This Data Processing Agreement and the Annexes (in the following collectively referred to as “DPA”) reflects agreement with respect to the Processing of Personal Data between Toloka (the “Processor”) and Customer (the “Controller”), in connection with the Services Toloka provides under the Toloka Terms of Use.

This DPA is supplemental to, and forms an integral part of, the Toloka Terms of Use (the “Agreement”) concluded by the parties.

Parties may update the terms of this DPA if required by law, changed circumstances, jurisprudence or other developments. Parties will inform of these changes via email and/or other ways. Parties agree as follows:

1. ROLES

When Processing Personal Data in accordance with Customer’s instructions, the parties acknowledge and agree that Customer is acting as the Controller and Toloka is the Processor under the Agreement.

2. DEFINITIONS

2.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

2.2. “CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq., as may be amended from time to time, including the California Privacy Rights Act.‎

2.3. The terms, "Controller", "Member State", "Processor", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA. For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies.

2.5. “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including, but not limited to, California Consumer Privacy Act (CCPA), California Privacy Rights Act of 2020, Virginia Consumer Data Protection Act (CDPA), Colorado Privacy Act (CPA), Connecticut Act Concerning Personal Data Privacy and Online Monitoring (CTDPA), Utah Consumer Privacy Act (UCPA)) and other laws, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder

2.6. “Data Subject” means the identified or identifiable person to whom the Personal Data relates.

2.7. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

2.8. “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by Toloka on behalf of Customer, under this DPA and the Agreement.

2.9. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Processor and/or our Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

2.10. “Security Documentation” means the Security Documentation applicable to the Services purchased by Customer as made available to Customer by Toloka.

2.11. “Services” means the services provided to Customer by Toloka in accordance with the Agreement.

2.12. “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Toloka.

3. CONTROLLER’S OBLIGATIONS

3.1. Compliance with Laws. Controller is responsible for complying with all requirements that apply to it under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions issued to the Processor. In particular but non exclusively, the Controller acknowledges and agrees that it is solely responsible for: (i) the accuracy, quality, and legality of the data provided to Processor; (ii) complying with all necessary transparency and lawfulness requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including obtaining any necessary consents and authorizations, (particularly for use by Customer for marketing purposes); (iii) ensuring it may legally transfer or provide access to, the Personal Data which Processor will be processing  in accordance with the terms of the Agreement (including this DPA); and (iv) ensuring that the instructions imparted to Processor comply with applicable laws, including Data Protection Laws. The Controller will moreover inform the Processor without undue delay if the Controller is not able to comply with its responsibilities under section or applicable Data Protection Laws.

3.2. Security Measures. Controller is responsible for a secure use of the Services offered by Processor, and it is responsible for independently determining whether the data security provided adequately meets the obligations under applicable Data Protection Laws.

4. PROCESSOR’S OBLIGATIONS

4.1. Compliance with Applicable Law and Instructions. Processor shall comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and

Processor only processes Personal Data for the purposes described in this DPA or as otherwise agreed within the scope of the lawful Instructions received from the Controller, except where and limited to the extent otherwise required by applicable law.

4.2. Instructions. If the Processor believes that the Controller's Instruction infringes Applicable Data Protection Laws (where applicable), it will inform the Controller without delay. Nevertheless, such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Controller, and such notification will not constitute legal advice to the Controller.

4.3. Conflict of Laws. Processor will immediately notify the Controller when it becomes aware of the impossibility to process Personal Data in accordance with the instructions received by Controller due to a legal requirement under any applicable law, Processor will. In this case, if necessary, Processor will cease all processing activities, (other than merely storing and maintaining the security of the affected Personal Data) until new lawful instructions are received from the Controller. If such a situation occurs, Processor will not be liable to Controller for any non-compliance until Controller issues new lawful Instructions.

4.4. Security. Processor implements and duly maintains appropriate technical and organizational measures to protect Personal Data, as described under Annex II to this DPA ("Security Measures"). Processor may modify or update the Security Measures at its own discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

4.5. Confidentiality. Processor ensures that all employees authorized to process Personal Data on our behalf is subject to appropriate confidentiality obligations with respect to that Personal Data.

