Data Processing Addendum
This Data Processing Addendum (“DPA”) forms an integral part of the Agreement.
The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Customer Personal Data. The parties agree to comply with this DPA with respect to any Customer Personal Data that the inSided Group may process in the course of providing the Services pursuant to the Agreement. This DPA shall not replace or supersede any data processing addendum or agreement executed by the parties prior to the DPA Effective Date without the prior written consent of the parties (electronically submitted consent acceptable).
This DPA will take effect on the DPA Effective Date and, notwithstanding the expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Customer Data by inSided as described in this DPA.
If the Customer entity entering into or accepting this DPA is neither a party to an Order Form nor the Agreement, this DPA is not valid and is not legally binding. Such an entity should request that the Customer entity that is a party to the Agreement execute this DPA.
For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and its Covered Affiliates.
1.1 Capitalized terms used but not defined in this DPA shall have the meanings given to them in the Terms or applicable Data Protection Laws.
“Covered Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the Data Protection Laws, and (b) is permitted to use the Services pursuant to the Agreement between Customer and inSided, but has not signed its own Service Order with inSided and is not a "Customer" as defined under the agreement.
“Data Incidents” means a personal data breach as defined in Article 4 (12) GDPR.
"Data Protection Laws" means all applicable data protection and privacy laws and regulations, including EU Data Protection Laws.
“DPA Effective Date” means, as applicable, (a) May 25, 2018; or (b) Contract Start Date as defined in written or electronic agreements or order forms, if such date is after May 25, 2018.
“EEA” means the European Economic Area.
“EU Data Protection Laws” means laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the processing of Personal Data under the Agreement, including the GDPR.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC effective as of May 25, 2018, and any legislation and/or regulation which amends, replaces or re-enacts it.
“Sub-processor” means any third-party engaged by inSided or a member of the inSided Group which processes Customer Personal Data in order to provide parts of the Services.
“Term” means the period from the DPA Effective Date until the end of inSided’s provision of the Services, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which inSided may continue providing the Services for transitional purposes.
“Terms” means the terms and conditions of inSided that apply to the Agreement.
1.2 The terms “personal data”, “data subject”, “processing”, “controller”, “processor” and “supervisory authority” as used in this DPA have the meanings given in the GDPR.
2. Personal Data Processing Terms
2.1 If the EU Data Protection Laws apply to the processing of Customer Personal Data, the parties acknowledge and agree that:
- The Customer is the controller and inSided and the inSided Group are the processor of the Customer Personal Data, and inSided or a member of the inSided Group may engage Sub-processors pursuant to Section 7 (Sub-processors).
- The subject-matter of the data processing covered by this DPA is the provision of the Services and the processing will be carried out for the duration of the Agreement or so long as inSided is providing the Services. Attachment 1 of this DPA sets out the nature and purpose of the processing, the types of Customer Personal Data inSided processes and the categories of data subjects whose personal data is processed.
- Each party will comply with the obligations applicable to it under the EU Data Protection Laws, including with respect to the processing of Customer Personal Data.
- If the GDPR is applicable, inSided will process Customer Personal Data in accordance with the requirements of the GDPR directly applicable to inSided’s provision of Services. Notwithstanding anything to the contrary set forth in this DPA, in the event of a conflict or clarification of definitions, the GDPR shall apply only as of May 25, 2018.
- If Customer is a processor itself, Customer warrants to inSided that Customer’s instructions and actions with respect to the Customer Personal Data, including its appointment of inSided as another processor, have been authorized by the relevant controller.
- For the avoidance of doubt, Customer’s instructions to inSided for the processing of Customer Personal Data shall comply with all applicable laws, including the EU Data Protection Laws. As between inSided and Customer, Customer shall be responsible for the Customer Personal Data and the means by which Customer acquired Customer Personal Data.
- For the purposes of this DPA, the following is deemed an instruction by Customer to process Customer Personal Data (a) to provide the Services; (b) as further specified via Customer’s use of the Services (including the Services’ user interface dashboard and other functionality of the Services); (c) as documented in the Agreement (including this DPA and any Order Form that requires processing of Customer Personal Data); and (d) as further documented in any other written instructions given by the Customer (which may be specific instructions or instructions of a general nature as set out in this DPA, the Agreement or as otherwise notified by Customer to inSided from time to time), where such instructions are consistent with the terms of the Agreement.
