Access Control Cloud Applications
Data Processing Agreement
This Data Processing Agreement (“DPA”) supplements Salto’s Terms of Service, for access control cloud applications, Salto Space Software License Agreement or Salto XS4 Face Terms of Service, as applicable, as updated from time to time between Client and Salto in relation to the processing of personal data. This DPA is an agreement between you and the entity you represent (“Client”, “you” or “your”) and Salto Systems, S.L. (hereinafter, “Salto”).
1. Definitions
1.1. For the purposes of this Data Processing Agreement, the terms listed herein mean the following:
- Applicable Data Protection Law: Shall mean all laws and regulations applicable to Salto’s processing of Personal Data under the Agreement.
- Client: A legal or natural person who operates as a professional or business (not being a consumer) and who enters into the Agreement with Salto for using and having access to the Services.
- Client Account Data: Personal Data that relates to the Client’s relationship with Salto, including the names or contact information of employees, representatives or contact people of the Client.
- Controller (also as Data Controller): The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
- Data Processing Agreement (also as DPA): Means this supplementary agreement entered into by Salto and the Client (if required by the legislation applicable from time to time), on which basis Salto shall process Personal Data.
- Data Subject: An identified or identifiable natural person.
- International Data Transfer: Processing which implies the transfer of the Personal Data outside of the European Economic Area, either by data disclosure or communication or by the processing of the Personal Data by a Processor established outside of the EEA on behalf of a Controller established in the EEA.
- Personal Data: Means all personal data relating to an identified or identifiable natural person that is introduced, collected or gathered through the Platform.
- Privacy Policy: Means Salto’s Privacy Policy.
- Processing: Means any operation or set of operations performed on Personal Data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Processor (also “Data Processor”): A natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
- Security Incident: Unauthorised or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of User Data.
- Standard Contractual Clauses (also as SCC): Shall mean the transfer mechanism approved by the European Commission through its Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
- Term: Means the time period the DPA shall be valid, enforceable and in force as set out in Section 3.
- User(s): Natural person(s) authorised by the Client to have access to and use the Services.
- User Data: Personal Data of Users.
1.2. Any capitalized term used in this Data Processing Agreement and not included in the list above shall have the meaning provided to it in the Terms of Service, and if not defined therein have the meaning established in Article 4 GDPR.
2. Applicability and amendments
2.1. This Data Processing Agreement applies when Salto processes User Data on behalf of the Client. In this context, Salto acts as Processor to this data, whereas the Client may act as Controller or Processor of the User Data. When the Client acts as Processor, Salto will be a sub-processor.
2.2. This Data Processing Agreement is part of the Agreement into which it is incorporated by reference.
3. Term
This DPA shall be effective during the time necessary to render the Services to the Client pursuant to the Agreement. Nonetheless, the Parties agree that all clauses of the present DPA which are expressly or implicitly intended to continue in force after its termination shall continue in force and be binding on the Parties in accordance with the relevant clause.
4. Limitation of liability
4.1. Each Party’s liability is subject to the Liability section in Salto’s Terms of Service, as permitted by applicable law.
5. Relationship of the Parties
5.1. To the extent Salto has access to User Data, Salto will process it as Processor, whereas the Client may act as Controller or Processor of the User Data. When the Client acts as Processor, Salto will be sub-Processor.
5.2. Notwithstanding the foregoing, Salto will act as Controller with regards to Client Account Data and other specific data as detailed for each type of Services in the Privacy Policy. This Processing shall be done in accordance with and as informed in the Privacy Policy.
6. Salto as Processor
6.1. Purpose of the Processing: The Personal Data processed by Salto on behalf of the Client shall be processed only to carry out the provision of the Services in accordance with the Agreement, which may entail, where requested by the Client in accordance with the Terms of Service, technical support activities. Where the Processor deems it necessary to process Personal Data for a different purpose, it shall obtain the previous written authorisation from the Client. Where such authorisation is not obtained, the processing shall not take place.
6.2. Description of the Processing: Salto will process Personal Data in accordance with the specifications included as Schedule 1, including the nature and purpose of the Processing, the Processing activities, the duration of the Processing, the types of Personal Data and categories of Data Subjects.
6.3. Obligations of the Client: Client is responsible for ensuring that it complies with Applicable Data Protection Law in its use of the Services and its own Processing of Personal Data, and that it has the right to provide access to Personal Data to Salto for Processing in accordance with the Agreement and this DPA. Client is responsible for the accuracy of the Personal Data provided to Salto.
