This data processing addendum (DPA) generally is a part of the Terms of Service (ToS) between Customer and Processor (Terms of Service). In the absence of an executed Terms of Service this DPA shall act as a standalone data processing agreement. In such a case any reference to Terms of Service in this DPA shall be construed as reference to the existing contractual arrangement that applies between Parties pursuant to which the Service Provider has agreed to process Personal Data on behalf of Customer.
This DPA is effective as of the date last signed.
BETWEEN:
(1) Customer; and
(2) JoanaHope, a company incorporated in Ireland with company number 664722 whose registered office is at Cube Building, Co. Cork, Ireland (hereinafter referred to as Secure Target, Processor or Service Provider),
individually referred to as a Party and together as Parties.
WHEREAS:
- Customer Processes Customer Personal Data as Controller;
- Customer appointed Processor to provide the services as referred to in the Terms of Service, whereby Processor will Process Customer Personal Data on behalf of Customer;
- Parties have reached an agreement on the rights and obligations of Customer and Processor, when Processing Customer Personal Data on behalf of Customer and now wish to record these rights and obligations in this DPA.
NOW THEREFORE THE PARTIES AGREE AS FOLLOWS:
1. Definitions & Interpretation
1.1 In the event of conflict or inconsistency between this DPA and any of the terms and conditions of the Terms of Service, including any in respect of the protection of personal data, this DPA will be given precedence, unless otherwise set out herein.
1.2 In this DPA, unless otherwise defined, all capitalised words and expressions shall have the following meaning:
- Customer Personal Data means any Personal Data Processed by Processor on behalf of Customer pursuant to or in connection with the Terms of Service and this DPA.
- Data Protection Law means data protection legislation or any statutory equivalent in force applicable to the Processing of Customer Personal Data, including the GDPR and the Irish Data Protection Acts 1988 to 2018 and/or the UK Data Protection Act 2018 (UK GDPR).
- EEA means the European Economic Area.
- GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
- Processor Affiliate means an entity that is controlled by, in control of, or under common control with the Processor.
- SCCs means the Commission Decision 2010/87 of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in non-adequate countries, as defined under Directive 95/46/EC of the European Parliament and of the Council (2010/87/EU) attached as Schedule 1.
- Personal Data Breach means a Security Incident that has led to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Customer Personal Data transmitted, stored or otherwise processed by the Processor.
- Security Incident means any breach of security measures used by Processor to secure Customer Personal Data.
- Security Incident Log means the electronic record described in article 4.1 below.
- Subprocessor means a person or entity subcontracted by Data Processor to Process Customer Personal Data.
The terms Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority shall have the meaning given to them in the GDPR.
2. Processing Customer Personal Data
2.1 For the purpose of this DPA, Secure Target is the Processor of Customer Personal Data and Customer is the Controller.
2.2 The subject-matter of Processing of Personal Data by Processor is the performance of the Service pursuant to the Terms of Service. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.
2.3 Additionally, Secure Target’s Customer Privacy Policy and Subprocessors pages contain further details about the Processing of Customer Personal Data by Processor and Subprocessors, including the purpose and nature of the Processing and type of Personal Data.
2.4 The Processor will (and will procure that Subprocessors will):
(a) have no independent rights in relation to Customer Personal Data and only Process Customer Personal Data on behalf of and for the benefit of Customer, in accordance with the terms of the Terms of Service and this DPA together with Customer’s instructions, unless required to do so by applicable law to which Processor is subject, in which case the Processor shall inform Customer of that legal requirement before the Processing of that Customer Personal Data;
(b) immediately inform Customer if, in its opinion, an instruction received from Customer infringes Data Protection Law;
(c) not assume any responsibility for determining the purposes for which and the manner in which Customer Personal Data is Processed and not Process Customer Personal Data for purposes not determined by Customer;
(d) not carry out any further research, analysis or profiling activity which involves the use of any element of the Customer Personal Data or any information derived from any Processing of such Customer Personal Data outside the scope of the Terms of Service and this DPA;
(e) notify Customer promptly in the event that it is unable to comply with this DPA or its obligations under Data Protection Law or if it has reason to believe that the legislation applicable to it is likely to have a substantial adverse effect on the obligations provided under this DPA or otherwise prevents it from fulfilling the instructions received from Customer under this DPA;
(f) if it has appointed a data protection officer, communicate the name and contact details of the data protection officer to Customer.
2.5 Customer accepts that all costs accrued by the Processor in the context of its performance of this DPA shall be considered an additional expense to be reimbursed by Customer.
