現行版。最終更新日は 2023 年 7 月 2 日です。
このデータ処理補足契約(「DPA」)は、ユーザーであるあなたとSmartcatの間で締結されるサービス契約、およびhttps://www.smartcat.com/terms/または利用規約が随時掲載されるその他の場所で閲覧可能なサービス利用規約の一部を構成します。
本DPAの目的は、一般データ保護規則(GDPR)およびその他のデータ保護法(これらの用語は本書で定義されます)の要件に従って個人データを処理することに関する当事者の合意を反映することです。
ここで使用される用語および定義は、文脈により別途示唆されない限り、利用規約、サービス契約、および GDPR で定義されているものと同じ意味を持ちます。
3. Processing of Your Personal Data
4. Personal Data in the Uploaded Content to Smartcat Platform
8. Scope of Instructions Given to Smartcat
10. International Data Transfers
13. Data Protection Impact Assessment
15. Your Warranties, Covenants and Undertakings
1.1. “Affiliates” means any entity that directly or indirectly controls, is controlled by, or is under common control with the Smartcat.
1.2. “Content” means any document, information, data, text, images, software, music, videos, sound, photographs, graphics, messages or other materials, including any text and/or oral communication, that a Customer wishes Smartcat to translate or process in the agreed way, provides it for translation/processing by way of uploading, assigning a task (hereinafter, “upload”) it on the Platform.
1.3. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
1.4. “Customer” means a User of the Platform who is a party to a Service Contract.
1.5. “Data Protection Laws” means all applicable data protection, privacy and data security laws and regulations, including the UK General Data Protection Regulation (“UK GDPR”), the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 and its implementing regulations (collectively referred to herein as the “CCPA”) and any similar or equivalent applicable laws or regulations.
1.6. “Data Subject” means the identified or identifiable natural person to whom the Personal Data relates.
1.7. “EEA” means the European Economic Area.
1.8. “EU” means the European Union.
1.9. “General Data Protection Regulation” or “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Counsel of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.10. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.
1.11. “Personal Data” means any information relating to the Data Subject.
1.12. “Processing of Personal Data” / “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.13. “Processor” means Smartcat which processes the Personal Data on behalf of the Controller.
1.14. “Security Measures” means any measures of the administrative, physical, and technical safeguards in the Smartcat’s information system. The list of Security Measures is mentioned in clause 6.1. of the DPA.
1.15. “Service Contract” means a customer agreement, located at https://www.smartcat.com/customer-agreement/, or paper version of the master services agreement executed between you and Smartcat.
1.16. “Service Task” has the meaning in the Service Contract.
1.17. “Services” means subscription, translation and related services, i.e., editing, post-editing, proofreading, interpreting, etc.
1.18. “Smartcat Platform” or “Platform” means Smartcat’s website and technology platform for translation workflow automation, which is located at https://www.smartcat.com/.
1.19. “Smartcat” means either Smartcat Platform Inc. – a legal entity registered under the laws of the United States of America; or Smartcat Europe B.V. – a legal entity registered in the Netherlands with registered address at Rouboslaan 36 B, 2252 TR, Voorschoten, the Netherlands, registration № 859832880. Which legal entity is going to be a contractual party to you depends on what further agreement you are becoming a party to.
1.20. “Standard Contract Clauses” or “SCC” means an agreement made using the relevant EU Standard Contractual Clauses as adopted by the EU Commission for the transfer of Personal Data to countries outside the EU/EEA.
1.21. “Sub-processor” means any entity or person appointed by or on behalf of the Processor to process Personal Data on behalf of the Processor.
1.22. “Subcontractor” means any individual freelancer or legal entity that is registered on the Platform as a supplier and wishes to perform the Service Task for the Customer.
1.23. “Supervisory authority” means an independent public authority.
1.24. “United Kingdom International Data Transfer Agreement or Addendum” or “UK IDTA” means either, as applicable, (a) the International Data Transfer Agreement when used under the UK GDPR, or (b) the International Data Transfer Addendum to the EU SCCs issued by the Commissioner under s119A (1) of the Data Protection Act 2018, version A1.0, in force from March 21, 2022.
1.25. “User” means a Customer or a Subcontractor (depending on the context) registered on the Platform.
2.1. You acknowledge that you are aware of the Data Protection Laws that may affect you when you receive or collect any Content from your Customers containing Personal Data and when you further upload that Content containing Personal Data on Smartcat Platform.
