Data Processing Agreement

Data Processing Agreement

Background

  1. The Customer and the Provider entered into the Terms & Conditions on the Commencement Date (Master Agreement) that may require the Provider to process Personal Data on behalf of the Customer.
  2. This Personal Data Processing Agreement (Agreement) sets out the additional terms, requirements and conditions on which the Provider will process Personal Data when providing services under the Master Agreement. This Agreement contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) (UK GDPR) for contracts between controllers and processors.

Agreed Terms

1. Definitions and Interpretation

The following definitions and rules of interpretation apply in this Agreement.

1.1 Definitions:
  • Authorised Persons: the persons or categories of persons that the Customer authorised to give the Provider written personal data processing instructions and from whom the Provider agrees solely to accept such instructions.
  • Business Day: a day other than a Saturday, Sunday or public holiday in England and Wales, when banks in the United Kingdom are open for business.
  • Business Purpose: the services to be provided by the Provider to the Customer as described in the Master Agreement or any other purpose specifically identified in Annex A.
  • California Personal Information: Personal Data that is subject to the protection of the CCPA.
  • CCPA: California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018).
  • Consumer, Business, Sell and Service Provider will have the meanings given to them in the CCPA.
  • Commissioner: the Information Commissioner (see Article 4(A3), UK GDPR and section 114, DPA 2018).
  • Contract: means the contract between the Customer and Provider for the supply of the Services more particularly set out in the Terms & Conditions.
  • Controller: has the meaning given to it in section 6, DPA 2018.
  • Customer: the person, firm or entity who purchases software or services from the Provider as set out in any Order.
  • Data Protection Legislation refers to all laws and regulations applicable to Provider’s processing of personal data under the Agreement including, without limitation, the General Data Protection Regulation (EU 2016/679) (“GDPR“).
  • Data Subject: the identified or identifiable living individual to whom the Personal Data relates.
  • Europe: for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
  • Non-EU Data Protection Laws: California Consumer Privacy Act (“CCPA”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”); the Brazilian General Data Protection Law (“LGPD”), Federal Law no. 13,709/2018; and the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”).
  • Order: the Customers order for software or services as set out in the Order Form
  • Order Form: Bespin Labs’s ordering document that specifies the Service/s purchased by the Customer under the Contract that is entered into by the Customer and Bespin Labs Limited. By entering into an Order Form, Customer agrees to be bound by the terms of the Contract including this DPA.
  • Personal Data: means any information relating to an identified or identifiable living individual that is processed by the Provider on behalf of the Customer as a result of, or in connection with, the provision of the services under the Master Agreement; an identifiable living individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
  • Personal Data Breach: a breach of security leading to the accidental, unauthorised or unlawful destruction, loss, alteration, disclosure of, or access to, the Personal Data.
  • Processing, processes, processed, process: any activity that involves the use of the Personal Data. It includes, but is not limited to, any operation or set of operations which is performed on the Personal Data or on sets of the Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring the Personal Data to third-parties.
  • Processor: a natural or legal person, public authority, agency or other body which processes personal data on behalf of the Controller.
  • Provider: Bespin Labs Limited incorporated and registered in England and Wales with company number 11068628 whose registered office is at First Floor Office Suite, Mill B Colne Road Buildings, Colne Road, Huddersfield, United Kingdom, HD1 3AG. ICO Registration Number ZA686937
  • Privacy and Data Protection Requirements: all applicable laws and regulations relating to the processing, protection, or privacy of the Personal Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction.
  • Privacy Shield: the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July, 12 2016 and by the Swiss Federal Council on January 11, 2017 respectively; as may be amended, superseded or replaced.
  • Privacy Shield Principles: means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision of July, 12 2016; as may be amended, superseded or replaced.
  • Records: has the meaning given to it in Clause 12.
  • Security Breach: any act or omission that materially compromises the security, confidentiality, or integrity of Personal Data or the physical, technical, administrative, or organizational safeguards put in place to protect it. The loss of or unauthorised access, disclosure, or acquisition of Personal Data is a Security Breach.
  • Standard Contractual Clauses (SCC): means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010, in the form set out at Annex C; as may be amended, superseded or replaced.
  • Sub-Processor: means any Processor engaged by the Provider to assist in fulfilling the Providers obligations with respect to the provision of the Services under the Contract. Sub-Processors will exclude any Provider employee or consultant.
  • Term: this Agreement’s term as defined in Clause 10.
  • UK GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018.

1.2.  This DPA is subject to the terms of the Master Agreement and is incorporated into the Master Agreement. Interpretations and defined terms set forth in the Master Agreement apply to the interpretation of this DPA.

1.3.  The Annexes form part of this Agreement and will have effect as if set out in full in the body of this Agreement. Any reference to this Agreement includes the Annexes.

1.4.  A reference to writing or written includes email.

1.5.  In the case of conflict or ambiguity between:

  1. any provision contained in the body of this Agreement and any provision contained in the Annexes, the provision in the body of this Agreement will prevail;
  2. the terms of any accompanying invoice or other documents annexed to this Agreement and any provision contained in the Annexes, the provision contained in the Annexes will prevail; and
  3. any of the provisions of this Agreement and the provisions of the Master Agreement, the provisions of this Agreement will prevail.
  4. any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

2.Personal Data Types and Processing Purposes

2.1.  The Customer and the Provider agree and acknowledge that for the purpose of the Data Protection Legislation:

  1. The Customer is the Controller and the Provider is the Processor.
  2. The Customer retains control of the Personal Data and remains responsible for its compliance obligations under the Data Protection Legislation, including but not limited to, providing any required notices and obtaining any required consents, and for the written processing instructions it gives to the Provider.
  3. TA describes the subject matter, duration, nature and purpose of the processing and the Personal Data categories and Data Subject types in respect of which the Provider may process the Personal Data to fulfil the Business Purposes.
  4. Annex A describes the general Personal Data categories and Data Subject types the Provider may process to fulfil the Business Purposes of the Master Agreement.

