Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the general terms and conditions of sale and use ("Principal Agreement") between: the Client as defined in the Principal Agreement (hereafter th "Controller") and the Provider as defined in the Principal Agreement (hereafter the "Processor"). Processor and Controller are each a “Party” and together are the “Parties”.
In these DPA, the following terms with a capital letter, unless otherwise specified, shall have the meaning given to them by this Article, whether in the singular or plural:
"Subprocessors": means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data on behalf of the Controller.
"Data Protection Laws": means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR").
"Third Country": means any country outside the EU/EEA.
"Controller Personal Data": means the data described in Annex 1 and any other Personal Data processed by Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement.
"Personal Data Breach": means a breach of leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.
"Services": means the services to be supplied by the Processor to the Controller pursuant to the Principal Agreement.
"Products" means the products to be supplied by the Processor to the Controller pursuant to the Principal Agreement.
"Purposes"shall mean (i) Processor’s provision of Products and/or Services as described in the Principal Agreement, including Processing initiated by Controller in their use of the Products; and (ii) further documented, reasonable instructions from Controller agreed upon by the Parties.
“Standard Contractual Clauses (Processor to Processor)” means the agreement executed by and between Provider and its Sub-processors pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data from processor to processor (module three), as may be amended or replaced.
"Process/Processing/Processed", "Data Controller", "Data Processor", "Data Subject", "Personal Data", "Special Categories of Personal Data" and any further definition not included under this Agreement or the Principal Agreement shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR").
2. processing of personal data
2.1 In the course of providing the Products and/or Services to the Controller pursuant to the Principal Agreement, the Processor may process Controller Personal Data on behalf of the Controller as per the terms of this DPA. The Processor agrees to comply with the following provisions with respect to any Controller Personal Data.
2.2 Processor will Process Controller Personal Data only for the Purposes. Controller shall ensure its Processing instructions are lawful and that the Processing of Controller Personal Data in accordance with such instructions will not violate applicable Data Protection Laws. The Parties agree that the Principal Agreement and the DPA sets out the exclusive and final instructions to the Processor for all Processing of Controller Personal Data. Any additional requested instructions require the prior written agreement of the Processor. The Processor shall promptly notify Controller if, in Processor’s opinion, such an instruction violates Union or Member State law.
2.3 Processor shall ensure that persons authorized to process Controller Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, limit access to Controller Personal Data to only those employees or agents that require access to perform their roles and responsibilities in connection with the Products and/or Services.
2.4 Processor provides reasonably requested information regarding the Products and/or Services to enable Controller to carry out data protection impact assessments or prior consultations with data protection authorities as required by Data Protection Laws, so long as Controller does not otherwise have access to the relevant information.
3. rights of data subjects
Processor shall promptly notify Controller if Processor receives a request from a Data Subject that identifies Controller Personal Data or otherwise identifies Controller, including where the Data Subject seeks to exercise any of its rights under applicable Data Protection Laws (collectively, “Data Subject Request”). The Products and/ or Services provides Controller with a number of controls that Controller may use to assist it in responding to Data Subject Requests and Controller will be responsible for responding to any such Data Subject Requests. To the extent Controller is unable to access the relevant Controller Personal Data within the Products and/ or Services using such controls or otherwise, Processor shall (upon Controller’s written request and taking into account the nature of the Processing) provide commercially reasonable cooperation to assist Controller in responding to Data Subject Requests.
4. return and erasure of personal data
4.1 This DPA shall automatically terminate upon any termination or expiration of the Principal Agreement. The Parties agree that at termination or expiry of the Principal Agreement, Processor shall, at the choice of Controller, delete and/or return all data processed under the Principal Agreement and this DPA, including copies. Upon Controller's request, Processor shall also provide documentation for such deletion.
4.2 Processor may retain Controller Personal Data to the extent required by Union or Member State law, and only to the extent and for such period as required by Union or Member State law, and always provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Union or Member State law requiring its storage and for no other purpose.
5.1 Controller provides Processor with a general authorization to engage Sub-processors. Processor makes available to Controller the up-to-date list of Sub-processors used by Processor to process Controller Personal Data at [URL] (“Sub-Processor List”). To receive notification concerning the intention of including a new Sub-Processor into the Sub-Processor List, Controller shall subscribe by sending an email to privacy@ncScale.com to receive notifications of any new Sub-processors used to Process Controller Personal Data.
