From 4eeee7397cef09fd30a89f36838e9d233b549937 Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Tue, 8 Oct 2024 11:50:52 +0200
Subject: [PATCH 1/8] docs: added dpa

---
 .../latest/terms/data-processing-addendum.md  | 291 ++++++++++++++++++
 1 file changed, 291 insertions(+)
 create mode 100644 sources/legal/latest/terms/data-processing-addendum.md

diff --git a/sources/legal/latest/terms/data-processing-addendum.md b/sources/legal/latest/terms/data-processing-addendum.md
new file mode 100644
index 0000000000..c6086e4d5a
--- /dev/null
+++ b/sources/legal/latest/terms/data-processing-addendum.md
@@ -0,0 +1,291 @@
+---
+title: Apify Data Processing Addendum
+description: Apify Data Processing Addendum serve as a framework for processing of personal data on behalf of Apify customers.
+sidebar_position: 3
+sidebar_label: Data Processing Addendum
+category: legal
+slug: /data-processing-addendum
+---
+
+# Apify Data Processing Addendum
+
+<!-- vale off -->
+
+Last Updated: September 20, 2024
+
+---
+
+
+<i>If you wish to execute this DPA, continue [here](https://eform.pandadoc.com/?eform=5344745e-5f8e-44eb-bcbd-1a2f45dbd692) and follow instructions in the PandaDoc form.</i>
+
+---
+
+This Apify Data Processing Addendum ("**DPA**") forms part of the Apify General Terms of Service and/or the Master Service Agreement ("**Agreement**") between Apify Technologies s.r.o. ("**Apify**") and Customer identified in the Agreement (referred to as the "**Parties**" or individually as the "**Party**"), and sets forth the Parties' obligations with respect to the Processing of Personal Data (definitions below).
+
+## 1. Definitions 
+
+All capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement or the Data Protection Law, as applicable. In the event of a conflict between the terms of the Agreement and this DPA, the DPA will prevail.
+
+1.1. "**Data Protection Law**" means all applicable laws, regulations, and other legally binding requirements in any jurisdiction relating to privacy, data protection, data security, breach notification, or the Processing of Personal Data, including, to the extent applicable, the General Data Protection Regulation, Regulation (EU) 2016/679 ("**GDPR**"), the United Kingdom Data Protection Act of 2018 ("**UK Privacy Act**"), the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and associated amendments and regulations thereto ("**CCPA**"). For the avoidance of any doubt, if Apify's Processing activities involving Personal Data are not within the scope of a given Data Protection Law, such law is not applicable for purposes of this DPA.
+
+1.2. "**EU SCCs**" means the Standard Contractual Clauses issued pursuant to Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of the DPA effective date at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj or any subsequent link published by the competent EU authorities).
+
+1.3. "**Personal Data**" includes "personal data," "personal information," "personally identifiable information," and similar terms, and such terms will have the same meaning as defined by applicable Data Protection Laws, that are Processed by Apify on behalf of Customer in the course of providing Apify Platform and other Services under the Agreement.
+
+1.4. "**UK Addendum**" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as published by the UK Information Commissioner's Office and in force as of 21 March 2022.
+
+## 2. Roles and Details of Processing
+
+2.1. **Customer as a Controller**
+
+2.1.1. Under this DPA, Customer acts as a Controller or Processor (as applicable) of Personal Data and Apify will act as a (Sub)Processor or Service Provider (as defined in and as applicable under the Data Protection Laws) and will Process Personal Data in connection with the Apify Platform and other Services solely to fulfill Apify obligations to Customer under the Agreement, including this DPA; on Customer's behalf, pursuant to Customer's documented instructions; and in compliance with applicable Data Protection Laws ("**Permitted Purpose**").
+
+2.1.2. The scope, nature, purposes, and duration of the Processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including without limitation Schedule C to this DPA.
+
+2.1.3. It is Customer's responsibility to ensure that Customer's instructions comply with Data Protection Laws. Apify is not responsible for determining what laws or regulations apply to Customer's business, or for determining whether Apify Platform or other Services meet the requirements of such laws. Customer will ensure that Processing Personal Data in accordance with its instructions will not cause Apify to violate any law or regulation, including Data Protection Laws. 
+
+2.1.4. Unless Parties mutually agree otherwise in writing, Customer shall not provide Apify any Personal Data for Processing that is subject to strict privacy regimes outside of the scope of this DPA, including but not limited to Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), relating to criminal convictions and offenses or Personal Data collected or otherwise Processed by Customer subject to or in connection with FBI Criminal Justice Information Services or the related Security Policy; constituting protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or data subject to Payment Card Industry Data Security Standard (PCI-DSS).
+
+2.2. **Apify as an Independent Controller**. Apify Processes some Personal Data as an independent Controller. Apify conducts such Processing outside of the scope of this DPA, however, in compliance with Data Protection Laws, and in a manner consistent with the purposes outlined in the [Apify Privacy Policy](https://docs.apify.com/legal/privacy-policy). Those exhaustive purposes are restated here for transparency and convenience:¨
+
+2.2.1. user accounts provisioning, management and removal, customer support; account, billing, and customer relationship management and related customer correspondence;
+
+2.2.2. complying with and resolving legal obligations, including responding to Data Subject requests for Personal Data Processed by Apify as Controller (for example, website data), tax requirements, agreements, and disputes;
+
+2.2.3. abuse detection, prevention, and protection, and scanning to detect violations of Apify Terms and Conditions and,
+
+2.2.4. creating aggregated statistical data for internal reporting, financial reporting, revenue planning, capacity planning, and forecast modeling (including product strategy).
+
+## 3. Confidentiality of Processing
+
+3.1. Apify shall ensure that any person it authorizes to Process the Personal Data (including Apify affiliates and their staff, agents, and subcontractors) (an "**Authorized Person**") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. 
+
+3.2. Apify shall ensure that only Authorized Persons will Process the Personal Data, and that such Processing shall be limited to the extent necessary to achieve the Permitted Purpose. Apify accepts responsibility for any breach of this DPA caused by the act, error or omission of an Authorized Person.
+
+## 4. Security Measures
+
+4.1. Apify has adopted a variety of administrative, technical, physical, and organizational measures designed to protect the Apify Platform against accidental or unlawful destruction, loss, alteration, disclosure or access (collectively the "**Security Measures**").
+
+4.2. Apify will maintain its Security Measures to provide a level of protection that is appropriate to the risks concerning confidentiality, integrity, availability, and resilience of our systems and the Apify Platform while also taking into account the state of the art, implementation costs, the nature, scope, and purposes of Processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of Data Subjects. Apify Security Measures are described in Schedule D.
+
+## 5. Security Incidents
+
+5.1. Apify will notify Customer without undue delay (and in any event within 72 hours) of any known breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data Processed by Apify on Customer's behalf (a "**Security Incident**"). For clarity, the term Security Incident always excludes (a) unsuccessful attempts to penetrate computer networks or servers maintained by or for Apify; and (b) immaterial incidents that occur on a routine basis, such as security scans, brute-force attempts or "denial of service" attacks.
+
+5.2. Apify will also provide reasonable assistance to Customer in its compliance with Customer's Security Incident-related obligations, including without limitation by:
+
+5.2.1. taking steps to mitigate the effects of the Security Incident and reduce the risk to Data Subjects whose Personal Data was involved (such steps to be determined by Apify in its sole discretion); and
+
+5.2.2. providing Customer with the following information, to the extent known: 
+
+(i) the nature of the Security Incident, including, where possible, how the Security Incident occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; 
+
+(ii) the likely consequences of the Security Incident; and 
+
+(iii) the measures we have taken or propose to take to address the Security Incident, including where appropriate measures to mitigate its possible adverse effects. 
+Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay. 
+
+5.3. Apify's notification of or response to a Security Incident under this Section is not an acknowledgement of any fault or liability. 
+
+5.4. Customer is solely responsible for complying with its obligations under any incident notification laws. Customer must notify Apify promptly about any possible misuse of its user accounts or authentication credentials, or any Security Incident related to Apify Platform or other Services provided by Apify under the Agreement.
+
+## 6. Subprocessors
+
+6.1. Customer authorizes Apify to engage third parties to Process Personal Data ("**Subprocessors**") listed in Schedule E ("**Apify Subprocessor(s)**"), provided that Apify provides at least ten (10) days' prior written notice of the addition of any Subprocessor (including the categories of Personal Data Processed, details of the Processing it performs or will perform, and the location of such Processing) by means of a notice on the Apify Subprocessors website.
+
+6.2. Apify encourages Customer to periodically review the Apify Subprocessors website for the latest information on Apify Subprocessors, and especially before Customer provides Apify with any Personal Data. The Apify Subprocessors website contains a mechanism to subscribe to notifications of updates to the Subprocessor list, and Apify will provide details of any such changes solely via this subscription mechanism. Customer has the opportunity to object to such changes within ten (10) days after written notification. Suppose Customer objects to Apify's appointment of a new Subprocessor on reasonable grounds relating to the protection of its Personal Data. In that case, the Parties will promptly confer and discuss alternative arrangements to enable Apify to continue Processing of Personal Data. 
+
+6.3. In all cases, Apify shall impose in writing the same data protection obligations on any Subprocessor it appoints as those provided for by this DPA and Apify shall remain liable for any breach of this DPA that is caused by an act, error or omission of its Subprocessor to the extent it is liable for its own acts and omissions under the Agreement.
+
+## 7. International Data Transfers
+
+7.1. Customer appoints Apify to transfer Personal Data to the United States or any other country in which Apify or its Subprocessors operate as specified hereunder, and to store and Process Personal Data for Permitted Purpose, subject to the safeguards below and described elsewhere in this DPA.
+
+7.2. Where Apify engages in an onward transfer of Personal Data, Apify shall ensure that, where legally required, a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.
+
+7.3. To the extent legally required, the EU SCCs form part of this DPA and will be deemed completed as set forth in Schedule A. In the event of a conflict between the terms of the EU SCCs and this DPA, the EU SCCs will prevail.
+
+7.4. If, as a Controller, the Customer is situated in the United Kingdom (UK), the EU SCCs shall apply together with the UK Addendum to the SCCs, as specified in Schedule A, in relation to the transfer of Personal Data from the United Kingdom and shall be incorporated in this DPA.
+
+## 8. Auditing Compliance
+
+8.1. Upon Customer's written request, and no more than once per twelve (12) calendar months, Apify will provide Customer with its most recent security review reports and/or applicable certifications for the Apify Platform and provide reasonable assistance and information to Customer to understand the information in such reports.
+
+8.2. If Customer has a reasonable objection that the information provided is not sufficient to demonstrate Apify compliance with this DPA, Customer may conduct an audit, or select a mutually-agreed upon third-party to conduct an audit, of Apify practices related to Processing Personal Data in compliance with this DPA, at Customer's sole expense (an "**Audit**"). General compliance Audits shall occur not more than once every twelve (12) calendar months. 
+
+8.3. To the extent you use a third-party representative to conduct the Audit, Customer will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. Customer will provide Apify with at least thirty (30) days prior written notice of its intention to conduct an Audit. Before any Audit, the Parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the Apify reimbursement rate for which Customer will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of Apify. 
+
+8.4. Customer and its third-party representatives will conduct Audits:
+
+(i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Apify Platform; and 
+
+(ii) in a manner that will result in minimal disruption to Apify's business operations and during Apify's regular business hours. 
+
+Neither Customer nor its third-party representatives will be entitled to receive data or information of other Apify customers or any other Apify Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. 
