Products

LLMs

Solutions

Resources

Impact on AI

Company

Talk to us

Log in

Log in

Log in

Addendum to Toloka Terms of Use

Last updated / Date of publication:  September 9, 2023
Effective Date: September 19, 2023

Data Processing Agreement

  1. The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) (“SCC”).

  2. For the purposes of Clause 1(a) of the SCC, the Parties choose the option 1.

  3. The Parties agree to include in the SCC Clause 5 (Docking Clause).

  4. The Parties agree to add the following clause (f) to Clause 7.6 of the SCC: “The controller may conduct an inspection at the premises or physical facilities of the processor only subject to a separate agreement with the processor specifying conditions of the relevant inspection.”

  5. For the purposes of Clause 7.7(a) of the SCC, the Parties choose the option 2 and specify that the processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor (s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex IV to this Data Processing Agreement and may be amended by the processor from time to time at its discretion subject to Clause 7.7 of the SCC.

  6. The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: “The controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the processor within 20 days as of the controller is informed of the intended changes.”

  7. For the purposes of Clause 8 (c)(4) of the SCC, the Parties choose the option 1.

  8. For the purposes of Clause 9.1(b) of the SCC, the Parties choose the option 1.

  9. For the purposes of Clause 9.1(c) of the SCC, the Parties choose the option 1.

  10. For the purposes of Clause 9.2 of the SCC, the Parties choose the option 1.

  11. Each Party’s liability for any breach of this Data Processing Agreement (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

  12. Unless data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws, including, without limitation, data protection laws of Switzerland.

  13. If data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to the relevant requirements of applicable data protection laws including, without limitation, data protection laws of Switzerland.

  14. The Parties agree that other clauses and additional safeguards added by this Data Processing Agreement to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.

  15. Annexes I – IV are attached to this Data Processing Agreement.

  1. The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) (“SCC”).

  2. For the purposes of Clause 1(a) of the SCC, the Parties choose the option 1.

  3. The Parties agree to include in the SCC Clause 5 (Docking Clause).

  4. The Parties agree to add the following clause (f) to Clause 7.6 of the SCC: “The controller may conduct an inspection at the premises or physical facilities of the processor only subject to a separate agreement with the processor specifying conditions of the relevant inspection.”

  5. For the purposes of Clause 7.7(a) of the SCC, the Parties choose the option 2 and specify that the processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor (s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex IV to this Data Processing Agreement and may be amended by the processor from time to time at its discretion subject to Clause 7.7 of the SCC.

  6. The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: “The controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the processor within 20 days as of the controller is informed of the intended changes.”

  7. For the purposes of Clause 8 (c)(4) of the SCC, the Parties choose the option 1.

  8. For the purposes of Clause 9.1(b) of the SCC, the Parties choose the option 1.

  9. For the purposes of Clause 9.1(c) of the SCC, the Parties choose the option 1.

  10. For the purposes of Clause 9.2 of the SCC, the Parties choose the option 1.

  11. Each Party’s liability for any breach of this Data Processing Agreement (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

  12. Unless data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws, including, without limitation, data protection laws of Switzerland.

  13. If data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to the relevant requirements of applicable data protection laws including, without limitation, data protection laws of Switzerland.

  14. The Parties agree that other clauses and additional safeguards added by this Data Processing Agreement to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.

  15. Annexes I – IV are attached to this Data Processing Agreement.

  1. The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) (“SCC”).

  2. For the purposes of Clause 1(a) of the SCC, the Parties choose the option 1.

  3. The Parties agree to include in the SCC Clause 5 (Docking Clause).

  4. The Parties agree to add the following clause (f) to Clause 7.6 of the SCC: “The controller may conduct an inspection at the premises or physical facilities of the processor only subject to a separate agreement with the processor specifying conditions of the relevant inspection.”

  5. For the purposes of Clause 7.7(a) of the SCC, the Parties choose the option 2 and specify that the processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor (s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex IV to this Data Processing Agreement and may be amended by the processor from time to time at its discretion subject to Clause 7.7 of the SCC.

  6. The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: “The controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the processor within 20 days as of the controller is informed of the intended changes.”

  7. For the purposes of Clause 8 (c)(4) of the SCC, the Parties choose the option 1.

  8. For the purposes of Clause 9.1(b) of the SCC, the Parties choose the option 1.

  9. For the purposes of Clause 9.1(c) of the SCC, the Parties choose the option 1.

  10. For the purposes of Clause 9.2 of the SCC, the Parties choose the option 1.

  11. Each Party’s liability for any breach of this Data Processing Agreement (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.

  12. Unless data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws, including, without limitation, data protection laws of Switzerland.

  13. If data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to the relevant requirements of applicable data protection laws including, without limitation, data protection laws of Switzerland.

  14. The Parties agree that other clauses and additional safeguards added by this Data Processing Agreement to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.

  15. Annexes I – IV are attached to this Data Processing Agreement.

ANNEX I

List of parties

Controller (Customer): Legal entity, or sole trader, or individual who accepted Toloka Terms of Use or signed the Master Service Agreement for the provision of Toloka Services (each referred as "Agreement").

