DPA

This Data Processing Agreement (“DPA”) is incorporated into, and is subject to the terms and conditions of the Runnr.ai Terms of Services (available at: https://runnr.ai/general-terms-condition/) or other agreement between Runnr.ai and Customer governing Customer’s use of the Services (the “Agreement”).

1 – Definitions

“Data Protection Laws” means, where applicable: (i) the General Data Protection Regulation (“GDPR”); (ii) national implementations of the GDPR in the European Union (“EU”) and European Economic Area (“EEA”); (iii) the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK Data Protection Law”); (iv) EU ePrivacy Directive 2002/58/EC; as amended by Directive 2009/136/EC; and (v) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance (“Swiss DPA”).

“Model Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries adopted under the GDPR, and as may be amended or superseded from time to time.

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained in Customer Content.

“Personal Data Breach” means a breach of security that has resulted in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed by Runnr.ai and/or its Sub-Processors in connection with the provision of the Services.

“Restricted Transfer” means a transfer of Personal Data to a Third Country.

“Sub-Processor” means any Data Processor engaged by Runnr.ai to assist in fulfilling Runnr.ai’s obligations under the Agreement.

“Third Country” means (a) to the extent the GDPR applies to the processing of Personal Data by Runnr.ai, a country outside of the EEA which is not subject to an adequacy decision by the European Commission; (b) to the extent the UK Data Protection Law applies to the processing of Personal Data by Runnr.ai, country which is not subject to an adequacy decision pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (c) to the extent the Swiss DPA applies to the processing of Personal Data by Runnr.ai, a country outside the EEA and/or Switzerland not subject to an adequacy decision by the Swiss Federal Data Protection and Information Commissioner (“FDPIC”).

“UK Addendum” means the International Data Transfer Addendum issued by the Information Commissioner’s Office under s.119(A) of the UK Data Protection Act 2018, as may be amended or superseded from time to time.

The terms ”Data Controller”, “data subject”, “Data Processor” and “processing” will have the meaning given to them under Data Protection Laws and “process”, “processes” and “processed” will be interpreted accordingly. Any other terms not expressly defined here have the same meanings as in the Agreement.

2 – Purpose and Scope

1. This DPA governs the processing of Personal Data by Runnr.ai as a Data Processor on behalf of Customer, the Data Controller.
2. The purpose of this DPA is to ensure compliance with Data Protection Laws as they may be amended, replaced or supplemented from time to time.
3. The details of the processing operations, in particular the categories of Personal Data, the categories of data subjects, and the purposes for which Personal Data is processed by Runnr.ai, are specified in Annex 1.

3 – Processing by Runnr.ai

1. Runnr.ai will process Personal Data only on documented instructions from Customer, unless required to do so by local law to which Runnr.ai is subject, such as EU or EU Member State law. In this case, Runnr.ai will inform Customer of that legal requirement before processing, unless the law prohibits this.
2. Runnr.ai will process the Personal Data only for the specific processing purpose(s) as included in Annex 1, unless it receives further written instructions from Customer.
3. Runnr.ai will immediately inform Customer if, in Runnr.ai’s opinion, instructions given by Customer infringe Data Protection Laws.

4 – Assistance to Customer

1. Data Subject Request. Runnr.ai will promptly notify Customer of any request it receives from a data subject under Data Protection Laws (“Data Subject Request”). Runnr.ai will not respond to any Data Subject Request itself, unless authorized to do so by Customer. Runnr.ai will assist Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.
2. Data Protection Impact Assessment. Runnr.ai will assist the Customer with Customer’s obligation under Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, taking into account the nature of processing and the information available to Runnr.ai.
3. Consultations by supervisory authorities. Runnr.ai will assist the Customer in the cooperation or prior consultation with a supervisory authority, taking into account the nature of processing and the information available to Runnr.ai.

