APP4U DATA PROCESSING AGREEMENT
Last Revised: MAY 2019
THIS DATA PROCESSING AGREEMENT (“DPA”) BETWEEN THE APP4U LEGAL ENTITY SIGNING AN ORDER FORM AND ITS AFFILIATES (COLLECTIVELY, “APP4U”, “COMPANY”, “WE”, “US” or “PROCESSOR”) AND THE INDIVIDUAL OR LEGAL ENTITY LICENSING THE SERVICES UNDER AN APPLICABLE ORDER FORM AND/OR APP4U’S MASTER SAAS AGREEMENT (MSA) (“CUSTOMER”, “YOU” OR “CONTROLLER”) AND TOGETHER WITH APP4U, THE “PARTIES”) GOVERNS CUSTOMER’S ACCESS AND USE OF THE SERVICES.
BY ACCEPTING THIS DPA WHILE EXECUTING AN ORDER FORM AND/OR MSA THAT REFERENCES THIS DPA, CUSTOMER AGREES TO THE TERMS OF THIS DPA. IF YOU ARE ENTERING INTO THIS DPA ON BEHALF OF A COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE AUTHORITY TO BIND SUCH ENTITY AND ITS AFFILIATES TO THESE TERMS AND CONDITIONS, IN WHICH CASE THE TERMS “CUSTOMER” “YOU” OR “YOUR” SHALL REFER TO SUCH ENTITY AND ITS AFFILIATES. IF YOU DO NOT HAVE SUCH AUTHORITY, OR IF YOU DO NOT AGREE WITH THESE TERMS AND CONDITIONS, YOU MUST NOT ACCEPT THIS DPA AND SHALL NOT BE PERMITTED TO USE THE SERVICES.
BY ACCEPTING THIS TERMS OF THIS DPA YOU REPRESENT AND WARRANT THAT ANY AND ALL INFORMATION YOU PROVIDE US THROUGH THE SERVICES IS TRUE, ACCURATE AND COMPLETE. THE PROVISION OF FALSE OR FRAUDULENT INFORMATION IS STRICTLY PROHIBITED.
Capitalized terms not otherwise defined herein shall have the meaning given to them in the Order Form and/or the MSA.
1 – Definitions
In addition to capitalized terms defined elsewhere in this DPA, the following terms shall have the meanings set forth opposite each one of them:
1.1 “Applicable Laws” means (a) European Union or Member State laws with respect to any Controller Personal Data in respect of which Controller is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Controller Personal Data in respect of which any Controller Group Member is subject to any other Data Protection Laws;
1.2 “Controller Personal Data” means any Personal Data Processed by Processor on behalf of Controller pursuant to or in connection with the MSA;
1.3 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other applicable country;
1.4 “EEA” means the European Economic Area;
1.5 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.6 “GDPR” means EU General Data Protection Regulation 2016/679;
1.7 “Restricted Transfer” means (i) a transfer of Controller Personal Data from Controller to Processor; or (ii) an onward transfer of Controller Personal Data from a Processor to a Subprocessor, or between two establishments of Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws) in the absence of the Standard Contractual Clauses to be established under Section 11 below;
1.8 “Standard Contractual Clauses” means the contractual clauses for the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection;
1.9 “Subprocessor” means any person (including any third party and any Processor Affiliate, but excluding an employee of Processor or any of its sub-contractors) appointed by or on deleten with the Principal Agreement; and
1.10 The terms, “Commission“, “Controller“, “Data Subject“, “Member State“, “Personal Data“, “Personal Data Breach“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR.
2 – Processing of Controller Personal Data
2.1 Processor shall (i) comply with all applicable Data Protection Laws in the Processing of Controller Personal Data; and (ii) not Process Controller Personal Data other than on the Controller’s documented instructions unless Processing is required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform the Controller of that legal requirement before the relevant Processing of that Personal Data.
2.2 Controller instructs Processor (and authorizes Processor to instruct each Subprocessor) to (i) Process Controller Personal Data; and (ii) in particular, transfer Controller Personal Data to any country or territory, all as reasonably necessary for the provision of the Services and consistent with the MSA.
2.3 Furthermore, Controller warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instruction set out in Section 2.2 on behalf of each relevant Controller Affiliate.