3. Provider’s Obligations

3.1.  The Provider will only process the Personal Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s written instructions. The Provider will not process the Personal Data for any other purpose or in a way that does not comply with this Agreement or the Data Protection Legislation. The Provider must notify promptly the Customer if, in its opinion, the Customer’s instructions do not comply with the Data Protection Legislation.

3.2.  The Provider must comply promptly with any Customer written instructions requiring the Provider to amend, transfer, delete or otherwise process the Personal Data, or to stop, mitigate or remedy any unauthorised processing.

3.3.  The Provider will maintain the confidentiality of the Personal Data and will not disclose the Personal Data to third-parties unless the Customer or this Agreement specifically authorises the disclosure, or as required by domestic law, court or regulator (including the Commissioner). If a domestic law, court or regulator (including the Commissioner) requires the Provider to process or disclose the Personal Data to a third-party, the Provider must first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the domestic law prohibits the giving of such notice.

3.4.  The Provider will reasonably assist the Customer, at no additional cost to the Customer, with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with the Commissioner under the Data Protection Legislation.

3.5.  The Provider must notify promptly the Customer of any changes to the Data Protection Legislation that may reasonably be interpreted as adversely affecting the Provider’s performance of the Master Agreement or this Agreement.

Provider’s employees

  1. The Provider will ensure that all of its employees:
  2. are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
  3. have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and

4.2.  are aware both of the Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.

4.3.  The Provider will take reasonable steps to ensure the reliability, integrity and trustworthiness of and conduct background checks consistent with applicable domestic law on all of the Provider’s employees with access to the Personal Data.

Security

5.1.  The Provider must at all times implement appropriate technical and organisational measures against accidental, unauthorised or unlawful processing, access, copying, modification, reproduction, display or distribution of the Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data including, but not limited to, the security measures set out in Annex B.​

 5.2.  The Provider must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, ​availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
  4. a process for regularly testing, assessing and evaluating the effectiveness of the security measures.

Security Breach and Personal Data Loss

6.1.  The Provider will within 24 hours and in any event without undue delay notify the Customer in writing if it becomes aware of:

  1. The loss, unintended destruction or damage, corruption, or unusability of part or all of the Personal Data. The Provider will restore as soon as possible such Personal Data at its own expense.
  2. any accidental, unauthorised or unlawful processing of the Personal Data; or
  3. any Personal Data Breach.

6.2.  Where the Provider becomes aware of (6.1.1), (6.1.2) and/or (6.1.3) above, it will, without undue delay, also provide the Customer with the following written information:

  1. description of the nature of (6.1.1), (6.1.2) and/or (6.1.3), including the categories of in-scope Personal Data and approximate number of both Data Subjects and the Personal Data records concerned;
  2. the likely consequences; and
  3. a description of the measures taken or proposed to be taken to address (6.1.1), (6.1.2) and/or (6.1.3), including measures to mitigate its possible adverse effects.

6.3.  Immediately following any accidental, unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Further, the Provider will reasonably co-operate with the Customer at no additional cost to the Customer, in the Customer’s handling of the matter, including but not limited to:

  1. assisting with any investigation;
  2. providing the Customer with physical access to any facilities and operations affected;
  3. facilitating interviews with the Provider’s employees, former employees and others involved in the matter including, but not limited to, its officers and directors;
  4. making available all relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Customer; and
  5. taking reasonable and prompt steps to mitigate the effects and to minimise any damage resulting from the Personal Data Breach or accidental, unauthorised or unlawful Personal Data processing.​

6.4.  The Provider will not inform any third-party of any accidental, unauthorised or unlawful processing of all or part of the Personal Data and/or a Personal Data Breach without first obtaining the Customer’s written consent, except when required to do so by domestic law.

6.5.  The Provider agrees that the Customer has the sole right to determine:

  1. whether to provide notice of the accidental, unauthorised or unlawful processing and/or the Personal Data Breach to any Data Subjects, the Commissioner, other in-scope regulators, law enforcement agencies or others, as required by law or regulation or in the Customer’s discretion, including the contents and delivery method of the notice; and
  2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.

6.6.  The Provider will cover all reasonable expenses associated with the performance of the obligations under 6.1 to 6.3 unless the matter arose from the Customer’s specific written instructions, negligence, wilful default or breach of this Agreement, in which case the Customer will cover all reasonable expenses.

6.7.  The Provider will also reimburse the Customer for actual reasonable expenses that the Customer incurs when responding to an incident of accidental, unauthorised or unlawful processing and/or a Personal Data Breach to the extent that the Provider caused such, including all costs of notice and any remedy as set out in 6.5.

7.Cross-border transfers of personal data

7.1.  Customer acknowledges and agrees that Provider may access and Process Personal Data on a global basis necessary to provide the Services in accordance with the Contract and in particular where Sub-Processors have operations. Provider will ensure such transfers are made in compliance with the Privacy and Data Protection Requirements.

7.2.  If any Personal Data transfer between the Provider and the Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses contained in Annex C, and take all other actions required to legitimise the transfer, including, if necessary:

  1. co-operating to register the Standard Contractual Clauses with any supervisory authority in any member state of the European Economic Area; or
  2. procuring approval from any such supervisory authority;
  3. providing additional information about the transfer to such supervisory authority.