Processor (Toloka): Toloka AI AGWerftestrasse 4, 6005 Luzern, SwitzerlandContact person’s name, position and contact details: privacy@toloka.ai.

ANNEX II

Description of the processing


Categories of data subjects whose personal data is processed


Natural persons whose personal data are contained in Customer’s dataset and/or are required to perform Tasks.


Categories of personal data processed


Any personal data contained in Customer’s dataset and/or required to perform Tasks.


Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.


Sensitive personal data contained in Customer’s dataset and/or required to perform Tasks. Strict purpose limitation and access restrictions are employed.


Nature of the processing


The processor provides the controller with Services specified in Toloka Terms of Use or Master Service Agreement for the provision of Toloka Services entered by the Parties. The processor performs on behalf of the controller operations on personal data required to provide Toloka Services: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction.



Purpose(s) for which the personal data is processed on behalf of the controller

  • Provision to the controller of the Services specified in the Agreement, namely - execution of Tasks by Users (or "Tolokers"), which, at the request of the Customer, may contain personal data;

  • Communication between the Customer and the Toloker, when the Toloker performs Tasks for this Customer.


Duration of the processing


The processor will retain Personal data for the term of the Agreement plus the period from expiry of the term of the Agreement until deletion of Personal data by the processor in accordance with this Data Processing Agreement.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing.

In relation to transfers to sub-processors, the subject matter, and nature of the processing is set forth in Annex IV of the DPA. The duration of the processing by sub-processors is the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.

ANNEX III

Technical and organisational measures including technical and organizational measures to ensure the security of the data


Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  • For the secure storing and processing of personal data, we use the Microsoft Azure platform, which provides the highest level of data protection in the industry. The platform is certified according to the basic information security standards: CSA, SOC2, ISO 27001 and etc.

  • Information security management system has been implemented and certified with ISO 27001 and ISO 27701;

  • TLS is used to protect data during transmission. TLSv1.3 is supported;

  • Centralized authentication system implemented in Azure and used to ensure secure user management. Access control process has been implemented;

  • All data bases are encrypted at rest;

  • Backups are performed daily. All backups are encrypted;

  • The processor has developed and adopted a number of policies, including but not limited to:

    • Information Security Policy

    • Sensitive User Data Usage Policy

    • Incident Management Policy

    • Malware Protection Policy

    • Regulations for Access Control


For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller:


For transfers to sub-processors that are necessary to ensure technical measures that data subjects are afforded a level of protection that is essentially equivalent to that are implemented by the processor(s).


Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller:


Technical and organizational measures to be taken by the processor to be able to provide assistance to the controller are afforded a level of protection that is essentially equivalent to that are implemented by the processor(s).

* User means Toloker(s) and/or AI Tutor(s)

* User means Toloker(s) and/or AI Tutor(s)

ANNEX IV

List of sub-processors

The controller has authorised the use of the following sub-processors:

1

Name:

Toloka does not intentionally collect any information on Your protected classifications, but Toloka may learn your protected classifications inadvertently (e.g. Your age)

Address:

Record of services with Toloka

Hosting location:

Only in case of performing "field tasks" (at your choice)

Contact person's name, position and contact details:

E-Wallet number. Note that Toloka uses third party payment processors as set forth in Section 3 to facilitate Your payments and Toloka does not store Your payment information.

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

None

2

Name:

Databricks, Inc.

Address:

160 Spear Street, 13th Floor San Francisco, CA 94105

Hosting location:

EU

Contact person's name, position and contact details:

Scott Starbird, General Counsel, Public Affairs and Strategic Partnerships, dpa@databricks.com

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

Product data analytics

3

Name:

Sentry.io (Functional Software, Inc.)

Address:

45 Fremont Street, 8th Floor, San Francisco, CA 94105

Hosting location:

US

Contact person's name, position and contact details:

Virginia Badenhope, General Counsel, legal@sentry.io

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

Error monitoring

4

Name:

Zendesk (Zendesk, Inc.)

Address:

989 Market Street San Francisco, CA 94103, United States

Hosting location:

US

Contact person's name, position and contact details:

euprivacy@zendesk.com or privacy@zendesk.com

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

Support service (ticketing system)

5

Name:

Toloka d.o.o. Beograd

Address:

Starine Novaka 23, Sprat 4, Belgrade (Palilula). 11000, Belgrade, Serbia

Hosting location:

Serbia

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

Support and Maintenance of Toloka Services

6

Name:

Tolokers (as defined in the Agreement) who will be engaged to perform Controller's tasks via Toloka Platform. List of Tolokers that were engaged to complete a Task of the controller can be seen using the interface of the Toloka Platform in the form of hashes assigned to the Toloker. The controller may restrict the region of Tolokers (Users) for performance of its tasks via the tools of Toloka Platform.

7

Name:

OpenAI, L.L.C.

Address:

3180 18th St, San Francisco, CA 94110

Hosting location:

USA

Contact person's name, position and contact details:

privacy@openai.com

Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):

LLM Services Provider

Previous versions of the document: https://toloka.ai/legal/dpa_sag/28082023

© 2024 Toloka AI BV

Manage cookies

Privacy Notice

Terms of Use

Code of Conduct