4.6. (Personal) Data Breaches. Processor will notify the Controller without undue delay after it becomes aware of any Personal Data Breach and will provide the necessary information relating to the Personal Data Breach as requested by the Controller. At Controller’s request, the Processor will promptly provide reasonable assistance as necessary to enable the Controller to notify relevant Personal Data Breaches to the competent authorities and/or to the affected Data Subjects, if required under Data Protection Laws.

4.7. Deletion or Return of Personal Data. Processor will delete or return, at the free choice of the Controller, all Personal Data processed on behalf of the Controller, (including copies thereof), on termination or expiration of the Services provided under the Agreement within reasonable timeframes specified by Controller. As a sole exception Processor will retain (part of) the Personal Data in case and within the limit such is required by applicable law.

4.8. Data Protection Impact Assessments and Supervisory Authorities. To the extent that the required information is reasonably available to us, and Controller has no otherwise access to the required information, Processor will provide reasonable assistance with any data protection impact assessments, and prior consultations with supervisory authorities (for example, the state Attorney General) or other competent data privacy authorities to the extent required by Applicable Data Protection Laws.

5. DATA SUBJECT REQUESTS
5.1. Considering the nature of the Processing, Processor shall assist Controller by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

5.2. When a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is received directly by the Processor, the Processor will promptly inform the Controller and ask the Data Subject to submit their request to the Controller. The Controller will be solely responsible for addressing and responding to any such Data Subject Requests.

6. SUB-PROCESSORS

6.1. Engaging. Controller allows engaging Sub-Processors (including Tolokers). When engaging Sub-Processors, Processor will impose data protection terms on these Sub-Processors providing at least the equivalent level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors. Processor remains responsible for Sub-Processor’s compliance with the obligations of this DPA.

6.2. List. Controller hereby agrees Processor may engage Sub-Processors to Process Personal Data on its behalf, a list of the current Sub-Processor is enclosed as Annex IV of this DPA.

6.3. Changes. If Processor adds or changes one or more Sub-Processor, it will notify Controller at least 30 days prior to any such change and provide Controller the opportunity to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 15 days. In case Controller notifies Processor of such an objection, both parties will discuss the concerns in good faith, aiming at achieving a reasonable solution. If no such solution can be reached, Processor will either not appoint the intended new Sub-Processor or allow Controller to terminate the Service in accordance with the termination provisions of the Service Agreement without prejudice to any fees incurred by Controller prior to suspension or termination, but without liability to either party.

6.4. Engaging of Users. List of Users that were engaged to complete a Task of Controller can be seen using the interface of the Toloka Platform in the form of hashes assigned to the User(s). Controller may restrict the region of Users for performance of its Tasks via the tools of Toloka Platform.

6.5. Standard Contractual Clauses. For compliance with Article 46 GDPR, Article 46 UK GDPR and Article 17 FADP Processor ensures to conclude Standard Contractual Clauses (SCC) as applicable. Standard Contractual Clauses must be incorporated in accordance with Commission Implementing Decision (EU) 2021/914 of 4 June 2021. The Customer and Processor agree that the following options shall be used in the SCCs concluded with any Sub-Processors:

                 i. in Clause 11(a) Option shall apply;

                Ii. in Clause 17 Option 2 shall apply.

6.6. In relation to Personal Data that is subject to the GDPR:

                 i. Processor is the "data exporter" and Sub-Processor is the "data importer";

                Ii. the Module Three terms apply.

6.7. In relation to Personal Data that is subject to the UK GDPR, the Standard Contractual Clauses will apply in accordance with the following modifications:

                    i. the Standard Contractual Clauses will be modified and interpreted in accordance with the UK Addendum, which will be incorporated by reference and form an integral part of the Agreement.

6.8. In relation to Personal Data that is subject to the Swiss DPA, the Standard Contractual Clauses will apply in accordance with the following modifications

                    i. references to "Regulation (EU) 2016/679" will be interpreted as references to the Swiss DPA.

