Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
You represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2. “Applicable Laws” means all applicable data protection, privacy and electronic marketing legislation, including the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, the GDPR, as well as any equivalent laws anywhere in the world – to the extent any such laws apply to Controller Personal Data to be processed hereunder by Processor.
1.3. “Controller Personal Data” means any Personal Data Processed by Processor solely on behalf of Controller pursuant to or in connection with the Agreement and this DPA.
1.4. “GDPR” means EU General Data Protection Regulation 2016/679.
1.5. “Personal Data” means any information relating to an identified or identifiable natural person, submitted by Controller or any individual on its behalf to Provider or created by them through their use of Epistema’ services, to be Processed by Provider solely on behalf of Controller under the Agreement and this DPA.
1.6. “Process” or “Processing” or “Processing of Personal Data” means any operation or set of operations which is performed by Epistema on Personal Data or on sets of Personal Data pursuant to the Agreement and this DPA, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.7. “Sub Processor” means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on behalf of Processor or any Processor Affiliate to Process Controller Personal Data on behalf of the Controller in connection with the Agreement and this DPA.
1.8. “Restricted Transfer” means (i) a transfer of Controller Personal Data from Controller to Processor; or (ii) an onward transfer of Controller Personal Data from a Processor to a Sub Processor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Applicable Laws (or by the terms of a data transfer agreement put in place to address the data transfer restrictions of Applicable Laws).
1.9. The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data Breach“, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR.
2.1. The Parties acknowledge and agree that with regard to the Processing of Controller Personal Data, (i) the customer is the Controller, (ii) Epistema is the Processor, and (iii) Processor or Processor Affiliates may engage Sub Processors pursuant to the requirements set forth in Section 5 below.
2.2. Processor shall not Process Controller Personal Data other than on the Controller’s documented reasonable and customary instructions as specified in the Agreement or in this DPA, unless such Processing is required by applicable laws to which the Processor is subject or as strictly necessary for the provision of Processor’s service and product under the Agreement (together the “Services“).
2.3. Controller instructs Processor (and authorizes Processor to instruct each Sub Processor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with Section 2.5 below, with the Agreement and this DPA and in accordance with Applicable Laws.
2.4. Furthermore, Controller warrants and represents that it is and will remain duly and effectively authorized to give the instructions set out in Section 2.1 and any additional instructions as provided pursuant to the Agreement and this DPA and/or in connection with the performance thereof, on behalf of itself and each relevant Controller Affiliate, at all relevant times and at least for as long as the Agreement and this DPA are in effect and for any additional period during which Processor is lawfully processing the Controller Personal Data.
2.5. Controller hereby sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Annex 1 (Details of Processing of Controller Personal Data) hereto.
2.6. Controller Personal Data may be transferred from the EU Member States, EEA member countries, and the United Kingdom (collectively, “EEA“), (i) to countries that offer adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, Member States or the European Commission, without any further safeguard being necessary; (ii) to the United States, solely for Processing by Processor or Sub Processor on its behalf which has self-certified and comply with the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the US Department of Commerce, to the extent permitted under Applicable Laws; (iii) to any country that does not offer an adequate level of data protection, or offers a mechanism such as the aforesaid Privacy Shield, if the Parties hereto have executed the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the European Union, Member States or the European Commission, or complied with any of the other mechanisms provided for in the GDPR or any other Applicable Laws for transferring Personal Data to such other countries.
2.7. Without derogating from the provisions of the Agreement and this DPA, Controller (and not Processor) shall be exclusively liable for any excess Controller Personal Data provided or otherwise made available to Processor or any Sub Processor in the course of providing Processor’s Services under the Agreement or under this DPA. Processor’s obligations under the Agreement or under this DPA shall not apply to any such excess Controller Personal Data.
Processor shall take reasonable steps to ensure that access to the Controller Personal Data is limited on a need to know/access basis, and that all Processor personnel receiving such access are subject to confidentiality undertakings or professional or statutory obligations of confidentiality in connection with their access/use of Controller Personal Data.
Processor shall, in relation to the Controller Personal Data, implement appropriate technical and organizational measures to ensure an appropriate level of security, including, as appropriate and applicable, the measures referred to in Article 32(1) of the GDPR in assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular risks emanating from a Personal Data Breach.
5.1. Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Sub Processor appointed in accordance with this Section 5 to appoint) Sub Processors in accordance with this Section 5 and subject to any restrictions in the Agreement and this DPA.
5.2. Processor and each Processor Affiliate may continue to use those Sub Processors already engaged by Processor or any Processor Affiliate as of the date of this DPA, including for the purpose of cloud hosting services by reputable Sub Processors, to the extent necessary to perform Processor’s obligations under the Agreement and this DPA. Without derogating from the aforesaid, Processor may also use any Sub Processors whom Controller requested Processor to use.
