Data Processing Addendum
The Data Processing Addendum set forth in this Exhibit C (this “DPA”)
Unless expressly stated otherwise, capitalized terms used in this DPA have the meanings given below or, if not defined in this DPA, have the meanings given to them elsewhere in this Agreement.
“Applicable Data Protection Laws” means the privacy, data protection and data security laws and regulations of any jurisdiction applicable to the Processing of Customer Personal Data under this Agreement, including GDPR and CCPA (as applicable).
“CCPA” means the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (the “CPRA”), and any regulations promulgated thereunder.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means any Personal Data that Customer makes available to SDA for Processing to perform the Services.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“Data Subject Request” means the request of a Data Subject to exercise rights under Applicable Data Protection Laws in respect of Customer Personal Data in SDA’s possession, custody or control.
“EEA” means the European Economic Area.
“GDPR” means, as and where applicable to Processing concerned (i) the General Data Protection Regulation (Regulation (EU) 2016/679) (“EU GDPR”) and/or (ii) the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 (as amended, including by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) (“UK GDPR”), including, in each case (i) and (ii), any applicable national implementing or supplementary legislation (e.g., the UK Data Protection Act 2018), and any successor, amendment or re-enactment, to or of the foregoing. References to “Articles” and “Chapters” of, and other relevant defined terms in, the GDPR shall be construed accordingly.
“Personal Data” means “personal data,” “personal information,” “personally identifiable information” or similar terms defined in Applicable Data Protection Laws.
“Personal Data Breach” means a breach of SDA’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data in SDA’s possession, custody or control.
“Process” and inflections thereof refer to any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure and destruction.
“Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Controller.
“Restricted Transfer” means any transfer of Customer Personal Data to any person located in (i) in the context of the EEA, any country or territory outside the EEA which does not benefit from an adequacy decision from the European Commission described in Chapter 45 of the GDPR (an “EU Restricted Transfer”) and (ii) in the context of the UK, any country or territory outside the UK, which does not benefit from an adequacy decision from the UK Government (a “UK Restricted Transfer”), in each case, which would be prohibited without a legal basis under Chapter V of the GDPR.
“SCCs” means the standard contractual clauses approved by the European Commission pursuant to implementing Decision (EU) 2021/914.
“Service Data” means any data relating to the use, support and/or operation of the Services, which is collected directly by SDA from and/or about Users of the Services and/or Customer’s use of the Services for its own purposes (certain of which may constitute Personal Data).
“Subprocessor” means any third party engaged directly or indirectly by or on behalf of SDA to Process Customer Personal Data under SDA’s care, custody or control.
“Supervisory Authority” means (i) in the context of the EEA and the EU GDPR, “supervisory authority” as defined in the EU GDPR; and (ii) in the context of the UK and the UK GDPR, means the UK Information Commissioner’s Office.
“UK Transfer Addendum” means the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of the Mandatory Clauses included in Part 2 thereof (the “UK Mandatory Clauses”).
2. SCOPE OF THIS DATA PROCESSING ADDENDUM
2.1 The Parties acknowledge and agree that the details of SDA’s Processing of Customer Personal Data (including the respective roles of the Parties relating to such Processing) are as described in Annex 1 (Data Processing Details) to this DPA.
2.2 Annex 2 (European Annex) to this DPA applies to SDA’s Processing of Customer Personal Data that is subject to the GDPR.
2.3 Annex 3 (California Annex) to this DPA applies to SDA’s Processing of Customer Personal Data that is subject to the CCPA.
2.4 Section 9 of this DPA applies to SDA’s Processing of Customer Personal Data to the extent required under any requirements of Applicable Data Protection Laws for contracts with Processors, and in such cases, only in respect of Processing subject to such laws.
3. PROCESSING OF CUSTOMER PERSONAL DATA
3.1 SDA shall not Process Customer Personal Data other than on Customer’s instructions or as required by applicable laws (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable, to which SDA is subject). Customer instructs SDA to Process Customer Personal Data to provide the Services and as authorized by this Agreement. This Agreement is a complete expression of such instructions, and Customer’s additional instructions will be binding on SDA only pursuant to an amendment to this DPA signed by both Parties. Where SDA receives an instruction from Customer that, in its reasonable opinion, violates Applicable Data Protection Laws, SDA shall notify Customer.
