
CleanWhale Data Processing Agreement for Data Processors in the USA

GENERAL

This Data Processing Agreement ("DPA") applies to the processing of Personal Data (defined below) by the entity or individual that enters into this DPA by completing the registration or sign-up process (the "Processor"). CleanWhale Inc., a Delaware corporation ("CleanWhale" or the "Controller"), acts as the controller for purposes of this DPA. For clarity, depending on the context of the Services, the Processor may be a CleanWhale Customer or a Service Provider, as CleanWhale makes Personal Data available to each for purposes of enabling and receiving Services. The Controller and the Processor are collectively referred to herein as the "Parties" and each a "Party."

This DPA shall take effect when the Processor accepts or agrees to it in the same manner as the Terms of Service, including by (a) clicking or tapping an "I Agree" button or checkbox presented with this DPA or the Terms, (b) creating an account, or (c) accessing or using any part of the website, platform, apps, or services. This DPA will remain in effect as long as the Processor processes Personal Data pursuant to the Terms of Service Agreement ("Terms of Service" or "Terms") between the Parties.

This DPA is incorporated into and part of the Terms of Service between the Parties. This DPA reflects the Parties' rights and obligations with respect to Personal Data processed as part of the Services. In the event of any conflict between this DPA and the Terms of Service, this DPA shall control with respect to the processing of Personal Data. Any prior data protection agreements between the Parties are superseded and replaced by this DPA in their entirety. All capitalized terms not defined in this DPA will have the meaning given to them in the Terms.

DEFINITIONS

For the purposes of this DPA, the following terms shall have the meanings specified below:

"Breach Event" means any confirmed or reasonably suspected incident where the security of Personal Data is compromised, resulting in, or creating a material risk of, accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise processed.

"Controller" means the entity that determines the purpose and means of processing Personal Data. For purposes of California law, references to Controller shall mean "business."

"Data Privacy Laws" means all applicable laws and regulations relating to the processing, privacy, and/or use of Personal Data, as applicable to either Party or the Services, including jurisdictional, industry-specific, or data-specific laws and regulations including, but not limited to: California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA); Delaware Personal Data Privacy Act (DPDPA); Virginia Consumer Data Protection Act (VCDPA); New York Stop Hacks and Improve Electronic Data Security Act (SHIELD Act); and any successor, replacement, or similar U.S. state privacy or data security laws.

"Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

"Personal Data" means any information relating to a Data Subject that is protected as personal data, personal information, or personally identifiable information under applicable Data Privacy Laws. For purposes of California law, references to Personal Data shall mean "personal information."

"Personnel" means employees, contractors, or other individuals under the Processor's authority, including those of its Subcontractors, who are authorized to process Personal Data.

"Platform" means the CleanWhale website and mobile application.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including, without limitation, collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means the entity that processes personal data on behalf of the Controller. For purposes of California law, Processor shall mean "service provider."

"Sensitive Personal Data" means Personal Data subject to enhanced protections under applicable Data Privacy Laws, including, without limitation, government-issued identifiers (such as Social Security numbers, driver's license numbers, or passport numbers), financial account information with access codes, racial or ethnic origin, religious beliefs, union membership, genetic or biometric data, precise geolocation, sexual orientation, health information, and any other category defined as "sensitive" or similar under applicable Data Privacy Laws.

"Services" means any products or services provided by the Processor pursuant to the Terms of Service.

"Subcontractor" means any third party appointed by the Processor to assist in fulfilling its obligations under this DPA, provided that such third party is bound by a written contract imposing obligations no less protective than those imposed on the Processor under this DPA.

PURPOSE

The purpose of this DPA is to set forth the terms and conditions under which the Processor shall process Personal Data on behalf of the Controller, and to ensure that such Processing is carried out in compliance with applicable Data Privacy Laws.

The Processor shall process Personal Data solely for the limited and specific purposes of performing the Services under the Terms of Service, and only in accordance with the documented instructions of the Controller as set forth in this DPA.

The Processor shall not process Personal Data for any independent purpose or benefit, and shall not use Personal Data for purposes other than those expressly permitted under this DPA, the Terms of Service, or applicable Data Privacy Laws.

COMPLIANCE WITH STATE LAWS

The Processor warrants that all Processing activities performed on behalf of the Controller shall be conducted in compliance with applicable Data Privacy Laws. The Processor shall promptly notify the Controller in writing, and in no event later than five (5) business days, if it determines that it can no longer comply with its obligations under applicable Data Privacy Laws or this DPA. Such notice shall describe the nature of the non-compliance and any remedial measures the Processor proposes.