5.2 Controller may reasonably object to Processor’s use of a new Sub-processor, for reasons relating to the protection of Controller Personal Data intended to be Processed by such Sub-processor, by providing a written notice to Processor at privacy@ncScale.com, listing all specific legitimate gaps allegedly preventing the use of such Sub-processor by Processor, within fourteen (14) calendar days after receipt of Provider’s notice in accordance with the subscription mechanism set out above. If it can be reasonably demonstrated to Processor that the new Sub-processor is unable to Process Controller Personal Data in compliance with the terms of this DPA and Process or cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution as provided in the preceding sentence, Controller, as its sole and exclusive remedy, may provide written notice to Provider terminating the Principal Agreement with respect only to those aspects which cannot be provided by Processor without the use of the new Sub-processor. Processor will refund Controller any prepaid unused fees of such Principal Agreement following the effective date of such termination.
5.3 Processor shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Controller Personal Data as Processor’s obligations under this DPA to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations under this DPA. Upon written request, and subject to any confidentiality restrictions, Processor shall provide Controller all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Controller’s obligations under Data Protection Laws.
6. transfer of personal data
Processor may Process Controller Personal Data to countries in Third Countries as provided in the Sub-Processor List. Controller hereby approves the transfer of Controller Personal Data to the locations stated in the Sub-Processor List and acknowledges that the basis of such transfer between jurisdictions is acceptable.
Personal Data may be transferred to Third Countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of Europe, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
If the Processing of Personal Data includes transfers (either directly or via onward transfer) to the Third Countries which have not been subject to an Adequacy Decision (“Other Countries”), and such transfer or disclosure is not permitted through alternative means approved applicable Data Protection Laws, the Parties agree that the Standard Contractual Clauses (Processor to Processor), will apply.
7. data security
Provider will maintain appropriate measures to protect the integrity, security and confidentiality of all Controller Personal Data against any anticipated threats or hazards, and/or unauthorized access to or use of such data, which measures shall include at a minimum those set forth in Annex 2 to this DPA.
8. personal data breaches
If Processor becomes aware of a Personal Data Breach, Processor shall notify Controller without undue delay, and in any case, where feasible, notify Controller within forty-eight (48) hours after becoming aware. Processor’s notification shall be sent to the email registered by Controller within the Service for such purposes, and where no such email is registered, Controller acknowledges that the means of notification shall be at Processor’s reasonable discretion and Processor’s ability to timely notify shall be negatively impacted. Processor shall promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach.
Processor shall provide Controller timely information about the Personal Data Breach, including, but not limited to, the nature and consequences of the Personal Data Breach, the measures taken and/or proposed by Processor to mitigate or contain the Personal Data Breach, the status of Processor’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Communications by or on behalf of Processor with Controller in connection with a Personal Data Breach shall not be construed as an acknowledgment by Processor of any fault or liability with respect to the Personal Data Breach.
If Controller is subject to an audit or investigation from a data protection authority, Processor shall, when required, respond to any information requests, and/or agree to submit its premises and operations to audits, including inspections by Controller and/or the competent data protection regulator, in each case for the purpose of evidencing its compliance with this DPA, provided that:
- Controller shall ensure that all information obtained or generated in connection with any information request, audit or inspection is kept strictly confidential (unless disclosure to a competent data protection regulator or as otherwise required by applicable law).
- Controller shall ensure that any information request, audit or inspection is undertaken within normal business hours with minimal disruption to Processor' business, and acknowledge that such information request, audit or inspection shall be subject to any reasonable policies, procedures or instructions of Processor for the purposes of preserving security and confidentiality.
- Controller shall give Processor at least fifteen (15) calendar days prior written notice of an information request and/or audit or inspection (unless the competent data protection authority provides Controller with less than fifteen (15) calendar days notice, in which case Controller shall provide Processor with as much notice as practically possible.
A maximum of one information request, audit and/or inspection may be requested by Controller in any twelve-month (12) period unless an additional information request, audit and/or inspection is mandated by a competent data protection regulator in writing.
- Controller shall pay Provider reasonable costs for any assistance or facilitation of any audit or inspection, or other work undertaken unless such costs are incurred due to Processor' breach of its obligations under this DPA.
