THIS DATA PROCESSING AGREEMENT (“DPA”) (in the version dated September 11, 2023) GOVERNS THE DATA PROCESSING OPERATIONS BETWEEN THE CUSTOMER (“BUSINESS” OR “DATA CONTROLLER”) AND ADVERITY INC. (“SERVICE PROVIDER” OR “DATA PROCESSOR”). BY ENTERING A COMMERCIAL AGREEMENT THAT REFERENCES THIS DPA, CUSTOMER AGREES TO THE TERMS AND CONDITIONS OF THIS DPA.

1. Background

  1. The Data Controller and the Data Processor have entered into the above-mentioned Commercial Agreement (“Agreement”) under which the Data Processor shall provide certain services to the Data Controller, which includes processing of Personal Data.
  2. The Data Controller and the Data Processor have entered into this DPA in order to fulfill the requirement of a written agreement between a data controller and a data processor of Personal Data as set out in Applicable Data Protection Legislation.

2. Definitions

All terms used in this DPA are to be understood in accordance with Applicable US Data Protection Laws, unless otherwise expressly agreed. The following terms and expressions in this DPA shall have the meaning set out below:

“Applicable US Data Protection Laws” means any applicable local, state and federal laws, rules and regulations in the United States relating to the use, collection, retention, storage, security, disclosure, transfer, sale or other processing of Personal Data, including but not limited to the California Consumer Privacy Act (the “CCPA”), the California Privacy Rights Act (the “CPRA”), the Virginia Consumer Data Protection Act (the “VCDPA”), the Colorado Privacy Act (the “CPA”), the Connecticut Data Protection Act (the “CTDPA”), the Utah Consumer Privacy Act (the “UCPA”) and any regulations promulgated pursuant to any such Act, as applicable to the Application Services provided pursuant to the Agreement.

“Data Controller” means the legal person which, alone or jointly with others, determines the purposes and means of the processing of Personal Data under this DPA;

“Data Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Data Controller under this DPA;

“Sub-processor” means any legal or natural person, including any agents and intermediaries, processing Personal Data on behalf of the Data Processor as set forth in section 4.1 below;

“Personal Data” means any information relating to an identified or identifiable living, natural person (“data subject”) as set forth in Applicable US Data Protection Laws;

“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means.

3. Processing of Personal Data

  1. The Data Processor and any person acting under its authority (e.g. personnel, Sub-processors and persons acting under the Sub-processor’s authority) undertake to only process Personal Data in accordance with documented instructions communicated by the Data Controller (Appendix 1) and to the extent necessary to fulfill its obligations under this DPA or Applicable US Data Protection Laws.
  2. If the services are altered during the term of the Agreement and involve new or amended processing of Personal Data, or if the Data Controller’s instructions are otherwise changed or updated, the parties shall ensure that Appendix 1 is updated as appropriate.
  3. When processing Personal Data under this DPA, the Data Processor shall comply with any and all Applicable US Data Protection Laws and applicable recommendations by competent Data Protection Authorities or other competent authorities.
  4. The Data Processor shall assist the Data Controller in fulfilling its legal obligations under Applicable US Data Protection Laws. The Data Processor shall not carry out any act, or omit any act, that would cause the Data Controller to be in breach of Applicable US Data Protection Laws.
  5. The Data Processor shall immediately inform the Data Controller of a request, complaint, message, or any other communication received from a competent authority or any other third party regarding the processing of Personal Data covered by this DPA. The Data Processor may not, without prior instructions from the Data Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party, unless the Data Processor is required to do so by law. The Data Processor shall assist the Data Controller in an appropriate manner to enable it to respond to such a request, complaint, message or other communication in accordance with Applicable US Data Protection Laws.

4. Sub-processors

  1. The Data Controller authorizes the Data Processor to engage the Sub-processors. All Sub-processors authorized by the Data Controller are acting under the authority and subject to direct instructions of the Data Controller. A list of the current Sub-processors is set out in Appendix 1 for the purposes specified therein. The Data Processor shall notify the Data Controller in writing in advance of any changes, in particular before engaging other Sub-processors in which event the Data Processor shall without undue delay and at the latest 8 weeks prior to transferring any Personal Data to a Sub-processor, inform the Data Controller in writing of the identity of such Sub-processor as well as the purpose for which it will be engaged.
  2. The Data Controller at its own discretion may object with good cause to any such changes within 8 weeks after the Data Processor’s notice.
  3. The Data Processor shall impose by written agreement, which includes an electronic form, on all Sub-processors processing Personal Data under this DPA (including inter alia its agents, intermediaries and sub-contractors) the same obligations as apply to the Data Processor.

