Data Processing Agreement ConvertRun

Data Processing Agreement

This Data Processing Agreement ("DPA") reflects the mutual understanding between [Customer] ("Controller") and Convertrun AG, a company registered under Turkish law with offices at Ankara, Turkey ("Processor"), regarding the processing of personal data in connection with the Convertrun Team Plan and Convertrun Business Plan, as outlined in the Convertrun Terms of Service.

This DPA is a supplement to the Terms of Service and becomes effective upon your acceptance of the Terms. In any case where there is a conflict or inconsistency between this DPA and the Terms of Service, the DPA will prevail, ensuring the protection of personal data as per the GDPR and other applicable regulations.

We may update this DPA periodically to reflect changes in our processing activities. If you hold an active Convertrun Team or Business subscription, you will be notified of these changes via email or in-app notifications.

The terms of this DPA shall remain in force for the duration of our agreement under the Terms of Service. Any terms not explicitly defined in this DPA will inherit their meaning from the Terms of Service.

1. General Provisions

1.1. The terms "Controller," "Processor," "Personal Data," "Processing," "Data Subject," "Technical and Organizational Measures," and "Supervisory Authority" shall have the same meaning as defined in the General Data Protection Regulation (EU) 2016/679 ("GDPR").

1.2. The Processor agrees to process Personal Data solely for the provision of PDF document editing, compression, conversion, and electronic signature services, as described under Article 4 (2) and Article 28 of the GDPR, and in accordance with this DPA.

1.3. The processing of Personal Data shall commence and conclude based on the duration of the Controller's use of the services provided by the Processor, as outlined in Section 1.2.

2. Specification of Personal Data Processing

2.1. The purpose of processing Personal Data under this DPA is to facilitate the provision of PDF-related services, including editing, compression, conversion, and electronic signature functionalities ("Services").

2.2. The following categories of Personal Data may be processed:

  • Content within uploaded documents
  • Data of signatories for electronic signatures, including email addresses, timestamps, electronic signatures, and document statuses

2.3. The Data Subjects involved may include, but are not limited to:

  • Customers
  • Employees
  • Suppliers
  • Business partners of the Controller
  • Any other individuals whose personal data is contained within the uploaded documents

3. Controller's Rights and Obligations

3.1. The Processor shall process Personal Data only as per the instructions of the Controller. The instructions specified in this DPA, as well as those provided by the Controller through the parametrization options within the Services, are considered binding instructions. Any additional instructions must be mutually agreed upon in writing or through a documented electronic form (e.g., email or customer support).

3.2. Any changes to the processing procedures or subject matter must be coordinated between the Controller and the Processor and documented in writing or through a suitable electronic format.

3.3. The Controller is solely responsible for assessing the legality of the processing activities, including the handling of data subject requests.

4. Processor’s Obligations

4.1. The Processor agrees to process Personal Data strictly within the scope of this DPA and as instructed by the Controller, unless otherwise required by EU or member state law. In such cases, the Processor will notify the Controller of the legal requirement before proceeding unless prohibited by law for public interest reasons.

4.2. The Processor ensures that all personnel authorized to process Personal Data are bound by confidentiality agreements or statutory obligations.

4.3. The Processor will use reasonable efforts to assist the Controller in fulfilling the data subject rights as outlined in Articles 12 to 22 of the GDPR and ensuring compliance with Articles 32 to 36 of the GDPR, considering the nature of the processing and the information available to the Processor. Should the Processor need to assist the Controller in meeting these legal obligations, any reasonable additional costs incurred by the Processor will be reimbursed by the Controller.

5. Information and Audit Rights

5.1. Upon request, the Processor will provide the Controller with necessary information to demonstrate compliance with the Processor's obligations, including the implementation of technical and organizational measures.

5.2. The Processor may provide this information through self-audit reports, external certifications, or other relevant documentation from independent bodies.

5.3. If the Controller has reasonable doubts about the provided documentation and explains these doubts, the Controller or an independent auditor appointed by the Controller may verify the Processor's compliance, including conducting an on-site inspection.

5.4. Such on-site audits must be announced at least two weeks in advance and conducted during regular business hours, considering the Processor's business interests. The Processor may require a standard non-disclosure agreement before allowing the inspection.

5.5. The Controller shall inform the Processor immediately if any errors or irregularities are detected during the audit.

5.6. The Controller will cover any additional costs incurred by the Processor due to such audits.

6. Notification Obligations of the Processor

6.1. The Processor will immediately inform the Controller if it believes that an instruction infringes the GDPR or other applicable EU or member state data protection laws.

6.2. The Processor will provide adequate support to the Controller concerning the Controller's obligations under Articles 33 and 34 of the GDPR.

