This Data Processing Addendum ("Addendum") forms part of the Enterprise SaaS Subscription Agreement (the "Agreement") between Provider and ("Company") (collectively the "Parties").
a) Subject Matter. This Addendum reflects the Parties' commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Provider's execution of the Agreement. All capitalized terms that are not expressly defined in this Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
b) Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Agreement or, if it is completed after the Effective Date of the Agreement, upon the date that the Parties sign this Addendum. Provider will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Provider's obligations and Customer's rights under this Addendum will continue in effect so long as Provider Processes Customer Personal Data.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) "Applicable Data Protection Law(s)" means applicable U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of Customer Personal Data.
b) "Customer Personal Data" means Personal Data Processed by Provider pertaining to Customer's business and related to individuals located in the United States. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A attached hereto.
c) "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
d) "Personal Data" shall have the meaning assigned to the terms "personally identifiable information" or "personal information" under Applicable Data Protection Law(s).
e) "Provider Account Data" means Personal Data that relates to Provider's relationship with Customer, including, but not limited to, the names or contact information of individuals Customer has associated with its account. Provider Account Data also includes any data Provider may need to collect for the purpose of managing its relationship with Customer, identity verification, or as otherwise required by applicable laws and regulations.
f) "Provider Usage Data" means Services usage data and configuration metrics collected and processed by Provider in connection with the provision of the Services, including without limitation data used to identify the source and destination of a communication, activity logs, and data used to optimize and maintain performance of the Services, and to investigate and prevent system abuse.
g) "Process" or "Processing" means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
h) "Processor" means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
i) "Security Incident(s)" shall have the same meaning as set forth under Applicable Data Protection Law(s).
j) "Sell" and "Share" shall have the same meanings as set forth under Applicable Data Protection Law(s).
k) "Service Provider(s)" shall have the same meanings as set forth under Applicable Data Protection Law(s).
l) "Services" means any and all services that Provider performs under the Agreement, including Application Services.
m) "Third Party(ies)" means Provider's authorized contractors, agents, vendors and third party service providers (i.e., sub-processors, Service Providers) that Process Customer Personal Data.
a) Compliance with Laws. Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
b) Documented Instructions. Provider and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this Addendum, the Agreement, or the Order Form. Provider will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer's instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer's instructions. Customer shall ensure that Provider's Processing of Personal Data in accordance with Customer's instructions will not cause Provider to be in breach of the Applicable Data Protection Law(s). Customer is solely responsible for the accuracy, quality, and legality of (i) the Customer Personal Data provided to Provider by or on behalf of Customer, (ii) the means by which Customer acquired any such Customer Personal Data, and (iii) the instructions it provides to Provider regarding the Processing of such Customer Personal Data. Customer shall not provide or make available to Provider any Customer Personal Data in violation of the Agreement or Applicable Data Protection Law(s).
c) Authorization to Use Third Parties. To the extent necessary to fulfill Provider's contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes (i) Provider to engage Third Parties and (ii) Third Parties to engage Service Providers. Any Third Party Processing of Customer Personal Data shall be consistent with Customer's documented instructions and comply with all Applicable Data Protection Law(s). Customer consents to Provider appointing the Service Providers listed in Exhibit B and at _____________ (the "Sub-Processor URL"). Provider will notify Customer of any changes to this list if Customer signs up for notices through the Sub-Processor URL.
d) Provider and Third Party Compliance. Provider agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties' Processing of Customer Personal Data that imposes on such Third Parties (and their Service Providers) data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s) and are substantially similar to those set out in this Agreement; and (ii) remain responsible to Customer for Provider's Third Parties' (and their Service Providers if applicable) failure to perform their obligations with respect to the Processing of Customer Personal Data.
e) Confidentiality. Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
f) Personal Data Inquiries and Requests. Provider agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Law(s) ("Privacy Request"). To the extent permitted by law, Provider will notify Customer of a Privacy Request without undue delay. If Provider receives a Privacy Request in relation to Customer Data, Provider shall direct the data subject to submit their request to Customer. Customer will be responsible for responding to such request. Customer is solely responsible for ensuring that Privacy Requests for erasure, restriction or cessation of processing, or withdrawal of consent to processing of any Customer Personal Data are communicated to Provider, and, if applicable, for ensuring that a record of consent to processing is maintained with respect to each data subject. To the extent Customer is unable to respond to Privacy Requests without Provider's assistance, Provider will use commercially reasonable measures to assist Customer in answering or complying with any Privacy Request in so far as it is possible and without undue delay.
