Addendum to Toloka Terms of Use
Last updated / Date of publication: September 9, 2023
Effective Date: September 19, 2023
Data Processing Agreement
ANNEX I
List of parties
Controller (Customer): Legal entity, or sole trader, or individual who accepted Toloka Terms of Use or signed the Master Service Agreement for the provision of Toloka Services (each referred to as "Agreement").
Processor (Toloka): Toloka AI AG, Werftestrasse 4, 6005 Luzern, Switzerland. Contact person’s name, position and contact details: privacy@toloka.ai.
ANNEX II
Description of the processing
Categories of data subjects whose personal data is processed
Natural persons whose personal data are contained in Customer’s dataset and/or are required to perform Tasks.
Categories of personal data processed
Any personal data contained in Customer’s dataset and/or required to perform Tasks.
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive personal data contained in Customer’s dataset and/or required to perform Tasks. Strict purpose limitation and access restrictions are employed.
Nature of the processing
The processor provides the controller with Services specified in Toloka Terms of Use or Master Service Agreement for the provision of Toloka Services entered by the Parties. The processor performs on behalf of the controller operations on personal data required to provide Toloka Services: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction.
Purpose(s) for which the personal data is processed on behalf of the controller
Provision to the controller of the Services specified in the Agreement, namely - execution of Tasks by Users (or "Tolokers"), which, at the request of the Customer, may contain personal data;
Communication between the Customer and the Toloker, when the Toloker performs Tasks for this Customer.
Duration of the processing
The processor will retain Personal data for the term of the Agreement plus the period from expiry of the term of the Agreement until deletion of Personal data by the processor in accordance with this Data Processing Agreement.
For processing by (sub-) processors, also specify subject matter, nature and duration of the processing.
In relation to transfers to sub-processors, the subject matter, and nature of the processing is set forth in Annex IV of the DPA. The duration of the processing by sub-processors is the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
ANNEX III
Technical and organisational measures including technical and organizational measures to ensure the security of the data
Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
For the secure storing and processing of personal data, we use the Microsoft Azure platform, which provides the highest level of data protection in the industry. The platform is certified according to the basic information security standards: CSA, SOC2, ISO 27001, etc.
An information security management system has been implemented and certified to ISO 27001 and ISO 27701;
TLS is used to protect data during transmission. TLSv1.3 is supported;
A centralized authentication system is implemented in Azure and used to ensure secure user management. An access control process has been implemented;
All databases are encrypted at rest;
Backups are performed daily. All backups are encrypted;
The processor has developed and adopted a number of policies, including but not limited to:
Information Security Policy
Sensitive User Data Usage Policy
Incident Management Policy
Malware Protection Policy
Regulations for Access Control
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller:
For transfers to sub-processors that are necessary to ensure technical measures that data subjects are afforded a level of protection that is essentially equivalent to that implemented by the processor(s).
Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller:
Technical and organizational measures to be taken by the processor to be able to provide assistance to the controller are afforded a level of protection that is essentially equivalent to that implemented by the processor(s).
ANNEX IV
List of sub-processors
The controller has authorised the use of the following sub-processors:
1
Name:
Toloka does not intentionally collect any information on Your protected classifications, but Toloka may learn your protected classifications inadvertently (e.g. Your age)
Address:
Record of services with Toloka
Hosting location:
Only in case of performing "field tasks" (at your choice)
Contact person's name, position and contact details:
E-Wallet number. Note that Toloka uses third party payment processors as set forth in Section 3 to facilitate Your payments and Toloka does not store Your payment information.
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
None
2
Name:
Databricks, Inc.
Address:
160 Spear Street, 13th Floor San Francisco, CA 94105
Hosting location:
EU
Contact person's name, position and contact details:
Scott Starbird, General Counsel, Public Affairs and Strategic Partnerships, dpa@databricks.com
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Product data analytics
3
Name:
Sentry.io (Functional Software, Inc.)
Address:
45 Fremont Street, 8th Floor, San Francisco, CA 94105
Hosting location:
US
Contact person's name, position and contact details:
Virginia Badenhope, General Counsel, legal@sentry.io
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Error monitoring
4
Name:
Zendesk (Zendesk, Inc.)
Address:
989 Market Street San Francisco, CA 94103, United States
Hosting location:
US
Contact person's name, position and contact details:
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Support service (ticketing system)
5
Name:
Toloka d.o.o. Beograd
Address:
Starine Novaka 23, Sprat 4, Belgrade (Palilula). 11000, Belgrade, Serbia
Hosting location:
Serbia
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
Support and Maintenance of Toloka Services
6
Name:
Tolokers (as defined in the Agreement) who will be engaged to perform Controller's tasks via Toloka Platform. List of Tolokers that were engaged to complete a Task of the controller can be seen using the interface of the Toloka Platform in the form of hashes assigned to the Toloker. The controller may restrict the region of Tolokers (Users) for performance of its tasks via the tools of Toloka Platform.
7
Name:
OpenAI, L.L.C.
Address:
3180 18th St, San Francisco, CA 94110
Hosting location:
USA
Contact person's name, position and contact details:
Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised):
LLM Services Provider
Previous versions of the document: https://toloka.ai/legal/dpa_sag/28082023
© 2024 Toloka AI BV