Data Processing Addendum

The parties conclude this Data Processing Addendum (“DPA”), which forms part of the Agreement between Customer and Supplier (“Psycholate LTD”), meaning the Subscription Services Agreement (the “Agreement”) to reflect their agreement about the Processing of Personal Data, in accordance with the requirements of applicable Data Protection Laws and Regulations, including the GDPR, to the extent applicable. To the extent Supplier, in providing the Services set forth in the Agreement, processes Personal Data on behalf of Customer, the provisions of this DPA apply. 

References to the Agreement will be construed as including this DPA. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. 

This DPA consists of two parts: (i) the main body of this DPA, and (ii) Attachments 1, 2 and 3 hereto. 

HOW TO EXECUTE THIS DPA

To complete this DPA, Customer should:

a. Sign the main body of this DPA in the signature box below.

b. Complete any missing information and sign Attachment 1, Attachment 2 and Attachment 3.

Submit the completed and signed DPA to Supplier via email to dpo@psycholate.com. Upon receipt of a validly completed DPA, this DPA will be legally binding (provided that Customer has not overwritten or modified any of the terms beyond completing the missing information).

HOW THIS DPA APPLIES

If the Customer entity signing this DPA is a party to the Agreement, then this DPA is an addendum to and forms part of the Agreement. 

If the Customer entity signing this DPA has submitted Schedule A pursuant to the Agreement then this DPA is an addendum to that Schedule A and applicable renewal terms. 

If the Customer entity signing this DPA is not a party to the Agreement, this DPA is not valid and is not legally binding. Such entity should request that the Customer entity who is party to the Agreement executes this DPA.

If the Customer entity signing the DPA is not a party to the Agreement directly with Supplier, but is instead a customer indirectly via an Authorized Reseller or a Partner, this DPA is not valid and is not legally binding. Such entity should contact the Authorized Reseller or the Partner to discuss whether any amendment to its agreement with that Reseller or Partner may be required.

This DPA shall not replace any comparable or additional rights relating to Processing of Personal Data contained in the Agreement.

DATA PROCESSING TERMS

Customer and Supplier hereby agree to the following provisions with respect to any Personal Data processed by Supplier in relation to the provision of the Services under the Agreement.

  1. DEFINITIONS

“Adequacy Decision” means a European Commission Decision that a third country or an international organization ensures an adequate level of data protection within the meaning of Article 45 (9) GDPR in conjunction with Article 25 (6) of Directive 95/46/EC, or within the meaning of Article 45 (3) GDPR, as applicable.

“Affiliate” means, with respect to any entity, any other entity Controlling, Controlled by or under common Control with such entity, for only so long as such Control exists; 

“Authorized Affiliate” means any of Customer’s Affiliate(s), which (i) is subject to Customer’s Binding Corporate Rules or to similar contractual clauses, including Standard Contractual Clauses or contractual clauses approved by a Supervisory Authority, where applicable, with the Customer to ensure adequate level of protection of Personal Data (ii) is not established in a Restricted Third Country, and (iii) is permitted to use the Services, i.e. is an Authorized User, pursuant to the Agreement between Customer and Supplier, but is not a signatory Party to the Agreement and is not a “Customer” as defined under the Agreement.  

“Authorized Client” means any of Customer’s Client(s) or their Client(s), which (i) is/are subject to Client’s Binding Corporate Rules or to similar contractual clauses, including Standard Contractual Clauses or contractual clauses approved by a Supervisory Authority, where applicable, with the Customer or the Customer’s Client(s) to ensure adequate level of protection of Personal Data, (ii) is not established in a Restricted Third Country, and (iii) is permitted to use the Services, i.e. is an Authorized User, pursuant to the Agreement between Customer and Supplier, but is not a signatory Party to the Agreement and is not a “Customer” as defined under the Agreement (applicable for Resellers or Partners).    

