Data Processing Addendum
1.1 “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with the applicable party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2 “Authorized Affiliate” means any Customer Affiliate that is (a) subject to Data Protection Laws and (b) permitted to use the Services under the Agreement.
1.3 “CCPA” means the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, including all laws and regulations implementing or supplementing CCPA and successor or modifying legislation.
1.4 “Customer Personal Data” means Personal Data agreed to be received or accessed and Processed by ContractSafe or a Sub-processor on behalf of Customer or an Authorized Affiliate pursuant to the Agreement.
1.5 “Data Protection Laws” means all laws and regulations, including laws and regulations pertaining to data privacy and data protection applicable to the Processing of Personal Data under the Agreement, including but not limited to those of a) the European Union, the European Economic Area and their member states, including but not limited to GDPR and state implementing legislation, b) Switzerland and the United Kingdom, including but not limited to the UK GDPR, and c) CCPA and other national, state and provincial data protection laws, where applicable.
1.6 “GDPR” means the European Union (“EU”) General Data Protection Regulation and all laws and regulations (including implementing laws and regulations) of the EU, the European Economic Area (“EEA”) and their Member States, Switzerland and, under the United Kingdom Data Protection Act of 2018, the United Kingdom, in each case to the extent applicable to the Processing of Customer Personal Data under the Agreement.
1.9 “Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer or an Authorized Affiliate to ContractSafe or a Sub-processor, or (b) an onward transfer of Customer Personal Data from or between ContractSafe or a Sub-processor, in each of cases (a) and (b) where such transfer is permitted under the Agreement but would be prohibited by Data Protection Laws in the absence of a legal transfer mechanism to be established under this DPA.
1.10 “Services” means the products and/or services provided by ContractSafe under the Agreement.
1.11 “EU Standard Contractual Clauses” means Module Two (controller to processor) and Module Three (processor to processor) of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the approved version of which is available at http://data.europa.eu/eli/dec_impl/2021/914/oj), which, together with the Annexes referred to in Attachment 1, form a part of this DPA, if and to the extent applicable under Section 8 (Restricted Transfers).
1.12 “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses approved by the UK Parliament and in force from 21 March 2022 (as may be amended or superseded from time to time), the details of which are provided for in clause 8.3 and in Attachment 3 (UK Addendum) to this DPA, if and to the extent applicable under Section 8 (Restricted Transfers).
1.13 “UK GDPR” means the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2020, the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003, as may be amended and replaced from time to time.
1.14 “Sub-processor” means any third party appointed by or on behalf of ContractSafe to Process Customer Personal Data on behalf of ContractSafe or any ContractSafe Affiliate, including any other ContractSafe Affiliate.
The terms “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR and UK GDPR; provided, however, that for purposes of CCPA, “Data Subject” shall be synonymous with “Consumer”, and “Personal Data” shall be synonymous with “Personal Information”, as those terms are defined in CCPA, and “Supervisory Authority” shall mean the Office of the Attorney General of the State of California, or its designee, or an independent public authority which is established by an EU Member State or the United Kingdom pursuant to the GDPR and UK GDPR, or any other independent authority established by a government to investigate and enforce Data Protection Laws. The terms “Commercial Purpose”, “Sell”, and “Service Provider” shall have the same meanings as in CCPA. All capitalized terms defined in the Agreement shall have the same meanings in this DPA.
- APPLICABILITY; PROCESSING OF PERSONAL DATA
2.1 Applicability. This DPA applies only to the extent and as of the time the Data Protection Laws apply to Customer Personal Data and the Processing of such Customer Personal Data by ContractSafe or a Sub-processor under the Agreement. This DPA does not apply to “Service Data” which means any data relating to the Customer’s use, support and/or operation of ContractSafe Services and ContractSafe websites, including information relating to Customer personnel such as activity logs, use patterns, cookie data or other information regarding use of ContractSafe Services and ContractSafe websites. To the extent any Service Data is considered personal data under applicable data protection and privacy laws, ContractSafe is responsible as a Data Controller, and processes such data in accordance with its privacy notice available at www.contractsafe.com/privacy and applicable data protection and privacy laws.
