Data Processing Addendum (DPA)
This Data Processing Addendum (this “DPA”) forms part of and is subject to the inSided Terms and Conditions or other written subscription agreement (together with all Order Forms and attachments thereto, the “Agreement”) between the inSided entity referenced on the Order Form (such entity being, “inSided”) and the party identified as the “Client” in the Agreement. Capitalized terms used herein and not otherwise defined shall have the meaning set forth for such term in the Agreement. This DPA applies where and to the extent that inSided processes Client Data (as defined below) on behalf of Client when providing the Services under the Agreement.
By executing this DPA, Client enters into this DPA (including the Standard Contractual Clauses referenced herein, if applicable) on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with inSided. For the purposes of this DPA only, and except where otherwise indicated, the term “Client” shall include Client and such Affiliates.
Notwithstanding anything in the Agreement to the contrary, notices to be delivered under this DPA shall be directed to (if Client does not include a contact in the box below, Client confirms that inSided shall forward any notices hereunder to the contact information identified on the applicable Order Form):
IF TO INSIDED:
IF TO CLIENT:
As noted on the Order Form
The Parties agree as follows:
“CCPA” means the California Consumer Privacy Act of 2018 (California Civil Code §§ 1798.100 et seq.), as may be amended, superseded or replaced.
“Client Data” means any Client Content that is Personal Data that inSided processes on behalf of Client in the course of providing the Services, as more particularly described in Annex A.
“Data Protection Law” means all data protection and privacy laws and regulations applicable to a party’s processing of Client Data including, where applicable, European Data Protection Law and the CCPA.
“Europe” means, for the purposes of this DPA, the Member States of the European Union, plus Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom.
“European Data Protection Law” means all data protection and privacy laws and regulations enacted in Europe, including: (a) the GDPR; (b) all applicable national implementations of the GDPR; (c) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; and (d) in respect of the United Kingdom, the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”), in each case, as may be amended, superseded or replaced.
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
“Personal Data” means any information which is protected as “personal data”, “personal information” or “personally identifiable information” under Data Protection Law.
“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Client Data transmitted, stored or otherwise processed by inSided under this DPA. “Security Incident” shall not include unsuccessful attempts or activities that do not compromise the security of Client Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Standard Contractual Clauses” or the “EU SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
“Sub-processor” means any third party that has access to Client Data and which is engaged by inSided to assist in fulfilling its obligations with respect to providing the Services under the Agreement, solely when acting in its capacity as such. Sub-processors may include inSided’s Affiliates but shall exclude inSided employees, contractors and consultants.
“UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by Information Commissioners Office under s.119(A) of the UK Data Protection Act 2018, as may be amended, superseded or replaced.The terms “controller”, “processor”, “process”, “processing” and “data subject” have the same meanings as set forth in the GDPR, and the term “service provider” has the meaning set forth in the CCPA.
2. Scope of this DPA
This DPA applies where and only to the extent that inSided processes Client Data on behalf of Client that is subject to Data Protection Law in the course of providing the Services pursuant to the Agreement and in this context inSided shall process Client Data as a processor (for the purposes of European Data Protection Law or similar Data Protection Laws) or service provider (for the purposes of the CCPA).
3. Processing of Client Data
3.1 Permitted Purposes. inSided shall process Client Data in accordance with Client’s documented lawful instructions and for the purposes described in Annex A (the “Permitted Purpose”), unless obligated to do otherwise by applicable law. In such case, inSided shall inform Client of such legal requirement before the processing, unless legally prohibited from doing so.
3.2 Processing Instructions. The Parties agree that the Agreement (including this DPA), and Client’s use of the Services in accordance with the Agreement, set out Client’s processing instructions. Client shall ensure its instructions are lawful and that the processing of Client Data in accordance with such instructions will not violate Data Protection Laws.
3.3 Client Responsibilities. Client is responsible for determining whether the Services are appropriate for the storage and processing of Client Data under Data Protection Law. Client further agrees that: (a) it will comply with its obligations under Data Protection Law regarding its use of the Services and the processing of Client Data; (b) it has provided notice and obtained all consents, permissions and rights necessary for inSided and its Sub-processors to lawfully process Client Data for the purposes contemplated by the Agreement (including this DPA); (c) it is responsible for reviewing the information made available by inSided relating to data security and making an independent determination as to whether the Services meet Client’s requirements and legal obligations under Data Protection Law; (d) it is responsible for its secure use of the Services, including taking the actions set forth in Section 4.1 of the Agreement, and (e) it will notify inSided if it is unable to comply with its obligations under Data Protection Law or its processing instructions will cause inSided or its Sub-processors to be in breach of Data Protection Law.
