Data Processing Agreement
This Data Processing Agreement (the “DPA”) forms part of the Master Subscription Agreement (the “Agreement”) by and between You and Us. It shall be effective as of the Effective Date as defined in the Agreement unless otherwise agreed by the Parties in writing. It shall apply to all Personal Data Processed by Us on Your behalf in the course of providing On Premise or Cloud Products to You as further described in the Agreement.
1. Definitions
Unless otherwise defined herein, defined terms used in this DPA have the meaning given to them in the Agreement, particularly Annex 1 of the Agreement. The following terms have the meaning set out below:
“Applicable Data Protection Laws”: All laws applicable in the specific context regarding privacy and the protection of Personal Data or personally identifiable information (as defined by such laws), as amended from time to time, including, without limitation, Regulation (EU) 2016/679 of the European Parliament (GDPR) to the extent it applies.
“Data Controller”, “Data Processor”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Process” and “Processing”: Have the meaning set out in Applicable Data Protection Laws.
“DPA”: This Data Processing Agreement which is a part of the Agreement.
“End User” means an individual You permit or invite to use the Products. For the avoidance of doubt: (i) individuals invited by Your End Users and (ii) individuals interacting with a Product as Your customer are also considered End Users.
“Permitted Purpose”: Has the meaning given in section 2.4 of this DPA.
“Process Duration”: Has the meaning given in section 2.6 of this DPA.
“Prohibited Sensitive Personal Information” means any sensitive personal data within the meaning of European Union Regulation 2016/679, or any other personal data that, under the Applicable Data Protection Laws, is more sensitive than ordinary personal data.
“Subscription Term” means Your permitted subscription period for the concerned Product, as set forth in the applicable Order.
“Sub-processor”: Any third party We appoint to Process Usage Data for Us or on Our behalf in connection with the Agreement.
“Usage Data”: Any data and information as defined in section 2.2 below.
2. Data Protection Obligations
2.1. DATA CONTROLLER AND DATA PROCESSOR. It is agreed that You are the Data Controller and We are the Data Processor under Applicable Data Protection Laws in the context of the Agreement. The subject matter of the Processing, its nature and its purpose are set out in the Agreement. The categories of persons affected by the Processing and the categories of personal data concerned are described in Schedule 1 below. In Processing Your Usage Data, We will comply with Applicable Data Protection Laws.
2.2. USAGE DATA. You retain all right, title and interest in and to all data and information (i) provided by You (including any of Your Authorized Users) to Us and/or input by You, or by Us on Your behalf, for the purpose of using the Products or facilitating Your use of the Products or (ii) collected or otherwise Processed by or for You through Your use of the Products, to the extent such data and information is Personal Data. In this context, “provide” (and any similar term) includes submitting, uploading, transmitting or otherwise making available Usage Data to or through the Products. Usage Data is further described in Schedule 1 below. You represent and warrant that We are entitled to Process, in accordance with this DPA, any data and information which is delivered to Us or which We can access in the context of the Agreement.
2.3. PROHIBITED SENSITIVE PERSONAL INFORMATION. You will not (i) submit to Us or Our Products, (ii) use Our Products to collect or otherwise Process, or (iii) enable Us to access, any Prohibited Sensitive Personal Information unless such using or Processing is expressly supported as a feature of the applicable Product. Notwithstanding any other provision to the contrary, We have no liability under the Agreement for Prohibited Sensitive Personal Information submitted in violation of the foregoing sentence.
2.4. PERMITTED PURPOSE. You agree that We are entitled to Process Your Usage Data as necessary to provide the Products and Services in connection with the Agreement to You, in accordance with this DPA, as We may otherwise agree with You in writing, or based on any particular written instructions You may provide to Us (the “Permitted Purpose”). You acknowledge and agree that, as part of providing the Products and Services, xorlab has the right to use data relating to or obtained in connection with the operation, support or use of the Products for its legitimate internal business purposes, such as to support billing processes, to administer the Products, to improve, benchmark and develop Our Products and Services, to comply with applicable laws (including law enforcement requests), to ensure the security of Our Products and to prevent fraud or mitigate risk. You will ensure that You have all necessary consents and notices in place to ensure that We and Your Administrators are entitled to use or otherwise Process Your Usage Data in accordance with the Agreement for the Permitted Purpose and during the Process Duration. We agree not to access, use or otherwise Process Your Usage Data except for the Permitted Purpose, or as necessary to comply with Applicable Data Protection Laws or other applicable laws.
2.5. ADMINISTRATORS. Your Administrators have important rights and controls over Your use of Products, Authorized User Accounts and the Processing of Your Usage Data connected therewith. You take responsibility for any rights that are executed and decisions taken by Your Administrators concerning the Processing of Your Usage Data. This also applies if You provide third parties with Administrator rights.
2.6. PROCESS DURATION. Our Products will transmit Your Usage Data to Us and We will Process Your Usage Data for (i) the applicable term of the Agreement (as defined therein) and for as long as Our Products (as applicable) are used by You and/or Your End Users plus (ii) a reasonable period required to delete or otherwise dispose of Your Usage Data after You and/or Your End Users cease such use in accordance with the Agreement (the “Process Duration”). We may retain anonymized data after expiry or termination of the Agreement for purposes of improving Our Products.
