Data Processing Agreement

VERSION DATE: January 1, 2021

This Data Processing Agreement (“DPA”) is between Customer (as defined in the terms of use (the “Terms of Use”)) and the applicable MinusOne entity providing the Services (“MinusOne”). Customer has appointed MinusOne to provide the Services to Customer pursuant to the Terms of Use. As a result of providing such Services, MinusOne may use, store and process certain personal data of Customer.

For the purposes of the GDPR, MinusOne acts as data processor (as that term is defined in the GDPR) and will act in accordance with Customer instructions. For the purposes of the CCPA, MinusOne acts as a service provider.

Customer enters into this DPA by and on behalf of itself and, to the extent required under Applicable Law, in the name and on behalf of its Authorized Affiliates, if and to the extent MinusOne Processes Personal Data for such Authorized Affiliates and they qualify as, for the purposes of the GDPR, the controller and, for the purposes of the CCPA, the business. By entering into this DPA, the parties agree to comply with the following provisions with respect to any Personal Data from the effective date of the Terms of Use. This DPA shall form part of and is incorporated into the Terms of Use.

To the extent there is a conflict between this DPA, the Terms of Use and any other terms or conditions regarding the Processing of Personal Data contained in the Terms of Use (including any existing data processing addendum to the Terms of Use), this DPA shall prevail.

1. DEFINITIONS

For the purposes of this DPA, all capitalized terms not defined herein shall have the meaning set forth in the Terms of Use. The following expressions bear the following meanings unless the context otherwise requires:

“Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Terms of Use between Customer and MinusOne, but has not signed a separate Terms of Use with MinusOne and is not a "Customer" as defined under the Terms of Use;

“Applicable Law” means (i) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data, together with any national implementing laws in any member state of the European Union (“GDPR”); (ii) the UK Data Protection Act 2018 and the applied GDPR; (iii) if applicable, California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100 et seq (the “CCPA”); and (iv) any applicable data protection laws or regulations in the jurisdiction in which the Personal Data is hosted;

“Business Purpose” shall have the meaning given to it in the CCPA;

“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018 as amended from time to time;

“Customer Data” means the data provided by Customer for Processing through use of the Services;

“Data Subject” means (i) “data subject” as defined under the GDPR, and (ii) “consumer” as defined under the CCPA;

“GDPR” means General Data Protection Regulation and is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data and repealing of Directive 95/46/EC;

“Personal Data” means (i) “personal data” as defined under the GDPR, and (ii) “personal information” as defined under CCPA, under the control of Customer and Processed by MinusOne in connection with the performance of the Services;

“Process”, “Processed” or “Processing” means “processing” as defined under the GDPR and the CCPA, the details of which are outlined on Schedule 1;

“Sale”, “Sell” or “Selling” means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data with a Third Party, whether for monetary or other valuable considerations or for no consideration, for the Third Party’s commercial purposes;

“Security Measures” means the technical and organizational measures deployed by MinusOne as described in the Terms of Use;

“Services” means any and all services provided by MinusOne as identified in the Terms of Use;

“Standard Contractual Clauses” means the agreement pursuant to the European Commission’s decision (C(2010)593) of 5 February 2010 on Standard Contractual Clauses for the transfer of Personal Data to processors established in Third Countries approved by the EU Commission in Commission Decision 2010/87/EU, dated 5th February 2010;

“Third Country(ies)” means countries outside of the scope of the data protection laws of the European Economic Area, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time-to-time; and

“Third Party” means any person (including companies, entities, organizations, etc.) that is not Customer or MinusOne or its Affiliates.

2. DATA PROCESSING

2.1. MinusOne shall only Process Personal Data on behalf of Customer in accordance with and for the purposes set out in the documented instructions received from Customer from time to time, which, for the avoidance of doubt may include the provisions of the Terms of Use governing the provision by MinusOne of products and services to Customer. MinusOne may also be required to Process Personal Data in accordance with Union or Member State Law, in which case, unless prohibited by Applicable Law, MinusOne shall inform Customer of such legal requirement before Processing.

2.2. MinusOne shall not access, retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the services specified in the Terms of Use with MinusOne.

2.3. MinusOne will not further collect, sell, or use Personal Data except as necessary to perform the Business Purpose(s).