3.2 The Parties acknowledge that SDA’s Processing of Customer Personal Data authorized by Customer’s instructions stated in this DPA are integral to the Services and the business relationship between the Parties. Access to Personal Data does not form part of the consideration exchanged between the Parties in respect of this Agreement or any other business dealings.
4. VENDOR PERSONNEL
SDA shall ensure that all SDA employees or other personnel who Process Customer Personal Data are subject to contractual or appropriate statutory obligations of confidentiality with respect to such Customer Personal Data.
SDA shall implement and maintain technical, organizational and physical measures designed to protect the confidentiality, integrity and availability of Customer Personal Data and prevent Personal Data Breaches. Such measures shall include the measures described in Annex 4 of this DPA (the “Security Measures”) and such other measures as are required by Applicable Data Protection Laws. SDA may update the Security Measures from time to time, so long as the updated measures do not decrease in the aggregate the protection of Personal Data.
6. DATA SUBJECT REQUESTS
6.1 SDA, taking into account the nature of the Processing of Customer Personal Data, shall provide Customer with such assistance by appropriate technical and organizational measures as Customer may reasonably request to assist Customer in fulfilling its obligations under Applicable Data Protection Laws to respond to Data Subject Requests.
6.2 SDA shall promptly notify Customer if it receives a Data Subject Request and not respond to any Data Subject Request, other than to advise the Data Subject to submit the request to Customer, except as required by Applicable Data Protection Laws.
7. PERSONAL DATA BREACHES
7.1 SDA shall notify Customer of a Personal Data Breach without undue delay after becoming aware of the occurrence thereof. SDA’s notification of or response to a Personal Data Breach will not be construed as SDA’s acknowledgement of any fault or liability with respect to the Personal Data Breach. Customer is solely responsible for complying with notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Personal Data Breaches.
7.2 If Customer determines that a Personal Data Breach must be notified to any Supervisory Authority or other governmental authority, any Data Subject(s), the public or others under Applicable Data Protection Laws in a manner that directly or indirectly refers to or identifies SDA, where permitted by applicable laws, Customer agrees to notify SDA in advance and in good faith consult with SDA and consider any clarifications or corrections SDA may reasonably recommend or request to any such notification.
8.1 Customer generally authorizes SDA to appoint Subprocessors in accordance with this Section 8. Without limitation to the foregoing, Customer authorizes the engagement of the Subprocessors listed as of the effective date of this Agreement at the URL specified in 2.
8.2 Information about Subprocessors, including their functions and locations, is available at: https://www.softwaredefinedautomation.io/privacy-policy/ (as may be updated by SDA from time to time) or such other website address as SDA may provide to Customer from time to time (the “Subprocessor Site”).
8.3 When engaging any Subprocessor, SDA will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data where required by Applicable Data Protection Laws and to the extent applicable to the nature of the services provided by such Subprocessor. SDA shall be liable for all obligations under this Agreement subcontracted to the Subprocessor or its actions and omissions related thereto.
8.4 When SDA engages any Subprocessor after the effective date of this Agreement, SDA will notify Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) by updating the Subprocessor Site or by other written means at least 15 days before such Subprocessor Processes Customer Personal Data. If Customer objects to such engagement in a written notice to SDA within 15 days after being notified of the engagement on reasonable grounds relating to the protection of Personal Data, Customer and SDA will work together in good faith to consider a mutually acceptable resolution to such objection. If the parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate this Agreement and cancel the Services by providing written notice to SDA and pay SDA for all amounts due and owing under this Agreement as of the date of such termination. If Customer does not object to SDA’s appointment of a Subprocessor during the objection period referred to in this Paragraph 8.4, Customer shall be deemed to have approved the engagement and ongoing use of that Subprocessor.
9. COMPLIANCE ASSISTANCE; AUDITS
9.1 SDA, taking into account the nature of the Processing and the information available to SDA, shall provide such information and assistance as Customer may reasonably request (insofar as such information is available to SDA and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Personal Data Processed by SDA) to help Customer meet its obligations under Applicable Data Protection Laws, including in relation to the security of Customer Personal Data, the reporting and investigation of Personal Data Breaches, the demonstration of Customer’s compliance with such obligations, and the performance of any data protection assessments and consultations with Supervisory Authorities or other government authorities regarding such assessments in relation to SDA’s Processing of Customer Personal Data, including those required under Articles 35 and 36 of the GDPR.
