Data Processing Addendum

This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Agreement (as defined in the applicable Statement of Work, Master Services Agreement, or other applicable agreement) entered into by Crosslake Technologies, LLC, a limited liability company organized and existing under the laws of Washington (“Provider”), and its Affiliates and Client, and sets out the additional terms, requirements, and conditions which shall apply to the processing of Personal Data by the parties when Services are performed under the Agreement. Capitalized terms used but not defined below will have the meanings set forth in the Agreement. References to “You” or “Your” herein shall be interpreted to mean the Client.

 

1.   Definitions and Interpretation

1.1

The Definitions and terms of the Agreement are deemed incorporated into this DPA, unless expressly stated otherwise, and the following definitions shall additionally or in replacement apply in this DPA.

  • “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach” and “Processing”: each have the meanings given to them in the Data Protection Legislation.
  • “Data Protection Legislation”: means all applicable laws and regulations in force from time to time relating to the processing, protection, or privacy of Personal Data, including but not limited to the UK GDPR, which has the meaning given to it in section 3(10) of the Data Protection Act 2018 (as supplemented by section 205(4)); the General Data Protection Regulation ((EU) 2016/679); the Privacy and Electronic Communications Regulations 2003 (SI 2003/2426) as amended; the California Consumer Privacy Act, as amended; and all other legislation and regulatory requirements in force from time to time which apply to a party relating to the use of personal data.
  • “Data Subject Request”: a request from a Data Subject to exercise the Data Subject’s rights under the Data Protection Legislation, including requests for access to Personal Data, rectification or erasure of Personal Data, the right to object, the right to human intervention, restriction of processing of Personal Data, and portability of Personal Data.
  • “EEA”: European Economic Area (currently the EU member states plus Iceland, Liechtenstein and Norway).
  • “Regulator”: a regulatory or supervisory authority of competent jurisdiction from time to time with authority under Data Protection Legislation over the processing of Personal Data.
  • “Standard Contractual Clauses (SCC)” or “International Data Transfer Agreement (IDTA)”: standard contractual clauses (for transfers from the EEA) or the international data transfer agreement (for transfers from the UK) for the international transfer of Personal Data from the UK or EEA to countries outside of the UK or EEA that do not benefit from an adequacy decision by the European Commission (or, for the UK, adequacy regulations).
1.2

References to clauses herein are to the clauses of this DPA.

1.3

The Schedule forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Schedule.

1.4

A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision.

1.5

Any words following the terms “including,” “include,” or any similar phrase shall be construed as illustrative and shall not limit the generality of the related words.

1.6

A reference to writing or written shall include email.

 

2. General

2.1

The parties acknowledge and agree that this DPA forms part of the Agreement between Provider and You relating to the provision of the Services and sets out the parties’ obligations in respect of the processing of personal data under the Agreement.

2.2

In the event of any conflict or ambiguity between:

  • (a) any provision contained in the body of this DPA and any provision contained in the Schedule, the provision in the body of this DPA will prevail;
  • (b) any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and
  • (c) any of the provisions of this DPA and any executed SCCs or IDTA, the provisions of the executed SCCs or IDTA will prevail.

 

3.   Personal Data Types and Processing Purposes

3.1

If and to the extent that Provider is considered to be acting as a Processor of any Personal Data on Your behalf, Provider shall process such Personal Data for the sole purpose of providing the Services in accordance with this DPA. Further detail on the Personal Data categories, types of Data Subjects and the purpose for which Provider may Process the Personal Data in order to provide the Services are set out in the Schedule to this DPA.

3.2

In respect of Personal Data which Provider processes as a sole Controller in connection with the provision of the Services, except where this DPA refers generally to Personal Data, the provisions of this DPA will not apply to such Processing, but Provider will undertake such Processing in accordance with its legal obligations to Data Subjects under the Data Protection Legislation.

3.3

Both parties shall comply with their respective obligations under the Data Protection Legislation in respect of Personal Data processed in connection with the Agreement.

 

4.  Data Processing Obligations

YOUR OBLIGATIONS
4.1 

In respect of any Personal Data for which You are the Controller, it shall be Your responsibility to ensure that You are entitled to, and have a lawful basis to, process and to authorise Provider to process such Personal Data in the manner envisaged by this DPA (including providing any required notices and obtaining any required consents, and for the processing instructions You give to Provider). You consent to Provider processing the Personal Data in the manner envisaged by this DPA for the purposes of performing the Agreement. If at any time You have reason to believe that the processing of Personal Data under this DPA is in breach of the Data Protection Legislation, You shall immediately notify Provider, together with an explanation of the concern.