- The parties acknowledge and agree that the parties will comply with all applicable laws with respect to the processing of Customer Personal Data.
- When inSided processes Customer Personal Data in the course of providing the Services, inSided will:
- Process the Customer Personal Data only in accordance with (a) the Agreement and (b) Customer’s instructions as described in Section 2.1.7, unless inSided is required to process Customer Personal Data for any other purpose by the European Union or member state law to which inSided is subject. inSided shall inform the Customer of this requirement before processing unless prohibited by applicable laws on important grounds of public interest.
- Notify the Customer without undue delay if, in inSided's opinion, an instruction for the processing of Customer Personal Data given by the Customer infringes applicable EU Data Protection Laws.
3. Data Security
3.1 Security Measures
- inSided will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Customer Personal Data, against unauthorized or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data, and (ii) the confidentiality and integrity of Customer Personal Data.
- In addition to these measures, inSided may make additional security guidelines available that provide the Customer with information about, in inSided’s opinion, best practices for securing, accessing and using Customer Personal Data including best practices for password and credentials protection.
- inSided will take reasonable steps to ensure the reliability and competence of inSided personnel engaged in the processing of Customer Personal Data.
3.2 Data Incidents
- If inSided becomes aware of a Data Incident, inSided will: (a) notify Customer of the Data Incident without undue delay after becoming aware of the Data Incident; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
- Notifications made pursuant to this section will describe, to the extent possible, details of the Data Incident, including steps taken to mitigate the potential risks and, as applicable, steps inSided recommends Customer to take to address the Data Incident.
- Notification(s) of any Data Incident(s) will be delivered to Customer by direct communication. The Customer is solely responsible for ensuring that any contact information, including notification email address, provided to inSided is current and valid.
- inSided will not assess the contents of Customer Personal Data in order to identify information subject to any specific legal requirements. The Customer is solely responsible for complying with incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Incident(s).
- inSided’s notification of or response to a Data Incident under this Section 3.2 (Data Incidents) will not be construed as an acknowledgment by inSided of any fault or liability with respect to the Data Incident.
3.3 Customer’s Security Responsibilities
- Customer agrees that, without prejudice to inSided’s obligations under Section 3.1 (Security Measures) and Section 3.2 (Data Incidents):
- The Customer is solely responsible for reviewing the security measures and evaluating for itself whether the Services, the security measures, the additional security information and inSided’s commitments under this Section 3 (Data Security) will meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Laws. Customer acknowledges and agrees that the security measures implemented and maintained by inSided as set out in Section 3.1 (Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.
- Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services and any additional security information to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems, and devices Customer uses to access the Services; and
- inSided has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of inSided’s and its Sub-processors’ systems (for example, offline or on-premises storage).
3.4 Customer Audit Rights
- The Customer may contact inSided to request an on-site audit of the procedures relevant to the protection of Customer Personal Data. Customer shall reimburse inSided for any time expended for any such on-site audit. Before the commencement of any such on-site audit, Customer and inSided shall mutually agree upon the scope, timing, and duration of the audit, such that it does not unreasonably interfere with normal business operations. The Customer shall promptly notify inSided with information regarding any non-compliance discovered during the course of an audit.
- The Customer may conduct such on-site audit (a) itself, (b) through an Affiliate that is not a competitor of inSided or (c) through an independent, third-party auditor that is not a competitor of inSided.
- The audit may only be undertaken when the Customer has requested and reviewed the relevant audit reports in possession of inSided, and presents reasonable specific grounds that justify an audit initiated by the Customer. An audit is justified if the relevant audit reports give no or insufficient information about compliance with this DPA. The audit initiated by the Customer shall not take place earlier than two weeks after the Customer has provided written notice to inSided and no more than once per year. All costs of the audit, including the costs incurred by inSided, will be borne by the Customer.
4. Data Deletion
4.1 inSided will enable the Customer’s users to delete their data during the Term in a manner consistent with the functionality of the Services. If the Customer’s users utilize the Services to delete any data during the Term and that data cannot be recovered by the Customer, this use will constitute an instruction to inSided to delete the relevant data from inSided’s systems in accordance with applicable law.
