Effective Date: 10/2/2019
This Data Processing Addendum (“DPA”) applies to the extent that Data Protection Legislation applies to the processing of personal data under this Agreement, including if (a) the processing is in the context of the activities of an establishment of either Party in the European Economic Area (“EEA”) and/or (b) the personal data relates to data subjects who are in the EEA and the processing relates to the offering to them of services or the monitoring of their behavior in the EEA by or on behalf of a Party. All capitalized terms not otherwise defined in this DPA will have the meaning given to them in this Agreement. If there is any inconsistency or conflict between this DPA and any Agreement, then as it relates to data protection, this DPA will govern and will survive termination of this Agreement.
- “Company Personal Data” means personal data processed by UserLeap on behalf of Company or the Data Subject in provision of the Services.
- “Data Subject” means the identifiable, natural person to whom Company Personal Data relates.
- “Data Protection Legislation” means as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland).
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and any amendment or replacement to it.
- “Security Breach” or “personal data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Personal Data transmitted, stored or otherwise processed.
- “Controller to Processor Standard Clauses” in relation to the processing of Company Personal Data pursuant to this Agreement means the standard clauses for the transfer of personal data to processors established in third countries as updated, amended, replaced or superseded from time to time by the European Commission, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010, available at: http://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087. For clarity, the terms “controller”, “data subject”, “personal data”, “processing”, “processor”, and “supervisory authority” as used in this DPA will have the meanings ascribed to them in the GDPR.
PROCESSING OF DATA.
- 2.1. Purpose of Processing. The purpose of data processing under this Agreement is the provision of the Services pursuant to this agreement.
- 2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) UserLeap is a processor of Company Personal Data under the Data Protection Legislation; (b) Company is a controller of Company Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of Company Personal Data.
- 2.4. Company Instructions. Company instructs UserLeap to process Company Personal Data: (a) in accordance with this agreement and any applicable Order Form; and (b) to comply with other reasonable written instructions provided by Company where such instructions are consistent with the terms of this agreement. Company will ensure that its instructions for the processing of Company Personal Data will comply with the Data Protection Legislation. Company will have sole responsibility for the accuracy, quality, and legality of Company Personal Data and the means by which Company obtained the personal data.
- 2.5. UserLeap’s Compliance with Company Instructions. UserLeap will only process Company Personal Data in accordance with Company’s instructions. UserLeap may process Company Personal Data other than on the written instructions of Company if it is required under applicable law to which UserLeap is subject. In this situation, UserLeap will inform Company of such requirement before UserLeap processes the Company Personal Data unless prohibited by applicable law.
SECURITY; PRIVACY IMPACT ASSESSMENTS.
- 3.1. UserLeap Personnel. UserLeap will ensure that its personnel engaged in the processing of Company Personal Data are informed of the confidential nature of the Company Personal Data, and are subject to obligations of confidentiality and such obligations survive the termination of that individual’s engagement with UserLeap.
- 3.2. Security. UserLeap will implement appropriate technical and organizational measures to safeguard Company Personal Data taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- 3.3. Data Privacy Impact Assessments. UserLeap will take reasonable measures to cooperate and assist Company in conducting a data protection impact assessment and related consultations with any supervisory authority, if Company is required to conduct such assessment under Data Protection Legislation.
DATA SUBJECT RIGHTS.
- 4.1. Assistance with Company’s Obligations. To the extent Company, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Company Personal Data, as required by Data Protection Legislation, UserLeap will promptly comply with reasonable requests by Company to facilitate such actions to the extent UserLeap is legally permitted and able to do so.
- 4.2. Notification Obligations. UserLeap will, to the extent legally permitted, promptly notify Company if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of Company Personal Data relating to such individual. UserLeap will not respond to any such data subject request relating to Company Personal Data without Company’s prior written consent except to confirm that the request relates to Company. UserLeap will provide Company with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Company does not have the ability to address such Company Personal Data through its use or receipt of the Services.
