Data Processing Addendum

DATA PROCESSING ADDENDUM FOR APPAEGIS CUSTOMERS

This Data Processing Addendum (“DPA”) supplements the negotiated addendum between the organization identified below (“Customer”) and Appaegis Inc. (“Appaegis”) governing Customer’s use of the Services, along with any subsequent amendments and orders (the “Addendum”). It is applicable when the GDPR applies to Customer’s use of the Services to process Personal Data.

This DPA shall be effective on the later of the effective date of the Addendum or the date both parties execute this DPA (“Effective Date”). Unless otherwise defined in the Addendum, all capitalized terms used in this DPA will have the meanings given to them in Section 27 of this DPA.

  1. Processing of Personal Data
    1. Scope: This DPA applies when Personal Data is processed by Appaegis. In this context, Appaegis will act as processor to Customer, who can either act as controller or processor of Personal Data.
    2. Customer Controls: Customer can use Service Controls to assist it with its obligations under the GDPR, including its obligations to respond to requests from data subjects. In the event Appaegis becomes aware that Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Appaegis will cooperate with Customer to erase or rectify inaccurate or outdated Personal Data transferred under the Standard Contractual Clauses by providing the Service Controls that Customer can use to erase or rectify Personal Data.
    3. Details of Personal Data Processing:
      1. Subject Matter: The subject matter of data processing under this DPA is Personal Data.
      2. Duration: As between Customer and Appaegis, the duration of data processing under this DPA is determined by Customer.
      3. Purpose: The purpose of data processing under this DPA is the provision of the Services initiated by Customer from time to time.
      4. Nature of the Processing: Compute, storage and such other Services as described in the Documentation and initiated by Customer from time to time.
      5. Types of Personal Data: Personal Data uploaded to the Services under Customer’s Appaegis account.
      6. Categories of Data Subjects: The data subjects could include Customer’s customers, employees, suppliers and End Users.
    4. Compliance with Laws: Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this DPA including the GDPR.
  1. Customer Instructions
    1. The parties agree that this DPA and the Addendum (including Customer providing instructions via the Services) constitute Customer’s documented instructions regarding Appaegis’ processing of Personal Data (“Documented Instructions”). Appaegis will process Personal Data only in accordance with Documented Instructions. Additional instructions outside the scope of the Documented Instructions (if any) require prior written addendum between Customer and Appaegis, including addendum on any additional fees payable by Customer to Appaegis for carrying out such instructions. In the event Appaegis reasonably believes that Documented Instructions infringe the GDPR, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions.
  1. Confidentiality of Personal Data

    Appaegis will not access or use, or disclose to any third party, any Personal Data, except, in each case, as necessary to maintain or provide the Services, or as necessary to comply with the law or a valid and binding order of a governmental body (such as a subpoena or court order). If a governmental body sends Appaegis a demand for Personal Data, Appaegis will attempt to redirect the governmental body to request that data directly from Customer. As part of this effort, Appaegis may provide Customer’s basic contact information to the governmental body. If compelled to disclose Personal Data to a governmental body, then Appaegis will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Appaegis is legally prohibited from doing so.

  1. Confidentiality Obligations of Appaegis Personnel

    Appaegis restricts its personnel from processing Personal Data without authorisation by Appaegis as described in the Security Standards. Appaegis imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

