Last Updated: September 25, 2024
1.1. In this Data Processing Addendum:
"Data Protection Laws" means, with respect to a party, laws and regulations in any relevant jurisdiction directly applicable to such party’s processing of personal data that may include, without limitation: (i) EU Regulation 2016/679 ("GDPR"); (ii) GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR; (iv) in the UK, the Data Protection Act 2018 ("DPA"); (v) any laws and regulations implementing or made pursuant to EU Directive 2002/58/EC (as amended by 2009/136/EC); (vi) in the UK, the Privacy and Electronic Communications (EC Directive) Regulations 2003; and (vii) as to Personal Data originating from California Consumers, the California Consumer Privacy Act and the California Consumer Privacy Rights Act and their implementing regulations (the “CCPA”); in each case, as updated, amended or replaced from time to time. The terms "Data Subject", "Personal Data", "processing", "processor" and "controller" will have the meanings set out in the GDPR. As to Personal Data originating from California consumers: the terms “business,” “sell,” “service provider,” and “share” will have the meanings set out in the CCPA; the term “Data Subject” shall mean and refer to the term “Consumer” as defined under the CCPA and the term “Personal Data” shall mean and refer to the term “Personal Information” as defined under the CCPA.
"DP Regulator" means any governmental or regulatory body or authority with responsibility for monitoring or enforcing compliance with the Data Protection Laws.
"Your Personal Data" means all Personal Data in Your Data processed by Us on behalf of You under or in connection with this Agreement.
1.2. Each party will comply with the provisions and obligations imposed on it by the Data Protection Laws at all times when processing Your Personal Data in connection with this Agreement, which processing will be in respect of the types of Your Personal Data, categories of Data Subjects, nature and purposes, and duration, set out in the Appendix to this Addendum.
1.3. Each party will maintain records of its processing operations that contain at least the minimum information required by the Data Protection Laws, and will make such records available to any DP Regulator on request in accordance with the applicable Data Protection Laws.
1.4. Each party acknowledges and agrees that, regarding the processing of Your Personal Data carried out under this Agreement: (i) under the GDPR, You are the controller and We are the processor and (ii) under the CCPA, You are the business and We are the service provider.
1.5. You will:
1.5.1. ensure that any instructions for the processing of Your Personal Data You issue to Us comply with the Data Protection Laws;
1.5.2. have sole responsibility for the accuracy, quality and legality of Your Personal Data and the means by which You acquired Your Personal Data; and
1.5.3. establish the legal basis for processing under Data Protection Laws, including providing all notices and obtaining all consents as may be required under Data Protection Laws in order for Us to process Your Personal Data as otherwise contemplated by this Agreement.
1.6. We will:
1.6.1. Process Your Personal Data (i) only in accordance with Your written instructions set out in this Agreement (including any executed Order Form and SoW), provided such instructions are lawful, unless otherwise required by applicable laws (in which case, unless such law prohibits such notification on important grounds of public interest, We will notify You of the relevant legal requirement before processing Your Personal Data), and (ii) only for the duration of this Agreement;
1.6.2. ensure that Our personnel who are Authorized to have access to Your Personal Data are committed to confidentiality or are under an appropriate statutory obligation of confidentiality when processing Your Personal Data;
1.6.3. taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, implement technical and organizational measures and procedures to ensure a level of security for Your Personal Data appropriate to the risk, including the risks of accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, dissemination or access, which are set out in the Security Addendum;
1.6.4. as to the GDPR and Your Personal Data that originates from the European Economic Area or the United Kingdom, not transfer Your Personal Data outside the European Economic Area or the United Kingdom unless (i) We have entered into the relevant EU standard contractual clauses (with the UK addendum if applicable) approved by the European Commission (and the UK's Information Commissioner's Office, if applicable); or (ii) the transfer is otherwise permitted by the Data Protection Laws;
1.6.5. inform You without undue delay upon becoming aware of Your Personal Data (while within Our control) being subject to a personal data breach (as defined in the Data Protection Laws);
1.6.6. not disclose any of Your Personal Data to any Data Subject other than at Your written request or as provided for in this Agreement or as required to comply with applicable laws;