4.2

You shall ensure at all times that Your instructions to Provider for the processing of Personal Data under this DPA comply with Data Protection Legislation and that compliance with such instructions would not cause Provider to breach the Data Protection Legislation. You acknowledge that the Provider is under no duty to investigate the completeness, accuracy, or sufficiency of any specific instructions from You or the Personal Data other than as required under the Data Protection Legislation.

4.3

You shall be responsible for compliance with Article 22 GDPR “Automated individual decision-making, including profiling” or, as the case may be, Section 14 of the UK Data Protection Act 2018, as a result of the way in which You decide to make use of the Services. This includes providing for human intervention following a Data Subject Request.

4.4

You shall be responsible for carefully reviewing the Provider policies and statements, as amended from time to time, and for assessing whether such measures are appropriate to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. You can request the latest versions of Provider’s policies and statements at any time by emailing [email protected].

4.5

You shall provide an email address to which Provider shall transfer Data Subject Requests.

4.6

You shall provide an email and telephone number for notification of data breach incidents.

4.7

You shall consult Provider beforehand on the content of any data breach notification made to Regulators that mentions Provider and provide a copy of the notification once it has been submitted.

4.8

You shall be responsible for the provision of fair processing information to relevant Data Subjects and for obtaining any consents that may be required (in each case to the extent necessary in order to comply with the Data Protection Legislation) from that Data Subject. You shall ensure that such fair processing notices are accurate and complete, and that any consents are sufficient in order for Provider to lawfully process the Personal Data in the manner set out in this DPA.

4.9

Given that Provider has no direct contact with the Data Subjects, You shall be responsible (i) for informing Data Subjects that data collected is also processed by Provider as either a Processor or a Sub-Processor, as applicable; (ii) for providing a link to Provider’s privacy policy; and (iii) for notifying Provider without delay if You become aware of any Data Subject Request that is wholly or partly intended for Provider.

4.10

You shall be responsible for monitoring compliance of Provider with the terms and conditions of this DPA.

4.11

You shall be responsible for ensuring all of Your own privacy policies, data protection policies, security statements and any and all such other applicable policies or statements relating to the safeguarding of Personal Data are up to date and where applicable declare Provider as a Processor or sub-Processor of Personal Data, as the case may be.

4.12

To the extent that You transfer Personal Data to Crosslake or a Crosslake Affiliate located in a country without an E.U. Commission adequacy decision, You will enter into SCCs or an IDTA (as applicable) with Crosslake with respect to such transfer.

PROVIDER’S OBLIGATIONS
4.13

If and to the extent that Provider processes Personal Data as a Processor on Your behalf, Provider shall in respect of such Personal Data:

  • (a) only Process the Personal Data on Your behalf where and to the extent necessary to perform Provider’s obligations under the Agreement and applicable law, and only in accordance with the terms of this DPA, and the documented reasonable instructions You may issue from time to time (provided that such instructions are within the scope of Provider’s obligations under this DPA), unless otherwise required by law, regulation, court of competent jurisdiction or any other governmental or regulatory body. The Provider will promptly notify You if, in its opinion, Your instructions would not comply with the Data Protection Legislation;
  • (b) implement appropriate technical and organizational measures, taking into account the nature and purposes of the processing and being appropriate to the nature of Personal Data to be protected, to protect the Personal Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, unavailability, or damage. Provider’s security measures are described further in the Schedule to this DPA;
  • (c) ensure that personnel who have access to and/or process the Personal Data are obliged to keep the Personal Data confidential;
  • (d) not transfer the Personal Data to another country unless the transfer complies with the Data Protection Legislation. The Schedule lists the countries where the Provider may receive, access, transfer, or store Personal Data;
  • (e) notify You if Provider becomes aware of any Data Subject Request to exercise any rights an individual may have relating to the Personal Data and to the extent that You, in Your use of the Services, do not have the ability to address the Data Subject Request, Provider shall upon Your request provide commercially reasonable efforts to assist You in responding to such Data Subject Request;
  • (f) provide commercially reasonable assistance to You in ensuring compliance with Your obligations under the Data Protection Legislation, taking into account the nature of the Provider’s processing and the information available to the Provider, including with respect to consultations with supervisory authorities or regulators or carrying out a data protection impact assessment;
  • (g) inform You within 48 hours if it becomes aware of any Personal Data Breach or any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to such Personal Data transmitted, stored or otherwise processed by Provider. Following any such notification, the parties will co-ordinate with each other to investigate the matter. The Provider will reasonably co-operate with the Client in the Client’s handling of the matter, including assisting with any investigation and making available all relevant records, logs, files, data reporting, and other materials required to comply with all Data Protection Legislation or as otherwise reasonably required by the Client;
  • (h) maintain records and information regarding Provider’s processing activities in respect of the Personal Data to demonstrate Provider’s compliance with this DPA and any applicable Data Protection Legislation requirements;
  • (i) conduct audits of its Personal Data processing practices and the information technology and information security controls for the facilities and systems used in complying with its obligations under this DPA. Upon the Client’s written request, Provider will make all of the relevant audit reports available to the Client for review. The Client will treat such reports as the Provider’s confidential information under the Agreement;
  • (j) allow for audits by You or Your designated auditor of Provider’s procedures relevant to the processing of the Personal Data, provided that in the case of any audit, You shall:
    • (i) comply with any reasonable requirements or security restrictions that Provider may impose to safeguard Provider’s systems, Personal Data Provider holds as a Controller and/or on behalf of other customers and clients and Provider’s own confidential or commercially sensitive information and to avoid unreasonable disruption to Provider’s business and operations;
    • (ii) reimburse Provider for any time expended by Provider in respect of any such audit, at Provider’s then current professional services rates, which shall be made available to You upon request, which costs shall be reasonable, taking into account the resources expended by Provider; and
    • (iii) before the commencement of any audit, the parties shall mutually agree on the scope, timing, and duration of the audit.
  • (k) on termination or expiry of the Agreement, or at any other time at Your request, return or permanently erase (at Your election) all copies of Personal Data received and/or processed by it under the Agreement, unless any applicable law requires retention of the Personal Data.
4.14

