Archer’s Terms of Service

Updated: October 29, 2025

By signing this Terms of Service or using Archer’s API you agree to be bound by the terms and conditions of this Terms of Service (“TOS”). If you are accepting this TOS on behalf of a company or other legal entity, you represent that you have the legal authority to bind the legal entity to this TOS, in which case “you”, “your” or the “Client” shall mean such entity and “Archer” shall mean Archer Protect Inc., a Delaware corporation existing under the Laws of the United States. If you do not have such authority, or if you do not agree with the terms and conditions outlined in this TOS, do not accept or sign this TOS, and you may not use the Services or any Services-related materials.

Archer reserves the right to change or update the TOS from time to time. In that case, you will be notified by Archer of any changes or updates. You should review the TOS regularly. They can be found at Archer’s Terms of Service (or such future URL as Archer may designate). The changes will become effective seven (7) days after they are posted, except if the changes apply to a new functionality, in which case they will be effective immediately. If you do not agree to the modified terms, you may stop using the Service at any time. If you continue to use the Service, you will be deemed to have accepted the modifications.

  1. DEFINITIONS

  1. “Affiliate” means an entity that controls, is controlled by, or is under common control with you or Archer.

  1. “API Key” means the confidential unique security keys, tokens, passwords or other credentials for accessing and using the API provided by Archer to you.

  1. “Effective Date” means the earliest to occur: the date you execute or accept this TOS, or the date you first access or use any of Archer’s Services.

  1. “Fees” means all amounts payable to Archer for accessing the Services.

  1. “Integration” means the process of integrating with Archer’s system or API to access any of Archer’s Service or product. During this period, you shall perform all necessary actions to ensure the implementation of the Service.

  1. “Intellectual Property Rights” means all worldwide intellectual property rights available under applicable laws including without limitation rights with respect to patents, copyrights, moral rights, trademarks, trade names, trade secrets, know-how, and databases.

  1. “Malicious Code” means codes, files, scripts, agents or programs intended to harm including, for example, viruses, worms, trojan horses, backdoors and malicious active content.

  1. “Service” means software solutions and services developed by Archer to assist financial institutions with screening their customers for potential fraud risks before onboarding, assessing customer identities, setting risk indicators, and reporting fraudulent behaviour.

  1. “Terms of Service” means this TOS, the referenced Schedules, and any accompanying or future document you accept  under this TOS.

  1. SERVICES

  1. Services and Delivery: Archer develops software solutions and services as described in this TOS. Archer provides the Services via APIs by issuing unique API keys to each Client.

  1. Use of APIs: You may only use the APIs to access Archer’s Services and submit relevant data or information to Archer. You agree not to share your API Keys with any third party. You further agree that you are solely responsible for all actions attributed to your API Keys and the subsequent use of Archer’s Services. You agree not to permit a third party to: (i) sublicense, distribute, re-transmit, loan, lease, sell or otherwise make available the API or the data provided by the API; (ii) decompile, disassemble, reverse engineer or otherwise attempt to discover the source code of the API; and (iii) you will not use or abuse the API or the data in any malicious way. This behaviour will cover but is not limited to: performing a distributed denial of service assault on the API or the server, sharing their security information with unauthorised third parties, trying to gain unauthorised access to the server or the data or sending corrupted, incomplete or poor quality data with the intention to influence Archer’s Service.

  1. Modifications: Archer is constantly innovating in order to provide the best possible Service. Archer reserves the right to make changes to its algorithm in a way that will not interrupt the basic format in which the data is provided so that no new integration work will be required by the Client.

  1. Upgrades: Any changes to the basic format of the data or to the way that you interact with the API that requires new integration work will be done in a version upgrade.

  1. Appropriate Conduct: You agree that you are responsible for your own conduct and content while using the Service and for any consequences thereof. Your use of the Service must be in accordance with the documentation and this TOS.

  1. Prohibited Use: You represent and warrant that your services do not and will not infringe on the intellectual property rights of any third party and will otherwise comply with all applicable laws. You must take commercially reasonable actions and precautions consistent with the industry standards to prevent the introduction and proliferation of Malicious Code. 

  1. Integration Period:  The time required to complete the integration and onboarding of the Client shall be agreed between the Client and Archer. During this period, you shall make engineering resources available and perform all necessary actions to ensure the implementation of the Service and complete the testing with Archer to start sending live data to Archer’s APIs. 

