DATA PROCESSING AGREEMENT
1GENERAL
1.1This DPA is applicable between the Customer and SignUp in relation to SignUp's processing of personal data within the scope of the provision of the SignUp Services, as ordered by the Customer under an Order Agreement.
1.2By executing an Order Agreement that references this DPA, the Customer agrees to the terms and conditions set out herein and that this DPA shall form an integrated part of the Agreement.
1.3If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all provisions not affected by such invalidity shall remain in full force and effect.
1.4The Customer acknowledges that SignUp, in its capacity as an EU based processor of personal data is required to enter into data processing agreements with data controllers on which behalf SignUp processes personal data within the provision of the SignUp Services. Thus, the provision in this DPA applies between the Parties even if the GDPR is not applicable to the Customer.
1.5It is acknowledged and agreed that with regard to processing of personal data under this DPA, the Customer is the controller (for its own part and on behalf of its Affiliates, as the case may be), and SignUp is the processor for such processing.
1.6The duration, nature and purpose of the processing, the types of personal data and categories of data subjects processed under this DPA are specified in Annex 1 hereto, as may be updated by the Parties as applicable from time to time.
2DEFINITIONS
Capitalized terms used in this DPA shall have the meaning assigned to them in the General Terms and Conditions, unless the context requires otherwise. In addition to the definitions under the General Terms and Conditions, the below terms shall have the following meaning:
"Applicable Data Protection Laws" means all EU and relevant member state legislation and regulations, including regulations and decisions issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to SignUp and the Customer, including without limitation the GDPR, including any future interpretations thereof in court precedence from the EU Court of Justice or any other authorized court or supervisory authority.
"DPA" means this data processing agreement and the appendices attached hereto (as amended from time to time in accordance herewith).
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Sub-processor" means any processor engaged by SignUp, by an Affiliate of SignUp or by another Sub-processor, including Affiliates of SignUp acting as processors (as the case may be).
"Standard Contractual Clauses" or sometimes also referred to the "EU Model Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council, based on the Commission Decision (EU) 2021/914 of 4th June 2021.
The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach", shall have the same meanings as set out in article 4 of the GDPR.
3CUSTOMER OBLIGATIONS
3.1Except as may be otherwise required under the Applicable Data Protection Law, the Customer shall, on behalf of any Affiliate, serve as a single point of contact for SignUp in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to SignUp as well as the onward distribution of any information, notifications and reports provided by SignUp hereunder.
3.2In its capacity as controller the Customer confirms (for its own part and/or on behalf of its Affiliates, as the case may be) that it is entitled to provide access to personal data to SignUp for the purposes hereof and, consequently, that it has a lawful basis and any necessary approvals from any relevant data subjects for SignUp's performance of the SignUp Services.
3.3The Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which the Customer acquired personal data.
4 SIGNUP'S OBLIGATIONS
4.1SignUp shall process personal data hereunder solely in accordance with the documented instructions of the Customer, for the following limited purposes:
(a)
performance of the SignUp Services under the terms of the Agreement;
(b)
where applicable depending on the SignUp Services provided to the Customer under the Agreement, setting up, operating, and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc) required to provide the SignUp Services to the Customer and to meet the technical, security and organizational requirements for the processing of the personal data in connection therewith;
(c)
processing initiated by authorized users of the Customer in their use of the SignUp Services;
(d)
executing documented instructions of the Customer provided such instructions relate to and are consistent with the SignUp Services;
(e)
addressing service issues or technical problems; and/or
(f)
meeting any express requirement under the Applicable Data Protection Laws, in which case SignUp shall, unless it is prohibited by applicable laws from doing so, inform the Customer of that legal requirement before processing.
4.2SignUp is prohibited from processing the Customer's personal data for SignUp's own purposes unless the Customer has provided its approval for such processing or if SignUp is required to process the personal data by virtue of applicable laws, in which case SignUp will be the controller for such processing.
