Data Processing Agreement ("DPA")
Data Processing Agreement
THIS DATA PROCESSING AGREEMENT (“DPA”) (in the version dated 2024-05-09) GOVERNS THE DATA PROCESSING OPERATIONS BETWEEN THE CUSTOMER (“DATA CONTROLLER”) AND ADVERITY INC. (“DATA PROCESSOR”). BY ENTERING A COMMERCIAL AGREEMENT THAT REFERENCES THIS DPA, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS DPA.
Table of Contents
Data Controller's Processing Instructions
Data Processor's Processing Obligations
I. Background
II. Processing of Personal Data
III. Sub-processors
IV. Transfer to Third Countries
V. Security of Processing
VI. Audit Rights
VII. Indemnification
VIII. Term
IX. Notices
X. Measures Upon Completion of Processing Personal Data
XI. Definitions
XII. Final provisions
Appendix I - Technical and Organizational Measures (TOMs)
Data Controller's Processing Instructions
|
Purposes |
Provide access to and enable the use of the Data Processor’s Software-as-a-Service (SaaS) and additional services as agreed between the Data Controller and the Data Processor. |
|
Categories of Personal Data to be Processed by Default (If the Data Controller intends to process other categories of Personal Data with the Data Processor’s SaaS, the Data Controller must notify the Data Processor and an additional agreement must be concluded.) |
|
|
Special Categories of Personal Data (If the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor (esp. those outlined in art. 9 (2) GDPR) are met at all times.) |
The Data Controller does not intend to and will not instruct the Data Processor to process any special categories of Personal Data. |
|
Data Subjects by Default (If the Data Controller intends to process Personal Data of additional Data Subjects with the Data Processor’s SaaS, the Data Controller must notify the Data Processor and an additional agreement must be concluded.) |
|
|
Processing Operations |
Collect, store, and process data to enable access to and use of the Data Processor’s SaaS. |
|
Sub-processor(s) |
Applicable in case of SaaS hosting by Data Processor:
If the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data with the SaaS, the following Sub-processor is mutually agreed between the Parties:
Applicable in case of SaaS hosting by Data Controller: If the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data with the SaaS, the following Sub-processor is mutually agreed between the Parties:
|
|
Location of Processing Operations |
Applicable in case of SaaS hosting by Data Processor:
At the request of the Data Controller, the specific location will be communicated to the Data Controller. Applicable in case of SaaS hosting by Data Controller:
|
Data Processor's Processing Obligations
|
Our DPA in plain language |
Talk legal to me - here is the full text of our DPA |
I. Background
|
As provided under the Commercial Agreement, the Data Processor will process certain Personal Data while providing services to the Data Controller. This DPA will govern the Data Processor’s data processing activities. |
1. Within the scope and for the performance of the services defined in the Commercial Agreement, the Data Processor will process certain Personal Data on behalf of the Data Controller. |
II. Processing of Personal Data
|
The Data Processor and its affiliates will comply with all relevant requirements under Applicable US Data Protection Laws while following the Data Controller’s instructions, including assisting the Data Controller in meeting legal obligations, refraining from actions that could breach Applicable US Data Protection Laws, and promptly notifying the Data Controller of any relevant communications or requests received from competent authorities.
