EXHIBIT A TO MASTER SERVICES AGREEMENT
DATA PROCESSING ADDENDUM
THIS DATA PROCESSING ADDENDUM (this “DPA”) applies solely to the Processing of Personal Data subject to Data Protection Laws (each, as defined below) by 15Five, Inc. (“15Five”) on your (“Customer”) behalf in connection with 15Five’s provision of its Services. This DPA is subject to the terms and conditions set forth in the agreement, by and between 15Five and Customer, that, by its terms, expressly governs Customer’s use of the Services (collectively, the “Agreement”). Capitalized terms used herein but not otherwise defined have the meanings ascribed to them in the Agreement.
STATEMENT OF PURPOSE
The parties wish to set out their roles and responsibilities with respect to 15Five’s Processing (as defined below) of Customer Personal Data (as defined below) pursuant to this DPA.
NOW, THEREFORE, in consideration of the mutual promises exchanged herein and of other good and valuable consideration, the receipt and sufficiency of which hereby are acknowledged, the parties hereby agree as follows:
- Definitions and Interpretation. For the purposes of this DPA, the following terms have the following meanings:
“Customer Data” means User Content, as well as any Confidential Information other than User Content.
“Customer Personal Data” means any Customer Data that identifies (or can be used to identify) a particular natural person and that is considered “personal data,” “personal information,” or a like characterization under Data Protection Laws;
“Data Protection Laws” means: the data protection laws of any jurisdiction applicable to 15Five’s business and/or identified here;
“Data Subject” means a particular identified or identifiable natural person;
“EEA” means the European Economic Area;
“Model Clauses” means the EC Standard Contractual Clauses for Processors as published in the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council set out here;
“Process,” “Processes,” and “Processing” means (performing) any operation or set of operations on Customer Personal Data, whether or not by automated means;
“Processor” means a natural person or legal entity which Processes Customer Data; and, with respect to the Processing of Customer Personal Data pursuant to this DPA, “Processor” means 15Five;
“Sub-Processor” means any Processor appointed by 15Five to assist with 15Five’s Processing of Customer Personal Data; and
“Supervisory Authority” means a government agency responsible for enforcement of the Data Protection Laws, with competent jurisdiction over the parties.
- 15Five’s Data Processing Obligations.
2.1. 15Five shall Process Customer Personal Data only as permitted under the Agreement, in accordance with Customer’s express written instructions (including as documented in this DPA, the Agreement, an Order Form, or through use of the Services), or in order to comply with applicable law.
2.2. From time to time Customer may provide additional instructions in writing to 15Five with regard to Processing of Customer Personal Data in accordance with Data Protection Laws. Any such additional instructions must relate to 15Five’s performance of the Services and must be agreed to by both parties in writing. Subject to such mutual agreement, 15Five shall comply with such instructions to the extent necessary for it to: (i) comply with its obligations as Processor of Customer Personal Data under applicable Data Protection Laws; and (ii) reasonably assist Customer in complying with Customer’s obligations under applicable Data Protection Laws.
2.3. Customer may obtain a current list of 15Five Sub-Processors on written request. As of the Effective Date, the Sub-Processors set out here are authorized to process Customer Personal Data on behalf of 15Five for the purpose of providing the Services. Subject to Section 2.4 below, Customer hereby agrees 15Five may engage additional Sub-Processors and add such Sub-Processors to its list of Sub-Processors accessed through the link set forth in this Section 2.3 hereinabove. 15Five shall take commercially reasonable steps to ensure any Sub-Processor that Processes Customer Personal Data hereunder is bound by terms comparably protective to the applicable terms set forth in this DPA as they apply to 15Five hereunder. 15Five will be responsible for the acts and omissions of its Sub-Processors in connection with their Processing of Customer Personal Data hereunder.
