Addendum to Toloka Terms of Offer

Effective Date: 24th of September, 2021

Data Processing Agreement

  1. The Parties hereby conclude the standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 and Article 29(7) of Regulation (EU) 2018/1725 (decision (EU) 2021/915 of 4 June 2021) ("SCC").
  2. For the purposes of Clause 1(a) of the SCC, the Parties choose option 1.
  3. The Parties agree to include in the SCC Clause 5 (Docking Clause).
  4. The Parties agree to add the following clause (f) to Clause 7.6 of the SCC: “The controller may conduct an inspection at the premises or physical facilities of the processor only subject to a separate agreement with the processor specifying conditions of the relevant inspection.”
  5. For the purposes of Clause 7.7(a) of the SCC, the Parties choose option 2 and specify that the processor shall specifically inform the controller in writing of any intended changes of that list through the addition or replacement of sub-processors at least thirty (30) days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The Parties also agree that the relevant agreed list of sub-processors is provided in Annex IV to this Data Processing Agreement and may be amended by the processor from time to time at its discretion subject to Clause 7.7 of the SCC.
  6. The Parties agree to add the following clause (f) to Clause 7.7 of the SCC: “The controller may object to intended changes of the relevant agreed list of sub-processors provided that such objection is based on reasonable grounds relating to data protection by terminating the Agreement immediately upon written notice received by the processor within 20 days from the date the controller is informed of the intended changes.”
  7. For the purposes of Clause 8(c)(4) of the SCC, the Parties choose option 1.
  8. For the purposes of Clause 9.1(b) of the SCC, the Parties choose option 1.
  9. For the purposes of Clause 9.1(c) of the SCC, the Parties choose option 1.
  10. For the purposes of Clause 9.2 of the SCC, the Parties choose option 1.
  11. Each Party’s liability for any breach of this Data Processing Agreement (including the SCC) shall be subject to the limitations and exclusions of liability set out in the Agreement, provided that neither Party limits or excludes any liability that cannot be limited or excluded under applicable law.
  12. Unless data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to requirements of data protection laws of the EU and relevant requirements of other applicable data protection laws, including, without limitation, data protection laws of the State of Massachusetts, USA.
  13. If data protection laws of the EU do not apply to the processing of personal data performed under the SCC, all references in the SCC to requirements of data protection laws of the EU shall be read as references to the relevant requirements of applicable data protection laws including, without limitation, data protection laws of the State of Massachusetts, USA.
  14. The Parties agree that other clauses and additional safeguards added by this Data Processing Agreement to the SCC do not directly or indirectly contradict the SCC or detract from the fundamental rights or freedoms of data subjects.
  15. Annexes I – IV are attached to this Data Processing Agreement.

ANNEX I

List of parties

Controller:

Legal entity, or sole trader, or individual who has accepted the Toloka Terms of Offer

Processor:

Toloka AI Inc
10 State street, Newburyport, MA 01950, United States
Contact person’s name, position and contact details: toloka@support.yandex.com.

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed

Natural persons whose personal data are contained in Customer’s dataset and/or are required to perform Tasks

Categories of personal data processed

Any personal data contained in Customer’s dataset and/or required to perform Tasks

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

Sensitive personal data contained in Customer’s dataset and/or required to perform Tasks. Strict purpose limitation and access restrictions are employed.

Nature of the processing

The processor provides the controller with Services specified in the Toloka Terms of Offer. The processor performs on behalf of the controller operations on personal data required to provide the service: Collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, alignment or combination, restriction, erasure, and destruction.

Purpose(s) for which the personal data is processed on behalf of the controller

Provision to the controller of the Services specified in the Toloka Terms of Offer.

Duration of the processing

Duration of the agreement on provision to the controller of the Service under the Toloka Terms of Offer plus the period from expiry of the term of the agreement until deletion of personal data by the processor in accordance with this Data Processing Agreement.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing.

Yandex.Technologies LLC, Yandex LLC: Maintenance of the software used for provision to the controller of the Services under Toloka Terms of Offer. Operations on personal data: The same as those performed by the processor. Duration of the processing is the same as for the processor.

Yandex LLC, Yandex Oy, Yandex DC LLC, Yandex DC Vladimir LLC, Yandex DC Kaluga LLC: Data center services. Operations on personal data: Storage, erasure, and destruction. Duration of the processing is the same as for the processor.

ANNEX III

Technical and organisational measures including technical and organisational measures to ensure the security of the data

Description of the technical and organisational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons:

  • TLS is used to protect data during transmission. TLSv1.3 is supported.
  • Centralised authentication system Yandex ID is used to ensure secure user management. Yandex ID is AICPA SOC 2 and 3 certified (https://yandex.com/support/id/security/soc-2.html). 2FA and 2SV are supported. Passwords are stored using Argon2 KDF.
  • Backups are performed daily.
  • Physical security. Only authorized personnel have access to the premises. Access is managed with access control systems and video surveillance.
  • The Company has developed and adopted a number of policies, including but not limited to:
    • Information Security Policy
    • Sensitive User Data Usage Policy
    • Incident Management Policy
    • Malware Protection Policy
    • Regulations for Physical Access Control

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller: the same.

Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller: the same.

ANNEX IV

List of sub-processors

The controller has authorised the use of the following sub-processors:

  1. Name: Yandex.Technologies LLC
     Address: 16 Lva Tolstogo st., Moscow, 119021, Russia
     Contact person’s name, position and contact details: Anton Karpov, Head of Security Department, +7 (495) 739-70-00, zapret-info@yandex-team.com
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Processing required for maintenance of the software used for provision to the controller of the Services under Toloka Terms of Offer.

  2. Name: Yandex Oy
     Address: Moreenikatu 6, 04600 Mantsala, Finland
     Contact person’s name, position and contact details: Alfred Alexander de Cuba, Member of the Board of Directors, +040 743 1775
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Processing required for provision to the processor of data center services.

  3. Name: Yandex DC LLC
     Address: Room 5B68, 82 Sadovnicheskaya st., Building 2, Moscow, 115035, Russia
     Contact person’s name, position and contact details: Anton Karpov, Head of Security Department, +7 (495) 739-70-00, zapret-info@yandex-team.com
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Processing required for provision to the processor of data center services.

  4. Name: Yandex DC Vladimir LLC
     Address: 600902, Vladimir region, Vladimir, Microdistrict Energetik, 1 Poiskovaya str., building 2
     Contact person’s name, position and contact details: Anton Karpov, Head of Security Department, +7 (495) 739-70-00, zapret-info@yandex-team.com
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Processing required for provision to the processor of data center services.

  5. Name: Yandex DC Kaluga LLC
     Address: 248002, Kaluga region, Kaluga, Boldina str. 57, office 406
     Contact person’s name, position and contact details: Anton Karpov, Head of Security Department, +7 (495) 739-70-00, zapret-info@yandex-team.com
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Processing required for provision to the processor of data center services.

  6. Name: Yandex LLC
     Address: 16 Lva Tolstogo st., Moscow, 119021, Russia
     Contact person’s name, position and contact details: Anton Karpov, Head of Security Department, +7 (495) 739-70-00, zapret-info@yandex-team.com
     Description of the processing (including a clear delimitation of responsibilities in case several sub-processors are authorised): Processing required for maintenance of the software used for provision to the controller of the Services under Toloka Terms of Offer. Processing required for provision to the processor of data center services.