+
+8.5. Customer will promptly provide Apify with the Audit results upon completion of the Audit. All Audit related materials will be considered "Confidential Information" subject to the confidentiality provisions of the Agreement.
+
+## 9. Personal Data Retention; Return and Destruction
+
+9.1. Apify will retain Personal Data in accordance with its standard data retention policies and procedures. Customer shall ensure to retrieve all Personal Data before termination or expiration of the Agreement. If Customer deletes its user account or following the termination of Agreement, Apify will have no obligation to maintain or provide Customer with copies of its Personal Data.
+
+9.2. Except to the extent required otherwise by Data Protection Laws, Apify will, at Customer's choice and upon its written request, return to Customer or securely destroy all Personal Data upon such request or at termination or expiration of the Agreement. Apify will provide Customer with a certificate of destruction only upon Customer's written request. In case of local laws applicable to Apify that prohibit the return or deletion of Personal Data, Apify warrants that it will continue to ensure compliance with this DPA and will only Process the Personal Data to the extent and for as long as required under such local laws.
+
+## 10. Data Subject Requests
+
+10.1. If Apify receives any requests from Data Subjects seeking to exercise any rights afforded to them under Data Protection Laws regarding their Personal Data, and to the extent legally permitted, will promptly notify Customer or refer the Data Subjects to Customer for handling. Such requests related to Personal Data may include: access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or to not be subject to automated individual decision making (each, a "**Data Subject Request**").
+
+10.2. Apify will not respond to such Data Subject Requests itself, and Customer authorizes Apify to redirect the Data Subject Request as necessary to Customer for handling. If Customer is unable to directly respond to a Data Subject Request made by a Data Subject itself, Apify will, upon your request, provide commercially reasonable efforts to assist Customer in responding to the Data Subject Request, to the extent Apify is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. 
+
+10.3. To the extent legally permitted, Customer will be responsible for any costs arising from Apify's provision of this additional support to assist Customer with a Data Subject Request.
+
+## 11. Data Protection Impact Assessment
+
+11.1. Apify will provide reasonable assistance to and cooperation with the other party for their performance of a data protection impact assessment or privacy impact assessment of Processing or proposed Processing activities, when required by applicable Data Protection Laws.
+
+## 12. General Cooperation to Remediate
+12.1. If Apify believes or becomes aware that (i) its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects; (ii) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (iii) in its opinion an instruction from Customer infringes applicable Data Protection Laws; it shall promptly inform Customer of the same and await Customer's further instructions. Apify shall, taking into account the nature of Processing and the information available to Apify, provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment, and, if necessary, to consult with its relevant data protection authority.
+
+12.2. Each Party shall promptly notify the other Party of any proceedings, in particular administrative or court proceedings, relating to Personal Data Processing hereunder, and of any administrative decision or judgment concerning the Processing of that Personal Data, as well as of any inspections pertaining to Personal Data Processing.
+
+12.3. In the event that Data Protection Law, or a data protection authority or regulator, provides that the transfer or Processing of Personal Data under this DPA is no longer lawful or otherwise permitted, then the Parties shall agree to remediate the Processing (by amendment to this DPA or otherwise) in order to meet the necessary standards or requirements.
+
+## 13. Representations and Warranties; Liability
+
+13.1. Customer represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Customer Affiliates. Customer further represents and guarantees that it has acquired all necessary consents from the Data Subjects for the Processing of their Personal Data or is subject to any other lawful basis under the applicable Data Protection Laws. Customer is fully responsible for compliance of the instructions, requests and recommendations issued to Apify with the Permitted Purpose of the Processing and any applicable Data Protection Laws.
+
+13.2. Each Party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each Party further represents, warrants, and covenants that it will comply with all Data Protection Laws applicable to such Party in its role as Data Controller, Business, Data Processor, Service Provider, or Subprocessor (as applicable under Data Protection Laws). 
+
+13.3. Customer agrees to indemnify and hold Apify harmless against all claims, actions, third-party claims, losses, damages and expenses incurred by Apify in its capacity as Processor of the Personal Data of the Customer arising from (i) any Security Incident in terms of this Agreement if such Security Incident was caused by the Customer or (ii) any negligent act or omission by Customer in the exercise of the rights granted to it under the Privacy Protection Law and arising directly or indirectly out of or in connection with a breach of this DPA.
+
+13.4. Except for Customer's indemnification obligations hereunder, each Party’s liability arising out of or related to this DPA is subject to the liability limitation provisions of the Agreement, and any reference in such section to the liability of a Party means the aggregate liability of that Party under the Agreement and this DPA together.
+
+## 14. Final Provisions
+
+14.1. This DPA is effective from the date of its execution or from the Effective Date of the Agreement, which incorporates the DPA. The obligations placed upon Apify under this DPA shall survive so long as Apify and/or its Subprocessors Process Personal Data as described herein and/or under the terms of the Agreement.
+
+14.2. Apify may update this DPA from time to time as laws, regulations, and industry standards evolve, or as Apify makes changes to its business or the Apify Platform. 
+
+14.3. If Apify makes changes that materially change the Parties’ rights or obligations under this DPA, Apify will provide additional notice in accordance with applicable legal requirements, such as via our website or through the Apify Platform. By continuing to access and use the Apify Platform and other Services after the "last updated" date of the revised DPA, Customer agrees to be bound by the revised DPA.
+
+14.4. If any provision hereof is deemed to be invalid or unenforceable for any reason, all other provisions shall remain in force and the Parties shall be obliged to replace such invalid (unenforceable) provisions at the request of either Party with a provision which is valid and the economic effect of which is as close as possible to the economic effect of the replaced provision.
+
+**Schedules**:
+Schedule A: EU SCCs & UK Addendum
+Schedule B: CCPA Additional Terms
+Schedule C: Details of Processing
+Schedule D: Security Measures
+Schedule E: List of Apify Subprocessors
+
+## Schedule A: EU SCCs and UK Addendum
+
+Article 46 of the GDPR requires that a Processor that transfers data outside of the EEA to a non-adequate country must utilize a safeguard.
+
+Therefore, where:
+(a) Customer is not established in the EU and Personal Data Processing by Customer is not subject to GDPR (pursuant to Article 3(2) thereof); and
+(b) GDPR applies to international data transfer from EEA to countries outside the EEA (where Apify is involved in Processing data within the EEA on behalf of Customer); and 
+(c) an international transfer of Personal Data cannot take place on the basis of an adequacy decision pursuant to Art 45 (3) GDPR; 
+
+Parties will comply with the obligations in the EU SCCs, which shall form an integral part of this Addendum. Any undefined capitalized terms used in this Schedule A have the meanings assigned to such terms in the EU SCCs.
+
+For the purposes of EU Standard Contractual Clauses:
+1.1. Module Four of the EU SCCs will apply.
+1.2. The docking option under Clause 7 (Optional - Docking Clause) will not apply.
+1.3. Clause 17 (Governing law) shall be completed as follows: "These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Czech Republic."
+1.4. Clause 18 (Choice of forum and jurisdiction), shall be completed as follows: "Any dispute arising from these Clauses shall be resolved by the courts of the Czech Republic."
+
+#### Annex I(A): List of Parties
+Data exporter: 
+Name: Apify Technologies s.r.o.
+Address: Vodičkova 704/36, Nové Město, 110 00 Praha 1
+Contact person’s name, position and contact details: 
+Apify Privacy Team, privacy@apify.com
+Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement. 
+Role: Processor or Subprocessor, as applicable
+
+
+Data importer: 
+Name: Customer's name identified in the Agreement
+Address: Customer's address as provided in the Agreement
+Contact person’s name, position and contact details: As provided in Customer's user account at Apify Platform
+Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement. 
+Role: Controller or Processor, as applicable
+Annex I(B): Description of Processing & Transfer
+As provided in Schedule C to this DPA.
+
+### UK Addendum
+In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:
+The Module 4 of the EU SCCs shall also apply to transfers of such Personal Data, subject to sub-section (b) below;
+Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in Schedule A of this DPA, and the option "neither party" shall be deemed checked in Table 4; and,
+The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.
+
+
+
+## Schedule B: CCPA Additional Terms
+If and to the extent Apify is Processing Personal Data within the scope of the CCPA on Customer's behalf and in accordance with Customer's documented instructions, Apify will not:
+(a) sell the Personal Data as the term "selling" is defined in the CCPA;
+(b) share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, the Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged;
+(c) retain, use, or disclose the Personal Data for any purpose other than for the business purposes specified in this DPA and the Agreement, or as otherwise permitted by the CCPA;
+(d) retain, use, or disclose the Personal Data outside of the direct business relationship with Customer; or
+(e) combine the Personal Data with personal information that it receives from or on behalf of a third party or collects from California residents, except that Apify may combine Personal Data to perform any business purpose as permitted by the CCPA or any regulations adopted or issued under the CCPA.
+
+The Parties acknowledge and agree that the exchange of Personal Data between them does not constitute a "sale" of Personal Data under the CCPA and does not form part of any monetary or other valuable consideration exchanged between them with respect to the Agreement or this DPA.
+
+## Schedule C: Details of Processing
+
+### Categories of Data Subjects
+Data Subjects may be any individuals about which Customer collects and instructs Apify to Process Personal Data, including its prospects, customers, vendors, employees, contact persons, website users, etc.
+### Categories of Personal Data
+Categories of Personal Data collected are solely at Customer's own discretion, resulting from Customer's use of Apify Platform and other Services, and may include name, title, contact details, ID data, professional or personal life data, connection data, localization data, etc.
+### Sensitive Data Transferred
+Customer agrees not to transfer sensitive data without informing Apify. Transfer of sensitive data, if applicable and agreed upon in the Agreement, is done subject to additional safeguards that fully take into account the nature of such data and risks involved.
+### Frequency of the Transfer
+Continuous during the term of the DPA.
+### Nature of Processing
+The nature of processing is storage and retrieval of Personal Data relating to the provision of Apify Platform and other Services by Apify to Customer.
+### Purpose of Processing
+As specified in Section 2.1.1. of the DPA above.
+### The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
+As described in Section 9 of the DPA.
+### For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing
+The Personal Data are transferred to further Subprocessors for the purposes of provision of infrastructure and/or software as a service in relation to the Permitted Purpose, for as long as needed in order to deliver the functionality.
+
+## Schedule D: Security Measures
+
+Apify shall implement appropriate technical and organizational measures in accordance with Data Protection Laws to ensure a level of security appropriate to the risk, which may include as appropriate:
+
+(a) the encryption of personal data;
+(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
+(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
+(d) a process for regularly testing, accessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
+
+## Schedule E: List of Apify Subprocessors
+
+<table border="0.5"> 
+ <tr align="left"> 
+    <th>Subprocessor Name</th>
+    <th>Purpose of Processing</th>
+    <th>Location</th>
+  </tr>
+  <tr>
+    <td>Amanzon Web Services, Inc.</td>
+    <td>Infrastructure</td>
+    <td>US</td>
+    
+  </tr>
+  <tr> 
+    <td>MongoDB Inc.</td>
+    <td>Database</td>
+    <td>US</td>
+ </tr>
+ <tr> 
+    <td>Snowflake, Inc.</td>
+    <td>Data Warehousing</td>
+    <td>US</td>
+ </tr>
+ <tr> 
+    <td>Mezmo Inc.</td>
+    <td>Centralized Log Management</td>
+    <td>US</td>
+ </tr>
+</table>