  1. Security of Personal Data Processing
    1. Technical and Organizational Measures by Appaegis: Appaegis has implemented and will maintain the technical and organizational measures for the Appaegis Network as described in the Security Standards and this Section. In particular, Appaegis has implemented and will maintain the following technical and organizational measures:
      1. security of the Appaegis Network as set out in Section 1.1 of the Security Standards;
      2. physical security of the facilities as set out in Section 1.3 of the Security Standards;
      3. measures to control access rights for Appaegis employees and contractors to the Appaegis Network as set out in Section 1.2 of the Security Standards; and
      4. processes for regularly testing, assessing and evaluating the effectiveness of the technical and organizational measures implemented by Appaegis as described in Section 2 of the Security Standards.
    2. Technical and Organizational Measures by Customer: Customer can also elect to implement technical and organizational measures to protect Personal Data. Such technical and organizational measures can be obtained by Customer from Appaegis, or directly from a third-party supplier.
  1. Sub-Processing
    1. Sub-processor Obligations: Customer provides general authorisation to Appaegis’ use of subprocessors to provide processing activities on Personal Data on behalf of Customer (“Sub-processors”) in accordance with this Section. The Appaegis website (at https://www.appaegis.com/sub-processors) lists Sub-processors that are currently engaged by Appaegis. At least 30 days before Appaegis engages a Sub-processor, Appaegis will update the applicable website and provide Customer with a mechanism to obtain notice of that update. In the event, Customer objects to a Sub-processor, Customer can:
      1. terminate the Addendum pursuant to its terms; or
      2. cease using the Service for which Appaegis has engaged the Sub-processor.
    2. Sub-processor Obligations: Where Appaegis authorizes a Sub-processor as described in Section 6:
      1. Appaegis will restrict the Sub-processor’s access to Personal Data only to what is necessary to provide or maintain the Services in accordance with the Documentation, and Appaegis will prohibit the Sub-processor from accessing Personal Data for any other purpose;
      2. Appaegis will enter into a written addendum with the Sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Appaegis under this DPA, Appaegis will impose on the Sub-processor the same contractual obligations that Appaegis has under this DPA; and
      3. Appaegis will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Appaegis to breach any of Appaegis’ obligations under this DPA.
  1. Appaegis’ Assistance with Data Subject Requests 

    Appaegis shall provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to:

    1. any request from a data subject to exercise any of its rights under GDPR (including its rights of access, correction, objection and erasure, as applicable); and
    2. any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in each case in respect of Personal Data that Appaegis processes on Customer's behalf.

    In the event that any request, correspondence, enquiry or complaint (referred above) is made directly to Appaegis, Appaegis acting as a processor shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so, and instead, after being notified by Appaegis, Customer shall respond. If Appaegis is legally required to respond to such a request, Appaegis will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.

    To the extent Appaegis is required under GDPR, Appaegis shall (at Customer's request and expense) provide reasonably requested information regarding the Services to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by GDPR.

  1. Optional Security Features

    Customer can elect to implement technical and organizational measures to protect Personal Data. Such technical and organizational measures can be obtained by Customer from Appaegis, or directly from a third-party supplier. The Customer is responsible for:

    1. implementing the technical and organizational measures, as appropriate;
    2. properly configuring the Services;
    3. using the Service Controls to allow Customer to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident (for example backups and routine archiving of Personal Data); and
    4. taking such steps as Customer considers adequate to maintain appropriate security, protection, and deletion of Personal Data, which includes use of encryption technology to protect Personal Data from unauthorized access and measures to control access rights to Personal Data.
  1. Security Incident Notification
    1. Security Incident: Appaegis will:
      1. notify Customer of a Security Incident without undue delay after becoming aware of the Security Incident; and
      2. take appropriate measures to address the Security Incident, including measures to mitigate any adverse effects resulting from the Security Incident.
    2. Assistance by Appaegis:To enable Customer to notify a Security Incident to supervisory authorities or data subjects (as applicable), Appaegis will cooperate with and assist Customer by including in the notification under Section 9.1(a) such information about the Security Incident as Appaegis is able to disclose to Customer, taking into account the nature of the processing, the information available to Appaegis, and any restrictions on disclosing the information, such as confidentiality. Taking into account the nature of the processing, Customer agrees that it is best able to determine the likely consequences of a Security Incident.
    3. Failed Security Incident: Customer acknowledges that a Failed Security Incident will not be subject to this Section 9. For the purposes of this DPA, a Failed Security Incident is one that results in no unauthorized access to Personal Data or to any of Appaegis’ equipment or facilities storing Personal Data, and could include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.
    4. No Acknowledgment of Fault or Liability: Appaegis’ obligation to report or respond to a Security Incident under this Section 9 is not and will not be construed as an acknowledgement by Appaegis of any fault or liability of Appaegis with respect to the Security Incident.
    5. Communication: Appaegis will deliver notification(s) of Security Incidents, if any, to one or more of Customer’s administrators by any means Appaegis selects, including via email. During the term of this DPA, Customer shall have an ongoing obligation to report any change in its contact information and maintain secure transmission at all times.
  1. Appaegis Certifications and Audits
    1. Certifications: In addition to the information contained in this DPA, upon Customer’s request, and provided that the parties have an applicable non-disclosure addendum in place, Appaegis will make available the certifications issued for the SOC2 Type 2 compliance (or the certifications or other documentation evidencing compliance with such alternative standards as are substantially equivalent to SOC2 Type 2 compliance).
    2. Appaegis Audits: Appaegis uses external auditors to verify the adequacy of its security measures. This audit:
      1. will be performed at least annually;
      2. will be performed according to SOC2 Type 2 compliance or such other alternative standards that are substantially equivalent to SOC2 Type 2 compliance; and
      3. will be performed by independent third-party security professionals at Appaegis’ selection and expense. Customer acknowledges that any audit report generated by external auditors will be Appaegis’ Confidential Information.
    3. Privacy Impact Assessment and Prior Consultation: Appaegis will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation, by providing the information Appaegis makes available under this Section 10.
  1. Audits by Appaegis

