Data Processing Agreement (DPA)
THE UNDERSIGNED:
and
hereinafter jointly referred to as: Parties;
CONSIDERATIONS:
AGREE AS FOLLOWS:
The terms written with a capital letter in this DPA have the following meanings:
1.2 Data Breach: a breach of security measures aimed at protecting Personal Data against loss or any form of unlawful processing, as well as any incident or event in which loss or unlawful processing of Personal Data occurs or could occur.
1.3 Agreement: the Agreement between Processor and Controller regarding the cybersecurity SAAS solution provided by Processor, from which the processing of Personal Data arises.
1.4 Personal Data: any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, particularly by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
1.5 Sub-Processor: the natural or legal person who assists a Processor in processing Personal Data on behalf of the Controller.
1.6 Processing: any operation or set of operations performed on Personal Data, whether or not by automated means, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, erasing, or destroying.
1.7 Data Processing Agreement (DPA): this agreement between Controller and Processor concerning the processing of personal data, including considerations and associated appendices.
2.1 This DPA enters into effect on the date the Parties sign the Agreement.
2.2 This DPA will remain in effect as long as the Processor processes Personal Data on behalf of the Controller under the Agreement.
3.1 During the execution of the Agreement, the Controller may provide Personal Data to the Processor. An overview of the categories of Personal Data that may be provided to the Processor is included in the Privacy Policy.
3.2 The Controller determines the purpose and means of processing Personal Data. This purpose is recorded in the Privacy Policy.
3.3 The Processor processes these Personal Data solely for the execution of the Agreement, this DPA, and the written instructions given by the Controller. The Processor will only process Personal Data for the purposes described in the Privacy Policy and will not use the Personal Data for any other or its own purposes unless required to do so by law.
3.4 If an instruction as referred to in Article 3.3, in the Processor’s opinion, is in conflict with a legal provision on data protection, the Processor will inform the Controller of this before processing, unless a legal provision prohibits such notification.
3.5 The Controller grants the Processor a general authorization to subcontract the processing of Personal Data to Sub-Processors, including those Sub-Processors listed on the Processor’s website.
3.6 If the Processor engages a new or replacement Sub-Processor, the Processor will:
(a) Update the list of Sub-Processors available on the Processor’s website.
(b) Impose substantially the same data protection terms on any Sub-Processor it engages as those contained in this DPA (including data transfer provisions, where applicable).
(c) Remain liable to the Controller for any breach of this DPA caused by an act, error, or omission of such Sub-Processor.
(d) Notify Controller, if Controller is signed up. If Controller elects to be notified in writing 14 days prior to Guardey engaging a new or replacement Sub-Processor, Controller must subscribe to such notifications via this link.
3.7 The Controller may object to the Processor’s appointment of any new or replacement Sub-Processor promptly in writing within fourteen (14) days after receipt of notice in accordance with 3.6(d) and on reasonable grounds related to the Sub-Processor’s ability to comply with applicable data protection laws. In such case, the Parties shall discuss the Controller’s concerns in good faith with a view to achieving a commercially reasonable resolution. If the Parties cannot reach such a resolution, the Processor shall have the right, at its sole discretion, to either not appoint the disputed Sub-Processor, or permit the Controller to suspend or terminate the applicable Order and/or the Agreement.
3.8 The Processor will provide assistance as necessary to comply with the obligations under Articles 32 to 36 of the GDPR. In particular, the Processor will cooperate in performing necessary actions in response to requests from Data Subjects regarding access, rectification, restriction, or deletion of Personal Data.
3.9 The Processor will store and process the Personal Data only within the European Union, unless otherwise agreed with the Controller.
3.10 The Controller guarantees that the processing of Personal Data as instructed to the Processor is not in violation of data protection regulations and is not unlawful. The Controller indemnifies the Processor against all third-party claims, including those from supervisory authorities, related to this matter.
3.11 International Data Transfers:
(a) If the processing involves transferring Personal Data outside the EU/EER, the Processor will ensure an adequate level of protection in compliance with Chapter V of the GDPR.
(b) For transfers to countries without an adequacy decision, standard contractual clauses (SCCs) or another approved transfer mechanism will be used.
(c) The Processor will notify the Controller of Sub-Processors outside the EU/EER and allow the Controller to object to such transfers in accordance with 3.7.
4.1 The Processor will continue to comply with the provisions of this DPA after the termination of the Agreement and the DPA as long as the Processor retains any Personal Data from the Controller.
5.1 Upon termination of the Agreement and the DPA, all Personal Data will be returned to the Controller (or a third party designated by the Controller) or destroyed as soon as reasonably possible at the Controller’s request, at the Controller’s choice.