6.3. Any reasonable additional costs incurred by the Processor while assisting the Controller under Section 6.2 will be reimbursed by the Controller.

7. Sub-Processors

7.1. The Processor is entitled to engage sub-processors to fulfill its contractual obligations. Upon request, the Processor will provide the Controller with a list of sub-processors involved in data processing under this DPA.

7.2. The Processor will notify the Controller promptly when appointing a new sub-processor, allowing the Controller to object within 14 days based on significant reasons. If the Controller objects, the Processor may terminate the relevant services without penalty by giving written notice.

7.3. The Processor will ensure that any sub-processors are bound by obligations at least equivalent to those in this DPA.

7.4. The Processor remains fully responsible for its sub-processors' compliance with this DPA.

8. Transfer of Personal Data to Third Countries

If the Processor transfers personal data to a third country outside the European Union/European Economic Area, it will ensure compliance with Articles 44 et seq. of the GDPR.

9. Technical and Organizational Measures

9.1. The Processor will implement appropriate technical and organizational measures under Article 32 of the GDPR to ensure a level of security appropriate to the risks. The Processor will assist the Controller in ensuring compliance with Article 32 of the GDPR.

9.2. The technical and organizational measures implemented by the Processor under Article 32 of the GDPR are detailed in Annex 1.

10. Obligations of Processor after Termination of Processing

Upon termination of data processing under this DPA, the Processor is obligated, upon written notice from the Controller, to either delete or return the personal data, unless retention of the data is required by applicable laws.

11. Final Provisions

In the event of any contradictions between this DPA and other agreements concluded between the Parties, the provisions of this DPA shall take precedence.

Annex 1: Technical and Organizational Measures

The Processor has implemented the following technical and organizational measures, which may be updated periodically to reflect technological advancements:

Confidentiality (Art. 32 (1) b GDPR)

Physical Access Control:

The data centers utilized by the Processor are secured with physical barrier controls, electronic access validations, and/or human security personnel at key access points. ID badges, restricted access privileges, and electronic intrusion detection systems are also in place. Relevant access points are monitored with video surveillance and kept in a secure, locked state. All physical access to these data centers is logged. Additionally, the Processor's business premises are secured with key control measures, requiring additional keys for accessing critical information.

Electronic Access Control:

Network protection measures for the data centers include access controls, firewalls, and authentication protocols. User access to IT systems is regulated through personal user accounts with secure passwords, adhering to a strict password policy. Two-factor authentication is enforced for critical services and key personnel. The Processor employs a need-to-know and least privilege approach for granting access. Company policy mandates the use of laptops with encrypted disk storage, and the connection of external hard drives (e.g., USB, SD card) is prohibited. Unauthorized external access to critical systems is prevented via VPN and two-factor authentication, with all access logged. Separate environments are maintained for staging and production.

Integrity (Art. 32 (1) b GDPR)

Access to data centers is logged and protected from unauthorized access. VPN is required for accessing the staging environment, with individual credentials issued to each employee. Both staging and production environments utilize HTTPS to secure data in transit. Uploaded files are deleted within a specific timeframe unless otherwise retained per user request, in accordance with the Processor's deletion policy. Internal documentation tracks who receives or alters critical data through log files. All data in transit is encrypted.

Availability and Resilience (Art. 32 (1) b, c GDPR)

The Processor has implemented a backup strategy for the data centers to ensure data recovery in case of an emergency. These centers are also equipped with electronic intrusion prevention systems. Firewalls and antivirus protection are employed, and regular security and data protection training is provided to employees. An emergency recovery plan is in place.

Regular Testing, Assessment, and Evaluation (Art. 32 (1) d GDPR)

Privacy Management:

The Processor maintains a standard Data Processing Agreement, privacy policies for data subjects, and is ISO 27001-certified. Processes are in place to fulfill data subject rights requests and conduct data protection impact assessments as needed. A GDPR training program, data protection officer, and GDPR representatives in the UK and EU are also established.

Incident Response Management:

The Processor has a well-defined internal process for handling security incidents.

Data Protection by Design and Default:

User files are deleted in accordance with user choices and the Processor's data retention scheme. Processes are established to fulfill data subject rights requests, and data access is limited based on a need-to-know and least privilege approach.

Order Control:

No data processing within the meaning of Art. 28 GDPR is carried out without corresponding instructions from the Controller. This includes pre-evaluation and selection of providers and order management. Data Processing Agreements are signed with each supplier who has access to personal data. The Processor has a process for selecting providers that meet privacy requirements, and contract conclusions are documented. Compliance of suppliers with access to personal data is regularly audited.