For the avoidance of doubt, the provisions of Clause 4.13 do not apply to Personal Data Processed by Provider as a Controller.

4.15

Provider will limit Personal Data access to:

  • (a) Those of its employees who require Personal Data access to meet the Provider’s obligations under this DPA and the Agreement; and
  • (b) the part or parts of the Personal Data that those employees strictly require for the performance of their duties.
4.16

Provider will ensure that all of its employees:

  • (a) are informed of the confidential nature of the Personal Data and are bound by written confidentiality obligations and use restrictions in respect of the Personal Data;
  • (b) have undertaken training on the Data Protection Legislation and how it relates to their handling of the Personal Data and how it applies to their particular duties; and
  • (c) are aware both of Provider’s duties and their personal duties and obligations under the Data Protection Legislation and this Agreement.
4.17

Provider will take reasonable steps to ensure the reliability, integrity, and trustworthiness of all of the Provider’s employees with access to the Personal Data.

 

5.   Sub-processors

5.1

In respect of Personal Data which is processed by Provider on Your behalf, You hereby consent to Provider appointing the Processors set out in the Schedule as Sub-Processors of the Personal Data under this DPA.

5.2

Provider shall have in place a written contract with such Sub-Processors in respect of such Processing of Personal Data that contains terms substantially similar to those set out in this DPA.

5.3

To the extent that any Sub-Processors are involved in the Processing of such Personal Data, Provider shall inform You of any intended changes or replacements to any such Sub-Processors or of any additional Sub-Processors (name of Sub-Processor, type of Processing activity and location). Within a period of 30 days of the date of notification of such changes, You may object to any such changes on reasonable grounds, in which event either party shall have the right to terminate the Agreement on giving the other party 30 days’ written notice, without liability to the other party. If You have not objected to any such changes within a period of 30 days of the date of the notification of the changes, You shall be deemed to have accepted such changes.

5.4

Where such Sub-Processors are providing the Services in countries that do not benefit from an adequacy decision by the European Commission, Provider shall provide this information and implement appropriate safeguards as required by Data Protection Legislation. This may be by way of standard contractual clauses or other means.

 

6.   Liability

6.1

Each party’s liability under this DPA shall be subject to the exclusions and limitations of liability in the Agreement.

 

7.   Change of Law

7.1

If there are any changes and/or updates to any Applicable Law (including Data Protection Legislation) or codes of practice issued by the Information Commissioner’s Office which require or make it desirable for any amendments to be made to this DPA (as determined by Provider), Provider shall be entitled to vary this DPA and shall provide notice of any changes in writing to You.

 

8.   Term & Termination

8.1

This DPA will remain in full force and effect so long as:

  • (a) the Agreement remains in effect; or
  • (b) Provider retains any Personal Data related to the provision of the Services under the Agreement in its possession or control (“Term”).
8.2

Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Personal Data will remain in full force and effect.

8.3

If any change in any Data Protection Legislation or in either party’s circumstances prevents a party from fulfilling all or part of its obligations, the parties will suspend the processing of Personal Data until the party’s processing complies with the requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, either party may terminate the Agreement upon written notice to the other party.