4.2 Upon expiry of the Term or upon Customer’s written request, subject to the terms of the Agreement, inSided shall either (a) return (to the extent such data has not been deleted by the Customer from the Services) or (b) securely delete Customer Data, to the extent allowed by applicable law, within a maximum of 30 days, as applicable.
4.3 inSided will comply with this instruction as soon as reasonably practicable and within a maximum period of 30 days, unless European Union or member state law requires storage. This is without prejudice to Section 5 (Data Subject Rights; Data Export).
4.4 Customer acknowledges and agrees that the Customer will be responsible for requesting to inSided, before the Term expires, any Customer Data it wishes to retain afterwards, including database dump(s) and static files.
5. Data Subject Rights
5.1 As of the DPA Effective Date for the duration of the period inSided provides the Services:
- inSided will, in a manner consistent with the functionality of the Services, enable Customer to access, rectify and restrict processing of Customer Data, including via the deletion functionality provided by inSided as described in Section 4 (Data Deletion);
- inSided will, without undue delay, notify the Customer, to the extent legally permitted, if inSided receives a request from a data subject to exercise the data subject's right of access, right to rectification, restriction of processing, erasure, data portability, objection to the processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”); and
- if inSided receives any request from a data subject in relation to Customer Personal Data, inSided will advise the data subject to submit his or her request to the Customer and the Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Services.
- Taking into account the nature of the processing, inSided will assist the Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under EU Data Protection Laws. In addition, to the extent the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, inSided shall, upon Customer’s written request, provide the Customer with reasonable cooperation and assistance to facilitate Customer’s response to such Data Subject Request, to the extent inSided is legally permitted to do so and the response to such Data Subject Request is required under EU Data Protection Laws. To the extent legally permitted, the Customer shall be responsible for any costs arising from inSided’s provision of such assistance. Furthermore, inSided is entitled to charge reasonable costs for the requested assistance.
6. Data Protection
6.1 Upon Customer’s written request, inSided will provide the Customer with reasonable cooperation and assistance needed to fulfill Customer's obligation under the GDPR to carry out a data protection impact assessment related to Customer's use of the Services, to the extent the Customer does not otherwise have access to the relevant information, and to the extent such information is available to inSided. inSided will provide reasonable assistance to the Customer in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under the GDPR. inSided is entitled to charge reasonable costs for the requested assistance.
7. Sub-processors
7.1 The Customer specifically authorizes the engagement of inSided’s Affiliates as Sub-processors. In addition, the Customer acknowledges and agrees that inSided and inSided’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. The Customer hereby gives inSided general permission to engage third parties (Sub-processors).
7.2 inSided will make available the current list of Sub-processors for the Services to the Customer. inSided shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to process Customer Personal Data in connection with the provision of the Services either by sending an email or via the user interface dashboard of the Services. The Customer has the right to object (in writing, within two weeks and supported by arguments) to a proposed new/changed Sub-processor. Should the Customer object, the parties will jointly endeavour to find a solution.
7.3 For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the sub-processing by inSided for purposes of Clause 11 of the Standard Contractual Clauses.
7.4 inSided aims to keep the current list of Sub-processors for the Services updated. The list will at all times show the date on which it was last updated.
7.5 inSided shall be liable for the acts and omissions of its Sub-processors to the same extent inSided would be liable if performing the services of each Sub-processor directly under the terms of this DPA subject to the limitations set forth in Section 8 (Liability) and the Agreement.
8. Liability
8.1 Any liability arising out of or in connection with this DPA shall be exclusively governed by the liability provisions set forth in, or otherwise applicable to, the Agreement.
9. Transfer of Customer Personal Data outside the EEA
9.1 inSided may process the Customer Personal Data in countries inside the European Economic Area (EEA). In addition, inSided may also transfer the Customer Personal Data to a country outside the EEA, provided that the legal requirements for such transfer have been fulfilled.
9.2 Upon request, inSided shall notify the Customer as to which country or countries the Customer Personal Data will be processed in.
10. Effect of this DPA
10.1 Notwithstanding anything to the contrary in the Agreement, to the extent of any conflict or inconsistency between this DPA and the remaining terms of the Agreement, this DPA will govern.