This data processing agreement (the “DPA”) constitutes a binding agreement between xyzt.ai BV (the “Service Provider”), and the customer contracting entity to the Agreement (the “Customer”).
The Customer and the Service Provider may individually be referred to as a “Party” and jointly as “the Parties”.
PREAMBLE
Whereas the Parties entered into (whether through physical or electronic signature or click-through acceptance) a master agreement (covering a (trial) Software as a Service (SaaS)subscription) (“the Master Agreement”);
Whereas in the context of performing the Master Agreement, the Service Provider may process personal data on behalf of the Customer;
Whereas this DPA sets out the rights and obligations of the Parties in respect of such personal data processing by the Service Provider.
NOW THEREFORE, the Parties hereby agree as follows:
1. References in this DPA to “data controller”, “personal data”, “data processor”, “data subject” and “processing” (and “process “and “processes” shall be construed accordingly) shall have the meanings ascribed to them under applicable personal data protection legislation (which may include the General Data Protection Regulation (Regulation (EU) 2016/679) (as may be amended from time to time) (the “GDPR”)). This DPA shall constitute a data processing agreement for the purposes of the GDPR. Details of the processing activities pursuant to this DPA are set out in annexes to this DPA, or on a Service Provider designated webpage (“the Processing Details”).
2. To the extent that the Service Provider is deemed (pursuant to applicable data protection law) to process Customer personal data pursuant to the Master Agreement, the Parties acknowledge that the Customer will be the data controller, and the Service Provider the data processor, in relation to such personal data processing (or such equivalent terms as may be used under applicable personal data protection legislation) (each as defined in the applicable personal data protection legislation). Each Party shall comply with the obligations that apply to it under applicable data protection law. The Customer shall ensure that it is entitled to make the relevant personal data available to the Service Provider so that the Service Provider may lawfully process the personal data in accordance with the DPA on the Customer’s behalf, which may include the Service Provider processing such personal data outside the country where the Customer and the data subjects are located in order for the Service Provider to perform the Master Agreement.
3. In relation to such processing of Customer personal data hereunder, the Service Provider agrees that it shall:
(a) act only upon the Customer’s lawful reasonable instructions when processing Customer personal data, only process such data to the extent necessary to perform the Master Agreement, and not use such data for any other purpose.
(b) implement and maintain adequate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The Customer agrees that compliance with the measures set out in the Processing Details shall constitute such appropriate technical and organizational measures for the Service Provider to protect the Customer personal data under its control hereunder against unauthorized or unlawful processing, access or disclosure and against accidental loss, destruction of, or damage to, such data (a “Security Incident“), any Customer requested changes to such agreed measures to be agreed pursuant to the change management process agreed under the Master Agreement.
Within 36 hours of becoming aware of a Security Incident, the Service Provider shall inform the Customer thereof, and shall subsequently provide such information and cooperation as the Customer may reasonably require in order to remedy or mitigate the effects of the Security Incident.
(c) notify the Customer if it receives any complaint, request, notice or communication which relates to the processing of Customer personal data hereunder (including requests from data subjects exercising their rights as laid down in Chapter 3 of the GDPR), and the Service Provider shall provide reasonable co-operation and assistance to the Customer, as reasonably requested by the Customer, in order to assist the Customer with its compliance with its legal obligations under applicable data protection legislation (including under Chapter 3 and pursuant to Articles 32 to 36 of the GDPR), taking into account the nature of the processing and the information available to the Service Provider. The Customer shall reimburse the Service Provider for any time spent by the Service Provider personnel as part of any such cooperation and assistance, at the Service Provider’s then standard professional services rates, together with any out of pocket expenses reasonably incurred by the Service Provider.
(d) only disclose Customer personal data to a third party subject to the Customer’s prior written consent, such consent not to be unreasonably withheld.
(e) maintain a personal data record to allow the Service Provider to provide the Customer with the necessary information regarding its data processing activities hereunder; such personal data record shall be in a format of the Service Provider’s choice and shall contain at least the following information:
- Name and contact details of the Parties in their respective roles of processor and controller hereunder;
- Name and contact details of the Service Provider’s data protection officer (“DPO”) if one is required under the GDPR, or in the event the Service Provider has a DPO even though not legally required;
- The categories of personal data processed, and the types of processing carried out on behalf of the Customer pursuant to the Master Agreement;
- A general description of the technical and organisational security measures that are in place (as per clause 3 (b) above);
- Detail on any transfers of personal data to a country outside the EEA, including the identification of those third countries and reasonable documentation regarding the safeguards that are in place to ensure adequate personal data protection, except if the transfer were to be based on an adequacy decision.
4. The Service Provider may engage affiliates, its and its affiliates’ contractors, and third-party providers identified in the Processing Details (the “Sub-Processors”) as sub-processors under the DPA without having to obtain the Customer’s additional prior written consent, and the Service Provider shall (i) impose upon such Sub-Processors data protection obligations equivalent to those set out herein, and (ii) be responsible for the acts and omissions of its Sub-Processors under the DPA. The Service Provider shall inform the Customer of any intended changes concerning the addition or replacement of its Sub-Processors (making such information available on a Service Provider designated webpage shall suffice for this purpose). Unless the Customer objects to such changes in writing, setting out its reasonable concerns in detail, within four (4) weeks from such notice, the change shall be deemed accepted by the Customer. If the Customer objects, the Service Provider shall consult with the Customer, consider the Customer’s concerns in good faith and inform the Customer of any measures taken to address the Customer’s concerns. If the Customer upholds its objection and/or demands significant accommodation measures, and if either would result in a material increase in cost for the Service Provider to perform the DPA, the Service Provider shall be entitled to introduce or increase (the) fees under the Master Agreement or, at its option, terminate the Master Agreement. Where necessary to legalize the use of a Sub-Processor as processor, the Customer hereby authorizes the Service Provider to conclude the contractual clauses set out in EU Commission Decision C(2010)593 Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC (the “Standard Contractual Clauses”) with such processors on behalf of the Customer (as per Article 46 of the GDPR). Each such conclusion of Standard Contractual Clauses shall be considered a supplement to the DPA and shall be subject to the terms and conditions set out herein.
