1.0 Processor and Subprocessor Relationships
1.1 CustomerOS as Processor.
1.2 CustomerOS as Subprocessor.
2.1 Processing Details.
2.2 Processing Instructions.
- to provide and maintain the Service;
- as may be further specified through Customer’s use of the Service;
- as documented in the Agreement; and
- as documented in any other written instructions given by
Customer and acknowledged by CustomerOS about Processing Customer Personal Data under this DPA. CustomerOS will abide by these instructions unless prohibited from doing so by Applicable Laws. CustomerOS will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.
2.3 Processing by CustomerOS.
If CustomerOS updates the Service to update existing or include new products, features, or functionality, CustomerOS may change the Categories of Data Subjects, Categories of Personal Data, Special Category Data, Special Category Data Restrictions or Safeguards, Frequency of Transfer, Nature and Purpose of Processing, and Duration of Processing as needed to reflect the updates by notifying Customer of the updates and changes.
2.4 Customer Processing.
Where Customer is a Processor and CustomerOS is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor. In addition, Customer will comply with the Subprocessor requirements in Customer’s agreement with its Controller.
2.5 Consent to Processing.
Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to CustomerOS and/or the Service, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.
CustomerOS will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors includes the identities of the Subprocessors, their country of location, and their anticipated Processing tasks. CustomerOS will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors whether by addition or replacement of a Subprocessor, which allows Customer to have enough time to object to the changes before the CustomerOS begins using the new Subprocessor(s). CustomerOS will give Customer the information necessary to allow Customer to exercise its right to object to the change to Approved Subprocessors. Customer has 30 days after notice of a change to the Approved Subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects to the change within 30 days of notice, Customer and CustomerOS will cooperate in good faith to resolve Customer’s objection or concern.
When engaging a Subprocessor, CustomerOS will have a written agreement with the Subprocessor that ensures the Subprocessor only accesses and uses Customer Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of Agreement.
If the GDPR applies to the Processing of Customer Personal Data, (i) the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR, if applicable) are also imposed on the Subprocessor, and (ii) CustomerOS’s agreement with the Subprocessor will incorporate these obligations, including details about how CustomerOS and its Subprocessor will coordinate to respond to inquiries or requests about the Processing of Customer Personal Data. In addition, CustomerOS will share, at Customer’s request, a copy of its agreements (including any amendments) with its Subprocessors. To the extent necessary to protect business secrets or other confidential information, including Personal Data, CustomerOS may redact the text of its agreement with its Subprocessor prior to sharing a copy.
CustomerOS remains fully liable for all obligations subcontracted to its Subprocessors, including the acts and omissions of its Subprocessors in Processing Customer Personal Data. CustomerOS will notify Customer of any failure by its Subprocessors to fulfill a material obligation about Customer Personal Data under the agreement between CustomerOS and the Subprocessor.
3.0 Restricted Transfers
Customer agrees that CustomerOS may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If CustomerOS transfers Customer Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, CustomerOS will implement appropriate safeguards for the transfer of Customer Personal Data to that territory consistent with Applicable Data Protection Laws.
3.2 Ex-EEA Transfers.
Customer and CustomerOS agree that if the GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the EEA to CustomerOS outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and CustomerOS are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
For each module, the following applies (when applicable):
– The optional docking clause in Clause 7 does not apply; – In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of Subprocessor changes is 10 business days; – In Clause 11, the optional language does not apply; – All square brackets in Clause 13 are removed; – In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Governing Member State; – In Clause 18(b), disputes will be resolved in the courts of the Governing Member State; and – The Standard Terms of Service and any applicable Cloud Service Agreement contains the information required in Annex I, Annex II, and Annex III of the EEA SCCs.
3.3 Ex-UK Transfers.
Customer and CustomerOS agree that if the UK GDPR protects the transfer of Customer Personal Data, the transfer is from Customer from within the United Kingdom to CustomerOS outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and CustomerOS are deemed to have signed the UK Addendum and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
3.3 Other International Transfers.
For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
4.0 Security Incident Response
Upon becoming aware of any Security Incident, CustomerOS will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the Security Incident; (b) provide timely information about the Security Incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the Security Incident. CustomerOS’s notification of or response to a Security Incident as required by this DPA will not be construed as an acknowledgment by CustomerOS of any fault or liability for the Security Incident.