2.4 Controller sets forth the details of the Processing of Controller Personal Data, as required by article 28(3) of the GDPR in Annex 1 (Details of Processing of Controller Personal Data), attached hereto. Controller may, from time to time, make reasonable amendments to Annex 1 by prior written notice to Processor as Controller, in its reasonable discretion, considers necessary to meet any legal requirements.
3 – Process or Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of the Processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know/access the relevant Controller Personal Data, as strictly necessary for the purposes of the MSA, and to comply with Applicable Laws in the context of that individual’s duties to the Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4 – Security
Processor shall in relation to the Controller Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5 – Subprocessing
5.1 Controller authorizes Processor and each Processor Affiliate to appoint (and permit each Subprocessor appointed in accordance with this Section 5 to appoint) Subprocessors in accordance with this Section 5 and any restrictions in the MSA.
5.2 Processor and each Processor Affiliate may continue to use those Subprocessors already engaged by Processor or any Processor Affiliate as at the date of this Exhibit, subject to Processor and each Processor Affiliate in each case as soon as practicable meeting the obligations set out in Section 5.4.
5.3 Processor shall give Controller prior written notice of the appointment of any new Subprocessor, including relevant details of the Processing to be undertaken by the Subprocessor. If, within seven (7) days of receipt of that notice, Controller notifies Processor in writing of any objections (on reasonable grounds) to the proposed appointment:
- Controller shall not appoint (or disclose any Controller Personal Data to) that proposed Subprocessor until reasonable steps have been taken to address the objections raised by Controller and Controller has been provided with a reasonable written explanation of the steps taken. Where such steps are not sufficient to relieve Controller’s reasonable objections then Controller may by written notice to Processor with immediate effect terminate the MSA to the extent that it relates to the Services which require the use of the proposed Subprocessor.
5.4 With respect to each Subprocessor, Processor shall:
- before the Subprocessor first Processes Controller Personal Data, carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Controller Personal Data required by the MSA; and
- ensure that the arrangement between the Processor and the Subprocessor, is governed by a written contract including terms which offer at least the same level of protection for Controller Personal Data as those set out in this Exhibit and meet the requirements of Applicable Laws.
5.5 Processor shall ensure that each Subprocessor performs the obligations herein, to the extent applicable to Subprocessor, as they apply to Processing of Controller Personal Data carried out by that Subprocessor, as if it were party to this Exhibit in place of Processor.
6 – Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall reasonably assist Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations, as reasonably understood by Controller, to respond to requests to exercise Data Subject rights under the Data Protection Laws, at Controller’s sole expense.
6.2 Processor shall:
- promptly notify Controller if it receives a request from a Data Subject under any Data Protection Law in respect of Controller Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Controller or the Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Controller of that legal requirement before it responds to the request.
7 – Personal Data Breach
7.1 Processor shall notify Controller without undue delay upon Processor or any Subprocessor becoming aware of a Personal Data Breach affecting Controller Personal Data providing Controller with sufficient information to allow Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall cooperate with Controller and take such reasonable commercial steps as are directed by Controller to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Controller’s sole expense.
8 – Data Protection Impact Assessment and Prior Consulation
8.1 Processor and each Processor Affiliate shall provide reasonable assistance to each Controller Group Member with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Controller reasonably considers to be required of any Controller Group Member by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9 – Deletion or return of Controller Personal Data
9.1 Subject to Sections 9.2 and 3 Processor shall promptly and in any event within ninety (90) days of the date of cessation of any Services involving the Processing of Controller Personal Data (the “Cessation Date“), delete all copies of those Controller Personal Data, except such copies as required to be retained in accordance with applicable law and/or regulation.
9.2 Subject to Section 9.3, Controller may in its absolute discretion, by written notice to Processor and within thirty (30) days of the Cessation Date require Processor to (a) return a complete copy of all Controller Personal Data to Controller by secure file transfer in such format as is reasonably notified by Controller to Processor; and (b) delete and procure the deletion of all other copies of Controller Personal Data Processed by Processor. Processor shall comply with any such written request within ninety (90) days of the Cessation Date.
9.3 Processor may retain Controller Personal Data to the extent required by Applicable Laws and only to the extent and for such period as required by Applicable Laws and always provided that Processor shall ensure the confidentiality of all such Controller Personal Data and shall ensure that such Controller Personal Data is only Processed as necessary for the purpose(s) specified in the Applicable Laws requiring its storage and for no other purpose.
