DATA PROCESSING AGREEMENT
1GENERAL
1.1This DPA is applicable between the Customer and Truvio in relation to Truvio's processing of personal data within the scope of the provision of the Truvio Services, as ordered by the Customer under an Order Agreement.
1.2By executing an Order Agreement that references this DPA, the Customer agrees to the terms and conditions set out herein and that this DPA shall form an integrated part of the Agreement.
1.3If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all provisions not affected by such invalidity shall remain in full force and effect.
1.4The Customer acknowledges that Truvio, in its capacity as an EU based processor of personal data is required to enter into data processing agreements with data controllers on which behalf Truvio processes personal data within the provision of the Truvio Services. Thus, the provision in this DPA applies between the Parties even if the GDPR is not applicable to the Customer.
1.5It is acknowledged and agreed that with regard to processing of personal data under this DPA, the Customer is the controller (for its own part and on behalf of its Affiliates, as the case may be), and Truvio is the processor for such processing.
1.6The duration, nature and purpose of the processing, the types of personal data and categories of data subjects processed under this DPA are specified in Annex 1 hereto, as may be updated by the Parties as applicable from time to time.
2DEFINITIONS
Capitalized terms used in this DPA shall have the meaning assigned to them in the General Terms and Conditions, unless the context requires otherwise. In addition to the definitions under the General Terms and Conditions, the below terms shall have the following meaning:
"Applicable Data Protection Laws" means all EU and relevant member state legislation and regulations, including regulations and decisions issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to Truvio and the Customer, including without limitation the GDPR, including any future interpretations thereof in court precedence from the EU Court of Justice or any other authorized court or supervisory authority.
"DPA" means this data processing agreement and the appendices attached hereto (as amended from time to time in accordance herewith).
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Sub-processor" means any processor engaged by Truvio, by an Affiliate of Truvio or by another Sub-processor, including Affiliates of Truvio acting as processors (as the case may be).
"Standard Contractual Clauses" or sometimes also referred to the "EU Model Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council, based on the Commission Decision (EU) 2021/914 of 4th June 2021.
The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach", shall have the same meanings as set out in article 4 of the GDPR.
3CUSTOMER OBLIGATIONS
3.1Except as may be otherwise required under the Applicable Data Protection Law, the Customer shall, on behalf of any Affiliate, serve as a single point of contact for Truvio in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to Truvio as well as the onward distribution of any information, notifications and reports provided by Truvio hereunder.
3.2In its capacity as controller the Customer confirms (for its own part and/or on behalf of its Affiliates, as the case may be) that it is entitled to provide access to personal data to Truvio for the purposes hereof and, consequently, that it has a lawful basis and any necessary approvals from any relevant data subjects for Truvio's performance of the Truvio Services.
3.3The Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which the Customer acquired personal data.
4 SIGNUP'S OBLIGATIONS
4.1Truvio shall process personal data hereunder solely in accordance with the documented instructions of the Customer, for the following limited purposes:
(a)
performance of the Truvio Services under the terms of the Agreement;
(b)
where applicable depending on the Truvio Services provided to the Customer under the Agreement, setting up, operating, and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc) required to provide the Truvio Services to the Customer and to meet the technical, security and organizational requirements for the processing of the personal data in connection therewith;
(c)
processing initiated by authorized users of the Customer in their use of the Truvio Services;
(d)
executing documented instructions of the Customer provided such instructions relate to and are consistent with the Truvio Services;
(e)
addressing service issues or technical problems; and/or
(f)
meeting any express requirement under the Applicable Data Protection Laws, in which case Truvio shall, unless it is prohibited by applicable laws from doing so, inform the Customer of that legal requirement before processing.
4.2Truvio is prohibited from processing the Customer's personal data for Truvio's own purposes unless the Customer has provided its approval for such processing or if Truvio is required to process the personal data by virtue of applicable laws, in which case Truvio will be the controller for such processing.
