Data Processing Agreement (US)
1. Information About the Parties
| Name: | App User | Readdle Limited |
| Role in the processing: | Controller | Processor |
| Registered Address: | Glandore Business Centre, Grand Canal House, 1 Grand Canal Street Upper, Dublin 4, D04 Y7R5, Ireland |
|
| Company Number: | 630281 | |
| Email: | rdsupport@readdle.com – for general inquiries
dpo@readdle.com – for privacy inquiries |
This Data Processing Agreement (“DPA”) is an integral part of the Terms of Service (“Terms”) and governs the personal information processing activities between Readdle Limited (“Readdle” or “we”) and App Users that are the residents of the United States of America, and constitutes a binding agreement between the Controller and the Processor. In this DPA, Readdle and the App User shall be jointly referred to as the “Parties” and each separately as a “Party”.
2. Applicability
The App User is the individual that has downloaded the Readdle application named PDF Expert (“App”) available via:
- https://pdfexpert.com/;
- https://apps.apple.com/ua/app/pdf-expert-edit-and-sign-pdf/id1055273043?l=uk&mt=12;
- https://apps.apple.com/us/app/pdf-expert-pdf-editor-reader/id743974925;
to which the App User is being granted access under the Terms.
Unless defined in this DPA, all capitalised terms used herein shall have the meaning given to them in the Terms. In the event of any conflict between the Terms and this DPA, the terms of this DPA shall prevail in relation to the processing of personal data set out in this DPA.
This DPA shall apply to the processing by Readdle of the personal information (“Personal Information”) of the third parties (“Third Parties”) provided in the files uploaded to the App by the App User.
3. Purpose of Information Processing
The App User uploads the files containing the Personal Information into the App and Readdle processes this Personal Information solely for the purpose of Readdle providing the functionality of the App to the App User.
4. Processing of Personal Information
Following the purposes of the processing of the Personal Information, it shall include, but is not limited to, the following:
- transferring of the information between the Parties or by the Party with a third party under the “Details of processing” sections of the DPA;
- storing of the Personal Information on servers;
- subcontracting the processing of the Personal Information to the sub-processors;
- granting third parties rights to access the Personal Information;
- deletion or return of the Personal Information;
- using the Personal Information for the purpose of fulfilling the Terms.
5. Personal Information
Readdle processes the Personal Information the App User provides in App. The amount of the Personal Information is determined by the App User solely, and it may contain any personal information of the Third Parties including, but not limited to, special categories of data.
The Parties will notify each other without undue delay if they become informed by the Third Party of inaccuracies in the Personal Information.
6. Personal Information Storage Term
Readdle Limited shall store the Personal Information received from the Controller for the periods specified in the PDF Expert Privacy Notice for App, available following the link https://pdfexpert.com/legal/privacy-app, and in the backup for 1 week thereafter.
After that, Readdle shall delete or return all Personal Information to the App User.
Notwithstanding anything to the contrary in this section, Readdle may retain Personal Information, or any portion of it, if required by applicable law, provided such Personal Information remains protected in accordance with the Terms, this DPA, and applicable laws and regulations.
7. Details of Processing
| Type of data | Reasons for processing | Legal basis |
| Personal Information contained in files uploaded by the App User. | Providing the App User with the App’s functionality with regard to these files. | Performance of the contract. |
8. Sensitive Information
Sensitive information may be transferred for processing at the discretion of the Controller. The Processor shall implement safeguards to protect it (read more in Data Protection Measures).
9. Limitation of the Processing
Readdle shall not collect, retain, use, transfer, disclose, or otherwise process the Personal Information for any purpose other than providing the functionality of the App.
Readdle shall process the Personal Information only as necessary to provide the App functionality and to fulfill the obligations set out in the Terms.
Readdle does not use Personal Information outside of direct contractual relations.
10. The Frequency of the Transfer for Processing
Personal Information will be transferred for processing on a continuous basis.
11. Nature of the Processing
Readdle collects the Third Parties’ Personal Information to process it upon the App User’s request.