2.2. Smartcat is a “processor” within the meaning of article 4 of the GDPR.
3.1. This section includes certain details of the Processing of your Personal Data as required by Article 28(3) GDPR.
a) Subject matter and duration of the Processing of your Personal Data are set out in the Terms of Service, Service Contract and this DPA.
b) Nature and purpose of the Processing of your Personal Data: Provision of software as a service for language translation and related services.
c) Types of your Personal Data to be processed: Name, address, photo, contact data, professional life data, other Personal Data in the uploaded Content to the Smartcat Platform.
d) Categories of the Data Subjects to whom your Personal Data relates: Customers, co-workers and Data Subjects referred to in the uploaded Content to the Smartcat Platform.
3.2. Smartcat may process Personal Data provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service and Service contract for the following purposes:
providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and
for the purposes set forth in the Terms of Service and Service contract.
4.1 お客様は、お客様が Smartcat プラットフォームにアップロードしたコンテンツに個人データが含まれていることを Smartcat に明示的に通知しない限り、Smartcat がそれを認識できない場合があることを認め、これに同意するものとします。この場合、そのような個人データを保護する責任はお客様にあります。
5.1. Smartcat shall take reasonable steps to ensure the reliability of any employee, agent or contractor who may have access to your Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know the relevant Controller Personal Data in order for Smartcat to perform its obligations under the Terms of Service and the Service Contract.
5.2. Smartcat ensures that:
5.2.1. Employees, agents or contractors are subject to statutory obligations of confidentiality and confidentiality undertakings at least as restrictive as those described under this DPA.
5.2.2. Employees are thoroughly checked by our security team and can only use Personal Data when necessary as part of their work as well as their access is limited by authorization procedures and infrastructure, which does not allow employees with insufficient rights to access your Personal Data
5.2.3. All employees have completed appropriate training regarding Personal Data.
6.1. Security Measures:
Smartcat is SOC 2 Type II certified
Use of Tier IV data centers in the U.S., EU and China, run by AWS and Microsoft Azure, which are SOC-1, SOC-2, and SOC-3 compliant;
All passwords are stored in hashed and salted form (and several external authorized services are supported via OAuth 2.0);
All passwords in the production configuration files are encrypted and certificates required to decrypt configs are installed on the production machines by administrators and not accessible for engineers with lower levels of access;
Sub-processors are required to enter into appropriate security, confidentiality and privacy contract terms;
Smartcat maintains policies and procedures to detect, monitor, document and respond to actual or reasonably suspected security incidents;
Full list of Smartcat security measures is located at https://www.smartcat.com/smartcat-security-program/.
6.2. These Security Measures may be updated or modified provided that such updates and modifications do not result in the degradation of the overall security of Smartcat Platform.
7.1. To the extent the CCPA applies to the Processing governed by this DPA, the Processor acknowledges that Processor serves as a service provider or contractor, as applicable, with respect to Personal Data Processed by Processor hereunder. Processor acknowledges that Controller is only disclosing Personal Data to Processor for the service(s) identified in the Terms of Service or Service Contract (“Business Purpose”).
7.2. Processor further acknowledges and agrees that:
Processor shall only retain, use, or disclose such Personal Data for the Business Purpose (which means that Processor may not use Personal Information outside of the direct business relationship with Controller or combine Personal Information obtained from Controller with Personal Data that Processor may obtain from other sources);
Processor shall not sell or “share” (as such term is defined in the CCPA) Personal Data or otherwise use Personal Data for any other purpose unless expressly authorized under the CCPA;
Processor shall notify Controller as soon as possible if it determines that it can no longer meet its obligations under this section of the DPA; and
Controller shall have the right, upon notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data by Processor.
8.1. This DPA, the Terms of Service and the Service Contract set out your complete and final instructions to Smartcat in relation to the Processing of your Content containing Personal Data and Processing outside the scope of these instructions (if any) shall require prior written agreement between you and Smartcat. Smartcat will not use or process the Personal Data for any other purpose other than the Terms of Service, this DPA and the Service Contract.
8.2. You understand that within the provision of Services by Smartcat, you may select Smartcat’s Subcontractors on the Smartcat Platform and grant them access to Personal Data in your uploaded to the Smartcat Platform Content (if such Personal Data is present in the uploaded Content) directly through the Platform by way of assigning respective Subcontractor to the Service Task. Subject to section 9.2. such assignment constitutes your authorization and consent to process Personal Data by the selected Subcontractor, who will act as the Sub-processor in the meaning of GDPR.
9.1. You acknowledge and agree that a) Smartcat’s Affiliates may be retained as Sub-processors and b) Smartcat and Smartcat’s Affiliates respectively may engage third party Sub-processors in connection with the provision of Services As a condition to permitting a third party Sub-processor to process Personal Data, Smartcat or a Smartcat Affiliate will enter into a written agreement with each Sub-processor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this Agreement, to the extent applicable to the nature of the services provided by such Sub-processor.