9.2 SDA shall make available to Customer such information as Customer may reasonably request for SDA to demonstrate compliance with Applicable Data Protection Laws and this DPA. Without limitation of the foregoing, Customer may conduct (in accordance with Section 3 below), at its sole cost and expense, and SDA will reasonably cooperate with, reasonable audits (including inspections, manual reviews, and automated scans and other technical and operational testing that Customer is entitled to perform under Applicable Data Protection Laws), in each case, whereby Customer or a qualified and independent auditor appointed by Customer using an appropriate and accepted audit control standard or framework may audit SDA’s technical and organizational measures in support of such compliance and the auditor’s report is provided to Customer and SDA upon Customer’s request.
9.3 Customer shall give SDA reasonable advance notice of any such audits. SDA need not cooperate with any audit (a) performed by any individual or entity who has not entered into a non-disclosure agreement with SDA on terms acceptable to SDA in respect of information obtained in relation to the audit; (b) outside normal business hours; or (c) on more than one occasion in any calendar year during the term of this Agreement, except for any additional audits that Customer is required to perform under Applicable Data Protection Laws. The audit must be conducted in accordance with SDA’s safety, security or other relevant policies, must not impact the security, confidentiality, integrity or availability of any data Processed by SDA and must not unreasonably interfere with SDA’s business activities. Customer shall not conduct any scans or technical or operational testing of SDA’s applications, websites, Services, networks or systems without SDA’s prior approval (which shall not be unreasonably withheld).
9.4 If the controls or measures to be assessed in the requested audit are assessed in a SOC 2 Type 2, ISO, NIST or similar audit report performed by a qualified and independent third-party auditor pursuant to a recognized industry standard audit framework within twelve (12) months of Customer’s audit request (“Audit Report”) and SDA has confirmed in writing that there have been no known material changes to the controls audited and covered by such Audit Report(s), Customer agrees to accept provision of such Audit Report(s) in lieu of requesting an audit of such controls or measures. SDA shall provide copies of any such Audit Reports to Customer upon request.
9.5 Such Audit Reports and any other information obtained by Customer in connection with an audit under this Section 9 shall constitute confidential information of SDA, which Customer shall use only for the purposes of confirming compliance with the requirements of this DPA or meeting Customer’s obligations under Applicable Data Protection Laws. Nothing in this Section 9 shall be construed to obligate SDA to breach any duty of confidentiality, including (without limitation) any such duty owed to SDA’s other customers or other third parties.
10. RETURN AND DELETION
10.1 Upon termination of this Agreement, SDA shall return and/or delete all Customer Personal Data in SDA’s care, custody or control within a reasonable period of time.
10.2 Notwithstanding the foregoing, SDA may retain Customer Personal Data where required by law (or in the case of Customer Personal Data subject to the GDPR, the laws of the UK or European Union, as applicable), provided that SDA shall (a) maintain the confidentiality of all such Customer Personal Data and (b) Process Customer Personal Data only as necessary for the purpose(s) and duration specified in the applicable law requiring such retention.
11. CUSTOMER RESPONSIBILITIES
11.1 Customer agrees that, without limiting SDA’s obligations under Section 5 of this DPA, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to maintain a level of security appropriate to the risk in respect of Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that SDA uses to provide the Services; and (d) backing up Customer Data.
11.2 Customer shall ensure that there is a valid legal basis for SDA’s Processing of Customer Personal Data in accordance with this Agreement for the purposes of Applicable Data Protection Laws (including Article 6, Article 9(2) and/or Article 10 of the GDPR where applicable). Customer shall ensure (and is solely responsible for ensuring) that all required notices have been given to, and all consents and permissions have been obtained from, Data Subjects and others as are required, including under Applicable Data Protection laws, for SDA to Process Customer Personal Data as contemplated by this Agreement.
11.3 Customer agrees that the Service, the Security Measures, and SDA’s commitments under this DPA are adequate to meet Customer’s needs, including with respect to any security obligations of Customer under Applicable Data Protection Laws, and provide a level of security appropriate to the risk in respect of Customer Personal Data.