“Behavioral Data” means data that tracks or otherwise monitors a Data Subject’s activities or the Data Subject’s product and service usage.

“Binding Corporate Rules” are binding internal rules that regulate the transfer of Personal Data within an organization which, where applicable, have been approved by EU data protection authorities as providing an adequate level of protection to Personal Data.

“Control” means the direct or indirect ownership of more than 50% of the voting capital or similar right of ownership of an entity, or the legal power to direct or cause the direction of the general management and policies of that entity, whether through the ownership of voting capital, by contract or otherwise. Control and Controlling shall be construed accordingly;

“Dashboard” for applicable Services, means the user interface features of the hosted Software (as described in the Agreement);

“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data. 

“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller. 

“Data Protection Laws and Regulations” means all laws and regulations applicable to the Processing of Personal Data as part of or in connection with the Services, including but not limited to (i) laws and regulations of the European Union, the European Economic Area and their member states, including the GDPR, and ii) Adequacy Decisions, including the Privacy Shield, as either of (i) or (ii) may be amended and are in force from time to time;

“Data Subject” means the individual to whom Personal Data relates;

“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as may be amended from time to time;

“Personal Data” means data about a natural person processed by Supplier in relation to the provision of the Services under the Agreement, from which that person is identified or is identifiable (either directly or indirectly); for the avoidance of doubt, Personal Data includes but is not limited to Support Data, Behavioral Data and Unique Identifier Data.

“Privacy Shield” means Commission Implementing Decision EU 2016/1250 of 12 July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield;

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, transfer or otherwise making available, alignment or combination, blocking, erasure or destruction;

“Restricted Third Country” means a country to which a transfer of Personal Data, or from which access to Personal Data, would be prohibited by applicable Data Protection Laws and Regulations;

“Software” means the object code version of TraitForward software and/or any software to which Customer is provided access as part of the Services, including any updates or new versions. 

“Standard Contractual Clauses” means contractual clauses adopted by the European Commission based on Article 46 (5) GDPR in conjunction with Article 26 (4) of Directive 95/46/EC, or within the meaning of Article 46 (2) c) or d) GDPR, as applicable.

“Sub-processor” means any non-Affiliate or Affiliate Data Processor, engaged by Supplier, who agrees to receive from Supplier or from any other Sub-processor of Supplier Personal Data exclusively intended for the Processing to be carried out on behalf of the Customer, in accordance with its instructions, the terms of this DPA, and the terms of the written Sub-processor agreement;

“Supervisory Authority” means an independent public authority which is established by a EU Member State, pursuant to the GDPR. 

“Support Data” means information that Supplier collects, when Customer submits a request for support services or other troubleshooting, including information about hardware, software and other details related to the support incident, such as authentication information, information about the condition of the product, system and registry data about software installations and hardware configurations, and error-tracking files; 

“Unique Identifier Data” means a unique persistent identifier associated with an individual or a networked device, including a customer number held in a cookie, a user ID, a processor serial number, or a device serial number.

2. PROCESSING OF PERSONAL DATA

2.1 Roles of the Parties. The parties acknowledge and agree that for the purposes of this DPA Customer is the Data Controller and Supplier is the Data Processor. Customer may permit the use of the Services to Authorized Affiliate(s), and/or Authorized Clients, if applicable based on the Agreement, pursuant to the conditions set out in Clauses 14 and 15 of this DPA. 

2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with Data Protection Laws and Regulations. For the avoidance of doubt, Customer has instructed and throughout the duration of the Agreement shall continue to instruct Supplier to Process Personal Data only on the Customer’s and its Authorized Affiliates’/Authorized Clients’ (where applicable) behalf and in accordance with Data Protection Laws and Regulations and this DPA. It is clearly stated that Customer is solely responsible (i) for the legality of the purposes of the Processing, ii) for the necessity of the Processing to serve these purposes, iii) to inform any and all Data Subjects, whose Personal Data is processed by using the Services, about the scope, the purpose, the duration and the means of the Processing, their rights with respect to the Processing iv) to acquire the consent of the Data Subjects, whose Personal Data is being processed by using the Services, v) to conduct a Data Protection Impact Assessment Study (DPIA) within the meaning of Article 35 and 36 GDPR, where applicable.

