1. DEFINITIONS
In this DPA, the following capitalized terms, unless otherwise specified, shall have the meaning given to them by this Article, whether in the singular or plural:
- “Subprocessors”: means any Data Processor (including any third party) appointed by the Processor to process Controller Personal Data on behalf of the Controller.
- “Data Protection Laws”: means EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”).
- “Third Country”: means any country outside the EU/EEA.
- “Controller Personal Data”: means the data described in Annex 1 and any other Personal Data processed by Processor on behalf of the Controller pursuant to or in connection with the Principal Agreement.
- “Personal Data Breach”: means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Controller Personal Data transmitted, stored or otherwise processed.
- “Services”: means the services to be supplied by the Processor to the Controller pursuant to the Principal Agreement.
- “Products”: means the products to be supplied by the Processor to the Controller pursuant to the Principal Agreement.
- “Purposes”: means (i) Processor’s provision of Products and/or Services as described in the Principal Agreement, including Processing initiated by Controller in its use of the Products; and (ii) further documented, reasonable instructions from Controller agreed upon by the Parties.
- “Standard Contractual Clauses (Processor to Processor)”: means the agreement executed by and between Provider and its Subprocessors pursuant to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 for the transfer of personal data from processor to processor (module three), as may be amended or replaced.
- “Process/Processing/Processed”, “Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Special Categories of Personal Data” and any further definition not included under this Agreement or the Principal Agreement shall have the same meaning as in EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council (“GDPR”).
2. PROCESSING OF PERSONAL DATA
2.1
2.2
2.3
2.4
3. RIGHTS OF DATA SUBJECTS
4. RETURN AND ERASURE OF PERSONAL DATA
4.1
4.2
5. SUBPROCESSORS
5.1
5.2
5.3
6. TRANSFER OF PERSONAL DATA
Personal Data may be transferred to Third Countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of Europe, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
If the Processing of Personal Data includes transfers (either directly or via onward transfer) to Third Countries which have not been subject to an Adequacy Decision (“Other Countries”), and such transfer or disclosure is not permitted through alternative means approved under applicable Data Protection Laws, the Parties agree that the Standard Contractual Clauses (Processor to Processor) will apply.
7. DATA SECURITY
8. PERSONAL DATA BREACHES
If Processor becomes aware of a Personal Data Breach, Processor shall notify Controller without undue delay, and in any case, where feasible, notify Controller within forty-eight (48) hours after becoming aware. Processor’s notification shall be sent to the email registered by Controller within the Service for such purposes, and where no such email is registered, Controller acknowledges that the means of notification shall be at Processor’s reasonable discretion and Processor’s ability to timely notify shall be negatively impacted. Processor shall promptly take reasonable steps to contain, investigate, and mitigate any Personal Data Breach.
Processor shall provide Controller timely information about the Personal Data Breach, including, but not limited to, the nature and consequences of the Personal Data Breach, the measures taken and/or proposed by Processor to mitigate or contain the Personal Data Breach, the status of Processor’s investigation, a contact point from which additional information may be obtained, and the categories and approximate number of data records concerned. Communications by or on behalf of Processor with Controller in connection with a Personal Data Breach shall not be construed as an acknowledgment by Processor of any fault or liability with respect to the Personal Data Breach.
9. AUDITS
If Controller is subject to an audit or investigation from a data protection authority, Processor shall, when required, respond to any information requests, and/or agree to submit its premises and operations to audits, including inspections by Controller and/or the competent data protection regulator, in each case for the purpose of evidencing its compliance with this DPA, provided that:
- Controller shall ensure that all information obtained or generated in connection with any information request, audit or inspection is kept strictly confidential (unless disclosure to a competent data protection regulator or as otherwise required by applicable law).
- Controller shall ensure that any information request, audit or inspection is undertaken within normal business hours with minimal disruption to Processor’s business, and acknowledges that such information request, audit or inspection shall be subject to any reasonable policies, procedures or instructions of Processor for the purposes of preserving security and confidentiality.
- Controller shall give Processor at least fifteen (15) calendar days’ prior written notice of an information request and/or audit or inspection (unless the competent data protection authority provides Controller with less than fifteen (15) calendar days’ notice, in which case Controller shall provide Processor with as much notice as practically possible).
- A maximum of one information request, audit and/or inspection may be requested by Controller in any twelve (12) month period unless an additional information request, audit and/or inspection is mandated by a competent data protection regulator in writing.
- Controller shall pay Provider reasonable costs for any assistance or facilitation of any audit or inspection, or other work undertaken, unless such costs are incurred due to Processor’s breach of its obligations under this DPA.