4.3Truvio will report to the Customer without undue delay any request, demand or order received by Truvio from a competent supervisory authority or a data subject relating to the processing of personal data on the Customer's behalf.
4.4Taking into account the nature of the processing, Truvio will assist the Customer in complying with its obligation to respond to requests of data subjects under Applicable Data Protection Laws (including requests for exercising data subjects' rights under the Applicable Data Protection Law) by appropriate technical and organizational measures, insofar as this is possible provided that Truvio will provide such assistance to the extent:
(a)
the information is available to Truvio, and such information is not otherwise available to the Customer or the requested assistance cannot practicably be performed by the Customer;
(b)
the Customer acknowledges that Truvio has no responsibility to interact directly with any data subject or supervisory authority in respect of any request, demand or order (except as expressly provided under the Applicable Data Protection Law or as otherwise agreed by the Parties in writing); and
(c)
to the extent legally permitted, the Customer shall be responsible for any costs arising from Truvio's provision of such assistance.
4.5Subject to applicable legal retention obligations, upon termination of the Agreement Truvio will return to the Customer or delete any personal data that has been processed on the Customer's behalf under this DPA. If the Customer has not instructed Truvio whether the personal data should be returned or deleted within fourteen (14) calendar days from termination of the Agreement, Truvio is entitled to delete the personal data.
4.6Truvio will only rely on personnel in the processing of personal data who are contractually or by statutory obligation bound to maintain confidentiality, ensure that access to personal data processed is limited to those personnel who require such access to perform the applicable Truvio Services, and take commercially reasonable steps to ensure the reliability of personnel engaged in the processing of personal data hereunder.
4.7Truvio will promptly inform the Customer if, in its opinion, any instruction or request violates Applicable Data Protection Law, and Truvio disclaims any obligation or liability with regard to any such instructions or requests.
4.8The Customer may request Truvio to provide assistance if the Customer is carrying out a data protection impact assessment. Such assistance will in such case consist of Truvio providing relevant information to the Customer regarding the personal data processed in the Truvio Services. Truvio shall be entitled to charge the Customer its Professional Services Fees on a time and material basis for such assistance.
4.9The Customer accepts that any requests for information, assistance or activities beyond Truvio's ordinary course of business, routines or practices, or what is otherwise commercially reasonable, shall be specifically agreed in an Order Agreement and may be subject to additional fees and charges.
5SECURITY
In connection with its processing of personal data hereunder Truvio will provide for and maintain appropriate administrative, physical, technical and organizational security measures for such processing, which are intended to protect personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the processing. In this connection:
(a)
it is acknowledged that further details on the administrative, physical, technical and organizational security measures that will be implemented and maintained by Truvio in processing the personal data are described or referred to in Annex 1 hereto; and
(b)
Truvio will not materially decrease the overall security of any Truvio Services with respect to processing of personal data.
6PERSONAL DATA BREACH
6.1Truvio will inform the Customer without undue delay after it becomes aware of any personal data breach in connection with the processing of personal data under this DPA, overserving the following process:
(a)
Truvio will investigate the personal data breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by Truvio or a Truvio Sub-processor;
(b)
as information is collected or otherwise becomes available, to the extent legally permitted, Truvio will provide the Customer with a description of the personal data breach, the type of the data to which the breach relates, and, other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to Truvio; and
(c)
the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected data subject(s) and/or the competent supervisory authorities.
6.2The obligations set out above will not apply, to the extent that the personal data breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer, save that Truvio will inform the Customer of the personal data breach and provide information it discovers up to the stage it identifies the breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer. Truvio may charge the Customer for any assistance that the Customer may request when a personal data breach is attributable to or caused by the Customer.
7AUDITS
Truvio shall upon the Customer's request, make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by the Customer (or an independent third-party auditor mandated by the Customer that is reasonably acceptable to Truvio and subject to signature of a confidentiality agreement with Truvio) of Truvio relevant to the personal data processed under this DPA.