11.4 Customer shall ensure that Customer Personal Data made available to SDA for Processing does not contain any (a) Social Security numbers or other government-issued identification numbers; (b) biometric information; (c) passwords to any online accounts; (d) credentials to any financial accounts; (e) tax return data; (f) any payment card information subject to the Payment Card Industry Data Security Standard; (g) Personal Data of children under 16 years of age; (h) data relating to criminal convictions and offences or related security measures; or (i) information that constitutes special categories of personal data (as defined in the GDPR), sensitive personal information (as defined in the CCPA) or information of a similarly sensitive character regulated by Applicable Data Protection Laws.
11.5 Except to the extent prohibited by applicable law, Customer shall compensate SDA at SDA’s then-current professional services rates for, and reimburse any costs reasonably incurred by SDA in the course of providing, cooperation, information or assistance requested by Customer pursuant to Sections 6, 9 and 1 of this DPA beyond SDA’s provision of any self-service tools as part of the Services that Customer can use to obtain the requested cooperation, information or assistance.
The total aggregate liability of either Party towards the other Party, howsoever arising, under or in connection with this DPA will under no circumstances exceed any limitations or caps on, and shall be subject to any exclusions of, liability and loss agreed by the Parties in this Agreement.
13. SERVICE DATA
13.1 Customer acknowledges that SDA may collect, use and disclose Service Data for its own business purposes, such as:
- for accounting, tax, billing, audit, and compliance purposes;
- to provide, improve, develop, optimise and maintain the Services;
- to investigate fraud, spam, wrongful or unlawful use of the Services; and/or
- as otherwise permitted or required by applicable law.
13.2 In respect of any such Processing described in Section 1 above, SDA:
- independently determines the purposes and means of such Processing;
- shall comply with Applicable Data Protection Laws (if and as applicable in the context);
- shall Process such Service Data as described in SDA’s relevant privacy notices/policies, as updated from time to time; and
- where possible, shall apply technical and organisational safeguards to any relevant Personal Data that are no less protective than the Security Measures.
13.3 For the avoidance of doubt, this DPA shall not apply to SDA collection, use, disclosure or other Processing of Service Data, and Service Data does not constitute Customer Personal Data.
14. CHANGE IN LAWS
SDA may on notice vary this DPA to the extent that (acting reasonably) it considers necessary to address the requirements of Applicable Data Protection Laws from time to time, including (without limitation) as described in Section 1 of Annex 2 of this DPA. The Parties agree to cooperate in good faith to amend this Agreement or DPA as may be reasonably necessary to address compliance with Applicable Data Protection Laws.
In the event of any conflict or inconsistency between (a) the provisions in this DPA and any other provisions of this Agreement, this DPA shall prevail or (b) any SCCs entered into in the future pursuant to Section 1 of Annex 2 of this DPA and any provisions of this DPA and/or any other provisions of this Agreement, the SCCs shall prevail in respect of the Restricted Transfer to which they apply.
Annex 1 – Data Processing Details
Name: As set out in the applicable Order(s)
Contact details for data protection: As set out in the applicable Order(s)
Customer Activities: Manufacturing operations
Name: Software Defined Automation Inc.
Contact details for data protection: firstname.lastname@example.org
SDA Activities: Provider of a software-as-a-service industrial automation platform to organizations’ development and operations teams
DETAILS OF PROCESSING
Categories of Data Subjects: Users of the Services
Categories of Personal Data: Personal Data pertaining to Customer’s employees’ and other Users’ use of and interaction with the Services, which may include: (i) personal details such as business contact data (name, business phone and email, etc.) and (ii) technological details, such as internet protocol (IP) addresses, unique identifies and numbers (including unique identifiers in tracking cookies or similar technologies), pseudonymous identifiers, location data, internet/application/program activity data, and device IDs and addresses.
Sensitive Categories of Data, and associated additional restrictions/safeguards: Not applicable
Frequency of transfer: ongoing
Nature and purpose of the Processing: Processing operations required in order to provide the Services in accordance with this Agreement. Customer Personal Data will be processed: (i) as necessary to provide the Services as initiated by Customer in its use thereof, and (ii) to comply with any other reasonable instructions provided by Customer in accordance with the terms of this DPA.