If any audit request is not at the request of a data protection authority, Controller agrees:
- to request information in the first instance in written form,
- Processor may respond to such requests by providing up-to-date attestations, reports or extracts from independent bodies (e.g., ISO 27001 reports/certificates) that scrutinize and confirm that the processing of Controller Personal Data is in accordance with the measures agreed herein, it being understood that Controller may demand additional clarifications and perform on-site inspections where necessary to satisfy the requirements of Data Protection Laws,
- on Processor’s request, to conduct the audit through a certified auditor, bound by confidentiality obligations, whom the Parties jointly agree on.
10. OTHER PROVISIONS
10.1
10.2
10.3
10.4
ANNEX 1 – DETAILS OF DATA PROCESSING
Nature and Purpose of Processing: Processor will Process the Controller Personal Data for the Purposes, as described in this DPA. Processor will perform Processing as needed for the Purposes, and to comply with Controller’s Processing instructions as provided in accordance with the Agreement and this DPA.
Duration of Processing: Subject to any Section of the DPA and/or the Principal Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Controller Personal Data pursuant to the DPA and Principal Agreement for the duration of the Principal Agreement.
Categories of Data Subjects: The categories of Data Subjects to which Controller Personal Data relate are determined and controlled by Controller in its sole discretion, and may include, but are not limited to:
- Prospects, customers, business partners and vendors of Controller (who are natural persons);
- Employees or contact persons of Controller’s prospects, customers, business partners and vendors; and/or
- Employees, agents, advisors, freelancers of Controller (who are natural persons).
Categories of Personal Data: The types of Controller Personal Data are determined and controlled by Controller in its sole discretion, and may include, but are not limited to:
- Identification and contact data (name, address, title, contact details);
- Financial information (credit card details, account details, payment information);
- Employment details (employer, job title, geographic location, area of responsibility); and/or
- IT information (logs).
Special Categories of Personal Data (if applicable): Subject to any applicable restrictions and/or conditions in the Principal Agreement, Controller may also include “special categories of personal data” or similarly sensitive Personal Data (as described or defined in Data Protection Laws) in Controller Personal Data, the extent of which is determined and controlled by Controller in its sole discretion.
ANNEX 2 – TOMS
1. ORGANIZATIONAL SECURITY MEASURES
1.1. Privacy & Cybersecurity Program. Provider has developed and implemented, and will consistently update and maintain as needed: (a) a written and comprehensive information security program in compliance with applicable Data Protection Law; and (b) reasonable policies and procedures designed to detect, prevent, and mitigate the risk of data security breaches or identity theft (“Security Program”). Specifically, the Security Program shall include, at a minimum:
1.1.1. A data loss prevention program, with appropriate policies and/or technological controls designed to prevent loss of Personal Data.
1.1.2. A disaster recovery/business continuity plan that addresses ongoing access, maintenance and storage of Personal Data as well as security needs for back-up sites and alternate communication networks.
1.2. Access. Provider shall reasonably update all access rights based on personnel or computer system changes, and shall periodically review all access rights at an appropriate frequency to ensure current access rights to Personal Data are appropriate and no greater than are required for an individual to perform his or her functions necessary to fulfill the purposes of the DPA.
1.3. Provider shall verify all access rights through effective authentication methods.
2. PHYSICAL SECURITY MEASURES
2.1. Provider shall maintain appropriate physical security measures for any facility used to Process Personal Data and continually monitor any changes to the physical infrastructure, business, and known threats.
3. TECHNICAL SECURITY MEASURES
3.1. Vulnerability Scanning and Assessments. Provider shall perform vulnerability scanning and assessments on its applications and infrastructure.
3.2. Access Control and Limiting Remote Access. Provider shall secure its computer networks using multiple layers of access controls to protect against unauthorized access.
3.2.1. Provider shall restrict access through mechanisms such as, but not limited to, management approvals, robust controls, logging, and monitoring access events and subsequent audits.
3.2.2. Provider shall identify computer systems and applications that warrant security event monitoring and logging, and reasonably maintain and analyze log files.
3.3. Encryption. Provider shall encrypt all Personal Data in its possession, custody or control while in transit.
3.4. Security Patches. Provider shall deploy all applicable and necessary system security patches to all software and systems that Process Personal Data.
3.5. Virus/Malware Scanning. Provider shall use up-to-date, industry standard, commercial virus/malware scanning software that identifies malicious code on all of its systems that collect, use, disclose, store, retain or otherwise Process Personal Data.