EU Data Protection Addendum
Last Modified 12/13/22
THIS DATA PROCESSING AGREEMENT (“DPA”) is made as of ______________________ (the “Effective Date”).
Allbound, Inc., a company whose principal office is at ________________ USA (“Processor”); and ____________________________________________ (“Controller”).
(A) Controller intends to transfer certain Personal Data to Processor, so that it may be Processed in accordance with an agreement for the provision of Processor’s services entered by and between the parties (the “Agreement”).
(B) The parties agree that this DPA will govern the parties’ rights and obligations with respect to the Processing of such Personal Data.
(C) Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement.
The parties hereby agree as follows:
1. Data Protection
1.1. Definitions: In this Clause, the following terms shall have the following meanings:
(a) “controller”, “processor”, “data subject”, “personal data” and “processing” (and “process”) shall have the meanings given in EU/UK Data Protection Law;
(b) “Applicable Data Protection Law” means all worldwide data protection and privacy laws and regulations, to the extent applicable to the parties and the nature of the personal data processed under the Agreement, including, where applicable, (i) EU/UK Data Protection Law; and (ii) the California Consumer Privacy Act (the “CCPA”).
(c) “EU/UK Data Protection Law” means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;
(d) “Restricted Transfer” means: (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and
(e) “Standard Contractual Clauses” means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
1.2. Relationship of the parties: Controller instructs Processor to process the personal data that is the subject of the Agreement (the “Data”) on its behalf. In respect of such processing, Controller shall be the controller and Processor shall be a processor. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.3. Prohibited data: Controller shall not disclose (and shall not permit any data subject to disclose) any special categories of Data to Processor for processing except where and to the extent expressly disclosed in Annex I.
1.4. Purpose limitation: Processor shall process the Data for the purposes described in Annex I and strictly in accordance with the documented instructions of Controller (the “Permitted Purpose”), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event shall Processor process the Data for its own purposes or those of any third party. Processor shall immediately inform Controller if it becomes aware that such processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Controller’s compliance with Applicable Data
1.5. Restricted transfers: The parties agree that when the transfer of Data from Controller to Processor is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
(a) in relation to Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 1.9 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex I to this DPA;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex II to this DPA; and
(ix) Annex III of the EU SCCs shall be deemed completed with the information set out in Annex III to this DPA;
(b) in relation to Data that is protected by the UK GDPR, the “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, will be completed as follows:
(A) The EU SCCs, completed as set out above in clause 1.5(a) of this DPA shall also apply to transfers of such Data, subject to sub-clause (B) below;
(B) The UK Addendum shall be deemed executed between the transferring Controller and the Processor, and the EU SCCs shall be deemed amended as specified by the UK Addendum in respect of the transfer of such Controller Data.
(c) in the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
1.6. Onward transfers: Processor shall not participate in (nor permit any subprocessor to participate in) any other Restricted Transfers of Data (whether as an exporter or an importer of the Data) unless:
(i) it has first obtained Controller’s prior written consent; and
(ii) the Restricted Transfer is made in full compliance with Applicable Data Protection Law.
Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, or pursuant to Standard Contractual Clauses implemented between the relevant exporter and importer of the Data.
1.7. Confidentiality of processing: Processor shall ensure that any person that it authorises to process the Data (including Processor’s staff, agents and subprocessors) (an “Authorised Person”) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
1.8. Security: The processor shall implement appropriate technical and organisational measures to protect the Data from accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access (a “Security Incident”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. At a minimum, such measures shall include the measures identified in Annex II.
1.9. Subprocessing: Processor shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Controller. Notwithstanding this, Controller consents to Processor engaging third party subprocessors to process the Data provided that:
(i) Processor provides at least 30 days’ prior notice of the addition of any subprocessor (including details of the processing it performs or will perform);
(ii) Processor imposes data protection terms on any subprocessor it appoints that protect the Data, in substance, to the same standard provided for by this DPA; and
(iii) Processor remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. A list of approved subprocessors as at the date of this DPA is attached at Annex III, and Processor shall maintain and provide updated copies of this list to Controller upon request. If Controller refuses to consent to Processor’s appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Processor will not appoint the subprocessor or Controller may elect to suspend or terminate the Agreement without penalty. All subprocessors shall be service providers for purposes of the CCPA.