2.2 Authorization. Customer authorizes and requests that ContractSafe Process Customer Personal Data as set forth in the Agreement and this DPA for the purposes set forth below. This DPA addresses (i) the subject-matter and duration of the Processing, (ii) the nature and purpose of the Processing, and (iii) the types of Customer Personal Data, categories of Data Subjects whose Personal Data may be Processed and the obligations and rights of the parties.
2.3 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data in connection with the Agreement and this DPA, as between the parties, Customer is the Controller or Processor for a third party Controller (as applicable) and Data Exporter, and ContractSafe is a Processor or Sub-processor (as applicable), Data Importer and Service Provider and may engage ContractSafe Affiliates or other Sub-processors pursuant to the requirements set forth in this DPA.
2.4 Customer’s Obligations. Without limiting any other obligations of Customer under the Agreement or this DPA, Customer shall:
- Comply with all obligations under Data Protection Laws applicable to it, in particular with the principles relating to processing of Personal Data and the lawfulness of Processing, including obtaining and maintaining any required consent or other authorization from Data Subjects, as well as safeguarding the rights of Data Subjects in its use of the Services.
- Promptly notify ContractSafe of any change in the applicability of Data Protection Laws to Customer or Customer Personal Data that may affect the Agreement or ContractSafe’s ability to perform its obligations thereunder or under this DPA.
- Serve as a single point of contact on behalf of all Customer Affiliates for ContractSafe and be solely responsible for the internal coordination, review and submission of instructions or requests of other Controllers that may be permitted by Customer under the terms of the Agreement to use the Services. ContractSafe is discharged of any obligation to inform or notify such other Controllers when ContractSafe has provided applicable information or notice to Customer. ContractSafe is entitled to refuse any requests or instructions provided directly by a Data Controller that is not Customer.
2.5 ContractSafe’s Obligations. Without limiting any other obligations of ContractSafe under the Agreement or this DPA, ContractSafe shall:
- Comply with all obligations under Data Protection Laws applicable to it. Notwithstanding the foregoing, Customer shall have sole responsibility and liability for the accuracy, quality, and legality of Personal Data, obtaining necessary consents (if necessary), and the means by which Customer acquired Personal Data before and after processing, and shall indemnify and hold harmless ContractSafe from any third party claims, damages or fines arising from any failure to acquire or use the Personal Data with legal consent or legitimate business purpose or in violation of any data protection legal requirement.
- Process Customer Personal Data on behalf of and in accordance with Customer’s documented instructions as further specified in the Agreement and this DPA or as otherwise required or permitted under Data Protection Laws or as required by other applicable law or judicial process. Without limiting the foregoing, ContractSafe will operate as a “Service Provider” under CCPA where applicable and as such, will not Sell, share, collect or use Customer Personal Data of a California “Consumer” as defined by CCPA or similar definition under Applicable Data Protection Law, except as permitted by law, and only as necessary to perform the business purpose or for ContractSafe to fulfill its obligations under the Agreement. Further, ContractSafe will not Process Customer Personal Data for its own or any other purposes (including any Commercial Purpose) except as otherwise expressly permitted by law or otherwise agreed in writing; provided, however, that Processing of Customer Personal Data by ContractSafe to ensure the security, operational maintenance, analysis, evaluation or development of the Services for the benefit of its customers without disclosing any Customer Personal Data and without having any adverse impact on the technical and organizational measures implemented by ContractSafe to protect Customer Personal Data shall not constitute processing for ContractSafe’s own purposes.
- Provide, at Customer’s request and expense, reasonable cooperation and assistance in connection with Customer’s obligations under Data Protection Laws as they relate to Customer Personal Data.
- Without undue delay, (but no later than 48 hours after discovery), inform Customer of any Personal Data Breach.
- Upon Customer’s request, ContractSafe shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR and UK GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and, to the extent such information is available to ContractSafe, shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this DPA, to the extent required under the GDPR and UK GDPR. ContractSafe shall have the right to charge the Customer for any reasonable material costs or expenses incurred by ContractSafe in order to assist Customer with a data protection impact assessment.