6.4. Client’s instructions: The Processor undertakes to process User Data in accordance with Client’s instructions as set forth in the Agreement, and as otherwise necessary to provide the Services to Client, and where it is required to do so to comply with applicable law. Additional instructions outside the abovementioned shall be agreed by the Parties in writing. The Client shall ensure Salto that any Processing carried out under its instructions is compliant with applicable laws and regulations. Salto undertakes to inform Client if it becomes aware or reasonably believes that the instructions given by Client infringe applicable laws.
6.5. Confidentiality: Salto ensures that its employees engaged in the Processing of User Data under the Agreement are informed and are bound by confidentiality obligations.
6.6. Security measures: Salto guarantees the implementation of appropriate technical and organisational measures in order to achieve a level of security adequate to the risk, taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
In assessing the appropriate level of security, Salto takes into account the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed, or unauthorised communication or access to said data.
Schedule 2 includes additional information about Salto’s technical and organisational security measures to protect User Data.
6.7. Subcontracting: The Client expressly authorises Salto to subcontract the companies which form part of Salto’s Group and in this respect to provide them with access to the Personal Data as needed for the rendering of all or part of the Services, including maintenance and technical support services under Client’s request.
Additionally, the Client expressly authorises the Processor to engage onward sub-processors (hereinafter, “Sub-processors”), subject to the following provisions:
- Salto has a list of its Sub-processors available here. Salto shall keep this list updated, and include any new Sub-processor at least thirty (30) days before engaging with it. Salto may provide Client with a mechanism to subscribe to notifications of new Sub-processors. The Client may reasonably object to any new Sub-processor in the thirty (30) days period from the update of the list. In the event that the Client reasonably objects to a new Sub-processor, either Client or Salto may terminate the portion of the Agreement related to the Services that cannot be provided without the objected-to new Sub-processor.
- Salto undertakes that all Sub-processors are contractually bound by the same or equivalent data protection obligations as those established in this DPA for the Processor.
- Salto shall remain fully liable to the Client for the performance of the Sub-processor's obligations.
6.8. Data Subject Rights: Taking into account the nature of the processing, Salto will assist the Client by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to requests for exercising the data subject's data protection rights. In the event that a Data Subject makes a request directly to Salto in relation to User Data, Salto will forward it without undue delay to the Client to the email address registered in the Platform.
6.9. Assistance: Taking into account the nature of processing and the information available to Salto, Salto shall provide reasonable cooperation to the Client in relation to related data protection impact assessments, and consultations with Supervisory Authorities required in compliance with data protection regulations.
6.10. Return or deletion of User Data: Salto shall delete or return all the Personal Data processed on its behalf to the Client, at the choice of the latter, after the end of the provision of Services, and delete all existing copies unless storage of the personal data is required by law. As part of the Services, once the term of the provision of the services consisting of electronic locking solutions for doors and access controls has elapsed, Salto will keep the Personal Data blocked for a period of one (1) month in order to enable reactivation of said services.
6.11. Audits: Salto will, upon the Client’s request and at its expense, make available at reasonable intervals and in no event more than once (1) every year, the information necessary to demonstrate compliance with applicable data protection obligations, as well as allow for audits. Client shall provide Salto with at least two (2) months’ prior written notice of any intended audit. This audit may be conducted either by Client or by an independent auditor appointed by Client bound by reasonable confidentiality restrictions, which in no event shall be, or shall act on behalf of, a competitor of Salto. The scope of the audit shall be limited to Salto’s systems, processes, and documentation relevant to the Processing on behalf of the Client, and the reports and results of the audit will be confidential information of Salto. Upon the end of the audit, the Client shall inform Salto of any perceived non-compliance or security concerns detected in the audit.
6.12. Security Incident: Salto undertakes to notify the Client, via email to the email address registered in the Platform by the Client, without undue delay after becoming aware of any unauthorized or unlawful access to, or acquisition, alteration, use, disclosure, or destruction of User Data (hereinafter, “Security Incident”). Salto will provide reasonable assistance to Client in the event that Client is required under Applicable Data Protection Law to notify a regulatory authority or any data subjects impacted by a Security Incident.
6.13. Transfers of Personal Data: In certain cases, the Processing of personal data may be carried out outside the European Economic Area (EEA), in particular:
- When the Client is accessing the Platform from a country located outside the EEA;
- When the Client is subscribed to 24/7 technical support services, which implies that technicians located in some countries outside the EEA are involved in the incident resolution; and
- In relation to the processing carried out by the Sub-processors identified below.
In the case mentioned above, transfers of User Data from the EEA to outside the EEA (either directly or via onward transfer) will be done on the basis of adequacy decisions by the European Commission. To the extent that the territories to where the User Data is transferred do not have adequate standards of data protection as determined by the European Commission, the Parties agree that the Standard Contractual Clauses will apply and will be deemed entered into (and incorporated into this DPA by this reference) and completed as indicated hereafter:
(i) Module Three (Processor to Processor) of the SCC will apply where Client is a processor of User Data outside the EEA, and Salto acts as sub-processor and processes User Data in the EEA.