From 4a8d26771e4ec6d156da36abb6839583c2cd80d6 Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Tue, 8 Oct 2024 12:27:40 +0200
Subject: [PATCH 2/8] docs: dpa updated

---
 .../latest/terms/data-processing-addendum.md  | 84 +++++++++++--------
 1 file changed, 51 insertions(+), 33 deletions(-)

diff --git a/sources/legal/latest/terms/data-processing-addendum.md b/sources/legal/latest/terms/data-processing-addendum.md
index c6086e4d5a..d4596c27f6 100644
--- a/sources/legal/latest/terms/data-processing-addendum.md
+++ b/sources/legal/latest/terms/data-processing-addendum.md
@@ -22,7 +22,7 @@ Last Updated: September 20, 2024
 
 This Apify Data Processing Addendum ("**DPA**") forms part of the Apify General Terms of Service and/or the Master Service Agreement ("**Agreement**") between Apify Technologies s.r.o. ("**Apify**") and Customer identified in the Agreement (referred to as the "**Parties**" or individually as the "**Party**"), and sets forth the Parties' obligations with respect to the Processing of Personal Data (definitions below).
 
-## 1. Definitions 
+## 1. Definitions
 
 All capitalized terms not otherwise defined herein shall have the meaning set forth in the Agreement or the Data Protection Law, as applicable. In the event of a conflict between the terms of the Agreement and this DPA, the DPA will prevail.
 
