Current version - February, 2020.
“Client” or "You" refers to and includes any person and/or any entity that is accepting the Agreement.
“Controller” has the same meaning under the Data Protection Laws.
“Data Protection Laws” means all applicable laws governing the protection of Personal Data including, but not limited to, the General Data Protection Regulation 2016/679 (“GDPR”) and all other laws implementing or supplementing the GDPR including the Germany Federal Data Protection Act 2017 (“BDSG”).
“Data Subject” means the individual to whom Personal Data relates.
“Processing” means processing of Personal Data as defined under the Data Protection Laws, including the storage, amendment, transfer, blocking or erasure of Personal Data by ABBYY acting on behalf of the Client.
“Processor” has the same meaning under the Data Protection Laws.
“ABBYY” means ABBYY Europe GmbH Landsberger Str. 300 80687 Munich, Germany (if You have chosen Data Processing Location in the EU) or ABBYY USA Software House, Inc., 890 Hillview Court, Suite 300, Milpitas, CA 95035 (if You have chosen Data Processing Location in the USA).
“Instruction” means the written instruction, issued by Client to ABBYY, and directing the same to perform a specific action with regard to Personal Data (including, but not limited to, de-personalizing, blocking, deletion, making available). Instructions shall initially be specified in the Agreement and may, from time to time thereafter, be amended, amplified or replaced by Client in separate written instructions (individual instructions).
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“Data Processing Location” means geographical location where Uploaded Data is processed and stored.
“Standard Contractual Clauses”, “SCC” means standard data protection clauses adopted by the European Commission as defined in the Article 46 of the GDPR.
2.1. The Client and ABBYY acknowledge that for the purpose of the Data Protection Laws, the Client is the Controller and ABBYY is the Processor. In some circumstances, Client may be a Processor, in which case Client appoints ABBYY as Client’s sub-processor, which shall not change the obligations of either Client or ABBYY under this DPA, as ABBYY shall always remain a Processor with respect to the Client in such event.
2.2. Client retains control of the Personal Data and remains responsible for its compliance with its obligations under the applicable Data Protection Laws, including providing any required notices and obtaining any required consents for the lawful Processing of Personal Data made available to or otherwise transferred to ABBYY, and for the processing instructions it gives to ABBYY.
2.3. ABBYY shall process Personal Data on behalf of Client. Processing shall include such actions as may be specified in the Agreement and in the scope of work. Within the scope of the Agreement, Client shall be solely responsible for complying with the statutory requirements relating to the lawfulness of the data processing.
2.4. Based on this responsibility, Client shall be entitled to request that ABBYY, subject to the Data Protection Laws, rectifies, deletes, blocks and makes available Personal Data during and after the term of the Agreement at Client’s cost. ABBYY shall promptly comply with any of Client’s requests or instructions requiring ABBYY to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorized Processing.
2.5. The provisions of this DPA shall also apply if testing or maintenance of automatic processes or of Processing equipment is performed on behalf of Client.
3.1. ABBYY shall process Personal Data only within the scope of Client’s Instructions as set out in the Agreement, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by Union or Member State law to which ABBYY is subject. In this case, ABBYY shall inform Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
3.2. ABBYY shall, insofar as this is possible, by appropriate technical and organizational measures, reasonably assist Client with meeting Client’s compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Laws (particularly the Data Subject’s Rights stated in Chapter 3 of the GDPR and related to Data Subject’s requests), taking into account the nature of the data Processing. Taking into account the nature of Processing and any information available to ABBYY, ABBYY shall further assist the Client in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, in particular its obligations to undertake data protection impact assessments and report to and consult with supervisory authorities under the Data Protection Laws. In a situation where the requested level of assistance will be excessive or unreasonably burdensome for ABBYY, any such assistance shall be exercised at Client’s cost.
3.3. ABBYY shall implement appropriate technical and organizational measures required pursuant to Article 32 GDPR with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use. Such measures hereunder shall include, but are not limited to taking reasonable steps to achieve the following:
3.4. Contact information:
ABBYY Europe GmbH is ABBYY’s data protection representative for the European Economic Area, the United Kingdom, and Switzerland. The data protection representative of ABBYY can be reached at the following address:
ABBYY Europe GmbH
Landsberger Str. 300, 80687 Munich, Germany
Phone: +49-89-69 33 330
3.5. Client’s Notification Email Address is the same address that is used by the Client for registration within the Service. “Notification Email Address” means the email address designated by Client to receive certain notifications from ABBYY relating to this DPA.