Duration of Processing / Retention Period: Concurrent with term of this Agreement and then thereafter pursuant to Section 10 of this DPA
Transfers to Subprocessors: Transfers to Subprocessors are as, and for the purposes, described from time to time in the Subprocessor List (as may be updated from time to time in accordance with this DPA).
Annex 2 – European Annex
1. RESTRICTED TRANSFERS
The Parties acknowledge that should the transmission of Customer Personal Data between SDA and Customer under this Agreement involve a Restricted Transfer, the Parties shall, prior to any such Restricted Transfer taking place, enter into the required contractual transfer mechanism, which may include the SCCs and/or UK Transfer Addendum, in order to legitimately carry out such Restricted Transfer.
2. LIABILITY TO DATA SUBJECTS
Notwithstanding any provision of this Agreement to the contrary, nothing in this Agreement shall limit either Party’s liability to Data Subjects under the third party beneficiary provisions of the SCCs.
Annex 3 – California Annex
Capitalized terms used in this California Annex but not defined in this DPA or elsewhere in this Agreement shall have the meanings given to them in the CCPA. As used in this California Annex, “Personal Information” means Customer Personal Data that constitutes “personal information” under the CCPA.
1. Business Purposes and services: the Business Purposes and services for which SDA is Processing Personal Information are for SDA to provide the Services to and on behalf of Customer as set forth in this Agreement, as described in more detail in Annex 1 of this DPA.
2. It is the Parties’ intent that SDA is a Service Provider with respect to its processing of Customer Personal Data. SDA (a) acknowledges that Personal Information is disclosed by Customer only for limited and specified purposes described in this Agreement; (b) shall comply with applicable obligations under the CCPA and shall provide the same level of privacy protection to Personal Information as is required by the CCPA; (c) agrees that Customer has the right to take reasonable and appropriate steps under Section 9 of this DPA to help to ensure that SDA’s use of Personal Information is consistent with Customer’s obligations under the CCPA; (d) shall notify Customer in writing of any determination made by SDA that it can no longer meet its obligations under the CCPA; and (e) agrees that Customer has the right, upon notice, including pursuant to the preceding clause, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.
3. SDA shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose any Personal Information for any purpose other than for the Business Purposes specified in this Agreement, including retaining, using, or disclosing Personal Information for a Commercial Purpose other than the Business Purpose specified in this Agreement, or as otherwise permitted by CPPA; (c) retain, use or disclose Personal Information outside of the direct business relationship between SDA and Customer; or (d) combine Personal Information received pursuant to this Agreement with Personal Information (i) received from or on behalf of another person, or (ii) or collected from SDA’s own interaction with any Consumer to whom such Personal Information pertains. SDA hereby certifies that it understands the obligations under this Section and will comply with them.
4. Giving Customer notice of Subprocessor engagements in accordance with Section 8 of this DPA shall satisfy SDA’s obligation under the CPRA to give notice of such engagements.
5. Obligations under this California Annex that are neither required to be imposed on SDA for SDA to qualify as a Service Provider under the CCPA nor for the Parties to comply with their obligations under the CCPA in relation to the required terms of contracts, in each case, before the CPRA takes effect on January 1, 2023, shall apply to SDA only on and after January 1, 2023.
Annex 4 – Security Measures
SDA agrees to implement and maintain the following Security Measures:
1. Audit and risk assessment procedures for the purposes of periodic review and assessment of risks to SDA’s organization, monitoring and maintaining compliance with SDA’s policies and procedures, and reporting the condition of its information security and compliance to internal senior management.
2. Data security controls which include at a minimum logical segregation of data, restricted (e.g., role-based) access and monitoring, and utilisation of commercially available and industry standard encryption technologies for Customer Personal Data.
3. Logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions.
4. Password controls designed to manage and control password strength, expiration and usage.
5. System audit or event logging and related monitoring procedures to proactively record user access and system activity.
6. Operational procedures and controls to provide for configuration, monitoring and maintenance of technology and information systems, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from SDA’s
7. Network security controls and procedures for network services and components.
8. Vulnerability assessment and threat protection technologies and scheduled monitoring procedures designed to identify, assess, mitigate, and protect against identified security threats, viruses, and other malicious code.
9. Business resiliency/ continuity and disaster recovery procedures designed to maintain service and/or recovery from foreseeable emergency situations or disaster.