2.3 Supplier’s Processing of Personal Data. a. Supplier shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions which include: (i) Processing in accordance with the Agreement and this DPA, (ii) Processing initiated by Authorized Affiliates/Authorized Clients, where applicable, in their use of the Services; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer (for example, via email) where such instructions are consistent with the terms of the Agreement and this DPA. b. Customer takes full responsibility to keep the amount of Personal Data provided to Supplier to the minimum necessary for the performance of the Services. c. Supplier shall not be required to comply with or observe Customer’s instructions, if such instructions would violate the GDPR or the Data Protection Laws and Regulations. Supplier shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other European Union or Member State data protection law. d. Supplier shall process Personal Data, if required to do so by European Union or Member State law to which Supplier is subject; in such a case, Supplier shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. Supplier shall promptly notify Customer of any legally binding request for disclosure of Personal Data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation.

2.4 Scope of the Processing. The subject-matter of Processing of Personal Data by Supplier is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Attachment 1 to this DPA.

3. RIGHTS OF DATA SUBJECTS

3.1 Complaints or Notices related to Personal Data. In the event Supplier receives any official complaint, notice, or communication that relates to Processing of Personal Data for or on behalf of the Customer or either party’s compliance with Data Protection Laws and Regulations, to the extent legally permitted, Supplier shall promptly notify Customer and, to the extent applicable, Supplier shall provide Customer with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication. Customer shall be responsible for any reasonable costs arising from Supplier’s provision of such assistance. 

3.2 Data Subject Requests. To the extent legally permitted, Supplier shall promptly notify Customer, if Supplier receives a request from a Data Subject to exercise the Data Subject’s right to consent, and to withdraw the consent, right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Factoring into account the nature of the Processing, Supplier shall assist Customer by appropriate organizational and technical measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Supplier shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent that Supplier is legally permitted to do so, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Supplier’s provision of such assistance.

4. SUPPLIER’S PERSONNEL

4.1. Confidentiality. Supplier shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Supplier shall ensure that such confidentiality obligations survive the termination of the personnel engagement. 

4.2. Reliability. Supplier shall take commercially-reasonable steps to ensure the reliability of its personnel engaged in the Processing of Personal Data. 

4.3. Limitation of Access. Supplier shall ensure that Supplier’s access to Personal Data is limited to those personnel assisting in the provision of the Services in accordance with the Agreement, and that access is limited to those personnel that is necessary for the provision of the Services.

4.4. Data Protection Officer. Supplier shall appoint, a Data Protection Officer, if and whereby such appointment is required by Article 37 of the GDPR. Any such appointed person or Supplier’s personnel responsible for privacy issues, may be reached at dpo@psycholate.com 

5. SUB-PROCESSORS

5.1. Appointment of Sub-processors. Customer acknowledges and agrees that:

(i) Supplier is entitled to retain its future Affiliate(s) as Sub-processor(s). Supplier shall inform the Customer of any intended changes to its Affiliates, acting as Sub-processors. 

(ii) Supplier may engage any third parties from time to time to process Personal Data in connection with the provision of Services. 