- In the event ContractSafe receives requests from United States law enforcement authorities seeking to access Personal Data from Customer, it will take reasonable steps to oppose such requests in court.
2.6 Purpose of Processing. Customer instructs ContractSafe to Process Customer Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable purchase order or similar document; (ii) Processing initiated by Customer’s authorized users (which may include authorized personnel of Customer’s customers) in their use of the Services in accordance with Customer’s configuration of the Services; and (iii) Processing to comply with other reasonable instructions provided by Customer via ContractSafe’s support service where such instructions are consistent with the terms of the Agreement and applicable Data Protection Laws. Where an instruction cannot be followed due to the architecture of the Services or generates disproportionate efforts, Customer will reimburse ContractSafe for the costs arising from these efforts or ContractSafe may terminate all or applicable parts of the affected Services.
2.7 Further Details of Processing. Further details of the Processing of Customer Personal Data, including the categories of Customer Personal Data and Data Subjects, are set forth in Attachment 1.
- RIGHTS OF DATA SUBJECTS
3.1 Correction, Amendment and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, transfer or delete Customer Personal Data, as may be required by Data Protection Laws, ContractSafe shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent ContractSafe is legally permitted to do so. Customer shall be responsible for any material costs arising from ContractSafe’s provision of such assistance to the extent legally permitted.
3.2 Data Subject Requests. ContractSafe shall, to the extent legally permitted, promptly notify Customer if it receives any complaint, notice or request from a Data Subject related to that person’s Personal Data or either party’s compliance with Data Protection Laws, other than if provided as an instruction as set out in Section 2.6 (Purpose of Processing). Customer acknowledges that ContractSafe cannot verify the identity of a Data Subject (other than Customer personnel) as to any particular Customer Personal Data without Customer’s assistance. ContractSafe shall not respond to any such Data Subject request except as required under Data Protection Laws, and ContractSafe shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request according to applicable Data Protection Laws, to the extent legally permitted and to the extent Customer cannot handle the request itself through its use of the Services. Customer shall be responsible for any costs arising from ContractSafe’s provision of such assistance.
- CONTRACTSAFE PERSONNEL
4.1 Confidentiality. ContractSafe shall ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of the Customer Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. ContractSafe shall ensure that such confidentiality obligations set forth in this Section 4.1 survive the termination of the personnel engagement. ContractSafe will promptly notify Customer if any Customer Personal Data is required by law or judicial process to be disclosed by it and will cooperate with Customer regarding the manner of such disclosure (but without prejudice to any obligation to comply with any such law or judicial process).
4.2 Reliability. ContractSafe shall take commercially reasonable steps to ensure the reliability of any ContractSafe personnel engaged in the Processing of Customer Personal Data.
4.3 Limitation of Access. ContractSafe shall ensure that ContractSafe’s access to Customer Personal Data is limited to those personnel who require such access to perform the Agreement.
5.1 General. ContractSafe will engage Sub-processors to process Customer Personal Data in accordance with this Section 5 and the EU Standard Contractual Clauses and UK Addendum (as applicable).
5.2 Appointment of Sub-processors. Customer acknowledges, agrees, authorizes and herewith consents that (a) ContractSafe Affiliates may act as Sub-processors; and (b) ContractSafe and ContractSafe Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services. A current list of Sub-processors (and the subject matter/nature and location of applicable Processing) is available at https://www.contractsafe.com/gdprsubs and under the “Infrastructure and Sub-processor Documentation” section of the ContractSafe website, as well as a mechanism to subscribe to notifications of new Sub-processors for each applicable Service, to which Customer shall subscribe. If Customer subscribes, ContractSafe shall provide notification of a new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services. In such cases ContractSafe will enter into a written agreement with the Sub-processor that will include contractual obligations substantially similar to those under this DPA relating to data protection, data security and the authorization of further sub-processors, in each case to the extent applicable. The parties agree that copies of Sub-processor agreements provided to Customer by ContractSafe upon request may have all commercial information or clauses unrelated to data processing removed by ContractSafe beforehand, and that such copies will be provided by ContractSafe in a manner to be determined in its discretion, only upon request by Customer.