5.3. Processor shall make available to Controller the current list of all Sub Processors, available upon sending an email to email@example.com with the subject header “Sub Processors List”. If, within seven (7) days of such notice of the planned appointment, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment, Processor shall not appoint the proposed Sub Processor for the processing of Controller Personal Data until reasonable steps have been taken to address the objections raised by Controller, and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement and this DPA to the extent that it relates to the Services which require the use of the proposed Sub Processor without bearing liability for such termination.
5.4. With respect to each new Sub Processor, Processor shall:
5.4.1. Before such new Sub Processor first Processes Controller Personal Data, take reasonable steps (for instance by way of reviewing such new Sub Processor’s privacy policies as appropriate) to ensure that the new Sub Processor is committed to provide the level of protection for Controller Personal Data required by the Agreement and by this DPA; and
5.4.2. Ensure that the arrangement between the Processor and the new Sub Processor is governed by a written contract, including terms which offer materially similar level of protection for Controller Personal Data as those set out in this DPA that meet the requirements of Applicable Laws.
6.1. Controller shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Applicable Laws (e.g., for access, rectification, deletion of Controller Personal Data, etc.). Taking into account the nature of the Processing, Processor shall reasonably endeavour to assist Controller insofar as feasible, to fulfil Controller’s said obligations with respect to such Data Subject requests, as applicable, at Controller’s sole expense.
6.2. Processor shall:
6.2.1. Promptly notify Controller if it receives a request from a Data Subject under Applicable Laws in respect of Controller Personal Data; and
6.2.2. Ensure that it does not respond to that request except on the documented instructions of Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Laws, inform Controller of that legal requirement before it responds to the request.
7.1. Processor shall notify Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting Controller Personal Data, in connection with the Processing of such Controller Personal Data by the Processor or by Processor Affiliates and Sub Processors. In such event, Processor shall provide Controller with information (to the extent in Processor’s possession) to assist Controller to meet any obligations to inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Applicable Laws.
7.2. At the written request of the Controller, Processor shall reasonably cooperate with Controller and take such commercially reasonable steps as are agreed by the Parties at such a time, or necessary as under Privacy Protection Laws to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
At the written request of the Controller, the Processor shall provide reasonable assistance to Controller, at Controller’s expense, with any data protection impact assessments or prior consultations with Supervising Authorities or other competent data privacy authorities, as required under any Applicable Laws. Such assistance shall be solely in relation to Processing of Controller Personal Data by the Processor.
9.1. Subject to Section 9.2, Processor shall, as early as practicable and in any event within up to sixty (60) days of the date of cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date“), delete or anonymize all copies of those Controller Personal Data, except such copies as authorized including under this DPA or required to be retained in accordance with Applicable Law and/or regulation.
9.2. Subject to the Agreement and this DPA, Processor may retain Controller Personal Data to the extent authorized or required by Applicable Laws, provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that it is only processed for such legal purpose(s).
9.3. Upon Controller’s written request, Processor shall provide written certification to Controller that it has complied with this Section 9.
10.1. The Parties acknowledge and agree that, by executing the DPA, Controller enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of any of its authorized Controller Affiliates, thereby establishing a separate DPA between authorized Controller Affiliates and Processor or Processor Affiliates. Each authorized Controller Affiliate agrees to be bound by the obligations under this DPA and the Agreement. All access to and use of Processor’s Services by authorized Controller Affiliates must comply with the terms and conditions of the Agreement and of this DPA, and any violation of the terms and conditions therein by authorized Controller Affiliates shall be deemed a violation by Controller.
10.2. Controller shall remain responsible for coordinating all communication with Processor under the Agreement and under this DPA, and shall be entitled to make and receive any communication in relation to this DPA on behalf of its authorized Controller Affiliates.
11.1. Subject to Sections 11.2 and 11.3, Processor shall make available to a reputable third party auditor mandated by Controller in coordination with Processor, upon prior written request, such information necessary to reasonably demonstrate compliance with this DPA, and shall allow for audits, including inspections, by such auditor in relation to the Processing of the Controller Personal Data by the Processor, provided that such third-party auditor shall be subject to confidentiality obligations.
11.2. Provisions of information and audits are and shall be at Controller’s sole expense, and may only arise under Section 11.1 to the extent that the Agreement does not otherwise give Controller information and audit rights meeting the relevant requirements of the Applicable Laws. In any event, all audits or inspections shall be subject to the terms of the Agreement and this DPA, and to Processor’s obligations to third parties, including with respect to confidentiality.