2.4. 15Five shall give Customer reasonable prior written notice of the appointment of any new Sub-Processor. If, within ten (10) days of receipt of such notice, Customer notifies 15Five in writing of a reasonable objection to the proposed appointment due to a good faith concern such Sub-Processor will adversely impact Customer’s ability to comply with applicable Data Protection Laws, 15Five shall work with Customer in good faith to make available commercially reasonable alternative(s), including in the modification of the Services which avoids the use of that proposed Sub-Processor. If 15Five, in its sole discretion, cannot provide any such alternatives, or if Customer does not agree to any such alternative(s) provided, either party may terminate, in whole or in part, the Agreement. Termination of the Agreement pursuant to this Section 2.4 shall not relieve Customer of any fees owed to 15Five under the Agreement. Upon such termination, Customer shall not make Customer Personal Data available to Processor. If Customer does not object to the proposed appointment of a Sub-Processor in accordance with this Section 2.4, such Sub-Processor shall be deemed an authorized Sub-Processor for the purposes of this DPA.
2.5. Subject to Section 2.15 below, 15Five will not transfer Customer Personal Data outside the EEA or the U.S. without Customer’s prior written consent.
2.6. 15Five will provide reasonable assistance to Customer to enable Customer to comply with its obligations under applicable Data Protection Laws in respect of the Customer Personal Data, including if and to the extent required by the applicable Data Protection Law, in the event a Data Subject requests: (i) access to such Data Subject’s Customer Personal Data Processed by 15Five hereunder; (ii) deletion of such Data Subject’s Customer Personal Data; (iii) information with respect to the categories and specific pieces of Customer Personal Data collected by Customer and related to such Data Subject; and (iv) information with respect to the categories of sources from which Customer Personal Data is collected by Customer. Subject to Section 2.7 below, within ninety (90) days of termination or expiration of the Agreement, 15Five shall delete all Customer Personal Data not permitted to be retained in accordance with the Agreement.
2.7. 15Five shall not be required to delete Customer Personal Data to the extent: (i) 15Five is required by applicable law or order of a government/regulatory body to retain some or all the Customer Personal Data; (ii) Customer Personal Data is archived on back-up systems, which Customer Personal Data shall be securely isolated and protected from any further Processing, except to the extent required by applicable law; and/or (iii) it otherwise is permitted to be retained by 15Five under the Agreement.
2.8. Within a commercially reasonable period of time (and in all cases, within the time period required by Data Protection Laws), 15Five will comply with any request from Customer requiring 15Five to amend, transfer or delete Customer Personal Data, unless otherwise required by applicable law.
2.9. In the event 15Five receives any complaint, notice or communication from a Supervisory Authority or a Data Subject which relates to the Processing of Customer Personal Data, 15Five shall notify Customer thereof within a commercially reasonable period of time (and in all cases, within the time period required by applicable Data Protection Laws) and shall provide Customer and the Supervisory Authority, if applicable, with full cooperation and assistance in relation to any such complaint, notice or communication. Any assistance provided to Customer by 15Five pursuant to this Section 2.9 shall be at Customer’s sole cost and expense.
2.10. Except as required by applicable law or permitted under the Agreement, 15Five will not disclose Customer Personal Data to any Data Subject or to a third party, other than an approved Sub-Processor, without Customer’s prior written consent.
2.11. 15Five will notify Customer within a commercially reasonable time period (and in all cases, within the time period required by applicable Data Protection Laws) upon becoming aware of any unauthorized or unlawful Processing, loss of, damage to, or destruction of any Customer Personal Data Processed by 15Five.
2.12. 15Five will maintain all appropriate records of Processing carried out in respect of Customer Personal Data in accordance with this DPA as well as with applicable Data Protection Laws (the “Records”).
2.13. Within a commercially reasonable period of time after receiving a written request from Customer and no more than once per calendar year, unless otherwise required by applicable law or a Supervisory Authority, 15Five will provide Customer with information demonstrating its compliance with this Article 2.
2.14. 15Five will take appropriate technical, administrative and organizational measures designed to protect against the unauthorized or unlawful Processing of Customer Personal Data, and against the loss or destruction of, or damage to Customer Personal Data while Processed by 15Five. 15Five’s current list of technical, administrative, and organizational measures is set out here.
