To discuss any of these terms, please reach out to your point of contact at SpotDraft. Please do not download or redline this document.
This Data Processing Agreement (“DPA”) forms part of the Order Form and the Software Services Agreement ("Agreement") executed between the Company (“Data Processor”) and the Customer (also referred to as the Data Controller), collectively the “Parties”, and shall be effective as of the Effective Date of the first Order Form.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the following meaning:
1.1.1 “DPA” means this Data Processing Agreement and all Schedules.
1.1.2 “Customer Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Customer pursuant to or in connection with the Agreement.
1.1.3 “Contracted Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this DPA.
1.1.4 “Applicable Data Protection Laws” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protection Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) principles and requirements, the United Kingdom Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019, the Privacy and Electronic Communications Regulations 2003, the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) (“CCPA”), and its implementing regulations, and any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time. For the avoidance of doubt, if the Company’s processing activities involving Customer Personal Data are not within the scope of an Applicable Data Protection Law, such law is not applicable for purposes of this DPA.
1.1.5 “EEA” means the European Economic Area.
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
1.1.7 “Data Transfer” means:
(i) a transfer of Customer Personal Data from the Customer to a Contracted Processor; or
(ii) an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor,
in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).
1.1.8 “Security Incident(s)” means the breach of security, directly attributable to the Company, leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by the Company.
1.1.9 “Services” means the Services provided by the Company in accordance with the Agreement.
1.1.10 “Subprocessor” means any person appointed by or on behalf of Processor to process Customer Personal Data in connection with the DPA.
1.1.11 “2021 Standard Contractual Clauses/ SCCs” means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1 Processor shall:
2.1.1 comply with all Applicable Data Protection Laws in the Processing of Customer Personal Data; and
2.1.2 not Process Customer Personal Data for any purpose other than the specific purposes set forth in the DPA, or outside the direct business relationship between Customer and the Company, unless obligated to do otherwise by applicable law. In such case, the Company will inform Customer of that legal requirement before the Processing unless legally prohibited from doing so. The Company shall comply with any applicable restrictions under Applicable Data Protection Law(s) on combining Customer Personal Data with personal data that the Company receives from, or on behalf of, another person or persons, or that the Company collects from any interaction between it and any individual. Notwithstanding the foregoing, the Company may Process Customer Personal Data for any purposes ancillary to providing the Services under the Agreement, to the extent permitted by Applicable Data Protection Law(s) for “service providers” (as defined in the CCPA) or Processors. Further details regarding the Company’s processing operations, including the purposes for processing Customer Personal Data, are set forth in Schedule A.
2.1.3 The Company and its Sub-Processors shall process Customer Personal Data only in accordance with the documented instructions of Customer. The Agreement, including this DPA, along with any applicable statement of work, constitute Customer’s complete and final instructions to the Company regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. The Company will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
2.2 Personal Data Inquiries and Requests. Upon written request from the Customer, the Company shall provide reasonable assistance and comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Customer Personal Data granted to them under Applicable Data Protection Laws (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to the Company, the Company shall promptly notify Customer and shall not respond to the request unless Customer has authorized the Company to do so. Where necessary, Customer shall inform the Company of any other individual rights requests that the Company must comply with and provide the information necessary for the Company to comply with the request.
2.3 Government Access Requests. Unless prohibited by Applicable Data Protection Laws or a legally binding request of law enforcement, the Company shall promptly notify Customer of any request by government agency or law enforcement authority for access to or seizure of Customer Personal Data, and shall render reasonable assistance to Customer, if Customer wishes to contest the access or seizure.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Customer Personal Data, as strictly necessary for the purposes of the Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall, in relation to the Customer Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Sub-Processing
5.1 The Company may engage Sub-Processors in accordance with this section.
5.2 A list of Sub-Processors is referenced in Schedule B.
5.3 The Company will fully be responsible for any failure by a Sub-Processor to perform the Processing for which it was engaged.
5.4 The Company shall impose on Sub-Processors data protection obligations that are at least as stringent as those in this DPA, including an obligation to implement GDPR-compliant technical and organizational measures.
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Applicable Data Protection Laws.
6.2 Processor shall:
6.2.1 promptly notify Customer if it receives a request from a Data Subject under any Applicable Data Protection Law in respect of Customer Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Data Protection Laws to which the Processor is subject, in which case Processor shall, to the extent permitted by Applicable Data Protection Laws, inform Customer of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Processor shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by the provisions of any Applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data, and taking into account the nature of the Processing and information available to the Contracted Processors.
9. Data Storage
The Company will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement and this DPA.
10. Deletion or return of Customer Personal Data
10.1 Subject to this section 10, the Company shall promptly, and in any event within 90 calendar days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Customer Personal Data.
10.2 Upon Customer’s request, the Company will promptly return to Customer a copy of all Customer Personal Data within thirty (30) calendar days.