5.0 Audit & Reports
5.1 Audit Rights.
CustomerOS will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and CustomerOS will allow for and contribute to audits, including inspections by Customer, to assess CustomerOS’s compliance with this DPA. However, CustomerOS may restrict access to data or information if Customer’s access to the information would negatively impact CustomerOS’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Customer acknowledges and agrees that it will only exercise its audit rights under this DPA and any audit rights granted by Applicable Data Protection Laws by instructing CustomerOS to comply with the reporting and due diligence requirements below. CustomerOS will maintain records of its compliance with this DPA for 3 years after the DPA ends.
5.2 Security Reports.
Customer acknowledges that CustomerOS is regularly audited against the standards defined in the Security Policy by independent third-party auditors. Upon written request, CustomerOS will give Customer, on a confidential basis, a summary copy of its then-current Report so that Customer can verify CustomerOS’s compliance with the standards defined in the Security Policy.
5.3 Security Due Diligence.
In addition to the Report, CustomerOS will respond to reasonable requests for information made by Customer to confirm CustomerOS’s compliance with this DPA, including responses to information security, due diligence, and audit questionnaires, or by giving additional information about its information security program. All such requests must be in writing and made to the CustomerOS Security Contact and may only be made once a year.
6.0 Coordination & Cooperation
6.1 Response to Inquiries.
If CustomerOS receives any inquiry or request from anyone else about the Processing of Customer Personal Data, CustomerOS will notify Customer about the request and CustomerOS will not respond to the request without Customer’s prior consent. Examples of these kinds of inquiries and requests include a judicial or administrative or regulatory agency order about Customer Personal Data where notifying Customer is not prohibited by Applicable Law, or a request from a data subject. If allowed by Applicable Law, CustomerOS will follow Customer’s reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. If a data subject makes a valid request under Applicable Data Protection Laws to delete or opt out of Customer’s giving of Customer Personal Data to CustomerOS, CustomerOS will assist Customer in fulfilling the request according to the Applicable Data Protection Law. CustomerOS will cooperate with and provide reasonable assistance to Customer, at Customer’s expense, in any legal response or other procedural action taken by Customer in response to a third-party request about CustomerOS’s Processing of Customer Personal Data under this DPA.
6.2 DPIAs and DTIAs.
If required by Applicable Data Protection Laws, CustomerOS will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities, taking into consideration the nature of the Processing and Customer Personal Data.
7.0 Deletion of Customer Personal Data
7.1 Deletion by Customer.
CustomerOS will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Services. CustomerOS will comply with this instruction as soon as reasonably practicable except where further storage of Customer Personal Data is required by Applicable Law.
7.2 Deletion at DPA Expiration.
After the DPA expires, CustomerOS will return or delete Customer Personal Data at Customer’s instruction unless further storage of Customer Personal Data is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited by Applicable Laws, CustomerOS will make reasonable efforts to prevent additional Processing of Customer Personal Data and will continue to protect the Customer Personal Data remaining in its possession, custody, or control. For example, Applicable Laws may require CustomerOS to continue hosting or Processing Customer Personal Data.
If Customer and CustomerOS have entered the EEA SCCs or the UK Addendum as part of this DPA, CustomerOS will only give Customer the certification of deletion of Personal Data described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs if Customer asks for one.
8.0 Limitation of Liability
8.1 Liability Caps and Damages Waiver.
To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
8.2 Related-Party Claims.
This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
9.0 Conflicts Between Documents
This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
10.0 Term of Agreement
This DPA will start when CustomerOS and Customer agree to the Standard Terms of Service and any applicable Cloud Service Agreement and sign or electronically accept the Agreement and will continue until the Agreement expires or is terminated. However, CustomerOS and Customer will each remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to CustomerOS and CustomerOS stops Processing Customer Personal Data.