2.4. Where applicable for the purposes of the CCPA, MinusOne shall act as a service provider for Customer, pursuant to which the parties agree that all such Personal Data is disclosed to MinusOne for one or more Business Purpose(s) and its use or sharing by Customer with MinusOne is necessary to perform such Business Purpose(s).

2.5. Throughout the term of this DPA, the parties agree to comply with Applicable Laws. MinusOne shall inform Customer if, in MinusOne’s opinion, MinusOne is unable to comply with Applicable Law or Customer’s instructions violate Applicable Law, provided that MinusOne is not obliged to perform a comprehensive legal examination with respect to an instruction of Customer.

2.6. MinusOne hereby confirms that its employees and subcontractors who are authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

2.7. Customer represents and warrants that

i. it has complied and continues to comply with Applicable Law, in particular that it has obtained any necessary consents and/or given any necessary notices, and/or otherwise has the right to disclose Personal Data to MinusOne and enable the Processing set out in this DPA and as contemplated by the Terms of Use;

ii. it has assessed the requirements under Article 28 of the GDPR as they apply to Customer with regards to Personal Data and finds that the security measures referenced in Schedule 3 are adequate to meet those requirements;

iii. it will ensure compliance with and shall not in any way alter or diminish the Security Measures to the extent applicable to Customer through its use of the Services.

2.8. Notwithstanding any provision herein to the contrary, MinusOne owns all aggregated system metric data derived from the Services as aggregated with such data from MinusOne’s other customers, and may Process such aggregated data for its own purposes. For the avoidance of doubt, aggregated data does not contain Personal Data.

3. NOTIFICATION OF DATA BREACH. MinusOne shall notify Customer about any breach of the Security Measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer’s Personal Data (“Security Breach”) without undue delay. For the avoidance of doubt, Security Breaches will not include unsuccessful attempts to, or activities that do not, compromise the security of Customer’s Personal Data including, without limitation, unsuccessful log in attempts, denial of service attacks and other attacks on firewalls or networked systems and no notice of the foregoing shall be required. In the event a Security Breach requires notification by Customer to Data Subjects or relevant Regulators, MinusOne shall provide reasonable information as necessary to support Customer’s reporting obligations.

4. AUDIT AND INSPECTION

4.1. MinusOne shall provide reasonable assistance in response to inquiries from Customer or its Regulator relating to MinusOne’s Processing of Customer’s Personal Data.

4.2. MinusOne shall, upon written request from Customer, provide, if available, Customer with information reasonably necessary to demonstrate compliance with the obligations under this DPA. This information shall consist of permitting examination of the most recent reports, certificates and/or extracts prepared by an independent auditor pursuant to MinusOne’s ISO27001 or similarly held industry certification.

4.3. For the avoidance of doubt, the provisions of this Clause 4 shall also apply to the audit provisions of any Standard Contractual Clauses entered into in accordance with Clause 6 of this DPA.

5. COMPLIANCE, CO-OPERATION AND RESPONSE

5.1. In the event that MinusOne directly receives a request from a Data Subject and it is clear from the nature of the request without the need for any independent investigation that Customer is the applicable controller of Data Subject’s Personal Data, unless prohibited by Applicable Law, MinusOne will refer the Data Subject to Customer. If MinusOne is legally required to respond to the Data Subject, Customer will fully co-operate with MinusOne as appropriate. Customer agrees that provision of technical tools to enable Customer to take the necessary action to comply with such request/s shall be sufficient to discharge MinusOne’s obligations of assistance hereunder.

5.2. Customer will reimburse all reasonable costs incurred by MinusOne as a result of reasonable assistance provided by MinusOne under this Clause 5.

6. TRANSFER. Customer acknowledges and agrees that MinusOne may, in the course of providing the Services, Process (or permit any Affiliate or subprocessor to Process) Customer’s Personal Data in one or more Third Countries, provided that such Processing is in compliance with Applicable Law. MinusOne undertakes that it shall not, and that it shall procure that any Affiliate or Third-Party Subcontractor, will not cause or permit Personal Data to be Processed or Transferred outside of the EEA unless such Processing or Transfer is in compliance with Applicable Laws. MinusOne shall comply with the data importer obligations under the Standard Contractual Clauses in respect of any such transfer. Customer hereby grants MinusOne a mandate to enter into the Standard Contractual Clauses with a Third-Party subprocessor or Affiliate it appoints.

