Data Processing Addendum
Last updated on: August 10, 2020
This Data Processing Addendum (“DPA”) forms part of the Agreement and is incorporated by reference into the Agreement and sets out the terms that apply with regard to the Processing of Personal Data by the Company, on behalf of the Customers, in the course of providing the Application to the Customers under the Agreement.
All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
- “Agreement” or “Terms” means the written or electronic agreement for the provision of the Application to the Customers.
- “Data Controller” or “Data Fiduciary” or “Business”, as used under relevant data protection laws, means the party who determines the purposes and means of processing.
- “Data Processor” or “Service Provider”, as used under relevant data protection laws, means the party who processes the data on behalf of the data controller (or data fiduciary or business).
- “Data Subject(s)” means an identified or identifiable natural person, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Personal Data” means any information relating to an identified or identifiable natural person contained within the Content of the Customers as defined in the Agreement.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by the Company on behalf of the Customers under the Agreement.
- “Process” or “Processed” or “Processing” means any operation or set of operations which is performed on the Personal Data, whether or not by automatic means, such as collection, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, blocking, erasure or destruction.
Scope & Roles
This DPA applies when Personal Data is Processed by the Company strictly on behalf of the Customers, as part of the Company’s provision of the Application. In this context, the Customers are the Data Controller and the Company is the Data Processor. The Customers agree that the Agreement is their complete and final instructions to the Company in relation to the Processing of Personal Data.
Subject Matter, Data Subjects, Duration, Nature & Purpose of Processing
- The Company Processes the Personal Data as a part of providing the Customers with the Application, pursuant to the specifications and for the duration under the Agreement.
- The duration of the Processing under the Agreement is determined by the Customers as set forth in the Agreement.
- The Customers determine the Data Subjects which may include the Customers’ end users, employees and other third parties.
- The Company and the sub-processors are providing its service via the Application to the Customers and fulfilling its contractual obligations. Using the Application may include Processing of Personal Data by the Company or its sub-processors.
- The Customer, in its use of the Application, submits Personal Data Processed in accordance with any data protection legal requirement. The Company will only Process Personal Data on behalf of and in accordance with the Customer’s reasonable instructions, which include the following purposes:
- Processing related to the Application in accordance with the Agreement;
- Processing to comply with other reasonable instructions provided by the Customer where such instructions are consistent with the Agreement;
- Rendering Personal Data fully and irrevocably anonymous and non-personal; and
- Processing as required under any applicable laws to which the Company is subject.
However, any Processing of Personal Data shall comply with any data protection legal requirement.
- The Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Customer acquired Personal Data. Without limitation, the Customer will provide all necessary notices to relevant Data Subjects, including a description of the Application, and secure all necessary permissions and consents, or other applicable lawful grounds for Processing Personal Data pursuant to this DPA, and shall indemnify, defend and hold harmless any claim, damages or fine against the Company arising from any failure to acquire or use the Personal Data with legal consent or legitimate business purpose or in violation of any data protection legal requirement.
- The Company will inform the Customer if, in the opinion of the Company, an instruction infringes any data protection legal requirement and will be under no obligation to follow such instruction. To the extent that the Company cannot comply with an instruction from the Customer, the Company:
- Shall promptly inform the Customer, providing relevant details of the issue;
- May, without any liability to the Customer, temporarily cease all processing of the affected Personal Data (other than securely storing such data in accordance with the Agreement) and may further suspend any relationship with the Customer;
- If the parties do not agree to a resolution concerning the instruction, the Customer may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing. The Customer will not have any further claims against the Company, including without limitation requesting refunds, following such termination.
- Use of sub-processor
The Company engages sub-processors to provide certain services on its behalf. The Customer consents to the Company engaging sub-processors to process Personal Data under the Agreement. The Company will be responsible for any acts, errors or omissions of its sub-processors that cause the Company to breach any of the Company’s obligations under this DPA.
The Company will enter into an agreement with each sub-processor that would require the sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in this DPA, and at a minimum, at the level of data protection required by any data protection legal requirement.
