DATA PROCESSING AGREEMENT

BACKGROUND
- The Customer and EVRYTHNG Limited (“EVRYTHNG”, “we”, “our” or “us”) entered into a Master Platform Agreement for access to the EVRYTHNG Product Cloud and other Services (the “Agreement”).
- In the event that we Process any Customer Personal Data (each as defined below), this Data Processing Addendum (the “DPA”) shall be supplemental to the Agreement and apply to the Processing of such Customer Personal Data. In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail, provided that any claims brought under this DPA will be subject to the exclusions and limitations set forth in the Agreement.
- This DPA is between EVRYTHNG and the Customer (each a “Party” and collectively the “Parties”).
- Unless otherwise set out below, each capitalised term in this DPA shall have the meaning set out in the Agreement, and the following capitalised terms used in this DPA shall be defined as follows:
- “Business” has the meaning given in the Data Protection Laws.
- “Business Purpose” has the meaning given in the Data Protection Laws.
- “Consumer” has the meaning given in the Data Protection Laws.
- “Controller” has the meaning given in the Data Protection Laws.
- “Customer Personal Data” means the “personal data” (as defined in the Data Protection Laws) described in ANNEX 1 and any other personal data that we process on behalf of the Customer in connection with our provision of the Services.
- “Data Protection Laws” means collectively: the privacy and data protection laws, regulations, and decisions applicable to a party to this DPA, including: (i) the General Data Protection Regulation of the European Union (Regulation 2016/679 of 27 April 2016) (the “GDPR”); (ii) any applicable national/federal or state/provincial legislation implementing the GDPR in a member state of the European Economic Area; (iii) the GDPR as incorporated into United Kingdom law pursuant to s.3 of the European Union (Withdrawal) Act 2018; and (iv) the Federal Data Protection Act of 19 June 1992 (Switzerland) (the “Swiss DPA”), in each case as such legislation may be amended or replaced from time to time.
- “Data Subject” has the meaning given in the Data Protection Laws.
- “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “Personal Information” has the meaning given in the Data Protection Laws.
- “Processing” has the meaning given in the Data Protection Laws, and “Process” will be interpreted accordingly.
- “Processor” has the meaning given in the Data Protection Laws.
- “Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Customer Personal Data.
- “Sell” has the meaning given in the Data Protection Laws.
- “Sensitive Data” has the meaning given in the Data Protection Laws.
- “Service Provider” has the meaning given in the Data Protection Laws.
- “Services” means the Services as described in the Agreement.
- “Subprocessor” means any Processor engaged by us who agrees to receive from us Customer Personal Data.
- “Supervisory Authority” has the meaning given in the Data Protection Laws.
- Instructions for Data Processing. We will only Process Customer Personal Data in accordance with the Customer’s written instructions, unless Processing is required by applicable law to which we may be subject, in which case we shall, to the extent permitted by applicable law, inform the Customer of that legal requirement before Processing that Customer Personal Data. The Agreement (subject to any changes to the Services agreed between the Parties) together with this DPA shall be the Customer’s complete and final instructions to us in relation to the Processing of Customer Personal Data.
- Details of the Processing. The subject-matter, nature and purpose of Processing of Customer Personal Data by us is as described in the Background section of this DPA. Subject to the Termination section of this DPA, we will Process Customer Personal Data for the duration of the Agreement. Further details of the types of Personal Data and categories of Data Subjects Processed under this DPA are set out in ANNEX 1.
- Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and us on additional instructions for Processing.
- Required consents. Where required by applicable Data Protection Laws, the Customer will ensure that it has obtained or will obtain all necessary consents for the Processing of Customer Personal Data by us in accordance with the Agreement.
- We shall immediately inform the Customer if, in our opinion, an instruction from the Customer infringes applicable Data Protection Laws.
- Under the California Consumer Privacy Act of 2018:
- EVRYTHNG is acting solely as a service provider with respect to Customer Personal Data;
- EVRYTHNG shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific purpose of performing services under the Agreement; and
- EVRYTHNG may deidentify or aggregate Customer Personal Data as part of its performance of services under the Agreement.
- Use of Subprocessors. The Customer acknowledges that we use Subprocessors to provide certain services on our behalf. The Customer agrees that we may use Subprocessors to Process Customer Personal Data under the Agreement. As a condition to permitting a Subprocessor to Process Customer Personal Data, we shall enter into a written agreement with each Subprocessor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by each Subprocessor.
- List of Current Subprocessors and Notification of New Subprocessors. A current list of Subprocessors used by us for the Services is available at https://evrythng.com/platform-privacy-policy/. We may amend the list of Subprocessors by adding or replacing Subprocessors at any time, and any material changes to the list of Subprocessors will be disclosed to the Customer by email at least five (5) business days before such changes take effect.