g) Demonstrable Compliance. Provider agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.
h) Selling and Sharing of Personal Data. Customer agrees that, with the exceptions of Provider Account Data and Provider Usage Data, Provider is a Service Provider and is receiving Customer Personal Data from Customer in order to provide Services pursuant to the Agreement, which constitutes a business purpose under Applicable Data Protection Law(s). Provider will not (i) Sell or Share Personal Data; (ii) retain, use, or disclose Personal Data for any purpose other than the specific purpose of performing its obligations under the Agreement, including retaining, using, or disclosing the Personal Data for a commercial purpose other than fulfilling its obligations under the Agreement; or (iii) retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Provider.
i) Compliance Management. Provider will promptly notify Customer in writing in the event that it determines it is no longer able to meet its obligations under Applicable Data Protection Law(s) or this Addendum. Provider shall take appropriate measures to remediate its noncompliant Processing of Personal Data.
j) Provider's Role as a Controller. The parties agree that with respect to Provider Usage Data and Provider Account Data, Provider is an independent Controller, and the parties are not joint Controllers. Provider will process Provider Usage Data and Provider Account Data solely to (i) manage the relationship with Customer, including but not limited to performing its obligations to Customer under the Agreement; (ii) to carry out Provider's core business operations, such as accounting, audits, tax preparation and filing and compliance purposes; (iii) to monitor, investigate, prevent and detect fraud, security incidents and other misuse of the Services, and to prevent harm to Customer; (iv) for identity verification purposes; (v) to comply with legal or regulatory obligations applicable to the processing and retention of Personal Data to which Provider is subject; and (vi) as otherwise permitted or required under Applicable Data Protection Law(s) and in accordance with this Addendum and the Agreement.
a) Provider agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) (the "Information Security Program"). Such measures shall include:
a) Security Incident Procedure. Provider will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
b) Notice. Provider agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) to Customer's Designated POC if it knows that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
a) Data Storage. Provider will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.
b) Data Deletion. Upon expiration or termination of the Agreement, at Customer's written request made within 30 days after such termination or expiration, Provider will provide Customer with assistance in retrieving and/or deleting any Customer or transaction log data left in Provider's system. If return or destruction is prohibited by law, Provider shall use reasonable efforts to prevent such Customer Personal Data from any further processing (except to the extent necessary for its continued hosting or processing required by law) and shall continue to maintain the same levels of protection and confidentiality for the Customer Personal Data remaining in Provider's possession as required under Applicable Data Protection Law(s).
Audits. During the term of this Agreement and upon written request by Customer, Provider, to the extent that it is acting as a data processor to Customer, shall make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set forth under Applicable Data Protection Laws, provided that Provider shall have no obligation to provide commercially confidential information. Audits will be limited to documentation only and do not provide access to the Provider's premises.
a) Liability. Provider's liability for any losses or damages incurred by Customer for fines and penalties imposed against Customer by a government agency, or resulting from claims brought against Customer by third parties, relating to Provider's breach of its obligations under this Addendum shall be subject to the Limitation of Liability clause set forth in the Agreement.
b) Counterparts. This Addendum may be executed in counterparts, each of which is deemed an original, but all of which together are deemed to be one and the same agreement. A signed copy of this Addendum delivered by facsimile, e-mail or other means of electronic transmission is deemed to have the same legal effect as delivery of an original signed copy of this Addendum. The parties have caused this Addendum to be executed by their respective authorized representatives, as of the date indicated below the representative's signature.
c) The Agreement. All other terms and conditions in the Agreement shall remain in full force and effect.
a) Provider and Customer agree to designate a point of contact for urgent privacy and security issues (a "Designated POC"). The Designated POCs for both parties are:
| Customer | Provider |
|---|---|
| Address: | Address: |
| Signature: | Signature: |
| Name: | Name: |
| Title: | Title: |
| Date Signed: | Date Signed: |
| Email: | Email: |
| Exhibit A | |
|---|---|
| 1.1 Subject Matter of Processing | |
| 1.2 Duration of Processing | |
| 1.3 Categories of Data Subjects | Includes the following: |
| 1.4 Nature and Purpose of Processing | Includes the following: |
| 1.5 Types of Personal Information | Includes the following: |
List of Service Providers
| Name | Location | Website | Purpose |
|---|---|---|---|