  1. OBLIGATIONS AND COMMITMENT

  1. Data Sharing: Data is a key aspect of any counter fraud activity, requiring a combination of personal and transactional data to be shared often. The Client agrees to share all necessary data including its fraud data with Archer in order to enable Archer to leverage its systems to notify the Client of potential fraudulent customers within its network. Archer might also request additional data such as historical data or missing data for the improvement of the Service. The Client shall obtain relevant authorisations to share the data with Archer towards the legitimate purpose of countering fraud activities. You and Archer agree to comply with applicable data protection legislation in the effort to counter fraud.

  1. Credential Security Responsibilities: The Client acknowledges and agrees that it is responsible for: (a) protecting the security of all the credentials used to access Archer’s Services; and (b) securing any Client systems to a high standard.

  1. Archer’s Responsibilities: Archer acknowledges and agrees that, as between the Parties and except to the extent caused by the action or intentional or negligent inaction of Client, Client’s employees or contractors, including without limitation any customizations or configurations of the Services by Client or anything specified as Client’s responsibility, Archer is primarily responsible for: (1) the operation of the Services (including the user interface); and (2) implementing reasonable technical and organisational measures designed to protect the security of the foregoing.

  1. Restriction of Use:  You will not: (a) copy, modify, disassemble, decompile, reverse engineer, or attempt to view or discover the source code of Archer’s Services, in whole or in part, or permit or authorise a third party to do so, except to the extent such activities are expressly permitted by this TOS or by law; (b) transfer or assign any of your rights hereunder except as permitted in writing by Archer; or (c) during any free trial period granted by Archer, use the Services for any purpose other than to evaluate whether to purchase the Services.

  1. Contact Obligation: Client is responsible for ensuring that Archer at all times has updated and accurate contact information for the appropriate person for Archer to notify regarding data security issues relating to the Services, with such contact information to be updated and communicated to Archer via support email in the event of any change. Changes to the Client’s contact information shall not be deemed to have been updated unless the changes have been acknowledged by Archer.

 

  1. FEES, INVOICING AND PAYMENT TERMS

  1. Our pricing and payment details are contained in the form sent to you by Archer. 

  1. Archer may revise the fees at any time. However, Archer will provide you with at least 30 days’ advance notice before the revised fees become applicable to you.

  1. All fees charged by Archer exclude any taxes, duties, tariffs or other similar charges. The Client agrees to pay any and all applicable taxes and provide Archer with receipts of payment upon receipt. If the transaction contemplated is exempt from a tax noted on an invoice, Client shall provide Archer with a valid exemption certificate or other evidence of such exemption in a form reasonably acceptable to Archer. The Parties shall cooperate with each other in complying with relevant tax laws.

  1. INTELLECTUAL PROPERTY

  1. Except for the limited licences expressly set forth in this TOS, Archer retains all Intellectual Property Rights and all other proprietary rights related to the Services. The Client will not delete or alter the copyright, trademark, or other proprietary rights notices or markings appearing within the Services as delivered to you. The Client agrees that the Services are provided on a non-exclusive basis and that no transfer of ownership of Intellectual Property Rights will occur. The Client further acknowledges and agrees that portions of the Services, including but not limited to the source code and the specific design and structure of individual modules or programs, constitute or contain trade secrets and other Intellectual Property Rights of Archer and its licensors.

  1. ADVERTISING

  1. Use of your name and logo: You shall permit Archer to display your official corporate logo or name on Archer’s websites and marketing materials, in a manner consistent with the display of other logos of Archer’s clients.

  1. DATA PROTECTION

  1. Terms governing data protection and data sharing are set out in the Data Sharing Agreement in Schedule A.

  1. LIABILITY AND WARRANTIES 

  1. To the fullest extent permitted by applicable law, in no event shall either Party’s cumulative and aggregate liability under this Agreement for damages exceed the fees paid to Archer by Client in the 12 months preceding the event giving rise to the liability. The exclusions and limitations in this Section apply whether the alleged liability is based on contract, tort, negligence, or any other basis, even if the non-breaching Party has been advised of the possibility of such damage.

  1. The limitation of liability as set out in this Clause will not apply in case of:

    1. any proven theft, fraud or fraudulent misrepresentation by Archer, the Client  or their employees; or

    1. wilful misconduct and gross negligence; or

    1. Client’s payment obligations to Archer.

 

  1. Warranties: Archer and the Client represent and warrant as follows: 

    1. that it is duly registered and has the full capacity and corporate authorisations to accept or sign the TOS and carry out its obligations;

    1. it has the technical know-how and resources to carry out its obligations under this TOS; and 

    1. agreeing to this TOS will not result in the breach of any existing contract with a third-party.