Each Data Subject remains solely responsible for the quality and accuracy of the Personal Data they provide, and for ensuring that such Personal Data is supplied lawfully. The Controller shall not be liable for any inaccuracies, errors, or omissions in Personal Data provided by a Data Subject. The Controller remains responsible only for determining the lawful basis for the collection and use of Personal Data, including compliance with transparency, notice, and consent requirements under applicable Data Privacy Laws.

Nothing in this Section relieves the Processor of its independent obligations under this DPA, including obligations to assist the Controller in ensuring compliance with applicable Data Privacy Laws as set forth in Sections 8 (Instructions for Processing), 13 (Data Security), 15 (Limitations on Use), 17 (Destruction or Return of Data), and 18 (Audits and Compliance).

DURATION

This DPA shall take effect upon execution of this DPA and the Terms of Service and shall remain in force for so long as the Processor processes Personal Data on behalf of the Controller.

Termination or expiration of the Terms of Service shall not relieve the Processor of its obligations under this DPA with respect to Personal Data, which shall continue until all Personal Data has been deleted or returned in accordance with Section 17 (Destruction or Return of Data).

Without limiting the foregoing, the obligations of confidentiality (Section 11), restricted use (Section 15), data security (Section 13), audit and compliance (Section 18), record keeping (Section 19), and indemnification/liability shall survive termination or expiration of this DPA and the Terms of Service for so long as the Processor retains or has access to Personal Data. For the avoidance of doubt, the obligations of the Processor shall continue to apply for so long as the Processor retains any copy of Personal Data, including in archival or backup systems, whether actively used or not.

OWNERSHIP AND CONTROL OF DATA

All rights, title, and interest in and to the Personal Data remain with the Data Subject to the extent recognized under applicable Data Privacy Laws. Nothing in this DPA shall be construed as granting the Processor any rights in or to the Personal Data other than the limited rights necessary to process Personal Data on behalf of the Controller as set forth herein.

For the avoidance of doubt, the Controller retains control over, and responsibility for, the determination of the purposes and means of Processing of Personal Data in accordance with applicable Data Privacy Laws. The Processor shall not acquire any ownership, license, or other rights in the Personal Data by virtue of this DPA or the performance of the Services.

TYPES OF DATA

The Processor shall only process the categories of Personal Data described in this Section or otherwise documented in writing by the Controller in connection with the Services.

The Processor may process the following categories of Personal Data, as reasonably necessary for the provision and receipt of Services through the Platform:

  • identifiers and contact information, such as names, mailing addresses, zip codes, email addresses, and phone numbers;
  • CleanWhale account details and related identifiers, such as usernames, login credentials, IP addresses, device identifiers, and authentication logs;
  • service-related information, such as service preferences, booking details, schedules, and communications between Customers and Service Providers; and
  • payment information, such as billing addresses and limited transaction data, processed through third-party payment processors.

CleanWhale does not intentionally collect Sensitive Personal Data. However, if Sensitive Personal Data (as defined in Section 2.10) is provided by a Customer, Service Provider, or Data Subject in connection with the Services, such data shall be treated as Personal Data subject to this DPA, and the Processor shall implement all protections required by applicable Data Privacy Laws, including restrictions on use and disclosure.

For clarity, the categories of Personal Data processed under this Section are further subject to the obligations and limitations set forth in Section 8 (Instructions for Processing) and Section 15 (Limitations on Use).

INSTRUCTIONS FOR PROCESSING

The Processor shall only process Personal Data in accordance with this DPA and the documented instructions of the Controller, except where otherwise required by applicable law (in which case the Processor shall immediately notify the Controller in writing of the legal requirement before processing, unless expressly prohibited by law from doing so). The Processor shall immediately notify the Controller if any instruction infringes or may infringe applicable Data Privacy Laws and shall suspend the affected Processing until the Controller provides lawful instructions. Upon notice from the Controller that a Data Subject has exercised rights under applicable Data Privacy Laws, the Processor shall promptly cease or restrict processing of such Personal Data as instructed by the Controller.