Client provides a general authorization for inSided to engage Sub-processors in order to provide the Services. The Sub-processors currently engaged by inSided are set forth on Annex A. inSided will restrict Sub-processors’ access to Client Data to what is necessary to assist inSided in providing or maintaining the Services and will remain responsible for any acts or omissions of Sub-processors to the extent they cause inSided to breach its obligations under this DPA.
5.1 Security Measures. inSided shall implement and maintain appropriate and reasonable technical and organizational security measures designed to protect Client Data from Security Incidents and preserve the security and confidentiality of Client Data. Such measures shall include, at a minimum, those measures described in Annex B (“Security Measures”). Client acknowledges that the Security Measures are subject to technical progress and development and that inSided may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish the overall security of the Services.
5.2 Access and Confidentiality. inSided restricts its personnel from processing Client Data without authorization and shall ensure that any person who is authorized by inSided to process Client Data is under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3 Security Incidents. Upon becoming aware of a Security Incident, inSided shall notify Client without undue delay and, where feasible, within 48 hours. inSided shall provide Client with timely information relating to the Security Incident as it becomes known or is reasonably requested by Client to fulfil its obligations under Data Protection Law. inSided will also take reasonable steps to contain, investigate, and mitigate any Security Incident.
6.1 Security Reports. Upon Client’s written request to firstname.lastname@example.org, inSided will provide Client with a summary copy of its then-current SOC 2 Type II or ISO 27001 report (“Report”). inSided shall also provide written responses to all reasonable requests made by Client for information relating to inSided’s processing of Client Data that are submitted to email@example.com, including responses to information and security audit questionnaires submitted to it by Client and that are necessary to confirm inSided’s compliance with this DPA, provided that Client shall not exercise this right more than once per calendar year unless Client is expressly requested or required to provide this information to a data protection authority.
6.2 Client Audits. Following a confirmed Security Incident or where a data protection authority requires it, Client may provide inSided with 30 days’ prior written notice requesting that a third-party conduct an audit of inSided’s facilities, equipment, documents and electronic data relating to the processing of Client Data under the Agreement (“Audit”), provided that: (a) the Audit shall be conducted at Client’s expense; (b) the Parties shall mutually agree upon the scope, timing and duration of the Audit; and (c) the Audit shall not unreasonably impact inSided’s regular operations. Client acknowledges that any Report, written responses or Audit described in this Section 6 shall be subject to the confidentiality provisions of the Agreement.
7. International Transfers
Client acknowledges and agrees that inSided may transfer and process Personal Data to and within the United States and the other locations in which inSided, its Affiliates or its Sub-processors maintain data processing operations as more particularly described on Annex A. inSided shall ensure that such transfers are made in compliance with Data Protection Law and this DPA.
8. Deletion Or Return Of Client Data
Upon termination or expiry of the Agreement, at Client’s written election inSided shall delete or return all Client Data in its possession or control in accordance with the terms of the Agreement. This requirement shall not apply to the extent inSided is required by applicable law to retain some or all of the Client Data, or to Client Data archived on back-up systems, which data inSided shall securely isolate and protect from any further processing (to the extent permitted by applicable law) and delete in accordance with its internal and regular schedule back-up data purge schedule. The Parties agree that the certification of deletion that is described in Clause 8.5 and 16(d) of the EU SCCs shall be provided by inSided to Client upon Client’s written request.
9.1 Data Subject Requests. To the extent that Client is unable to independently access, delete or retrieve the relevant Client Data within the Services, inSided shall, taking into account the nature of the processing, provide reasonable cooperation to assist Client in responding to any requests from individuals relating to the processing of Client Data under the Agreement. In the event that any such request is made to inSided directly, inSided shall promptly notify Client and shall not respond to the request directly (except to refer the individual to Client) without Client’s prior authorization, unless legally compelled to do so. For the purposes of clause 15(1)(a) of EU SCCs, inSided shall only notify Client and not the data subject(s) in case of government access requests. Client shall be solely responsible for promptly notifying the data subject as necessary.
9.2 General Cooperation. Each Party will reasonably cooperate with the other in any activities contemplated by this DPA and to enable each Party to comply with its respective obligations under Data Protection Law.
To the extent that Client Data is subject to the CCPA, inSided agrees that it shall process Client Data as a service provider and shall not (a) retain, use or disclose Client Data for any purpose other than the purposes set out in the Agreement and this DPA and as permitted by the CCPA; or (b) “sell” personal information (as defined and understood within the requirements of the CCPA).