@@ -42,11 +42,11 @@ All capitalized terms not otherwise defined herein shall have the meaning set fo
 
 2.1.2. The scope, nature, purposes, and duration of the Processing, the types of Personal Data Processed, and the Data Subjects concerned are set forth in this DPA, including without limitation Schedule C to this DPA.
 
-2.1.3. It is Customer's responsibility to ensure that Customer's instructions comply with Data Protection Laws. Apify is not responsible for determining what laws or regulations apply to Customer's business, or for determining whether Apify Platform or other Services meet the requirements of such laws. Customer will ensure that Processing Personal Data in accordance with its instructions will not cause Apify to violate any law or regulation, including Data Protection Laws. 
+2.1.3. It is Customer's responsibility to ensure that Customer's instructions comply with Data Protection Laws. Apify is not responsible for determining what laws or regulations apply to Customer's business, or for determining whether Apify Platform or other Services meet the requirements of such laws. Customer will ensure that Processing Personal Data in accordance with its instructions will not cause Apify to violate any law or regulation, including Data Protection Laws.
 
 2.1.4. Unless Parties mutually agree otherwise in writing, Customer shall not provide Apify any Personal Data for Processing that is subject to strict privacy regimes outside of the scope of this DPA, including but not limited to Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g (FERPA), relating to criminal convictions and offenses or Personal Data collected or otherwise Processed by Customer subject to or in connection with FBI Criminal Justice Information Services or the related Security Policy; constituting protected health information subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) or data subject to Payment Card Industry Data Security Standard (PCI-DSS).
 
-2.2. **Apify as an Independent Controller**. Apify Processes some Personal Data as an independent Controller. Apify conducts such Processing outside of the scope of this DPA, however, in compliance with Data Protection Laws, and in a manner consistent with the purposes outlined in the [Apify Privacy Policy](https://docs.apify.com/legal/privacy-policy). Those exhaustive purposes are restated here for transparency and convenience:¨
+2.2. **Apify as an Independent Controller**. Apify Processes some Personal Data as an independent Controller. Apify conducts such Processing outside of the scope of this DPA, however, in compliance with Data Protection Laws, and in a manner consistent with the purposes outlined in the [Apify Privacy Policy](https://docs.apify.com/legal/privacy-policy). Those exhaustive purposes are restated here for transparency and convenience:
 
 2.2.1. user accounts provisioning, management and removal, customer support; account, billing, and customer relationship management and related customer correspondence;
 
@@ -58,7 +58,7 @@ All capitalized terms not otherwise defined herein shall have the meaning set fo
 
 ## 3. Confidentiality of Processing
 
-3.1. Apify shall ensure that any person it authorizes to Process the Personal Data (including Apify affiliates and their staff, agents, and subcontractors) (an "**Authorized Person**") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. 
+3.1. Apify shall ensure that any person it authorizes to Process the Personal Data (including Apify affiliates and their staff, agents, and subcontractors) (an "**Authorized Person**") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality.
 
 3.2. Apify shall ensure that only Authorized Persons will Process the Personal Data, and that such Processing shall be limited to the extent necessary to achieve the Permitted Purpose. Apify accepts responsibility for any breach of this DPA caused by the act, error or omission of an Authorized Person.
 
@@ -76,16 +76,16 @@ All capitalized terms not otherwise defined herein shall have the meaning set fo
 
 5.2.1. taking steps to mitigate the effects of the Security Incident and reduce the risk to Data Subjects whose Personal Data was involved (such steps to be determined by Apify in its sole discretion); and
 
-5.2.2. providing Customer with the following information, to the extent known: 
+5.2.2. providing Customer with the following information, to the extent known:
 
-(i) the nature of the Security Incident, including, where possible, how the Security Incident occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned; 
+(i) the nature of the Security Incident, including, where possible, how the Security Incident occurred, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned;
 
-(ii) the likely consequences of the Security Incident; and 
+(ii) the likely consequences of the Security Incident; and
 
-(iii) the measures we have taken or propose to take to address the Security Incident, including where appropriate measures to mitigate its possible adverse effects. 
-Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay. 
+(iii) the measures we have taken or propose to take to address the Security Incident, including where appropriate measures to mitigate its possible adverse effects.
+Where, and in so far as, it is not possible to provide all information at the same time, the initial notification will contain the information then available and further information will, as it becomes available, subsequently be provided without undue delay.
 
-5.3. Apify's notification of or response to a Security Incident under this Section is not an acknowledgement of any fault or liability. 
+5.3. Apify's notification of or response to a Security Incident under this Section is not an acknowledgement of any fault or liability.
 
 5.4. Customer is solely responsible for complying with its obligations under any incident notification laws. Customer must notify Apify promptly about any possible misuse of its user accounts or authentication credentials, or any Security Incident related to Apify Platform or other Services provided by Apify under the Agreement.
 
@@ -93,7 +93,7 @@ Where, and in so far as, it is not possible to provide all information at the sa
 
 6.1. Customer authorizes Apify to engage third parties to Process Personal Data ("**Subprocessors**") listed in Schedule E ("**Apify Subprocessor(s)**"), provided that Apify provides at least ten (10) days' prior written notice of the addition of any Subprocessor (including the categories of Personal Data Processed, details of the Processing it performs or will perform, and the location of such Processing) by means of a notice on the Apify Subprocessors website.
 
-6.2. Apify encourages Customer to periodically review the Apify Subprocessors website for the latest information on Apify Subprocessors, and especially before Customer provides Apify with any Personal Data. The Apify Subprocessors website contains a mechanism to subscribe to notifications of updates to the Subprocessor list, and Apify will provide details of any such changes solely via this subscription mechanism. Customer has the opportunity to object to such changes within ten (10) days after written notification. Suppose Customer objects to Apify's appointment of a new Subprocessor on reasonable grounds relating to the protection of its Personal Data. In that case, the Parties will promptly confer and discuss alternative arrangements to enable Apify to continue Processing of Personal Data. 
+6.2. Apify encourages Customer to periodically review the Apify Subprocessors website for the latest information on Apify Subprocessors, and especially before Customer provides Apify with any Personal Data. The Apify Subprocessors website contains a mechanism to subscribe to notifications of updates to the Subprocessor list, and Apify will provide details of any such changes solely via this subscription mechanism. Customer has the opportunity to object to such changes within ten (10) days after written notification. Suppose Customer objects to Apify's appointment of a new Subprocessor on reasonable grounds relating to the protection of its Personal Data. In that case, the Parties will promptly confer and discuss alternative arrangements to enable Apify to continue Processing of Personal Data.
 
 6.3. In all cases, Apify shall impose in writing the same data protection obligations on any Subprocessor it appoints as those provided for by this DPA and Apify shall remain liable for any breach of this DPA that is caused by an act, error or omission of its Subprocessor to the extent it is liable for its own acts and omissions under the Agreement.
 
@@ -111,17 +111,17 @@ Where, and in so far as, it is not possible to provide all information at the sa
 
 8.1. Upon Customer's written request, and no more than once per twelve (12) calendar months, Apify will provide Customer with its most recent security review reports and/or applicable certifications for the Apify Platform and provide reasonable assistance and information to Customer to understand the information in such reports.
 
-8.2. If Customer has a reasonable objection that the information provided is not sufficient to demonstrate Apify compliance with this DPA, Customer may conduct an audit, or select a mutually-agreed upon third-party to conduct an audit, of Apify practices related to Processing Personal Data in compliance with this DPA, at Customer's sole expense (an "**Audit**"). General compliance Audits shall occur not more than once every twelve (12) calendar months. 
+8.2. If Customer has a reasonable objection that the information provided is not sufficient to demonstrate Apify compliance with this DPA, Customer may conduct an audit, or select a mutually-agreed upon third-party to conduct an audit, of Apify practices related to Processing Personal Data in compliance with this DPA, at Customer's sole expense (an "**Audit**"). General compliance Audits shall occur not more than once every twelve (12) calendar months.
 