 

  1. INDEMNITY

  1. You agree to hold harmless and indemnify Archer from and against any third party claim arising from or in any way related to your use of the Service, violation of this TOS or any other actions connected with use of Archer’s services, including any liability or expense arising from all claims, losses, damages (actual and consequential), suits, judgments, litigation costs and attorneys’ fees, of every kind and nature. In such a case, Archer will provide you with written notice of such claim, suit or action.

 

  1. TERMINATION AND SURVIVAL

  1. This TOS will become effective on the Effective Date and will continue in full force and effect until terminated by either Party pursuant to this Section 10.  

  2. Should either Party be in a material breach of any provision of this TOS, the aggrieved Party shall be at liberty to terminate this TOS if the breaching Party fails to cure the breach within a period of 30 days. 

  3. Archer may terminate this TOS and withdraw its services if any fees or payment owed to Archer remain outstanding for over 30 days.

  4. If a change in Data Protection Legislation (as defined in the Data Sharing Agreement) prevents either Party from fulfilling all or part of its obligations under this TOS, the Parties shall suspend the processing of Personal Data  (as defined in the Data Sharing Agreement) until the erring Party complies with the new requirements. If either Party is unable to comply with the said new requirements within thirty (30) days, either Party may terminate this TOS with immediate effect on the issuance of written notice to the other Party.

  5. This TOS will remain in full force and effect so long as the Client maintains an integration with Archer. Each Party retains any Personal Data in its possession or control towards accessing or providing the Services. 

  6. In the event of any termination of this TOS for any reason, terms regarding Intellectual Property, Confidentiality, Data Protection and Limitation of Liability shall survive termination. Neither Party shall be liable to the other Party for damages of any sort resulting solely from terminating this TOS in accordance with its terms.

 

  1. GENERAL PROVISIONS

  1. Entire Agreement: This TOS embodies the entire understanding between you and Archer with respect to the subject matter hereof and supersedes any and all prior understandings and agreements, oral or written, relating thereto.

  1. Governing Law: This TOS shall be governed by and construed in accordance with the laws of the jurisdiction where Archer Protect Inc. is incorporated (State of Delaware, United States of America), without regard to its conflict of laws principles. Notwithstanding the foregoing, Archer may elect to apply or comply with local data protection or regulatory laws applicable to the Client’s jurisdiction where reasonably necessary to deliver the Service or to comply with local regulatory obligations.
    Any disputes arising from this TOS shall exclusively be referred to the competent court within the relevant jurisdiction. The Client, Archer and their legal representatives agree to use the English language when allowed by the circumstances.

  1. Third Party Beneficiaries: Nothing in this TOS should be construed to confer any rights to third party beneficiaries.

  1. Notices: All notices and other communications provided for herein shall be in writing and shall be delivered either by courier service, mailed by certified or registered mail to the primary contact persons (except as otherwise agreed for individual issues), or sent by electronic mail.

  1. Severability: Should any provision of this TOS be held to be void, invalid, unenforceable or illegal by a court, the validity and enforceability of the other provisions shall not be affected thereby.

  1. Interpretation and Scope: Capitalised terms have the meanings attributed to them in this TOS. In case of a conflict between the provisions of the general terms of this TOS or any other documents agreed between Archer and the Client, such conflict will be resolved in accordance with this order of priority:  ; this TOS; Other Exhibits and its Schedules any other document incorporated by a reference in the TOS or the relevant Exhibit.

  1. Applicability of TOS: This TOS applies to any legal entity or organization that accesses Archer’s Services, regardless of jurisdiction, unless prohibited by applicable law.

 

Terms of Service

By agreeing with these Terms of Service you also acknowledge that you have read and agree with Archer’s Privacy Policy

Schedule A

DATA SHARING AGREEMENT 

This Data Sharing Agreement (the “Agreement”) is intended to govern the transfer and processing of Personal Data between Archer and the Client in line with Applicable Data Protection Legislation. It is hereby incorporated into the TOS. 

Archer and the Client shall individually be referred to as a “Party” and jointly as the “Parties”.

