This Data Processing Addendum ("DPA") amends and forms part of the Master Subscription Agreement (the "Agreement") between Indent Inc ("Company") and you ("Customer"). This DPA prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement.
- In this DPA:
- "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Processor", and "Supervisory Authority" have the meaning given to them in the GDPR;
- "Customer Personal Data" means any Customer Data that constitutes Personal Data, the Processing of which is subject to Data Protection Law, for which Customer or Customer's customers are the Controller, and which is Processed by Company to provide the Services;
- "Data Protection Law" means General Data Protection Regulation (EU) 2016/679 ("GDPR") and e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), and their national implementations in the European Economic Area ("EEA"), Switzerland and the United Kingdom, each as applicable, and as may be amended or replaced from time to time;
- "Data Subject Rights" means Data Subjects' rights to information, access, rectification, erasure, restriction, portability, objection, and not to be subject to automated individual decision-making in accordance with Data Protection Law;
- "International Data Transfer" means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom;
- "Services" means the services provided by Company to Customer under the Agreement;
- "Subprocessor" means a Processor engaged by Company to Process Customer Personal Data; and
- "Standard Contractual Clauses" means the clauses annexed to EU Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5-18) as amended by Commission Implementing Decision (EU) 2016/2297 of 16 December 2016 (OJ L 344, 17.12.2016, p. 100).
- Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
Scope and applicability
- This DPA applies to Processing of Customer Personal Data by Company to provide the Services.
- The subject matter, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in Appendix 1.
- Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Law applicable to Controllers.
- If Customer is a Processor on behalf of other Controller(s), then Customer: is the single point of contact for Company; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and is responsible for compliance with the requirements of Data Protection Law applicable to Processors.
- Customer acknowledges that Company may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. Company is the Controller for such Processing and will Process such data in accordance with Data Protection Law.
- Company will Process Customer Personal Data to provide the Services and in accordance with Customer's documented instructions.
- The Controller's instructions are documented in this DPA, the Agreement, and any applicable statement of work.
- Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.
- Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer's documented instructions.
- Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
Security and Personal Data Breaches
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Appendix 2.
- Customer acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Customer's intended Processing, and will notify Company prior to any intended Processing for which Company's security measures may not be appropriate.
- Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company's notification is delayed, it will be accompanied by reasons for the delay.
- Customer hereby authorizes Company to engage Subprocessors. A list of Company's current Subprocessors is available at https://indent.com/legal/subprocessors (as may be updated by Company from time to time in accordance with this DPA).
- Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.
- Customer will subscribe to Company’s RSS feed to receive notifications of any intended changes to the list of Company’s Subprocessors, available at https://indent.com/legal/subprocessors/rss. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company's notification of the intended change. Customer and Company will work together in good faith to address Customer's objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
- Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Customer's own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct data protection impact assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
- Company will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.
- Company may charge a reasonable fee for assistance under this Section 7. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
- Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested no more than once a year by Customer and performed by an independent auditor as agreed upon by Customer and Company. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data, and shall be conducted during normal business hours and in a manner that causes minimal disruption.
- Company will inform Customer if Company believes that Customer's instruction under Section 8.1 infringes Data Protection Law. Company may suspend the audit or inspection, or withhold requested information until Company has modified or confirmed the lawfulness of the instructions in writing.
- Company and Customer each bear their own costs related to an audit.
International Data Transfers
- Customer hereby authorizes Company to perform International Data Transfers to any country deemed adequate by the EU Commission; on the basis of appropriate safeguards in accordance with Data Protection Law; or pursuant to the Standard Contractual Clauses referred to in Section 9.2.
- By signing this DPA, Customer and Company conclude the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the "data exporter" is Customer; the "data importer" is Company; the governing law in Clause 9 and Clause 11.3 of the Standard Contractual Clauses is the law of the country in which Customer is established; Appendix 1 and Appendix 2 to the Standard Contractual Clauses, are Appendix 1 and 2 to this DPA respectively; and the optional indemnification clause is struck.
- Company may, by written notice to Customer, make any variations to the Standard Contractual Clauses which are required, as a result of any change in, or decision of a competent authority under, Data Protection Law, to allow transfers of Personal Data to be made (or to continue to be made) without breach of Data Protection Law, or to this DPA which Company reasonably considers to be necessary to address the requirement of any Data Protection Law.4. If Company's compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Company's control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance.
- Customer will send all notifications, requests and instructions under this DPA to Company's Legal Department via email to [email protected] Company will send all notifications under this DPA to the customer contact email on file.
- Subject to any limitation of liability set out in the Agreement, to the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer's part of responsibility for the damages or fines.
Termination and return or deletion
- This DPA is terminated upon the termination of the Agreement.
- Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
Modification of this DPA
- This DPA may only be modified by a written amendment signed by both Company and Customer.
Invalidity and severability
- If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
Description of the Processing
1. Data Subjects
The Customer Personal Data Processed concern the following categories of Data Subjects (please specify):
Employees of Customer, including agents, advisors, and freelancers
Contact persons, including employees, of Customer's prospects, customers, business partners and vendors
2. Categories of Customer Personal Data
The Customer Personal Data Processed concern the following categories of data (please specify):
Account and user profile information (such as name, email, photo)
Directory information (such as employer, title, geographic location, area of responsibility)
IT information (such as IP addresses, cookies, usage data, device specific information, connection data, location data)
3. Sensitive data
The Customer Personal Data Processed concern the following special categories of data (please specify):
The Services are not intended to Process special categories of data.
4. Processing operations
The Customer Personal Data will be subject to the following basic Processing activities (please specify):
Providing the Services set out into the Agreement and any applicable statement of work
Company provides a copy of its technical and organizational security measures under Appendix 2 to customers under a valid Agreement, and to prospective customers under a confidentiality agreement.