6.9. Any dispute arising from SCC shall be resolved by the courts [For EU: of the Netherlands] / [For Swiss: of Switzerland] / [For UK: Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts].

7.     REPORTS, SECURITY & AUDITS

7.1. Controls for the Protection of Personal Data. Processor represents and warrants that it has implemented and will maintain all appropriate technical and organizational measures for protection of Personal Data Processed hereunder (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data, confidentiality and integrity of Personal Data, including those measures set forth in the Security Documentation).

7.2. Records of Processing. Processor will duly maintain records of its Processing activities performed on behalf of Controller.

7.3. Audits and Inspections. Upon prior written request and reasonable prior notice during regular business hours to ensure compliance with the terms of this DPA and applicable law, and subject to confidentiality undertakings by Controller, Processor shall make available to Controller (or Controller’s independent third-party auditor subject to their confidentiality undertakings) all reasonable information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by them. The scope of the audit shall be limited to the systems, procedures and documentation relevant to the processing of Personal Data. If and to the extent that the Standard Contractual Clauses apply, nothing in this Section 7.3 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority’s or Data Subject’s rights under the Standard Contractual Clauses. In the event of an audit or inspections as set forth above, Controller shall take reasonable steps to avoid causing (or, if it cannot avoid, minimize) any disruption to Processor’s operations while conducting such audit or inspection.

7.4. Reports. Upon written request made by Controller and limitedly to once a year, except if substantial elements arise indicating the non-compliance of Processor with the requirements of Applicable law and of this DPA, Processor will provide Controller with a report demonstrating Processor's compliance with its obligations under this DPA and Applicable Law.

8. GENERAL PROVISIONS

8.1. Additional Provisions for California Personal Information
i. Scope. The 'Additional Provisions for California Personal Information' section of the DPA will apply only with respect to California Personal Information.
ii. Roles. When processing California Personal Information in accordance with Customer Instructions, Parties acknowledge and agree that Controller is a Business, and Processor is a Service Provider for the purposes of the CCPA.
iii. Responsibilities. Processor certifies that it will Process California Personal Information as a Service Provider strictly for the purpose of performing the Services under the Agreement (the "Business Purpose") or as otherwise permitted by the CCPA.  Further, Processor certify that:
(a) will not Sell or Share Personal Information;
(b) will not Process California Personal Information outside the direct business relationship between Parties, unless required by applicable law; and
(c) will not combine the Personal Information included in Customer Data with personal information that Processor collects or receives from another source (other than information Process receives from another source in connection with our obligations as a Service Provider under the Agreement).
iv. Compliance. Processor will (i) comply with obligations applicable to it as a Service Provider under the CCPA and (ii) provide California Personal Information with the same level of privacy protection as is required by the CCPA. Processor will notify Controller if Processor makes a determination that it can no longer meet our obligations as a Service Provider under the CCPA.
v. CCPA Audits. Controller will have the right to take reasonable and appropriate steps to help ensure that the Processor uses California Personal Information in a manner consistent with Customer’s obligations under the CCPA. Upon notice, the Controller will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of California Personal Information.
vi. Not a Sale. Parties acknowledge and agree that the disclosure of California Personal Information by the Customer to Processor does not form part of any monetary or other valuable consideration exchanged between Parties.
8.2. Duration of Processing.  Processing obligations under this DPA will begin on date specified in the preamble of this DPA and run until the end of the Processor’s provision of Services to the Controller].

8.3. Severability. If any individual provisions of this DPA is invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
8.4. Limitation of Liability. Each Party and each of their Affiliates' liability, taken in aggregate, arising out of or related to this DPA (including any other DPAs between the parties) and the Standard Contractual Clauses, where applicable, will be subject to the limitations and exclusions of liability set out in the Agreement.
8.5. Governing Law. This DPA will be governed by and construed in accordance with laws specified in clause 10.1. of the Agreement.
8.6. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, shall be resolved in accordance with clause 10.2. of the Agreement.