  1. List of Sub-processors. Current Sub-processors, are listed in Attachment 3 to this DPA, and Customer hereby authorizes the use of such Sub-processors to assist Supplier with the performance of Supplier’s obligations under the Agreement and this DPA. Supplier shall inform the Customer of any intended changes to such List by sending an email. Additionally, the list of Sub-processors is also available in the Services Dashboard. 
  2. Objection Right for New Sub-processors. Customer, in order to exercise its right to object to Supplier’s use of a new Sub-processor, whether Affiliate or not, shall notify Supplier promptly in writing within ten (10) business days after receipt of Supplier’s notice about its intention to use a new Sub-processor. In the event Customer objects to a new Sub-processor in the above way and delay, and that objection is not unreasonable, Supplier shall use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. In the event Customer objects to a new Sub-processor in the above way and delay, Supplier shall not disclose, transmit or in any other way announce Personal Data to the suggested Sub-processor, unless and until such time as agreed to by Customer in writing. If Supplier is unable to make available such change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the Services, which cannot be provided by Supplier without the use of the objected-to new Sub-processor by providing written notice to Supplier. Supplier shall refund Customer any prepaid fees covering the remainder of the Services following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer. 
  3. Contractual relationships. Supplier shall only engage and disclose Personal Data to Sub-processors that are parties to written agreements with Supplier containing data protection obligations no less protective that the obligations of this DPA. Supplier agrees and warrants, upon request of the Customer, to send promptly a copy of any Sub-processor contract to the Customer, and to make available to the Data Subject upon request a copy of the DPA, or any existing Sub-processing contract, unless the DPA or contract contain commercial information, in which case it may remove such commercial information, with the exception of Attachment 2, which shall be replaced by a summary description of the security measures, in those cases where the Data Subject is unable to obtain a copy from the Customer.
  4. Liability. Supplier shall be liable for the acts and omissions of its non-Affiliate Sub-processors to the same extent Supplier would be liable, if performing the services of each Sub-processor directly under the terms of this DPA. 

6. LOCATION OF FACILITIES

The parties agree that TraitForward Software, including the Portal, and all Personal Data will be hosted and/or stored at facilities located in data centers in the European Economic Area. All backups of TraitForward Software and all Personal Data will be hosted and/or stored at facilities located in the European Economic Area. 

If Supplier proposes to host or store TraitForward Software, including the Portal, or backups, and any Personal Data, at facilities located outside the European Economic Area (“Foreign Facility”), then Supplier shall provide prior written notice to Customer providing the details of such proposal (“Relocation Notice”). Customer may, at its sole discretion, object to the proposed Foreign Facility. If the parties cannot agree on a resolution within sixty (60) days following Customer’s objection then Customer may terminate this Agreement. Supplier shall not allow TraitForward software, including the Portal, or backups of the software, nor any Personal Data, to be hosted at and/or stored by a Foreign Facility unless and until such time as agreed to by Customer in writing.

  7. SECURITY 

Supplier shall ensure that during the provision of the Services Personal Data is protected with the security measures set out in Attachment 2 to this DPA. Supplier shall regularly monitor compliance with these measures. Supplier shall not materially decrease the overall security of the Services during Customer’s subscription term. Attachment 2 may be amended from time to time, upon parties’ written agreement, to meet higher standards of safety and privacy. In such case Attachment 2 shall be replaced.  

Customer represents that after its assessment of the requirements of the Data Protection Laws and Regulations, Customer considers that the security measures set out in Attachment 2 are appropriate to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of Processing, and that these measures ensure a level of security appropriate to the risks presented by the Processing and the nature of Personal Data to be protected having regard to the state of the art and the cost of their implementation. 

8. DATA INCIDENT MANAGEMENT AND NOTIFICATION

Supplier has in place reasonable and appropriate security incident management policies and procedures, specified in Attachment 2 of this DPA, and shall notify Customer without undue delay after becoming aware of an unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to Personal Data, transmitted, stored or otherwise Processed by Supplier or its Sub-processors of which Supplier becomes aware ( “Personal Data Breach”), as required under Article 33 of the GDPR. Supplier shall make reasonable efforts to identify the cause of such Personal Data Breach, and take those steps as it deems necessary and reasonable in order to remediate the cause of such a Personal Data Breach, to the extent that the remediation is within Supplier’s reasonable control. 