9.2. You hereby authorize Smartcat to engage with the following Sub-processors with the understanding that if you entered into SCC, this authorization would constitute your prior written consent to the subcontracting by Smartcat of the Processing of Personal Data if such consent is required under the SCC.
名前 | 位置 | 目的 |
|---|---|---|
アマゾン | EU - すべての Smartcat ユーザーの個人データと、ヨーロッパおよびアフリカに居住する顧客がアップロードしたコンテンツ。 | ホスティング |
グーグル | 欧州、米国 | 機械翻訳 |
マイクロソフト | 欧州、米国 | 機械翻訳 |
ディープL | EU | 機械翻訳 |
インテント | アメリカ合衆国 | 機械翻訳 |
モダンMT | EU | 機械翻訳 |
ヤンデックス | EU | 機械翻訳 |
アビー | 欧州、米国 | OCRサービス |
Smartcatマーケットプレイス 下請け業者/フリーランサー(翻訳者、編集者、校正者など) | コントローラーによって選択される | 翻訳および関連サービス |
9.3. Smartcat shall not engage any other Sub-processors than the Sub-processors indicated above, without your prior written consent.
9.4. Sub-processor only accesses and uses any Personal Data, provided to Smartcat and/or uploaded by you to Smartcat Platform, to the extent required to perform the obligations subcontracted to such Sub-processor.
9.5. Smartcat remains fully liable for all obligations subcontracted to, and all acts and omissions of Sub-processors.
10.1. As indicated above this DPA includes transfers of Personal Data out of the European Economic Area and the GDPR applies to the transfers of such data.
10.2. For the avoidance of doubt, if you reside in the European Union, your Content will be stored on the EU data center and will not leave the EU unless you assign a Service Task to a Subcontractor residing outside the EU, therefore your Content will become available to such non-EU Subcontractor.
10.3. The SCC are incorporated into this DPA and apply where the application of the SCC, as between the parties, is required under applicable European Data Protection Legislation for the transfer of personal data. The SCC shall be deemed completed as follows:
10.3.1. As mentioned above you act as a Controller and Smartcat acts as Processor with respect to your Personal Data, therefore Module 2 of the SCC applies.
10.3.2. Clause 7 (the optional docking clause) is not included.
10.3.3. Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). The time period of the notification regarding any intended changes to the list of sub-processors is at least 24 hours in advance.
10.3.4. Under Clause 11 (Redress), the optional language will not apply.
10.3.5. Under Clause 17 (Governing law), the parties choose Option 1 and select the law of the Netherlands.
10.3.6. Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the Netherlands.
10.3.7. Annexes I, II and III of the SCC are set forth in Appendix below.
10.4. Smartcat will, if specifically requested by you, enter as the data importer of the Personal Data into UK IDTA with you as the data exporter of such data, and that the transfers are made in accordance with such UK IDTA.
Taking into account the nature of the Processing, Smartcat shall assist you by implementing appropriate technical and organizational measures for the fulfillment of your obligations, as reasonably understood by you, to respond to requests to exercise Data Subject rights under the General Data Protection Regulation as well as any Data Protection Laws.
11.1. Smartcat shall promptly notify you if Smartcat receives a request from a Data Subject, any Supervisory authority under any Data Protection Law in respect of your Personal Data as well as to cooperate as requested by you in order to comply with any Data Protection Laws regarding your Personal Data.
11.2. If Smartcat receives any request from a Data Subject in relation to Personal Data, provided to Smartcat and/or uploaded by you to Smartcat Platform, subject to section 11.1., you will be responsible for responding to any such request including, where necessary, by using the functionality of Smartcat Platform.
12.1. Smartcat shall notify you without undue delay, but not later than forty-eight (48) hours after Smartcat becoming aware of a Personal Data Breach affecting your Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws. Smartcat shall cooperate with you and take reasonable commercial steps, including as directed by you to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
12.2. Smartcat’s obligation to report or respond to a Breach of Personal Data incident is not and will not be construed as an acknowledgement by Smartcat of any fault or liability of Smartcat with respect to the Breach of Personal Data incident.
12.3. Smartcat hereby declares and you agree that an unsuccessful security incident will not be reported to you. An unsuccessful security incident is one that results in no unauthorized access to Personal Data or to any of Smartcat’s equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing or similar incidents.