8. Sub-Processors

8.1.  Other than those subcontractors as set out in A, the Provider may not authorise any other third-party or subcontractor to process the Personal Data.

8.2.  Where Provider engages Sub-Processors, the Provider will enter into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA (including where appropriate Standard Contractual Clauses). Provider remains responsible for each Sub-Processors performance of its obligations and for any acts of omissions of such Sub-processor that cause Provider to breach any of its obligations under this DPA.

8.3.  Where the subcontractor fails to fulfil its obligations under the written agreement with the Provider which contains terms substantially the same as those set out in this Agreement, the Provider remains fully liable to the Customer for the subcontractor’s performance of its agreement obligations.

8.4.  The Parties agree that the Provider will be deemed by them to control legally any Personal Data controlled practically by or in the possession of its subcontractors

8.5.  On the Customer’s written request, the Provider will audit a subcontractor’s compliance with its obligations regarding the Personal Data and provide the Customer with the audit results. Where the Customer concludes reasonably that the subcontractor is in material default of its obligations regarding the Personal Data, the Customer may in writing instruct the Provider to instruct the subcontractor to remedy such deficiencies within 20 business days.

9. Complaints, data subject requests and third-party rights

9.1.  The Provider must, at no additional cost to the Customer, take such technical and organisational measures as may be appropriate, and promptly provide such information to the Customer as the Customer may reasonably require, to enable the Customer to comply with:

9.2.  the rights of Data Subjects under the Data Protection Legislation, including, but not limited to, subject access rights, the rights to rectify, port and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and

9.3.  information or assessment notices served on the Customer by the Commissioner under the Data Protection Legislation.

9.4.  The Provider must notify the Customer immediately in writing if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.

9.5.  The Provider must notify the Customer within 3 business days if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Legislation.

9.6.  The Provider will give the Customer, at no additional cost to the Customer, its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.

9.7.  The Provider must not disclose the Personal Data to any Data Subject or to a third-party other than in accordance with the Customer’s written instructions, or as required by domestic law.

10. Term and Termination

10.1.  This Agreement will remain in full force and effect so long as:

  1. the Master Agreement remains in effect; or
  2. the Provider retains any of the Personal Data related to the Master Agreement in its possession or control (Term).

10.2.  Any provision of this Agreement that expressly or by implication should come into or continue in force on or after termination of the Master Agreement in order to protect the Personal Data will remain in full force and effect.

10.3.  The Provider’s failure to comply with the terms of this Agreement is a material breach of the Master Agreement. In such event, the Customer may terminate [the Master Agreement OR any part of the Master Agreement involving the processing of the Personal Data] effective immediately on written notice to the Provider without further liability or obligation of the Customer.

10.4.  If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Master Agreement obligations, the parties may agree to suspend the processing of the Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation within 20 business days, either party may terminate the Master Agreement on not less than 30 working days on written notice to the other party.

11. Data return and destruction

11.1.  At the Customer’s request, the Provider will give the Customer, or a third-party nominated in writing by the Customer, a copy of or access to all or part of the Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.

11.2.  On termination of the Master Agreement for any reason or expiry of its term, the Provider will securely delete or destroy all or any of the Personal Data related to this Agreement in its possession or control, except for administration and audit logs that it may retain and use for 36 months for audit purposes only.

11.3.  If any law, regulation, or government or regulatory body requires the Provider to retain any documents, materials or Personal Data that the Provider would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Personal Data that it must retain, the legal basis for such retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.

11.4.  The Provider will certify in writing to the Customer that it has deleted or destroyed the Personal Data within 20 days after it completes the deletion or destruction.

12. Records

12.1.  The Provider will keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data, including but not limited to, the access, control and security of the Personal Data, [approved subcontractors] , the processing purposes, categories of processing, , and a general description of the technical and organisational security measures referred to in 5.1 (Records).

12.2.  The Provider will ensure that the Records are sufficient to enable the Customer to verify the Provider’s compliance with its obligations under this Agreement and the Data Protection Legislation and the Provider will provide the Customer with copies of the Records upon request.

12.3.  The Customer and the Provider must review the information listed in the Annexes to this Agreement annually to confirm its current accuracy and update it when required to reflect current practices.

13. Audit

13.1.  At least once a year, the Provider will conduct site audits of its Personal Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this Agreement, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognised third-party audit firm based on recognised industry best practices.​

13.2.  On the Customer’s written request, the Provider will make all of the relevant audit reports available to the Customer for review, including as applicable: The Provider’s latest Payment Card Industry (PCI) Compliance Report, reports relating to its ISO/IEC 27001 certification and 3rd party VAPT (Vulnerability Assessment and Penetration Testing) reports. The Customer will treat such audit reports as the Provider’s confidential information under the Master Agreement.

13.3.  The Provider will promptly address any exceptions noted in the audit reports with the development and implementation of a corrective action plan by the Provider’s management.

14. Warranties

14.1.  The Provider warrants and represents that:

  1. its employees, subcontractors, agents and any other person or persons accessing the Personal Data on its behalf are reliable and trustworthy and have received the required training on the Data Protection Legislation;
  2. it and anyone operating on its behalf will process the Personal Data in compliance with the Data Protection Legislation and other laws, enactments, regulations, orders, standards and other similar instruments;
  3. it has no reason to believe that the Data Protection Legislation prevents it from providing any of the Master Agreement’s contracted services; and
  4. considering the current technology environment and implementation costs, it will take appropriate technical and organisational measures to prevent the accidental, unauthorised or unlawful processing of Personal Data and the loss or damage to, the Personal Data, and ensure a level of security appropriate to:
    1. the harm that might result from such accidental, unauthorised or unlawful processing and loss or damage;
    2. the nature of the Personal Data protected; and
    3. comply with all applicable Data Protection Legislation and its information and security policies, including the security measures required in 5.1.