The Controller may make available to the Processor, through the Platform, such Personal Data as is reasonably necessary for the Processor to evaluate, accept, schedule, and perform the Services, and to enable the Data Subject on the other side of the transaction to do the same. Depending on the context, this may include disclosure of limited Personal Data about a Customer to a Service Provider (e.g., name, service location, and contact details) or disclosure of limited Personal Data about a Service Provider to a Customer (e.g., name, business name, and general location). The Processor shall access and use such Personal Data solely through the Platform and solely for the purposes authorized under this DPA and the Terms of Service. The Processor shall not download, copy, export, or retain such Personal Data outside the Platform except as expressly authorized by the Controller for the performance of the Services, including the limited retention permitted under Section 8.5 and Section 17.

The Processor shall process Personal Data exclusively for the purposes set forth in the Terms of Service and this DPA. The Processor may create intermediate, temporary, or duplicate files only as reasonably necessary for technical, security, or operational reasons in connection with the Services, and shall delete such files in accordance with Section 8.5.

The Processor may share Personal Data with authorized Subcontractors only as necessary for the provision of the Services, provided that the Processor ensures by written contract that each Subcontractor is bound by data protection obligations no less protective than those set forth in this DPA. The Processor shall ensure that all Subcontractors comply with the deletion and return obligations in Section 17.

Upon completion of an individual Service, the Processor shall delete the Personal Data related to that Service. Notwithstanding the foregoing, if there is a confirmed, scheduled, upcoming Service with the same Data Subject, the Processor may retain only the minimum Personal Data necessary to perform that next scheduled Service and must delete it promptly upon completion of that Service. All deletion and return obligations shall be carried out in accordance with Section 17.

Upon receipt of a verifiable request from a Data Subject to exercise rights of access, correction, deletion, portability, restriction, opt-out of sale, sharing, or targeted advertising, or to limit the use of Sensitive Personal Data, the Controller shall respond in accordance with applicable Data Privacy Laws. Unless retention is required by law, the Controller shall fulfill the request within forty-five (45) days, subject to any permitted extensions.

If the Processor receives such a request directly from a Data Subject, the Processor shall:

  1. notify the Controller within forty-eight (48) hours and forward all details without responding to the Data Subject unless expressly instructed otherwise;
  2. provide the Controller with a description of the categories and volume of Personal Data in its possession relating to the Data Subject, and identify any Subcontractors with whom such data has been disclosed;
  3. upon instruction, promptly rectify or delete such data and provide written confirmation, including proof of deletion where reasonably available; and
  4. assist the Controller, to the extent reasonably possible, in responding to the Data Subject's request, including providing additional information the Controller may reasonably require.

DATA SUBJECT'S RIGHTS

The Processor shall promptly notify the Controller through the Platform of any request received from a Data Subject to exercise their rights under applicable Data Privacy Laws and shall assist the Controller in responding to such requests in accordance with Section 8 of this DPA.

Data Subjects may have rights under applicable Data Privacy Laws, which may include rights of access, correction, deletion, portability, restriction, and rights to opt out of the sale, sharing, targeted advertising, or other restricted uses of their Personal Data. These rights shall be exercised through the Controller, subject to the Controller's obligations under applicable law, including requirements to retain certain data.

For Processors subject to the CCPA/CPRA, the Processor shall take reasonable and appropriate steps to enable the Controller to comply with consumer rights requests, including passing through and honoring instructions from the Controller regarding such requests. This includes ensuring that any Subcontractors engaged by the Processor likewise provide the information and cooperation reasonably necessary for the Controller to comply. Neither the Processor nor any Subcontractor shall impose any fees or charges for assisting the Controller in responding to Data Subject requests, except as expressly agreed in writing by the Controller.

DATA PROTECTION IMPACT ASSESSMENTS

The Processor shall, upon the Controller's request, promptly provide all information and cooperation reasonably necessary for the Controller to conduct data protection impact assessments or other risk assessments required under applicable Data Privacy Laws. Such information shall include, without limitation, details about data transmittal, data storage, methods of processing, security measures (including encryption and access controls), Subcontractor involvement, and data destruction procedures.

Where a risk assessment or Data Protection Impact Assessment (DPIA) identifies a material risk that requires mitigation, the Processor shall, at its own cost, implement additional safeguards as directed by the Controller.

The Processor shall ensure that its Subcontractors provide the same cooperation and information necessary for the Controller to meet its obligations under applicable Data Privacy Laws.

The Processor's obligations under this Section are without prejudice to, and shall operate in addition to, the Controller's rights under Section 18 (Audits and Compliance).