7. CHANGES IN APPLICABLE LAW. The parties agree to negotiate in good faith modifications to this DPA if changes are required for MinusOne to continue to Process Personal Data in compliance with Applicable Law including (i) the GDPR; (ii) the CCPA; (iii) Standard Contractual Clauses; or (iv) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.

8. SUB PROCESSORS

8.1. Use of Sub Processors. MinusOne does not currently use any subprocessors, however, to the extent MinusOne appoints any subprocessors, MinusOne will notify Customer by the process set forth in Clause 8.2. MinusOne shall ensure that it has entered into written agreements with all Third-Party subprocessors that contain obligations on the Third-Party subprocessor that are no less onerous on the relevant Third-Party subprocessor than the obligations on MinusOne under this DPA in respect of the specific Services provided by the Third-Party subprocessor.

8.2. Changes to Sub Processors. MinusOne will inform Customer with reasonable advance notice (including electronically, for example via email) if it appoints a new subprocessor, or intends to make any changes concerning the addition or replacement of a sub processor. Customer shall have 10 days after such advance notice to object to the appointment or replacement of a sub processor in writing, provided Customer’s objection is based on legitimate data protection grounds. Upon receipt of such objection by Customer, MinusOne may, in its sole discretion, propose commercially reasonable changes to Customer’s use of the Services so that the relevant subprocessor is not used in terms of the Service/s procured. If such change is not possible within a reasonable period of time, Customer may, upon not less than 20 days’ written notice from the date of notification by MinusOne, terminate the applicable Services with respect to those Services which cannot be provided without the use of the relevant subprocessor. If Customer does not object within 10 days following notice by MinusOne, Customer is deemed to have approved the new sub processor.

9. LIABILITY. The aggregate liability of the Affiliates, sub processor and MinusOne under this DPA and any Standard Contractual Clauses entered into pursuant to this DPA, shall be no greater than the aggregate liability of MinusOne under the Terms of Use, to the extent permissible by Applicable Law. For the avoidance of doubt, the limitations of liability in the Terms of Use shall apply to this DPA and any Standard Contractual Clauses entered into in accordance with Clause 6 herein. Neither Customer nor any of its Authorized Affiliates shall be entitled to recover more than once in respect of the same claim under this DPA.

10. TERMINATION. Termination of this DPA shall be governed by the Terms of Use.

11. CONSEQUENCES OF TERMINATION. Upon termination of this DPA in accordance with Clause 10 and upon Customer’s written request, MinusOne shall:

i. delete all Personal Data Processed on behalf of Customer (except to the extent permitted or required to be retained by applicable laws, regulations, subpoenas or court orders); or

ii. assist Customer with the return to Customer of Personal Data and any copies thereof which it is Processing or has Processed on behalf of Customer. Customer acknowledges and agrees that the nature of the Services means that Customer may extract a copy of Personal Data at any time during the term of the Terms of Use, and providing the tools to allow Customer to do so shall be sufficient to show MinusOne has complied with this Clause 11(ii).

12. LAW AND JURISDICTION. This DPA and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it shall be governed by and construed in all respects in accordance with the governing law and jurisdiction provisions in the Terms of Use, and each party submits to the jurisdiction of the forum set forth in the Terms of Use.

SCHEDULE 1 - PROCESSING DETAILS

Data subjects

The personal data transferred include the following categories of data subjects:

  • Customer’s end users authorized by Customer to use MinusOne;

  • All employees, agents, advisors, consultants of Customer (who are natural persons);

  • Prospects, customers, business partners and vendors of Customer (who are natural persons); and/or

  • Employees or contact persons of Customer’s prospects, customers, business partners and vendors.

Categories of data

The personal data transferred include the following categories of data:

  • Identification and contact data (name, address, title, contact details);

  • Financial Information, such as payment information (but excluding credit card details and account details, which may not be stored on the Service, as specified in the Terms of Use);

  • Employment details (employer, job title, geographic location, area of responsibility); and/or

  • IT information (IP addresses, usage data, cookies data, location data).

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • None

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • As provided in the DPA, MinusOne will Process Customer Personal Data as necessary to provide the Service pursuant to the Terms of Use, in accordance with the DPA, and as instructed by Customer in their use of MinusOne.