“Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
“Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.
“Agreed Liability Cap” means the maximum monetary or payment-based amount at which a Party’s liability is capped under the Agreement, either per annual period or event giving rise to liability, as applicable.
“Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions. For the avoidance of doubt, for the purpose of the Agreement and the DPA, Customer Data does not include data contained in files stored in Customer’s Third Party Service Provider Solution account(s) to which Supplier does not have access.
“Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.
“Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Effective Date” means the date on which Customer and Supplier agreed to this DPA, and is the Agreement Effective Date.
“EEA” means the European Economic Area.
“End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employees, agents or contractors.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland and/or other applicable European Union Member State domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by a competent court or Supervisory Authority, relating to the Processing of personal data and privacy.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Model Contract Clauses” or “MCCs” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission in Decision 2010/87/EU, as amended, replaced or superseded by any set of clauses approved by the European Commission. The Model Contract Clauses are enclosed as Appendix 4 and are part of this agreement when applicable.
“Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.
“Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.
“Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.
“Restricted Transfer” means (a) a transfer of the Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of the Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by European Data Protection Legislation in the absence of Model Contract Clauses or other legal instruments required by European Data Protection Legislation.
“Subprocessor(s)” means third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.
“Security Measures” has the meaning given in Section 13 (Supplier Security Measures).
“Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form, which may include AODocs and any update or replacement thereof and technical support provided by Supplier to Customer according to the terms of the Agreement. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.
“Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or is necessary to provide the Services performed by Supplier, that has either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.
The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
“Term” means the period from the Agreement Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.
“Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that has been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third-Party Service Provider Solutions may notably include Google, Microsoft and/or Facebook solutions or software.
“Terms Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
Appendix 1 - Data Processing Details
Subject Matter | Supplier’s provision of the Services and related technical support to Customer. |
Categories of Data Subjects (Categories of Data Subjects whose Personal Data will be Processed by Service Provider) | Personal Data submitted, stored, sent or received via the Services may concern the following categories of Data Subjects: End Users including Customer’s employees and contractors; the personnel of Customer’s own customers, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with End Users. |
Categories of data (Personal Data that will be Processed by Supplier) | Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services such as user IDs, email, textual information used in documents and document titles, description and other metadata, text and images to be displayed by the Service, audit log information, system log information and other data. |
Location of Processing Operations
Locations where the personal data will be Processed by Supplier |
Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated at:
|
Purposes (Purposes for which the Personal Data will be Processed by Supplier) | Supplier will process Customer Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services for the purposes of providing the Services and related technical support to Customer in accordance with the Data Processing Agreement. |
Duration of processing (The length of time for which Processing activities will be carried out by Supplier) | The applicable Term plus the period from expiry of such Term until deletion of all Customer Data by Supplier in accordance with the Data Processing Agreement. |
Appendix 2 - Security Measures
Appendix 3 - Subprocessors
Supplier uses the following Subprocessors for the performance of the Services:
Entity name | Corporate location |
Google Inc (data hosting) | USA |
SendGrid, Inc. (workflow automatic email notification) | USA |
Aliz Tech Kft (support) | Hungary |
Accusoft Corporation (integrated document viewer) | USA |
Appendix 4 - Model Contract Clauses
Model Contractual Clauses (processor) for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection
Supplier (the “Data Importer”) and Customer (the “Data Exporter”), each a “party”, together “the parties”, agree on the following Model Contractual Clauses (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the Data Exporter to the Data Importer of the personal data specified in the Clauses Schedule 1. The Clauses (including Schedules 1 and 2) are incorporated by reference into the Data Processing Agreement and are effective from the DPA Effective Date.
Clause 1 - Definitions
For the purposes of the Clauses:
Clause 2 - Details of the transfer
The details of the transfer and in particular the special categories of personal data where applicable are specified in Schedule 1 which forms an integral part of the Clauses.
Clause 3 - Third-party beneficiary clause
Clause 4 - Obligations of the Data Exporter
The Data Exporter agrees and warrants:
The Data Exporter acknowledges that its data will be hosted in the data centers of Google Inc. and/or one or more of its affiliated entities (collectively, “Google”) (and not by the Data Importer) and, as a consequence, that most of the technical and organisational security measures relating to the Data Importer's data (as notably referred to in paragraphs 4c., 4d., 4e. and 4h. above) will be provided by the applicable Google entity under its own liability. Accordingly, and notwithstanding any other provision in these Clauses, the Data Importer disclaims any and all responsibility in relation to any acts and/or omissions of Google, including notably (without limitation) for such Google technical and organisational security measures as listed for information purposes only and without any representation in Schedules 1 and 2.
Clause 5 - Obligations of the Data Importer
The Data Importer agrees and warrants:
Clause 6 - Liability
Clause 7 - Mediation and jurisdiction
Clause 8 - Cooperation with supervisory authorities
Clause 9 - Governing Law
The Clauses shall be governed by the law of the Member State in which the Data Exporter is established.
Clause 10 - Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not preclude the parties from adding clauses on business related issues where required as long as they do not contradict the Clause.
Clause 11 - Sub-Processing
Clause 12 - Obligation after the termination of personal data processing services
Schedule 1 to the Model Contractual Clauses
Data Exporter | The Data Exporter is the Customer legal entity that is a party to the Clauses. |
Data Importer | The Data Importer is the Supplier, a global provider of a variety of technology services for businesses. |
Categories of Data Subjects | The personal data transferred concern personal data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services and concerning the categories of Data Subjects listed in the DPA Appendix 1. |
Categories of Data | The personal data transferred is personal data that will be Processed by Supplier including data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services as listed in the DPA Appendix 1 |
Processing operations | The personal data transferred will be subject to the following basic processing activities:
|
Schedule 2 to the Model Contractual Clauses
Description of the technical and organisational security measures implemented by the Data Importer in accordance with Clauses 4(c) and 5(c):
The Data Importer currently abides by the security standards in this Schedule 2. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a material degradation in the security of the Service during the term of the Agreement.