CONFIDENTIALITY

Each Party shall treat as confidential and safeguard from unauthorized use or disclosure all Personal Data and any other confidential information disclosed in connection with this DPA or the Services ("Confidential Information"). Neither Party shall use or disclose such Confidential Information except as expressly permitted by this DPA, the Terms of Service, or as required by applicable law. To the extent of any inconsistency between this Section and the general confidentiality provisions of the Terms of Service, the stricter obligation shall govern with respect to Personal Data.

The Processor shall ensure that only those of its Personnel who have a strict "need-to-know" for the purpose of performing the Services are given access to Personal Data, and only to the minimum extent necessary. The Processor shall ensure that all such Personnel are subject to binding, written confidentiality obligations that survive the termination of their engagement.

The Processor shall provide appropriate training to its Personnel regarding their confidentiality and data protection obligations and shall take reasonable steps, including monitoring and disciplinary measures, to ensure ongoing compliance.

If the Processor is required by law, regulation, or valid legal process to disclose any Personal Data or other Confidential Information, it shall (a) provide prior written notice to the Controller without undue delay, unless prohibited by law, and (b) disclose only the minimum amount of information required by law.

The confidentiality obligations set forth in this Section shall survive termination or expiration of this DPA and the Terms of Service for so long as the information remains confidential in nature, and shall continue to apply until all Personal Data has been deleted or returned in accordance with Section 17 (Destruction or Return of Data).

The Processor shall ensure that any Subcontractors or other third parties engaged in processing Personal Data on its behalf are bound by written confidentiality obligations no less protective than those set forth in this Section. The Processor shall take reasonable and appropriate steps to verify and monitor such compliance on an ongoing basis.

The confidentiality obligations under this Section expressly include compliance with the technical and organizational security measures required under Section 13 (Data Security). The Parties agree that the duty to maintain confidentiality cannot be met without maintaining security measures appropriate to the nature and sensitivity of the Personal Data.

LIMITATION ON LIABILITY

CleanWhale's total liability under both the Terms of Service and this DPA shall not exceed the limitation of liability set out in the Terms, unless such limitation of liability is restricted, limited, or prohibited by applicable law, in which case such applicable law shall govern.

Except as otherwise provided in this Section, each Party shall be liable only for damages directly caused by its breach of this DPA. Nothing in this Section shall limit or exclude the Processor's liability for:

  1. breach of its confidentiality obligations under Section 11;
  2. indemnification obligations under Section 12.3;
  3. failure to comply with data security requirements under Section 13 or breach notification obligations under Section 14; and
  4. unlawful processing, sale, or disclosure of Personal Data in violation of Section 15.

The Processor, including any of the Processor's Subcontractors, shall indemnify, defend, and hold harmless the Controller against:

  1. all losses, claims, damages, liabilities, fines, interest, penalties, costs, charges, sanctions, expenses, compensation paid to Data Subjects, demands, and legal and other professional costs arising out of or in connection with any breach by the Processor or its Subcontractors of their obligations under this DPA, including without limitation all costs and expenses incurred by the Controller in connection with required notifications to Data Subjects, regulators, or other third parties; and
  2. all amounts paid or payable by the Controller to a third party which would not have been paid or payable if the Processor's or its Subcontractors' breach of this DPA had not occurred, including any sanctions or damages imposed by a regulatory authority as a result of such breach.

The indemnification and liability obligations in this Section shall survive termination or expiration of this DPA and the Terms of Service.

DATA SECURITY

The Processor shall, at all times, implement and maintain reasonable and appropriate technical, organizational, and administrative security measures to ensure a level of security appropriate to the nature, scope, context, and purposes of processing and the risks to the rights of Data Subjects. Such measures shall, at a minimum, meet the requirements of applicable Data Privacy Laws (including the CCPA/CPRA, the New York SHIELD Act, and other similar state laws), and shall provide protections no less protective than those maintained by the Controller with respect to Personal Data of the same type.

Security measures shall include, where appropriate and without limitation:

  • access controls, authentication, and role-based restrictions;
  • encryption of Personal Data in transit and at rest;
  • regular testing, monitoring, and evaluation of the effectiveness of security measures;
  • procedures for restoring availability and access to Personal Data in a timely manner in the event of an incident, with clearly defined incident response times and documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO); and
  • policies and training designed to ensure confidentiality, integrity, and availability of Personal Data.