4.3SignUp will report to the Customer without undue delay any request, demand or order received by SignUp from a competent supervisory authority or a data subject relating to the processing of personal data on the Customer's behalf.
4.4Taking into account the nature of the processing, SignUp will assist the Customer in complying with its obligation to respond to requests of data subjects under Applicable Data Protection Laws (including requests for exercising data subjects' rights under the Applicable Data Protection Law) by appropriate technical and organizational measures, insofar as this is possible provided that SignUp will provide such assistance to the extent:
(a)
the information is available to SignUp, and such information is not otherwise available to the Customer or the requested assistance cannot practicably be performed by the Customer;
(b)
the Customer acknowledges that SignUp has no responsibility to interact directly with any data subject or supervisory authority in respect of any request, demand or order (except as expressly provided under the Applicable Data Protection Law or as otherwise agreed by the Parties in writing); and
(c)
to the extent legally permitted, the Customer shall be responsible for any costs arising from SignUp's provision of such assistance.
4.5Subject to applicable legal retention obligations, upon termination of the Agreement SignUp will return to the Customer or delete any personal data that has been processed on the Customer's behalf under this DPA. If the Customer has not instructed SignUp whether the personal data should be returned or deleted within fourteen (14) calendar days from termination of the Agreement, SignUp is entitled to delete the personal data.
4.6SignUp will only rely on personnel in the processing of personal data who are contractually or by statutory obligation bound to maintain confidentiality, ensure that access to personal data processed is limited to those personnel who require such access to perform the applicable SignUp Services, and take commercially reasonable steps to ensure the reliability of personnel engaged in the processing of personal data hereunder.
4.7SignUp will promptly inform the Customer if, in its opinion, any instruction or request violates Applicable Data Protection Law, and SignUp disclaims any obligation or liability with regard to any such instructions or requests.
4.8The Customer may request SignUp to provide assistance if the Customer is carrying out a data protection impact assessment. Such assistance will in such case consist of SignUp providing relevant information to the Customer regarding the personal data processed in the SignUp Services. SignUp shall be entitled to charge the Customer its Professional Services Fees on a time and material basis for such assistance.
4.9The Customer accepts that any requests for information, assistance or activities beyond SignUp's ordinary course of business, routines or practices, or what is otherwise commercially reasonable, shall be specifically agreed in an Order Agreement and may be subject to additional fees and charges.
5SECURITY
In connection with its processing of personal data hereunder SignUp will provide for and maintain appropriate administrative, physical, technical and organizational security measures for such processing, which are intended to protect personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the processing. In this connection:
(a)
it is acknowledged that further details on the administrative, physical, technical and organizational security measures that will be implemented and maintained by SignUp in processing the personal data are described or referred to in Annex 1 hereto; and
(b)
SignUp will not materially decrease the overall security of any SignUp Services with respect to processing of personal data.
6PERSONAL DATA BREACH
6.1SignUp will inform the Customer without undue delay after it becomes aware of any personal data breach in connection with the processing of personal data under this DPA, overserving the following process:
(a)
SignUp will investigate the personal data breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by SignUp or a SignUp Sub-processor;
(b)
as information is collected or otherwise becomes available, to the extent legally permitted, SignUp will provide the Customer with a description of the personal data breach, the type of the data to which the breach relates, and, other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to SignUp; and
(c)
the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected data subject(s) and/or the competent supervisory authorities.
6.2The obligations set out above will not apply, to the extent that the personal data breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer, save that SignUp will inform the Customer of the personal data breach and provide information it discovers up to the stage it identifies the breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer. SignUp may charge the Customer for any assistance that the Customer may request when a personal data breach is attributable to or caused by the Customer.
7AUDITS
SignUp shall upon the Customer's request, make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by the Customer (or an independent third-party auditor mandated by the Customer that is reasonably acceptable to SignUp and subject to signature of a confidentiality agreement with SignUp) of SignUp relevant to the personal data processed under this DPA.