14.2.  The Customer warrants and represents that the Provider’s expected use of the Personal Data for the Business Purposes and as specifically instructed by the Customer will comply with the Data Protection Legislation.

15. Indemnification

15.1.  The Provider agrees to indemnify, keep indemnified and defend at its own expense the Customer against all costs, claims, damages or expenses incurred by the Customer or for which the Customer may become liable due to any failure by the Provider or its employees, subcontractors or agents to comply with any of its obligations under this Agreement and/or the Data Protection Legislation.

15.2.  During the Term, the Provider must, at its own cost and expense, obtain and maintain insurance, in full force and effect, sufficient to cover the Provider’s potential indemnity or reimbursement obligations. The Provider will produce the policy and premium payment receipt to the Customer on request. The Provider will give the Customer thirty (30) days’ advance written notice if the policy materially changes or is cancelled

16.Notice

16.1.  Any notice [or other communication] given to a party under or in connection with this Agreement must be in writing and delivered to:
–  For the Customer: The Customer Account Manager or data privacy officer.
–  For the Provider: dpo@bespinlabs.com

16.2.  16.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

17.Additional Provisions

17.1. California Personal Information

  1. The ‘Additional Provisions for California Personal Information’ section of the DPA will apply only with respect to California Personal Information.
  2. Roles of the Parties. When processing California Personal Information in accordance with your Instructions, the parties acknowledge and agree that you are a Business and we are a Service Provider for the purposes of the CCPA.
  3. Responsibilities. The parties agree that we will Process California Personal Information as a Service Provider strictly for the purpose of performing the Subscription Services and Consulting Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA, including as described in the ‘Data Practices and Machine Learning’ section of our Product Specific Terms.

17.2. Australian data.

  1. To the extent that the Provider is a recipient of Customer Data protected by the Australian Privacy Law, the parties acknowledge and agree that the Provider may transfer such Customer Data outside of Australia as permitted by the terms agreed upon by the parties and subject to the Service Provider complying with this DPA and the Australian Privacy Law.

17.3. Canadian data

  1. Sub-processors, as described in Section 8 (Sub-processors) of the DPA, are third parties under PIPEDA, with whom the Provider has entered into a written contract that includes terms substantially similar to this DPA. The Provider conducts appropriate due diligence on its Sub-processors.
  2. The Provider will implement technical and organizational measures as set forth in Section 5 (Security) of the DPA.

17.4. United Kingdom

  1. For the avoidance of doubt, when European Union law ceases to apply to the UK upon the UK’s withdrawal from the European Union and until such time as the UK is deemed to provide adequate protection for personal data (within the meaning of applicable EU Data Protection Law) then to the extend the Service processes (or causes to be processed) any Customer Data protected by EU Data Protection Law applicable to EEA and Switzerland in the United Kingdom, The Provider shall process such Customer Data in compliance with the SCCs or any applicable Alternative Transfer Mechanism implemented in accordance with Section 7.1 and 7.2 (Cross-border transfers of personal data)of this DPA

This agreement has been entered into on the Commencement Date of any Order Form.

Annex A

Data Processing Purposes and Details

Duration of Processing

Provider will Process Personal Data for the duration of the Contract, unless otherwise agreed in writing.

Nature and Purpose of Processing:

Provider will Process Personal Data as necessary to provide the Services pursuant to the Contract in accordance with the Order Form and as instructed by Customer in its use of the Services.

Business Purposes: ​

The Services described on the Order Form to the Master Agreement.

Personal Data Categories:

Customer may submit Personal Data during the use of the Services, the extent of which is determined and controlled by Customer in your sole discretion, and which may include the following Personal Data relating to the following categories of Personal Data:
– Contact Information (as defined in the Master Agreement)
– Any other Personal Data submitted by, sent to, or received by the Customer, or the Customer’s end users, via the Service.

Data Subject Types

Customer may submit Personal Data in the course of using the Services, to the extent which is determined and controlled by Customer and which may include but is not limited to the following Data Subject types:
– Contact information such as names, email addresses, telephone numbers
– Any other Personal Data submitted by, sent to or received by Customer or the Customer’s end users through the Service.

Special Categories of Personal Data (if applicable)

The parties do not anticipate any transfer of special categories of data.

Sub-Processors

Sub-Processor Purpose Location Website
Google Cloud Services Provider US/EU https://cloud.google.com/ter ms/data-processing-terms
Crisp Customer Support EU https://help.crisp.chat/en/arti cle/whats-crisp-eu-gdpr-com pliance-status-nhv54c/
Mailchimp Marketing processes US/EU https://mailchimp.com/legal/ data-processing-addendum/
Stripe Payment Gateway US/EU https://support.stripe.com/qu estions/stripe-and-european- data-transfers

Annex B

Security Measures

This Annex B forms part of the DPA.
Provider currently observes the security measures described in this Annex B.

Access Controls

Outsourced processing: All product infrastructure for production purposes is outsourced to Google Cloud Platform. Provider maintains contractual relationships with Google in order to provide the Service in accordance with our DPA. Provider relies on contractual agreements, privacy policies, and Google compliance programs in order to protect data processed or stored by these vendors.

Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through Oauth authorization.

Authentication: All products are protected by single sign on authentication method and two factor authentication. No access to any customer data is possible without a valid authorised account managed by the customer.

Physical and environmental security: All product infrastructure for production purposes is hosted on Google Cloud Platform (GCP) cloud infrastructure and is protected by their published security process including access control. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.