The Processor shall review and update its security measures on an ongoing basis to maintain compliance with applicable Data Privacy Laws and industry standards. Any material changes that could adversely affect the protection of Personal Data shall require prior written approval by the Controller.

Except as agreed by the Parties by way of a binding variation of this DPA, the Processor may not make any change to the security measures it applies to Personal Data that would reduce the level of protection required under this DPA or applicable law.

The Processor shall obtain and maintain, at its own cost, current industry-recognized security certifications appropriate to the scope of its business and processing activities, including without limitation SOC 2 Type II and/or ISO 27001 certifications (where such certifications are commercially reasonable and customary for organizations of similar size and nature). Upon the Controller's request, the Processor shall promptly provide evidence of such certifications and any relevant audit reports.

BREACH NOTIFICATION

The Processor shall notify the Controller without undue delay, and in any event within twenty-four (24) hours of becoming aware of a Breach Event involving the Controller's Personal Data.

The initial notice shall include all information then available to the Processor, and the Processor shall provide the Controller with additional details as they become available, including, where reasonably possible:

  1. the date and time the Breach Event was discovered and, if known, when it began;
  2. the nature and scope of the Breach Event;
  3. the systems, Services, and/or types of Personal Data affected;
  4. the cause or suspected cause of the Breach Event;
  5. the categories and approximate number of Data Subjects concerned;
  6. the categories and approximate number of Personal Data records concerned;
  7. the likely consequences of the Breach Event for affected Data Subjects;
  8. measures taken or proposed to contain and remediate the Breach Event, including steps to prevent recurrence; and
  9. an estimated timeframe for recovery, if applicable.

The Processor shall keep the Controller fully informed of the status of investigation, containment, recovery, and remediation efforts and shall provide reasonable cooperation to the Controller in meeting its legal obligations, including obligations to notify regulators, affected Data Subjects, and/or other third parties as required by applicable law.

The Processor shall not make any notification to regulators, affected individuals, or the public regarding the Breach Event without the Controller's prior written approval, unless required by applicable law.

LIMITATIONS ON USE OF PERSONAL DATA

The Processor shall not use, retain, or disclose Personal Data for any purpose other than: (a) as necessary to perform the Services in accordance with the Terms of Service and this DPA, or (b) as otherwise expressly permitted by applicable Data Privacy Laws.

Without limiting the generality of Section 15.1, the Processor is specifically prohibited from:

  1. selling, sharing, releasing, disclosing, or transferring Personal Data to any third party, except to the Controller, the applicable Data Subject, or an authorized Subcontractor as necessary to perform the Services;
  2. retaining, using, or disclosing Personal Data for any purpose other than the business purpose(s) specified in this DPA, including any commercial purpose not expressly permitted;
  3. retaining, using, or disclosing Personal Data outside the direct business relationship between the Controller and Processor;
  4. combining Personal Data received from the Controller with Personal Data collected from other sources, except as strictly necessary to perform the Services in accordance with the Controller's documented instructions;
  5. using Personal Data for cross-context behavioral advertising, targeted advertising, profiling, or other restricted processing activities, upon notice from the Controller or where prohibited by applicable Data Privacy Laws; and
  6. anonymizing, pseudonymizing, de-identifying, or aggregating Personal Data, except to the extent expressly authorized in writing by the Controller.

The Processor certifies that it understands and will comply with the restrictions and obligations set forth in this Section 15 and elsewhere in this DPA, including compliance with applicable Data Privacy Laws.

SUBCONTRACTOR REQUIREMENTS

The Processor may engage a Subcontractor to process Personal Data. The Processor shall provide the Controller with written notice of the intended engagement (or replacement) of a Subcontractor at least seven (7) days prior to the proposed engagement, including the Subcontractor's name, location, and processing activities, which shall be sent to [●].

The Processor shall ensure that each Subcontractor is bound by a written contract that imposes obligations no less protective than those set forth in this DPA, including, without limitation, obligations relating to confidentiality, data security (Section 13), breach notification (Section 14), limitations on use (Section 15), and destruction or return of Personal Data (Section 17).

The Processor shall remain fully liable to the Controller for the performance of any Subcontractor's obligations and for any breach of this DPA caused by a Subcontractor.

The Processor shall ensure that all Subcontractors comply with applicable Data Privacy Laws in connection with the processing of Personal Data and the provision of the Services, and shall monitor Subcontractor compliance on an ongoing basis.