5. Transfer to Third Countries

  1. The location(s) of intended or actual processing of Personal Data is set out in Appendix 1. The Data Processor must not transfer or otherwise directly or indirectly disclose Personal Data outside the United States of America without the prior written consent of the Data Controller (which may be refused or granted at its own discretion) and ensure that the level of protection of natural persons guaranteed by Applicable US Data Protection Laws and as set forth in this DPA is not undermined.

6. Security of Processing

  1. As set forth in Appendix 2, the Data Processor guarantees to implement and uphold appropriate technical and organizational measures according to the current state of the art to ensure an appropriate level of security for the Personal Data and shall continuously review and improve the effectiveness of its security measures. The Data Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful loss, alteration or access. The Personal Data shall also be protected against all other forms of unlawful processing. The technical and organizational measures to be implemented by the Data Processor shall include, as appropriate:
    1. the pseudonymization and encryption of Personal Data;
    2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services processing Personal Data;
    3. the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
    4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
  2. The Data Processor shall without undue delay notify the Data Controller of any accidental or unauthorized access or supposed access to Personal Data or any other actual or supposed, threatened or potential security incidents (Personal Data Breach) after becoming aware of such incidents. The notification shall be in written form and shall at least:
    1. describe the nature of the Personal Data breach;
    2. communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
    3. describe the likely consequences of the Personal Data Breach;
    4. describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects;
    5. include any other information available to the Data Processor which the Data Controller is required to notify the Data Protection Authorities and/or the data subjects.
  3. The Data Processor will furthermore provide reasonable assistance requested by the Data Controller.
  4. In addition, the Data Processor shall at its own expense immediately take necessary measures to restore and/or reconstruct Personal Data that has been lost, damaged, destroyed or corrupted as a result of the Personal Data Breach.
  5. The Data Processor undertakes to not disclose or otherwise make the Personal Data processed under this DPA available to any third party, without the Data Controller’s prior written approval. This section 6.5 shall not apply if the Data Processor is required by applicable laws and regulations to disclose Personal Data that the Data Processor processes on behalf of the Data Controller, in which case what is set out in section 3.5 shall apply.
  6. The Data Processor undertakes to ensure that access to Personal Data under this DPA is restricted to those of its personnel who directly require access to the Personal Data in order to fulfil the Data Processor’s obligations in accordance with this DPA and the Agreement. The Data Processor shall ensure that such personnel (whether employees or others engaged by the Data Processor) (i) has the necessary knowledge of and training in the Applicable US Data Protection Laws to perform the contracted services; and (ii) is bound by a confidentiality obligation concerning the Personal Data to the same extent as the Data Processor in accordance with this DPA.
  7. The Data Processor requires all of its personnel (employees and Sub-processors) authorized to process Personal Data not to process Personal Data for any other purpose, except on instructions from the Data Controller or unless required by applicable law. The Data Processor shall ensure that this confidentiality obligation extends beyond the termination of employment contracts, Sub-processor contracts, service contracts or the termination of this DPA. This confidentiality obligation shall remain in force after the expiry or termination of the DPA.
  8. The Data Processor appoints the following person as contact point for data protection matters: Mr. Michael Pilz (dpo@adverity.com).

7. Audit Rights

  1. The Data Processor shall allow the Data Controller or an external auditor mandated by the Data Controller to conduct audits, investigations and inspections on data protection and/or data security (“audit”) in order to ensure that the Data Processor or Sub-processors are able to comply with the obligations under this DPA and Applicable US Data Protection Laws and that the Data Processor or Sub-processors have undertaken the required measures to ensure such compliance.
  2. The Data Processor makes available all information necessary to demonstrate compliance with this DPA and Applicable US Data Protection Laws and assists the Data Controller in the performance of audits.

8. Indemnification

The Data Processor shall indemnify and hold harmless the Data Controller upon the Data Controller’s first demand insofar as third parties (Data Subjects in particular) make claims against the Data Controller on the grounds of an infringement of their personal rights or of data protection law where such infringement is caused by actions of the Data Processor in intentional or grossly negligent violation of this DPA. The obligation to indemnify is – except in cases of willful intent or in relation to personal injuries or death – capped at the amount of fees paid by the Controller in the 12 months immediately before the infringing incident.