2.7. TECHNICAL AND ORGANIZATIONAL MEASURES. We implement and maintain physical, technical and administrative security measures designed to protect Your Usage Data from unauthorized access, destruction, use, modification or disclosure as set forth in this DPA. Such measures may include, but are not limited to, where appropriate, anonymizing, pseudonymizing and encrypting Usage Data, ensuring the confidentiality, integrity, availability and resilience of Our systems, Products and Services, and regularly assessing and evaluating the effectiveness of the technical and organizational measures We adopt.
2.8. ASSISTANCE WITH COMPLIANCE. We will assist You, at Your cost, in responding to any request from a Data Subject in relation to the Agreement and this DPA and in ensuring compliance with Your obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators.
2.9. CONFIDENTIALITY OBLIGATIONS. Section 14 of the Agreement shall apply. Accordingly, except as expressly provided otherwise herein, We will (i) hold in confidence and not disclose any Confidential Information to third parties and (ii) not use Confidential Information for any purpose other than fulfilling Our obligations and exercising Our rights under the Agreement.
2.10. DELETION OF USAGE DATA. When You and Your End Users cease to use Our Products, Your Usage Data will no longer be transmitted to Us, and We will, within a reasonable period after such use ceases, destroy, or otherwise dispose of any or all of Your Usage Data in Our possession, unless otherwise required by mandatory applicable laws.
2.11. REPORTING. If We become aware of any accidental, unauthorized or unlawful destruction, loss, alteration or disclosure of, or access to, Your Usage Data (a “Security Incident”), We will notify You promptly and provide You promptly with a detailed description of the Security Incident and the identity of each affected Data Subject, with periodic updates, and any other information You may reasonably request in relation to such Security Incident. Moreover, We shall always comply with those reporting obligations concerning Security Incidents, Personal Data Breaches or other relevant incidents that are applicable to Us based on mandatory Applicable Data Protection Laws.
2.12. SUBCONTRACTING. We engage in the context of the Agreement at the Effective Date the Sub-processors as referred to in Schedule 2. You consent to Us engaging both (i) these Sub-processors and (ii) new Sub-processors to be selected by Us in Our free discretion after the Effective Date in order to Process Usage Data for Permitted Purposes, provided that:
a) We ensure that each Sub-processor enters into agreements with Us containing appropriate provisions for non-disclosure and data processing compliance;
b) We remain responsible and liable for any breach of this DPA that is caused by an act, error or omission of Our Sub-processors;
c) We will provide You with Our then current list of any such Sub-processors upon Your request; and
d) You may terminate the Agreement with immediate effect if a new Sub-processor is for important reasons unacceptable to You and a compromise between You and Us cannot be reached within 30 days of Your written objection against the new Sub-processor.
2.13. TRANSFER OF DATA OUTSIDE THE EEA. We will only transfer Your Usage Data outside the EEA where We have complied with Our obligations under Applicable Data Protection Laws in ensuring adequate safeguards in relation to such transfer.
2.14. AUDIT. We will maintain complete and accurate records and information to demonstrate Our compliance with this DPA and allow You or Your designated auditors to perform an audit solely for the purpose of checking compliance with this DPA, provided that We are given reasonable notice of such audit, such audit does not occur more than once in a calendar year, and such audit is conducted at Your cost and in a manner which does not interfere with Our day-to-day business operations.
3. Miscellaneous
3.1. NOTICES. Any notice under this DPA must be given in writing, including emails and other electronic messages. You may either provide notice to Us by post to xorlab AG, Attn.: Data Protection Officer, Binzmühlestrasse 170d, 8050 Zurich, Switzerland or by email to data-privacy@xorlab.com. Your notices to Us will be deemed given upon receipt or – in the case of emails – upon reply or confirmation by email. Notwithstanding the foregoing sentence, termination notices regarding this DPA must be provided by registered letter.
3.2. LIABILITIES AND WARRANTIES. The applicable provisions of the Agreement shall also apply in the context of this DPA.
3.3. GOVERNING LAW; JURISDICTION. The applicable provisions of the Agreement shall also apply in the context of this DPA.
Schedule 1
1. Categories of concerned Data Subjects
The Usage Data concerns End Users of the Products, in addition to individuals whose personal data is supplied (automatically and/or manually) by End Users of the Products.
2. Categories of Personal Data
The categories of Personal Data involved are:
- Direct identifying information (e.g., name, email address, telephone).
- Indirect identifying information (e.g., job title, gender, date of birth).
- Device identification data and traffic data (e.g., IP addresses, MAC addresses, web logs).
- Any Personal Data included in emails of individuals supplied by users of the Product.
3. Special Categories of Personal Data
We do not knowingly collect any Prohibited Sensitive Personal Information.
4. Purposes of Processing
The Personal Data is processed for the purposes of providing the Products and Services in connection with the Agreement and other purposes as further specified in this DPA.
Schedule 2
Sub-processors
The following Sub-processors are approved by You:
Name | Comments
--- | ---
Microsoft Azure | Limited to the following Microsoft Azure regions:
Google Cloud | Limited to the following Google Cloud regions:
Amazon Web Services | Limited to the following Amazon Web Services regions:
Green Datacenter AG, Switzerland | Limited to locations in Switzerland.
Hetzner Online GmbH, Germany | Limited to locations in Germany.