If any audit request is not at the request of a data protection authority, Controller agrees:
- to request information in the first instance in written form,
- Processor may respond to such requests by providing up-to-date attestations, reports or extracts from independent bodies (e.g., ISO 27001 reports/certificates) that scrutinizes and confirms the processing of Controller Personal Data is in accordance with the agreed to measures herein, it being understood that Controller may demand additional clarifications and perform on-site inspections where necessary to satisfy Data Protection Laws requirements,
- on Processor' request, to conduct the audit through a certified auditor, bound by confidentiality obligations, the Parties jointly agree on.
10. other provisions
10.1 If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
10.2. Each Party ' liability, taken in aggregate, arising out of or related to this DPA and the Standard Contractual Clauses, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the “Limitation of Liability” section of the Principal Agreement.
10.3. Processor shall only be liable for damages caused by processing for which (i) it has not complied with the obligations of the Data Protection Laws specifically related to data processors or (ii) it has acted outside or contrary to lawful written instructions of the Controller. Where Processor and Controller are involved in a processing under the Principal Agreement (including this DPA) that caused damage to a Data Subject, the Controller shall in a first time take in charge the full indemnification (or any other compensation) which is due to the Data Subject and, for second time, claim back from Processor the part of the data subject’s compensation corresponding to Processor’s part of responsibility for the damage in accordance with the conditions set out the section above.
10.4. This DPA will be governed by and construed in accordance with the “Applicable Law – Dispute” section of the Principal Agreement, unless required otherwise by Data Protection Laws.
annex 1 - details of data processing
Nature and Purpose of Processing: Processor will Process the Controller Personal Data for the Purposes, as described in this DPA. Processor will perform Processing as needed for the Purposes, and to comply with Controller ’s Processing instructions as provided in accordance with the Agreement and this DPA
Duration of Processing: Subject to any Section of the DPA and/or the Principal Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Controller Personal Data pursuant to the DPA and Principal Agreement for the duration of the Principal Agreement.
Categories of Data Subjects: The categories of Data Subjects to which Controller Personal Data relate are determined and controlled by Controller in its sole discretion, and may include, but are not limited to:
- Prospects, customers, business partners and vendors of Controller (who are natural persons);
- Employees or contact persons of Controller ’s prospects, customers, business partners and vendors; and/or
- Employees, agents, advisors, freelancers of Controller (who are natural persons).
Categories of Personal Data: The types of Controller Personal Data are determined and controlled by Controller in its sole discretion, and may include, but are not limited to:
- Identification and contact data (name, address, title, contact details);
- Financial information (credit card details, account details, payment information);
- Employment details (employer, job title, geographic location, area of responsibility); and/or
- IT information (log).
Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Principal Agreement, Controller may also include « special categories of personal data » or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Controller Personal Data, the extent of which is determined and controlled by Controller in its sole discretion.
annex 2 - toms
1. organizational security measures
1.1. Privacy & Cybersecurity Program. Provider has developed and implemented, and will consistently update and maintain as needed: (a) a written and comprehensive information security program in compliance with applicable Data Protection Law; and (b) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identify theft (“Security Program”). Specifically, the Security Program shall include, at a minimum:
1.1.1. A data loss prevention program, with appropriate policies and/or technological controls designed to prevent loss of Personal Data.
1.1.2. A disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Data as well as security needs for back-up sites and alternate communication networks.
1.2. Access. Provider shall reasonably update all access rights based on personnel or computer system changes, and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the DPA.
1.3. Provider shall verify all access rights through effective authentication methods.
2. physical security measures
2.1. Provider shall maintain appropriate physical security measures for any facility used to Process
Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.
3. technical security measures
3.1. Vulnerability Scanning and Assessments. Provider shall perform vulnerability scanning and assessments on its applications and infrastructure.
3.2. Access Control and Limiting Remote Access. Provider shall secure its computer networks using multiple layers of access controls to protect against unauthorized access.
3.2.1. Provider shall restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
3.2.2. Provider shall identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files.
3.3. Encryption. Provider shall encrypt all Personal Data in its possession, custody or control while in transit.
3.4. Security Patches. Provider shall deploy all applicable and necessary system security patches to all software and systems that Process Personal Data.
3.5. Virus/Malware Scanning. Provider shall use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that collect, use, disclose, store, retain or otherwise Process Personal Data.