    In the event Customer chooses to conduct any audit, including any inspection, it has the right to request or mandate on its own behalf under the GDPR or the Standard Contractual Clauses, that Appaegis make available to Customer all information reasonably necessary to conduct the audit. If Appaegis declines to follow any reasonable instruction requested by Customer regarding audits, including inspections, Customer is entitled to terminate the Addendum in accordance with its terms.

  1. Transfer of Personal Data

    The Standard Contractual Clauses will apply to any transfer of Personal Data between Customer (as data exporter) and Appaegis (as data importer) to locations both inside and outside of the European Economic Area (“EEA”). To the extent such transfer involves a transfer of Personal Data originating from Customer in the EEA or Switzerland to Appaegis or its Sub-processors located in countries outside the EEA that have not received a binding adequacy decision (each a “Data Transfer”), the parties agree that the Standard Contractual Clauses (Controller-to-Processor Clauses) would apply to such transfer of Personal Data.

  1. Termination of the DPA

    The DPA would continue to be in force until the termination of the Addendum (the “Termination Date”).

  1. Return or Deletion of Personal Data 

    At any time up to the Termination Date, and for 90 days following the Termination Date, subject to the terms and conditions of the Addendum, Appaegis will return or delete Personal Data when Customer uses the Service Controls to request such return or deletion. No later than the end of this 90-day period, Customer will close all accounts containing Personal Data.

  1. Duties to Inform

    Where Personal Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Appaegis, Appaegis will inform Customer without undue delay. Appaegis will, without undue delay, notify all relevant parties in such action (for example, creditors, bankruptcy trustee) that any Personal Data subjected to those proceedings is Customer’s property and area of responsibility and that Personal Data is at Customer’s sole disposition.

  1. Entire Addendum; Conflict

    This DPA constitutes the entire addendum between the parties with respect to the subject matter hereof and supersedes all prior understandings regarding such subject matter, whether written or oral. To the extent a conflict exists between this DPA and the Addendum regarding the subject matter of this DPA, the terms of this DPA will govern. To the extent a conflict exists between this DPA and the Standard Contractual Clauses regarding the subject matter of this DPA, the Standard Contractual Clauses will govern. Except as amended by this DPA, the Addendum will remain in full force and effect. Nothing in this DPA varies or modifies the Standard Contractual Clauses.

  1. Limitation of Liability

    Notwithstanding anything to the contrary in the Addendum or this DPA, the liability of each party and each party’s affiliates under this DPA shall be subject to the exclusions and limitations of liability set out in the Addendum.

  1. Amendment

    No amendment or modification of this DPA will be binding unless in writing and signed by the parties.

  1. Waiver

    Any waiver by a party of a breach of any provision of this DPA will not operate as or be construed as a waiver of any further or subsequent breach.

  1. Survival

    Provisions of this DPA that by their nature are to be performed or enforced following any termination of this DPA will survive such termination.

  1. Assignment

    Appaegis may assign this DPA to an affiliate or in connection with a merger of Appaegis or the sale of substantially all Appaegis’ assets.