System Access Controls

The internal Provider teams access to customer data is protected by a least privilege model with two factor authentication enforced as default. All access is logged and monitored.

Network access: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.

Transmission Controls

In-transit: Provider makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces and for free on every customer site hosted on the products. Provider HTTPS implementation uses industry standard algorithms and certificates.

At-rest: Provider has implemented technologies to ensure that stored data is encrypted at rest.

Input Controls

Detection: Full monitoring and alerting of system behavior, traffic received, system authentication, and other application requests are in place for the products. Internal systems aggregated log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.

Response and tracking: Provider maintains a record of all known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Agreement.

Data Backups

Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer data is backed up to multiple durable data stores and replicated across multiple availability zones. Backup data is segregated from production data and subject to independent access control and monitoring.

Data Segregation

All customer data is subject to full segregation based on a multi-tenanted data model. No customers have access to any data outside of their tenant.

Annex C

Standard Contractual Clauses

For the purposes of Article 26 (2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection.

The Customer as defined in the Contract (the data exporter)
And

Bespin Labs – First Floor Office Suite, Mill B Colne Road Buildings, Colne Road, Huddersfield, United Kingdom, HD1 3AG (the data importer)

Each ‘a party’ together ‘the parties’
HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Annex A.

Clause 1 – Definitions

For the purposes of the Clauses:

personal data, special categories of data, process/processing, controller, processor, data subject and supervisory authority shall have the same meaning as in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on theprotection of individuals with regard to the processing of personal data and on the free movement of such data;

the data exporter means the controller who transfers the personal data;

the data importer means the processor who agrees to receive from the data exporter personal data intended for processing on its behalf after the transfer in accordance with its instructions and the terms of the Clauses and who is not subject to a third country’s system ensuring adequate protection within the meaning of Article 25(1) of Directive 95/46/EC;

the sub-processor means any processor engaged by the data importer or by any other sub-processor of the data importer who agrees to receive from the data importer or from any other sub-processor of the data importer personal data exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer in accordance with its instructions, the terms of the Clauses and the terms of the written subcontract;

the applicable data protection law means the legislation protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a data controller in the Member State in which the data exporter is established;

technical and organisational security measures means those measures aimed at protecting personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.

Clause 2 – Details of the transfer

The details of the transfer and in particular the special categories of personal data where applicable are specified in Annex A which forms an integral part of the Clauses.

Clause 3 – Third-party beneficiary clause

  1. The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.
  2. The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceased to exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity.
  3. The data subject can enforce against the Sub-Processor this Clause, Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factually disappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights and obligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-party liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
  4. The parties do not object to a data subject being represented by an association or other body if the data subject so expressly wishes and if permitted by national law.

Clause 4 – Obligations of the data exporter

The data exporter agrees and warrants:

  • that the processing, including the transfer itself, of the personal data has been and will continue to be carried out in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been notified to the relevant authorities of the Member State where the data exporter is established) and does not violate the relevant provisions of that State;
  • that it has instructed and throughout the duration of the personal data-processing services will instruct the data importer to process the personal data transferred only on the data exporter’s behalf and in accordance with the applicable data protection law and the Clauses;
  • that the data importer will provide sufficient guarantees in respect of the technical and organisational security measures specified in Annex B to this contract;
  • that after assessment of the requirements of the applicable data protection law, the security measures are appropriate to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing, and that these measures ensure a level of security appropriate to the risks presented by the processing and the nature of the data to be protected having regard to the state of the art and the cost of their implementation;
  • that it will ensure compliance with the security measures;
  • that, if the transfer involves special categories of data, the data subject has been informed or will be informed before, or as soon as possible after, the transfer that its data could be transmitted to a third country not providing adequate protection within the meaning of Directive 95/46/EC;
  • to forward any notification received from the data importer or any Sub-Processor pursuant to Clause 5(b) and Clause 8(3) to the data protection supervisory authority if the data exporter decides to continue the transfer or to lift the suspension;
  • to make available to the data subjects upon request a copy of the Clauses, with the exception of Annex B, and a summary description of the security measures, as well as a copy of any contract for subprocessing services which has to be made in accordance with the Clauses, unless the Clauses or the contract contain commercial information, in which case it may remove such commercial information;
  • that, in the event of subprocessing, the processing activity is carried out in accordance with Clause 11 by a Sub-Processor providing at least the same level of protection for the personal data and the rights of data subject as the data importer under the Clauses; and
  • that it will ensure compliance with Clause 4(a) to (i).

Clause 5 – Obligations of the data importer

The data importer agrees and warrants:

  1. to process the personal data only on behalf of the data exporter and in compliance with its instructions and the Clauses; if it cannot provide such compliance for whatever reasons, it agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  2. that it has no reason to believe that the legislation applicable to it prevents it from fulfilling the instructions received from the data exporter and its obligations under the contract and that in the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by the Clauses, it will promptly notify the change to the data exporter as soon as it is aware, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract;
  3. that it has implemented the technical and organisational security measures specified in Annex B before processing the personal data transferred;
  4. that it will promptly notify the data exporter about;
    1. any legally binding request for disclosure of the personal data by a law enforcement authority unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation;
    2. any accidental or unauthorised access; and
    3. any request received directly from the data subjects without responding to that request, unless it has been otherwise authorised to do so;
  5. to deal promptly and properly with all inquiries from the data exporter relating to its processing of the personal data subject to the transfer and to abide by the advice of the supervisory authority with regard to the processing of the data transferred;
  6. at the request of the data exporter to submit its data-processing facilities for audit of the processing activities covered by the Clauses which shall be carried out by the data exporter or an inspection body composed of independent members and in possession of the required professional qualifications bound by a duty of confidentiality, selected by the data exporter, where applicable, in agreement with the supervisory authority;
  7. to make available to the data subject upon request a copy of the Clauses, or any existing contract for subprocessing, unless the Clauses or contract contain commercial information, in which case it may remove such commercial information, with the exception of Appendix 2 which shall be replaced by a summary description of the security measures in those cases where the data subject is unable to obtain a copy from the data exporter;
  8. that, in the event of subprocessing, it has previously informed the data exporter and obtained its prior written consent;
  9. that the processing services by the Sub-Processor will be carried out in accordance with Clause 11;
  10. to send promptly a copy of any Sub-Processor agreement it concludes under the Clauses to the data exporter.