-8.3. To the extent you use a third-party representative to conduct the Audit, Customer will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. Customer will provide Apify with at least thirty (30) days prior written notice of its intention to conduct an Audit. Before any Audit, the Parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the Apify reimbursement rate for which Customer will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of Apify. 
+8.3. To the extent you use a third-party representative to conduct the Audit, Customer will ensure that such third-party representative is bound by obligations of confidentiality no less protective than those contained in this DPA and the Agreement. Customer will provide Apify with at least thirty (30) days prior written notice of its intention to conduct an Audit. Before any Audit, the Parties will mutually agree upon the scope, timing, and duration of the Audit, as well as the Apify reimbursement rate for which Customer will be responsible. All reimbursement rates will be reasonable, taking into account the resources expended by or on behalf of Apify.
 
 8.4. Customer and its third-party representatives will conduct Audits:
 
-(i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Apify Platform; and 
+(i) acting reasonably, in good faith, and in a proportional manner, taking into account the nature and complexity of the Apify Platform; and
 
-(ii) in a manner that will result in minimal disruption to Apify's business operations and during Apify's regular business hours. 
+(ii) in a manner that will result in minimal disruption to Apify's business operations and during Apify's regular business hours.
 
-Neither Customer nor its third-party representatives will be entitled to receive data or information of other Apify customers or any other Apify Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision. 
+Neither Customer nor its third-party representatives will be entitled to receive data or information of other Apify customers or any other Apify Confidential Information that is not directly relevant for the authorized purposes of the Audit in accordance with this provision.
 
 8.5. Customer will promptly provide Apify with the Audit results upon completion of the Audit. All Audit related materials will be considered "Confidential Information" subject to the confidentiality provisions of the Agreement.
 
@@ -135,7 +135,7 @@ Neither Customer nor its third-party representatives will be entitled to receive
 
 10.1. If Apify receives any requests from Data Subjects seeking to exercise any rights afforded to them under Data Protection Laws regarding their Personal Data, and to the extent legally permitted, will promptly notify Customer or refer the Data Subjects to Customer for handling. Such requests related to Personal Data may include: access, rectification, restriction of Processing, erasure ("right to be forgotten"), data portability, objection to the Processing, or to not be subject to automated individual decision making (each, a "**Data Subject Request**").
 
-10.2. Apify will not respond to such Data Subject Requests itself, and Customer authorizes Apify to redirect the Data Subject Request as necessary to Customer for handling. If Customer is unable to directly respond to a Data Subject Request made by a Data Subject itself, Apify will, upon your request, provide commercially reasonable efforts to assist Customer in responding to the Data Subject Request, to the extent Apify is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. 
+10.2. Apify will not respond to such Data Subject Requests itself, and Customer authorizes Apify to redirect the Data Subject Request as necessary to Customer for handling. If Customer is unable to directly respond to a Data Subject Request made by a Data Subject itself, Apify will, upon your request, provide commercially reasonable efforts to assist Customer in responding to the Data Subject Request, to the extent Apify is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
 
 10.3. To the extent legally permitted, Customer will be responsible for any costs arising from Apify's provision of this additional support to assist Customer with a Data Subject Request.
 
@@ -144,6 +144,7 @@ Neither Customer nor its third-party representatives will be entitled to receive
 11.1. Apify will provide reasonable assistance to and cooperation with the other party for their performance of a data protection impact assessment or privacy impact assessment of Processing or proposed Processing activities, when required by applicable Data Protection Laws.
 
 ## 12. General Cooperation to Remediate
+
 12.1. If Apify believes or becomes aware that (i) its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects; (ii) it can no longer meet its obligations under this DPA or applicable Data Protection Laws; or (iii) in its opinion an instruction from Customer infringes applicable Data Protection Laws; it shall promptly inform Customer of the same and await Customer's further instructions. Apify shall, taking into account the nature of Processing and the information available to Apify, provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment, and, if necessary, to consult with its relevant data protection authority.
 
 12.2. Each Party shall promptly notify the other Party of any proceedings, in particular administrative or court proceedings, relating to Personal Data Processing hereunder, and of any administrative decision or judgment concerning the Processing of that Personal Data, as well as of any inspections pertaining to Personal Data Processing.
@@ -154,7 +155,7 @@ Neither Customer nor its third-party representatives will be entitled to receive
 
 13.1. Customer represents and warrants that it is authorized to enter into this DPA, issue instructions, and make and receive any communications or notifications in relation to this DPA on behalf of Customer Affiliates. Customer further represents and guarantees that it has acquired all necessary consents from the Data Subjects for the Processing of their Personal Data or is subject to any other lawful basis under the applicable Data Protection Laws. Customer is fully responsible for compliance of the instructions, requests and recommendations issued to Apify with the Permitted Purpose of the Processing and any applicable Data Protection Laws.
 
-13.2. Each Party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each Party further represents, warrants, and covenants that it will comply with all Data Protection Laws applicable to such Party in its role as Data Controller, Business, Data Processor, Service Provider, or Subprocessor (as applicable under Data Protection Laws). 
+13.2. Each Party represents, warrants, and covenants that it understands and will comply with the restrictions and obligations set forth in this DPA. Each Party further represents, warrants, and covenants that it will comply with all Data Protection Laws applicable to such Party in its role as Data Controller, Business, Data Processor, Service Provider, or Subprocessor (as applicable under Data Protection Laws).
 
 13.3. Customer agrees to indemnify and hold Apify harmless against all claims, actions, third-party claims, losses, damages and expenses incurred by Apify in its capacity as Processor of the Personal Data of the Customer arising from (i) any Security Incident in terms of this Agreement if such Security Incident was caused by the Customer or (ii) any negligent act or omission by Customer in the exercise of the rights granted to it under the Privacy Protection Law and arising directly or indirectly out of or in connection with a breach of this DPA.
 
@@ -164,7 +165,7 @@ Neither Customer nor its third-party representatives will be entitled to receive
 
 14.1. This DPA is effective from the date of its execution or from the Effective Date of the Agreement, which incorporates the DPA. The obligations placed upon Apify under this DPA shall survive so long as Apify and/or its Subprocessors Process Personal Data as described herein and/or under the terms of the Agreement.
 
-14.2. Apify may update this DPA from time to time as laws, regulations, and industry standards evolve, or as Apify makes changes to its business or the Apify Platform. 
+14.2. Apify may update this DPA from time to time as laws, regulations, and industry standards evolve, or as Apify makes changes to its business or the Apify Platform.
 
 14.3. If Apify makes changes that materially change the Parties’ rights or obligations under this DPA, Apify will provide additional notice in accordance with applicable legal requirements, such as via our website or through the Apify Platform. By continuing to access and use the Apify Platform and other Services after the "last updated" date of the revised DPA, Customer agrees to be bound by the revised DPA.
 
@@ -183,8 +184,8 @@ Article 46 of the GDPR requires that a Processor that transfers data outside of
 
 Therefore, where:
 (a) Customer is not established in the EU and Personal Data Processing by Customer is not subject to GDPR (pursuant to Article 3(2) thereof); and
-(b) GDPR applies to international data transfer from EEA to countries outside the EEA (where Apify is involved in Processing data within the EEA on behalf of Customer); and 
-(c) an international transfer of Personal Data cannot take place on the basis of an adequacy decision pursuant to Art 45 (3) GDPR; 
+(b) GDPR applies to international data transfer from EEA to countries outside the EEA (where Apify is involved in Processing data within the EEA on behalf of Customer); and
+(c) an international transfer of Personal Data cannot take place on the basis of an adequacy decision pursuant to Art 45 (3) GDPR;
 
 Parties will comply with the obligations in the EU SCCs, which shall form an integral part of this Addendum. Any undefined capitalized terms used in this Schedule A have the meanings assigned to such terms in the EU SCCs.
 
@@ -195,28 +196,30 @@ For the purposes of EU Standard Contractual Clauses:
 1.4. Clause 18 (Choice of forum and jurisdiction), shall be completed as follows: "Any dispute arising from these Clauses shall be resolved by the courts of the Czech Republic."
 