- Customer’s Right to Object to New Subprocessors. The Customer may reasonably object to our use of a new Subprocessor (e.g. where using such new Subprocessor would weaken the protections for Personal Data) by notifying us promptly in writing within the five (5) business days’ notice period specified in the List of Current Subprocessors and Notification of New Subprocessors section of this DPA. Such notice shall explain the reasonable grounds for the objection. Where the Customer objects to the new Subprocessor, we shall work with the Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor. If we are unable to make available such change within thirty (30) business days from our receipt of the Customer’s notice, either party may terminate the applicable features of the Services which cannot be provided by us without use of the proposed Subprocessor.
- Liability of Subprocessors. We will at all times remain responsible for compliance with our obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor as if they were our acts and omissions.
- Transfers of Personal Data. If: (a) Customer Personal Data includes any personal data that is protected under the Data Protection Laws of the EEA, Switzerland, or the UK; (b) EVRYTHNG processes such personal data outside of the EEA, Switzerland, or the UK; and (c) such processing takes place in a country that is not subject to an adequacy determination by the European Commission, the UK or Swiss authorities (as applicable), then the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 (“SCCs”) are hereby incorporated by reference and form an integral part of this DPA. The SCCs apply as follows:
- 5.1 EEA Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of the EEA, the SCCs apply as follows:
- the “data exporter” is Customer and the “data importer” is EVRYTHNG;
- the Module Two terms are selected;
- in Clause 7, the optional docking clause applies;
- in Clause 9, Option 2 applies and the time period for prior notice of sub-processor changes is set out in the Transfer of Personal Data section of this DPA;
- in Clause 11, the optional language does not apply;
- in Clause 17, Option 1 applies and the SCCs are governed by German law;
- in Clause 18(b), disputes will be resolved before the courts of Germany;
- in Annex I.A and I.B, the details of the parties and description of the transfer are set out in the Details of the transfer forming part of the Standard Contractual Clauses below;
- in Clause 13(a) and Annex I.C, the competent supervisory authority is the Federal Commissioner for Data Protection and Freedom of Information of Germany;
- in Annex II, the description of the technical and organisational security measures is set out in the Details of the transfer forming part of the Standard Contractual Clauses below; and
- in Annex III, the list of Sub-processors is in the Transfer of Personal Data section of this DPA.
- 5.2 Swiss Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of Switzerland, the SCCs apply as described in the EEA Transfers section of this DPA with the following modifications:
- references to ‘Regulation (EU) 2016/679’ are interpreted as references to the Swiss Federal Data Protection Act of 19 June 1992 or any successor thereof (“Swiss DPA”);
- references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the Swiss DPA;
- references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘Switzerland’;
- Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the Swiss Federal Data Protection and Information Commissioner (“FDPIC”), or, if the transfer is subject to both the Swiss DPA and the GDPR, the FDPIC (insofar as the transfer is governed by the Swiss DPA) or the supervisory authority of the EEA member state in which the Customer or the Customer’s representative is established or where the data subjects are predominantly located (insofar as the transfer is governed by the GDPR);
- references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the FDPIC and ‘competent Swiss courts’;
- in Clause 17, the SCCs are governed by the laws of Switzerland;
- in Clause 18(b), disputes will be resolved before competent Swiss courts; and
- the SCCs also protect the data of legal entities until entry into force of the revised Swiss DPA.
- 5.3 UK Transfers. To the extent that Customer Personal Data is subject to the Data Protection Laws of the UK, the SCCs apply as amended by Part 2 of the UK Addendum to the SCCs issued by the Information Commissioner under section 119A(1) of the Data Protection Act 2018 (“UK Addendum”), and Part 1 of the UK Addendum is deemed completed as follows:
- in Table 1, the details of the parties are set out in the Agreements between Customer and EVRYTHNG;
- in Table 2, the selected modules and clauses are set out in the EEA Transfers section of this DPA;
- in Table 3, the appendix information is set out in the Details of the transfer forming part of the Standard Contractual Clauses below; and
- in Table 4, the ‘Importer’ is selected.
- EVRYTHNG Security Obligations. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including the measures set out in ANNEX 2.
- Upon request by the Customer, we will make available all information reasonably necessary to demonstrate compliance with this DPA.
