Data Processing Addendum
This Data Processing Addendum ("Addendum"), effective as of the DPA Effective Date (defined below), is entered into by and between 8012 Labs, LLC ("Company") and you ("Customer") (collectively the "Parties"). This Addendum forms part of the Terms of Service or other agreement you may have entered with Company governing the provision of Company's web applications (collectively "Agreement") and will amend the terms of the Agreement to reflect the parties' rights and responsibilities with respect to the processing and security of Customer's data under the Agreement.
a) Agreement to Terms. If you are accessing and using the Services on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to this Addendum. In that case, "Customer" will refer to that company or other legal entity.
b) Subject Matter. This Addendum reflects the Parties' commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Company's execution of the Agreement. Customer will be the Controller or Processor of Customer Personal Data and Company will be the Processor of Customer Personal Data under Applicable Data Protection Law(s). All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. Except as expressly provided herein, nothing in this Addendum shall be deemed to waive or modify any of the provisions of the Agreement, which otherwise remains in full force and effect. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
c) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or, if it is completed after the Effective Date of the Agreement, upon the date that the Customer electronically accepts or otherwise agrees or opts in to this Addendum. Company will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Company's obligations and Customer's rights under this Addendum will continue in effect so long as Company Processes Customer Personal Data.
2. Definitions
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) "Applicable Data Protection Law(s)" means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. "Applicable Data Protection Law(s)" shall include, but not be limited to, the EU General Data Protection Regulation 2016/679 ("GDPR") and the Privacy Shield principles and requirements.
b) "Customer Personal Data" means Personal Data pertaining to Customer's users or employees located in the European Economic Area Processed by Company. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A attached hereto, as required by the GDPR.
c) "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
d) "DPA Effective Date" means either (i) May 25, 2018; or (ii) the date on which you accept or otherwise agree or opt in to this Addendum, if that date is after May 25, 2018.
e) "Personal Data" shall have the meaning assigned to the terms "personal data" or "personal information" under Applicable Data Protection Law(s).
f) "Privacy Shield" means the EU-US and Swiss-US Privacy Shield Frameworks established by the US Department of Commerce and the European Commission.
g) "Process" or "Processing" means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
h) "Processor" means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
i) "Security Incident(s)" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Company.
j) "Services" means any and all services that Company performs under the Agreement.
k) "Third Party(ies)" means Company's authorized contractors, agents, vendors and third-party providers (i.e., sub-processors) that Process Customer Personal Data.
3. Data Use and Processing
a) Compliance with Laws. Customer shall ensure that it has obtained any and all authorizations and lawful bases for processing (including verifiable consent where necessary) in accordance with Applicable Data Protection Law(s) in order to provide Customer Personal Data to Company for Processing. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
b) Documented Instructions. Company and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this Addendum, the Agreement, or any applicable Statement of Work. Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions.
c) Authorization to Use Third Parties. To the extent necessary to fulfill Company's contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) Company to engage Third Parties and (ii) Third Parties to engage sub-processors. Any Third Party Processing of Customer Personal Data shall be consistent with Customer's documented instructions and comply with all Applicable Data Protection Law(s).
d) Company and Third Party Compliance. Company agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties' Processing of Customer Personal Data that imposes on such Third Parties (and their sub-processors) data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Company's Third Parties' (and their sub-processors if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
e) Right to Object to Third Parties. Prior to engaging any new Third Parties that Process Customer Personal Data, Company will notify Customer of these changes by posting its proposed new Third Parties to the following website https://statushero.com/gdpr/. Company will allow Customer ten (10) calendar days to object after notice is given. It is Customer's responsibility to check this website regularly for updates. If Customer has legitimate objections to the appointment of any new Third Party that relates to Company's compliance with this Addendum, Company will make reasonable efforts to address Customer's objection. After this process, if a resolution has not been agreed to within five (5) calendar days, Company will proceed with engaging the Third Party. Failing any such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by Company without use of the objectionable Third Party. No refunds shall be given for any prepaid portion of the Services.
f) Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
g) Personal Data Inquiries and Requests. Company agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) ("Privacy Request"). At Customer's request, Company agrees to assist Customer in answering or complying with any Privacy Request in so far as it is possible. Company may invoice Customer for costs arising from such assistance.
h) Data Protection Impact Assessment and Prior Consultation. Company agrees to provide reasonable assistance at Customer's sole expense to Customer where, in Customer's judgement, the type of Processing performed by Company is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
i) Demonstrable Compliance. Company agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.
4. Cross-Border Transfers of Personal Data
a) Cross-Border Transfers of Personal Data. Customer authorizes Company and its Third Parties to transfer Customer Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Customer Personal Data must be supported by an approved adequacy mechanism.
b) Privacy Shield Certification. Company is currently Privacy Shield certified, will maintain its Privacy Shield certification during the term of the Agreement and will Process the Customer Personal Data in accordance with at least the same level of protection as required under the applicable Privacy Shield principles. Company will provide written notification to Customer before it withdraws from or otherwise no longer maintains a current certification to the Privacy Shield. Company shall promptly notify Customer if it can no longer meet its obligations under this Section.
5. Information Security Program
a) Information Security Program. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company shall implement and maintain appropriate technical and organizational measures in such a manner that its Processing of Personal Data will meet the requirements of Applicable Data Protection Law(s), ensure the protection of the rights of the data subjects, and ensure a level of security appropriate to the risk (an "Information Security Program").
6. Security Incidents
a) Security Incident Procedure. Upon becoming aware of a Security Incident, Company shall without undue delay inform Customer and provide written details of the Security Incident reasonably required to fulfill Customer's Security Incident reporting obligations under Applicable Data Protection Law(s). Where possible, such details shall include the nature of the Security Incident, the categories and approximate number of data subjects concerned and the categories and approximate number of Customer Personal Data records concerned, the likely consequences of the Security Incident, and the measures taken or proposed to be taken to mitigate the Security Incident's possible adverse effects.
7. Audits
a) Audits. If Applicable Data Protection Law affords Customer an audit right, Customer (or its appointed representative) may, no more than once annually, carry out an inspection of Company's operations and facilities with respect to the Processing of Customer Personal Data. Customer must provide Company forty-five (45) days' written notice of such intention to audit, conduct its audit during normal business hours, and take reasonable measures necessary to prevent unnecessary disruption to Company's operations. Prior to any audit being conducted, the Parties will agree the terms of the audit. Any such audit shall be subject to Company's security and confidentiality terms and guidelines. Customer shall be responsible for any costs arising from such audit.
8. Data Deletion
a) Data Deletion. At the expiry or termination of the Agreement, Company will, at Customer's option, delete or return all Customer Personal Data to Customer, except where Company is required to retain copies under applicable laws, in which case Company will isolate and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws.
Exhibit A – Details of Processing
Subject Matter of Processing: The provision of the Service to the Customer, and related technical support.
Duration of the Processing: The Processing will continue until the expiration or termination of the Agreement.
Nature and Purpose of the Processing: Company will process Personal Data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related technical support in accordance with this Addendum.
Types of Customer Personal Data: Personal data submitted to, stored on, or sent via the Service may include, without limitation, the following categories of data: IP addresses, browser user agents, email addresses, usernames, full names, browser and operating system identifiers, and any other personal data that Customer chooses to send Company during the course of Company's provision of the Service and technical support.
Categories of Data Subjects: Personal data submitted, stored, sent or received via the Service may concern the following categories of data subjects, without limitation: Customer's employees, contractors, and agents; the personnel of Customer's customers, suppliers and subcontractors; and any other person who transmits data via the Service.