The Parties will update "Data Controller's Processing Instructions" to reflect any changes if needed. |
1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors, and persons acting under the Sub-processor’s authority) undertake to only process Personal Data as instructed in writing by the Data Controller (see the “Data Controller’s Processing Instructions” above). The Data Processor shall only process Personal Data to the extent necessary to fulfill its obligations under this DPA or Applicable US Data Protection Laws. The Data Processor shall not carry out or omit any act that would cause the Data Controller to be in breach of Applicable US Data Protection Laws. 5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable it to respond to such request, complaint, message, or other communication following Applicable US Data Protection Laws. |
III. Sub-processors
|
The Data Controller authorizes the Data Processor to engage Sub-processors to operate under the Data Controller's instructions. If the Data Processor intends to make changes to the current list outlined in the "Data Controller’s Processing Instructions”, it will notify the Data Controller in advance and the Data Controller can object within 8 weeks. |
1. The Data Controller authorizes the Data Processor to engage Sub-processors. All Sub-processors authorized by the Data Controller are acting under the authority and subject to direct instructions of the Data Controller. A list of the current Sub-processors is set out in the “Data Controller’s Processing Instructions” for the purposes specified therein. The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors in which event the Data Processor shall without undue delay and no less than 8 weeks before transferring any Personal Data to a Sub-processor, inform the Data Controller in writing of the identity of such Sub-processor as well as the purpose for which it will be engaged. 2. The Data Controller at its discretion may object with good cause to any such changes within 8 weeks after the Data Processor’s notice. 3. The Data Processor shall impose by written agreement, which includes an electronic form, on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries and sub-contractors) the same obligations as apply to the Data Processor. |
IV. Transfer to Third Countries
|
The Data Processor must obtain prior written consent from the Data Controller before transferring Personal Data outside the US. Further, it will ensure compliance with relevant standards under Applicable US Data Protection Laws. |
1. The location(s) of intended or actual processing of Personal Data is set out in “the Data Controller’s Processing Instructions”. The Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the United States without the prior written consent of the Data Controller (which may be refused or granted at its discretion) and ensure that the level of protection of Data Subjects guaranteed by Applicable US Data Protection Laws is not undermined. |
V. Security of Processing
|
The Data Processor ensures the security of Personal Data through specified technical and organizational measures (see Appendix 1). Further, the Data Processor will notify the Data Controller of any security incidents, restrict access to authorized personnel bound by confidentiality obligations, and appoint a designated contact person for data protection matters without undue delay. |
1. The Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for Personal Data and shall continuously review and improve the effectiveness of its security measures (See Appendix 1 hereunder). The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful loss, alteration, or access. The Personal Data shall also be protected against all other forms of unlawful processing. With regard to the state of the art and the costs of implementation and taking into account the nature, scope, context, and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, the technical and organizational measures to be implemented by the Data Processor shall include, as appropriate: a. the pseudonymization and encryption of Personal Data; 2. The Data Processor shall without undue delay notify the Data Controller of any Personal Data Breach after becoming aware of such incidents. The notification shall be in written form and shall at least: a. describe the nature of the Personal Data Breach; b. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; d. describe the measures taken or proposed to be taken by the Data Controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects; and 3. The Data Processor shall provide reasonable assistance requested by the Data Controller. 4. The Data Processor shall at its own expense immediately take necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed, or corrupted as a result of any Personal Data Breach. 5. The Data Processor shall not disclose or otherwise make the Personal Data processed under this DPA available to any third party, without the Data Controller’s prior written approval. For clarity, if the Data Processor is required by applicable laws and regulations to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, section II.5 shall apply. 6. The Data Processor shall ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data to fulfill the Data Processor’s obligations under this DPA and the Commercial Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor) a. has the necessary knowledge of and training in the Applicable US Data Protection Laws to perform the contracted services; and b. is bound by a confidentiality obligation concerning the Personal Data to the same extent as the Data Processor under this DPA. 7. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts, service contracts, or the termination of this DPA. This confidentiality obligation shall remain in force after the expiry or termination of the DPA. 8. The Data Processor appoints the following person as a contact point for data protection matters: Mr. Michael Pilz (dpo@adverity.com). |
VI. Audit Rights
|
The Data Processor grants the Data Controller (or an external auditor of the Data Controller’s choice) the right to conduct audits on data protection and security to ensure compliance with this DPA and relevant data protection laws, and will provide all necessary information and assistance to demonstrate compliance. |
1. The Data Processor shall allow the Data Controller or an external auditor appointed by the Data Controller to conduct audits, investigations, and inspections on data protection and/or data security (“audit”) to ensure that the Data Processor or Sub-processors comply with the obligations under this DPA and Applicable US Data Protection Laws and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance. 2. The Data Processor makes available all information necessary to demonstrate compliance with this DPA and Applicable US Data Protection Laws and assists the Data Controller in the performance of audits. |
VII. Indemnification
|
The Data Processor is responsible for indemnifying the Data Controller against claims from third parties arising from breaches caused by the Data Processor's intentional or grossly negligent actions under this DPA up to the fees paid by the Data Controller in the 12 months preceding the incident, except for willful intent, personal injuries, or death. |
The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data Subjects in particular) make claims against the Data Controller on the grounds of an infringement of their rights or of data protection law where such infringement is caused by actions of the Data Processor in intentional or grossly negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or concerning personal injuries or death – capped with the amount of fees paid by the Controller in the 12 months immediately before the infringing incidence. |
VIII. Term
|
This DPA is in effect as long as the Data Processor handles Personal Data on behalf of the Data Controller. |
1. This DPA shall remain in force as long as the Data Processor processes Personal Data on behalf of the Data Controller. 2. The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors. |
IX. Notices
|
In addition to other notice obligations provided hereunder, in case the Data Processor determines that any instruction to process data of the Data Controller violates Applicable US Data Protection Laws or substantial provisions of this DPA (including technical and organizational measures), it will immediately inform the Data Controller thereof. |
X. Measures Upon Completion of Processing of Personal Data
|
Personal data will be deleted or returned after contract fulfillment unless storage is required by law.