5.3 Liability. To the extent required by applicable Data Protection Laws, ContractSafe shall be liable for the acts and omissions of its Sub-processors to the same extent ContractSafe would be liable if performing the Services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
5.4 Changes to List of Current Sub-processors. ContractSafe may remove, replace or appoint suitable and reliable further Sub-processors in its sole discretion. To the extent required under applicable Data Protection Laws ContractSafe will inform Customer about any changes to the list of Sub-processors in a timely fashion, which may be by announcing them to the Customer through automated notice, such as the mechanism described at Section 5.2 of this DPA. Customer may object to any change of Sub-processors in writing on legitimate grounds based on data protection or security concerns, detailed in writing, within 10 business days after receipt of ContractSafe’s notice, and, if Customer so objects, ContractSafe will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If ContractSafe is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable order document(s) in respect only to those Services which cannot be provided by ContractSafe without the use of the objected-to new Sub-processor, by providing written notice to ContractSafe. Customer shall receive a refund of any unused prepaid fees for the period following the effective date of termination in respect of such terminated Services.
6.1 Controls for the Protection of Personal Data. ContractSafe shall maintain administrative, physical and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data as set forth in the “Description of the technical and organizational security measures implemented by the data importer” as amended from time to time, a current copy of which is included as part of Attachment 1.
6.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, ContractSafe shall provide a copy of ContractSafe’s then most recent third-party audits or certifications, as applicable, or any summaries thereof or other information that ContractSafe generally makes available to its customers at the time of such request evidencing ContractSafe’s compliance with Section 6.1. In the absence of such audits or certificates, and to the extent ContractSafe is required to submit to audits under applicable Data Protection Laws, Customer may, at its own cost, audit the technical and organizational measures taken by ContractSafe.
6.3 Audit restrictions.
(a) Unless otherwise required by Data Protection Laws, Customer’s audit right pursuant to Section 6.2 (Third-Party Certifications and Audits) is limited to once in any twelve-month period and may not be conducted by a competitor of ContractSafe.
(b) An audit may not exceed three business days.
(c) Customer shall provide ContractSafe with at least thirty (30) days’ prior written notice (unless a Supervisory Authority or applicable Data Protection Law requires a shorter notice period).
(d) Customer and ContractSafe shall mutually agree the scope and determine the agenda of the audit in advance. The audit shall, to the extent possible, rely on certifications, audit reports or other verifications available to confirm ContractSafe’s compliance with Section 6.1, and shall exclude any third-party penetration testing, repetitive audits or requests for information.
(e) Customer shall conduct the audit under reasonable time, place and manner conditions and provide ContractSafe with a copy of the audit report and will inform ContractSafe without undue delay and comprehensively about any errors or irregularities related to Processing of Customer Personal Data detected during the audit.
(f) If an audit determines that ContractSafe is required to take corrective technical and/or organizational security measures, ContractSafe will at its sole discretion determine which measures are best suited to ensure compliance and perform such measures within a reasonable time frame.
6.4 Data Protection Checks by Supervisory Authorities. ContractSafe will provide the Customer and Supervisory Authorities (as applicable) with all information and assistance reasonably necessary to investigate Personal Data Breaches or otherwise to demonstrate that the Services comply with Data Protection Laws to the extent that such inspections concern the Processing of Customer Personal Data under the Agreement, and will without undue delay implement the requirements of such Supervisory Authority in agreement with and at the cost of Customer.
- RETURN AND DELETION OF PERSONAL DATA
At any time upon Customer’s request, ContractSafe will return to Customer all Customer Personal Data and any copies thereof, or will destroy all such Customer Personal Data, as required by Data Protection Laws, except to the extent Data Protection Laws or any other applicable law or judicial process imposed upon ContractSafe prevents it from doing so or as otherwise necessary under applicable Data Protection Laws. Any certification required by applicable Data Protection Laws may only be done upon written request.
