Data Processing Addendum
Effective: August 1, 2018
This LEANSTACK Data Processing Agreement (“DPA”), that includes the Standard Contractual Clauses adopted by the European Commission, as applicable, reflects the parties’ agreement with respect to the terms governing the Processing of Personal Data under the LEANSTACK Customer Terms of Service (the “Agreement”).
This DPA is an amendment to the Agreement and is effective upon its incorporation into the Agreement, which incorporation may be specified in the Agreement, an Order or an executed amendment to the Agreement. Upon its incorporation into the Agreement, the DPA will form a part of the Agreement.
The term of this DPA shall follow the term of the Agreement. Terms not otherwise defined herein shall have the meaning as set forth in the Agreement.
1 INTERPRETATION
1.1 The definitions set out in this clause shall apply to this Schedule which is a part of the Customer Terms of Service.
Applicable Data Protection Law: prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data together with any transposition of that directive into member state law to which the controller is subject; and (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); and (iii) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (as amended or replaced from time to time) and applicable laws implementing that directive in European Union Member States.
Contract: a contract for the provision of Services, comprised of the Customer Terms of Service and this Schedule.
Data:has the meaning set out in Clause 2;
Laws: all laws, statutory provisions, enactments, orders, regulations, subordinate legislation, codes and other similar instruments (including EU instruments).
Services:the services to be provided by LEANSTACK as set out in the Contract and includes the products or materials arising out of the services.
1.2 References to any Laws shall be construed as a reference to the Laws as amended, replaced, consolidated or re–enacted from time to time and shall include Laws made under them.
1.3 References to clauses and schedules are to the clauses and schedules of the relevant Contract.
1.4 Any words introduced by the terms including, include, in particular or any similar expression shall be construed as illustrative and the words following any of those terms shall not limit the sense of the words preceding those terms.
1.5 In case of any conflict between the terms of this Schedule 1 and the terms of the Customer Terms of Service, the terms of this Schedule 1 shall prevail.
2 Data protection
2.1 For the purposes of this Clause 2, "controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in Applicable Data Protection Law.
2.2 The Customer appoints LEANSTACK as a processor to process the personal data described in the Contract (the "Data") on the Customer’s behalf. LEANSTACK must:
a. process the Data as a processor: (i) only for the purposes of providing the Services; (ii) only in accordance with Applicable Data Protection Law; and (iii) strictly in accordance with the Customer’s documented instructions from time to time, except where otherwise required by any EU (or any EU Member State) law applicable to LEANSTACK. In no event shall LEANSTACK process the Data for our own purposes or those of any third party;
b. ensure that any person that we authorize to process the Data (including our staff, agents and subcontractors) (an "Authorized Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty or otherwise), and shall not permit any person to process the Data who is not under such a duty of confidentiality. We shall ensure that all Authorized Persons process the Data only as necessary for the purposes outlined in Clause 2.2(a).
c. take all appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, (ii) accidental loss, alteration, unauthorized disclosure or access, and (iii) any other breach of security(each of (i), (ii) and (iii) an “Unauthorized Act”). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
i. the pseudonymisation and encryption of personal data;
ii. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
iii. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and/or
iv. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing;
d. immediately notify the Customer (i) upon becoming aware of an Unauthorized Act, (ii) provide all such timely information and cooperation as the Customer may require including in order for the Customer to fulfill any data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law, and (iii) further take all such measures and actions as are necessary to remedy or mitigate the effects of the Unauthorized Act and keep the Customer up-to-date about all developments in connection with the Unauthorized Act;
e. provide all reasonable and timely assistance to the Customer to enable you to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its right of access, correction, objection, erasure and data portability, as applicable); and (ii) any other complaint, notice, communication or enquiry received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, complaint, notice, communication or enquiry is made or sent directly to LEANSTACK, we shall promptly inform the Customer providing full details of the same;
f. permit the Customer (or your appointed third party auditors) to audit our compliance with this Contract, and make available to the Customer all information, systems and staff necessary for you (or your third party auditors) to conduct such audit. We acknowledge that the Customer (or your third party auditors) may enter our sites and facilities, on reasonable notice, for the purposes of conducting such audit;
g. not without the Customer’s prior written consent (i) transfer the Data (or permit the Data to be transferred) outside the European Economic Area; or (ii) disclose personal data to third parties, except where otherwise required by any EU (or any EU Member State) law applicable to LEANSTACK;
h. if we believe or become aware that the processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, promptly inform the Customer and provide you with all such reasonable and timely assistance as you may require in order to conduct a data protection impact assessment and, if necessary, consult with the Information Commissioner; and
i. as the "Indemnifying Party", indemnify the Customer (the "Indemnified Party") from and against all loss, cost, harm, expense (including reasonable legal fees), liabilities or damage ("Damage") suffered or incurred by the Indemnified Party as a result of the Indemnifying Party's breach of the data protection provisions set out in this Schedule, and provided that: (i) the Indemnified Party gives the Indemnifying Party notice of any circumstances of which it is aware that give rise to an indemnity claim under this Clause without undue delay; and (ii) the Indemnified Party takes reasonable steps and actions to mitigate any ongoing Damage it may suffer as a consequence of the Indemnifying Party's breach. Notwithstanding any limits or exclusions of liability in the Customer Terms of Service, the Indemnifying Party's liability for each claim by the Indemnified Party under this Clause 2.2 (i) shall not exceed the amount paid by the Indemnified Party to the Indemnifying Party under this agreement in the twelve (12) months preceding the last event giving rise to liability.