1.6.7. except as required by law or in order to defend any actual or possible legal claims, delete all Your Personal Data on termination or expiry of this Agreement, and not make any further use of Your Personal Data;
1.6.8. at Your expense and subject to paragraph (9) in relation to audits, provide You and any DP Regulator with information and assistance reasonably necessary to demonstrate or ensure compliance with the obligations in this Addendum and/or the Data Protection Laws;
1.6.9. on an annual basis, at Our own expense, engage an independent third party auditor to conduct a SOC 2 or other industry standard audit. We will (upon request by You) provide a copy of Our then most recent third-party audit or certifications, as applicable, or any summaries thereof, that We generally make available to Our customers at the time of such request;
1.6.10. at Your expense, take such steps as are reasonably required to assist You in ensuring compliance with Your obligations under the Data Protection Laws and which are obligatory for processors and/or service providers under the Data Protection Laws;
1.6.11. notify You as soon as reasonably practicable if We receive a request from a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data; and
1.6.12. provide You with reasonable cooperation and assistance in relation to any request made by a Data Subject to exercise its rights under the Data Protection Laws in relation to that person's Personal Data provided that You will be responsible for Our costs and expenses arising from such cooperation and assistance.
1.7. If either We or You receive any complaint, notice or communication which relates directly or indirectly to the processing of Your Personal Data by the other or to either of our compliance with the Data Protection Laws, We or You will as soon as reasonably practicable notify the other and provide the other with commercially reasonable cooperation and assistance in relation to any such complaint, notice or communication.
1.8. You agree that We may disclose Your Personal Data to Our advisers, auditors or other third parties as reasonably required in connection with the performance of Our obligations under this Agreement. In addition, We may engage third parties to process Your Personal Data on behalf of You ("Sub-Processors"). The current list of Sub-Processors is set out here.
1.9. If We engage a new Sub-Processor ("New Sub-Processor"), We will inform You of the engagement no later than thirty (30) days in advance. You may object to the engagement of a New Sub-Processor within fourteen (14) days by informing Us of Your objection and the reasons for such objection. If We believe that Your objection is reasonable, We will engage with You in good faith to reach a mutually acceptable solution. If a mutually acceptable solution is not reached within thirty (30) days of Us informing You of the engagement of a New Sub-Processor, You will have the right to terminate the Agreement.
1.10. We will ensure that Our contract with each New Sub-Processor will impose obligations on the New Sub-Processor that are materially equivalent to the obligations to which We are subject under this Agreement.
1.11. Any sub-contracting or transfer of Your Personal Data pursuant to this Addendum will not relieve Us of any of Our liabilities, responsibilities and obligations to You under this Agreement and We will remain liable for the acts and omissions of Our Sub-Processors.
1.12. As to Your Personal Data that is subject to the CCPA: (i) We will not (a) sell or share Your Personal Data; (b) retain, use or disclose any of Your Personal Data for any purpose other than for the specific purpose of providing the Solution, including retaining, using, combining or disclosing any of Your Personal Data for a commercial purpose other than providing the Solution; or (c) retain, use or disclose any of Your Personal Data outside of the direct business relationship between You and Us; and (ii) the parties acknowledge and agree that Our access to Your Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. We certify Our understanding of the foregoing requirements.
The Personal Data processing activities carried out by Us under this Agreement may be described as follows (except as otherwise stated in an Order Form or a Statement of Work):
The subject matter, nature and purpose of the Processing is (i) as specified in the Agreement, (ii) to support You and Your service providers in implementing and using the Solution and (iii) to improve the Solution (only anonymised and/or aggregated data are processed for this purpose).
The types of Personal Data processed include those specified in the definition of Your Data.
The categories of data subjects include Your representatives, Authorized Users and any other individuals identified or identifiable by Your Data.
The duration of the processing shall be as set out in the Agreement.
Our list of Sub-Processors shall be updated by Us from time to time, in accordance with Section 1.9 of this Addendum and can be found here.