9. Term

  1. The term of this DPA follows the above-mentioned Agreements.
  2. In case of a termination of the Agreement, this DPA shall remain in force as long as the Data Processor processes Personal Data for the Data Controller.
  3. The Data Controller may terminate the Agreement without notice as a result of a breach of the obligations under this DPA by the Data Processor or one of its Sub-processors.

10. Notices

  1. Any notice or other communication to be provided by one party to the other party under this DPA, shall be provided in accordance with the notices provision of the Agreement.
  2. In case the Data Processor determines that any instruction to process data of the Data Controller violates Applicable US Data Protection Laws or substantial provisions of this DPA (including technical and organizational measures), it will immediately inform the Data Controller thereof.

11. Measures upon completion of processing of personal data

  1. Upon expiration or termination of this DPA, the Data Processor shall delete or return all Personal Data (including any copies thereof) to the Data Controller, as instructed by the Data Controller, and shall ensure that any Sub-processors do the same, unless otherwise required by applicable law. When returning the Personal Data, the Data Processor shall provide the Data Controller with all necessary assistance.
  2. Upon request by the Data Controller, the Data Processor shall provide a written notice of the measures taken by itself or its Sub-processors with regard to the deletion or return of the Personal Data upon the completion of the processing.

12. Final Provisions

  1. If the Data Controller and the Data Processor have entered into additional agreements in conflict with this DPA, the provisions of this DPA regarding the processing of Personal Data shall take priority, except where such provision is included in the Agreement for the purpose of supplementing this DPA. All other conflicting provisions shall be governed by the provisions of the Commercial Agreement.
  2. This DPA is governed and construed in accordance with the laws of the State of New York. Each Party hereby submits to the exclusive jurisdiction and venue of the courts located in New York County, New York, and each Party hereby waives any defense and agrees not to make any claim of personal jurisdiction or inconvenient forum. Each Party expressly waives any right to trial by jury.
  3. If a provision or parts of a provision in this DPA is or becomes ineffective under applicable legislation, this will not affect the effectiveness and validity of the remaining provisions. The contracting parties will replace it by a provision which, in terms of content, is as close as possible to the ineffective provision.

Appendix 1 – Data Processing Instructions

Purposes

Specify all purposes for which the personal data will be processed by the Data Processor.

Provide access to and enable use of Data Processor’s Application Services and additional services as agreed between Data Controller and Data Processor.

Categories of data

Specify the different types of Personal Data that will be processed by the Data Processor.

The following Personal Data is processed by default. If the Data Controller intends to process other categories of Personal Data with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded.

  • Email address
  • IP Address
  • Timestamps
  • Name (on a voluntary basis)

Special Categories of Data

Specify the different special categories of Personal Data that will be processed by the Data Processor.

The Controller does not intend to and will not instruct the Processor to process any special categories of Personal Data.
In the event that the Data Controller instructs the Data Processor to process special categories of Personal Data on its behalf, the Data Controller shall ensure that all legal requirements for the processing of such special categories of Personal Data by the Data Processor are met at all times.

Data subjects

Specify the categories of data subjects whose Personal Data will be processed by the Data Processor.

The following categories of data subjects are affected by the data processing operations by default. If the Data Controller intends to process Personal Data of other categories of data subjects with the Application Services of the Data Processor, the latter must be notified hereof, and an additional agreement must be concluded.

  • Users of the Application Services

Processing operations

Specify all processing activities to be conducted by the Data Processor.

Collect, store, and process data to enable access to and use of the Data Processor’s Application Services.

Sub-processor(s)

Specify the Sub-processors engaged by the Data Processor (if any) and the purposes for which the personal data is processed by such Sub-processor.

Applicable in case of Application Services hosting by Data Processor:

  1. Amazon Web Services legal entity contracting with USA legal entities; or Google legal entity contracting with USA legal entities; or Microsoft Corporation (One Microsoft Way, Redmond, WA 98052, USA).
    Purpose: Hosting infrastructure for servers and databases.