DESTRUCTION OR RETURN OF DATA

At the Controller's written direction, the Processor shall, within thirty (30) days, securely delete or return all Personal Data in its possession or control, including copies, unless applicable law requires retention. The Processor shall notify the Controller of the specific legal requirement necessitating such retention and shall securely delete the Personal Data as soon as retention is no longer required.

Upon termination or expiration of the Terms of Service, or upon completion of Services, the Processor shall securely delete or return all Personal Data in accordance with this Section. A limited retention exception for confirmed upcoming Services shall apply only where the Terms of Service remain in effect and the business relationship between the Controller and the Processor continues; it shall not apply if the Terms of Service have been terminated or expired.

The Processor shall ensure that any Subcontractors it engages delete or return Personal Data in accordance with this Section 17. The Processor shall remain liable for ensuring such deletion or return.

Upon request, the Processor shall provide the Controller with a written certification that it and its Subcontractors have deleted or returned all Personal Data in accordance with this Section 17.

All confidentiality, restricted-use, and security obligations applicable to Personal Data under this DPA shall survive termination or expiration of the Terms of Service and continue in effect until all Personal Data has been deleted or returned in accordance with this Section 17, including for so long as the Processor retains any copy of Personal Data (such as in archival or backup systems), whether actively used or not.

AUDITS AND COMPLIANCE

The Processor shall permit the Controller, or an independent auditor appointed by the Controller, to conduct audits or inspections, on reasonable prior notice during regular business hours, as reasonably necessary to verify the Processor's compliance with this DPA and applicable Data Privacy Laws. The scope of any audit shall be limited to systems, procedures, and documentation relevant to the processing of Personal Data on behalf of the Controller. The Processor shall provide the Controller with all necessary cooperation, access, and support to conduct such audits. Audit findings shall be treated as Confidential Information under Section 11.

Where required under the California Consumer Privacy Act (as amended by the CPRA) or other applicable Data Privacy Laws, the Controller shall have the right to take reasonable and appropriate steps to:

  1. ensure that the Processor and any Subcontractor process Personal Data in a manner consistent with the Controller's obligations under applicable Data Privacy Laws, which may include ongoing reviews, testing, or automated scans at least once every twelve (12) months; and
  2. require the Processor to stop and promptly remediate any unauthorized use of Personal Data without undue delay.

The Processor shall promptly address and remediate any deficiencies identified in an audit or compliance review, including implementing corrective actions reasonably required by the Controller. The Processor shall not be entitled to any payment or reimbursement for its cooperation or assistance in connection with any audit or compliance review. If an audit or compliance review reveals any material violation of this DPA or applicable Data Privacy Laws by the Processor or its Subcontractors, the Controller may require the Processor to bear the reasonable costs and expenses of such audit or compliance review. In addition, if such violations are not fully remedied within a reasonable period specified by the Controller, the Controller may suspend the processing of Personal Data by the Processor or terminate this DPA (and the associated Terms of Service) with immediate effect.

RECORD KEEPING OBLIGATIONS

The Processor shall maintain complete, accurate, and up-to-date written records of all categories of processing activities carried out on behalf of the Controller. Such records shall include, at a minimum:

  1. the categories of Personal Data processed;
  2. the categories of Data Subjects concerned;
  3. the categories of recipients (including Subcontractors) to whom Personal Data has been or will be disclosed;
  4. a general description of the technical and organizational security measures implemented pursuant to Section 13;
  5. the information necessary to demonstrate compliance with this DPA and applicable Data Privacy Laws; and
  6. any additional information that the Controller may reasonably require from time to time to meet its legal obligations.

The Processor shall retain such records for the duration of the Terms of Service and this DPA, and for at least three (3) years thereafter, unless applicable law requires a longer period.

The Processor shall make copies of such records available to the Controller promptly upon written request. Such provision of records shall be without prejudice to the Controller's rights under Section 18 (Audits and Compliance).

GOVERNING LAW; JURISDICTION

This DPA shall be governed by, and construed in accordance with, the laws of the State of Delaware, without regard to conflict of law principles, except to the extent that applicable Data Privacy Laws require otherwise. The Parties irrevocably submit to the exclusive jurisdiction of the state and federal courts located in Delaware, and any action or proceeding arising out of or relating to this DPA shall be brought exclusively in such courts, except where applicable Data Privacy Laws require otherwise.