Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and Heimdall Data (“Vendor”), and applies to the extent that (i) Vendor processes Personal Data on behalf of Customer in the course of providing Services and (ii) the Agreement expressly incorporates this DPA by reference. This DPA does not apply where Vendor is the Controller. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
1. DEFINITIONS.
- “Agreement” means the written or electronic agreement between Customer and Vendor for the provision of the Services to Customer.
- “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
- “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement.
- “GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation).
- “Personal Data” means any information relating to an identified or identifiable natural person contained within Customer’s Content as defined in the Agreement.
- “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Processor” means an entity that processes Personal Data on behalf of a Controller.
- “Services” means any cloud service offering or customer support services provided by Vendor to Customer pursuant to the Agreement.
- “Sub-processor” means any Processor engaged by Vendor or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of Vendor’s group of companies.
2. PROCESSING.
- Role of the Parties. As between Vendor and Customer, Vendor will process Personal Data under the Agreement only as a Processor acting on behalf of the Customer. Customer may act either as a Controller or as a Processor with respect to Personal Data.
- Customer Processing of Personal Data. Customer will, in its use of the Services, comply with its obligations under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to Vendor. Customer represents that it has all rights and authorizations necessary for Vendor to process Personal Data pursuant to the Agreement.
- Vendor Processing of Personal Data. Vendor will comply with its processor obligations under Data Protection Law and will process Personal Data in accordance with Customer’s documented instructions. Customer agrees that the Agreement is its complete and final instructions to Vendor in relation to the processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Vendor and Customer by way of written amendment to the Agreement, and will include any additional fees that may be payable by Customer to Vendor for carrying out such instructions. Upon notice in writing, Customer may terminate the Agreement if Vendor declines to follow Customer’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in the Agreement, to the extent such instructions are necessary to enable Customer to comply with Data Protection Laws.
- Processing of Personal Data Details.
  - Subject matter. The subject matter of the processing under the Agreement is the Personal Data.
  - Duration. The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement.
  - Purpose. The purpose of the processing under the Agreement is the provision of the Services by Vendor to Customer as specified in the Agreement.
  - Nature of the processing. Vendor and/or its Sub-processors are providing Services or fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by Vendor and/or its Sub-processors on systems that may contain Personal Data.
  - Categories of data subjects. Customer determines the data subjects, which may include Customer’s end users, employees, contractors, suppliers, and other third parties.
  - Categories of data. Personal Data that Customer submits to the Services.
3. SUBPROCESSING.
- Use of Sub-Processors. Vendor engages Sub-processors to provide certain services on its behalf. Customer consents to Vendor engaging Sub-processors to process Personal Data under the Agreement. Vendor will be responsible for any acts, errors, or omissions of its Sub-processors that cause Vendor to breach any of Vendor’s obligations under this DPA.
- Vendor will enter into an agreement with each Sub-processor that obligates the Sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the DPA, and at a minimum, at the level of data protection required by Data Protection Law (to the extent applicable to the services provided by the Sub-processor).
- Vendor will provide a list of Sub-processors that it engages to process Personal Data upon written request by Customer or as otherwise made available by Vendor on its website.
- Changes to Sub-processors. Vendor agrees (i) to provide prior notice to Customer of any new engagement of a Sub-processor to process Personal Data if the Customer has subscribed to receive notification via the mechanisms that Vendor provides for the specific Service; and (ii) if Customer objects to a new Sub-processor on reasonable data protection grounds within ten (10) days of receiving the notice, to discuss with Customer those concerns in good faith with a view to achieving resolution.
4. SECURITY MEASURES.
- Security Measures by Vendor. Vendor will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by Vendor on behalf of Customer in the provision of the Services (“Security Measures”). The Security Measures are subject to technical progress and development. Vendor may update or modify the Security Measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Services purchased by the Customer.
- Security Measures by Customer. Customer is responsible for using and configuring the Services in a manner that enables Customer to comply with Data Protection Laws, including implementing appropriate technical and organizational measures.
- Vendor restricts its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by Vendor to process Personal Data is subject to an obligation of confidentiality.
- Prohibited Data. Customer acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as an individual’s financial or health information) to the Services. Customer must not submit to the Services any Personal Data which is regulated by the United States Health Insurance Portability and Accountability Act unless Customer has entered into a business associate agreement with Vendor.
5. PERSONAL DATA BREACH RESPONSE.
Upon becoming aware of a Personal Data Breach, Vendor will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer. Vendor will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
6. AUDIT REPORTS.
Vendor (or third parties engaged by Vendor) audits its compliance against data protection and information security standards on a regular basis. The specific audits, and the data protection and information security certifications Vendor has achieved, will necessarily vary depending upon the nature of the Services in question. Upon Customer’s written request, and subject to obligations of confidentiality, Vendor will make available to Customer a summary of its most recent relevant audit report and/or other documentation reasonably required by Customer which Vendor makes generally available to its customers, so that Customer can verify Vendor’s compliance with this DPA.
7. DATA TRANSFERS AND EXPORTS.
- Data Transfers. Vendor may transfer and process Personal Data to and in other locations around the world where Vendor or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.
- Vendor will process all European Economic Area (including the UK) or Switzerland Personal Data transferred to it for processing under this DPA in accordance with its BCR, including when such Personal Data is processed outside of the European Economic Area by Vendor, any member of its group of companies, or any external Sub-processor appointed by Vendor.
8. DELETION OF DATA.
Following expiration or termination of the Agreement, Vendor will delete or return to Customer all Personal Data in Vendor’s possession as set forth in the Agreement except to the extent Vendor is required by applicable law to retain some or all of the Personal Data (in which case Vendor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to that retained Personal Data.
9. COOPERATION.
- Data Protection Requests. If Vendor receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law, Vendor will promptly redirect the request to the Customer. Vendor will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Vendor is required to respond to such a request, Vendor will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- Customer Requests. Vendor will reasonably cooperate with Customer, at Customer’s expense, to permit Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement to the extent that Customer is unable to access the relevant Personal Data in their use of the Services.
- DPIAs and Prior Consultations. To the extent required by Data Protection Law, Vendor will, upon reasonable notice and at Customer’s expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with data protection authorities.
- Legal Disclosure Requests. If Vendor receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, such request will be dealt with in accordance with the Agreement.
10. GENERAL.
- Relationship with Agreement. Any claims brought under this DPA will be subject to the terms and conditions of the Agreement, including the exclusions and limitations set forth in the Agreement.
- Conflicts. In the event of any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail.
- Modification and Supplementation. Vendor may modify the terms of this DPA as provided in the Agreement, in circumstances such as (i) if required to do so by a supervisory authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Law, or (iii) to implement or adhere to standard contractual clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Law. Supplemental terms may be added as an Annex or Appendix to this DPA where such terms only apply to the processing of Personal Data under the Data Protection Law of specific countries or jurisdictions. Vendor will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on Vendor’s website if not specified in the Agreement.