6.1 The Processor will implement appropriate technical and organizational measures to protect Personal Data against loss or any form of unlawful processing. These measures will ensure a level of security appropriate to the risk presented by the processing and the nature of the Personal Data to be protected, taking into account the state of the art and the costs of implementation. A detailed list of these measures is provided in the Security Policy.
6.2 The Processor will update the measures referred to in Article 6.1 if the Controller requests such updates because the Controller believes it is necessary to maintain an appropriate level of security as described in Article 6.1. In such cases, the Processor is entitled to increase the agreed prices with the Controller to cover the costs incurred by the Processor in connection with these updates.
7.1 Upon request, the Processor shall provide copies of any certifications, audit report summaries, and/or other relevant documentation it holds, where reasonably required by the Controller to verify the Processor’s compliance with this DPA.
7.2 While it is the parties’ intention ordinarily to rely on the Processor’s obligations set forth in Section 7.1 to verify the Processor’s compliance with this DPA, following a confirmed Security Incident or where a data protection authority requires it, the Controller may provide the Processor with thirty (30) days’ prior written notice requesting that a third party conduct an audit of the Processor’s operations and facilities (“Audit”); provided that (i) any Audit shall be conducted at the Controller’s expense; (ii) the parties shall mutually agree upon the scope, timing, and duration of the Audit; and (iii) the Audit shall not unreasonably impact the Processor’s regular operations.
8.1 The Controller is responsible for assessing the need to report a Data Breach to the supervisory authority and/or Data Subjects and for making the actual report.
8.2 The Processor will report any Data Breach or suspicion thereof to the Controller as soon as possible, but in any case within 24 hours after discovering the breach. The Processor will provide at least the following information:
(a) the (suspected) cause of the Data Breach;
(b) the (known or expected) consequences of the Data Breach;
(c) location data of the Data Breach;
(d) any unauthorized recipients of the Personal Data and all available information about them;
(e) suggestions for measures to limit the damage;
(f) any other information requested by the Controller.
8.3 The Processor will cooperate with the Controller’s request to adequately inform Data Subjects or supervisory authorities about the Data Breach and will be available for consultation with the Controller. 8.4 The Controller and the Processor will maintain strict confidentiality towards each other regarding the Data Breach, any fear of a Data Breach, and further related matters, except for obligations under EU or national law.
9.1 Each party shall be liable for and shall indemnify the other party against any claims, actions, damages, and losses arising out of or in connection with any breach of this DPA, to the extent that such breach is attributable to that party’s negligence, willful misconduct, or non-compliance with applicable data protection laws.
9.2 The Processor’s liability for any breach of this DPA shall be limited to direct damages only and shall not exceed the amounts paid by the Controller to the Processor under the Agreement during the 12 months preceding the breach.
10.1 The Processor shall promptly notify the Controller if it receives a request from a Data Subject to exercise their rights under the GDPR.
10.2 The Processor shall cooperate with the Controller and provide assistance to the Controller to enable the Controller to comply with such requests within the timeframes stipulated by the GDPR.
11.1 The Processor designates the following contact person for coordinating obligations under this DPA:
Processor Contact Information:
11.2 All communications regarding this DPA should be directed to the contact person specified above.
11.3 The Controller should provide their contact information through the designated communication channels on the Processor’s website or by contacting the Processor’s support team at the contact details provided above.
12.1 UK GDPR: If and to the extent that the processing of Personal Data under this DPA pertains to data subjects in the United Kingdom, the provisions of the UK GDPR shall apply. References to the GDPR in this DPA shall also include references to the UK GDPR, where applicable.
12.2 CCPA / CPRA: If and to the extent that the processing of Personal Data under this DPA pertains to data subjects in California, the provisions of the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) shall apply. The Processor shall:
(a) Immediately notify the Controller of any consumer requests under the CCPA/CPRA.
(b) Cooperate with the Controller to ensure that such requests are handled timely and in accordance with the CCPA/CPRA.
(c) Not “sell” Personal Data as defined by the CCPA/CPRA.
(d) Ensure compliance with CCPA/CPRA requirements, including transparency and consumer rights notifications.
13.1 Deviations from this DPA are only binding if expressly agreed in writing between the Parties.
13.2 General terms and conditions or other general or special conditions of the Processor do not apply to this DPA and are expressly rejected by the Controller.
13.3 This DPA supplements the Agreement. In case of conflict between the provisions of this DPA and the Agreement, the provisions of this DPA will prevail.
13.4 This DPA is governed by Dutch law.
13.5 Disputes between the Parties that cannot be resolved through consultation will be submitted to the competent Dutch court in The Hague.