Clause 6 – Liability

  1. The parties agree that any data subject, who has suffered damage as a result of any breach of the obligations referred to in Clause 3 or in Clause 11 by any party or Sub-Processor is entitled to receive compensation from the data exporter for the damage suffered.
  2. If a data subject is not able to bring a claim for compensation in accordance with paragraph 1 against the data exporter, arising out of a breach by the data importer or his Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11, because the data exporter has factually disappeared or ceased to exist in law or has become insolvent, the data importer agrees that the data subject may issue a claim against the data importer as if it were the data exporter, unless any successor entity has assumed the entire legal obligations of the data exporter by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The data importer may not rely on a breach by a Sub-Processor of its obligations in order to avoid its own liabilities.
  3. If a data subject is not able to bring a claim against the data exporter or the data importer referred to in paragraphs 1 and 2, arising out of a breach by the Sub-Processor of any of their obligations referred to in Clause 3 or in Clause 11 because both the data exporter and the data importer havefactually disappeared or ceased to exist in law or have become insolvent, the Sub-Processor agrees that the data subject may issue a claim against the data Sub-Processor with regard to its own processing operations under the Clauses as if it were the data exporter or the data importer, unless any successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law, in which case the data subject can enforce its rights against such entity. The liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.

Clause 7 – Mediation and jurisdiction

  1. The data importer agrees that if the data subject invokes against it third-party beneficiary rights and/or claims compensation for damages under the Clauses, the data importer will accept the decision of the data subject:
    • to refer the dispute to mediation, by an independent person or, where applicable, by the supervisory authority;
    • to refer the dispute to the courts in the Member State in which the data exporter is established.
  2. The parties agree that the choice made by the data subject will not prejudice its substantive or procedural rights to seek remedies in accordance with other provisions of national or international law.

Clause 8 – Cooperation with supervisory authorities

  1. The data exporter agrees to deposit a copy of this contract with the supervisory authority if it so requests or if such deposit is required under the applicable data protection law.
  2. The parties agree that the supervisory authority has the right to conduct an audit of the data importer, and of any Sub-Processor, which has the same scope and is subject to the same conditions as would apply to an audit of the data exporter under the applicable data protection law.
  3. The data importer shall promptly inform the data exporter about the existence of legislation applicable to it or any Sub-Processor preventing the conduct of an audit of the data importer, or any Sub-Processor, pursuant to paragraph 2. In such a case the data exporter shall be entitled to take the measures foreseen in Clause 5(b).

Clause 9 – Governing Law

The Clauses shall be governed by the law of the Member State in which the data exporter is established.

Clause 10 – Variation of the contract

The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clauses.

Clause 11 – Sub-processing

  1. The data importer shall not subcontract any of its processing operations performed on behalf of the data exporter under the Clauses without the prior written consent of the data exporter. Where the data importer subcontracts its obligations under the Clauses, with the consent of the data exporter, it shall do so only by way of a written agreement with the Sub-Processor which imposes the same obligations on the Sub-Processor as are imposed on the data importer under the Clauses. Where the Sub-Processor fails to fulfil its data protection obligations under such written agreement the data importer shall remain fully liable to the data exporter for the performance of the Sub-Processor’s obligations under such agreement.
  2. The prior written contract between the data importer and the Sub-Processor shall also provide for a third-party beneficiary clause as laid down in Clause 3 for cases where the data subject is not able to bring the claim for compensation referred to in paragraph 1 of Clause 6 against the data exporter or the data importer because they have factually disappeared or have ceased to exist in law or have become insolvent and no successor entity has assumed the entire legal obligations of the data exporter or data importer by contract or by operation of law. Such third-party liability of the Sub-Processor shall be limited to its own processing operations under the Clauses.
  3. The provisions relating to data protection aspects for subprocessing of the contract referred to in paragraph 1 shall be governed by the law of the Member State in which the data exporter is established.
  4. The data exporter shall keep a list of subprocessing agreements concluded under the Clauses and notified by the data importer pursuant to Clause 5(j), which shall be updated at least once a year. The list shall be available to the data exporter’s data protection supervisory authority.

Clause 12 – Obligation after the termination of personal data processing services

  1. The parties agree that on the termination of the provision of data-processing services, the data importer and the Sub-Processor shall, at the choice of the data exporter, return all the personal data transferred and the copies thereof to the data exporter or shall destroy all the personal data and certify to the data exporter that it has done so, unless legislation imposed upon the data importer prevents it from returning or destroying all or part of the personal data transferred. In that case, the data importer warrants that it will guarantee the confidentiality of the personal data transferred and will not actively process the personal data transferred anymore.
  2. The data importer and the Sub-Processor warrant that upon request of the data exporter and/or of the supervisory authority, it will submit its data-processing facilities for an audit of the measures referred to in paragraph 1.