- Audits. The Customer may contact us to request an on-site audit of our procedures relevant to the protection of Customer Personal Data, but only to the extent permitted under applicable Data Protection Laws. The Customer (or its mandated auditors) shall execute a mutually agreed non-disclosure agreement (NDA) before commencement of any on-site audit. All information disclosed by us in accordance with this section shall be deemed our Confidential Information and the Customer (or its mandated auditors) shall not disclose any such information to any third party except to the extent required by law or court order. The Customer shall reimburse us for any time expended for any such on-site audit at our then-current rates, which shall be made available to the Customer on request. Before the commencement of any such on-site audit, we shall mutually agree with the Customer on the scope, timing, and duration of the audit, in addition to the reimbursement rates, which shall be reasonable, taking into account the resources expended by us. The Customer shall make (and ensure that each of its mandated auditors makes) reasonable efforts to avoid causing any damage, injury or disruption to our premises, equipment, personnel and business while its personnel are on those premises during such an audit. For the avoidance of doubt, the Customer shall be responsible for any damage, injury or disruption caused by itself or its mandated auditors. The Customer shall promptly notify us with information regarding any non-compliance discovered during the course of an audit, and we shall use reasonable efforts to address any confirmed non-compliance.
- Security Incident Notification. If we or any Subprocessor become aware of a Security Incident, we will (a) notify the Customer of the Security Incident without undue delay, (b) investigate the Security Incident and provide such reasonable assistance to the Customer (and any law enforcement or regulatory official) as required to investigate the Security Incident, and (c) take steps to remedy any non-compliance with this DPA.
- EVRYTHNG Employees and Personnel. We will treat the Customer Personal Data as the Confidential Information of the Customer and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
- Data Subject Requests. Save as required or where prohibited (as applicable) under applicable law, we will notify the Customer of any request received by us or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data and will not respond to the Data Subject.
- We will provide the Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Services.
- Data Subject Rights. Where applicable, and taking into account the nature of the Processing, we will use all reasonable endeavours to assist the Customer by implementing any other appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising Data Subject rights set out in the Data Protection Laws.
- To the extent required under the Data Protection Laws, we will provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of the Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to us.
- Termination. This DPA will terminate immediately upon termination of the Agreement.
- On termination of this DPA, howsoever caused, EVRYTHNG will immediately cease processing the Customer Personal Data and, at Customer’s option or direction, arrange for the prompt and safe return and/or destruction of all Customer Personal Data, unless applicable law prevents us from returning or destroying all or part of the Customer Personal Data (in which case we shall archive the data and implement reasonable measures to prevent any further Processing of such Personal Data).
Details of the transfer forming part of the Standard Contractual Clauses
Categories of Data Subjects
The personal data transferred concern the following categories of data subjects: employees and other personnel of the Customer; end users of services of the Customer; visitors to the Customer’s websites and mobile applications.
Categories of Personal Data Processed
The personal data transferred concern the following categories of data: names of Customer personnel; contact information (including email addresses and telephone numbers) of Customer personnel; online identifiers of end users of services of the Customer and of visitors to the Customer’s websites and mobile applications.
Frequency of the Transfer
Nature of the Processing
The personal data transferred will be subject to the following basic processing activities: transmitting, collecting, storing and analysing data in order to provide the Services to the Customer, and any other activities related to the provision of the Services or specified in the Agreement.
Subject Matter of the Processing
Providing the Services to Customer under the Agreement.
Duration of the Processing
The term of the Agreement.
Technical and Organisational Security Measures Forming Part of the Standard Contractual Clauses
We maintain internal policies and procedures, or procure that our Subprocessors do so, which are designed to:
- secure any personal data Processed by us against accidental or unlawful loss, access or disclosure;
- identify reasonably foreseeable and internal risks to security and unauthorised access to the personal data Processed by us;
- minimise security risks, including through risk assessment and regular testing.
We will conduct periodic reviews of the security of our network and the adequacy of our information security program as measured against industry security standards and our policies and procedures, and will use reasonable efforts to procure that our Subprocessors do so as well.
We will periodically evaluate the security of our network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews, and will use reasonable efforts to procure that our Subprocessors do so as well.
Access control
We limit access to personal data by implementing appropriate access controls.
Availability and back-up of personal data
We regularly back-up Customer Personal Data. Back-ups are stored separately and are encrypted at rest.
Disposal of IT equipment
We have in place processes to securely remove all personal data before disposing of IT systems (for example, by using appropriate technology to purge equipment of data and/or destroying hard disks).
Encryption
We use encryption technology where appropriate to protect personal data held electronically.
Transmission or transport of personal data
We will implement appropriate controls to secure personal data during transmission or transit.
Hardening of devices
We will remove unused software and services from devices used to process personal data. Default passwords that are provided by hardware and software producers will not be used.
Physical security
We implement appropriate physical security measures to safeguard personal data.
Staff training and awareness
We carry out staff training on data security and privacy issues relevant to their job role and ensure that new starters receive appropriate training before they start their role.
Staff are subject to disciplinary measures for breaches of our policies and procedures relating to data privacy and security.