8SUB-PROCESSORS
8.1Truvio may delegate the processing of personal data to a Sub-processor. Truvio shall ensure that Truvio has concluded a data processing agreement with such Sub-processor on terms equivalent to and not less restrictive than the provisions in this DPA. Moreover, Truvio shall remain fully liable for the conduct of any of its Sub-processors as for its own conduct.
8.2Subject to Section 8.1, the Customer hereby gives its general written consent and authorization to Truvio to use Sub-processors for processing of personal data solely for the purposes set forth in this DPA. The current list of Truvio Sub-processors is available at GDPR-Sub-Processors - Truvio Software ("Sub-processor List"). Truvio shall update the Sub-processor List before authorizing any new Sub-processor(s) to process personal data in connection with the provision of the Truvio Services.
8.3The Customer may object to Truvio's use of a new Sub-processor by notifying Truvio in writing within ten (10) Business Days from when the Sub-processor List was updated. In the event the Customer objects to a new Sub-processor, Truvio will use commercially reasonable efforts to provide the Truvio Services without engaging the Sub-processor subject to the objection. If such work-around is not possible, the Customer shall be entitled to terminate the relevant Truvio Service. In the event of such termination, the Customer shall not be entitled to any refund of any fees paid to Truvio within the scope of the Agreement.
9LIMITATION OF LIABILITY
9.1The Parties liability with respect to data subjects' claims for compensation shall be handled in accordance with article 82 of the GDPR.
9.2The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data Protection Legislation.
9.3For the purposes of Section 9.2 above, both Parties shall, to a reasonable extent, provide information to the other Party which may be useful within the scope of a supervisory matter or a court proceeding.
9.4Without prejudice to the foregoing, the Parties' liability under this DPA shall be limited in accordance with the provisions of the General Terms and Conditions.
10TRANSFER OF PERSONAL DATA
10.1The Customer acknowledges and agrees that Truvio is only entitled to transfer personal data to a country located outside the EU/EEA under the following circumstances:
(a)
the country is subject to an adequacy decision made by the European Commission, or, in the absence of an adequacy decision;
(b)
Truvio has taken measures to ensure that the transfer is lawful, e.g. by ensuring that there is a transfer mechanism in place subject to article 46 GDPR or a specific derogation according to article 49 GDPR.
10.2Where personal data is transferred outside the EU/EEA on the basis of a transfer mechanism under article 46 GDPR, Truvio will conduct a risk analysis in accordance with the recommendations 01/2020 and 02/2020 of the European Data Protection Board. The Customer is, in accordance with Section 7 above, entitled to receive information about the result of such risk analysis.
10.3The Sub-processor List includes information about any potential third-country transfers made by Truvio within the scope of the Agreement.
ANNEX 1
Description of processing
1EXFLOW AND EXDOC
| Description of processing | Personal data will be processed to a limited extent within the scope of providing implementation services, Consultancy Services and Support Services and only in cases where Truvio needs access to the Customer's environment (which is only provided upon Customer's approval). Generally, there will be no need to access any personal data, but in circumstances where said services requires access to an invoice, processing of data in that invoice will occur. |
| Purpose of the processing | The purpose of the processing is to be able to provide the implementation, Consultancy Services or Support Services in accordance with the Agreement. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Truvio will not store any data on behalf of the Customer. |
2EXFLOW WEB
| Description of processing | ExFlow Web is a cloud-based interface for approval of invoices. The processing that will be carried out is mainly storage and processing of invoices through the ExFlow Web application. |
| Purpose of the processing | The purpose is to provide the ExFlow Web service to the Customer. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Invoices are stored for sixty (60) days and are thereafter automatically erased by Truvio. |
3EXFLOW DATA CAPTURE
| Description of processing | The processing in ExFlow Data Capture includes processing of invoices in a cloud-based environment. This will include storage and processing of invoice data. |
| Purpose of the processing | The purpose of the processing is to provide the ExFlow Data Capture service in order for the Customer to be able to seamlessly interpret and extract critical invoice data. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Personal data is stored for ninety (90) days and is thereafter automatically erased. |