2.15. If and as necessary to effect the transfer of such Customer Personal Data, as directed by Customer, 15Five may Process, access, or direct Customer Personal Data anywhere in the world.
2.16. With respect to the transfer of Customer Personal Data by Customer, other than from within the U.S., to 15Five in a Third Country (as defined herein), the parties agree 15Five is a “data importer” and Customer is the “data exporter” under the Model Clauses. With respect to the transfer of Customer Personal Data by 15Five to a Sub-Processor in a Third Country, 15Five shall take commercially reasonable steps to ensure such Sub-Processor complies with the data importer and Sub-Processor obligations under the Model Clauses. To the extent 15Five or a Sub-Processor Processes any Customer Personal Data that originates from the EEA, in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data, the parties agree to rely on the Model Clauses to permit the transfer of Customer Personal Data and to provide adequate protection for such transfer. For purposes hereof, “Third Country” means a country not recognized by the European Commission as providing a suitable level of data protection.
2.17. In the event Customer reasonably determines that any Processing activity related to 15Five’s Processing of Customer Personal Data is likely to result in high risk to the rights and freedoms of a Data Subject, 15Five and Customer shall reasonably cooperate, at Customer’s sole cost and expense, to conduct a data protection impact assessment of such Processing activity, with such impact assessment to be conducted in a manner so as not to interfere with 15Five business operations.
- Customer Obligations.
3.1. Customer agrees: (i) it will comply with its obligations under Data Protection Laws in the performance of its obligations under the Agreement, this DPA, and any Order Forms executed by the parties, including with respect to any Processing instructions it issues to 15Five; (ii) it will obtain all consents and rights necessary under Data Protection Laws for 15Five to Process Customer Personal Data; and (iii) it does not sell Customer Personal Data to 15Five in connection with the Agreement or this DPA. Customer warrants to 15Five that Customer’s instructions and actions with respect to the Customer Personal Data, including its appointment of 15Five as a Processor, have been or will be authorized by the relevant Data Subject to the extent required under applicable law.
3.2. Customer acknowledges it is responsible for its use of the 15Five System, including making appropriate use of the 15Five System to ensure a level of security appropriate to the risk in respect of the Customer Personal Data, securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the 15Five System, and taking any appropriate steps to securely encrypt or backup any Customer Personal Data transmitted to the 15Five System.
3.3. 15Five has no obligation to protect Customer Personal Data stored or transferred by Customer outside of the 15Five System (e.g., offline or on-premises storage).
- Processing Review.
4.1. The Records are 15Five’s Confidential Information.
4.2. 15Five shall permit Customer and its respective third party representatives, on reasonable prior written notice during normal business hours, subject to agreement with 15Five’s onsite confidentiality and security procedures and policies, no more than once per calendar year or as otherwise required by law, to gain access to, and receive copies of, the relevant portions of the Records, for the sole purposes of assessing Customer’s compliance with Data Protection Laws and assessing 15Five’s compliance with its obligations under this DPA. Customer shall conduct any such review within a reasonable timeframe so as not to unreasonably interfere in 15Five business operations.
4.3. Access by any third party representative of Customer shall be subject to such representative’s agreement to confidentiality obligations no less restrictive than those set forth in the Agreement with respect to the Records and information obtained in connection with such review, provided that all such Records and information may be disclosed to Customer.
- Term and Termination. This DPA shall remain in effect until the termination or expiration of the Agreement; provided, this DPA shall remain in effect as to any Customer Personal Data for so long as Customer Personal Data remains in the custody or control of 15Five. If 15Five Processes Customer Personal Data under one or more agreements in addition to the Agreement, this DPA shall terminate upon expiry of the last agreement between the parties related to the Processing of Customer Personal Data to expire or terminate.
- General.
6.1. In the event of any conflict between any term or condition of this DPA and any provision of the Agreement solely with respect to the Processing of Customer Personal Data, this DPA shall take precedence.
6.2. Except as necessary under applicable Data Protection Laws, a person who is not a party to this DPA may not enforce any of its terms against a party to this DPA.
6.3. The Agreement’s choice of law and venue provision apply to this DPA unless otherwise required by law.