Addendum to Toloka Terms of Use

Last updated / Date of publication: September 9, 2023
Effective Date: September 19, 2023

Data Processing Agreement

  1. The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) (“SCC”).
  2. For the purposes of Clause 1(a) of the SCC, the Parties choose the option 1.
  3. The Parties agree to include in the SCC Clause 5 (Docking Clause).
  4. The Parties agree to add the following clause (f) to Clause 7.6 of the SCC: “The controller may conduct an inspection at the premises or physical facilities of the processor only subject to a separate agreement with the processor specifying conditions of the relevant inspection.”
  5. For the purposes of Clause 7.7(a) of the SCC, the Parties choose the option 2 and specify that the processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex IV to this Data Processing Agreement and may be amended by the processor from time to time at its discretion subject to Clause 7.7 of the SCC.
  6. The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: “The controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the processor within 20 days as of the controller is informed of the intended changes.”
  7. For the purposes of Clause 8 (c)(4) of the SCC, the Parties choose the option 1.
  8. For the purposes of Clause 9.1(b) of the SCC, the Parties choose the option 1.
  9. For the purposes of Clause 9.1(c) of the SCC, the Parties choose the option 1.
  10. For the purposes of Clause 9.2 of the SCC, the Parties choose the option 1.
  11. Each Party’s liability for any breach of this Data Processing Agreement (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.
  12. Unless data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws, including, without limitation, data protection laws of Switzerland.
  13. If data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to the relevant requirements of applicable data protection laws including, without limitation, data protection laws of Switzerland.
  14. The Parties agree that other clauses and additional safeguards added by this Data Processing Agreement to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
  15. Annexes I – IV are attached to this Data Processing Agreement.

ANNEX I

List of parties

Controller (Customer):

Legal entity, or sole trader, or individual who accepted Toloka Terms of Use or signed the Master Service Agreement for the provision of Toloka Services (each referred as "Agreement").

Processor (Toloka):

Toloka AI AG
Werftestrasse 4, 6005 Luzern, Switzerland
Contact person’s name, position and contact details: privacy@toloka.ai.

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed

Natural persons whose personal data are contained in Customer’s dataset and/or are required to perform Tasks.

Categories of personal data processed

Any personal data contained in Customer’s dataset and/or required to perform Tasks.

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive personal data contained in Customer’s dataset and/or required to perform Tasks. Strict purpose limitation and access restrictions are employed.

Nature of the processing

The processor provides the controller with Services specified in Toloka Terms of Use or Master Service Agreement for the provision of Toloka Services entered by the Parties. The processor performs on behalf of the controller operations on personal data required to provide Toloka Services: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction.

Purpose(s) for which the personal data is processed on behalf of the controller

  • Provision to the controller of the Services specified in the Agreement, namely - execution of Tasks by Users (or "Tolokers"), which, at the request of the Customer, may contain personal data;
  • Communication between the Customer and the Toloker, when the Toloker performs Tasks for this Customer.

Duration of the processing

The processor will retain Personal data for the term of the Agreement plus the period from expiry of the term of the Agreement until deletion of Personal data by the processor in accordance with this Data Processing Agreement.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing.

In relation to transfers to sub-processors, the subject matter, and nature of the processing is set forth in Annex IV of the DPA. The duration of the processing by sub-processors is the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.

ANNEX III

Technical and organisational measures including technical and organizational measures to ensure the security of the data

Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  • For the secure storing and processing of personal data, we use the Microsoft Azure platform, which provides the highest level of data protection in the industry. The platform is certified according to the basic information security standards: CSA, SOC2, ISO 27001, etc.
  • Information security management system has been implemented and certified with ISO 27001 and ISO 27701;
  • TLS is used to protect data during transmission. TLSv1.3 is supported;
  • Centralized authentication system implemented in Azure and used to ensure secure user management. Access control process has been implemented;
  • All databases are encrypted at rest;
  • Backups are performed daily. All backups are encrypted;
  • The processor has developed and adopted a number of policies, including but not limited to:
    • Information Security Policy
    • Sensitive User Data Usage Policy
    • Incident Management Policy
    • Malware Protection Policy
    • Regulations for Access Control

For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller:

For transfers to sub-processors that are necessary to ensure technical measures that data subjects are afforded a level of protection that is essentially equivalent to that are implemented by the processor(s).

Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller:

Technical and organizational measures to be taken by the processor to be able to provide assistance to the controller are afforded a level of protection that is essentially equivalent to that are implemented by the processor(s).

ANNEX IV

List of sub-processors

The controller has authorised the use of the following sub-processors:

1
Name:
Microsoft Azure (Microsoft Ireland Operations, Ltd.)
Address:
One Microsoft Place, South County Business Park Leopardstown, Dublin 18, D18 P521, Ireland
Hosting location:
EU or US (chosen by the Customer)
Contact person's name, position and contact details:
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Processing required for provision to the processor of data center services.
2
Name:
Databricks, Inc.
Address:
160 Spear Street, 13th Floor San Francisco, CA 94105
Hosting location:
EU
Contact person's name, position and contact details:
Scott Starbird, General Counsel, Public Affairs and Strategic Partnerships, dpa@databricks.com
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Product data analytics
3
Name:
Sentry.io (Functional Software, Inc.)
Address:
45 Fremont Street, 8th Floor, San Francisco, CA 94105
Hosting location:
US
Contact person's name, position and contact details:
Virginia Badenhope, General Counsel, legal@sentry.io
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Error monitoring
4
Name:
Zendesk (Zendesk, Inc.)
Address:
989 Market Street San Francisco, CA 94103, United States
Hosting location:
US
Contact person's name, position and contact details:
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Support service (ticketing system)
5
Name:
Toloka d.o.o. Beograd
Address:
Starine Novaka 23, Sprat 4, Belgrade (Palilula). 11000, Belgrade, Serbia
Location:
Serbia
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Support and Maintenance of Toloka Services
6
Name:
Tolokers (as defined in the Agreement) who will be engaged to perform Controller's tasks via Toloka Platform. List of Tolokers that were engaged to complete a Task of the controller can be seen using the interface of the Toloka Platform in the form of hashes assigned to the Toloker. The controller may restrict the region of Tolokers (Users) for performance of its tasks via the tools of Toloka Platform.
7
Name:
OpenAI, L.L.C.
Address:
3180 18th St, San Francisco, CA 94110
Location:
USA
Contact person's name, position and contact details:
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
LLM Services Provider

Previous versions of the document:
https://toloka.ai/legal/dpa_sag/28082023
https://toloka.ai/legal/dpa_sag/29052023
https://toloka.ai/legal/dpa_sag/01082022
https://toloka.ai/legal/dpa_sag/14092021