3. Rights and obligations of Processor
3.1 Processor will:
(a) keep Customer Personal Data confidential and take appropriate technical and organisational security measures to protect Customer Personal Data against unauthorised or unlawful Processing, accidental loss or damage or destruction. Secure Target’s Trust Centre page contains the minimum security measures to be implemented by Processor;
(b) only grant access to Customer Personal Data to persons under the Processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. Subprocessors listed in Secure Target’s Subprocessors page are deemed approved by Customer. On the basis of this review, such access to Personal Data can be withdrawn if access is no longer necessary, and Personal Data shall consequently no longer be accessible to those persons;
(c) assist Customer by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of Customer’s obligations to respond to requests for exercising the data subject’s rights laid down in Data Protection Law, and inform Customer as soon as possible, and no later than 48 (forty-eight) hours, if it receives a complaint or request from a Data Subject in respect of Customer Personal Data. Such assistance will be provided subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for these services;
(d) only hold complaints or requests from Data Subjects seeking to exercise their rights under applicable Data Protection Laws until such time as the records have been securely transferred to Customer. The Processor shall not respond (and shall ensure that Sub-processors do not respond) to requests from Data Subjects exercising their rights except on the written instructions of Customer (subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for these services) or as required by the applicable Data Protection Laws to which the Processor or Sub-processor is subject, in which case the latter shall, to the extent permitted by law, inform Customer of the existence and detailed provisions of that legal requirement before it responds to the request;
(e) assist Customer in ensuring compliance with its obligation to carry out an assessment of the impact of the envisaged Processing operations on the protection of Customer Personal Data (a data protection impact assessment) (subject to agreement to any reasonable and duly evidenced cost being charged by the Processor for this assistance) and, when applicable, with its obligation to consult the competent Supervisory Authority prior to Processing where a data protection impact assessment indicates that the processing would result in a high risk;
(f) assist Customer in the event of an investigation or audit by a Supervisory Authority, to the extent that such investigation or audit relates to Processor’s Processing of Customer Personal Data, and inform Customer as soon as possible if a Supervisory Authority requests an investigation or audit of Processor relating to Processor’s Processing of Customer Personal Data;
(g) maintain records of all Processing operations under its responsibility that contain at least the minimum information required by Data Protection Law.
4. Security Incidents
4.1 The Processor will (and shall procure that all its Subprocessors will) maintain an up-to-date electronic record of all discovered Security Incidents (Security Incident Log). The incident log shall contain at least a description of the Security Incident, including the date and time the Security Incident was discovered. If a Security Incident is a Personal Data Breach, the log shall also contain an overview of the affected Customer Personal Data and the categories and number of affected Data Subjects.
4.2 The Processor will (and shall procure that all its Subprocessors will), without delay, but in any event within 36 hours, inform Customer in writing of any actual or suspected Personal Data Breaches. The Processor must take all adequate remedial measures immediately and must promptly provide Customer with all relevant information and assistance as requested by Customer regarding the actual or suspected Personal Data Breaches. The notification of a Personal Data Breach to Customer will include at a minimum:
(a) a description of the Personal Data Breach, including the date and time the Personal Data Breach was discovered;
(b) an overview of the affected Customer Personal Data and the categories and number of affected Data Subjects;
(c) information on the (expected) consequences of the Personal Data Breach; and
(d) a description of the measures taken by the Processor to limit the consequences of the Personal Data Breach.
If the Processor is unable to communicate all information relating to the Personal Data Breach simultaneously, the Processor shall provide the information as soon as it becomes available.
The Processor shall not make any notification, statement, communication, press release or other public announcement relating to a Personal Data Breach without prior consultation with, and the written consent of, Customer.
4.3 In relation to an actual or suspected Personal Data Breach, the Processor shall (and shall procure that all Subprocessors shall) provide Customer with all reasonable assistance, including to minimise the impact of the Personal Data Breach, prevent a similar Personal Data Breach from recurring, effect a reconstruction or recovery of the relevant Customer Personal Data and comply with Customer’s obligations under Data Protection Law in relation to the Personal Data Breach.
5. Subprocessors
5.1 Customer hereby grants the Processor general written authorisation for the engagement of Subprocessors, under the conditions that the Processor shall remain fully liable to Customer as regards the fulfilment of the obligations of the Subprocessor and that the Processor and the Subprocessor have entered into an agreement that imposes obligations on the Subprocessor that are no less restrictive than those imposed on the Processor under this DPA, and provides for sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the Processing will meet the requirements of Data Protection Laws.
5.2 Where Sub-processors are engaged, the Processor shall, before the Sub-processor first processes Customer Personal Data, carry out adequate due diligence to ensure that the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this DPA.
5.3 The Subprocessors listed in Secure Target’s Subprocessors page are hereby approved by Customer.
6. Audit Rights
6.1 Upon Customer’s written request, the Processor will provide Customer with the results of the most recent data security compliance reports or any audit performed by or on behalf of the Processor that assesses the effectiveness of the Processor’s information security program, system(s), internal controls, and procedures relating to the processing of Customer Personal Data.
6.2 Upon reasonable advance written notice to the Processor, Customer may, on reasonable notice of not less than thirty days and no more than once in a calendar year, during normal business hours, audit the Processor’s facilities, Processor’s Security Incident Log, networks, systems, procedures, Processing and maintenance of Customer Personal Data, and its compliance with its obligations under this DPA. Notwithstanding the foregoing, Customer will be permitted to exercise such audit right any time a Security Breach has occurred. The Processor will cooperate with such audit by providing reasonable access to knowledgeable personnel, physical premises as applicable, documentation, infrastructure, and any application software that Processes Customer Personal Data. Customer will be responsible for the costs and expenses of such audit (or the fees and costs of the third party performing the audit).
