Data Processing Addendum
This Data Processing Addendum (hereinafter referred to as the “DPA”) for vendors is entered into between vendor, hereinafter the “Vendor” or “Processor”; and SuprStack, Inc. (“Company”)
The Vendor and Company shall also be referred to collectively as the “Parties” and individually as the “Party”.
The Parties hereby agree as follows:
The Vendor and Company shall also be referred to collectively as the “Parties” and individually as the “Party”.
The Parties hereby agree as follows:
1. Definitions
In this DPA, the following terms shall have the following meanings:
1.1
“Authorised Persons” shall mean any and all persons formally and properly empowered to perform specified duties associated with an office or an agreement or contract and shall include in this context the Vendor's staff, agents and subcontractors.
1.2
“Controller” shall mean the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
1.3
“Data Protection Laws” shall mean any data protection laws applicable to Company or Vendor in connection with the providing the Services, including without limitation, the General Data Protection Regulation (“GDPR”) (Regulation (EU) 2016/679; the UK GDPR; and the Swiss Federal Act on Data Protection (as may be amended or superseded).
1.4
“Data Subject” shall mean an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In the context of CCPA, the term Data Subject shall have the meaning given to the term “Consumer” under the CCPA.
1.5
“GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
1.6
“Personal Data” shall mean any information relating to a Data Subject.
1.7
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
1.8
“Processor” shall mean a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
1.9
“Services” shall mean the work performed by the Vendor for Company as set forth in a Services Agreement.
1.10
“Services Agreement” shall mean the agreement between the Vendor and Company describing and governing the Services to be provided by the Vendor to Company.
1.11
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses as approved by the European Commission (Implementing Decision (EU) 2021/914 of 04 June 2021) Implementing Decision (EU) 2021/914 of 04 June 2021) and available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914 (“EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, Version B1.0, in force from 21 March 2022 set forth as Schedule D of the UK GDPR (“UK SCCs”) and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”) (in each case, as updated, amended or superseded from time to time).
1.12
“Processing/To Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2. Processing of Data
2.1
In connection with providing the Services to Company, Vendor acknowledges and agrees that it may Process Personal Data solely as necessary to perform its obligations under the Services Agreement and strictly in accordance with the documented instructions of Company (the "Permitted Purpose") as contained in this DPA, except where otherwise required by any EU (or any EU Member State) law applicable to Company. In this case, the Vendor shall inform Company of that legal requirement before Processing, unless the law prohibits this on important grounds of public interest.
2.2
Vendor acknowledges that Company may either be the Controller or the Processor of the Personal Data and where Company is the Processor, Vendor acknowledges that it will be a sub-processor to Company. Each Party shall adhere to and comply with the obligations that apply to it under applicable Data Protection Laws.
2.3
Sub-processing: Company consents to Vendor engaging third-party sub-processors to Process Personal Data provided that: (i) Vendor provides at least thirty (30) days prior notice in accordance with the DPA of the addition or removal of any sub-processor (including details of Processing it performs or will perform) to or from the list of existing sub-processors in Schedule C hereto; (ii) Vendor engages third-party sub-processors by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the Vendor in accordance with this DPA, and ensures that the sub-processor complies with the obligations to which the Vendor is subject under this DPA and under applicable Data Protection Laws. At Company’s request, the Vendor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the Company. To the extent necessary to protect business secret(s) or other confidential information, including personal data, the Vendor may redact the text of the agreement prior to sharing the copy. The Vendor shall agree to a third-party beneficiary clause with the sub-processor whereby, in the event, the Vendor has factually disappeared, ceased to exist in law, or has become insolvent, Company shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the Personal Data; and (iii) the Vendor remains fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-processor. If Company refuses to consent to the Vendor's appointment of a third-party sub-processor on reasonable grounds relating to the protection of Personal Data, Company may elect to suspend or terminate the Services Agreement without penalty.