 #### Annex I(A): List of Parties
-Data exporter: 
+
+Data exporter:
 Name: Apify Technologies s.r.o.
 Address: Vodičkova 704/36, Nové Město, 110 00 Praha 1
-Contact person’s name, position and contact details: 
+Contact person’s name, position and contact details:
 Apify Privacy Team, privacy@apify.com
-Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement. 
+Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement.
 Role: Processor or Subprocessor, as applicable
 
 
-Data importer: 
+Data importer:
 Name: Customer's name identified in the Agreement
 Address: Customer's address as provided in the Agreement
 Contact person’s name, position and contact details: As provided in Customer's user account at Apify Platform
-Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement. 
+Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement.
 Role: Controller or Processor, as applicable
 Annex I(B): Description of Processing & Transfer
 As provided in Schedule C to this DPA.
 
 ### UK Addendum
+
 In relation to Personal Data that is protected by the UK GDPR, the UK Addendum will apply, completed as follows:
 The Module 4 of the EU SCCs shall also apply to transfers of such Personal Data, subject to sub-section (b) below;
-Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs, completed as set out in Schedule A of this DPA, and the option "neither party" shall be deemed checked in Table 4; and,
+Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs,completed as set out in Schedule A of this DPA, and the option "neither party" shall be deemed checked in Table 4; and,
 The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.
 
 
@@ -234,20 +237,35 @@ The Parties acknowledge and agree that the exchange of Personal Data between the
 ## Schedule C: Details of Processing
 
 ### Categories of Data Subjects
+
 Data Subjects may be any individuals about which Customer collects and instructs Apify to Process Personal Data, including its prospects, customers, vendors, employees, contact persons, website users, etc.
+
 ### Categories of Personal Data
+
 Categories of Personal Data collected are solely at Customer's own discretion, resulting from Customer's use of Apify Platform and other Services, and may include name, title, contact details, ID data, professional or personal life data, connection data, localization data, etc.
+
 ### Sensitive Data Transferred
+
 Customer agrees not to transfer sensitive data without informing Apify. Transfer of sensitive data, if applicable and agreed upon in the Agreement, is done subject to additional safeguards that fully take into account the nature of such data and risks involved.
+
 ### Frequency of the Transfer
+
 Continuous during the term of the DPA.
+
 ### Nature of Processing
+
 The nature of processing is storage and retrieval of Personal Data relating to the provision of Apify Platform and other Services by Apify to Customer.
+
 ### Purpose of Processing
+
 As specified in Section 2.1.1. of the DPA above.
+
 ### The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
+
 As described in Section 9 of the DPA.
+
 ### For transfers to (sub-) Processors, also specify subject matter, nature and duration of the processing
+
 The Personal Data are transferred to further Subprocessors for the purposes of provision of infrastructure and/or software as a service in relation to the Permitted Purpose, for as long as needed in order to deliver the functionality.
 
 ## Schedule D: Security Measures
@@ -261,8 +279,8 @@ Apify shall implement appropriate technical and organizational measures in accor
 
 ## Schedule E: List of Apify Subprocessors
 
-<table border="0.5"> 
- <tr align="left"> 
+<table border="0.5">
+ <tr align="left">
     <th>Subprocessor Name</th>
     <th>Purpose of Processing</th>
     <th>Location</th>
@@ -271,19 +289,19 @@ Apify shall implement appropriate technical and organizational measures in accor
     <td>Amanzon Web Services, Inc.</td>
     <td>Infrastructure</td>
     <td>US</td>
-    
+
   </tr>
-  <tr> 
+  <tr>
     <td>MongoDB Inc.</td>
     <td>Database</td>
     <td>US</td>
  </tr>
- <tr> 
+ <tr>
     <td>Snowflake, Inc.</td>
     <td>Data Warehousing</td>
     <td>US</td>
  </tr>
- <tr> 
+ <tr>
     <td>Mezmo Inc.</td>
     <td>Centralized Log Management</td>
     <td>US</td>

From d72a0c624db943f724414706da380fc702407d08 Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Tue, 8 Oct 2024 12:30:53 +0200
Subject: [PATCH 3/8] docs: dpa update formatting

---
 sources/legal/latest/terms/data-processing-addendum.md | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/sources/legal/latest/terms/data-processing-addendum.md b/sources/legal/latest/terms/data-processing-addendum.md
index d4596c27f6..72de3f18c6 100644
--- a/sources/legal/latest/terms/data-processing-addendum.md
+++ b/sources/legal/latest/terms/data-processing-addendum.md
@@ -195,7 +195,7 @@ For the purposes of EU Standard Contractual Clauses:
 1.3. Clause 17 (Governing law) shall be completed as follows: "These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Czech Republic."
 1.4. Clause 18 (Choice of forum and jurisdiction), shall be completed as follows: "Any dispute arising from these Clauses shall be resolved by the courts of the Czech Republic."
 
-#### Annex I(A): List of Parties
+### Annex I(A): List of Parties
 
 Data exporter:
 Name: Apify Technologies s.r.o.
@@ -222,9 +222,8 @@ The Module 4 of the EU SCCs shall also apply to transfers of such Personal Data,
 Tables 1 to 3 of the UK Addendum shall be deemed completed with relevant information from the EU SCCs,completed as set out in Schedule A of this DPA, and the option "neither party" shall be deemed checked in Table 4; and,
 The start date of the UK Addendum (as set out in Table 1) shall be the date of this DPA.
 
-
-
 ## Schedule B: CCPA Additional Terms
+
 If and to the extent Apify is Processing Personal Data within the scope of the CCPA on Customer's behalf and in accordance with Customer's documented instructions, Apify will not:
 (a) sell the Personal Data as the term "selling" is defined in the CCPA;
 (b) share, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, the Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including transactions for cross-context behavioral advertising in which no money is exchanged;

From ead6d68d141a50b15d8c2b626ffd5b089f52d1ac Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Mon, 13 Jan 2025 17:49:23 +0100
Subject: [PATCH 4/8] replacing table with subprocessors by link to Vanta

---
 .../latest/terms/data-processing-addendum.md  | 31 ++-----------------
 1 file changed, 2 insertions(+), 29 deletions(-)

diff --git a/sources/legal/latest/terms/data-processing-addendum.md b/sources/legal/latest/terms/data-processing-addendum.md
index 72de3f18c6..d151d9a092 100644
--- a/sources/legal/latest/terms/data-processing-addendum.md
+++ b/sources/legal/latest/terms/data-processing-addendum.md
@@ -11,7 +11,7 @@ slug: /data-processing-addendum
 
 <!-- vale off -->
 
-Last Updated: September 20, 2024
+Last Updated: January 13, 2025
 
 ---
 
@@ -278,31 +278,4 @@ Apify shall implement appropriate technical and organizational measures in accor
 
 ## Schedule E: List of Apify Subprocessors
 
-<table border="0.5">
- <tr align="left">
-    <th>Subprocessor Name</th>
-    <th>Purpose of Processing</th>
-    <th>Location</th>
-  </tr>
-  <tr>
-    <td>Amanzon Web Services, Inc.</td>
-    <td>Infrastructure</td>
-    <td>US</td>
-
-  </tr>
-  <tr>
-    <td>MongoDB Inc.</td>
-    <td>Database</td>
-    <td>US</td>
- </tr>
- <tr>
-    <td>Snowflake, Inc.</td>
-    <td>Data Warehousing</td>
-    <td>US</td>
- </tr>
- <tr>
-    <td>Mezmo Inc.</td>
-    <td>Centralized Log Management</td>
-    <td>US</td>
- </tr>
-</table>
+List of Apify Subprocessor is available at: https://trust.apify.com/subprocessors

From 063c983205177b6c35f892f523702598e803dac9 Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Thu, 23 Jan 2025 16:33:15 +0100
Subject: [PATCH 5/8] docs: email address update

---
 sources/legal/latest/policies/privacy-policy.md        | 6 +++---
 sources/legal/latest/terms/data-processing-addendum.md | 2 +-
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/sources/legal/latest/policies/privacy-policy.md b/sources/legal/latest/policies/privacy-policy.md
index f46a6a6380..258849f1b4 100644
--- a/sources/legal/latest/policies/privacy-policy.md
+++ b/sources/legal/latest/policies/privacy-policy.md
@@ -108,14 +108,14 @@ We keep your personal data for no longer than necessary for the purposes for whi
 Upon your request and authentication of your identity, Apify will provide you with information about the personal data we have collected from you, whether we hold your personal data or process your personal data on behalf of a third party.
 Requests to access, change, or delete personal data made to Apify will be addressed within 30 days or earlier if required by applicable laws or regulations.
 