3.6. If applicable, Client shall retain title as to any carrier media provided to ABBYY as well as any copies or reproductions thereof. ABBYY shall store such media safely and protect them against unauthorized access by third parties. ABBYY shall, upon Client’s request, provide to Client all information on Client’s Personal Data and information. ABBYY shall be obliged to securely delete any test and scrap material based on an Instruction issued by Client on a case-by-case basis. Where Client so decides, ABBYY shall hand over such material to Client or store it on Client’s behalf.
3.7. ABBYY shall provide reasonable assistance to the Client with any data protection impact assessment which the Client is required to undertake in order to comply with Articles 35 and 36 of the GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the Processing and information available to ABBYY and shall make available to Client on request such information as is reasonably necessary to demonstrate its compliance with this DPA and its obligations under Article 28 of the GDPR and shall allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client for the purpose of demonstrating compliance by ABBYY with its obligations under Data Protection Laws in respect of the Personal Data. ABBYY may object to the deployment of a specific auditor if such auditor (i) is not subject to confidentiality regarding the results of such audit (except vis-à-vis ABBYY and Client), (ii) is a competitor of ABBYY, (iii) is affiliated with a competitor of ABBYY.
3.8. ABBYY will store Personal Data for processing purposes (duration of the storage is subject to the clause 3.16 of the Agreement) either in the United States of America or in the European Union (depending on the Data Processing Location chosen by the Client).
3.9. Depending on the Data Processing Location chosen by the Client, the Personal Data of the Client may be processed in a third country pursuant to adequate safeguards under Art. 46 GDPR including, but not limited to execution of Standard Contractual Clauses or an approved code of conduct or other appropriate safeguards (for instance EU-U.S. Privacy Shield/Swiss-U.S. Privacy Shield mechanism). In the event of using the SCC, Client hereby (itself as well as on behalf of each Controller established within the EEA or Switzerland) accedes to the SCC between ABBYY and the sub-processor. ABBYY will enforce the SCC against the sub-processor on behalf of the Client or Data Subject if a direct enforcement right is not available under Data Protection Laws. Notwithstanding the above, ABBYY Europe GmbH will always have access to Personal Data and will process Personal Data.
4.1. Client shall be separately responsible for conforming with such statutory data protection regulations including the Data Protection Laws as are applicable to it and shall ensure that the Personal Data may lawfully be processed by ABBYY under the Agreement.
4.2. Client shall inform ABBYY without undue delay and comprehensively about any errors or irregularities related to statutory provisions on the Processing of Personal Data detected during a verification of the results of such Processing or otherwise arising following the date of this DPA.
4.3. Client shall be obliged to maintain the register as defined in Article 30 of the GDPR. Client shall promptly notify ABBYY of the exercise of any rights by Data Subjects affecting the Processing of Personal Data by ABBYY.
Client shall, upon termination or expiration of the Agreement and by way of issuing an Instruction, stipulate, within a period set by ABBYY, the measures to return data carrier media or to delete stored data.
4.4. Any additional cost arising out of ABBYY’s performance under Instructions outside the Agreement’s scope of work or otherwise not contemplated by this DPA shall be borne by Client.
ABBYY shall provide a copy of its most current security report upon Client’s written request and subject to the confidentiality provisions of the Agreement. If Client requires additional information beyond that which is stated in the Report, Client may contact ABBYY at email@example.com to request an on-site audit of the architecture, systems and procedures relevant to the protection of Client Personal Data that are controlled by ABBYY. Notwithstanding the above, if an audit is excessive or unreasonably burdensome for ABBYY, then Client shall reimburse ABBYY for such excessive or unreasonably burdensome audit at ABBYY's then-current professional services rates, which shall be made available to Client upon request. Before the commencement of any such audit, Client and ABBYY shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Client shall be responsible. Client shall promptly notify ABBYY with information regarding any non-compliance discovered during the course of an audit.
6.1. Client agrees that ABBYY may engage ABBYY’s Affiliates and third party sub-processors (collectively, "sub-processors") to Process the Personal Data on ABBYY's behalf. Client acknowledges that ABBYY’s contractual obligations hereunder, or the parts of the services, shall be performed by a subcontractor and consents to use of sub-processors by ABBYY as described in this section 6 to fulfil its contractual obligations under the Agreement and to provide certain services on ABBYY's behalf such as support services. The list of current sub-processors authorized by Client is provided in the Annex 1 hereof.
6.2. ABBYY undertakes to enter into a written agreement with any applicable sub-processors and such agreement shall contain the same data protection obligations as set out in this DPA. ABBYY shall remain responsible for its compliance with the obligations stated herein and for any acts or omissions of the sub-processors.