2.4
International transfers: The Vendor shall at all times provide an adequate level of protection for the Personal Data, wherever Processed, in accordance with the requirements of Data Protection Laws.
- Where the Vendor Processes Personal Data under this DPA that originates from the European Economic Area (“EEA”), any such Processing shall be conditional on compliance with the SCCs. The SCCs, which are incorporated by reference, shall apply as follows:
- Module 2 (Controller to Processor) shall apply where Company is a Controller and Vendor is a Processor.
- Module 3 (Processor to Processor) shall apply where Company is a Processor and Vendor is a sub-processor.
- in Clause 7, the optional docking clause will apply;
- in Clause 11, the optional language will not apply;
- in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
- in Clause 18(b), disputes shall be resolved before the courts of Ireland;
- Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this DPA; and
- Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule B to this DPA;
- In relation to transfers of Personal Data originating from Switzerland and subject to the Swiss DPA, the EU SCCs as implemented under sub-paragraph (a) above will apply with the following modifications:
- references to Regulation (EU) 2016/679; shall be interpreted as references to the Swiss DPA;
- references to specific Articles of Regulation (EU) 2016/679; shall be replaced with the equivalent article or section of the Swiss DPA;
- references to “EU”, “Union”, “Member State”, and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”;
- the term “member state” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
- Clause 13(a) and Part C of Annex I are not used and the “competent supervisory” is the Swiss Federal Data Protection Information Commissioner;
- references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;
- in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and
- with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
- Where the UK GDPR applies, the UK SCCs shall apply to transfers of Personal Data originating in the UK to any other country not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data.
- Purely for the purpose of descriptions in the SCCs and only as between the Parties, Company agrees that it is the “data exporter” and Vendor is the “data importer”.
- The Parties agree that if the Standard Contractual Clauses are replaced, amended or no longer recognized as valid under Data Protection Laws, or if a Supervisory Authority and/or Data Protection Legislation requires the adoption of an alternative transfer solution, the data exporter and data importer will: (i) promptly take such steps requested including putting an alternative transfer mechanism in place to ensure the Processing continues to comply with Data Protection Laws; or (ii) cease the transfer of Personal Data and at the data exporter’s option, delete or return the Personal Data to the data exporter.
2.5
Confidentiality of Processing: The Vendor will restrict its personnel from Processing Personal Data without authorisation. The Vendor will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection, and data security. Vendor shall ensure that any Authorised Person to Process Personal Data, shall be subject to a strict duty of confidentiality (whether a contractual or statutory duty), and shall not permit any person to Process Personal Data who is not under such a duty of confidentiality. Vendor shall ensure that all Authorised Persons Process Personal Data only as necessary for the Permitted Purpose.
2.6
For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA (e.g., because a new Processing purpose is introduced) will require a prior agreement between the Parties and, where applicable, shall be subject to the contract change procedure under the respective Agreement.
2.7
Vendor shall, without undue delay, inform Company in writing if, in Vendor’s opinion, an instruction infringes Data Protection Laws, and provide a detailed explanation of the reasons for its opinion in writing.
3. Security of Data
Vendor shall implement appropriate technical and organizational measures to ensure the security of the Personal Data and protect the data against a Personal Data Breach, as specified in Schedule B hereto. In assessing the appropriate level of security, the Parties shall take due account of state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, and the risks involved for the Data Subjects.
If the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life, or sexual orientation, or data relating to criminal convictions and offenses (“Sensitive Data”), the Vendor shall apply specific restrictions and/or additional safeguards.
If the Processing involves Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life, or sexual orientation, or data relating to criminal convictions and offenses (“Sensitive Data”), the Vendor shall apply specific restrictions and/or additional safeguards.
4. Term and Termination
4.1
This DPA becomes effective upon signature. It shall continue to be in full force and effect as long as Vendor is Processing Personal Data pursuant to the Services Agreement.