9. CERTIFICATIONS AND AUDITS

9.1 Audits. Upon Customer’s request, and subject to the confidentiality set forth in the Agreement, Supplier shall make available to the Customer that is not a competitor of Supplier all information necessary to demonstrate compliance with the obligations of Supplier under this DPA, and allow for and contribute to audits, including on-site audits, conducted by the Customer or by Customer’s independent, third-party auditor, in possession of the required professional qualifications bound by a duty of confidentiality, that is not a competitor of Supplier. The parties agree that the audits shall be carried out in accordance with the following specifications: Customer may contact Supplier to request an on-site audit of the architecture, systems, and procedures relevant to the protection of Personal Data. Customer shall reimburse Supplier for any time expended by Supplier or its Sub-processors for any such on-site audit at the Supplier’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Supplier shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Supplier or its Sub-processors. Customer shall promptly notify Supplier and provide information about any actual or suspected non-compliance discovered during an audit. 

9.2 Certifications. Supplier shall also allow and provide third-party certifications and audit results upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement. Supplier shall make available to Customer that is not a competitor of Supplier a copy of Supplier’s then most recent third-party certifications or audit results, as applicable. 

10. RECORDS AND COOPERATION WITH THE SUPERVISORY AUTHORITY 

10.1. Records. Where applicable, Supplier shall maintain a record, in electronic form, of all categories of processing activities carried out on behalf of the Customer, as per Article 30 (2) GDPR. 

10.2. Cooperation with the Supervisory Authority. Where applicable, Supplier shall, upon request, cooperate with the Supervisory Authority in the performance of its tasks, as per Article 31 of the GDPR.

11. RETURN AND DELETION OF PERSONAL DATA

Notwithstanding Clause 7.3 of the Agreement, Supplier shall, at the choice of the Customer, return Personal Data, to Customer or delete existing copies after the end of the provision of the Services and certify to the Customer that it has done so in accordance with the procedures specified in Attachment 2 to this DPA, unless mandatory laws require storage of Personal Data. In that case Supplier warrants that it shall guarantee the confidentiality of the Personal Data and shall not actively process Personal Data transferred anymore. 

12. DATA PROTECTION IMPACT ASSESSMENT

Upon Customer’s request, Supplier shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Article 35 of the GDPR to carry out a Data Protection Impact Assessment (“DPIA”) related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Supplier. Supplier shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under Article 36 of the GDPR.

13. DATA TRANSFERS 

Transfers of Personal Data under this DPA from Supplier to countries outside of the European Economic Area, if applicable, shall be made only in accordance with the following:

i. the transfer is to a jurisdiction for which an Adequacy Decision has been issued and subject to the terms of that Adequacy Decision;

ii. in the absence of an Adequacy Decision, the transfer is subject to the latest versions of the Standard Contractual Clauses approved by the European Commission from time to time, as published in the Official Journal of the European Union, and which themselves form part of this DPA.

14. AUTHORIZED AFFILIATES/AUTHORIZED CLIENTS

14.1 Contractual Relationship. The parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliate(s)/Authorized Client(s), where applicable, thereby establishing a separate DPA between Supplier and each such Authorized Affiliate/Authorized Client subject to the provisions of the Agreement, this Clause and Clause 15 of this DPA. Each Authorized Affiliate/Authorized Client, where applicable, agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Affiliate/Authorized Client, where applicable, is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services and Content by Authorized Affiliate(s)/Authorized Clients, where applicable, must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Affiliate/Authorized Client shall be deemed as a violation by Customer. 

14.2. Communication. The Customer that is contracting party to the Agreement shall remain responsible for coordinating all communication with Supplier under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates/Authorized Clients, where applicable. Customer informs Supplier of the Authorized Affiliate(s)/Authorized Client(s), where applicable, to which Customer intends to permit the use of the Services, thereby giving Supplier the opportunity to object, in case the requirements set out in the Definition of an Authorized Affiliate/Authorized Client under this DPA are not met.