11. European Data Protection Law
11.1 Applicable Law. To the extent that Client Data is subject to European Data Protection Law, the terms in this Section 11 shall apply in addition to the terms in the remainder of this DPA.
11.2 Role of the Parties. As between the Parties, Client is controller of Client Data (whether itself a controller or a processor acting on behalf of a third party controller) and inSided shall process Client Data only as a processor on behalf of Client. Without prejudice to Section 3.3 of this DPA, inSided shall notify Client in writing, unless prohibited from doing so under Data Protection Law, if it becomes aware or believes that any processing instructions from Client violate European Data Protection Law.
11.3 Sub-processor Obligations. inSided shall enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Client Data as required by this DPA (to the extent applicable, considering the nature of the services provided by the Sub-processor).
11.4 Changes to Sub-processors. inSided will provide ten days’ prior notice to Client (via email to the Client contact listed on the first page of this DPA) if it intends to make any changes to its Sub-processors. Client may object in writing to inSided’s appointment of a new Sub-processor on reasonable grounds relating to data protection (e.g., if making Client Data available to the Sub-processor would violate European Data Protection Law or weaken the protections for Client Data) by notifying inSided in writing within five days of receiving notification from inSided. In such event, the Parties shall discuss Client’s concerns in good faith with a view to achieving a mutually acceptable resolution. If the Parties cannot reach a mutually acceptable resolution, inSided shall, at its sole discretion, either not appoint the Sub-processor, or permit Client to suspend or terminate the affected Services in accordance with the Agreement without liability to either Party (but without prejudice to any fees incurred by Client prior to suspension or termination). In the event of a termination pursuant to this Section 11.4, inSided shall refund to Client any prepaid fees covering the remainder of the Subscription Term following the date of such termination.
11.5 Data Transfer Mechanism. To the extent inSided is a recipient of and processes Client Data protected by European Data Protection Law in a country that does not provide an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Law), the Parties agree to the following:
- EU Transfers. In relation to transfers of Client Data protected by the GDPR, the Client acknowledges that Client is a controller; accordingly the EU SCCs shall apply to such transfers, completed as follows:
- Module Two (controller to processor transfer) of the EU SCCs shall apply;
- in Clause 7, the optional docking clause will apply;
- in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-processor changes shall be as set out in Section 11.4 of this DPA;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA; and
- Subject to Section 5.1 of this DPA, Annex II of the EU SCCs shall be deemed completed with the information set out in Annex B to this DPA.
- UK Transfers. In relation to transfers of Client Data protected by the UK GDPR, the EU SCCs
will apply to such transfers in accordance with paragraph (a) above with the following modifications:
- The EU SCCs shall be deemed amended as specified by the UK Addendum, which shall be deemed executed between the inSided and the Client
- Any conflict between the terms of the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum;
- For the purposes of the UK Addendum, Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this DPA; and
- Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting “neither party”.
- It is not the intention of either Party to contradict or restrict any of the provisions set forth in the Standard Contractual Clauses or the UK Addendum and, accordingly, if and to the extent any provision of the Agreement (including this DPA) conflict with the Standard Contractual Clauses or UK Addendum, the latter shall prevail.
11.6 Alternative Transfer Arrangements. To the extent inSided adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses or EU-US Privacy Shield adopted pursuant to applicable European Data Protection Law) for the transfer of Personal Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which Client Data is transferred) and the Parties agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect such Alternative Transfer Mechanism.
11.7 Data Protection Impact Assessments. inSided shall provide reasonably requested information regarding inSided’s processing of Client Data under the Agreement to enable Client to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
12. Limitation of Liability
Any claim or remedy Client or its Affiliates may have against inSided, its employees, agents and Sub-processors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party and all of its Affiliates under and in connection with the Agreement and this DPA together.
13.1 Execution in Counterparts. This DPA may be executed in counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
13.2 Permitted Disclosures. Each Party acknowledges that the other Party may disclose the Standard Contractual Clauses, this DPA and any privacy related provisions in the Agreement to any European or US regulator upon request.
13.3 Conflict with Agreement. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
13.4 Permitted Modifications. The Parties agree to use reasonable efforts to modify this DPA if such modification is required to comply with Data Protection Law.
13.5 Severability. The provisions of this DPA are severable. If any phrase, clause or provision or Annex (including the Standard Contractual Clauses) is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA or the remainder of the Agreement, which shall remain in full force and effect.
13.6 Governing Law and Venue. This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Law or the Standard Contractual Clauses.