Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of and is incorporated in the Software License and Services Agreement (“Agreement”) in effect between Cellcontrol, Inc. d/b/a TRUCE Software (“TRUCE”) and the customer identified in the Agreement as the “Licensee” (“Customer”).
In the course of TRUCE providing the Services as defined in and pursuant to the Agreement, TRUCE or its Sub-processors may process Personal Data (as both such terms are defined herein) on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
This DPA is subject to the terms of the Agreement, and in the event of and to the extent of conflict between the DPA and the Agreement, the DPA shall prevail over the Agreement. The parties agree that they shall be bound by the terms of the Standard Contractual Clauses and by any Exhibits attached hereto, as applicable.
1. DEFINITIONS. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1.1. “Affiliate” means all entities, now or hereafter, controlling, controlled by, or under common control with, TRUCE. For the purpose of this definition, “control” or “controlled” means direct or indirect ownership of fifty percent (50%) or more of the shares of stock entitled to vote for the election of directors in the case of a corporation or fifty percent (50%) or more of the equity interest in the case of any other type of legal entity; status as a general partner in any partnership; or any other arrangement whereby the entity or person controls or has the right to control the board of directors or equivalent governing body of a corporation or other entity or the ability to cause the direction of the management or policies of a corporation or other entity.
1.2. “Customer Data” means data provided by or on behalf of Customer or Customer’s End Users via the Services under the Agreement.
1.3. “Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
1.4. “Data Protection Laws” means all applicable laws and regulations, including the GDPR, relating to data privacy and security.
1.5. “EEA” means the European Economic Area.
1.6. “End Users” means the end users (employees and other personnel) of a Customer.
1.7. “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
1.8. “Personal Data” means any information relating to an identified or identifiable natural person who is a resident or citizen of a country or region in the EEA.
1.9. “Processing” or “Processes” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.10. “Processor” means an entity that processes Personal Data on behalf of a Data Controller.
1.11. “SCC” or “Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission for transfers of Personal Data under the GDPR.
1.12. “Services” means the services set forth in the Agreement and any amendments or additions made thereto during the term of the Agreement.
1.13. “Sub-processor” means any Processor engaged by TRUCE or by any other Sub-processor of TRUCE who agrees to receive from TRUCE or from any other Sub-processor of TRUCE Personal Data exclusively intended for processing activities to be carried out on behalf of the data exporter (as defined under the GDPR) after the transfer in accordance with the data exporter’s instructions and the terms of the SCC.
2. SCOPE AND APPLICABILITY OF THIS DPA. This DPA applies where and only to the extent that TRUCE processes Personal Data that originates from the EEA and/or that is otherwise subject to the GDPR on behalf of Customer, as a Processor (or, where Customer is itself a Processor, as a Sub-processor), in the course of providing Services pursuant to the Agreement.
2.1. Details of the Processing.
A. Subject Matter. The subject matter of the Processing of Personal Data by TRUCE is set forth in the Agreement.
B. Duration of Processing. Processing shall be for the term specified in the Agreement plus the period from the expiration or termination of the Agreement until deletion of all Customer Data by TRUCE in accordance with the terms of the Agreement and this DPA.
C. Nature and Purpose of the Processing. The nature and purpose of the Processing is to provide the Services set forth in the Agreement.
D. Types of Personal Data Processed. The types of Personal Data Processed under this DPA (including any special categories of Personal Data) are: name, address, email address, mobile and other phone numbers and identification, mobile device operating system information, IP address(es) (mobile device, computer, etc.), mobile device geolocation, technology identifiers, job title, employee ID, browser type and version, website pages visited, date and time of website visits, cookies, beacons, and tags.
E. Categories of Data Subjects. The categories of Data Subjects whose Personal Data is Processed under this DPA include: Customer’s employees and contractors, and website visitors.
2.2. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Data Controller and TRUCE is the Processor of Customer Personal Data, notwithstanding any direct collection of Personal Data by TRUCE as part of the Services. Each party will comply with the obligations applicable to it under the GDPR with respect to the Processing of Customer Personal Data.
2.3. Authorization by Third Party Controller. If the GDPR applies to the Processing of Personal Data and Customer is a Processor, Customer represents, warrants, and covenants to TRUCE that Customer’s instructions and actions with respect to Customer Personal Data, including Customer’s appointment of TRUCE as an additional Processor, have been and during the term of the Agreement shall be authorized by the relevant third-party Data Controller.
3. DATA PROCESSING.
3.1. Customer’s Collection of Personal Data. Customer shall, in its use of the Services, collect Personal Data in accordance with the requirements of all applicable Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the processing of Personal Data shall comply with Data Protection Laws and TRUCE shall not be obliged to comply with any instructions of Customer that would be reasonably likely to result in TRUCE violating any Data Protection Law. Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data.
3.2. Certification by Customer. Customer certifies that it has, after providing proper notice, obtained the written consent, affirmative opt-in, and/or other written authorization from applicable individuals in the EEA or has another legitimate, legal basis for collecting and processing Personal Data including making this Personal Data accessible to TRUCE and also for onward transfer of Customer Personal Data.
3.3. Processing of Personal Data. TRUCE shall treat Personal Data as Confidential Information and shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Addenda; (ii) Processing initiated by End Users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement. This DPA and the Agreement are Customer’s complete instructions to TRUCE for the processing of Personal Data related to the Services. Any alternative or additional instructions may only be given by written amendment to this DPA sent to the address identified in the Agreement. TRUCE will receive notice of any alternative or additional instructions as applicable. Customer will have the exclusive authority to determine the purpose for and means of processing Personal Data. TRUCE will comply with the GDPR, in the event of and to the extent such laws apply to TRUCE in its role as a Processor.