 

9.   Miscellaneous

9.1

This DPA and the Agreement (and any documents incorporated therein) constitute the entire agreement and understanding of the parties in relation to the subject matter of this DPA and the Agreement and supersede any previous agreement between the parties relating to such subject matter; and shall apply to the exclusion of and prevail over any express terms contained in any standard documentation of either party (including but not limited to any of Your standard terms and conditions). The parties acknowledge that they have not entered into this DPA in reliance upon any statement, representation, assurance or warranty which is not set out in this DPA.

9.2

Subject to Clause 7 (Change of Law), any variation or amendment to this DPA will not be binding on the parties unless set out in writing, expressed to amend this DPA and signed by an authorised representative of each party.

9.3

Each of the parties to this DPA is an independent contractor and nothing contained in this DPA shall be construed to imply that there is any relationship between the parties of partnership or of principal/agent or of employer/employee nor are the parties hereby engaging in a joint venture and accordingly neither of the parties shall have any right or authority to act on behalf of the other nor to bind the other by contract or otherwise, unless expressly permitted by the terms of this DPA.

9.4

No failure or delay by a party to exercise any right or remedy provided under this DPA or by law shall constitute a waiver or abandonment of that or any other right or remedy, nor shall it prevent or restrict the further exercise of that or any other right or remedy. No single or partial exercise of any right or remedy shall prevent or restrict the further exercise of that or any other right or remedy.

9.5

Any notice given to a party under or in connection with this DPA shall be done so in accordance with the provisions for notices in the Agreement.

 

10.   Governing Law & Venue

10.1

This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in accordance with the provisions for governing law and venue in the Agreement.

Schedule

Purpose of the processing of Personal Data by Provider on Your behalf

Provider uses such information for the purpose of providing services to its clients as specified by the Agreement.

 

Types of personal data to be processed and categories of data subject

Depending on the Services that the Client has purchased, Provider may be in receipt of Your employee contact information, including but not limited to name, job title, phone number and email.

 

Processing duration

Provider shall determine the period for which such personal data is processed.

To the extent that Provider processes personal data on Your behalf, Provider shall only process the personal data for as long as is required for the performance of the Agreement or as required under applicable law. Following termination of the Agreement, Provider shall cease processing and delete the personal data, save to the extent: (a) required by applicable law; (b) as a result of Provider’s automatic archiving and backup procedures; and/or (c) to comply with bona fide internal compliance and audit policies and procedures, and in such case, Provider will continue to protect such personal data in accordance with the terms of this DPA until such time that it can reasonably return or securely dispose of such personal data.

 

Retention of the data for which Provider is a controller

For the avoidance of doubt, this obligation shall not apply to personal data which Provider processes as a controller in the provision of the Services.

 

Processors and Sub-Processors

  • Amazon Web Services: hosting. Processing locations: Ireland and USA. Nature of safeguard in case of transfer of data outside the EEA: adequacy decision; SCCs. 
  • Auctor: video conferencing summarization. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Bridgetown Research: research platform. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Cognito Forms: form creation. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Crosslake Technologies: as set out in the DPA. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: IDTA.
  • Datto: backup solution. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Demand Tools: CRM data quality tool. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Docusign: eSignature. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Easy Retro: sprint retrospective collaboration. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • eTrigue: lead management. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Fathom: video conferencing summarization. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Figma: prototyping / UX design. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • GLG: research platform. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Grammarly: writing assistance. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs.  
  • Inex One: research platform. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Jira (Atlassian): service desk software. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs.
  • LucidChart: diagram / chart creation. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Medallia Agile Research: client satisfaction surveys. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Merge: data integration. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Miro: visual collaboration. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Monday: project management and productivity; team management. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Moqups: prototyping / UX design. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • MS Office 365: Outlook email and calendar, document storage using OneDrive and SharePoint and reporting in Power BI. Processing locations: UK and USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Netsuite (Oracle): accounting and billing. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • OpenAI: data analysis. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Roadmunk: roadmapping. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Salesforce: CRM. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Scout APM: application monitoring. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Sentry: application monitoring. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Slack: messaging. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Smartsheet: project management. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Twilio: two-factor authentication. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Zapier: automation workflows. Processing locations: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 
  • Zoom: video conferencing. Processing location: USA. Nature of safeguard in case of transfer of data outside the EEA: SCCs. 

Provider may update the list of its Sub-Processors from time to time and will notify You as provided in Clause 5.3 of the DPA.

 

Security Measures

  • Password protection
  • Access controls
  • Data back up and destruction with accompanying policies
  • Multi-factor authentication
  • Firewalls and anti-phishing layers
  • Physical security at Provider premises
  • Data segregation

 

Location of Processing

UK, USA and Ireland