- Changes to sub-processors
- The Company will reasonably assist the Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of the obligation of the Customer to respond to requests for exercising the Data Subjects’ rights under any data protection legal requirement, to request access, rectification or deletion of Personal Data or to restrict or object to further Processing of such data.
- The Company will further reasonably assist the Customer, upon their reasonable request, in ensuring compliance with their obligations in connection with the security of Processing, notification of a Personal Data Breach to supervisory authorities and affected Data Subjects, insofar as it relates to the Company’s Processing of Personal Data under this DPA, and to the extent the Customer does not otherwise have access to the relevant information, and that such information is available with the Company.
- Except for negligible costs, the Customer will promptly reimburse the Company with costs and expenses incurred by it in connection with the provision of assistance to the Customer under this DPA.
- Measures undertaken by the Company
The Company will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data Processed by the Company on behalf of its Customers in the provision of the Application (“Security Measures”). The Security Measures are subject to technical progress and development. The Company may update or modify the Security Measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Application purchased by the Customer.
- Measures undertaken by the Business Partners
The Customers are responsible for implementing their own security measures. They undertake to use the Application in a manner that enables the Customer to comply with any data protection legal requirement, including implementing appropriate technical and organizational measures.
The personnel engaged by the Company carry out the Processing as per the instructions of the Customers. The Company restricts its personnel from Processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by the Company to process Personal Data is subject to an obligation of confidentiality.
- Prohibited Data
Each Customer acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as an individual’s financial or health information) to the Application.
- The Company is headquartered in India, which is not considered by the European Commission to be offering an adequate level of protection for the Personal Data of EU Member State residents as of the date when this DPA was last updated.
- The Company may transfer and Process Personal Data to and in other locations around the world where the Company or its sub-processors maintain Processing operations as necessary to run the Application as set forth in the Agreement.
- The Company may transfer Personal Data or other information to any other body corporate or a person in India, or located in any other country, that ensures the same level of data protection that is adhered to by the Company.
PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION
The Company will notify its Customer without undue delay on becoming aware of a Personal Data Breach affecting Customer’s Personal Data being Processed hereunder by the Company or the Company’s sub-processors.
The notice will at least:
- describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of a designated officer of the Company, who will be available to provide any additionally available information about the Personal Data Breach;
- describe the likely consequences of the Personal Data Breach;
- describe the measures taken or proposed to be taken by the Company to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
If it is not possible to provide the information at the same time, the information may be provided in phases without undue delay.
The Company will, pursuant to its policies and procedures, identify and rectify the cause of the Personal Data Breach and inform the Customers accordingly.
The liability for a Personal Data Breach toward the Customers and any third party is subject to: 1. The Personal Data Breach is a result of a breach of the Company’s security obligations under this DPA; and 2. The Personal Data Breach is not caused by (a) acts or omissions of the Business Partner, or any person acting on behalf of or jointly with the Customers, including the users authorized; or (b) their instructions to the Company.
RETURN OR DELETION OF PERSONAL DATA
Following expiration or termination of the Agreement, the Company will delete or return to the Customers all Personal Data in its possession as set forth in the Agreement except to the extent the Company is required by applicable law to retain some or all of the Personal Data. The terms of this DPA will continue to apply to that retained Personal Data.
This DPA will commence and become legally binding on the earlier of (a) the date of its execution, (b) the effective date of the Agreement to which it relates, or (c) the initiation of the Company’s Processing of Personal Data on behalf of the Customer; and will continue until the Agreement expires or is terminated.
Relationship with Agreement
Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
In the event of any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail.
Modification & Supplementation
The Company may modify the terms of this DPA as provided in the Agreement, in circumstances such as 1. if required to do so by a supervisory authority or other government or regulatory entity; 2. if necessary to comply with any data protection legal requirement, or 3. to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under any data protection legal requirement.
The Company will provide notice of such changes to the Customers and the modified DPA will become effective, in accordance with the terms of the Agreement. The Company will monitor, update and promptly display the date when this DPA has been most recently updated.