-If your name, e-mail or postal address, telephone number, or other personal data changes, you may update, correct, or omit the relevant information by contacting Apify at privacy@apify.com or by updating your personal data on the Account settings page on the Website.
+If your name, e-mail or postal address, telephone number, or other personal data changes, you may update, correct, or omit the relevant information by contacting Apify at privacy[at]apify[dot]com or by updating your personal data on the Account settings page on the Website.
 In some situations, we may not be able to provide access to certain personal data. Where an access request is refused, we will notify you in writing, document the reasons for refusal and outline further steps which are available to you. When a challenge regarding the accuracy of personal data is not resolved to your satisfaction, We will annotate the personal data under our control with a note that the correction was requested but not made.
 
 ### Removal and Objection
 
 If you prefer not to receive newsletters or other marketing emails from Apify, please let us know by clicking on the unsubscribe link within any newsletter or marketing email you receive. Please note that, regardless of your request, we may still use and disclose certain personal data as permitted by this Privacy Policy or as required by applicable law. For example, you may not opt out of certain transactional emails from us, such as those confirming your requests or providing you with updates regarding our legal terms.
 
-If you prefer not to receive marketing mail via the mail carrier, please let us know by contacting User service at support@apify.com. Please note that such requests may take up to ten (10) days to become effective.
+If you prefer not to receive marketing mail via the mail carrier, please let us know by contacting User service at support[at]apify[dot]com. Please note that such requests may take up to ten (10) days to become effective.
 For more information about your rights under EEA and U.K. GDPR, please refer to Clause “Territory-Specific Terms” below.
 
 ## Third-Party Links and Features
@@ -183,7 +183,7 @@ We update this Privacy Policy from time to time and encourage you to review it p
 
 ## Contact Us
 
-Any notices or requests to Apify under this Privacy Policy shall be made to [privacy@apify.com](mailto:privacy@apify.com) or:
+Any notices or requests to Apify under this Privacy Policy shall be made to privacy[at]apify[dot]com or:
 
 By mail:
 
diff --git a/sources/legal/latest/terms/data-processing-addendum.md b/sources/legal/latest/terms/data-processing-addendum.md
index d151d9a092..4bba8d5aa0 100644
--- a/sources/legal/latest/terms/data-processing-addendum.md
+++ b/sources/legal/latest/terms/data-processing-addendum.md
@@ -201,7 +201,7 @@ Data exporter:
 Name: Apify Technologies s.r.o.
 Address: Vodičkova 704/36, Nové Město, 110 00 Praha 1
 Contact person’s name, position and contact details:
-Apify Privacy Team, privacy@apify.com
+Apify Privacy Team, privacy[at]apify[dot]com
 Activities relevant to the data transferred under these Clauses: Processing necessary to provide the Apify Platform and other Services by Apify to Customer and for any disclosures of Personal Data in accordance with the Agreement.
 Role: Processor or Subprocessor, as applicable
 

From e2b88118c03c80f086812afc6d57ae0b86ec974a Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Mon, 10 Feb 2025 09:23:51 +0100
Subject: [PATCH 6/8] ATS and recruitment updates

---
 .../legal/latest/policies/privacy-policy.md    | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/sources/legal/latest/policies/privacy-policy.md b/sources/legal/latest/policies/privacy-policy.md
index 258849f1b4..5e621d90f7 100644
--- a/sources/legal/latest/policies/privacy-policy.md
+++ b/sources/legal/latest/policies/privacy-policy.md
@@ -11,25 +11,25 @@ slug: /privacy-policy
 
 <!-- vale off -->
 
-Last Updated: September 12, 2024
+Last Updated: February 10, 2025
 
 Welcome to the Apify Privacy Policy!
 
 Apify Technologies s.r.o. ("**Apify**," "**we**," "**our**" or "**us**") operates website apify.com (“**Website**”), provides its customers with the computer platform “Apify” (the "**Platform**") and some other services and functions, as specified in the [Apify General Terms and Conditions](../terms/general-terms-and-conditions.md) (the "**Services**").
 
-Apify is committed to transparency in our processing of information. This is where we describe how we handle your personal data. “**Personal data**” is any information that is directly linked or can be linked to you. Capitalized terms not otherwise defined in this Privacy Policy will have the meaning outlined in the [Apify General Terms and Conditions](../terms/general-terms-and-conditions.md).
+Apify is committed to transparency in the processing of information. This is where we describe how we handle your personal data. “**Personal data**” is any information that is directly linked or can be linked to you. Capitalized terms not otherwise defined in this Privacy Policy will have the meaning outlined in the [Apify General Terms and Conditions](../terms/general-terms-and-conditions.md).
 
 ## When the Privacy Policy applies
 
-Please note that this Privacy Policy applies where Apify is a “data controller” of your personal data. This includes when we collect information from and about visitors to our websites, prospective users and customers, and users of the Platform, collectively referred to herein as “**you**.”
+Please note that this Privacy Policy applies where Apify is a “data controller” of your personal data. This includes when we collect information from and about visitors to our websites, job candidates, prospective users and customers, and users of the Platform, collectively referred to herein as “**you**.”
 
 ## When the Privacy Policy does not apply
 
 You may collect and manage personal data when using Platform or other Services. In such a scenario, Apify is a “**data processor**", not a “**data controller**” (as defined by applicable privacy laws) of personal data that we process under your instructions and on your behalf. For clarity, this Privacy Policy does not apply to where Apify processes personal data as a data processor. Such processing activities are governed by a separately executed data processing agreement(s) between Apify and you. We are not responsible for your privacy or data security practices. You represent and warrant that you have all necessary rights, consents, or other legal basis for processing such personal data and instructing us to process them on your behalf.
 
-This Privacy Policy also does not apply to personal data about current and former Apify employees, job candidates, or contractors and agents acting in similar roles.
+This Privacy Policy also does not apply to personal data about current and former Apify employees or contractors and agents acting in similar roles.
 
-**PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE HANDLE YOUR PERSONAL DATA. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE THE SERVICES.**
+**PLEASE READ THIS PRIVACY POLICY CAREFULLY TO UNDERSTAND HOW WE HANDLE YOUR PERSONAL DATA. IF YOU DO NOT AGREE TO THIS PRIVACY POLICY, PLEASE DO NOT USE OUR WEBSITE OR THE SERVICES.**
 
 ## Table of Contents
 
@@ -55,9 +55,10 @@ This Privacy Policy also does not apply to personal data about current and forme
 We collect a variety of personal data that you provide directly to us. For example, we collect information from you when you:
 
 - create a user account to log into and use Platform and Services, including communicating with support or sales teams
-- register for a demo, webinar, conference, or other events.
+- register for a demo, webinar, conference, or other events
+- apply to a job offer.
 
-We need your name, email address, username, business information, billing information, and payment information. Additionally, you may provide us voluntarily with a short bio, homepage URL, GitHub username, Twitter username, and profile picture, which will be added to your public profile on the Platform.
+We need, including but not limited to, your name, email address, username, business information, billing information, information about your professional career and educational background, including current and old job positions, degrees, qualifications, and payment information. Additionally, you may provide us voluntarily with a short bio, homepage URL, GitHub username, Twitter username, and profile picture, which will be added to your public profile on the Platform.
 
 ### Personal Data We Collect through Automated Means
 
@@ -84,12 +85,13 @@ We process your personal data for various purposes:
 - **Secure our Services** and resolve technical issues being reported
 - **Meet legal requirements**: Comply with any procedures, laws, and regulations that apply to us where it is necessary for our legitimate interests or the legitimate interests of others
 - **Establish, exercise, or defend our legal rights** where it is needed for our legitimate interests or the legitimate interests of others
+- **Recruiting**: Evaluation and selection of applicants; including, for example, setting up and conducting interviews and tests, evaluating and assessing the results thereto, and as is otherwise needed in the recruitment processes, including the final recruitment. Additionally, we may process your personal data to include you in our talent pool and contact you should a suitable position be available if you have consented to this; such processing is legally permissible under Art. 6 (1)(a) of the GDPR.
 
