Data Processing Addendum
1.1 In accordance with clause 13.1 of the Agreement, this Data Processing Addendum ("DPA") sets out the basis on which the Supplier processes Customer Personal Data (as defined below).
1.2 In the event of a conflict between any of the provisions of this DPA and the remaining provisions of the Agreement, the provisions of this DPA shall prevail.
2.1 Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
| Term | Definition |
| --- | --- |
| | the Supplier's Terms of Service available here. |
| Customer Personal Data | the personal data described in Annex 1, and any other personal data that the Supplier processes on behalf of Customer in connection with the Supplier's provision of the Services. |
| Data Protection Laws | the EU General Data Protection Regulation 2016/679 of the European Parliament and of the Council ("GDPR") and all applicable legislation protecting the fundamental rights and freedoms of persons and their right to privacy with regard to the Processing of Customer Personal Data. |
| European Economic Area or EEA | the Member States of the European Union together with Iceland, Norway, and Liechtenstein. |
| Security Incident | any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data. |
| Standard Contractual Clauses | the Standard Contractual Clauses (processors) approved by European Commission Decision C(2010)593 or any subsequent version thereof released by the European Commission. |
| | any Processor engaged by the Supplier who agrees to receive from the Supplier Customer Personal Data. |
| "personal data", "Controller", "Processor", "Data Subject", "Process" and "Supervisory Authority" | the same meaning as set out in the GDPR. |
3. Data Processing
3.1 Instructions for Data Processing. The Supplier will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Services to Customer, and (b) Customer's written instructions.
3.2 Processing outside the scope of this DPA will require prior written agreement between Customer and the Supplier on additional instructions for Processing.
3.3 Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained/will obtain all necessary consents for the Processing of Customer Personal Data by the Supplier in accordance with this Agreement.
4.1 Customer acknowledges and agrees that (i) the Supplier may be retained as Subprocessors; and (ii) Subprocessors in connection with the provision of the Services. Any such Subprocessors will be permitted to obtain Customer Personal Data only to deliver the Services the Supplier has retained them to provide, and are prohibited from using Customer Personal Data for any other purpose. The Supplier agrees that any agreement with a Subprocessor will include substantially the same data protection obligations as set out in this DPA.
4.2 A list of Subprocessors is available here. The Supplier may change the list of such other Subprocessors by providing no less than five (5) business days' in-app or other notice to Customer. If Customer objects to the Supplier's change in such other Subprocessors, Customer may, as its sole and exclusive remedy, terminate the portion of any Agreement relating to the Services that cannot reasonably be provided without the objected-to new Subprocessor by providing 30 days' written notice to the Supplier. If Customer does not object to the Supplier's change in such other Subprocessors within five (5) business days of the in-app notification, this will be deemed acceptance of that new Subprocessor.
4.3 The Supplier shall be liable for the acts and omissions of its Subprocessors to the same extent the Supplier would be liable if performing the services of each Subprocessor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
4.4 Transfers of Personal Data. To the extent that the Processing of Customer Personal Data by the Service Provider involves the export of such Customer Personal Data to a third party to a country or territory outside the EEA, other than (i) a country or territory ensuring an adequate level of protection for the rights and freedoms of Data Subjects in relation to the Processing of personal data as determined by the European Commission, or (ii) where the third party is a member of a compliance scheme recognised as offering adequate protection for the rights and freedoms of Data Subjects as determined by the European Commission, such export shall be governed by the Standard Contractual Clauses.
5. Data Security, Audits and Security Notifications
5.1 Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Supplier shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk including, where applicable by virtue of Article 28(3)(c) of the GDPR, and as appropriate, the measures referred to in Article 32(1) of the GDPR. Without limiting the generality of the foregoing, the Supplier shall put in place and maintain the technical and organisational measures set out in Annex 2 to protect the Customer Personal Data against any Security Incident.
5.2 Security Audits. Customer may audit (by itself or using independent third-party auditors) the Supplier's compliance with the security measures (including the technical and organisational measures set out in Annex 2), including by conducting audits of the Supplier's (and Subprocessors') data processing facilities, and such audits may be performed once annually at the cost of the Customer.
5.3 Where applicable by virtue of Article 28(3)(h) of the GDPR, the Supplier shall make available to Customer on request all information necessary to demonstrate compliance with this DPA. The Supplier shall immediately inform Customer if, in its opinion, an instruction pursuant to this clause 5.3 infringes applicable Data Protection Laws.
5.4 Security Incident Notification. If the Supplier or any Subprocessor becomes aware of, or has reason to suspect that there has been, a Security Incident, the Supplier will promptly (a) notify Customer of the Security Incident without undue delay, (b) investigate the Security Incident and fully co-operate with Customer's (and any law enforcement or regulatory official's) investigation of the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
5.5 Employees and Personnel. The Supplier shall limit access to Customer Personal Data to those employees or other personnel who have a business need to have access to such Customer Personal Data. Further, the Supplier shall ensure that such employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data in accordance with the provisions of this DPA.
6. Access Requests and Data Subject Rights
6.1 Data Subject Requests. The Supplier shall promptly notify Customer of any request received by the Supplier or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
6.2 The Supplier shall, where possible, assist Customer with ensuring its compliance under applicable Data Protection Laws, and in particular shall:
(a) provide Customer with the ability to correct, delete, block, access or copy the personal data of a Data Subject, or
(b) promptly correct, delete, block, access or copy Customer Personal Data within the Services at Customer's request.
7.1 The Supplier shall provide the Customer with any information or assistance reasonably requested by the Customer for the purpose of complying with any of the Customer's obligations under applicable Data Protection Laws.
8. Deletion of Data
8.1 Subject to Clause 8.2 and Clause 8.3 below, the Supplier shall promptly, and in any event within 10 (ten) weeks of the date of termination of the Agreement, delete and use all reasonable efforts to procure the deletion of Customer Personal Data Processed by us or any Subprocessors.
8.2 Within the 10 (ten) week period specified at Clause 8.1, the Customer may request a copy of all Customer Personal Data by secure file transfer.
8.3 The Supplier may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that the Supplier shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
Annex 1: Details of the processing of customer data
This ANNEX 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and the duration of the Processing of the Customer Personal Data are set out in the Agreement including this DPA.
The nature and purpose of the Processing of Customer Personal Data
The Processing of Customer Personal Data provided by the Customer through their use of the Services.
The types of Customer Personal Data to be processed
a) Custom plugin data collected through our monitoring agent or API
b) Customer account data e.g. first user name, email, phone number submitted during the signup process
c) User accounts e.g. name, email, phone number submitted by admin users when creating new users.
d) Account user phone number and email submitted by admin users when managing users or by the user managing their own profile.
The categories of data subject to whom the Customer Personal Data relates
End users, website users and any other Data Subjects whose Personal Data the Customer may extract, transfer, and load onto the Services.
Customer's obligations and rights
The obligations and rights of the Customer are as set out in the Agreement including this DPA.
Annex 2: Technical and organisational security measures
1. The Supplier maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
a) secure any personal data Processed by the Supplier against accidental or unlawful loss, access or disclosure
b) identify reasonably foreseeable and internal risks to security and unauthorised access to the personal data Processed by the Supplier
c) minimise security risks, including through risk assessment and regular testing