ANNEX A to the Standard Contractual Clauses

This Annex forms part of the Standard Contractual Clauses (the ‘Clauses’). Defined terms used in this Annex 1 shall have the meaning given to them in the Agreement (including the DPA).

Data exporter: The data exporter is the legal entity specified as “Customer” in the DPA.

Data importer: The data importer is Bespin Labs Limited.

Data subjects: Please see Annex 1 of the DPA, which describes the data subjects.

Categories of data: Please see Annex 1 of the DPA, which describes the categories of data.

Special categories of data (if appropriate): The parties do not anticipate the transfer of special categories of data.

Purposes of Processing: Bespin Labs Limited shall process personal data as necessary to provide the Subscription Services to data exporter in accordance with the Agreement.

Processing operations: Please see Annex 1 of the DPA, which describes the processing operations.

ANNEX B to the Standard Contractual Clauses

This Annex B forms part of the Standard Contractual Clauses.

Description of the technical and organisational security measures implemented by the data importer in accordance with clause 4(d) and clause 5(c) (or documents/legislation attached):

Please see Annex B of the DPA, which describes the technical and organisational security measures implemented by Bespin Labs Limited.

ANNEX C To the Standard Contractual Clauses

This Annex C forms part of the Standard Contractual Clauses (the Clauses).

This Annex C sets out the parties’ interpretation of their respective obligations under specific terms of the Clauses. Where a party complies with the interpretations set out in this Annex C, that party shall be deemed by the other party to have complied with its commitments under the Clauses.

For the purposes of this Appendix, DPA means the Data Processing Agreement in place between Customer and Provider and to which these Clauses are incorporated and “Contract” shall have the meaning given to it in the DPA.

Clause 4(h) and 8: Disclosure of these Clauses

Data exporter agrees that these Clauses constitute data importer’s Confidential Information as that term is defined in the Contract and may not be disclosed by data exporter to any third party without data importer’s prior written consent unless permitted pursuant to Contract. This shall not prevent disclosure of these Clauses to a data subject pursuant to Clause 4(h) or a supervisory authority pursuant to Clause 8.

Clauses 5(a) and 5(b): Suspension of data transfers and termination

  1. The parties acknowledge that the data importer may process the personal data only on behalf of the data exporter and in compliance with its instructions as provided by the data exporter and the Clauses.
  2. The parties acknowledge that if data importer cannot provide such compliance in accordance with Clause 5(a) and Clause 5(b) for whatever reason, the data importer agrees to inform promptly the data exporter of its inability to comply, in which case the data exporter is entitled to suspend the transfer of data and/or terminate the contract the affected parts of the Services in accordance with the terms of the Contract.
  3. If the data exporter intends to suspend the transfer of personal data and/or terminate the affected parts of the Services, it shall endeavour to provide notice to the data importer and provide data importer with a reasonable period of time to cure the non-compliance (“Cure Period”).
  4. If required, the parties shall reasonably cooperate with each other during the Cure Period to agree what additional safeguards or other measures, if any, may be reasonably required to ensure the data importer’s compliance with the Clauses and applicable data protection law.
  5. If after the Cure Period the data importer has not or cannot cure the non-compliance then the data exporter may suspend and/or terminate the affected part of the Services in accordance with the provisions of the Contract without liability to either party (but without prejudice to any fees incurred or to be incurred by the data exporter prior to suspension or termination). The data exporter shall not be required to provide such notice in instance where it considers there is a material risk of harm to data subjects or their personal data.

Clause 5(f): Audit

Data exporter acknowledges and agrees that it exercises its audit right under Clause 5(f) by instructing data importer to comply with the audit measures described in the ‘Demonstration of Compliance’ section of the DPA.

Clause 5(j): Disclosure of Sub-Processor agreements

  1. The parties acknowledge the obligation of the data importer to send promptly a copy of any onward Sub-Processor agreement it concludes under the Clauses to the data exporter.
  2. The parties further acknowledge that, pursuant to Sub-Processor confidentiality restrictions, data importer may be restricted from disclosing onward Sub-Processor agreements to data exporter. Notwithstanding this, data importer shall use reasonable efforts to require any Sub-Processor it appoints to permit it to disclose the Sub-Processor agreement to data exporter.
  3. Even where data importer cannot disclose a Sub-Processor agreement to data exporter, the parties agree that, upon the request of data exporter, data importer shall (on a confidential basis) provide all information it reasonably requires in connection with such Sub-Processing agreement to data exporter.

Clause 6: Liability

Any claims brought under the Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Contract. In no event shall any party limit its liability with respect to any data subject rights under these Clauses.

Clause 11: Onward Sub-Processing

  1. The parties acknowledge that, pursuant to FAQ II.1 in Article 29 Working Party Paper WP 176 entitled “FAQs in order to address some issues raised by the entry into force of the EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC” the data exporter may provide a general consent to onward subprocessing by the data importer.
  2. Accordingly, data exporter provides a general consent to data importer, pursuant to Clause 11 of these Clauses, to engage onward Sub-Processors. Such consent is conditional on data importer’s compliance with the requirements set out in the ‘Notification and Objection to New Sub-Processors’ section of the DPA.

Clause 12: Obligation after the termination of personal data-processing services

Data importer agrees that the data exporter will fulfil its obligation to return or destroy all the personal data on the termination of the provision of data-processing services by complying with the ‘Data Return and Destruction’ section of the DPA.

Annex D – Jurisdiction-Specific Terms

Australia:

  1. The definition of “Data Protection Legislation” includes the Australian Privacy Principles and the Australian Privacy Act (1988)
  2. The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
  3. The definition of “Sensitive Data” includes “Sensitive Information” as defined under Applicable Data Protection Law.