  1. Binding Effect

    This DPA will be binding upon and inure to the benefit of the parties, their successors, and permitted assigns.

  1. Unenforceability and Severability

    If for any reason, a court of competent jurisdiction or duly appointed arbitrator finds any provision or portion of this DPA to be unenforceable, the remainder of this DPA will continue in full force and effect.

  1. Headings

    The headings are for convenience only and do not affect the interpretation of this DPA.

  1. Third Party Rights

    Except to the extent expressly provided by the Standard Contractual Clauses with respect to data subjects, this DPA does not give rise to any rights for third parties to enforce any term of this DPA.

  1. Authority of Signatories

    Each person signing this DPA represents and warrants that they are duly authorized and have legal capacity to execute it.

  1. Definitions

    Unless otherwise defined in the Addendum, all capitalized terms used in this DPA will have the meanings given to them below:

    1. Appaegis Network: means Appaegis’ data center facilities, servers, networking equipment, and host software systems (for example, virtual firewalls) that are within the control of Appaegis and are used to provide the Services.
    2. controller: has the meaning given to it in the GDPR.
    3. Controller-to-Processor Clauses: means the standard contractual clauses between controllers and processors for Data Transfers, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, and currently located at https://www.appaegis.com/sub-processors.
    4. Customer: has the meaning first given above.
    5. Data Transfer: has the meaning given to it in Section 12.
    6. Documentation: means the user guides, online help, release notes, training materials and other documentation provided or made available by Appaegis to Customer regarding the use or operation of the Services.
    7. Documented Instructions: has the meaning given to it in Section 2.1.
    8. EEA: means the European Economic Area
    9. End Users: means each person that is permitted by Customer to use the Services.
    10. GDPR: means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
    11. Personal Data: means “personal data” (as defined in the GDPR) that is uploaded to the Services under Customer’s accounts.
    12. processing: has the meaning given to it in the GDPR and “process”, “processes” and “processed” will be interpreted accordingly.
    13. processor: has the meaning given to it in the GDPR.
    14. Security Standards: means the security standards attached to the Addendum, or if none are attached to the Addendum, attached to this DPA as Schedule 1.
    15. Security Incident: means a breach of Appaegis’ security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
    16. Services: means the same services that Appaegis provides to Customer as defined in the Addendum.
    17. Service Controls: means the controls, including security features and functionalities, that the Services provide, as described in the Documentation.
    18. Standard Contractual Clauses: means the Controller-to-Processor Clauses.
    19. Sub-processor(s): has the meaning given to it in Section 6.1.
    20. Termination Date: has the meaning given to it in Section 13.

Schedule 1

SECURITY STANDARDS

    Capitalized terms not otherwise defined in this document have the meanings assigned to them in the Addendum.

  1. Information Security Program

    Appaegis will maintain an information security program designed to:

    1. help Customers secure Personal Data against accidental or unlawful loss, access or disclosure,
    2. identify reasonably foreseeable risks to security and unauthorized access to the Appaegis Network, and
    3. minimize security risks, including through regular testing and risk assessment. Appaegis will designate one or more employees to coordinate and be accountable for the information security program.

    The information security program will include the following measures:

    1. Appaegis Network Security: Appaegis Network will be accessible to contractors, employees and any other person as necessary to provide the Services. Appaegis will use firewalls or functionally equivalent technology and authentication controls to manage access to the Appaegis Network from each network connection and user. Appaegis will also maintain corrective action and incident response plans to respond to potential security threats.
    2. Restricted Employee and Contractor Access: Appaegis provides access to its facilities to only those employees and contractors who have a legitimate business need for such access privileges. Appaegis promptly revokes access privileges when an employee or contractor no longer has a need for the access privileges assigned to him/her.
    3. Physical Security Protection: All physical access to Appaegis’ facilities by employees and contractors is logged and routinely audited. In addition, Appaegis also monitors access points to its facilities using video surveillance cameras and other electronic intrusion detection systems designed to detect unauthorized access to the facilities.
  1. Continued Evaluation

    Appaegis will conduct periodic reviews of the security of its Appaegis Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Appaegis will continually evaluate the security of its Appaegis Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.