In case that the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data within the Adverity Application Services, the following Sub-Processor is mutually agreed between the Parties:

  1. Snowflake Inc. (Suite 3A, 106 East Babcock Street, Bozeman, Montana 59715, USA).
    Purpose: Cloud-based data warehouse that provides the infrastructure, storage and processing engine to power data reporting and analysis.

Applicable in case of Application Services hosting by Data Controller:

In case that the Data Controller processes personal data of additional Data Subjects or additional Categories of Personal Data within the Adverity Application Services, the following Sub-Processor is mutually agreed between the Parties:

  1. Snowflake Inc. (Suite 3A, 106 East Babcock Street, Bozeman, Montana 59715, USA).
    Purpose: Cloud-based data warehouse that provides the infrastructure, storage and processing engine to power data reporting and analysis.

Location of Processing Operations

Specify all locations where the Personal Data will be processed by the Data Processor and any Sub-processor (if applicable).

Applicable in case of Application Services hosting by Data Processor:

  • If the Data Controller is based in the United States of America, the data will be hosted on servers located in a data center in the United States of America.
  • If the Data Controller is located outside the United States of America, the data might be hosted on servers inside or outside the United States of America.

At the request of the Data Controller, the specific location will be communicated to the Data Controller.

Applicable in case of Application Services hosting by Data Controller:

  • Hosting location is determined by the Data Controller.

Appendix 2 – Technical and Organizational Measures (“TOMs”)

The Data Processor confirms that the implemented technical and organizational measures provide an appropriate level of protection for the Data Controller’s Personal Data considering the risks associated with the processing.

Each measure below is given as its general description followed by the measures implemented.

Access Control (premises)

Preventing unauthorized persons from gaining access to data processing systems

The hosting provider used complies with ISO 27018, which is based on ISO 27000, and implements:

  • Access control systems (smart cards, biometric control)
  • Security personnel at entrances (backgrounds checked)
  • Right to access generally limited
  • List of authorized people (manager approval required)
  • Surveillance systems (alarm system, door prop alarm, motion detectors, 24×7 CCTV)
  • Visitor logbook (time and purpose of entry, time of exit)

Access Control (systems)

Preventing data processing systems from being used without authorization

  • Database security controls restrict access
  • Access rights based on roles and need to know
  • Password policy
  • Automatic blocking of access (e.g. password, timeout)
  • Logging of failed log-in attempts

Access Control (data)

Ensuring that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified or removed without authorization

  • Access rights based on roles and need to know
  • Approval process for access rights; periodical reviews and audits
  • Signed confidentiality undertakings
  • Optionally restricted to office IPs

Transmission Control

Ensuring that Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to review and establish which bodies are to receive the Personal Data

  • Encrypted transfer (HTTPS, SSL, SSH; RSA, 4096-bit keys)
  • Log files

Input Control

Ensuring that it is possible to review and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed

  • Access rights based on roles and need to know
  • Approval process for access rights
  • Log files

Job Control

Ensuring that the Personal Data is processed exclusively in accordance with the instructions

  • Diligently selecting (Sub-)processors and other service providers
  • Documenting selection procedures (privacy and security policies, audit reports, certifications)
  • Backgrounds of service providers are checked, with subsequent monitoring
  • Standardized policies and procedures (including clear segregation of responsibilities); documentation of instructions received from data controller
  • Signed confidentiality undertakings

Availability Control

Ensuring that Personal Data is protected from accidental destruction and loss

  • Redundant uninterruptible power supply (UPS)
  • Air-conditioning, temperature and humidity controls (monitored 24×7)
  • Disaster-proof housing (smoke detection, fire alarm, fire suppression, water detection, raised flooring, protection against severe weather conditions, pest repellent system)
  • Electrical equipment monitored and logged, 24×7 support
  • Daily backup procedures
  • Disaster recovery plan
  • Routinely test-running data recovery

Separation Control

Ensuring that data collected for different purposes can be processed separately

  • Separate processing possibilities in the Application Services for HR data, production data, supplier data, customer data
  • Separation between productive and test data
  • Detailed management of access rights

Document Information

Document Owner: VP Legal & Compliance
Version: V6.0
Date of Version: 2023-09-11

View outdated Data Processing Agreements

v2.0 (2020-06-01)
v2.1 (2020-12-11)
v3.0 (2021-04-26)
v4.0 (2021-10-08)
v4.1 (2022-02-18)
v4.2 (2022-09-02)
v5.0 (2023-01-23)
v5.1 (2023-04-21)