Data Processing Addendum
This Data Processing Addendum ("Addendum") forms part of the Services Agreement ("Agreement") between Customer acting on its own behalf and as agent for each Customer Affiliate; and SaaSync, LLC ("SaaSync") acting on its own behalf and as agent for each SaaSync Affiliate.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws (as defined below) with regard to the relevant Customer Personal Data (as defined below), if applicable.
1.1 "Controller," "Processor," "Data Subject," "Processing," "Supervisory Authority," "Personal Data Breach," and "Special Categories of Personal Data" shall have the same meaning as in the applicable Data Protection Law.
1.2 "Customer Personal Data" means Personal Data received from or on behalf of Customer that is covered by a Data Protection Law.
1.3 "Data Protection Laws" means: (i) the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et seq. ("CCPA"); and (ii) the EU General Data Protection Regulation 2016/679 ("GDPR"), as well as any other applicable national rule and legislation on the protection of personal data in the European Union that is already in force or that will come into force during the term of this Addendum, and any data protection laws substantially amending, replacing or superseding the GDPR following any exit by the United Kingdom from the European Union, or, and to the extent applicable, the data protection or privacy laws of any other Member State of the European Economic Area.
1.4 "EEA" means the European Economic Area as well as any country for which the European Commission has published an adequacy decision as published at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/adequacy-protection-personal-data-non-eu-countries_en.
1.5 "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household.
1.6 "Restricted Transfer" means the onward transfer of Customer Personal Data that is located in the European Economic Area to SaaSync in a country that is not in the EEA, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses or another adequate transfer mechanism as approved by the European Commission.
1.7 "Standard Contractual Clauses" means the European Commission's decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection (the text of which is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087), as amended from time to time.
1.8 "Subprocessor" means any Processor (including any third party and any SaaSync Affiliate) appointed by SaaSync to Process Customer Personal Data on behalf of Customer or any Customer Affiliate.
Data Processing Terms. While providing the Services to Customer and Customer Affiliates pursuant to the Agreement, SaaSync and SaaSync Affiliates may Process Customer Personal Data on behalf of Customer or any Customer Affiliate as per the terms of this Addendum. SaaSync agrees to comply with the following provisions with respect to any Customer Personal Data submitted by or for Customer or any Customer Affiliate to the Services or otherwise collected and Processed by or for Customer or any Customer Affiliate by SaaSync or any SaaSync Affiliate. SaaSync shall only retain, use, or disclose Customer Personal Data as necessary for SaaSync's performance of its obligations under the Agreement and only in accordance with Customer's instructions. SaaSync shall not sell any Customer Personal Data as the term "selling" is defined in the CCPA. SaaSync shall not take any action that would cause any transfers of Customer Personal Data to or from SaaSync to qualify as "selling personal information" under the CCPA.
Processing of Customer Personal Data. SaaSync shall not Process Customer Personal Data other than on Customer's documented instructions unless Processing is required by Data Protection Laws to which SaaSync is subject, in which case SaaSync shall to the extent permitted by Data Protection Laws inform Customer of that legal requirement before Processing Customer Personal Data. For the avoidance of doubt, the Agreement, including any Processing reasonably necessary and proportionate to achieve the business purpose outlined in the Agreement, and any related SOW entered into by Customer shall constitute documented instructions for the purposes of this Addendum. Customer shall be responsible for: (1) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer's use and disclosure and SaaSync's Processing of Customer Personal Data; and (2) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to SaaSync to permit the Processing of such Customer Personal Data by SaaSync for the purposes of performing SaaSync's obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify SaaSync of any changes in, or revocation of, the permission to use, disclose, or otherwise process Customer Personal Data that would impact SaaSync's ability to comply with the Agreement, or Data Protection Laws.
Confidentiality. SaaSync shall take reasonable steps to ensure that individuals that process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, SaaSync shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
Subprocessing. SaaSync may engage such Subprocessors as SaaSync considers reasonably appropriate for the processing of Customer Personal Data in accordance with this Addendum, provided that SaaSync shall notify Customer of the addition or replacement of such Subprocessor and Customer may, on reasonable grounds, object to a Subprocessor by notifying SaaSync in writing within 10 days of receipt of SaaSync's notification, giving reasons for Customer's objection. Upon receiving such objection, SaaSync shall: (1) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; and (2) where such change cannot be made within 10 days of SaaSync's receipt of Customer's notice, Customer may by written notice to SaaSync with immediate effect terminate the portion of the Agreement or relevant SOW to the extent that it relates to the Services which require the use of the proposed Subprocessor. This termination right is Customer's sole and exclusive remedy to Customer's objection of any Subprocessor appointed by SaaSync. SaaSync shall require all Subprocessors to enter into an agreement with equivalent effect to the Processing terms contained in this Addendum. SaaSync shall remain fully liable for all the acts and omissions of each Subprocessor.