5 – Confidentiality

Runnr.ai will grant its personnel access to the Personal Data only to the extent strictly necessary for implementing, managing and monitoring of the Agreement. Runnr.ai will ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6 – Security

Runnr.ai will at least implement the technical and organizational measures listed at https://runnr.ai/security/ (“Security Measures”) to ensure the security of the Personal Data. This includes protecting the data against a Personal Data Breach. In assessing the appropriate level of security, the parties will take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects. Runnr.ai may implement alternative adequate Security Measures from time-to-time while making sure the security level of the defined measures is not reduced.

7 – Personal Data Breach

1. In the event of a Personal Data Breach affecting Customer’s Personal Data, Runnr.ai will notify Customer without undue delay after Runnr.ai has become aware of the Personal Data Breach. Such notification will contain, at least:
   1. a description of the nature of the Personal Data Breach;
   2. communicate the contact point where more information about the Personal Data Breach can be obtained;
   3. its likely consequences of the Personal Data breach; and
   4. the measures taken or proposed to be taken to address the Personal Data Breach, including to mitigate its possible adverse effects.
2. When it is not possible for Runnr.ai to provide all this information at the same time, the initial notification will contain the information available at that time. Any further information will, as it becomes available, subsequently be provided without undue delay. Runnr.ai will also take appropriate and reasonable steps to contain, investigate, and mitigate any Personal Data Breach.

8 – Documentation and Compliance

1. Runnr.ai will promptly and adequately handle any inquiries from Customer about the processing of Personal Data in accordance with this DPA.
2. Runnr.ai will make available to Customer all information necessary to demonstrate compliance with the obligations under this DPA or applicable Data Protection Laws. At Customer’s request, Runnr.ai will also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance.
3. Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of Runnr.ai if mutually agreed and with reasonable notice.

9 – Use of Sub-Processors

1. Runnr.ai has Customer’s general authorization for the engagement of Sub-Processors listed at https://runnr.ai/subprocessors/. At least 5 days prior to authorizing any new Sub-Processor to process Personal Data, Runnr.ai will provide written notice to Customer (via email) to enable Customer to object to such changes. When Customer objects, the parties will discuss Customer’s concerns in good faith with the intention to achieve a commercially reasonable solution. If the parties are not able to find a solution, Runnr.ai and Customer each have the right to terminate the Agreement, including any related Order, without liability to either party.
2. Where Runnr.ai engages a Sub-Processor, it will do so by way of a contract which imposes on the Sub-Processor, in substance, the same data protection obligations as the ones imposed on Runnr.ai in accordance with this DPA. Runnr.ai will ensure that the Sub-Processor complies with the obligations to which Runnr.ai is subject pursuant to this DPA and applicable Data Protection Laws.
3. Runnr.ai will remain fully responsible to Customer for the performance of the Sub-Processor’s obligations in accordance with its contract with Runnr.ai.

10 – International Data Transfers

1. Any transfer of Personal Data to a Third Country or to an international organization by Runnr.ai will be done only on the basis of documented instructions from Customer or in order to fulfill a specific requirement under local law to which Runnr.ai is subject and will take place in compliance with Data Protection Law. Runnr.ai may transfer Personal Data to its Sub-Processors located in a Third Country, subject to the notification requirements of Section 9.
2. Customer agrees that where Runnr.ai engages a Sub-Processor for carrying out specific processing activities under the Agreement and those activities involve a transfer of Personal Data to any Third Country, Runnr.ai and the Sub-Processor can ensure compliance with Data Protection Laws by using the Model Clauses and, where relevant, the UK Addendum, provided the conditions for the use of those Model Clauses are met.

10 – Termination and Deletion

When the Agreement is terminated, Runnr.ai will delete all Personal Data processed on behalf of Customer or, if requested by Customer, return all Personal Data to Customer and delete existing copies unless Data Protection Laws require storage of the Personal Data. Until the data is deleted or returned, Runnr.ai will continue to ensure compliance with this DPA.