Data processing agreement

Last updated: 04.04.2025

This Data Processing Agreement ("Agreement") is entered into between customers and partners (the "Controller") and Kravia ("Kravia") (collectively referred to as the "Parties"). For the avoidance of doubt, the Controller has entered into this agreement with the Kravia entity in the Controller's jurisdiction.

WHEREAS, the Controller and Kravia have entered into a separate agreement or contract (the "Main Agreement") that requires the Processing of Personal Data by Kravia on behalf of the Controller; and

WHEREAS, the Parties wish to set out the terms and conditions governing the Processing of Personal Data by Kravia on behalf of the Controller, as required by applicable data protection laws and regulations.

DEFINITIONS

1.1 "Applicable Data Protection Law" shall mean Regulation (EU) 2016/679 (the "GDPR"), and the applicable national laws and regulations implementing the GDPR.

1.2 "Personal Data" means any information relating to an identified or identifiable natural person, as defined by Applicable Data Protection Laws and regulations.

1.3 "Data Protection Authority" means the public authority responsible for enforcing data protection laws within a jurisdiction.

1.4 "Data Subject" means the individual to whom Personal Data relates.

1.5 "Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.

1.6 "Sub-Processor" means any third party engaged by Kravia to Process Personal Data on behalf of the Controller.

1.7 Other words and abbreviations shall have the meaning ascribed to them under Applicable Data Protection Law.

SCOPE, PURPOSE AND LIMITATIONS

2.1 This Agreement applies to the Processing of Personal Data by Kravia on behalf of the Controller, in connection with the performance of the obligations under the Main Agreement. This Agreement sets out the rights and obligations of the Parties according to Applicable Data Protection Law. The Main Agreement shall be regarded as the instructions of the Controller.

2.2 Under the Main Agreement, Kravia Processes Personal Data on behalf of the Controller in order to provide the Kravia software platform, wherein the Controller has access to ongoing case management and reporting on the status of outstanding claims. Kravia Processes Personal Data on behalf of the Controller for the purposes of providing these software services, including management of invoices issued by the Controller up until an outstanding claim under such invoice is made subject to debt collection by Kravia. In this capacity as a processor, Kravia may Process Personal Data such as name, address, telephone number, and email address. Personal identification numbers and relevant details related to the basis of the claims may also be included.

2.3 If included in the services provided under the Main Agreement, Kravia may also Process the data set out above as well as other general ERP-data made available to Kravia by the Controller for analytics and advisory services. This may include Processing data from the accounts receivable ledger. The purpose of this processing is to provide insights, analytics and recommendations to the Controller.

ROLES OF THE PARTIES

3.1 Kravia acting in its capacity as a sub-processor

3.1.1 The Controller and Kravia acknowledge that while designated as, respectively, a "controller" and "processor" under this Agreement, the execution of the Main Agreement may entail that Kravia acts as a sub-processor on behalf of the Controller, who in turn is acting as the primary processor in relation to its client. This applies when the Controller's customer is defined as the controller under Applicable Data Protection Law. The Parties agree that the provisions of this Agreement shall apply between them accordingly, irrespective of whether Kravia acts as a processor or sub-processor.

3.2 Kravia acting in its capacity as a controller

3.2.1 When Kravia contacts Data Subjects, initiates invoicing and debt collection, it acts in its capacity as a debt collector licensed to carry out such activities by the financial supervisory authorities, and is considered a controller for the Personal Data Processing in that respect. As a controller, Kravia independently Processes Personal Data to fulfill its role as a debt collector and determines the purposes and means of Processing the Personal Data necessary for executing debt collection actions. As a controller, Kravia may process additional Personal Data received from the Controller, directly from the Data Subject or other third parties such as public registries. This Processing includes, but is not limited to, the collection, storage, organization, adaptation, and use of Personal Data necessary for executing invoicing and debt collection services, planning debt collection actions, conducting credit checks, and implementing legal measures to protect rights and claims related to debt collection services. Kravia's Processing of Personal Data in its capacity as a controller in connection with debt collection is further described in Kravia's Privacy Policy.

THE PARTIES' OBLIGATIONS

4.1 The Parties acknowledge and agree that they will comply with their respective obligations under the Applicable Data Protection Law.

4.2 The Controller shall provide Kravia with the up-to-date Personal Data necessary for the execution of the Main Agreement or other legal obligation(s). This Personal Data may be uploaded to Kravia's service system and shall be deleted by the Controller where there is no legal basis for the Processing.

4.3 Kravia shall maintain a description of the service and Processing operations, including categories of Personal Data and Data Subjects, storage periods, and other relevant details, as required by Applicable Data Protection Law.

4.4 If, in Kravia's opinion, an instruction from the Controller is in violation of Applicable Data Protection Law or other mandatory national or EU/EEA law, Kravia shall immediately notify the Controller thereof.

CONFIDENTIALITY AND DATA PROTECTION

5.1 The Personal Data shall be treated as confidential, and each party shall ensure that their personnel entitled to Process the Personal Data are committed to a contractual and/or statutory duty of confidentiality. Kravia shall ensure that the Personal Data are Processed solely by reliable personnel who are:

granted access to the Personal Data on a need-to-know basis only;
familiar with any Applicable Data Protection Law provisions and the obligations imposed on Kravia under this Agreement;
regularly trained in the care, protection and handling of Personal Data; and
authorised to Process the Personal Data only as necessary for the purpose set out in this Agreement.

5.2 The Parties will ensure that appropriate technical and organizational measures and practices have been implemented to protect the confidentiality of the Personal Data. Kravia will implement and maintain appropriate technical and organizational security measures to protect the Personal Data from accidental or unlawful destruction, accidental loss, alteration, unauthorized disclosure or access, and any other breach of security in accordance with Article 32 of the GDPR and any other relevant requirements under Applicable Data Protection Law.