- 5.1. General Authorization. Company generally authorizes the use of subprocessors to process Company Personal Data in connection with fulfilling UserLeap’s obligations under this agreement and/or this DPA.
- 5.2. New Subprocessors. When UserLeap engages any new subprocessor to process Company Personal Data, UserLeap will, at least ten (10) days before the new subprocessor processes any Company Personal Data, inform Company of the engagement via email to the email address on file for Company’s account and give Company the opportunity to object to such subprocessor within five (5) days of UserLeap giving notice. If Company objects to a new subprocessor, and such objection is not resolved within twenty (20) days of UserLeap receiving the objection, UserLeap may terminate this agreement with Company.
- 5.3. UserLeap Obligations. UserLeap will remain liable for the acts and omissions of its subprocessors to the same extent UserLeap would be liable if performing the services of each subprocessor directly under the terms of this DPA. UserLeap will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on UserLeap under this DPA.
Transfers of Company Personal Data collected pursuant to this agreement outside of the EEA or Switzerland will be governed by the Controller to Processor Standard Clauses, incorporated herein by reference. For purposes of the Controller to Processor Standard Clauses, (i) Company, the party transferring from the EEA or Switzerland, will be referred to as the “Data Exporter” and (ii) UserLeap will be referred to as the “Data Importer.” Annex 1 to this DPA will apply as Appendix 1 of the Controller to Processor Standard Clauses. Annex 2 to this DPA will apply as Appendix 2 of the Controller to Processor Standard Clauses.
- 7.1. Notification Obligations. In the event UserLeap becomes aware of any Security Breach, UserLeap will notify Company of the Security Breach without undue delay. The obligations in this Section 7 do not apply to incidents that are caused by Company or Company’s personnel or end users or to unsuccessful attempts or activities that do not compromise the security of Company Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
- 7.2. Manner of Notification. Notification(s) of Security Breaches, if any, will be delivered to one or more of Company’s business, technical or administrative contacts by any means UserLeap selects, including via email. It is Company’s sole responsibility to ensure it maintains accurate contact information on UserLeap’s support systems at all times.
TERM AND TERMINATION.
- 8.1. Term of DPA. This DPA will remain in effect until, and automatically expire upon, the return or deletion of all Company Personal Data as described in this DPA.
- 8.2. Deletion of Company Data. UserLeap will delete or return Company Personal Data to Company after the end of the provision of Services under this agreement and will delete all existing copies thereof, except to the extent that UserLeap is required under applicable law to keep a copy of the Company Personal Data.
- 9.1. Information Rights. UserLeap has obtained the third-party certification and audits demonstrating its compliance with the security measures set forth in Annex 2, including ISO/IEC 27001:2013 certification. Upon Company’s written request no more than once per year, UserLeap will provide a copy of UserLeap’s then most recent third-party audits or certifications (the “Audit Reports”), as applicable, or any summaries thereof, that UserLeap makes available to its customers. Audit requests must be sent to firstname.lastname@example.org. UserLeap may satisfy such audit request by providing Company with a confidential copy of an Audit Report in order that Company may reasonably verify UserLeap’s compliance with the technical and organizational measures as required under this Agreement. If Company is not satisfied with the above certifications and audits, UserLeap will allow Company or a mutually agreed upon independent auditor appointed by Company to conduct an audit (including inspection), no more than once per year upon eight weeks’ notice sent to the above email address. Any independent auditor appointed must commit to a duty of confidentiality. UserLeap will contribute to such audits whose sole purpose will be to verify UserLeap’s compliance with its obligations under this Agreement.
- 9.2. Separate Service. Any request for UserLeap to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Company will reimburse UserLeap for any time spent for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by UserLeap. Company will promptly notify UserLeap with information regarding any non-compliance discovered during the course of an audit. UserLeap will reasonably cooperate with Company, at Company’s expense, to assist Company in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to UserLeap.