  1. Definition 

    1. Archer Database means the database containing personal data which the Client uses to screen its customers to identify and mitigate potential risks and fraud through its platform;

    1. Agreement means this Data Sharing Agreement;

    1. Applicable Law means all laws, regulations, directives issued by a regulatory authority which is applicable to either Party to this Agreement;

    1. Applicable Data Protection Legislation means all applicable data protection and privacy laws, including but not limited to the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018, the California Consumer Privacy Act (CCPA), or equivalent national laws governing personal data in the Client’s jurisdiction.

    1. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed;

    1. Data Controller means the Party that determines the purpose and means of processing Personal Data. Either Party to this Agreement may be the Data Controller, as the case may be;

    1. Data Subject is an identifiable natural person whose data is processed;

    1. Data Processor means the party that processes Personal Data on behalf of or at the instruction of a Data Controller or another Data Processor. Either Party may be the Data Processor, as the case may be;

    1. Force Majeure means any event or circumstance beyond the reasonable control of a Party that is not foreseeable, is unavoidable and its origin is not due to negligence or lack of care on the part of a Party. Such events include but are not limited to acts of God, fire, flood, invasion, war, revolution, uprising, insurrection, social/public unrest, public disturbance, epidemics, lock-outs, strikes, riots,  disaster, storm, hacker’s invasion, virus invasion, temporary shutdown due to government control, except for controls resulting from such party’s fault, acts of terrorism and any other circumstance which may hinder or delay the performance of the obligations of a Party under this Agreement; 

    1. Independent Data Controller shall have the same meaning as Data Controller.

    1. Intellectual Property means copyright and related rights, trademarks, trade secrets, trade names, and domain names, right to inventions, goodwill, right to sue for passing off, rights in designs, rights in computer software, rights in topography, right to preserve the confidentiality of information, and in each case whether such rights are registered or unregistered;

    1. Personal Data means any information relating to an identified or identifiable natural person that is shared between the Parties as a result of, or in connection with, the  TOS. An identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    1. Processing means any activity involving Personal Data or as Applicable Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations that are performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties; 

    1. Purpose means the processing of Personal Data to screen Customer identity before onboarding, in order to prevent fraud, reduce risk rate and report fraudulent behaviour;

    1. Supervisory Authority means an independent public authority that is established under any Applicable Data Protection Legislation to oversee compliance with such legislation, including but not limited to a supervisory authority; and 

    1. Services: as defined in the TOS.

  1. Interpretation
    In this Agreement, reference to:

    1. A person includes natural persons, firms and corporations and other organisations with legal personality;

    1. Words in the singular include the plural and vice versa, and words importing one gender shall include all genders;

    1. The words “including” and “in particular” shall be deemed to be followed by the expression “but not limited to”. 

  1. Scope of Processing/Purpose
    The Parties shall process Personal Data for the Purpose set out in this Agreement and shall engage only Data Processors and sub-processors that are compliant with the Applicable Data Protection Legislation including the DPA and any directive issued by the Supervisory Authority.

 

  1. Personal Data Types 

    1. The Personal Data provided by or on behalf of either Party must not be irrelevant or excessive with regard to the Purpose. Each Party shall ensure that the Personal Data provided by it is, to the best of its knowledge and records, accurate and up-to-date. Where either Party becomes aware that the Personal Data provided under this Agreement is no longer accurate or up-to-date, it shall, within twenty-four (24) hours, notify the other Party of such inaccuracy and provide the relevant accurate or updated Personal Data to the other Party.

 

  1. Obligations of Parties
    Each Party hereby undertakes as follows:

    1. to comply with the obligations that apply to it as an Independent Data Controller under any Applicable Data Protection Legislation in relation to the Personal Data processed pursuant to this Agreement;

    1. to use the Personal Data strictly for the Purpose and not to use the Personal Data for any illegal or fraudulent activities;

    1. to ensure the contact information for their data protection officer is always accurate, up to date and easily available to Data Subjects;

    1. to maintain a privacy policy that informs Data Subjects of the nature of the data processing and the legal basis of the processing;   

    1. to share relevant information pertaining to individuals identified as potential fraudsters for the purpose of enhancing security measures, reducing risk rate and preventing fraudulent activities; and 

    1. to implement and maintain all necessary and appropriate technical and organisational measures to ensure the safety and security of the shared data. This includes safeguards against unauthorised access, data breaches, and any potential threats to the integrity of the data.