7. Data transfers
7.1 The Processor will abide by the requirements under Data Protection Law regarding the transfer of Customer Personal Data from the EEA to countries outside the EEA. Unless otherwise provided for in Annex 1, the Processor shall not transfer or process any Customer Personal Data outside of the territory of the EEA or outside the territories defined in Annex 1 without the explicit prior written consent of Customer. If the Processor obtains such consent, the Processor shall ensure that such transfer/access is only implemented provided that the transfer is covered by:
(a) binding corporate rules approved by a competent Supervisory Authority in accordance with Article 47 GDPR;
(b) an approved code of conduct or certification mechanism pursuant to Article 46 GDPR;
(c) standard data protection clauses adopted by the European Commission pursuant to Article 46 GDPR; or
(d) an adequacy decision of the European Commission pursuant to Article 45 GDPR.
7.2 To the extent that a Subprocessor is based in a third country that does not provide an adequate level of protection, and the transfer of Customer Personal Data is not covered by one or more of the safeguards listed in 7.1(a), 7.1(b) or 7.1(d), the Parties hereby agree to enter into the SCCs, attached as Schedule 1 to this DPA, for the transfer of Customer Personal Data from Customer to the Processor, subject to the Controller confirming that, in its opinion, the transfers will meet the requirements set out by the Court of Justice of the European Union in the Schrems II case.
7.3 If the Processor intends to transfer Personal Data to an engaged Sub-processor located outside of the EEA and the Processor opts to have such transfer covered by the SCCs, the Company hereby authorizes the Processor to enter into such SCCs in the Company’s name and on its behalf.
7.4 At Customer’s request, the Processor shall provide a copy of any document evidencing the implementation of any of the above-mentioned measures to cover the transfer/access of Customer Personal Data.
8. Termination, erasure and return of data
8.1 On termination of the Terms of Service, or earlier as obliged by contract with Customer, the Processor will destroy, or at Customer’s election and in accordance with any instructions from Customer will deliver to Customer, or enable Customer to do so by means of the functionality provided by the Services, all Customer Personal Data in its possession, custody and control, except for such information as must be retained under applicable law and insofar as is technically possible.
8.2 To the extent that the Processor retains any such Customer Personal Data beyond termination or expiration of the Terms of Service, or as earlier requested by Customer, because such retention is required under applicable law, this DPA will remain in full effect and the Processor will immediately destroy all such Customer Personal Data so retained once such retention is no longer required under applicable laws, insofar as is technically possible. At Customer’s request, the Processor will provide Customer with a written log evidencing the destruction of Customer Personal Data.
8.3 At such time as Customer Personal Data is either returned or destroyed in full, this DPA will expire automatically.
9. Liability
9.1 Notwithstanding provisions of the Terms of Service, the Controller remains liable for any direct and/or indirect damages arising out of or in connection with a breach of this DPA, or Customer’s instructions under this DPA, by the Processor, Processor Affiliates or any Subprocessor, their directors, officers, employees or other individuals working under their control and/or supervision.
9.2 Notwithstanding provisions of the Terms of Service, the Controller shall indemnify and hold the Processor harmless for any costs, claims, losses, damages, liabilities and expenses (including legal expenses) resulting from any data breach or Customer’s instructions under this DPA by Processor or any Subprocessor, their directors, officers, employees or other individuals working under their control and/or supervision.
10. Applicable law and forum
10.1 This DPA and any dispute or claim arising out of it or in connection with it, its subject matter or formation shall be governed by and construed in accordance with the laws of Ireland.
10.2 Any dispute, controversy or claim arising out of or in connection with this DPA, its subject matter or formation shall be submitted to the exclusive jurisdiction of the competent Courts of Ireland.
Annex 1 – Details of the Processing
Nature and Purpose of Processing
- Providing the Service to Customer;
- Performing the Terms of Service, this DPA and/or other contracts executed by the Parties;
- Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Terms of Service;
- Providing support and technical maintenance, if agreed in the Terms of Service;
- Preventing, mitigating and investigating the risks of data security incidents, fraud, error or any illegal or prohibited activity;
- Resolving disputes;
- Enforcing the Terms of Service, this DPA and/or defending Processor’s rights;
- Complying with applicable laws and regulations;
- All tasks related to any of the above.
Duration of Processing
Subject to any Section of the DPA and/or the Terms of Service dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Processor will Process Personal Data pursuant to the DPA and Terms of Service for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data
Customer may submit Personal Data to the Service, the extent of which is determined and controlled by Customer in its sole discretion.
Categories of Data Subjects
Customer may submit Personal Data to the Service which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
- Employees, agents, advisors and freelancers of Customer (who are natural persons);
- Prospects, customers, business partners and vendors of Customer (who are natural persons);
- Employees or contact persons of Customer’s prospects, customers, business partners and vendors;
- Any other third party individual with whom Customer decides to communicate through the Service.