14.3. Rights of Authorized Affiliates. Where an Authorized Affiliate/Authorized Client, where applicable, becomes a party to the DPA with Supplier, it shall, to the extent required under applicable Data Protection Laws and Regulations, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

i. Except where applicable Data Protection Laws and Regulations require the Authorized Affiliate/Authorized Client to exercise a right or seek any remedy under this DPA against Supplier directly by itself, the parties agree that (a) solely the Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Affiliate/Authorized Client, and (b) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Affiliate/Authorized Client individually but in a combined manner for all of its Authorized Affiliates and/or Authorized Clients together (as set forth, for example, in Section 14.3.ii below). 

ii. The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit on the procedures relevant to the protection of Personal Data, take all reasonable measures to limit any impact on Supplier and its non-Affiliate Sub-processors by combining, to the extent reasonable possible, several audit requests carried out on behalf of different Authorized Affiliates and/or Authorized Clients in one single audit. 

15. LIABILITY

For the avoidance of doubt, Supplier’s total liability for all claims from the Customer and all of its Authorized Affiliates and/or Authorized Clients arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates and/or Authorized Clients, and in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate/Authorized Client that is a contractual party to any such DPA. 

16. LEGAL EFFECT; TERMINATION; VARIATION

This DPA shall only become legally binding between Customer and Supplier, when fully executed following the formalities steps set out in the Section “How to Execute this DPA” and will terminate when the Agreement terminates, without further action required by either party.

The parties undertake not to vary or modify the DPA. This does not preclude the parties from adding clauses on business related issues, where required as long as they do not contradict the DPA. 

17. CONFLICT

This DPA is incorporated into and forms part of the Agreement. For matters not addressed under this DPA, the terms of the Agreement apply. With respect to the rights and obligation of the parties vis-à-vis each other, in the event of a conflict between the terms of the Agreement and this DPA, the terms of this DPA will control. 

IN WITNESS WHEREOF, the parties have caused this Data Processing Addendum to be duly executed. Each party warrants and represents that its respective signatories, whose signatures appear below, are on the date of signature duly authorized.

CUSTOMER SUPPLIER

Attachment 1

Details of the Processing

This attachment includes certain details of the Processing of Personal Data as required by Article 28(3) GDPR.

Nature and Purpose of Processing 

Supplier will Process Personal Data as necessary to perform the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services. 

Duration of Processing 

Subject to Clause 11 of the DPA, and notwithstanding Clause 7.3 of the Agreement, Supplier shall Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing. Unless otherwise agreed upon in writing, Supplier shall, at the choice of the Customer, return Personal Data, to Customer or delete existing copies after the end of the provision of the Services and certify to the Customer that it has done so in accordance with the procedures specified in Attachment 2 to this DPA, unless mandatory laws require the storage of Personal Data. In that case Supplier warrants that it shall guarantee the confidentiality of the Personal Data and shall not actively process Personal Data transferred anymore.

Categories of Data Subjects 

employees, candidates for a job posts, participants in a research survey, researchers, professors […]

Type of Personal Data 

name, surname, job title, email address, behavioral and personality traits.

CUSTOMER SUPPLIER

Attachment 2 

Description of the technical and organizational security measures implemented by Supplier in accordance with Article 28.3 of the GDPR, which form part of the DPA :