Data Subject Rights. SaaSync shall promptly notify Customer if it receives a request from a Data Subject under any Data Protection Laws in respect to Customer Personal Data. In the event that any Data Subject exercises any of its rights under the Data Protection Laws in relation to Customer Personal Data, SaaSync shall use reasonable commercial efforts to assist Customer in fulfilling its obligations as Controller following written request from Customer, provided that SaaSync may charge Customer on a time and materials basis in the event that SaaSync considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
Personal Data Breach. In the event of a Personal Data Breach, SaaSync will notify Customer without undue delay after becoming aware of the Personal Data Breach. Such notification may be delivered to an email address provided by Customer or by direct communication (for example, by phone call or an in-person meeting). Customer is solely responsible for ensuring that the appropriate notification contact details are current and valid. SaaSync will take reasonable steps to provide Customer with information available to SaaSync that Customer may reasonably require to comply with its obligations as Controller to notify impacted Data Subjects or Supervisory Authorities.
Data Protection Impact Assessment and Prior Consultation. In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any Supervisory Authority of Customer, following written request from Customer, SaaSync shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, provided that SaaSync may charge Customer on a time and materials basis in the event that SaaSync considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
Deletion or Return of Customer Personal Data. Unless otherwise required by applicable Data Protection Laws, following termination or expiration of the Agreement SaaSync shall, at Customer's option, delete or return all Customer Personal Data and all copies to Customer.
Relevant Records and Audit Rights. SaaSync shall make available to Customer on request all information reasonably necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections by Customer or an auditor mandated by Customer, not being competitors of SaaSync ("Mandated Auditor") of any premises where the Processing of Customer Personal Data takes place in order to assess compliance with this Addendum. SaaSync shall provide reasonable cooperation to Customer in respect of any such audit and shall at the request of Customer, provide Customer with relevant records of compliance with its obligations under this Addendum. SaaSync shall promptly inform Customer if, in its opinion, a request infringes the Data Protection Laws or any other confidentiality obligations with SaaSync's other customers. Customer agrees that: (1) audits may only occur during normal business hours, and where possible only after reasonable notice to SaaSync (not less than 20 days' advance written notice); (2) audits will be conducted in a manner that does not have any adverse impact on SaaSync's normal business operations; (3) Customer and any Mandated Auditor will comply with SaaSync's standard safety, confidentiality, and security procedures in conducting any such audits; and (4) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit will be deemed to be the Confidential Information of SaaSync. To the extent any such audit incurs in excess of 20 hours of SaaSync personnel time, SaaSync may charge Customer on a time and materials basis for any such excess hours.
International Data Transfer. With respect to Restricted Transfers, the parties will conduct such Restricted Transfer in accordance with all applicable laws. The parties hereby agree to the Standard Contractual Clauses (which will be deemed executed by the parties as of the effective date of this Addendum), and the following terms will apply: (a) Customer will be referred to as the "Data Exporter" and SaaSync will be referred to as the "Data Importer" in such clauses with relevant company name and address details from the Agreement being used accordingly; (b) details in the Agreement and any Order will be used to complete Appendix 1 of the Standard Contractual Clauses; (c) details in Section 5 (Security) of this DPA will be used to complete Appendix 2 of the Standard Contractual Clauses; and (d) if there is any conflict between this Addendum or the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.
12.1 Instructions. For the purposes of Section 2 of this Addendum and Clause 5(a) of the Standard Contractual Clauses, the following acts are deemed an instruction by the Customer to process Personal Data: (a) Customer's entering into the Agreement and applicable Orders are deemed instructions to Process Personal Data as is necessary to perform Services under the Agreement; (b) Users' actions that initiate Processing while using the Services; and (c) Customer's other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
12.2 Engagement of New Subprocessors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that SaaSync may engage new Subprocessors as described in this Addendum.
12.3 Copies of Subprocessor Agreements. The parties agree that SaaSync may redact the copies of the Subprocessor agreements that must be provided by SaaSync to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses to remove commercial information, confidential information, and clauses unrelated to the Standard Contractual Clauses or their equivalent. SaaSync will provide copies of the Subprocessor agreements only upon request by Customer.
12.4 Audits and Certifications. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the specifications described in this Addendum.
12.5 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by SaaSync to Customer only upon Customer's request.
General Terms. Any obligation imposed on SaaSync under this Addendum in relation to the Processing of Personal Data shall survive any termination or expiration of this Addendum. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either: (1) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible or, if this is not possible, (2) construed in a manner as if the invalid or unenforceable part had never been contained therein. With regard to the subject matter of this Addendum, the provisions of this Addendum shall prevail over the Agreement with regard to data protection obligations for Personal Data of a Data Subject under Data Protection Laws.