6.3. ABBYY may, by giving no less than thirty (30) days’ notice to Client, add or make changes to the sub-processors. Client may object to the appointment of an additional sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of the Personal Data, in which case ABBYY shall have the right to cure the objection through one of the following options (to be selected at ABBYY’s sole discretion):
If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of the parties within 30 days after ABBYY’s receipt of Client’s objection, either party may terminate the Agreement and Client shall be entitled to a pro-rata refund for prepaid fees for Subscription Services not performed as of the date of termination.
7.1. ABBYY shall without undue delay notify Client if it becomes aware of any Personal Data Breach in accordance with applicable Data Protection Laws.
7.2. Immediately following any Personal Data Breach, the parties shall coordinate with each other to investigate the matter. ABBYY shall reasonably co-operate with Client in Client's handling of the matter.
7.3. ABBYY shall not inform any third party of any Personal Data Breach without first obtaining Client's prior written consent, except when required to do so by Data Protection Laws or any other applicable Union or Member State laws.
7.4. ABBYY shall cover all reasonable expenses associated with the performance of the obligations under this section 7 unless the matter arose from Client's specific instructions, negligence, willful default or breach of the Agreement, in which case Client shall cover all reasonable expenses.
7.5. ABBYY shall also reimburse Client for actual reasonable expenses that Client incurs when responding to a Personal Data Breach to the extent that ABBYY caused such a Personal Data Breach, including all costs of notice and any remedy.
8.1. Where Client’s Personal Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while being Processed, ABBYY shall inform Client without undue delay. ABBYY shall, without undue delay, notify all pertinent parties in such action that any Personal Data affected thereby is Client’s sole property and area of responsibility and that Personal Data is at Client’s sole disposition.
8.2. No change of or amendment to this DPA and all of its components, including any commitment issued by ABBYY, shall be valid and binding unless made in writing and unless they make express reference to being a change or amendment to these regulations. The foregoing shall also apply to the waiver of this mandatory written form.
8.3. To the extent required by applicable Data Protection Laws, this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the same jurisdiction stated in the Agreement for governing the Agreement.
8.4. The term of this DPA shall follow the term of the Agreement. Upon termination or expiration of the Agreement, ABBYY shall, in accordance with the terms of the Agreement, delete or make available to Client for retrieval all relevant Personal Data (including copies) in ABBYY’s possession, save to the extent that ABBYY is required by any applicable Union or Member State law to retain some or all of the Personal Data. In such event, ABBYY shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further processing of such Personal Data to only those limited purposes that require the retention, for so long as ABBYY maintains the Personal Data.
8.5. Exclusive trial Service’s provisions. Based on the provision 2.8 of the Agreement, ABBYY may use Personal Data for its own R&D purposes which go beyond Client Instructions under this DPA. In such case ABBYY becomes an independent data Controller. Deletion Periods set out for Uploaded Data in the section 3.14 of the Agreement are only applicable for the data processing under the Client’s Instructions.
9.1. The purpose of the data processing by ABBYY is the provision of its services to Client. ABBYY provides for the Client the following service:
Document recognition, document conversion, and data capture service using OCR (optical character recognition) technologies.
9.2. The following types of data are processed:
The Subject Matter of the processing of personal data comprises the following data types/categories (List/Description of the Data Categories):
Neither Client nor End Users authorized by Client shall use the Service to process Special Categories of Personal Data (this includes details about race or ethnicity, religious or philosophical beliefs, sex life, sexual orientation, political opinions, trade union membership, information about health and genetic and biometric data). Nor shall Client process or give instructions to process any information about criminal convictions and offences.
Client is liable for any Personal Data that is provided or otherwise made available to ABBYY in excess of the categories of data described above ("Excess Data"). ABBYY’s obligations under the Agreement of this DPA shall not apply to any such Excess Data.
9.3. The following people and groups of people are affected:
The Categories of Data Subjects comprise:
Client acknowledges that ABBYY’s contractual obligations hereunder, or the parts of the deliverables defined below, shall be performed by sub-processors:
Technical and organizational measures
ABBYY and the Client agree that the technical and organizational measures are an integral and an effective part of this DPA. This applies subject to the provision that these technical and organizational measures may be adapted to the newest developments from time to time. ABBYY shall inform the Client without any further delay about any changes of its security guidelines.
General practices. ABBYY has implemented and shall maintain for the Services appropriate technical and organizational measures, internal controls, and information security measures as provided by Data Protection Law (including pursuant to Article 32 of the GDPR) to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction. Client is wholly responsible for implementing and maintaining security within any interface and Client’s Services\Application provided by Client, or on Client’s behalf.
1. Service. For the Service, ABBYY has implemented and shall maintain the following:
2. Human resources security.
3. Communications and operations management.
4. Domain: access control.
5. Audits and job control.