4.2
Where amendments are required to ensure compliance of this DPA with Data Protection Laws, the Parties shall make reasonable efforts to agree on such amendments upon request of the Controller. Where the Parties are unable to agree upon such amendments, Company may terminate the Services Agreement and this DPA with ten (10) days’ prior written notice to the Vendor.
4.3
Without prejudice to any provisions under applicable Data Protection Laws, in the event that the Vendor is in breach of its obligations under this DPA, Company may instruct the Vendor to suspend the Processing of Personal Data until the latter complies with this DPA or the Services Agreement is terminated. The Vendor shall promptly inform Company in case it is unable to comply with this DPA, for whatever reason.
4.4
Company shall be entitled to terminate the Services Agreement insofar as it concerns Processing of Personal Data in accordance with this DPA if:
- the Processing of Personal Data by the Vendor has been suspended by Company pursuant to Clause 4.3 and if compliance with this DPA is not restored within a reasonable time and in any event within one (1) month following suspension;
- the Vendor is in substantial or persistent breach of this DPA or its obligations under applicable Data Protection Laws;
- the Vendor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or to applicable Data Protection Laws.
4.5
The Vendor shall be entitled to terminate the Services Agreement insofar as it concerns Processing of Personal Data under this DPA where, after having informed Company that its instructions infringe applicable legal requirements in accordance with Clause 2.8, Company insists on compliance with the instructions.
5. Actions and Access Requests
5.1
Vendor shall assist Company in the event of any supervisory action by data protection authorities. Vendor hereby grants permission to Company to disclose, at its sole discretion, the contents of this DPA with its customers and/or any data protection authorities on their request. Upon Company’s request, Vendor shall provide Company with a designated contact for all privacy-related queries.
5.2
Vendor shall provide all reasonable and timely assistance to Company to enable Company to respond to:
- any request from a Data Subject to exercise any of its rights under applicable laws (including its rights of access, correction, objection, erasure and data portability, as applicable); and
- any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third-party in connection with the Processing of the Personal Data.
In the event that any such request, correspondence, enquiry or complaint is made directly to Vendor, Vendor shall promptly inform Company and, where appropriate, the Controller, providing full details of the same.
5.3
The Vendor shall cooperate with and assist Company, for Company to comply with its obligations under applicable Data Protection Laws, taking into account the nature of Processing and the information available to the Vendor.
6. Breach Notification
6.1
In the event of a Personal Data Breach concerning data Processed by the Vendor or sub-processor, the Vendor shall notify Company of the Personal Data Breach without undue delay and in any event within forty-eight (48) hours of the Vendor having become aware of the breach. Such notification shall contain, at least:
- a description of the nature of the breach (including, where possible, the categories and approximate number of Data Subjects and data records concerned);
- the details of a contact point where more information concerning the Personal Data Breach can be obtained;
- its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
The Parties shall set out in Schedule C all other elements to be provided by the Vendor when assisting Company in compliance with Company’s obligations under applicable Data Protection Laws.
7. Deletion or Return of Data
At any time during the term of the Services Agreement at Company’s written request or upon the termination or expiration of the Services Agreement for any reason, Vendor shall instruct all Authorised Persons to, securely dispose of all copies of Personal Data and certify in writing to Company that such Personal Data has been disposed of securely. The Vendor shall comply with all directions provided by Company with respect to the return or disposal of Personal Data. Until the data is deleted or returned, the Vendor shall continue to ensure compliance with this DPA.