(ii) Module Four (Processor to Controller) of the SCC will apply where Client processes as Controller User Data outside the EEA, and Salto is a processor which processes User Data in the EEA.
In relation to each Module of the Standard Contractual Clauses, where applicable:
- Clause 7: the optional docking clause will not apply.
- Clause 9: Option 2 shall apply, with the notice period established under Clause 6.7 to this DPA.
- Clause 11: the optional section regarding the lodging of complaints with independent resolution bodies by data subjects shall not apply;
- Clause 17: Option 1 will apply, and the Standard Contractual Clauses will be governed by Spanish law;
- Clause 18 (b): any dispute arising from the Standard Contractual Clauses shall be resolved before the courts of Spain;
- Annex I, Part A:
  - Data Exporter: Salto.
    - Contact details: privacy@saltosystems.com
    - Data Exporter Role: The Data Exporter’s role is set forth in Section 4 (Relationship of the Parties) of this DPA.
    - Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these SCC incorporated herein, including their Annexes, as of the date of acceptance of the Agreement.
  - Data Importer: Client
    - Contact details: The email address provided by the Client to sign up to the Service will be considered the contact email to this effect.
    - Data Importer Role: The Data Importer’s role is set forth in Section 2 of this DPA.
    - Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these SCC incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I, Part B:
  - The categories of data subject, sensitive data transferred, nature of the processing, purpose of the processing, and the period for which the personal data will be retained are described in Schedule 1 of this DPA.
  - The frequency of the transfer is on a continuous basis for the duration of the Agreement for the provision of the services consisting of electronic locking solutions for doors and access controls, and for maintenance and technical support services the transfer is on a one-off basis.
  - Transfers to sub-processors, the subject matter, nature, and duration of the processing are listed at https://saltosystems.com/en/legal-data/software-terms/access-control-cloud-applications/list-of-sub-pocessors/.
- Annex I, Part C: The Spanish Data Protection authority (Agencia Española de Protección de Datos) will be the competent supervisory authority.
- Annex II: Schedule 2 of this DPA.
The Client agrees to notify Salto if it receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to the SCC. Such notification must be done at least 48 hours in advance, and in any event before any disclosure takes place, and it shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided.
In the event of any conflict between the Standard Contractual Clauses, and any other terms in the Agreement, or the Privacy Policy, the provisions of the Standard Contractual Clauses will prevail.
6.14. Jurisdiction Specific Terms: To the extent Salto processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 3 of this DPA, the terms specified in this Schedule 3 with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
SCHEDULE 1 | Details of Processing
A. Access Control Cloud Applications
- Nature and Purpose of the Processing
Salto will process personal data as necessary to provide the Services under the Agreement. In this sense, Salto will process User Data as Processor pursuant to the Client’s instructions as foreseen in Section 6.4 of this DPA.
Specifically, when the Client contracts Access Control Cloud Applications, Salto will process personal data with the following purposes:
- For the enrolment of the end user in the application.
- To carry out the access control services (including by means of facial recognition technologies if the functionalities of Salto XS4 Face have been contracted).
- To provide the necessary maintenance and technical support services.
- When the Client is using the Services via a Third Party’s Platform and/or has activated the integration between the Platform and the Third Party’s Platform, for receiving and transmitting the User Data from and to the Third Party’s Platform.
- If the Client uses the Services via a Third Party’s Platform and/or has activated the integration between the Platform and the Third Party’s Platform, to receive and transmit the User Data to and from the Third Party’s Platform.
- Processing Activities
Collection, recording, conservation, transmission to the Client and erasure or destruction of personal data, to the extent necessary for the adequate provision of the Services.
If the Client uses the Services via a Third Party’s Platform and/or has activated the integration between the Platform and the Third Party’s Platform, the processing activities will also include the transmission and collection of the User Data to and from the Third Party’s Platform. In this case, the Client acknowledges that the provider of the Third Party’s Platform will act as an unaffiliated, independent service provider and data processor processing the User Data on behalf of the Client and following its instructions. For the avoidance of doubt, Salto is not responsible for the privacy, security or integrity of such data processed within the Third Party’s Platform. This data communication is done by Salto on behalf of the Client, which is responsible for complying with the applicable legal requirements of the processing as Controller or Processor.
- Duration of the Processing
Salto will process User Data on behalf of Client for the duration of the Services as established in the Agreement. As part of the Services, once the term of the provision of the services consisting of electronic locking solutions for doors and access controls has elapsed, Salto will keep the Personal Data blocked for a period of one (1) month in order to enable reactivation of said services.