 ## How We Disclose Your Personal Data
 
 We may disclose your personal data:
 
-- **Service Providers**: We provide access to or disclose your personal data to selected third parties who help us run our Website, provide Platform, or deliver our other Services, including billing and credit card verification, advertising and marketing, content and features, analytics, research, customer support, data storage, security, web hosting, fraud prevention, and legal services.
+- **Service Providers**: We provide access to or disclose your personal data to selected third parties who help us run our Website, provide Platform, or deliver our other Services, including billing and credit card verification, advertising and marketing, content and features, analytics, research, customer support, data storage, security, web hosting, fraud prevention, applicants tracking and legal services.
 - **Protection of Apify and Others**: By using the Services, you acknowledge and agree that we may access, retain, and disclose the personal data we collect and maintain about you if required to do so by applicable law or in a good faith belief that such access, retention or disclosure is reasonably necessary to: (a) enforce any contracts with you; (b) respond to claims that any content violates the rights of third parties; (c) protect the rights, property or personal safety of Apify, its agents and affiliates, its other users and/or the public; and/or (d) comply with legal process (e.g. a subpoena or court order).
 - **Joint Offerings**: From time to time, Apify may partner with other companies to offer products or services jointly. If you purchase or specifically express interest in a jointly offered product or service from us, Apify may share certain personal data collected in connection with your purchase or expression of interest with our joint promotion partner(s). Apify does not control its business partners' use of the personal data we share with them, and their use of the personal data will be in accordance with their own privacy policies. If you do not wish for your personal data to be shared in connection with any joint offerings, you may opt not to purchase or specifically express interest in a jointly offered product or service.
 - **Public Forums**: Our websites may offer publicly accessible message boards, blogs, and community forums. Please keep in mind that if you directly disclose any personal data through our public message boards, blogs, or forums (including profile information associated with your user account), it may be read, collected, and used by any member of the public who accesses these Websites. Your posts and profile information may remain available even after terminating your user account. We urge you to consider the sensitivity of any information you may disclose in this way.

From 90756e46300fc1cf93ab77bd75058edccf20fa87 Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Fri, 14 Feb 2025 15:41:47 +0100
Subject: [PATCH 7/8] docs: new OSS fair share terms

---
 ...fair-share-program-terms-and-conditions.md | 59 +++++++++++++++++++
 1 file changed, 59 insertions(+)
 create mode 100644 sources/legal/latest/terms/fair-share-program-terms-and-conditions.md

diff --git a/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md b/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md
new file mode 100644
index 0000000000..8e84e21382
--- /dev/null
+++ b/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md
@@ -0,0 +1,59 @@
+---
+title: Apify Open Source Fair Share Program Terms
+description: Apify Affiliate Program Terms and Conditions govern Apify's affiliate partnership program.
+sidebar_position: 5
+sidebar_label: Fair Share Program Terms
+category: legal
+slug: /fair-share-program-terms-and-conditions
+---
+
+# Apify Open Source Fair Share Program Terms and Conditions
+
+<!-- vale off -->
+
+Effective Date: February 14, 2025
+
+---
+
+We offer you the opportunity to enroll in our Apify Open Source Fair Share Program ("**Fair Share Program**"), which is subject to the following Apify Open Source Fair Share Program Terms and Conditions ("**Fair Share Program Terms**"). Fair Share Program is further governed by the [Affiliate Program Terms and Conditions](affiliate-program-terms-and-conditions.md) and, to the extent applicable, by [Apify Store Publishing Terms and Conditions](store-publishing-terms-and-conditions.md) which are both incorporated herein by the reference. In case of a conflict, these Apify Fair Share Program Terms shall prevail.
+
+Terms starting with a capital letter used in these Fair Share Program Terms have the meaning defined either here or in the Affiliate Program Terms and Conditions.
+
+## 1. Eligibility
+
+The Fair Share Program is open to maintainers of GitHub repositories with projects suitable for web automation, data extraction, or related purposes (“**you**” or "**Participant**"). Participation is subject to review and approval by Apify.
+
+## 2. Tiers
+
+The Fair Share Program offers three different tiers, each with varying levels of involvement and benefits:
+
+### 2.1. Passive Tier
+
+2.1.1. **Joining Passive Tier**. You can join the Passive Tier only by accepting a pull request from Apify for your GitHub repository. To participate, your GitHub repository must have the GitHub Sponsor button enabled. Participants in the Passive Tier will not have access to the FirstPromoter account and, therefore, will not have visibility into the traffic or detailed performance metrics.
+
+2.1.2. **Commission**. Notwithstanding anything to the contrary in Section 4.1. of the Affiliate Program Terms, the Commission shall be calculated as 10% of all payments made by each Referred Customer to Apify in the first 3 months from the date when that Referred Customer started paying for Services (as defined in the General Terms) and then increased to 20% for all payments made by each Referred Customer to Apify, up to 2,500 USD per Referred Customer.
+
+2.1.3. **Payment Terms**. Notwithstanding anything to the contrary in Sections 5.2. and 5.3, Commission for Referred Customers in the Passive Tier is paid monthly, exclusively via the GitHub Sponsor button.
+
+### 2.2. Maintainer Tier
+
+2.2.1. **Joining Maintainer Tier**. To join the Maintainer Tier, you must first:
+(i) [join our Affiliate Program](https://apify.firstpromoter.com/signup/28997),
+(ii) [create an Account](https://console.apify.com/sign-up) at apify.com, and
+(iii) either successfully claim ownership of the Actor in Apify Store or link your GitHub OSS Public Repository containing an Actor code to the same Actor in Apify Store, subject to the Apify Store Publishing Terms.
+
+2.2.2. **Commission & Remuneration**. In the Maintainer Tier you may receive standard Commission as outlined in the Affiliate Program. Additionally, you may also be eligible to receive remuneration under the Apify Store Publishing Terms in case you monetize your Actor.
+
+### 2.3. Active Developer Tier
+
+2.3.1. **Joining Active Developer Tier**. In order to benefit from the Active Developer Tier, you must:
+(i) join the Maintainer Tier,
+(ii) monetize your Actor through the Pay-Per-Event monetization model which allows you to set custom pricing for each use of your Actor by Apify Users (you are required to optimize your Actor’s performance and configure it for Pay-Per-Event usage).
+
+2.3.2. **Additional Incentive under Active Developer Tier**. In addition to the benefits arising from the Maintainer Tier, as an Active Developer you may receive a temporary discount on computing resources or other incentives for your open-source Actor subject to a separate agreement with Apify.
+
+## 3. General
+
+3.1. Participants are responsible for any applicable taxes, payment processing fees, or other charges related to receiving Commission under the Fair Share Program. Apify is not responsible for covering such costs.
+
+3.2. Apify reserves the right to modify, suspend, or terminate the Fair Share Program at any time, with or without prior notice. Any changes will be posted on our Website, and continued participation constitutes acceptance of the updated Terms.
\ No newline at end of file

From fb43341d59ab0616779e3ca840642793d0a8e5ab Mon Sep 17 00:00:00 2001
From: Lenka Bidova <lenka.bidova@apify.com>
Date: Fri, 14 Feb 2025 15:47:51 +0100
Subject: [PATCH 8/8] fairshare program terms

---
 .../latest/terms/fair-share-program-terms-and-conditions.md     | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md b/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md
index 8e84e21382..0c7fda3d3c 100644
--- a/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md
+++ b/sources/legal/latest/terms/fair-share-program-terms-and-conditions.md
@@ -56,4 +56,4 @@ The Fair Share Program offers three different tiers, each with varying levels of
 
 3.1. Participants are responsible for any applicable taxes, payment processing fees, or other charges related to receiving Commission under the Fair Share Program. Apify is not responsible for covering such costs.
 
-3.2. Apify reserves the right to modify, suspend, or terminate the Fair Share Program at any time, with or without prior notice. Any changes will be posted on our Website, and continued participation constitutes acceptance of the updated Terms.
\ No newline at end of file
+3.2. Apify reserves the right to modify, suspend, or terminate the Fair Share Program at any time, with or without prior notice. Any changes will be posted on our Website, and continued participation constitutes acceptance of the updated Terms.