Privacy Policy


Last updated: 1.03.2021

ShortPixel belongs to ID SCOUT SRL, hereinafter referred to as the “Company” or “we”. The Company respects your privacy rights and recognizes the importance of protecting the Personal Data (as defined below) that you provide to us.
This Privacy Policy describes how the Company processes the Personal Data you provide to us through the Company's website and it also describes your rights pursuant to the data protection regulations, including the choices available regarding the Company's use of Personal Data or the actions you can take to access this information and request the correction or deletion of such personal information.

The data controller for the processing of personal data through the website shortpixel.com (the “Website”) is ID SCOUT SRL and can be contacted at:
Address: Bucuresti, Str. Transilvaniei nr.2, Camera 5, Bl.5, Ap.19, Sector 1, 010798
Phone: 0726 112 185
E-mail: support@shortpixel.com

1. GENERAL INFORMATION

ACKNOWLEDGMENT: By using the Website, you acknowledge that you have read this Privacy Policy and that you understand the practices described herein with respect to the Company's processing of your Personal Data. Also, when creating an account on the Website, you expressly declare that you acknowledged the provisions of this Privacy Policy. This is the Company's entire and exclusive Privacy Policy and it supersedes any earlier version.

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - the GDPR  - is the European law that regulates the data protection processing operations performed through the Website. Our Declaration of Conformity can be found here.

Terms used in this document:

“User/you” the individual or entity who registered on the Website and thus owns a ShortPixel account.
“Visitor” the individual or entity who visits the Website without creating an account.
“Customers” Users that purchased paid plans or installed the product.
“Third Parties” are other companies and the services they provide us.
“Data Subject” any identified or identifiable, directly or indirectly, natural person. The Users and Visitors defined above may act as data subjects should they be an identified or identifiable natural person.
“Processor” the entity acting under the authority and instructions of the controller. For example, the Company acts as a processor for our Customers as defined above.
“Personal Data” all information which relates to an identified or identifiable natural person. This includes, e.g., items like the name, postal address, e-mail address or telephone number, but also usage data like your IP address.
“Processing” every process carried out with or without automated assistance or every sequence of such processes in connection with personal data, e.g. obtaining, capturing, organizing, ordering, saving, adjusting or modifying, sorting, accessing, using, disclosing by transmission, distributing or any other form of making available, comparing or connecting, limiting, deleting or destroying.

We Process all personal data in accordance with GDPR principles, as follows:

  • “Lawfulness, fairness and transparency”: the personal data is Processed fairly in relation to the data subject, based on a legal basis provided by GDPR at art. 6, and the data subject is informed of the Processing as required by art. 13 and art. 14 GDPR.
  • “Purpose limitation”: the purpose for which we Process the personal data is specific, explicit, and legitimate. We do not collect and use data for purposes other than the ones we informed the data subject about.
  • “Data minimization”: we Process the minimum amount of personal data we need; the personal data we collect are adequate, relevant and limited to what is necessary in relation to the purposes for which they are Processed.
  • “Accuracy”: the personal data Processed is accurate and where necessary kept up to date. We do not retain old and outdated data in our systems.
  • “Storage limitation”: we have established and documented the necessary retention period for the personal data we collect and Process for specific objectives. Once the retention period has elapsed, the personal data is deleted, destroyed, or anonymized.
  • “Integrity and confidentiality”: we handle personal data in a manner ensuring appropriate security, including protection against unlawful Processing and against accidental loss, destruction or damage.
  • “Accountability”: as data controller, we are responsible for demonstrating compliance with the GDPR principles listed above.


2. WHAT PERSONAL DATA WE COLLECT, HOW WE COLLECT IT AND WHAT WE DO WITH THE COLLECTED PERSONAL DATA



2.1. Creating your account

When Visitors of our Website sign up for a ShortPixel account, we collect their email address and IP address and store the newly generated API keys.
The legal ground for this Processing is the performance of a contract, in accordance with Art. 6 (1) b) GDPR.

2.2. Running the Service

We Process the Personal Data for taking the necessary actions to offer our Customers the Company’s products (e.g. for the proper running of our image optimization service, to connect our servers to our Customers’ servers, where the images needing compression are hosted, for maintenance and for building appropriate tools for our clients, etc.), pursuant to Art. 6 (1) b) GDPR, for the performance of a contract and Art. 6 (1) f) GDPR, on the basis of our legitimate interest.
From the Users of our WordPress plugin and from those who use our API tools, we Process the following Personal Data: name and surname, identification data, email, processed images.

2.2.1. Google Drive optimization app

This service is currently in closed beta testing. If you want to test the application free of charge, please contact us here.

We offer our users the possibility to optimize the images stored in their Google Drive from their personal space on our website. In order to optimize these images, the user needs to create an account with ShortPixel.com. The ShortPixel website's Google Drive optimization application then needs to be granted access to the user's Google Drive in order to view, download, upload and modify files, add files as a different file type at your request, or overwrite files. To acquire this permission, upon first use the logged-in ShortPixel user is asked to connect their account to their Google Drive account using Google OAuth 2.0 (note that the email used to register the ShortPixel account can be different from the one of the Google account). Since optimization may take a while, the app needs offline access to your Google Drive account and therefore requests your consent for a Refresh Token, which allows the app to access your Google Drive account while you are not present in the app. After the authorization, ShortPixel stores only the Refresh Token (provided by Google OAuth 2.0) in order to communicate with Google OAuth 2.0 and access the user's files from Google Drive.
After the user grants access to the application, the user can browse the content of their Google Drive from their private space on ShortPixel.com and select a folder for optimization using the contextual menu of the app. When the user selects a folder for optimization, the name and ID of that folder are stored in ShortPixel's optimization queue to be processed in the background. Upon optimization, the application first downloads the content of the Google Drive folder to the ShortPixel servers, filtered by accepted file types, and starts optimizing them. "Filtered by accepted file types" means that only files of the following types are downloaded: JPEG, PNG, GIF, BMP, TIFF, PDF.
After the optimization is complete on ShortPixel's cloud, the application uploads the optimized files back to Google Drive, overwriting the old files or adding them as a different file type at your request. The files are then deleted from ShortPixel's servers and the user receives an email, at the address of their ShortPixel account, letting them know that the optimization is done.
The statistics of the folder optimization (folder name, number of files - total, optimized, already optimal, failed - and the optimization percentage) are kept in ShortPixel's database and used for future reference.
Please be aware that the Refresh Token allows the app to access your Google Drive account while you are not present in the app, and that it expires after 6 months. If you do not want the app to keep access to your Google Drive after optimization, you must revoke the access here or delete your ShortPixel account.
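The OAuth 2.0 flow described above, as an added example written for this page (it is not ShortPixel's code): a server-side app requests offline access so Google issues a refresh token, binds the callback to the logged-in session with a random state value, persists only the refresh token plus its issue date so the 6-month lifetime can be enforced, and builds the revocation request that a "revoke access" control or account deletion should trigger. The three Google endpoints are Google's public OAuth 2.0 endpoints; the client credentials, redirect URI and the full-Drive scope are placeholder assumptions, and no request is actually sent.

```python
"""OAuth 2.0 offline access for a Google Drive app: consent URL, callback
check, refresh-token-only storage, access-token refresh and revocation.
Added example for this page, not ShortPixel's code. Requests are built but
not sent, so it runs offline."""

import json
import secrets
from datetime import datetime, timedelta
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request

# Google's public OAuth 2.0 endpoints.
AUTH_ENDPOINT = "https://accounts.google.com/o/oauth2/v2/auth"
TOKEN_ENDPOINT = "https://oauth2.googleapis.com/token"
REVOKE_ENDPOINT = "https://oauth2.googleapis.com/revoke"

# Placeholders (assumption): a real deployment reads these from a secret store.
CLIENT_ID = "example-client-id.apps.googleusercontent.com"
CLIENT_SECRET = "example-client-secret"
REDIRECT_URI = "https://app.example.com/oauth/callback"
# Scope is an assumption: reading and overwriting files in arbitrary
# user-selected folders needs full Drive access rather than drive.file.
DRIVE_SCOPE = "https://www.googleapis.com/auth/drive"

REFRESH_TOKEN_MAX_AGE = timedelta(days=183)  # "expires after 6 months"


def new_state() -> str:
    """Unguessable per-session value; store it in the user's session."""
    return secrets.token_urlsafe(32)


def build_consent_url(state: str) -> str:
    """access_type=offline makes Google issue a refresh token; prompt=consent
    forces the consent screen so one is issued even on a repeat authorisation;
    state ties the callback to this session (CSRF protection)."""
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "response_type": "code",
        "scope": DRIVE_SCOPE,
        "access_type": "offline",
        "prompt": "consent",
        "state": state,
    }
    return f"{AUTH_ENDPOINT}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the one-time authorization code, rejecting a callback whose
    state does not match the session (forged or replayed redirect)."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not bound to this session")
    if "error" in qs:
        raise ValueError(f"authorization denied: {qs['error'][0]}")
    return qs["code"][0]


def code_exchange_request(code: str) -> Request:
    """Token request exchanging the code for access + refresh tokens."""
    body = urlencode({
        "code": code, "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
        "redirect_uri": REDIRECT_URI, "grant_type": "authorization_code",
    }).encode()
    return Request(TOKEN_ENDPOINT, data=body, method="POST")


def store_refresh_token(token_response_json: str, now: datetime) -> dict:
    """Persist only the refresh token and its issue time. The short-lived
    access token is used for the current job and discarded, never stored."""
    resp = json.loads(token_response_json)
    if "refresh_token" not in resp:
        raise ValueError("no refresh_token in response: access_type=offline "
                         "missing, or prior consent without prompt=consent")
    return {"refresh_token": resp["refresh_token"],
            "issued_at": now.isoformat()}


def refresh_token_is_stale(record: dict, now: datetime) -> bool:
    """True once the stored token has passed the 6-month lifetime, i.e. the
    user must re-consent before another background job can run."""
    return now - datetime.fromisoformat(record["issued_at"]) > REFRESH_TOKEN_MAX_AGE


def access_token_refresh_request(record: dict) -> Request:
    """Mint a fresh access token from the stored refresh token."""
    body = urlencode({
        "refresh_token": record["refresh_token"], "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET, "grant_type": "refresh_token",
    }).encode()
    return Request(TOKEN_ENDPOINT, data=body, method="POST")


def revoke_request(record: dict) -> Request:
    """Revocation request: wire this to both the user's revoke control and
    account deletion, then delete the stored record."""
    body = urlencode({"token": record["refresh_token"]}).encode()
    return Request(REVOKE_ENDPOINT, data=body, method="POST")
```

Deleting the stored record alone is not enough: the refresh token stays valid in the user's Google account until it expires or is revoked, so revocation should run before the record is dropped.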

2.3. Customer Support

The Personal Data is also Processed for offering support to Customers, at their request, pursuant to Art. 6 (1) b) GDPR for the performance of a contract and to Art. 6 (1) f) GDPR, on the basis of our legitimate interest. In order to help our Customers, we need to use their Personal Data for user identification, for debugging and in order to communicate with the Customers who need assistance. For this purpose, we use a feature called Beacon to help the Users of our ShortPixel plugin for WordPress. This feature is made by HelpScout, a Third Party service provider we use for customer support. Through this feature we gather the following Personal Data: name, e-mail address, and other information provided by clients during support.

We also added the Beacon feature to our Website (ShortPixel.com and sub-domains). This info helps us understand the issues of our Users. We will communicate with you in response to your inquiries, to provide the products and services you request, and to manage your account. We will communicate with you by e-mail, live chat or telephone, in accordance with your wishes.

We offer our Users the possibility to easily formulate their requests to the Company or regarding the Company’s products. Quriobot built and maintains a chatbot tool that we are using to offer customer support to our Users.
The Personal Data Processed for the above scopes consists of: name, e-mail address, other information provided by the Customer.

2.4. Marketing information

For transmission of commercial communications by electronic means, we use our own servers as the customer communication platform. In this regard, the following data may be Processed: name and surname, e-mail address.

We also send newsletters to our Users about deals and promotions. Our marketing campaigns may promote other services as well, if we believe that they are compatible with our service and could be useful for our Users. We try to keep these messages to at most two emails per User per month.

The legal basis for this Processing is your consent, according to Art. 6 (1) a) GDPR, and our legitimate interest, in accordance with Art. 6 (1) f) GDPR.

If you no longer wish to receive the Company's promotional communications, you may opt out by following the instructions included in each communication. Please note that the withdrawal takes effect only for the future and is implemented no later than 48 hours after withdrawal; for technical reasons it cannot be implemented faster.

2.5. Functional communications

We send emails to inform our Users about new features, service changes, interruptions of our service, possible errors or bugs. These messages are an important part of our communication with our Users.
The Company may, but is not obliged, to send you strictly service-related announcements on rare occasions, when it is necessary to do so. For example, if our service is temporarily suspended for maintenance, we might send you an e-mail.
The legal basis for this Processing is the performance of the contract (consisting of the Website Terms & Conditions) according to Art. 6 (1) b) GDPR and our legitimate interest to organize the requests (Art. 6 (1) f) GDPR).
Generally, you may not opt-out of these communications since they are not promotional in nature. If you do not wish to receive them, you may have the option to deactivate your account.

2.6. Blog management

We also Process Personal Data when we communicate with our blog readers and give them the opportunity to express certain points of view/ questions. In this regard, we are using the services of WebHostFace for hosting our blog (blog.shortpixel.com), as well as Disqus platform.
For this purpose, the following data may be Processed: name and surname (if available), profile picture (if available), comment content. The legal basis for this Processing lies in the performance of our Website's Terms and Conditions (Art. 6 (1) letter b) GDPR) and in our legitimate interest to communicate, interact and receive feedback from you (Art. 6 (1) letter f) GDPR).

2.7. Cookies

At the same time, we use both session ID cookies and persistent cookies as part of our Website’s interaction with your browser. For more information on the use of cookies and when your prior consent is required, please refer to our Cookie Policy available here.


3. DATA RECIPIENTS AND DATA TRANSFERS



3.1. Data recipients

Service providers: We may employ third party companies and individuals to perform service-related activities. These Third Parties may access your Personal Data only to perform these tasks on our behalf and are contractually bound not to disclose or use it for any other purpose.
Where these recipients qualify as data processors, they are contractually bound to the same obligations regarding the protection of Personal Data as those incumbent on us, and must implement technical and organizational measures for the protection of Personal Data at least at the level of those implemented by the data controller.
Third parties: Your Personal Data may be provided to governmental and regulatory agencies (e.g. tax authorities), courts or other governmental authorities, in accordance with the provisions of the applicable legislation and in line with art. 6 (1) (c) GDPR, as well as to external consultants acting as data controllers (e.g. lawyers, accountants, auditors, etc.), based on art. 6 (1) (f) GDPR.

3.2. Data transfers

We may transfer your Personal Data abroad, both to countries within the EU/EEA and to countries outside the EU/EEA.
For some countries outside the EU/EEA, the European Commission has recognized that they ensure an adequate level of protection for Personal Data, in accordance with art. 45 GDPR.
For recipients located in other countries, we have ensured, by executing Data Transfer Agreements based on Standard Contractual Clauses (Commission Decision 2010/87/EU and/or Commission Decision 2004/915/EC), in accordance with art. 46 (5) GDPR, or by using other adequate means for the transfer of Personal Data, that all such recipients offer an adequate level of protection for the Personal Data and have implemented adequate technical and organizational measures to protect Personal Data against unlawful destruction, loss, alteration or unauthorized disclosure.


4. HOW LONG DO WE KEEP YOUR PERSONAL DATA?

The Personal Data provided by you to us is only stored for as long as it is required to perform the respective purpose for which you have transmitted your data, or inasmuch as it is required for conformity with statutory or official requirements.
The Personal Data we Process in order to offer Customers the Company's products is kept for an additional 3 years after the termination of our contractual relationship.
We also keep your Personal Data for the duration of our contractual relation for providing you support services and for the purpose of offering you the possibility to formulate your requests to the Company or regarding the Company's products.
For commercial communications transmitted by electronic means, we keep your Personal Data until the moment of transmission of the communication or until you withdraw your consent, in case the request for transmission of commercial communications concerned recurrent communications.
We keep your Personal Data in relation to blogging activities during the existence of the blog or until the deletion of the comment by you.
For the use of cookies for which your prior consent is required, please refer to our Cookie Policy available at [insert hyperlink].


5. LINKS TO OTHER WEBSITES

The Company’s website uses interfaces with social media websites such as Facebook, LinkedIn, Twitter and others. If you choose to "like" or share information from the Website through these services, you should review the privacy policy of that service. If you are a member of a social media website, the interfaces may allow the social media website to connect your site visit to your Personal Data.
We are not responsible for the collection, usage and disclosure policies and practices of other organizations, such as Facebook, Twitter, Google, or any other developer, provider, social media platform, operating system provider, wireless service provider, including any personal information you disclose to other organizations through or in connection with our social media functionalities, therefore we recommend you examine the privacy statements for all Third Party websites, to understand their procedures for collecting, using, and disclosing your Personal Data.


6. DATA SECURITY

We have taken appropriate technical and organizational measures to protect your Personal Data, in particular against access by Third Parties and against accidental or intentional modification, loss or destruction. The Company stores the information it collects on computers located in a controlled, secure facility, protected from unauthorized physical or electronic access, use, or disclosure.
Personal Data is kept in electronic form, with access controlled by the authentication systems of our internal domain and by per-User access rights to the allocated resources, and, where applicable, in printed form.
The Company protects the privacy and integrity of the information it collects by employing appropriate administrative protocols, technical safeguards, and physical security controls designed to limit access and to detect and prevent unauthorized access, improper disclosure, alteration, or destruction of the information under its control. The information the Company transmits to its external service providers for the specific outsourced operations listed above crosses public and private networks under transport-layer encryption (TLS, still commonly referred to as SSL), which encrypts the information you input.


7. RIGHTS OF OUR USERS REGARDING THE PERSONAL DATA


Pursuant to the legal requirements established by GDPR, Data Subjects have specific legal rights relating to the personal data we collect from them, as follows:

Right to withdraw consent: Where you have given consent for the Processing of your Personal Data, you may withdraw your consent at any moment.

Right to rectification: You may obtain from us rectification of Personal Data concerning you. We make reasonable efforts to keep Personal Data in our possession or control which are used on an ongoing basis, accurate, complete, current, and relevant, based on the most recent information available to us.

Right to restriction: You may obtain from us restriction of Processing of your Personal Data, if you contest the accuracy of your Personal Data and the legal requirements for the exercising of this right are met.

Right to access: You may ask us for information regarding the Personal Data we hold about you, including which categories of Personal Data we have in our possession or control, what they are used for, where we collected them if not from you directly, and to whom they have been disclosed, if applicable. We may charge you a reasonable fee should you request further copies of your Personal Data.

Right to portability: You have the right to receive the Personal Data that you have provided to us and, where technically feasible, to request that we transmit that Personal Data to another organization.

Right to object: You may object, at any time, to the Processing of your Personal Data due to your particular situation, provided that the Processing is not based on your consent but on our legitimate interests or those of a Third Party. In this event we shall no longer Process your Personal Data, unless we can demonstrate compelling legitimate grounds and an overriding interest for the Processing or for the establishment, exercise or defense of legal claims.

Right to erasure: You have the right to request that we delete the Personal Data we Process about you. Please note that the deletion of Personal Data can lead to the termination of the service we provide due to technical reasons.

The right to file a complaint with the national authority: Your Personal Data is important to us, and we take all necessary steps to protect it and to respect your rights. You have the right to file a complaint with the National Authority for the Supervision of Personal Data Processing (Romanian: Autoritatea Naţională de Supraveghere a Prelucrării Datelor cu Caracter Personal), also known as ANSPDCP.

If you have any questions about the Company's security on its Website, please feel free to contact us using the contact page on the Website.


8. INTERNET FRAUD

The Company has a ZERO TOLERANCE policy for Internet fraud or any attempt to access or acquire Customer or other information on its Website via illegal or surreptitious means. The Company works with local, national, and international fraud investigation agencies and employs a variety of electronic and other means to discourage, detect, and intercept fraudulent activities.


9. CHILDREN’S PRIVACY

The Company's Website is not intended for or directed to persons under the age of 16. The Company does not buy or sell products or services from or to children. Any person who provides their information to the Company through the Company's Website attests that they are 16 years of age or older.
If we become aware that a child under the age of 16 has provided us with personally identifiable data, we will delete such information from our servers/databases.


10. CHANGES TO THIS PRIVACY STATEMENT

The Company will, from time-to-time, update this Privacy Policy and notify Users and Visitors of material changes to this statement.
A data subject's use of the Website after such changes have been made constitutes their agreement to the changes.
Last updated: 1.03.2021



APPENDIX 1. - SHORTPIXEL DATA PROTECTION ADDENDUM


This Data Processing Addendum (“DPA”) is concluded between you (“Customer” or “you”) and ShortPixel and it regulates the data processing activities performed within your use of ShortPixel services. Unless otherwise defined in this DPA or in other applicable agreements (i.e. Terms of Use – the “Agreement”), all capitalised terms used in this DPA will have the meaning given to them in Section 2 of this DPA.

1. SCOPE

This DPA applies to the processing operations performed on Customer data for the provision of ShortPixel services, as detailed in Appendix 1 below. In this context, ShortPixel will act as a data processor to Customer.

2. DEFINITIONS

The capitalized terms which are not otherwise defined in this DPA shall have the meaning below:
• „Personal Data” means any information relating to an identified or identifiable natural person (hereinafter referred to as „Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;
• „Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
• „Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
• „Controller” means the entity determining the purposes and means of the personal data processing;
• „Processor” means the entity acting under the authority and instructions of the controller;
• „Data Protection Authority” or „DPA” means a supervisory authority controlling the processing of personal data because: (a) the Controller or Processor is established on the territory of the Member State of that supervisory authority; (b) data subjects residing in the Member State of that supervisory authority are substantially affected or likely to be substantially affected by the Processing; or (c) a complaint has been lodged with that supervisory authority;
• „Data Protection Officer” or „DPO” shall mean the person designated by the Controller or the Processor in compliance with Article 37 of the GDPR;
• „Transfer of Personal Data” shall mean any transfer of Personal Data from an entity to another entity. A transfer can be carried out via any communication, copy, transfer or disclosure of Personal Data through a network, including remote access to a database or transfer from one medium to another, whatever the type of medium (for instance from a computer hard disk to a server).


3. OBLIGATIONS OF THE PROCESSOR


3.1. General Obligations

The Processor shall:
• comply with all obligations incumbent upon the data processors, as provided by the GDPR and the Relevant Data Protection Legislation;
• comply with the documented Controller’s instructions, in particular without limitation those instructions which are necessary to ensure the Controller is in compliance with the GDPR and the Relevant Data Protection Legislation;
• process the Personal Data solely in order to perform its obligations under the Agreement, only pursuant to the terms and conditions of this DPA and/or in accordance with the instructions of the Controller, except where the Processor is required to have a specific conduct pursuant to GDPR or the Relevant Data Protection Legislation.
• promptly inform the Controller i) of its inability to comply with the provisions of the DPA and/or ii) if, in its opinion, an instruction of the Controller infringes the GDPR or any other Relevant Data Protection Legislation; and
• provide the Controller with the contact details of the Processor's Data Protection Officer, should such a Data Protection Officer be appointed in compliance with Article 37 of the GDPR.

3.2. Security and Confidentiality Obligations

The Processor shall preserve the security and confidentiality of the Personal Data and implement all adequate measures to ensure that the level of security of the Controller's Personal Data is appropriate.
The Processor undertakes to implement all reasonably necessary and appropriate technical and organizational measures, using generally accepted state-of-the-art technology, to protect the Personal Data it processes under the Agreement against unauthorized or accidental access, alteration, transmission, disclosure, deletion or destruction.
The Processor shall review and adapt such measures regularly to keep up with the state of the art and applicable regulations, namely the security measures necessary to ensure the preservation and integrity of the Personal Data processed during the performance of the Agreement (for instance securing access to computers, installing antivirus software, performing regular backups on removable media and raising employees' and suppliers' awareness of security measures).
Without limiting the generality of the foregoing, the Processor shall comply with the following obligations and shall ensure that its employees and/or its suppliers will also comply with them:
• The Processor shall process the Personal Data only in accordance with the Controller’s instructions and to the extent such processing is necessary to carry out the Processor’s obligations in connection with the performance of the Agreement;
• The Processor will not use the Personal Data for any other purposes, nor will the Processor retain this data for any longer than required by the Controller;
• The Processor will only use personnel who: (i) need to process the Personal Data in order to fulfill the Processor's obligations under the Agreement, (ii) have entered into a confidentiality agreement, (iii) have received adequate training regarding the protection of Personal Data and (iv) have been informed of any special data protection requirements arising from this DPA and of the limitation of the use of the Personal Data to the specific purposes instructed. The Processor also undertakes to communicate to the Controller, upon request, the list of persons so entitled;
• The Personal Data shall not be disclosed to any Third Party, whether individual or legal person, public or private entity without prior approval of the Controller (in such case the Processor shall maintain a record of any disclosure of Personal Data to a Third Party and make such report available to the Controller, promptly upon request);
• The Processor is not allowed to make copies or duplicate of the Personal Data without the prior written consent of the Controller, unless such copies or duplicates are necessary for the fulfillment of its obligations under the Agreement.

3.3. Personal Data Breach Notification

The Processor shall notify the Controller of any Personal Data Breach without undue delay and in writing after it becomes aware of such Personal Data Breach. Such notification shall at least contain the following information:
• the nature of the Personal Data Breach including where possible, the data categories and approximate number of Data Subjects concerned and the categories and approximate number of personal data records concerned;
• the name and contact details of the Data Protection Officer or other contact point where additional information can be obtained;
• a description of the likely consequences of the Personal Data Breach;
• a description of the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Processor also undertakes to provide the Controller with reasonable assistance and co-operation to notify the Personal Data Breach to the competent Data Protection Authority and to communicate such Personal Data Breach to the Data Subjects, in compliance with Articles 33 and 34 of the GDPR and any Relevant Data Protection Legislation.
The Processor shall design and implement procedures for managing and reporting such Personal Data Breach to the Controller.

3.4. Exercise of Data Subjects’ rights

The Processor shall provide the Controller, taking into account the nature of the Processing, with reasonable assistance and co-operation, to allow the Controller to respond (i) to requests presented by Data Subjects for exercising their rights, or (ii) to requests of the competent Data Protection Authorities in relation with the Processing of Personal Data. In particular, the Processor shall implement appropriate technical and organisational measures in order to promptly satisfy in writing, within 5 working days, any request for information from the Controller.
The Processor may only grant access to, correct, delete, block, restrict the Processing of, or communicate to the Data Subject the Personal Data processed on behalf of the Controller in a structured, commonly used and machine-readable format, when instructed to do so by the Controller.
If a Data Subject sends a request or a complaint directly to the Processor, the Processor shall forward this request or complaint to the Controller without undue delay.

3.5. Subcontracting

The Processor may disclose, assign, or otherwise communicate Personal Data to any subcontractor (whether located within the EU or outside the EU) when necessary for providing the services to the Customer.
The Processor shall impose on its subcontractor by way of a contract or other legal act, the same legal requirements as the Processor itself undertakes under the DPA, in particular the obligation to provide sufficient guarantees in relation with the Processing by implementing appropriate technical and organizational measures. Where the subcontractor fails to fulfil its data protection obligations, the Processor shall remain fully liable towards the Controller for the performance of that subcontractor’s obligations.

3.6. Transfers of Personal Data outside the EEA

The Processor undertakes to:
a. only carry out Transfers of Personal Data outside the EEA when necessary for providing the services to the Customer;
b. ensure that its own subcontractors and the persons acting under the authority or on behalf of the Processor do not carry out any Transfer of the Controller's Personal Data outside the EEA unless required for the provision of the services;
c. if the Processor appoints a subcontractor located outside the EEA, ensure, before any Transfer of Personal Data, that the transfer will be carried out in compliance with the GDPR and the Relevant Data Protection Legislation (for instance, by ensuring that the EU Standard Contractual Clauses approved by the EU Commission on February, 10, 2010 (c2010/0593) will be signed by the subcontractor, if the latter is located in a country which does not provide for an adequate level of protection of Personal Data).

4. DOCUMENTATION AND AUDIT RIGHTS OF THE CONTROLLER

The Controller is entitled to access the relevant documentation regarding audits performed by the Processor. Any issues, errors or irregularities that are identified and brought to the Processor's attention will be promptly remedied by the Processor. The Processor will assist the Controller with any data protection audits or controls enforced by a Data Protection Authority or other competent public authority if these audits or controls concern data Processing within the scope of the DPA.

5. RETENTION, RETURN OR DELETION OF DATA

During the execution of the Agreement, the Processor undertakes to implement adequate technical and organizational measures to comply with data retention periods applicable to Controller’s Personal Data processed under the Agreement where requested by the Controller.
Upon termination of the Agreement, the Processor shall at the Controller’s request, either (i) return all Personal Data processed and the copies thereof to the Controller or (ii) destroy all the Personal Data.

6. LIABILITY AND INDEMNIFICATION

Pursuant to the provisions of Article 82 of the GDPR, the Processor shall indemnify, defend and hold the Controller harmless from any and all claims asserted by any Data Subject, Data Protection Authority or any Third Party with respect to a breach of any of the Processor's obligations under this Agreement, to the extent the Processor is responsible for the event giving rise to any such claim.

7. TERMINATION

This DPA shall automatically terminate upon the termination of the Agreement.
In the event the Processor is in breach of any of its obligations under this DPA, the Controller may:
a. suspend the transfer of Personal Data to the Processor until the breach is repaired to the Controller’s reasonable satisfaction or the Agreement is terminated; or
b. terminate the Agreement.

BY ADHERING TO THE PROVISIONS OF THE AGREEMENT, the terms of this DPA are also deemed accepted by the Controller and will regulate the data processing activities performed for the scope of the Agreement.



APPENDIX 1

Personal Data Processing activities
Purpose(s) of Processing: Provision of image optimisation services for the benefit of the Customer
Category/ies of Personal Data: Name and surname, e-mail address, images to be processed, IP
Category/ies of Data Subjects: Customers
Duration of Processing operations: During the term of the Agreement


APPENDIX 2

Summary of the Technical and Organizational Security Measures in order to ensure protection of Personal Data
1. Information Security Program. ShortPixel will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the ShortPixel Network, and (c) minimise security risks.
2. Designated Information Security Person: ShortPixel will designate a person to coordinate and be accountable for the information security program.
3. Main points of the information security measures:
a. User access management: Access to Personal Data is only provided to those employees and contractors who have a legitimate business need for such access privileges.
b. Network Security: The ShortPixel network will be electronically accessible to employees, contractors and any other person as necessary to provide the services under the Agreement.
c. Physical security: Access control procedures are implemented to prevent unauthorised entrance to the Processor's facilities.
d. Continued Evaluation: ShortPixel will conduct periodic reviews of the security of its network and the adequacy of its information security program as measured against industry security standards and its policies and procedures.

4. Other measures described within the content of the DPA