Data Processing Addendum
This Data Processing Addendum (DPA) forms part of the Terms of Service but only applies if we process data on behalf of you where you are a Controller according to the EU General Data Protection Regulation (Regulation 2016/679) (the GDPR).
This version of the DPA became effective on 24 November 2020 for all customers agreeing to this DPA for the first time.
If you previously agreed to a version of the DPA before 24 November 2020 then we will have sent you a notice of the changes. By continuing to use our Services after 24 December 2020 you are accepting this updated DPA.
If you have a separate written agreement with us then the updates to the DPA will not apply to you.
Relationship between the parties
- You are a Controller: The parties have agreed that it is necessary for us to Process certain Personal Data on behalf of you who acts as a Controller in respect of such Personal Data.
- We are a Processor: The parties have agreed to enter into this DPA to address the compliance obligations imposed upon Customer pursuant to any Applicable Privacy Law. We are instructed by you to Process such Personal Data as is necessary to fulfil our contracts with you to deliver our Services.
Conditions of Processing
- Purposes: We will only Process Personal Data for the purposes described in our Terms of Service, Subscription Agreements and on any of your instructions.
- Deletion: We will delete Personal Data from the Platform when it is no longer required for these purposes.
- Sharing with 3rd parties: We will not transfer Personal Data to a 3rd party except to the extent that is provided for in this DPA.
- End User requests: We have in place and will keep in place appropriate processes and technical measures to ensure that requests by End Users exercising their privacy rights in respect of their Personal Data can be fulfilled. This includes but is not limited to requests for information, rights of correction and withdrawal of consent.
- Compliance: We will at all times comply with Applicable Privacy Law and will not perform our obligations in a way that would cause you to breach any of your obligations under Applicable Privacy Law.
- Cooperation: We will give you such cooperation, assistance and information as may be required to enable you to comply with your obligations under Applicable Privacy Law and comply with directions or decisions of a relevant Privacy Authority. This includes assistance in order to carry out a privacy impact assessment.
- Improper requests: Prior to commencing Processing, we will promptly inform you if we have received an instruction that, in our opinion, infringes any Applicable Privacy Law; or if we are subject to legal requirements that make it unlawful or otherwise impossible to act on your instructions.
- International transfers: We will not transfer the Data outside of the European Economic Area (EEA) unless we have taken steps necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include transferring the data to a recipient in a country that the European Commission has decided provides adequate protection for personal data (eg, New Zealand), or to a recipient in the United States that has executed standard contractual clauses adopted or approved by the European Commission.
- Security measures: We will maintain appropriate technical and organisational security measures to protect Personal Data against accidental or unlawful destruction, damage, alteration, unauthorised disclosure or access as described in our Security Measures.
- Employees: We will ensure the reliability of our personnel and ensure they have undergone appropriate training in the care, protection and handling of Personal Data.
- Use of Sub Processors: We utilise the services provided by 3rd parties to deliver Platform functionality and these services Process Personal Data (Sub Processors).
- Conditions: We will ensure that any Processing by Sub Processors is performed in such a way that is consistent with the conditions above and using data security measures no less onerous than described above.
- Changes of Sub Processors: The Sub Processors currently utilised by us and the nature of the Processing is described here. We may from time to time (a) change one Sub Processor for another to perform substantially the same Processing; or (b) introduce new Sub Processors, or change the nature of a Sub Processor’s Processing in order to support new Platform functionality. In these cases we will give you no less than 30 days notice.
- Objection to a Sub Processor: You may object to any change in Sub Processors by terminating your use of our Services. You may terminate your Subscription Agreement within 30 days of receiving notice of a change regardless of the remaining term of that Subscription Agreement. This termination right is your sole and exclusive remedy if you object to a change in Sub Processors.
Right to audit
- Right to audit: We will provide you access to systems, records, documents and agreements as reasonably required for you to verify our compliance with this DPA and compliance with our obligations under Applicable Privacy Law.
- Costs: If you exercise your right to audit you will pay for our time and materials required to support this audit at standard professional services rates.
- Notification: We will notify you as soon as possible, but no later than 48 hours after becoming aware of any accidental, unauthorised, or unlawful destruction, loss, alteration, or disclosure of, or access to, Personal Data or any other notifiable breach under Applicable Privacy Law (Security Breach).
- Investigate and contain: We will immediately investigate any Security Breach and identify, prevent and make best efforts to mitigate the effects.
Terms used in this document have the meaning given to them in our Terms of Service or have the meaning described below:
Applicable Privacy Law means the relevant data protection and privacy law, regulations and other regulatory requirements to which Customer is subject from time to time, and any guidance or statutory codes of practice issued by the relevant Privacy Authority/ies.
Controller means legal entity that determines the purpose for which and the manner in which personal data are or are to be processed.
Personal Data means any information relating to: (a) an identified or identifiable natural person; and (b) an identified or identifiable legal entity where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations.
Privacy Authority means the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of Customer.
Process, Processing or Processed means any operation or set of operations which is performed upon Personal Data whether or not by automatic means, including collecting, recording, organising, storing, adapting or altering, retrieving, consulting, using, disclosing, making available, aligning, combining, blocking, erasing and destroying Personal Data.
Processor means legal entity that provides products or services that involves the processing of personal data.