13.1. Smartcat shall provide reasonable assistance to you with any data protection impact assessments, and prior consultations with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) in the Netherlands (“Supervising Authorities”) or other competent data privacy authorities, which you reasonably consider to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of your Personal Data by and taking into account the nature of the Processing and information available to the Sub-processors.
13.2. Upon termination of the Terms of Service or Service Contract executed between you and Smartcat, Smartcat shall upon your request return to you all Personal Data that belongs to you and copies of such data or securely destroy them and reasonably demonstrate to you that Smartcat has taken such measures unless applicable law prevents Smartcat from returning or destroying all or part of your Personal Data.
14.1. Controller reserves the right to perform an audit related to Smartcat’s compliance to obligations set out in this DPA if required and appropriate, yet not without prior written notification to Smartcat, and without creating a business disturbance for Smartcat. Assessment may be performed by you and/or another auditor mandated by you and the information obtained during the assessment shall be treated with utmost confidentiality.
14.2. To request an audit you must submit a detailed audit plan to Smartcat at least thirty (30) days in advance of the proposed audit date, describing the proposed scope, duration, and start time of the audit. Following the receipt by Smartcat of a request for an audit, Smartcat and you will discuss and agree in advance on: (1) the reasonable start date, (2) scope and duration of and security and confidentiality controls applicable to any audit.
14.3. You will be responsible for any fees you incur, including any fees charged by any auditor appointed by you to execute any such audit.
14.4. Smartcat may object in writing to an auditor appointed by you if the auditor is in Smartcat’s reasonable opinion, not suitable, qualified or independent, a competitor of Smartcat, or otherwise unsuitable. Any such objection by Smartcat will require you to appoint another auditor or conduct the audit yourself.
15.1. You covenant and undertake to Smartcat:
to comply at all times with Data Protection Laws prescribed for data Controllers or data Processors (as the case may be) in respect of any Personal Data you provide to Smartcat and/or upload on Smartcat Platform pursuant to the Terms of Service and Service Contract;
if required by law to be a party to SCC or UK IDTA;
that you are solely responsible for complying with incident notification laws applicable to you and fulfilling any third party notification obligations related to any Breach of Personal Data, provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service or Service Contract.
15.2. You warrant to Smartcat:
if GDPR applies to the Processing of Personal Data and you are a Processor, then your instructions and actions with respect to the Personal Data provided to Smartcat have been authorized by the relevant Controller;
that the Security Measures (as detailed above) implemented and maintained by Smartcat as set out herein provide a level of security appropriate to the risk in respect of the Content you provide to Smartcat and/or upload to Smartcat Platform pursuant to the Terms of Service and Service Contract.
16.1. Smartcat covenants and undertakes to you:
to comply at all times with Data Protection Laws in respect of any Personal Data provided to Smartcat and/or uploaded by you to Smartcat Platform pursuant to the Terms of Service or the Service Contract;
to process Personal Data (i) only for the purpose of providing, supporting and improving Smartcat’s services, using appropriate technical and organizational security measures; and (ii) for the purposes set forth in the Terms of Service or Service Contract;
to process Personal Data contained in any of your Content only in accordance with the written instructions from you (submitted via your User’s profile on Smartcat Platform or by e-mail);
to notify you as the User if, in Smartcat’s opinion, an instruction for the Processing of Personal Data given by you infringes applicable Data Protection Laws;
to inform you in writing if Smartcat cannot comply with the requirements under this DPA, in which case you as the User can terminate this DPA or take any other reasonable action, including suspending Personal Data Processing operations;
that Smartcat will, in a manner consistent with the functionality of Smartcat Platform, enable you to access, rectify and restrict Processing of Personal Data, provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service and Service Contract;
upon your written request shall securely destroy or return such Personal Data, provided to Smartcat and/or uploaded by you on Smartcat Platform pursuant to the Terms of Service or Service Contract, to you within a maximum period of 30 days, unless applicable legislation or legal process prevents it from doing so.
17.1. This DPA and SCC shall remain in effect as long as the Terms of Service or Service Contract remain in effect.
17.2. Any and all liabilities of Smartcat under this DPA are, without exception, limited to the amount of limitation cap indicated in the Service Contract.
17.3. All notices required or permitted under this Agreement shall be in writing addressed to the respective parties and shall be delivered by hand or by registered or certified mail, postage prepaid or by electronic mail with confirmation of receipt.
17.4. This agreement and its annexes shall be governed by the laws of the Netherlands, excluding its conflicts-of-law rules, govern this Agreement.
17.5. Any breach of this DPA shall constitute a material breach of the Terms of Service and service contracts executed between you and Smartcat.