1.10. Cooperation and data subjects’ rights: Processor shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Controller to enable Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Processor, Processor shall promptly inform Controller providing full details of the same.
1.11. Data Protection Impact Assessment: If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Controller and Processor shall provide Controller with all such reasonable and timely assistance as Controller may require in order to enable it to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, to assist Controller to consult with its relevant data protection authority.
1.12. Security incidents: Upon becoming aware of a Security Incident, Processor shall inform Controller without undue delay (and within 48 hours in any event) and shall provide all such timely information and cooperation as Controller may require in order for Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Processor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all developments in connection with the Security Incident.
1.13. Deletion or return of Data: Upon termination or expiry of the Agreement, Processor shall (at Controller’s election) destroy or return to Controller all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Processor is required by any applicable law to retain some or all of the Data, in which event Processor shall isolate and protect the Data from any further processing except to the extent required by such law until deletion is possible.
1.14. Audit: Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA. In fulfilment of this
(a) Controller acknowledges that Processor is regularly audited against SSAE 18 SOC 2 standards by independent third-party auditors. Upon request, Processor shall supply a summary copy of its audit report(s) to Controller, which reports shall be subject to the confidentiality provisions of the Agreement.
(b) Processor shall also respond to any written audit questions submitted to it by Controller, provided that Controller shall not exercise this right more than once per year.
By signing below, each party acknowledges that it has read and understood the terms of this DPA and agrees to be bound by them, effective as of the date that both parties sign below.
3411 Pierce Dr Chamblee, GA 30341
Data Processing Description
This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.
A. LIST OF PARTIES
Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
Contact person’s name, position and contact details: [INSERT]
Activities relevant to the data transferred under these Clauses: The Controller is a customer of Processor’s that will provide Personal Data to Processor in order to allow Processor to provide services to Controller pursuant to a services agreement entered by and between the parties.
Signature and date:
Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: The processing activities that are necessary in order to provide ____________ software and services to the controller, which shall include hosting, storage, providing customer service, ______________________.
Signature and date:
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: The Data Exporter’s ____________________, and any other individuals whose personal data are uploaded or transmitted via the Data Importer’s software application.
Categories of personal data transferred: Personal information such as the name, email, mailing address, ______________________ of data subjects mentioned above and other data in an electronic form provided to Data Importer when using the services covered in the agreement between Data Exporter and Data Importer.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Personal data will be transferred continuously throughout the duration of the underlying agreement to purchase the Processor’s software and services.
Nature of the processing: The personal data transferred will be subject to the processing activities that are necessary to provide the Processor’s software and services to the Controller, including hosting, storage, __________________, and applying analytics.
Purpose(s) of the data transfer and further processing: To provide the Processor’s software and services to the Controller pursuant to a separate agreement between the parties governing the provision of the software and services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For the duration of the underlying agreement to purchase the Processor’s software and services, unless the personal data is deleted prior to the termination or expiration of that contract by the Controller or by the Processor at the Controller’s instruction.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: Personal data is transferred to the Processor’s sub-processors for the purpose of providing the Processor’s software and services to the Controller for the duration of the underlying purchase agreement, unless the personal data is deleted prior to the termination or expiration of that contract by the Controller or by the Processor at the Controller’s instruction.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (in accordance with Clause 13 of the SCCs):
Where the EU GDPR applies, the competent supervisory authority shall be the Irish Data Protection Commissioner.
Where the UK GDPR applies, the competent supervisory authority shall be the UK Information Commissioner’s Office.
Technical and Organisational Measures
Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Industry standard encryption technologies for Personal Data that is: (i) transmitted over public networks (i.e., the Internet) or when transmitted wirelessly; or (ii) at rest.
Organisational management and dedicated staff responsible for the development, implementation and maintenance of Data Importer’s information security program.
Data security controls which include at a minimum, but may not be limited to, logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Personal Data, as described above.
Network security controls that provide for the use of stateful firewalls and layered DMZ architectures and other traffic and event correlation procedures designed to protect systems from intrusion and limit the scope of any successful attack.
Vulnerability assessment, patch management and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate and protect against identified security threats, viruses and other malicious code.
A highly available redundant infrastructure and offsite backups are utilised. Business resiliency/continuity and disaster recovery procedures designed to maintain service and/or recover from foreseeable emergency situations or disasters.