8SUB-PROCESSORS
8.1SignUp may delegate the processing of personal data to a Sub-processor. SignUp shall ensure that SignUp has concluded a data processing agreement with such Sub-processor on terms equivalent to and not less restrictive than the provisions in this DPA. Moreover, SignUp shall remain fully liable for the conduct of any of its Sub-processors as for its own conduct.
8.2Subject to Section 8.1, the Customer hereby gives its general written consent and authorization to SignUp to use Sub-processors for processing of personal data solely for the purposes set forth in this DPA. The current list of SignUp Sub-processors is available at GDPR-Sub-Processors - SignUp Software ("Sub-processor List"). SignUp shall update the Sub-processor List before authorizing any new Sub-processor(s) to process personal data in connection with the provision of the SignUp Services.
8.3The Customer may object to SignUp's use of a new Sub-processor by notifying SignUp in writing within ten (10) Business Days from when the Sub-processor List was updated. In the event the Customer objects to a new Sub-processor, SignUp will use commercially reasonable efforts to provide the SignUp Services without engaging the Sub-processor subject to the objection. If such work-around is not possible, the Customer shall be entitled to terminate the relevant SignUp Service. In the event of such termination, the Customer shall not be entitled to any refund of any fees paid to SignUp within the scope of the Agreement.
9LIMITATION OF LIABILITY
9.1The Parties liability with respect to data subjects' claims for compensation shall be handled in accordance with article 82 of the GDPR.
9.2The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data Protection Legislation.
9.3For the purposes of Section 9.2 above, both Parties shall, to a reasonable extent, provide information to the other Party which may be useful within the scope of a supervisory matter or a court proceeding.
9.4Without prejudice to the foregoing, the Parties' liability under this DPA shall be limited in accordance with the provisions of the General Terms and Conditions.
10TRANSFER OF PERSONAL DATA
10.1The Customer acknowledges and agrees that SignUp is only entitled to transfer personal data to a country located outside the EU/EEA under the following circumstances:
(a)
the country is subject to an adequacy decision made by the European Commission, or, in the absence of an adequacy decision;
(b)
SignUp has taken measures to ensure that the transfer is lawful, e.g. by ensuring that there is a transfer mechanism in place subject to article 46 GDPR or a specific derogation according to article 49 GDPR.
10.2Where personal data is transferred outside the EU/EEA on the basis of a transfer mechanism under article 46 GDPR, SignUp will conduct a risk analysis in accordance with the recommendations 01/2020 and 02/2020 of the European Data Protection Board. The Customer is, in accordance with Section 7 above, entitled to receive information about the result of such risk analysis.
10.3The Sub-processor List includes information about any potential third-country transfers made by SignUp within the scope of the Agreement.
ANNEX 1
Description of processing
1EXFLOW AND EXDOC
| Description of processing | Personal data will be processed to a limited extent within the scope of providing implementation services, Consultancy Services and Support Services and only in cases where SignUp needs access to the Customer's environment (which is only provided upon Customer's approval). Generally, there will be no need to access any personal data, but in circumstances where said services requires access to an invoice, processing of data in that invoice will occur. |
| Purpose of the processing | The purpose of the processing is to be able to provide the implementation, Consultancy Services or Support Services in accordance with the Agreement. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | SignUp will not store any data on behalf of the Customer. |
2EXFLOW WEB
| Description of processing | ExFlow Web is a cloud-based interface for approval of invoices. The processing that will be carried out is mainly storage and processing of invoices through the ExFlow Web application. |
| Purpose of the processing | The purpose is to provide the ExFlow Web service to the Customer. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Invoices are stored for sixty (60) days and are thereafter automatically erased by SignUp. |
3EXFLOW DATA CAPTURE
| Description of processing | The processing in ExFlow Data Capture includes processing of invoices in a cloud-based environment. This will include storage and processing of invoice data. |
| Purpose of the processing | The purpose of the processing is to provide the ExFlow Data Capture service in order for the Customer to be able to seamlessly interpret and extract critical invoice data. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Personal data is stored for ninety (90) days and is thereafter automatically erased. |