17.6. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and any other agreements between the parties, including but not limited to the Terms of Service, service contracts executed between you provisions of this DPA shall prevail with regard to the Parties’ data protection obligations for Personal Data of a Data Subject from a Member State of the EU.
17.7. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
17.8. We reserve the right at all times to remove or modify any part of this DPA unilaterally. We shall notify you by e-mail or via the Platform about the amended and restated DPA to ensure that you stay informed of any such amendments and restatements. Your use of the Platform after the date of notification or the effective date of changes indicated in the notification shall mean your acceptance of the amended and restated DPA, unless you accepted them otherwise earlier. In case you use a corporate account, only the administrator of that corporate account will be notified. The administrator of the corporate account and not Smartcat is solely responsible for further notification of changes to other members of the corporate account.
A. 当事者のリスト
データ エクスポーター:
顧客契約で定義された顧客
本条項に基づいて転送されるデータに関連する活動: データ インポータから Smartcat プラットフォーム上のサービスを取得する
データ インポーター:
DPA のセクション 1 で定義されている Smartcat
本条項に基づいて転送されるデータに関連する活動: Smartcat プラットフォーム上のサービスをデータ エクスポーターに提供する
B. 転送の説明
個人データが転送されるデータ主体のカテゴリ
データ輸出者の見込み客、顧客、ビジネス パートナー、およびベンダー (自然人)
データ輸出者の見込み客、顧客、ビジネス パートナー、およびベンダーの従業員または連絡担当者
データ輸出者の従業員、代理人、アドバイザー、フリーランサー (自然人)
Smartcat プラットフォームを使用することをデータ輸出者によって承認されたデータ輸出者のユーザー。
転送される個人データのカテゴリ
転送される個人データは、以下のカテゴリの個人データに限定されません。
個人データ
連絡先データ
職業生活データ
開示情報 (信用照会機関などの第三者から、または公開ディレクトリから)。
機密データを転送し (該当する場合)、データの性質と関連するリスクを十分に考慮した制限または保護措置を適用します。たとえば、厳密な目的の制限、アクセス制限 (特別なトレーニングを受けたスタッフのみのアクセスを含む) などです。データへのアクセスの記録、転送の制限、または追加のセキュリティ対策。
データ輸出者は、特別なカテゴリのデータを Smartcat に提出することができます。その範囲は、データ輸出者が独自の裁量で決定および管理し、明確にするためのものです。または哲学的信念、労働組合への加入、健康や性生活に関するデータの処理。
データ インポーターは、「最小権限の原則」に基づいて、個々の従業員に付与されるアクセスの種類とレベルを決定します。この原則は、従業員には、職務を遂行するために絶対に必要なレベルのアクセスのみが許可されることを示しており、データ インポーターのビジネスおよびセキュリティ要件によって決定されます。明示的に付与されていない許可およびアクセス権は、デフォルトで禁止されるものとします。
転送の頻度 (たとえば、データが 1 回限りまたは継続的に転送されるかどうか)。
継続的に、利用規約の間、またはデータ輸出者とデータ輸入者の間で締結されたサービス契約は有効なままです。
処理の性質
データ輸入者は、DPA の条項に従ってデータ輸出者にサービスを提供するために、データ輸出者の個人データを処理します。
データ転送とその後の処理の目的
データ輸入者は、DPA の条項に従って、データ輸出者にサービスを提供する目的で、データ輸出者の個人データを転送および処理します。
個人データが保持される期間、またはそれが不可能な場合は、その期間を決定するために使用される基準
データ輸出者の個人データは、データ輸出者とデータ輸入者の間で締結された有効な利用規約またはサービス契約に従ってサービスを提供するために必要な限り保持されます。データ輸出者の個人データは、DPA の条項に従って破棄されるか、データ輸出者に返還されます。
(サブ) 処理者への転送の場合は、処理の対象、性質、および期間も指定してください
データ輸入者は、DPA のセクション 9 に従って、データ輸出者の個人データを復処理者に転送します。
C. 管轄監督当局
オランダのデータ保護機関 (Autoriteit Persoonsgegevens)
データのセキュリティを確保するための技術的および組織的措置を含む技術的および組織的措置
データ輸入者は、データ輸出者が購入した特定のサービスに適用され、 https:/ /www.smartcat.com/またはその他の方法でデータ インポーターが合理的に利用できるようにします。データ輸入者は、データ輸出者とデータ輸入者の間で締結されたサービス条件またはサービス契約の期間中、サービスの全体的なセキュリティを大幅に低下させることはありません。
セキュリティ対策は、DPA のセクション 6 で指定されています。
サブプロセッサーのリスト
サブプロセッサーのリストは、DPA のセクション 9 に指定されています。