Brazil:

  1. The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
  2. The definition of “Security Incident” includes a security incident that may result in any relevant risk or damage to the data subjects.
  3. The definition of “processor” includes “operator” as defined under Applicable Data Protection Law.

California:

  1. The definition of “Applicable Data Protection Law” includes the California Consumer Privacy Act (CCPA).
  2. The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law and, for clarity, includes any Personal Information contained within Customer Account Data, Customer Content, and Customer Usage Data.
  3. The definition of “data subject” includes “Consumer” as defined under Applicable Data Protection Law. In regards to data subject requests, Provider can only verify a request from Customer and not from Customer’s end user or any third party.
  4. The definition of “controller” includes “Business” as defined under Applicable Data Protection Law.
  5. The definition of “processor” includes “Service Provider” as defined under Applicable Data Protection Law.
  6. Provider will process, retain, use, and disclose personal data only as necessary to provide the Services under the Agreement, which constitutes a business purpose. Provide agrees not to
    • sell (as defined by the CCPA) Customer’s personal data or Customer end users’ personal data;
    • retain, use, or disclose Customer’s personal data for any commercial purpose (as defined by the CCPA) other than providing the Services;or
    •  
  7. Provider certifies that its sub-processors, as described in Section 8 (Sub-processors) of this Agreement, are Service Providers under Applicable Data Protection Law, with whom Provider has entered into a written contract that includes terms substantially similar to this Agreement. Provider conducts appropriate due diligence on its sub-processors.
  8. Provider will implement and maintain reasonable security procedures and practices appropriate to the nature of the personal data it processes as set forth in Section 5 (Security) of this Agreement.

Canada:

  1. The definition of “Applicable Data Protection Law” includes the Federal Personal Information Protection and Electronic Documents Act (PIPEDA).
  2. Provider’s sub-processors, as described in Section 8 (Sub-processors) of this DPA, are third parties under Applicable Data Protection Law, with whom Provider has entered into a written contract that includes terms substantially similar to this Agreement. Provider has conducted appropriate due diligence on its sub-processors.
  3. Provider will implement technical and organizational measures as set forth in Section 5 (Security) of this Agreement.

Europe:

  1. Objection to Sub-processors. Customer may object in writing to Provider appointment of a new Sub-processor within five (5) calendar days of receiving notice in accordance with Section 8.5 of this Agreement, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Provider will, at its sole discretion, either not appoint such Sub-processor, or permit Customer to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Customer prior to suspension or termination).
  2. Government data access requests. As a matter of general practice, Provider does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Provider accounts (including Customer Data). If Provider receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a Providers account (including Customer Data) belonging to a Customer whose primary contact information indicates the Customer is located in Europe, Providers shall:
    • inform the government agency that Providers is a processor of the data;
    • attempt to redirect the agency to request the data directly from Customer; and
    • notify Customer via email sent to Customer’s primary contact email address of the request to allow Customer to seek a protective order or other appropriate remedy. As part of this effort, Provider may provide Customer’s primary and billing contact information to the agency. Provider shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or Provider’s property, Sites, or Service.

Israel

  1. The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
  2. The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.​
  3. The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
  4. Provider will require that any personnel authorized to process Customer Content comply with the principle of data secrecy and have been duly instructed about Applicable Data Protection Law. Such personnel sign confidentiality agreements with Provider in accordance with Section 3 (Provider’s Obligations) of this Agreement.
  5. Provider must take sufficient steps to ensure the privacy of data subjects by implementing and maintaining the security measures as specified in Section 5 (Security) of this Addendum and complying with the terms of the Agreement.
  6. Provider must ensure that the personal data will not be transferred to a Sub-Processor unless such Sub-Processor has executed an agreement with Provider pursuant to Section 8 (Sub-processors) of this Agreement.

Japan:

  1. The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
  2. The definition of “personal data” includes “Personal Information” as defined under Applicable Data Protection Law.
  3. The definition of “controller” includes “Business Operator” as defined under Applicable Data Protection Law. As a Business Operator, Provider is responsible for the handling of personal data in its possession.​
  4. The definition of “processor” includes a business operator entrusted by the Business Operator with the handling of personal data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, Provider will ensure that the use of the entrusted personal data is securely controlled.

Mexico:

  1. The definition of “Applicable Data Protection Law” includes the Federal Law for the Protection of Personal Data Held by Private Parties and its Regulations (FLPPIPPE).
  2. When acting as a processor, Provider will:
    • treat personal data in accordance with Customer’s instructions as outlined in in Section 3 (Provider’s Obligations) of this Agreement;
    • process personal data only to the extent necessary to provide the Services;
    • implement security measures in accordance with Applicable Data Protection Law and Section 5 (Security) of this Agreement;
    • keep confidentiality regarding the personal data processed in accordance with the Agreement;
    • delete all personal data upon termination of the Agreement in accordance with Section 11 (Data Return and Deletion) of this Agreement; and
    • only transfer personal data to sub-processors in accordance with Section 8 (Sub-processors) of this Agreement.

Singapore:

  1. The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 (PDPA).
  2. Provider will process personal data to a standard of protection in accordance with the PDPA by implementing adequate technical and organizational measures as set forth in Section 5 (Security) of this Agreement.

United Kingdom:

  1. References in this Agreement to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018)
  2. The Standard Contractual Clauses will also apply to Customer in the United Kingdom as data exporter and to Provider as data importer for transfers of personal data to countries that are not deemed to have an adequate level of data protection under the United Kingdom’s Applicable Data Protection Law.