Terms Of Service - Data Processing Agreement



1. Background
1.1 This Data Processing Appendix (“DPA”) is an appendix to the Terms Of Service.
1.2 The purpose of this DPA is to fulfil the requirements of a written agreement pursuant to Article 28 of the GDPR.
2. Definitions
In this DPA the following terms shall have the following meanings: “Data Protection Laws” refers to Regulation (EU) 2016/679 of the European parliament and of the council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) including supplementing legislation acts and decisions. ”DPA” refers to this Data Processing Appendix and all annexes thereto. “Personal Data” refers to the personal data that Adveronix processes on behalf of Customer pursuant to the Agreement. “security incident”, “audit”, “controller”, “data subject”, “personal data”, “processor” and “processing” all have the meaning given under the GDPR.
3. Processing instructions
3.1 In consideration of Customer making available the Personal Data to Adveronix, Adveronix agrees to process the Personal Data in accordance with the terms and conditions of this DPA.
3.2 Subject to clause 3.3 in this DPA, the Parties acknowledge and agree that: i. for the purposes of this DPA and as between them, Customer is, or shall be regarded as, a controller of the Personal Data and Adveronix is, or shall be regarded as, a processor of the Personal Data; and ii. Customer will comply with its obligations as a controller under the Data Protection Laws and Adveronix will comply with its obligations as a processor under this DPA, the Data Protection Laws and Customer’s written instructions.
3.3 Customer instructs Adveronix, and Adveronix agrees to, process the Personal Data in accordance with the instructions put forward in ANNEX 1.
4. Confidentiality of processing
4.1 Adveronix shall ensure that all persons it authorizes to process the Personal Data are subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and only process the Personal Data as set out in this DPA.
4.2 Adveronix shall ensure that only persons who needs to process the Personal Data, in order for Adveronix to supply the Service, have access to such Personal Data.
5. Data subject rights
5.1 Adveronix shall provide reasonable assistance to Customer to enable Customer to respond to: i. any request relating to the Personal Data from a data subject to exercise any of its rights under Data Protection Laws; ii. any other correspondence, enquiry or complaint received from a data subject or regulator in connection with the processing of the Personal Data by Adveronix.
5.2 If any such request, correspondence, enquiry or complaint is made directly to Adveronix, Adveronix shall without undue delay inform Customer of such request, correspondence, enquiry or complaint.
5.3 Adveronix shall not disclose any Personal Data in response to a request for access or disclosure from any third party without Customer’s prior written consent, unless where Adveronix is compelled to do so in accordance with applicable law or as otherwise allowed under this DPA or the Agreement.
6. Data protection impact assessments
If requested by Customer, Adveronix shall provide Customer with reasonable assistance in order for Customer to conduct a data protection impact assessment; and if necessary, consult with its relevant supervisory authority.
7. Security
7.1 Adveronix shall implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
7.2 Adveronix shall notify Customer of any security incident that it becomes aware of without undue delay, and in any case, never later than 48 hours after Adveronix becomes aware of the security incident. All such notifications shall be made at Adveronix’s discretion by a phone call or email to Customer representative that Adveronix regularly liaises with.
7.3 If the security incident may be attributed to Adveronix’s processing of the Personal Data, Adveronix shall cooperate with Customer and provide Customer with reasonable assistance and information in the investigation of a security incident.
7.4 All costs associated with managing a security incident and fulfilling its obligations shall be borne by Customer where the security incident occurs as a result of Customer failing to perform its obligations under this DPA or the Data Protection Laws. If the security incident did not occur as a result of Customer failing to perform its obligations under this DPA or the Data Protection Laws, or if it is not possible to determine which Party that are responsible for the security incident, each Party shall bear their respective costs that are associated with managing such security incident and fulfilling such obligations.
8. Sub-Processors
8.1 Customer gives Adveronix a general written authorisation to subcontract any processing of the Personal Data to a third-party subcontractor.
8.2 Adveronix shall, upon request from Customer, provide a list to Customer of the third-party subcontractors Adveronix engages with in its processing of the Personal Data.
8.3 Adveronix shall impose data protection terms to an equivalent standard as provided for under this DPA for all its subcontractors.
8.4 Adveronix shall remain fully liable for the processing of the Personal Data that its subcontractors process under this DPA.
9. Audit
9.1 Adveronix shall permit Customer (or its appointed third-party auditors) to audit Adveronix's compliance with this DPA, and shall make available to Customer information, systems and staff necessary for Customer (or its third-party auditors) to conduct such audit. Adveronix acknowledges that Customer (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Customer gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to Adveronix's operations. Customer will not exercise its audit rights more than once in any twenty-four (24) calendar month period, except if, and when, required by instruction of a competent supervisory authority.
10. International data transfers
Customer gives Adveronix permission to transfer and process the Personal Data outside the European Economic Area, as long as Adveronix transfers such Personal Data in accordance with one of the allowed mechanisms prescribed by the Data Protection Laws.
11. Terms and termination
11.1 This DPA shall be in effect for as long as Adveronix processes Personal Data for Customer. Upon termination of the Agreement, Adveronix shall destroy or return the Personal Data to Customer, depending on what Customer chooses. If Customer has not informed Adveronix of its choice within two (2) months from the termination of the Agreement, Adveronix shall destroy all Personal Data.
11.2 At the request of Customer, Adveronix shall confirm the actions taken regarding the Personal Data after the completion of the process mentioned in clause
11.1 in this DPA.
11.3 If Customer chooses that Adveronix should destroy the Personal Data, in accordance with clause 11.1 in this DPA, it shall not apply to the extent that Adveronix is required by any European Union, or Member State, law or other applicable law to retain such data.
11.4 All clauses of this DPA which by their nature should survive termination will survive termination.
ANNEX 1

Instruction for processing of the Personal Data

Purposes

To provide the Service pursuant to the Agreement and security and monitoring.

Categories of Personal Data

Data Sources, which the Customer imports to the Service.

Categories of data subjects

Data subjects in the Data Sources, e.g. customers’ customers and employees.

Processing activities
  • Collection;
  • logging;
  • organization;
  • structuring;
  • storage;
  • adaptation or alteration;
  • use;
  • disclosure;
  • anonymization or aggregating; and
  • erasure.
Location for the processing of the Personal Data
  • EU; and
  • USA.
Retention periods

Adveronix will process the Personal Data during the period in which the Agreement is in effect and for a reasonable period of time thereafter. However, Adveronix will strive to aggregate or in other ways de-identify the Personal Data so it is no longer considered as personal data.

Subcontractors per the Effective Date

Adveronix uses data center services from Amazon Web Services (AWS), Google and Microsoft (based in the EU and the USA).