8. Audit Rights
The Vendor shall be able to demonstrate compliance with this DPA. The Vendor shall maintain complete and accurate records in connection with the Vendor’s performance under this DPA, and shall retain such records for a period of three (3) years after the termination or expiration of the Services Agreement. The Vendor shall permit Company (or its appointed third-party auditors) to audit the Vendor's compliance with this DPA and shall make available to the Company all information, systems, and staff necessary for Company (or its third-party auditors) to conduct such audit. The Vendor acknowledges that Company (or its third-party auditors) may enter its premises for the purposes of conducting this audit, provided that Company gives it reasonable prior notice of its intention to audit, conducts its audit during normal business hours, and takes all reasonable measures to prevent unnecessary disruption to the Vendor's operations. The Company shall be responsible for the costs of such audits unless the Vendor is found to be in breach of this DPA. The Vendor agrees, at its cost, to make any changes requested by the Company to correct inadequacies discovered in such audits or tests
9. Data Protection Impact Assessment
The Vendor shall provide Company with all such reasonable and timely assistance as Company may require in order to conduct a data protection impact assessment and, if necessary, to consult with relevant data protection authorities.
10. Indemnity
Vendor will indemnify, defend, and hold harmless Company and its Affiliates and their respective shareholders, directors, officers, employees, and agents from and against all expenses, liabilities, damages, and costs (including settlement costs and reasonable attorneys’ fees) arising out of a third-party claim related to a breach by Vendor of its obligations under this DPA.
11. Miscellaneous
11.1
In case of any conflict, the provisions of this DPA shall take precedence over the Services Agreement or provisions of any other agreement between the Company and the Vendor. In case of any conflict between this DPA and the SCCs, the SCCs shall take precedence over the provisions of the rest of the DPA.
11.2
No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out in the Services Agreement.
11.3
Where this DPA requires a “written notice” such notice can also be communicated per email to the other Party.
11.4
Any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.
11.5
Should individual provisions of this DPA become void, invalid, or non-viable, this shall not affect the validity of the remaining conditions of this DPA.
Annex I
Details of Processing
A. LIST OF PARTIES
Name of Data Importer:
The party identified as the "Company" in this DPA
Address:
16192, Coastal Highway, Lewes, Delaware, 19958, Country of Sussex, USA
Contact person’s name, position, and contact details:
Upon request
Activities relevant to the data transferred under these Clauses:
See Annex 1(B) below and the Agreement.
Signature and date:
This Annex I shall automatically be deemed executed when the DPA is executed by Company.
Role (controller/processor):
Processor
Name of Data Exporter:
The party identified as the “Vendor” in this DPA.
Address:
Reference is made to the Agreement.
Contact person’s name, position, and contact details:
Reference is made to the Agreement.
Activities relevant to the data transferred under these Clauses:
See Annex 1(B) below and the Agreement.
Signature and date:
This Annex I shall automatically be deemed executed when the DPA is executed by Customer.
Role (controller/processor):
Controller
B. DESCRIPTION OF PROCESSING/ TRANSFER
Categories of Data Subjects whose Personal Data is transferred
The Data Subjects whose Personal Data the Company processes when providing the Services to the Vendor.
Categories of Personal Data transferred
The categories of Personal Data that the Company processes when delivering Services to the Vendor.
Sensitive data transferred (if applicable) and applied restrictions or safeguards
No sensitive data is processed under the Agreement.
Frequency of Transfer
Continuous basis
Nature and purpose(s) of the data transfer and Processing
Company will process Personal Data as necessary to provide the Services under the Agreement, including the provision of an API to engage users, power cross-channel workflows, and manage notification preferences.
Retention period (or, if not possible to determine, the criterial used to deter- mine the period)
Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For transfers to (sub-)processors, also specify subject matter, nature, and duration of the processing
Company will restrict the onward Subprocessor’s access to Customer Personal Data only to what is strictly necessary to provide the Services and Company will prohibit the Subprocessor from Processing the Customer Personal Data for any other purpose.
Identify the competent supervisory authority/ies in accordance with Clause 13
Where the EU GDPR applies, the competent authority will be determined in accordance with Clause 13 of the Standard Contractual Clauses.
Where the UK GDPR applies, the UK Information Commissioner's Office.
Where the UK GDPR applies, the UK Information Commissioner's Office.
Annex II
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The technical and organizational measures the Company has implemented are available at https://suprsend.trustcenter.sprinto.com/, including adherence to SOC 2 Type II controls.