11.3. Controller shall give Processor reasonable prior written notice of any audit or inspection to be conducted under Section 11.1 and shall use (and ensure that each of its mandated auditors uses) its best efforts to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processors’ premises, equipment, personnel and business while its personnel are on those premises in the course of such an audit or inspection. Processor need not give access to its premises for the purposes of such an audit or inspection:
11.3.1. To any individual unless he or she produces reasonable evidence of identity and authority;
11.3.2. If Processor was not given a written notice of such audit or inspection at least 2 weeks in advance;
11.3.4. Outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Controller has given sufficient prior notice to Processor that this is the case;
11.3.5. For premises outside the Processor’s control (such as data storage farms of Processor’s cloud hosting providers);
11.3.6. If more than one (1) audit or inspection, in respect of each Processor, already took place in the same calendar year, except for any additional audits or inspections which:
188.8.131.52. Controller reasonably considers necessary because of genuine concerns as to Processor’s compliance with this DPA; or
184.108.40.206 Controller is required to carry out by Applicable Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Applicable Laws in any country or territory, where Controller has identified its concerns or the relevant requirement or request in its prior written notice to Processor of the audit or inspection.
12.1.1. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
12.1.2. This DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail solely with respect to the subject matter of this DPA and solely if such conflict or inconsistency originates from the requirements of Article 28 of the GDPR (except where explicitly agreed otherwise in writing, signed on behalf of the Parties). This DPA is not intended to, and does not in any way limit or derogate from Controller’s own obligations and liabilities towards the Processor under the Agreement, and/or pursuant to the GDPR or any law applicable to Controller, in connection with the collection, handling and use of Personal Data by Controller or its Affiliates or other processors or their sub-processors, including with respect to the transfer or provision or Controller Personal Data to Processor and/or providing access thereto to Processor.
12.3.1. Controller may by at least forty-five (45) calendar days’ prior written notice to Processor, request any variations to this DPA if they are required, as a result of any change in, or decision of a competent authority under any Applicable Laws, to allow Processing of those Controller Personal Data to be made (or continue to be made) without breach of that Applicable Law; and
12.3.2. If Controller gives notice with respect to its request to modify this DPA under Section 12.3.1, then:
220.127.116.11. Processor shall make commercially reasonable efforts to accommodate such modification request; and
18.104.22.168. Controller shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by Processor to protect the Processor against additional risks, or to indemnify and compensate Processor for any further steps and costs associated with the variations made herein.
12.3.3. If Controller gives notice under Section 12.3.1, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller’s notice as soon as is reasonably practicable. In the event that the Parties are unable to reach such an agreement within 30 days of Controller’s notice, then Controller or Processor may, by written notice to the other Party, with immediate effect, terminate the Agreement and this DPA to the extent that it relates to the Services which are affected by the proposed variations (or lack thereof).
Notwithstanding anything to the contrary in this DPA, generic and anonymous information or data, which is derived by Processor from the use of Processor’s programs or services (i.e., metadata, aggregated and/or analytics information) and/or which was fully anonymized by Processor, which is not personally identifiable information, which cannot identify the Controller or its users and which is not Personal Data (“Analytics Information”) may be used by Processor for providing its programs and services, for development, and/or for statistical purposes. Such Analytics Information shall be Processor’s exclusive property.
Should any provision of this DPA be deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall either be (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
This DPA shall automatically terminate upon the termination or expiration of the Agreement, under which the Services are provided.
This DPA may be amended at any time by a written instrument duly signed by both Parties.
12.9.1. This DPA shall only become legally binding between Controller and Processor when the steps set out below have been fully completed.
12.9.2. The Parties represent and warrant that they each have the power to enter into, execute, perform, and be bound by this DPA.
12.9.3. By approving this DPA, Controller enters into this DPA on behalf of itself and, to the extent required under Applicable Laws, in the name and on behalf of authorized Controller Affiliates, if and to the extent that Processor actually Processes Controller Personal Data, for which such authorized Controller Affiliates qualify as Controller, and to the extent that Processor was informed by Controller in advance and in writing of each such Controller Affiliates.
This Annex 1 to the Data Processing Addendum includes certain details of the Processing of Controller Personal Data, as required by Article 28(3) GDPR.
Controller Personal Data shall be Processed as necessary for the performance of the Services, in accordance with the Agreement and this DPA as agreed upon by Controller and Processor and for the duration thereof (subject to Section 9 of this DPA).
Controller’s Personal Data is Processed pursuant to and in the course of the Agreement and this DPA, for the purpose of providing Controller with the Services.
Epistema’s account data of the Controller, end-user data Processed on behalf of the Controller, as well as non-identifying technical data relating to both Controller or related third parties.
Controller’s personnel and other Data Subjects whose Personal Data is submitted by Controller to the Services for Processing by Processor.