9.4 Upon Controller’s prior written request, Processor shall provide written certification to Controller that it has fully complied with this Section 9.
10 – Restricted Transfers
10.1 Subject to Section 10.3 and to the extent necessary, Controller (as “data exporter”) and Processor (as “data importer”) shall enter into the Standard Contractual Clauses in respect of any Restricted Transfer from Controller to Processor.
10.2 The Standard Contractual Clauses shall come into effect under Section 10.1 on the later of:
- the data exporter becoming a party to them;
- the data importer becoming a party to them; and
- commencement of the relevant Restricted Transfer.
10.3 Section 10.1 shall not apply to a Restricted Transfer unless its effect, together with other reasonably practicable compliance steps (which, for the avoidance of doubt, do not include obtaining consents from Data Subjects) is to allow the relevant Restricted Transfer to take place without breach of applicable Data Protection Law.
11 – General Terms
11.1 Governing Law and Jurisdiction. Without prejudice to clauses 7 (Mediation and Jurisdiction) and 9 (Governing Law) of the Standard Contractual Clauses:
- the parties to this Exhibit hereby submit to the choice of jurisdiction stipulated in the MSA with respect to any disputes or claims howsoever arising under this Exhibit, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- this Exhibit and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the MSA.
11.2 Order of Precedence. Nothing in this Exhibit reduces Processor’s obligations under the MSA in relation to the protection of Personal Data or permits Processor to Process (or permit the Processing of) Personal Data in a manner which is prohibited by the MSA. In the event of any conflict or inconsistency between this Exhibit and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Subject to Section 11.2, with regard to the subject matter of this Exhibit, in the event of inconsistencies between the provisions of this Exhibit and any other agreements between the Parties, including the MSA and including (except where explicitly agreed otherwise in writing, signed on behalf of the Parties) agreements entered into or purported to be entered into after the date of this Exhibit, the provisions of this Exhibit shall prevail.
11.3 Changes in Data Protection Laws.
- by at least forty-five (45) calendar days’ prior written notice to Processor from time to time, make any variations to the Standard Contractual Clauses (including any Standard Contractual Clauses entered into under Section 11.1), as they apply to Restricted Transfers which are subject to a particular Data Protection Law, which are required, as a result of any change in, or decision of a competent authority under, that Data Protection Law, to allow those Restricted Transfers to be made (or continue to be made) without breach of that Data Protection Law; and
- propose any other variations to this Exhibit which Controller reasonably considers to be necessary to address the requirements of any Data Protection Law.
If Controller gives notice under Section 220.127.116.11:
- Processor shall promptly cooperate (and shall make commercial efforts to ensure that any affected Subprocessors promptly cooperate) to ensure that equivalent variations are; and
- Controller shall not unreasonably withhold or delay agreement to any consequential variations to this Exhibit proposed by Processor to protect the Processor against additional risks associated with the variations made herein.
11.4 If Controller gives notice under Section 3.1.2, the Parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in Controller’s notice as soon as is reasonably practicable.
11.5 Severance. Should any provision of this Exhibit be invalid or unenforceable, then the remainder of this Exhibit shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1: Details Of Processing Of Controller Personal Data
This Annex 1 includes certain details of the Processing of Controller Personal Data as required by Article 28(3) GDPR.
Subject matter and duration of the Processing of Controller Personal Data. The subject matter and duration of the Processing of the Controller Personal Data are set out in the Principal Agreement and this Addendum.
The nature and purpose of the Processing of Controller Personal Data. The Personal Data transferred will be processed solely as necessary for the Processor’s performance of the services for the Controller as instructed by the Controller in accordance with the applicable Agreement.
The types of Controller Personal Data to be Processed are as follows:
- IP address;
- Web application data: page title, URL;
- Location information: country and city;
- Language preference.
The categories of Data Subject to whom the Controller Personal Data relates to are as follows:
Controller may submit Personal Data, the extent of which is determined and controlled by the Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
- Prospects, customers, business partners and vendors of Controller (who are natural persons);
- Subscribers/end users
- Employees or contact persons of Controller’s prospects, customers, business partners and vendors;
- Employees, agents, advisors, contractors of Controller (who are nature persons).
The obligations and rights of Controller. The obligations and rights of Controller and Controller Affiliates are set out in the MSA and this DPA.