Last updated: February 07, 2023
Effective Date: February 17, 2023
Availability – Ensuring timely and reliable access to and use of information
Confidentiality – Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information
Controller (Customer) – Person, company, or other body that determines the purpose and means of personal data processing (this can be determined alone, or jointly with another person/company/body)
Processor (Toloka) – Person, company, or other body which processes personal data on the Data Controller's behalf
Tolokers (Users) – Data subjects who perform tasks placed by Customers
Data subjects – Individual persons whose personal data is collected, held or processed under this Data Processing Agreement. Personal data is any data that can be used to identify an individual, ranging from a name, addresses or e-mail address to more obscure information like their ID in service, IP addresses or internet browser data, and any other information as defined by applicable law.
Encryption – The process of changing plaintext into ciphertext using a cryptographic algorithm and key
Integrity – Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity
Personal data breach – Incident wherein information is stolen or taken from a system without the knowledge or authorization of the system's owner as defined by applicable law.
Pseudonymisation – Particular type of de-identification that both removes the association with a data subject and adds an association between a particular set of characteristics relating to the data subject and one or more pseudonyms. Typically, pseudonymization is implemented by replacing direct identifiers with a pseudonym, such as a randomly generated value.
Resilience – The ability of a party to enable business acceleration (enterprise resiliency) by preparing for, responding to, and recovering from cyber threats
Sub-processors – Third party data processor engaged by a Data Processor who has or will have access to or process personal data from a Data Controller
List of parties
Controller:
Processor:
Description of the processing
Categories of data subjects whose personal data is processed
Natural persons whose personal data are contained in Customer's dataset and/or Tolokers performing Tasks
Categories of personal data processed
Any personal data contained in Customer's dataset and/or personal data of Tolokers performing Tasks
Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive personal data contained in Customer's dataset and/or sensitive personal data of Tolokers performing Tasks. Strict purpose limitation and access restrictions are employed.
Nature of the processing
The processor provides the controller with Services specified in the Toloka Terms of Use and/or Master Services Agreement. The processor performs on behalf of the controller operations on personal data as required to provide the service: Collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction. Upon request of the controller the processor may store Tolokers' consents.
Purpose(s) for which the personal data is processed on behalf of the controller
Duration of the processing
Term of the Service under Toloka Terms of Use or Master Services Agreement entered by the parties plus the period from expiry of the term until deletion of the data by the processor in accordance with this Data Processing Agreement.
Transfer of personal data
Party/Third-party | Role in process | Purpose of transfer | Operations on personal data | Duration of processing |
---|---|---|---|---|
Legal entity, or sole trader, or individual who accepted Toloka Terms of Use or signed the Master Service Agreement for the provision of Toloka Services | Controller | Execution of tasks by Tolokers; Execution of tasks by Tolokers, which, at the request of the Customer, may contain PD; Communication between the Customer and the Toloker, when the Toloker performs tasks for this customer | Collection, recording, storage, destruction, adaptation or alteration, erasure, transfer (distribution, provision, access) | Duration of the agreement on provision to the controller of the Service under the Toloka Terms of Use plus the period from expiry of the term of the agreement until deletion of personal data by the processor in accordance with this Data Processing Agreement |
IT providers | Sub-processor | Maintenance of the software/hardware/technical infrastructure used for provision of the Services to the controller under Toloka Terms of Use or Master Services Agreement | Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction | Duration of the agreement on provision to the controller of the Service under the Toloka Terms of Use plus the period from expiry of the term of the agreement until deletion of personal data by the processor in accordance with this Data Processing Agreement |
Hosting providers | Sub-processor | Data center services | Storage, erasure, and destruction | Duration of the agreement on provision to the controller of the Service under the Toloka Terms of Use plus the period from expiry of the term of the agreement until deletion of personal data by the processor in accordance with this Data Processing Agreement |
Territorial Restrictions:
Controller may restrict the region of Tolokers (Users) for performance of its tasks via the tools of the Platform.
Technical and organizational measures including technical and organizational measures to ensure the security of the data
Description of the technical and organizational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller:
For transfers to sub-processors that are necessary to ensure technical measures that data subjects are afforded a level of protection that is essentially equivalent to that implemented by the processor(s).
Description of the specific technical and organizational measures to be taken by the processor to be able to provide assistance to the controller:
Technical and organizational measures to be taken by the processor to be able to provide assistance to the controller are afforded a level of protection that is essentially equivalent to that implemented by the processor(s).
List of sub-processors
The controller has authorized the use of the following sub-processors:
Category of sub-processor | Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorized) |
---|---|
Service developers | Processing required for maintenance of the software/hardware/technical infrastructure used for provision of the Services under Toloka Terms of Use or Master Service Agreement entered by the parties. |
Data centers | Processing required for provision to the processor of data center services. |
Retained Tolokers (Users) (as defined in the Agreement) | Processing required to perform Controller's tasks via Toloka platform |
Previous versions of the document:
https://toloka.ai/legal/dpa_usa/01082022
https://toloka.ai/legal/dpa_usa/14092021