Written notice of measures taken can be provided to the Data Controller upon request. |
1. Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance. 2. Upon request by the Data Controller, the Data Processor shall provide written notice of the measures taken by itself or its Sub-processors concerning the deletion or return of the Personal Data upon the completion of the processing. |
XI. Definitions
|
For clarification purposes, the terms are to be understood in accordance with Applicable US Data Protection Laws. |
All terms used in this DPA are to be understood in accordance with Applicable US Data Protection laws, unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below: “Applicable US Data Protection Laws” means any applicable local, state and federal laws, rules and regulations in the United States relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other processing of Personal Data, including but not limited to the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), the Utah Consumer Privacy Act, (the “UCPA ”) and any regulations promulgated pursuant to any such Act, as applicable to the SaaS provided pursuant to the Commercial Agreement. “Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA. “Data Processing Agreement” (or “DPA”) refers this agreement which governs the data processing operations between the Data Controller and the Data Processor. “Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA. “Personal Data” means any information relating to an identified or identifiable living, natural person (“Data Subject”). “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means. “Software-as-a-Service” (or “SaaS”) shall have the meaning as defined in section I of Adverity’s Master Subscription Agreement. “Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor. |
XII. Final Provisions
|
In the event of a conflict with additional agreements, this DPA shall prevail regarding Personal Data processing, and be governed by New York law, with disputes subject to the jurisdiction of New York; ineffective provisions will be replaced. |
1. If the Data Controller and the Data Processor have entered into additional agreements in conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data shall take priority, except where such provision is included in the Commercial Agreement to supplement this DPA. All other conflicting provisions shall be governed by the provisions of the Commercial Agreement. 2. This DPA is governed by the law of the State of New York. Each Party hereby submits to the exclusive jurisdiction and venue of the courts located in New York County, New York, and each Party hereby waives any defense and agrees not to make any claim of personal jurisdiction or inconvenient forum. Each Party expressly waives any right to trial by jury. 3. The plain language descriptions in this DPA are for reference purposes only, and shall not in any way define, limit, or extend the scope of this DPA. If a provision or parts of a provision in this DPA is or becomes ineffective under applicable legislation, this will not affect the effectiveness and validity of the remaining provisions. The contracting parties will replace it with a provision which, in terms of content, is as close as possible to the ineffective provision. |
Appendix 1 – Technical and Organizational Measures (“TOMs”)
The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing.
|
General Description of Measures |
Description of Measures Implemented |
|
Physical Access and Environmental Control Suitable physical security and environmental controls are in place and designed to protect, control, and restrict physical access for systems and servers |
Used hosting providers comply with:
|
|
Logical Access Control (systems) Preventing data processing systems from being used without authorization |
|
|
Access Control (data) Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization |
|
|
Transmission Control Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data |
|
|
Input Control Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed |
|
|
Job Control Ensuring that the Personal Data is processed exclusively in accordance with the instructions |
|
|
Availability Control Ensuring that Personal Data is protected from accidental destruction and loss |
Used hosting provider comply with:
Additional managed by Data Processor:
|
|
Separation Control Ensuring that data collected for different purposes can be processed separately |
|
|
Document Information |
|
|
Document Owner |
VP Legal & Compliance |
|
Version |
V7.0 |
|
Date of Version |
2024-05-09 |
View outdated Data Processing Agreements
v2.0 (2020-06-01)
v2.1 (2020-12-11)
v3.0 (2021-04-26)
v4.0 (2021-10-08)
v4.1 (2022-02-18)
v4.2 (2022-09-02)
v5.0 (2023-01-23)
v5.1 (2023-04-21)
v6.0 (2023-09-11)