Posted/Revised: 13 March 2018
|1.2||In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.|
Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement and the following capitalised terms used in this DPA shall be defined as follows:
|3.1||Instructions for Data Processing. Provider will only Process Customer Personal Data in accordance with (a) the Agreement, to the extent necessary to provide the Service to the Customer, and (b) the Customer's written instructions, unless Processing is required by European Union or Member State law to which Provider is subject, in which case Provider shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data. The Agreement (subject to any changes to the Service agreed between the Parties) and this DPA shall be the Customer's complete and final instructions to Provider in relation to the processing of Customer Personal Data.|
|3.2||Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Provider on additional instructions for Processing.|
|3.3||Required consents. Where required by applicable Data Protection Laws, Customer will be responsible for ensuring that all Data Subjects have given/will give all necessary consents for the lawful Processing of Customer Personal Data by the Provider in accordance with the Agreement.|
Privacy notices. Customer warrants and represents that:
|3.5||Indemnity. Customer agrees to indemnify the Provider and its officers, directors, employees, agents, affiliates, successors and permitted assigns (each an "Indemnified Party", and collectively the "Indemnified Parties") against any and all losses, damages, liabilities, deficiencies, claims, actions, judgments, settlements, interest, awards, penalties, fines, costs, or expenses of whatever kind, including legal fees and court fees, that are incurred by the Indemnified Parties (collectively, "Losses") arising out of any third party claim brought against the Provider relating to or arising out of any instructions given by the Customer to the Provider under paragraph 3.1, any failure to obtain the consents under paragraph 3.3, any breach by the Customer of the warranty in paragraph 3.4 or any other breach by the Customer of any Data Protection Laws.|
|4.||TRANSFER PERSONAL DATA|
|4.1||Authorised Subprocessors. The Customer agrees that Provider may use Amazon Web Services, Inc and Wildbit, LLC as Subprocessors to Process Customer Personal Data.|
|4.2||The Customer agrees that the Provider may use subcontractors to fulfil its contractual obligations under the Agreement. The Provider shall notify the Customer from time to time of the identity of any Subprocessors it engages. If the Customer (acting reasonably) does not approve of a new Subprocessor, then without prejudice to any right to terminate the Agreement, the Customer may request that the Provider moves the Customer Personal Data to another Subprocessor and Provider shall, within a reasonable time following receipt of such request, use all reasonable endeavours to ensure that the Subprocessor does not Process any of the Customer Personal Data.|
|4.3||Save as set out in clauses 4.1 and 4.2, the Provider shall not permit, allow or otherwise facilitate Subprocessors to Process Customer Personal Data without the prior written consent of Customer and unless Provider enters into a written agreement with the Subprocessor which imposes the same obligations on the Subprocessor with regard to their Processing of Customer Personal Data, as are imposed on the Provider under this DPA.|
|4.4||Liability of Subprocessors. The Provider shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Provider.|
|4.5||Prohibition on Transfers of Personal Data. The Customer acknowledges that the Provider or its Subprocessors may access the Customer Personal Data outside the EEA or Switzerland, provided that Provider maintains its certification to the EU-U.S. Privacy Shield.|
|5.||DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS|
|5.1||Provider Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in ANNEX 2.|
|5.2||Upon request by the Customer, Provider shall make available all information reasonably necessary to demonstrate compliance with this DPA.|
|5.3||Security Incident Notification. If Provider or any Subprocessor becomes aware of a Security Incident, Provider will (a) notify the Customer of the Security Incident within 72 hours, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.|
|5.4||Provider Employees and Personnel. Provider shall treat the Customer Personal Data as the Confidential Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.|
|6.||ACCESS REQUESTS AND DATA SUBJECT RIGHTS|
|6.1||Data Subject Requests. Save as required (or where prohibited) under applicable law, Provider shall notify Customer of any request received by Provider or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.|
|6.2||Provider shall provide Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Service.|
|6.3||Government Disclosure. Provider shall notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any data protection supervisory authority) unless otherwise prohibited by law or a legally binding order of such body or agency.|
Where applicable, taking into account the nature of the Processing, and to the extent required under applicable Data Protection Laws, the Provider shall provide the Customer with any information or assistance reasonably requested by the Customer for the purpose of complying with any of the Customer's obligations under applicable Data Protection Laws, including:
|8.||DURATION AND TERMINATION|
Deletion of data. Subject to 8.2 and 8.3 below, Provider shall, within 90 (ninety) days of the date of termination of the Agreement:
Subject to section 8.3 below, Customer may in its absolute discretion notify Provider in writing within 30 (thirty) days of the date of termination of the Agreement to require Provider to delete and procure the deletion of all copies of Customer Personal Data Processed by Provider. Provider shall, within 90 (ninety) days of the date of termination of the Agreement:
|8.3||Provider and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Provider shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.|
This ANNEX 1 includes certain details of the processing of Customer Personal Data as required by Article 28(3) of the GDPR.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter of the Processing of Customer Personal Data is the use of and access to the Service by the Customer in accordance with the Agreement.
The duration of the Processing of Customer Personal Data is the Term, subject to paragraphs 8.2 and 8.3 of this DPA.
The nature and purpose of the Processing of Customer Personal Data
The Processing of Customer Personal Data provided by Customer to the Provider, or collected by Provider on behalf of the Customer, for the purposes of providing the Service to the Customer.
The types of Customer Personal Data to be processed
Users: name, contact information, usage information, non-traditional identifiers of Users, and any other Personal Data the Customer or its Users submit to the Provider in the course of their use of the Service.
Applicants for employment with the Customer (the "Candidates"): name, email address, usage information, non-traditional identifiers and any other Personal Data the Candidates submit to the Provider in the course of their use of the Service.
The categories of data subject to whom the Customer Personal Data relates
Users and Candidates
The obligations and rights of the Customer
The obligations and rights of the Customer are as set out in this DPA.