12. Sub-processors
The App User agrees that Readdle may engage sub-processors to process the Personal Information on behalf of the App User, providing the necessary safeguards.
Readdle may engage the sub-processor at any time at its sole discretion.
Readdle shall make available to App User, upon its request, a current list of sub-processors engaged in connection with the provision of the App’s functionality.
Readdle transfers the Personal Information to its sub-processors solely for processing.
13. Recipients
The Personal Information may only be disclosed to the following recipients or categories of recipients and only if appropriate safeguards are in place:
- advisers, contractors, consultants, and other professional experts;
- partners;
- team members;
- third parties.
14. No Sale of Personal Information under the California Consumer Privacy Act
The Parties shall not have, derive, or exercise any rights or benefits regarding processing the Personal Information and may use and disclose the Personal Information solely for the purposes for which such the Personal Information was provided to it, as stipulated in this DPA.
The Parties certify that they understand the rules, requirements, and definitions of the California Consumer Privacy Act (“CCPA”) and agree to refrain from selling any Personal Information nor taking any action that would cause any transfer of the Personal Information to qualify as “selling” such Personal Information under the CCPA.
15. Data Protection Measures
The Processor shall implement appropriate technical and organizational measures to protect the Personal Information.
Implemented measures must be appropriate to the scope and risks of Personal Information processing. Relevant technical measures must be implemented on every device and data storage the Processor uses to access and process Personal Information.
The Processor must ensure that its employees, agents, and contractors:
- can access the Personal Information only when access is strictly necessary for the purposes of the DPA;
- are informed of the confidential nature of the Personal Information;
- are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
The Processor must implement at least the following safeguards:
| Physical measures | |
|---|---|
| Limited access to premises | |
| Organizational measures | |
Policies and instructions
|
Transfer protection
Agreements
|
| Contractor and staff training |
Privacy Protection:
|
|
Regular access and policy review Code review |
|
| Technical measures | |
|
Encryption technologies: encryption in transit, backup encryption, state-of-the-art methods of cryptographic keys |
Backup We ensure the availability of data in several ways. For example, there is a regular backup of the entire system. This can be used if the other availability measures fail. Critical services are operated redundantly in multiple data centers and controlled by a high-availability system. |
| Two-factor authentication | |
| Static Analysis | Quality Assurance |
| Regular Patch Management | Dependency and Supply Chain Vulnerability Check |
| Stress-tests | |
16. Data Breach Management and Notification
In a case of a data loss or breach incident affecting the security of Personal Information, Readdle shall notify the App User via the email address provided by the App User for the use of the App, without undue delay, but in no event later than 72 hours after identifying any potential or actual loss or breach.
Readdle shall make reasonable efforts to identify and take those necessary and reasonable steps to remediate or mitigate the cause of such data loss or breach incident.
Readdle shall provide reasonable assistance to App User in the event that the App User is required under applicable law to notify a regulatory authority or any data subjects impacted by such data loss or breach incident.
17. Applicable Legislation
Both Parties shall meet the requirements of the U.S. federal laws and privacy laws of states to the extent they may be applied as follows:
- Federal Trade Commission Act;
- California Consumer Privacy Act of 2018 (CCPA);
- California Privacy Rights Act;
- Colorado Privacy Act;
- Connecticut Data Privacy Act;
- Delaware Online and Personal Privacy Protection;
- Maine Privacy Law;
- Nevada Privacy Law;
- New York State Personal Privacy Protection Law (PPPL);
- Ohio Data Protection Act;
- Utah Consumer Privacy Act;
- Virginia Consumer Data Protection Act.
Regardless of the federal and state regulations and laws, the Processor is regulated by and meets the General Data Protection Regulation (GDPR) standards.
18. Change of Law
If there is a change of any relevant privacy laws, regulations, or rules, which affect the Terms of Service and this DPA in particular, the Processor shall amend it to comply with the law.
20. Competent Supervisory Authority
Сompetent supervisory authority is the Irish Data Protection Commission (DPC). For further information, please visit: https://www.dataprotection.ie/.