5.3 The security measures as mentioned above shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures may include, as appropriate:

the pseudonymization and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
logging of who has Processed Personal Data on behalf of Kravia, including technical logs and audit logs showing all relevant events, accesses and alterations of data;
the ability to restore the availability and access to data in a timely manner in the event of a physical or technical incident; and/or
a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing and to detect any Personal Data breaches.

5.4 The security measures implemented and maintained by Kravia in accordance with the above are further described in Kravia's Information Security Policy, an updated summary of which is available upon request.

5.5 Upon becoming aware of any Personal Data breach, Kravia shall, without undue delay after having become aware of the incident, notify the Controller and provide all information and cooperation that the Controller may reasonably require in order for the Controller to fulfil its Personal Data breach requirements under Applicable Data Protection Law. Further, Kravia shall take such measures and actions necessary to remedy and mitigate the effects of the Personal Data breach.

DATA SUBJECT RIGHTS AND COOPERATION

6.1 Kravia shall provide reasonable assistance to the Controller, including by appropriate technical and organizational measures, to enable the Controller to fulfil its obligations pursuant to Articles 32 through 36 of the GDPR, and to enable the Controller to respond to (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, Data Protection Authority or other third party in connection with the Processing of the Personal Data. Kravia reserves the right to be compensated by the Controller for any assistance under this section which exceeds what may reasonably be required by the Controller, provided that such assistance is not required from Kravia by a relevant Data Protection Authority.

6.2 In the event that any such request, correspondence, enquiry or complaint is made directly to Kravia, Kravia shall inform the Controller thereof without undue delay. Notwithstanding the preceding, in the event that the Controller receives any such request, correspondence, enquiry or complaint related to Processing of Personal Data for which Kravia is the controller cf. section 3.2, the Controller shall inform Kravia thereof without undue delay. It is acknowledged that one party cannot act as a representative for the other party when dealing with Data Protection Authorities.

SUBPROCESSING

7.1 Kravia may engage Sub-Processors to carry out specific Processing activities on behalf of the Controller and, subject to the terms set out below, the Controller hereby provides its general authorization to the use thereof. Kravia shall ensure that any Sub-Processor engaged provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Applicable Data Protection Laws. For the avoidance of doubt, the use of Sub-Processors does not in any way relieve Kravia from any obligations and responsibilities pursuant to the Agreement.

7.2 Kravia maintains an updated list of Sub-Processors which is available here. Kravia shall provide details of any new or replacement Sub-Processors within a reasonable time prior to the implementation of such Sub-Processor. Such notification will be provided to the Controller by email or as a notification in the Kravia dashboard. If the Controller has reasonable concerns about a new Sub-Processor, both Parties will collaborate in good faith to address them promptly. Any such concerns shall be conveyed to Kravia no later than 14 (fourteen) days after notification is provided. If the Parties are unable to mutually agree on a solution within a reasonable time of the Controller voicing its objection, the Controller may terminate the Main Agreement.

TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

8.1 Kravia may engage Sub-Processors or otherwise cause Personal Data to be Processed outside the EEA. Kravia shall carry out necessary assessments and implement necessary safeguards for any such Processing. Such measures may include (without limitation), Kravia and/or any Sub-Processor signing the appropriate standard contractual clauses for international data transfers issued by the European Commission or such other valid transfer mechanism which may be applicable.

AUDITS AND COMPLIANCE REVIEW

9.1 Kravia shall maintain accountability documentation in relation to the Personal Data Processed under this Agreement (as may be defined, described or required pursuant to Applicable Data Protection Law), including written records of all Personal Data Processing carried out on behalf of the Controller by Kravia and its Sub-Processors.

9.2 Kravia shall permit the Controller to access such accountability documentation, and otherwise assist in any way necessary and reasonably requested for the Controller to comply with Applicable Data Protection Law requirements. Kravia shall also provide its reasonable assistance with respect to audits, including inspections, of the Processing activities covered by this Agreement. Any such audit shall be carried out by an independent third party acceptable to Kravia, subject to appropriate confidentiality undertakings and be limited to once per annum, unless more frequent audits are required by a Data Protection Authority. Kravia shall be provided with reasonable notice for any such audit. Any participation by Kravia in audits under this section which exceeds what may reasonably be required by the Controller shall be provided at the Controller's expense.

TERM AND TERMINATION

10.1 The Agreement shall remain in effect for as long as Kravia Processes Personal Data on behalf of the Controller for the purposes described in this Agreement and in connection with the Main Agreement. If the Main Agreement is terminated, the Agreement shall remain in effect for as long as Kravia Processes Personal Data on behalf of the Controller.

DATA RETENTION

11.1 Upon termination of this Agreement, Kravia shall return to the Controller all of the Personal Data which Kravia is Processing or has Processed on behalf of the Controller or securely destroy the same. Where Personal Data is located on servers, it shall be deleted during the next backup maintenance.

11.2 Notwithstanding the above, Kravia may retain such Personal Data as Kravia may be required to retain pursuant to any legal requirements according to national law or EU/EEA law to which Kravia is subject.

11.3 For the avoidance of doubt, section 11.1 does not apply to Personal Data processed by Kravia in its capacity as a controller cf. section 3.2.

LIABILITY

12.1 The liability of the Parties shall be governed by the Main Agreement.

GOVERNING LAW AND DISPUTE RESOLUTION

13.1 The choice of law and legal venue are set out in the Main Agreement. The same shall apply after the termination or expiry of the Agreement.