3.4. Data Protection Impact Assessment. Upon Customer’s request, but no more frequently than once annually, TRUCE shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment (as defined under the GDPR) related to Customer’s use of the Services.
4. RIGHTS OF DATA SUBJECTS.
4.1. Data Subject Request. TRUCE shall, to the extent legally permitted, promptly notify Customer if TRUCE receives a request from an individual whose data is subject to the GDPR (“Data Subject”) to exercise the Data Subject’s rights of access, rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, objection to the Processing, or right not to be subject to an automated individual decision-making process (each of the foregoing referred to as a “Data Subject Request”).
4.2. Taking into account the nature of the Processing, TRUCE shall assist Customer by appropriate technical and organizational measures, insofar as this is reasonably possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, TRUCE shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent TRUCE is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent permitted under the GDPR, Customer shall be responsible for and promptly reimburse TRUCE (upon receipt of TRUCE’s invoice) for any costs (including TRUCE’s internal time or that of its contractors) arising from TRUCE’s provision of such assistance.
5. RETURN OR DELETION OF DATA. Upon termination or expiration of the Agreement and written request of Customer, TRUCE shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, provided that this requirement shall not apply to the extent TRUCE is required by applicable law to retain some or all of the Customer Data, or to Customer Data TRUCE has archived on back-up systems, which Customer Data TRUCE shall securely isolate and protect from any further Processing, except to the extent required by applicable law. All Customer Data retained by TRUCE after such termination or expiration of the Agreement will be maintained as confidential.
7. SUB-PROCESSORS.
7.1. Appointment of Authorized Sub-processors. Customer acknowledges and agrees that TRUCE may engage third-party Sub-processors to process Customer Data.
7.2. Sub-processor Obligations. When engaging any Sub-processor, TRUCE will ensure via a written agreement that:
A. the Sub-processor only accesses and uses Personal Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the Agreement (including this DPA);
B. if and to the extent the GDPR applies to the processing of Personal Data, the data protection obligations set out in Article 28(3) of the GDPR (Processor’s obligations) are imposed on the Sub-processor; and
C. TRUCE will remain responsible for any acts or omissions of its Sub-processors related to this DPA.
The written agreement with each Sub-processor shall contain data protection obligations not less protective than those in this DPA with respect to the protection of Customer Data to the extent applicable to the nature of the Services provided by such Sub-processor.
7.3. List of Current Sub-processors and Approval of New Sub-processors. Upon Customer’s request, TRUCE shall make available to Customer the then-current list of Sub-processors for the Services identified in the Agreement.
7.4. Liability. TRUCE shall be liable for the acts and omissions of its Sub-processors to the same extent TRUCE would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
8. SECURITY MEASURES.
8.1. Security Measures. TRUCE will implement and maintain technical and organizational measures designed to protect Customer Data held by TRUCE against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access in accordance with TRUCE’s security standards, including, as appropriate, the measures required pursuant to Article 32 of the GDPR. Such security measures include measures (a) to encrypt Personal Data; (b) to help ensure the ongoing confidentiality, integrity, availability, and resilience of TRUCE’s systems and Services; (c) to help restore timely access to Personal Data following a security incident; and (d) for regularly testing the effectiveness of such measures.
8.2. Confidentiality of Personnel. TRUCE shall ensure that any TRUCE personnel who are authorized by TRUCE to process Customer Data (including its staff, agents and subcontractors) shall be under appropriate obligations of confidentiality. TRUCE shall ensure that TRUCE’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement. TRUCE shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities.
8.3. Customer’s Audit Rights. If the GDPR applies to the processing of Personal Data, TRUCE will allow Customer or an independent auditor appointed by Customer or TRUCE to conduct an audit no more than once annually (provided that inspections may be more frequent if specifically requested and required by a European data protection authority) with reasonable advance written notice and during normal business hours to verify TRUCE’s compliance with its obligations under this DPA, provided that such audit will be done in a manner that minimizes disruption to TRUCE’s business operations. Customer may also conduct an audit no more than once annually to verify TRUCE’s compliance with its obligations under this DPA by reviewing TRUCE’s documentation outlining TRUCE’s security measures.
9. SECURITY INCIDENT MANAGEMENT. TRUCE shall maintain security incident management policies and procedures as required by GDPR.
9.1. Security Incident Response. Upon becoming aware of and verifying the occurrence of a security incident involving or believed to involve Customer Personal Data, TRUCE shall notify Customer without undue delay and shall periodically provide information relating to the security incident as it becomes known or as is reasonably requested by Customer.
TRUCE shall make reasonable efforts to identify the cause of such security incident and take those steps as TRUCE deems necessary and reasonable in order to remediate the cause of such security incident to the extent the remediation is within TRUCE’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or its service providers other than those covered by this DPA.
9.2. No Acknowledgement of Fault by TRUCE. TRUCE’s notification of or response to a security incident under this Section will not be construed as an acknowledgement or admission by TRUCE of any fault or liability with respect to the security incident.
9.3. Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its and its End Users’ account authentication credentials, protecting the security of Customer Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
10. INTERNATIONAL TRANSFERS.
10.1. Data Center Locations. TRUCE may store, transfer, and/or Process Customer Data anywhere in the world where TRUCE, its Affiliates or its Sub-processors or service providers maintain data processing operations. TRUCE shall at all times provide an adequate level of protection for the Customer Data Processed, in accordance with the requirements of Data Protection Laws.
11. TERM.
11.1. This DPA shall terminate automatically upon termination or expiration of the Agreement.
[END OF DATA PROCESSING ADDENDUM]