10.3 All deletion of Customer Personal Data will be conducted in accordance with standard industry practices for deletion of sensitive data.
10.4 Upon Customer’s request, and within 30 calendar days, the Company will provide a certificate of deletion as evidence of deletion of all Customer Personal Data.
11. Audit rights
11.1 Subject to this section 11, Data Processor shall make available to the Customer on request all information necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by the Customer or an auditor mandated by the Customer in relation to the Processing of the Customer Personal Data by the Contracted Processors.
11.2 Information and audit rights of the Customer only arise under section 11.1 to the extent that the DPA does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
12. Data Transfer
12.1 The Customer acknowledges that the Customer Personal Data may be Processed outside the EEA, if the following conditions are met:
12.1.1 The Company shall ensure adequacy measures are in place with each of its Sub-Processors that may Process the Personal Data outside the EEA, whether binding corporate rules, or SCCs, and upon Customer’s request will provide proof of such adequacy measures without undue delay; and
12.1.2 all such Processing will be performed in accordance with the SCCs.
12.1.3 The SCCs between the Company and Customer shall take effect on the earlier of:
a. the final date of signature of the SCCs; or
b. retroactively, on the date of first transfer of Personal Data outside the EEA.
13. Security Incidents.
The Company will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
The Company shall provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than seventy-two (72) hours) to Customer upon becoming aware of occurrence of a Security Incident. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
14. Termination
This DPA shall be co-terminous with the Agreement.
15. Consequences of Termination
15.1 Upon termination of this DPA:
15.1.1 Data Processor shall, at the Customer’s option, either forthwith:
(i) Return to Customer, or to another data processor designated by the Customer, all of the Customer Personal Data and any copies thereof which it is processing or has processed upon behalf of Customer. The return of the Customer Personal Data shall result in the full deletion of the Personal Data existent in the IT equipment used by the Data Processor; or
(ii) Destroy all of the Customer Personal Data and any copies thereof which it has Processed on behalf of the Customer promptly and in any case within 30 days of being requested to do so by the Customer. The Data Processor shall, upon Customer’s request, certify the deletion of such data in writing to the Customer; and
(iii) Data Processor shall cease processing Customer Personal Data on behalf of the Data Controller.
16. Enforcement and Indemnity
16.1 Without prejudice to any other rights or remedies that the Data Controller may have, Data Processor hereby acknowledges and agrees that a person with rights under this DPA may be irreparably harmed by any breach of its terms and that damages alone may not be an adequate remedy. Accordingly, a person bringing a claim under this DPA shall be entitled to the remedies of injunction, specific performance or other equitable relief for any breach of the terms of this DPA.
16.2 Data Processor agrees that it will (in addition to, and without affecting, any other rights or remedies that Data Controller may have whether under statute, common law or otherwise) indemnify and hold harmless Data Controller, on demand from and against all claims, liabilities, costs, expenses, loss or damage incurred by Data Controller arising directly from a breach of this DPA by Data Processor or enforcement of any rights under it.
17. General Terms
17.1 Confidentiality. Each Party must keep this DPA and information it receives about the other Party and its business in connection with this DPA (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
(a) disclosure is required by law;
(b) the relevant information is already in the public domain.
18. Notices, Governing Law and Jurisdiction
18.1 Notices, Governing Law and Jurisdiction shall be in accordance with the Agreement.
SCHEDULE A
PROCESSING ACTIVITIES
1. Description of the Customer Personal Data Processed by the Company is set out below:
· First and last name
· Title
· Position
· Employer
· Contact information (company, email, phone, physical business address)
· Identification Data (email addresses and phone numbers)
· Electronic identification data (IP addresses)
2. Nature of processing of Customer Personal Data
Processing of the data uploaded by Customer to the Company’s contract management SaaS application.
3. Purpose of the processing of Personal Data
The purpose of Processing of Customer Personal Data by the Company is for the performance of the Services pursuant to the Agreement.
4. Categories of Data Subjects
· Prospects, customers, business partners and vendors of Customer (who are natural persons).
· Employees or contact persons of Customer’s prospects, customers, business partners and vendors.
· Employees, agents, advisors, freelancers of Customer (who are natural persons).
5. Duration of the processing
The Processing will continue until the expiration or termination of this DPA.
6. Return and Deletion of Personal Data
The Company does not retain any Customer Personal Data unless there is a valid reason to do so. The Customer Personal Data is deleted in accordance with this DPA after termination or expiry of the DPA, and a certificate of data deletion can be provided, if requested.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The Company has all the relevant security measures and policies in place to ensure utmost security of its customers' data. The Company has policies and procedures such as patch management, access control, asset management, business continuity & disaster recovery, confidentiality, network security, and multiple others to ensure the security of the data. Additionally, the Company is ISO 27001:2013 and SOC 2 Type 1&2 certified and complies with all the guidelines and controls.
SCHEDULE B
LIST OF SUB-PROCESSORS
The list of sub-processors is available here.