5. In case of processing of Customer personal data outside the European Economic Area, the Service Provider undertakes to enter into a suitable agreement with the Customer and/or any relevant third parties (including the above referenced Standard Contractual Clauses) and/or adopt any necessary measures in order to ensure an adequate level of protection for such data in accordance with applicable data protection legislation.
6. The Service Provider shall ensure that the Customer personal data is processed solely by reliable personnel who have committed to confidentiality undertakings or are under an appropriate statutory obligation of confidentiality.
7. Where the Service Provider is acting as a processor under the DPA, at the Customer’s reasonable written request and no more than once per DPA contract year unless required under applicable law, the Service Provider shall make available to the Customer such information as reasonably deemed necessary by the Service Provider to demonstrate the Service Provider’s compliance with its obligations hereunder (making such information available on a Service Provider designated web page shall suffice for this purpose). To this end, the Customer shall be entitled to have an independent, reputable third party (in any event excluding the Service Provider’s competitors as reasonably determined by the Service Provider) audit the Service Provider’s compliance with its obligations under the DPA, provided that any such audit shall be contingent on the following:
(i) such audit shall be limited to one per DPA contract year (unless additional audits are required under applicable law or at a regulator’s request (as documented by the Customer)), must be notified reasonably in advance (a minimum of thirty days, unless otherwise required under applicable law or a regulator request (as documented by the Customer)), and may only occur during the Service Provider’s normal business hours at the locations that are directly related to the performance of the Service Provider’s obligations hereunder; (ii) access shall be limited to two (2) participants from the Customer/third-party auditor; (iii) the audit shall be conducted at mutually agreeable times; (iv) the Service Provider personnel may, at the Service Provider’s option, supervise such audit; (v) such audit shall be conducted in a manner that is designed to minimize any adverse impact on the Service Provider’s normal business operations and its performance of the Master Agreement; (vi) Customer and the entity conducting the audit shall comply with all safety and security procedures of the Service Provider in conducting any such audit; (vii) Customer shall inform any third-party auditor of the obligations of confidentiality set forth in the Master Agreement and secure such person’s agreement to be bound by such provisions; (viii) any information accessed by the Customer or its third-party auditors in the performance of any such audit, including any resulting audit report, shall be deemed to be the Confidential Information (as defined under the Master Agreement) of the Service Provider; in no event shall the Service Provider be required to provide any access that could reasonably be expected to result in an impact to any other Service Provider client or in a disclosure of another Service Provider client’s information; In the event that the Service Provider agrees to provide, or is otherwise required (under applicable law or pursuant to a regulatory request), to provide access to multi-client environments, then the Customer shall ensure that any risks to or impact on another Service Provider client’s environment are avoided; (ix) any audit may only occur pursuant to a mutually agreed scope defined in writing by the Parties prior to the audit; (x) the Customer shall reimburse the Service Provider for any out of pocket costs reasonably incurred as part of any such audit, and shall reimburse the Service Provider for any time spent by the Service Provider personnel as part of any such audit, at the Service Provider’s then applicable professional services rates.
Alternatively, at the Service Provider’s option, the Service Provider may allow a reputable third-party auditor chosen by the Service Provider to perform audits on the Customer’s behalf (or on behalf of multiple Service Provider clients), and the Customer hereby authorizes the Service Provider to issue such mandate to the third-party auditor.
The above audit right only applies to the extent that it cannot be excluded under applicable personal data protection law.
8. Upon the Customer’s written request, the Service Provider shall delete the Customer personal data or, at the Customer’s discretion, return the Customer personal data (the modalities (including associated fees) to be agreed) to the Customer once such data is no longer required for the purposes of the Master Agreement, subject to the Service Provider retaining any copies as may be required by applicable law.
9. The Customer undertakes to comply with the principle of data minimization. The Customer acknowledges and agrees that it is the Parties’ intent to minimise personal data processing by the Service Provider in pursuance of proportionality and necessity principles and as such, the Customer acknowledges and agrees that it has a duty to limit access to/the provision of personal data to the Service Provider to what is necessary for the Service Provider to be able to perform its obligations pursuant to the Master Agreement, and to anonymise or apply pseudonymisation in respect of any personal data made accessible to the Service Provider. Such personal data as necessary for the purposes of the Service Provider performing the Master Agreement are reflected in the Processing Details. The Customer shall use reasonable efforts not to provide the Service Provider with personal data in excess of those set out in such Processing Details, and shall inform its relevant personnel in this respect so as to make them aware of and comply with such data minimisation principle. In the event the Customer materially fails to address the issue, resulting in continued repeated or consistent non-observance by the Customer of this data minimisation principle, this shall constitute a breach of the Master Agreement by the Customer.
10. The Customer warrants that it has sufficient rights and authorizations to make the personal data available to the Service Provider hereunder, and for granting the Service Provider the authorization to use such personal data as stated herein. The Customer shall indemnify the Service Provider in respect of any third-party claims against the Service Provider resulting from a breach of this warranty.
11. This DPA shall automatically terminate upon the termination of the Master Agreement.