 

  1. Status
    Each Party understands and agrees that with respect to the Personal Data that it discloses, it is an Independent Data Controller, and accordingly, each Party shall determine the purposes and means of Processing, subject to Applicable Data Protection Legislation.

  1. Compliance with Data Protection Legislation

    1. Each Party shall ensure that all Personal Data is processed pursuant to the Applicable Data Protection Legislation and that the disclosure to the other Party does not breach the Applicable Data Protection Legislation;

    1. Each Party shall ensure that it obtains relevant consents and issues all the necessary notices required for the lawful processing of the Personal Data for the Purpose;

    1. Each Party shall give full information to any Data Subject whose Personal Data may be processed under this Agreement of the nature of such processing. This includes giving notice that, on the termination of this Agreement, Personal Data relating to them may be retained by or, as the case may be, transferred to other recipients, their successors and assignees, provided that each Party may only exercise this right with respect to Personal Data that they have received directly from the Data Subject;

    1. Neither Party shall disclose or allow access by any unauthorised third party to Personal Data shared by the other Party;

    1. Each Party shall ensure that all third parties, data processors or sub-processors are subject to written contractual obligations concerning the Personal Data (including obligations of confidentiality), which are no less onerous than those imposed by this Agreement. Each Party shall remain responsible for its appointed Processor/Sub-processor’s compliance with the obligations of this Agreement and the Applicable Data Protection Legislation;

    1. Each Party shall implement appropriate technical and organisational measures in accordance with Appendix 2 to protect the Personal Data from any possible or actual unauthorised access or disclosure, unauthorised, unlawful or accidental loss, destruction, acquisition of or damage to Personal Data, or any other breach of applicable Data Protection Legislation or this Agreement in relation to the Processing of Personal Data by any current or former employee, contractor or agent of Party or by any other person or third party; 

    1. Each Party shall carry out any annual mandatory data protection and compliance audit under the Applicable Data Protection Legislation; and 

    1. Each Party shall ensure that its staff members are appropriately trained to handle and process the Personal Data provided (or to be provided) under this Agreement under the required technical and organisational security measures together with applicable Data Protection Legislation. 

  1. Data Breaches

    1. Any actual Data Breach must be reported to a Supervisory Authority as soon as identified by either Party within 24 (twenty-four) hours and no later than 48 (forty-eight) hours of becoming aware of the Data Breach where 24 (twenty-four) hours is impracticable. The Parties shall meet any required obligation to report the Data Breach to the Supervisory Authority. The reporting shall be done in the format outlined in Appendix 1 of this Agreement.

    1. Parties agree that Archer shall not contact any Data Subject whose Personal Data has been disclosed by the Client without the Client’s prior written consent.

    1. Immediately following any unauthorised or unlawful Personal Data processing or Data Breach, the Parties will coordinate with each other to investigate the breach. The Parties shall reasonably cooperate in resolving the matter, including:

      1. assisting each other with any investigation, reasonable cooperation and completing a risk assessment; 

      1. where required, providing each other with physical access to any facilities and operations affected after ample notice is given;

      1. facilitating interviews with employees, former employees, and others involved;

      1. making available all relevant records, logs, files, data reporting and other materials containing Personal Data of that Party required to comply with Applicable Data Protection Legislation or as otherwise reasonably required by the other Party; and

      1. taking reasonable and prompt steps to mitigate the effects and to minimise any resulting damage.

 

  1. Deletion and Return of Personal Data
    Each Party shall, at the end of the data processing activities or upon the written request of the other Party, as far as is technically and lawfully possible:

    1. promptly and in any event, within 30 (thirty) days delete, or remove access to the Personal Data received from the other Party including all outcomes, copies, extracts, or other reproductions (regardless of the form in which such reproductions are maintained) unless the party has received similar or identical Personal Data from a different Client; or

    1. Each Party shall upon request, within thirty (30) business days of the cessation of this Agreement, provide written confirmation of such destruction, and will not process the relevant Personal Data further unless permitted by Applicable Data Protection Law or other applicable law.

  1. Data Transfer to Foreign Jurisdiction

    1. Either Party may transfer Personal Data to a third country if it complies with the provisions on the transfer of Personal Data to third countries under the applicable Data Protection Legislation. Where Personal Data is transferred, the transfer should not be done without a legally recognised transfer mechanism under the applicable Data Protection Legislation; subject to compliance with the provisions of the Applicable Data Protection Legislation.