Incident / problem management procedures designed to allow Data Importer to investigate, respond to, mitigate and notify of events related to Data Importer’s technology and information assets.
Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Data Importer’s organisation, monitoring and maintaining compliance with Data Importer’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
Measures for user identification and authorisation:
Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions, (e.g., granting access on a need-to-know and least privilege basis, use of unique IDs and passwords for all users, periodic review and revoking/changing access promptly when employment terminates or changes in job functions occur).
Password controls designed to manage and control password strength, expiration and usage including prohibiting users from sharing passwords and requiring that Processor’s passwords that are assigned to its employees: (i) be at least eight (8) characters in length, (ii) not be stored in readable format on Data Importer’s computer systems, (iii) must have defined complexity, and (iv) must have a history threshold to prevent reuse of recent passwords. Multi-factor authentication, where available, must always be used. All remote access requires MFA.
Industry standard encryption technologies for Personal Data that is transmitted over public networks (i.e., the Internet) or when transmitted wirelessly.
Industry standard encryption technologies for Personal Data that is at rest.
Physical and environmental security of data center, server room facilities and other areas containing Personal Data designed to: (i) protect information assets from unauthorised physical access, (ii) manage, monitor and log movement of persons into and out of Data Importer facilities, (iii) guard against environmental hazards such as heat, fire and water damage, and (iv) provide an adequate level of redundancy to protect against data loss.
System audit or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including creating secure system baselines and following formal change management procedures, and including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Data Importer’s possession.
Change management procedures and tracking mechanisms designed to test, approve and monitor all changes to Data Importer’s technology and information assets.
Vulnerability and patch management programs ensuring vulnerabilities and misconfigurations are identified on a regular basis and patched promptly.
Organisational management and dedicated staff responsible for the development, implementation and maintenance of Data Importer’s information security program.
This includes annual third party audits of the security program and its policies, procedures, and controls.
Not applicable to Data Importer. Data Importer is processing the Personal Data on behalf of the Data Exporter for the sole purpose of providing services to the Data Importer for the duration of the services agreement entered into between the Data Importer and the Data Exporter. The Data Exporter has complete control over the collection, modification, and deletion of Personal Data (subject to the data retention section, below).
Measures for ensuring data quality: Not applicable to Data Importer. Data Importer is processing the Personal Data on behalf of the Data Exporter for the sole purpose of providing services to the Data Importer for the duration of the services agreement entered into between the Data Importer and the Data Exporter. The Data Importer does not have the ability to monitor the quality of the Personal Data.
The Data Exporter is permitted to set its own retention rules per a dedicated feature within the application and can self-service delete the personal data it has collected at any point during the term of the underlying Agreement. All Personal Data in the Data Exporter’s account is automatically deleted ninety (90) days following expiration or termination of the services agreement entered into between the Data Exporter and Data Importer, or earlier upon request, subject to the Data Importer’s standard 30 day backup schedule.
Measures for ensuring accountability: The Data Importer takes responsibility for complying with the EU GDPR and the UK GDPR, at the highest management level and throughout our organisation. The Data Importer keeps evidence of the steps taken to comply with the EU GDPR and the UK GDPR. The Data Importer puts in place appropriate technical and organisational measures, such as: (i) adopting and implementing data protection policies (where proportionate), (ii) putting written contracts in place with organisations that process personal data on our behalf, (iii) maintaining documentation of our processing activities, (iv) implementing appropriate security measures, (v) recording and, where necessary, reporting personal data breaches, and (vi) carrying out data protection impact assessments for uses of personal data that are likely to result in high risk to individuals’ interests. We review and update our accountability measures at appropriate intervals.
Most of the data within the system can be exported by the Data Exporter in an industry standard format. The Data Importer has procedures in place to export additional data at the Data Exporter’s request.
Policies and procedures in place to ensure secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Data Importer’s possession.
For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a sub-processor, to the data exporter).
Processor Self-Service Features: At all times during the term of the underlying services Agreement, the Controller will have access to its own Processor Account and the ability to delete or modify any personal data stored therein. Any deletions or modifications by Controller will automatically be reflected in Processor’s databases as well.
To support the delivery of Services, Allbound may engage third-party service providers, referred to as Sub-processors. A list of our sub-processors and the purpose and location for each sub-processor is available at https://www.allbound.com/sub-processors/