DATA PROCESSING ADDENDUM

Updated: January 18 2019

PARTIES

Supplier: Vivantio Limited (registered in England, company number 4952363) and Vivantio, Inc. (registered in California, corporation number 3300449)

Supplier’s Registered Address: Vivantio Limited, 25-31 Boulevard, Weston super Mare, BS23 1NX, UK and Vivantio, Inc., 200 Portland St, Boston, MA 02114, US

Client: As identified in the Order Form

Collectively “the Parties”

“Personal Data” has the meaning set out in the Data Protection Laws and Regulations.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Client Data” means all data, including Personal Data, supplied by the Client to the Supplier.

“Data Protection Laws and Regulations” means the Data Protection Act 1998, the GDPR and any subsequent UK data protection legislation.

“Data Subject” means an individual who is the subject of Personal Data.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Losses” means all damages, liabilities, demands, costs, expenses, claims, actions and proceedings (including all consequential, direct, indirect, special or incidental loss or punitive damages or loss, legal and other professional fees, cost and expenses, fines, penalties, interest and loss of profit or any other form of economic loss (including loss of reputation)).

“Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.

BACKGROUND

This Data Processing Addendum (“DPA”), along with the Supplier’s Standard Terms and Conditions, forms part of the contract agreement between the Supplier and the Client for the service(s) specified in the Order Form (together the “Agreement”) to reflect the Parties’ agreement with regard to the Processing of Personal Data.

This DPA shall not replace any comparable or additional rights relating to Processing of Personal Data contained in the Supplier’s Standard Terms and Conditions agreed when placing an order with the Supplier. Any defined terms which are not defined within this DPA shall have the same meaning as defined within the Supplier’s Standard Terms and Conditions.

1. Processing of Personal Data

1.1 Roles of the Parties. The Parties acknowledge and agree that with regard to the Processing of Personal Data, the Client is the Controller and the Supplier is the Processor.

1.2 Client’s Processing of Personal Data. The Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Client’s instructions to the Supplier for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. The Client shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Client acquired Personal Data. The Client warrants that it has acquired all necessary consents and authority for the Processing of all Personal Data as carried out by the Supplier and shall indemnify and keep indemnified on demand the Supplier from and against all Losses suffered or incurred by it arising out of or in connection with any breach of this Clause 1.2 by the Client.

1.3 Supplier’s Processing of Personal Data. The Supplier shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with the Client’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by users in their use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Client (e.g., via email) where such instructions are consistent with the terms of the Agreement.

1.4 Details of Processing. The subject-matter of Processing of Personal Data by the Supplier is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.

1.5 Sub-Processors. The Supplier will not permit any processing of the Client’s data by any agent, subcontractor, or other third party that the Client has not been made aware of in the Vivantio Security Overview documentation, without written authorization by the Client and shall only work with any such sub-processor under a written contract containing materially the same obligations as under this DPA.

2. Rights of Data Subjects

2.1 Data Subject Request. The Supplier shall, to the extent legally permitted, promptly notify the Client if the Supplier receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, the Supplier shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent the Client, in its use of the Services, does not have the ability to address a Data Subject Request, the Supplier shall upon the Client’s request provide commercially reasonable efforts to assist the Client in responding to such Data Subject Request, to the extent the Supplier is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, the Client shall be responsible for any costs arising from the Supplier’s provision of such assistance.

3. Supplier’s Personnel

3.1 Confidentiality. The Supplier shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. The Supplier shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

3.2 Reliability. The Supplier shall take commercially reasonable steps to ensure the reliability of any Supplier personnel engaged in the Processing of Personal Data.

3.3 Limitation of Access. The Supplier shall ensure that Supplier’s access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.

4. Security

4.1 Controls for the Protection of Client Data. The Supplier shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Client Data), confidentiality and integrity of Client Data, as set forth in the Vivantio Security Overview documentation. The Supplier regularly monitors compliance with these measures. The Supplier will not materially decrease the overall security of the Services during a subscription term.

4.2 Audits. The Supplier shall, on reasonable notice, allow for and contribute to audits, including inspections, by the Client in relation to its compliance with this DPA.

5. Client Data Incident Management and Notification

5.1 The Supplier maintains security incident management policies and procedures and shall notify the Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Client Data transmitted, stored or otherwise Processed by the Supplier or of which the Supplier becomes aware (a “Client Data Incident”). The Supplier shall make reasonable efforts to identify the cause of such Client Data Incident and take those steps as the Supplier deems necessary and reasonable in order to remediate the cause of such a Client Data Incident and/or complaint (to the extent the remediation is within the Supplier’s reasonable control) including any notification of the Client Data Incident to the Supervisory Authorities and/or communication to any affected Data Subjects. The obligations herein shall not apply to incidents that are caused by the Client or the Client’s users.

6. Return and Deletion of Client Data

6.1 The Supplier shall return Client Data to the Client at the termination of the Agreement or, to the extent allowed by applicable law, delete Client Data in an appropriate manner. The return of Client data may incur a charge and will be supplied in an appropriate format.

7. European Specific Provisions

7.1 GDPR. With effect from 25 May 2018, the Supplier will Process Personal Data in accordance with the GDPR requirements directly applicable to the Supplier’s provision of its Services.

7.2 Data Protection Impact Assessment. With effect from 25 May 2018, upon the Client’s request, the Supplier shall provide the Client with reasonable cooperation and assistance needed to fulfil the Client’s obligation under the GDPR to carry out a data protection impact assessment related to the Client’s use of the Services, to the extent the Client does not otherwise have access to the relevant information, and to the extent such information is available to the Supplier. The Supplier shall provide reasonable assistance to the Client in the cooperation or prior consultation with the Supervisory Authority regarding high risk processing in the performance of its tasks relating to Section 7.2 of this DPA, to the extent required under the GDPR.

7.3 Transfer mechanisms for data transfers. The Supplier will not transfer Personal Data from the European Union to countries which do not ensure an adequate level of data protection within the meaning of Data Protection Laws and Regulations of the foregoing territories. The Supplier may transfer Personal Data to data centers in the U.S. to provide the Services to the Client but only to data centers that comply with the EU-U.S. Privacy Shield.

Schedule 1 – Details of Processing

Nature and Purpose of Processing

The Supplier will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by the Client in its use of the Services.

Duration of Processing

Subject to Section 6 of the DPA, the Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon by the Parties in writing and/or to the extent that any applicable law requires the Supplier to retain any such Personal Data after the termination or expiry of the Agreement.

Categories of Data Subjects

The Client may submit Personal Data to the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of the Client (who are natural persons)
  • Employees or contact persons of the Client’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of the Client (who are natural persons)
  • The Client’s users authorized by the Client to use the Services

Type of Personal Data

The Client may submit Personal Data to the Services, the extent of which is determined and controlled by the Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title
  • Position
  • Employer
  • Contact information (company, email, phone, physical business address)
  • ID data
  • Professional life data
  • Personal life data
  • Connection data
  • Localization data