    1. The Parties shall ensure that the Personal Data is adequately protected and meets the requirements set by applicable Data Protection Legislation;

    1. Any transfer of Personal Data not subject to the applicable Data Protection Legislation provisions will be a breach of this Agreement, and the violating Party shall indemnify the other Party under the terms and conditions of this Agreement. 

  1. Data Subject Right Requests

    1. Where a Party receives any Personal Data-related request from a Data Subject or their legal guardian regarding the Processing under this Agreement, such Party shall immediately notify the other Party of the request and obtain authorisation from that Party before responding to the request.

    1. The Parties each agree to provide such assistance as is reasonably required to enable the other Party to comply with requests from Data Subjects to exercise their rights under the Applicable Data Protection Legislation within the time limits imposed by the Applicable Data Protection Legislation.

    1. Each Party is responsible for maintaining a record of individual requests from Data Subjects, the decisions made, and any information that was provided. Records must include copies of the Data Subject’s request, details of the data accessed and shared, and, where relevant, notes of any meeting, correspondence, or phone calls relating to the request.

 

  1. Audit

    1. Each Party may, at its expense, either by itself or through a third-party representative, audit the other Party’s operations to determine its compliance with its obligations under this Agreement and Applicable Data Protection Legislation.

    1. The requesting Party shall give the other Party thirty (30) days’ prior written notice of the audit.

    1. The audited Party undertakes to give the other Party the necessary support and information during the audit, in particular, to demonstrate the implementation of the audited Party’s organisational and technical measures. The assistance may include, but is not limited to:

      1. physical and/or remote electronic access to the Personal Data records and any other information held at such Party’s premises or on systems storing Personal Data; and/or

      1. the inspection of the records and the infrastructure, electronic data or systems, facilities, equipment, or application software used to store, process, or transmit the Personal Data Processed under this Agreement.

    1. The Parties shall notify the other of any inability to disclose such information if precluded by any law or any other obligation under Applicable Data Protection Legislation. 

    1. The audit shall be limited to this Agreement’s relevant assets and processing areas.

    1. The audit report generated shall be the sole and exclusive property of the requesting Party and the other Party shall treat such audit report as confidential information and shall not disclose any part of the audit report to any third party without the prior written authorization of the audited Party. 

 

  1. Representations and Warranties

    1. Authority: Each Party warrants that it is duly registered, validly existing and has the legal capacity and authority to enter into this Agreement.

    1. No Violations: Each Party represents to the other that the disclosure of the Personal Data will not violate any privacy rights of third parties and that the disclosure will not violate any contractual obligations which it may have to any third party. 

    1. Warranty: The Personal Data is provided “as is.” Each Party shall ensure that it provides the other Party with the true and most accurate Data in its possession, and further warrants to notify the other Party promptly of any material change to such information. However, due to possible glitches, technical faults, errors in computer programs, and so on, each Party makes no warranties, express or implied, regarding the accuracy or completeness of the Personal Data.

    2. The Parties warrant to keep each other indemnified against all actions, claims, proceedings, and all legal costs or other expenses arising out of any breach of the above representations.

 

  1. Liability and Indemnity

    1. Each Party shall indemnify the other against all liabilities, costs, expenses, damages and losses, including fines and penalties, suffered or incurred by the indemnified party arising out of or in connection with the breach of the Applicable Data Protection Legislation and this Agreement by the indemnifying party, its employees or agents. The indemnified party shall give to the indemnifier prompt notice of such claim, full information about the circumstances giving rise to it, reasonable assistance in dealing with the claim and sole authority to manage, defend, and/or settle it.

    1. The Parties shall not be liable to each other in contract, tort, negligence, breach of statutory duty or otherwise for any loss, damage, costs or expenses of any nature whatsoever incurred or suffered by that other Party of an indirect, special or consequential nature, including but not limited to loss of profits and revenue, lost sales, business, loss of reputation/goodwill, or loss of time, arising from or related to a breach of this Agreement and the Applicable Data Protection Legislation.

 

  1.  Data Protection Impact Assessment (DPIA)

    1. Each Party shall be responsible for undertaking data protection impact assessments relevant to its processing activities under the Applicable Data Protection Legislation.

    1. Each Party agrees to provide the other Party with reasonable assistance on request from, and at the expense of, such other Party in connection with undertaking a data protection impact assessment.

