Data Processing Addendum
- In this Addendum, the following terms have the following meanings:
- (a) Applicable Data Protection Law means:
- (i) the EU General Data Protection Regulation (Regulation 2016/679) (GDPR);
- (ii) the UK Data Protection Act 2018 (UK DPA); and
- (iii) the California Consumer Privacy Act of 2018, Cal. Civ. Code §1798.100 et. seq., and its implementing regulations (CCPA), as applicable.
- (b) business, business purpose, consumer, controller, data subject, processor, service provider, personal data, processing (and process), sell (and selling and sale) and special categories of personal data shall have the meanings given in Applicable Data Protection Law;
- (a) Applicable Data Protection Law means:
- Relationship of the parties: You (the controller) appoint Us as a processor to process the personal data described in the Agreement (the Data) for the purposes described, and the terms set out, in the Agreement, including, for the avoidance of doubt, to provide you with, and update and improve, our services (or as otherwise agreed in writing by the parties) (the Permitted Purpose). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
- Prohibited data: Unless explicitly requested by Us to do so, You shall not disclose (and shall not permit any data subject to disclose) any special categories of personal data to Us for processing.
- International transfers: We shall not transfer the Data outside of the European Economic Area (EEA), the United Kingdom (UK) or the State of California (as applicable based on the origin of the Data) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission, UK, or the State of California, respectively, has decided provides adequate protection for personal data (e.g., New Zealand), to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
- Confidentiality of processing: We shall ensure that any person it authorises to process the Data (an Authorised Person) shall protect the Data in accordance with Our confidentiality obligations under the Agreement.
- Security: We shall implement technical and organisational measures, as set out in Annex A, which may be amended and updated from time to time, to protect the Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (a Security Incident).
- Subcontracting: You consent to Us engaging third party subprocessors to process the Data for the Permitted Purpose provided that: (i) We maintain an up-to-date list of Our subprocessors, which shall be available on its website, which it shall update with details of any change in subprocessors at least 30 days prior to the change; (ii) We impose data protection terms on any subprocessor We appoint that require it to protect the Data to the standard required by Applicable Data Protection Law; and (iii) We remain liable for any breach of this Addendum that is caused by an act, error or omission of Our subprocessor. You may object to Our appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, We will either not appoint or replace the subprocessor or, if this is not reasonably possible, in Our sole discretion, You may suspend or terminate the Agreement without penalty (without prejudice to any fees incurred by You up to and including the date of suspension or termination).
- Cooperation and data subjects’ rights: We shall provide reasonable and timely assistance to You (at Your expense) to enable You to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law; and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Us, We shall promptly inform You providing full details of the same.
- Data Protection Impact Assessment: If We believe or become aware that Our processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, We shall inform You and provide reasonable cooperation to You in connection with any data protection impact assessment that may be required under Applicable Data Protection Law.
- Security incidents: If We become aware of a confirmed Security Incident, We shall inform You without undue delay and shall provide reasonable information and cooperation to You so that You can fulfil any data breach reporting obligations You may have under (and in accordance with the timescales required by) Applicable Data Protection Law. We shall further take reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and keep You informed of all material developments in connection with the Security Incident.
- Deletion or return of Data: Upon termination or expiry of the Agreement, We will, on Your explicit request, delete or return the Data in its possession or control (in a manner and form decided by Us, acting reasonably). This requirement shall not apply to the extent that We are required by applicable law to retain some or all of the Data, which Data We shall securely isolate and protect from any further processing.
- Audit: You acknowledge that We are regularly audited against SOC 2 standards by an independent third-party auditor. Upon Your request, and subject to the confidentiality obligations set out in the Agreement, We shall make available to You (provided that You are not a competitor of Us) (or Your independent, third-party auditor that is not Our competitor) a copy of Our SOC 2 report in the same manner and form that We make the SOC 2 report generally available to customers.
- Limitation of Liability: Each party’s liability, taken in aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, will be subject to the limitations and exclusions of liability set out in the “Limitation of Liability” section 11 of the Agreement and any reference in such section to the liability of a party means aggregate liability of that party and all of its Affiliates under the Agreement (including this Addendum).