With regard to the provision of maintenance and technical support services, the User Data that may be accessed by Salto will only be processed for the time necessary to solve the issue.
Once the Agreement has terminated, Salto may retain a copy of the Personal Data duly blocked for the period of prescription of related infractions. Once this period has elapsed, Salto will erase all copies of the Personal Data.
- Categories of Data Subjects
User Data: Client’s end users.
- Categories of Personal Data
  - Identification data
  - Contact details
  - Access permits
  - Record of access
  - Profile picture (optional)
- Sensitive Data or Special Categories of Data
Salto does not process special categories of data on behalf of the Client as the processing related to facial recognition, if any, takes place locally (without Salto’s involvement in the processing).
B. Space System integrated with Salto XS4 Face
- Nature and Purpose of the Processing
Salto will process personal data as necessary to provide the Services under the Agreement. In this sense, Salto will process User Data as Processor pursuant to the Client’s instructions as foreseen in Section 6.4 of this DPA.
Specifically, when the Client contracts Salto XS4 Face for using the facial recognition technology integrated with the Space System, Salto will process personal data with the following purposes:
- For the management of Client’s Subscriptions and users of the Salto XS4 Face console (i.e. site administrators).
- For the enrolment of the end user.
- To provide the necessary maintenance and technical support services.
- Processing Activities
Collection, use, transmission to the Client and erasure or destruction of personal data, to the extent necessary for the adequate provision of the Services.
- Duration of the Processing
Salto will process User Data on behalf of Client for the duration of the Services as established in the Agreement. As part of the Services, once the term of the provision of the services consisting of access control powered by facial recognition technology has elapsed, Salto will keep the Personal Data blocked for a period of three (3) months in order to enable reactivation of said services.
With regard to the provision of maintenance and technical support services, the User Data that may be accessed by Salto will only be processed for the time necessary to solve the issue.
Once the Agreement has terminated, Salto may retain a copy of the Personal Data duly blocked for the period of prescription of related infractions. Once this period has elapsed, Salto will erase all copies of the Personal Data.
- Categories of Data Subjects
User Data: Client’s end users and system administrators.
- Categories of Personal Data
  - Contact details: email address of system administrators and end users.
  - Name of system administrators.
- Sensitive Data or Special Categories of Data
Salto does not process special categories of data on behalf of the Client as the processing related to facial recognition, if any, takes place locally (without Salto’s involvement in the processing).
SCHEDULE 2 | Technical and Organisational Security Measures
The technical and organisational measures applying are described in the dedicated website section.
SCHEDULE 3 | Jurisdiction Specific Terms
To the extent Salto processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 3 of this DPA, the terms specified in this Schedule 3 with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA.
- California
  - The definition of Applicable Data Protection Law includes the California Consumer Privacy Act (CCPA).
  - The definition of Personal Data includes “Personal Information” as defined under Applicable Data Protection Law.
  - The definition of Data Subject includes “Consumer” as defined under Applicable Data Protection Law. Any data subject rights, as described in Section 6.8 (Data Subject Rights) of this DPA, apply to Consumer rights.
  - The definition of Controller includes “Business” as defined under Applicable Data Protection Law.
  - The definition of Processor includes “Service Provider” as defined under Applicable Data Protection Law.
  - Salto will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose.
  - Salto will not sell User Data.
  - Salto will not retain, use, or disclose User Data for any commercial purpose other than the provision of the Services.
  - Salto will not retain, use, or disclose User Data outside of the scope of the Agreement.
  - Salto certifies that its Sub-processors, as described in Section 6.7 of this DPA, are Service Providers under Applicable Data Protection Law, and that prior to its contracting they are properly evaluated.
- Switzerland
  - The definition of Applicable Data Protection Law includes the Federal Act on Data Protection 1992 (FADP).
  - The definition of Personal Data includes personal data pertaining to legal entities.
- United Kingdom
  - The definition of Applicable Data Protection Law includes UK General Data Protection Regulation (UK GDPR).
  - In relation to Section 6.3 of the DPA, where the Controller is established in the UK and Salto transfers User Data from the UK to outside the UK (either directly or via onward transfer) to countries without adequacy regulations, such transfer shall be covered by the SCC together with the International Data Transfer Addendum or Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 28 January 2022 (hereinafter, the “IDTA”), which are incorporated into this DPA by reference.
  - In relation to the IDTA:
    - Tables 1 and 2 are completed with clause 6.13 of this DPA.
    - In relation to Table 2, personal data received from the Importer is not combined with personal data collected by the Exporter.
    - Table 4: The Exporter.
- Australia
  - The definition of Applicable Data Protection Law includes the Australian Federal Privacy Act 1988 and Australian Privacy Principles.
Last update: December 2024
© Salto Systems, S.L., 2024. All rights reserved.