 

  1. Dealing with the Supervisory Authority

    1. Each Party shall promptly notify the other of any dispute, claim or query brought by the Supervisory Authority or Data Subject concerning the Processing of Personal Data provided under this Agreement.

    1. Each Party agrees to co-operate and provide reasonable assistance and information to the other Party in dealing with any dispute, claim or query brought by the Supervisory Authority or Data Subject in connection with this Agreement, to settle them amicably and in a timely fashion.

    1. The Parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by a Supervisory Authority. If they do participate in the proceedings, the Parties may, if the Supervisory Authority allows, elect to do so remotely (such as by telephone or other electronic means), if permitted. The Parties also agree to consider participating in any other arbitration, mediation, or other dispute resolution proceedings for data protection disputes.

Appendix 1

Data Breach Management

Under clause 8.1, the Parties must report any incidents to each other within 24 hours after they are discovered. This applies to incidents involving the data processor and any sub-processor. The following persons may be contacted in connection with reporting incidents:

| Details | Archer contact person | Client contact person |
| --- | --- | --- |
| Data Protection Officer |  |  |
| Email |  |  |
| Phone number |  |  |

Table B.1: Incident management contact information for the Parties

In reporting each incident to each other, the Parties will use the following format or at least provide the information referred to in the table below.

| Reporting Party’s contact information |  |
| --- | --- |
| Name |  |
| Title |  |
| E-mail address |  |
| Telephone number |  |

| Information about the incident |  |
| --- | --- |
| Summary of the incident | [What happened (theft or loss of data, malware/hack/DDoS, accidental publication of data and so forth) and in which way (through, for instance, the internet, e-mail, external attack and so on), and how the incident was discovered] |
| Nature of the incident | [For example, inspection by unauthorised persons, data copied/downloaded, changes made, data deleted or destroyed, theft of data, or not known yet] |
| Date and time of the incident | [When or during which period the incident occurred] |
| Date and time of discovery | [When the incident was discovered] |
| Data subjects | [The persons whose data was involved in the incident] |
| Number of data subjects | [If appropriate, an estimate of the minimum/maximum number of people] |

| Which types of personal data (Select those applicable) | Yes | No |
| --- | --- | --- |
| Name, address, city/town (business and/or private) |  |  |
| Contact information (telephone number, e-mail address and so on) |  |  |
| Date and place of birth (hence, nationality, too) |  |  |
| Gender |  |  |
| Identification information (log-in, password) |  |  |
| Financial or Human Resources Management data |  |  |
| Personal numbers (citizen service number, student number or the like) |  |  |
| Criminal information (convictions, reprimands and so forth) |  |  |
| Copy of passport |  |  |
| Photograph |  |  |
| Medical information or sexuality |  |  |
| Religion, political preference, trade union membership |  |  |
| Other, specifically: |  |  |

| Potential consequences (Select those applicable) | Yes | No |
| --- | --- | --- |
| Stigmatisation or exclusion |  |  |
| Harm to health |  |  |
| Exposure to identity or other fraud |  |  |
| Exposure to spam or phishing |  |  |
| Other, specifically: |  |  |

|  |  |
| --- | --- |
| Which actions have been taken | [Description of which actions have been taken to address the incident and to prevent further incidents] |
| Which measures have been taken | [Description and explanation of which security measures apply to the personal data in question; has this data, for instance, been encrypted, hashed, pseudonymised or otherwise made inaccessible?] |
| International aspects | [Does the incident relate to persons in other countries?] |

Table B.2: Information which must be furnished when an incident is reported

 

Appendix 2

Details of Technical and Organisational Measures 

 

The Parties should provide a description of the technical and organisational measures implemented to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing and the risks to the rights and freedoms of natural persons.

Examples of possible measures:

  • Measures for ensuring the ongoing confidentiality, integrity, availability, and resilience of processing systems and services

  • Pseudonymisation and encryption of personal data

  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

  • Measures for user identification and authorisation

  • Measures for the protection of data during transmission

  • Measures for the protection of data during storage

  • Measures for ensuring the physical security of locations at which personal data are processed

  • Measures for ensuring system configuration, including default configuration

  • Measures for internal IT and IT security governance and management

  • Measures for certification/assurance of processes and products

  • Data minimisation measures

  • Measures for ensuring data quality

  • Measures for ensuring limited data retention

  • Measures for ensuring accountability

  • Measures for allowing data portability and erasure