technical and organisational measures as specified in Schedule 1 of this DPA;
      4. ensure that, notwithstanding being hereby granted with a general authorisation to engage a Sub-Processor, where a Sub-Processor is appointed, the Processor: -
        1. informs the controller of any intended changes concerning the addition or replacement of Sub-Processors;
        2. implements an agreement containing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of the Data Protection Laws;
        3. understands that where any Sub-Processor is used on their behalf, that any failure on the part of the sub-processor to comply with the Data Protection Laws or the relevant data processing agreement, the Processor remains fully liable to the Controller for the performance of the Sub-Processor’s obligations;
      5. assist the Controller in providing subject access and allowing data subjects to exercise their rights under the Data Protection Laws;
      6. assist the data Controller in meeting its data protection obligations in relation to the investigation and notification of Personal Data breaches related to the data processed by the Processor on behalf of the Controller;
      7. delete or return all Personal Data to the Controller as requested at the end of the Principal Contract subject to the Principal Contract which sets out that Service Data will be kept up to a period of six (6) months on a rolling basis;
      8. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in the relevant Data Protection Laws and allow for, and contribute to audits, including inspections conducted by the Controller;
      9. inform the Controller without undue delay if in the Processor’s opinion, an instruction, infringes Data Protection Law;
      10. co-operate with Supervisory Authorities in the performance of its tasks;
      11. notify the Controller of any Personal Data breach without delay following notice of such breach.
    2. The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller, containing, if applicable: -
      1. the name and contact details of the Controller on behalf of which the Processor is acting, and, where applicable, the data protection officer;
      2. the categories of Processing carried out on behalf of the Controller;
      3. transfers of Personal Data to a third country or an international organisation, including the identification of that third country or international organisation and, the documentation of suitable safeguards;
      4. a general description of the technical and organisational security measures referred to in Article 32(1).
    3. The Processor shall maintain records of processing activities in writing, including in electronic form and shall make the record available to the supervisory authority on request.
    4. When assessing the appropriate level of security and the subsequent technical and operational measures, the Processor shall consider the risks presented by any processing activities, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
  3. Obligations and Rights of the Controller

    1. The Controller is responsible for verifying the validity and suitability of the Processor before entering into a business relationship and shall onboard processors with an assessment of the mandatory Data Protection Law requirements.
    2. The Controller shall not provide Personal Data to the Processor which may reasonably be expected to expose the Processor to liability, such as but not limited to, Personal Data which the data subject had notified to the Controller that it does not wish the Controller to provide to any other party.
    3. The Controller shall obtain Consent from the data subject whenever required and howsoever required by Data Protection Laws, for authorisation to provide the Processor with Personal Data and the Processing by the Processor of such.
    4. The Controller shall inform the Processor without delay of any subject access requests or requests by any Supervisory Authority concerning the Personal Data being processed or processed by the Processor.
    5. The Controller shall not reject the Processor’s appointment of a Sub-Processor save where it is reasonable to do so for the protection of the Personal Data.
    6. The Controller may provide the Personal Data through a third-party technical platform and require that Personal Data will be received by the Controller from the Personal Data via the same third-party technical platform:
      Provided that in such cases, the Processor shall not be held liable and the Controller shall indemnify the Processor for any misuse of the Personal Data by any other party obtaining access to the third-party technical platform. The Parties agree that the third-party technical platform is exclusively utilised for purposes of API communication between the Parties.
  4. Penalties & Termination

    1. By signing this DPA, the Parties confirm that they understand the legal and enforcement actions that they may be subject to should they fail to uphold the DPA terms or breach the Data Protection Laws. If a Party fails to meet its obligations, it may be subject to: -
      1. investigative and corrective powers of Supervisory Authorities under Article 58 of the GDPR;
      2. an administrative fine under Article 83 of the GDPR;
      3. a penalty under Article 84 of the GDPR;
      4. pay compensation under Article 82 of the GDPR.
    2. This DPA shall terminate concurrently with the Terms or when directed by the Controller.
  5. Miscellaneous

    1. The Parties agree that any applicable law giving obligations to a Party in relation to anti-money laundering and due diligence, and/or instruction by a court or tribunal, and/or Supervisory Authority shall supersede the obligations under this DPA

      IN WITNESS below of the parties or their duly authorised representatives have signed this DPA in accordance with all its clauses and on the day, month and year stated at the top of this DPA.

      Signed on behalf of the Processor:

      Signed: FONICOM LIMITED

      Signed on behalf of the Controller:

      Name and Surname:

      Date:

      Company Name:

      Position:

  6. PLEASE NOTE THAT THIS ELECTRONIC SUBMISSION IS CONTRACTUALLY BINDING


SCHEDULE 1

  1. Processing Details

    1. The Controller has appointed the Processor with regard to specific processing activity requirements. These requirements relate to the processing required for performance of the Processor’s obligations to arrange for the provision of travel and booking services and/or event management services as applicable.
    2. The duration of the processing of the content submitted by End-Users shall be limited in certain cases to the extent identified in the Principal Contract.
    3. The duration of the processing of the content submitted by End-Users shall be limited in certain cases to the extent identified in the Principal Contract.
    4. The processing activities relate to Processor’s services under the Principal Contract and are for the purpose of providing a platform to End-Users.
    5. The requirement for the Processor to act on behalf of the Controller is with regard to the below type(s) (one or more) of Personal Data and categories of data subjects: -

      Personal Data of Users and End-Users, contained in electronic data, text, messages or other materials, submitted to the Service(s) by Controller through Controller’s Account in connection with Controller’s use of the Service.

      The parties do not anticipate the transfer of special categories of data.

    6. The processor can demonstrate and provide sufficient guarantees as to the implementation of appropriate technical and organisational measures taken to ensure data security and protection
      1. Organisational Measures:
        1. Access rights on a need to know basis;
        2. Confidentiality clauses in employee contracts;
        3. Agreements with sub-processors where required;
        4. GDPR compliance exercise by external and independent legal advisors.
      2. Infrastructure Raiseaticket hosts the infrastructure in the European Union Data Center designed to provide state-of-the-art security through the entire information processing lifecycle of the helpdesk portals. The data center is ISO 27001:2013 certified for information security. The infrastructure is built to provide secure delivery of helpdesk portal services, secure storage of data with end-user privacy safeguards, secure communications between applications over the Internet and safe private operation by administrators, developers and testers.
      3. Encryption Raiseaticket uses encryption to protect data in transit and at rest. Data in transit to Raiseaticket Infrastructure is protected using HTTPS, which is activated by default for all helpdesk portals. Our platform encrypts customer content stored at rest using one or more encryption mechanisms and algorithms.
      4. Access Controls Access rights and levels are based on job function and role, using the concepts of least-privilege and need-to-know to match access privileges to defined responsibilities. Requests for additional access follow a formal process that involves a request and an approval from a data or portal owner, manager. The administrators, developers, operational managers connect to the Raiseaticket platform through a secure tunnel to ensure private safe operation and administration of the infrastructure.
      5. Vulnerability Management We scan for software vulnerabilities using a combination of commercially and open source tools and do intensive manual penetration testing internally and externally on a regular basis.


Control your support experience, all in one platform.

Provide support and answers on your products, services, updates, incidents and issues with your experts on our free helpdesk cloud platform.


Get started for free