  1. Personnel. a. Personnel has executed written confidentiality agreements that survive termination of their employment contract; b. Personnel is regularly and appropriately trained; c. There is segregation of duties and personnel’s access to Personal Data is limited as appropriate and necessary to their roles; d. A Security Officer has been appointed in written, who supervises compliance with security measures.
  2. Physical and environmental security. a. Controlled access to facilities; b. Emergency and contingency plans for various disasters, including fire, are in place, and drills are in practice regularly; c. A Clean Desk policy is implemented; d. Destruction of physical records in paper shredders and of electronic records by overwriting with the use of special software, like file erasers, file shredders, file pultivizers, or, for daily destruction, by formatting; e. Portable devices are encrypted and accessed only by secure codes.
  3. Data Security. a. Use of anti-virus, anti-malware and anti-spyware software, and of industry-standard firewalls of the latest update; b. Undertaking of specific hardening activities; c. Capacity planning with view to work load and future requirements; d. Remote access based on encryption and safe protocols; e. Regular implementation of vulnerability and penetration tests; f. Change control: all changes to platform, application, and production infrastructure (for example software update, development of new software, antivirus installation or deinstallation) are tested in an isolated environment not affecting real data; central administration of changes by specific users; regular controls that no software has been installed out of the regular process; g. logical and physical (where applicable) separation of Customer’s data.
  4. Access Control and Authentication. a. A procedure for user account creation and deletion, with appropriate approvals is in place; b. Industry standard practices to identify and authenticate users who attempt to access information systems are utilized; c. De-activated or expired identifiers are not granted to other individuals.
  5. Password Policy. a. Access to all systems, applications and software is password protected; b. Admissible passwords comply with password configurations (e.g. minimum length, expiration, complexity etc); c. Change of passwords is enforced regularly; d. Passwords are not written in their actual form, either physically or electronically; e. Passwords are retained electronically in a non-readable form. Retrieval of their initial form is not possible; f. After three attempts of unsuccessful access authorization, access is prohibited to the user; g. Industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed; h. Customer is responsible for protecting the confidentiality of his login and password. 
  6. Log Retention Policy. a. Log files are retained for all crucial systems; b. Following information is necessarily retained at a minimum: i) identification of user who required access to personal data, date and time of the request, system for which access was requested, whether access has been granted or not; ii) Same information with regard to non-authorized access efforts; iii) Printing requests and other export requests of files with Personal Data; iv) Modifications in crucial files of the system or in the users’ rights; v) Changes in the parameters of apps and systems vi) Crucial events and of any action that may be considered as an attack or a security incident (e.g. port scanning). The retention of events is directly supervised by the Security Officer and the System Administrator; c. Log files may only be assessed by the Security Officer and the System Administrator; d. Deletion of log files has to be authorized by both the Security Officer and a member of the senior management.
  7. Service Continuity and Disaster Recovery. a. Supplier utilizes facilities (data centers), for Personal Data and their back-ups, providing adequate emergency and contingency plans and guarantees; b. Supplier has in place adequate data recovery procedures. 
  8. Incident Monitoring and Management. An Incident means any security incident that may lead to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data transmitted, stored or otherwise processed (potential Personal Data Breach). Supplier has in place a policy for Incident Monitoring and Management, which includes i) internal reporting of potential Personal Data Breaches, ii) recovery of a Personal Data Breach, iii) risk assessment, iv) notification of Personal Data Breach to the Data Controller, the Supervisory Authority and the affected data subject, as applicable, v) evaluation and response measures to prevent similar breaches.  
  9. Audit and Review. Internal and external audit takes place on an annual basis. Technical and Organizational Security Measures are reviewed annually, and in case of a major change.    

CUSTOMER SUPPLIER

Attachment 3

The list of non -Affiliate Sub-processors approved by the Customer as of the effective date of the DPA is as set forth below; 

Non – Affiliate Sub-processor Description of Processing  Contact InformationLocation of Facilities (including back up facilities)
Hetzner Online GmbH Dedicated server hostinghttps://www.hetzner.com/support-form/Sigmundstraße 135, 90431 Nürnberg, Germany
Dropbox Backups (doubly encrypted)https://www.dropbox.com/contactMultiple Locations in EU & US
GoogleBusiness emailhttps://about.google/contact-google/EU
MailgunTransactional email sendinghttps://www.mailgun.com/contact/EU Data Centers

CUSTOMERSUPPLIER