- RESTRICTED TRANSFERS FOR PERSONS LOCATED IN THE EUROPEAN UNION, EEA OR UNITED KINGDOM
8.1 UK Addendum Application. Customer and each Authorized Affiliate (each as Controller under Module Two or as the transferring Processor under Module Three, but in either case as “data exporter”) and ContractSafe (as Processor under Module Two or as the receiving Processor under Module Three, but in either case as “data importer”) hereby enter into the UK Addendum in respect of such Restricted Transfer; provided, however, that:
- The UK Addendum shall apply only to Customer Personal Data that is subject to the UK GDPR;
- The UK Addendum shall come into effect hereunder upon the commencement of the applicable Restricted Transfer; and
- The parties hereby incorporate Part 1 of the UK Addendum into this DPA which sets out Tables 1 – 4 and the terms and applicability of certain sections of the UK Addendum shall be as follows:
- For the purposes of Table 1 of the UK Addendum:
- The parties' details and key contacts are those as set out in Annex 1 to the EU Standard Contractual Clauses.
- Execution of the EU Standard Contractual Clauses shall be construed as execution of the UK Addendum in parallel.
- For the purposes of Table 2 of the UK Addendum:
- Module One (Controller to Controller) and Module Four (Processor to Controller) shall not apply.
- Module Two (Controller to Processor) shall apply, as applicable to the actual role of Customer in connection with Restricted Transfers;
- Module Three (Processor to Processor) shall apply, as applicable to the actual role of Customer in connection with Restricted Transfers;
- Clause 7 (optional docking clause for third parties) shall be included and applied as agreed between the parties from time to time;
- Clause 9(a) (use of sub-processors - authorization), option 2 (general written authorization) shall apply to both Module Two and Module Three and the applicable time period for notice therein shall be as set forth in Section 5.4 of this DPA; and
- For the purposes of Table 3 of the UK Addendum “Appendix Information” means the information which must be provided for the selected modules as set out in:
- Annex 1A: List of Parties: The Parties are those listed in Annex 1A of the EU Standard Contractual Clauses.
- Annex 1B: Description of Transfer: The description is that set forth in Attachment 1 to this DPA.
- Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: The technical and organizational measures are those set forth in Attachment 1 to the DPA.
- Annex III: List of Sub processors (Modules 2 and 3 only): Not applicable (general authorization has been provided pursuant to option 2 of clause 9(a)).
- For the purposes of Table 4 of the UK Addendum, both the Importer and the Exporter may end the UK Addendum in accordance with Section 19 of the Mandatory Clauses.
- The following additional terms shall apply to Restricted Transfers under the UK Addendum with respect to the obligations set out under the EU Standard Contractual Clauses:
- The requirement to provide a certificate of deletion under Clauses 8.5 and 16(d) is satisfied by Section 7 of this DPA;
- Customer may exercise its right of audit under Clauses 8.9(c), (d) and (e), and Clause 13(b), as set out in, and subject to the requirements of, Section 6 of this DPA; and
- Customer may exercise its right to request a copy of sub-processor agreements under Clause 9(c) subject to the redaction of confidential information as set out in such agreements, and subject to the requirements of Section 5 of this DPA.
8.2 EU Standard Contractual Clauses. By entering into this DPA, the parties are deemed to have signed the EU Standard Contractual Clauses incorporated herein, including their Annexes. Customer and each Authorized Affiliate (each as Controller under Module Two or as the transferring Processor under Module Three, but in either case as “data exporter”) and ContractSafe (as Processor under Module Two or as the receiving Processor under Module Three, but in either case as “data importer”) hereby enter into the EU Standard Contractual Clauses in respect of such Restricted Transfer; provided, however, that:
- The EU Standard Contractual Clauses shall apply only to Customer Personal Data that is subject to the GDPR and/or that is subject to applicable data privacy laws of Switzerland and which is processed by ContractSafe (as Processor or Sub-processor) outside the European Union or Switzerland;
- The Standard Contractual Clauses shall come into effect hereunder upon the commencement of the applicable Restricted Transfer; and
- The terms and applicability of certain sections of the EU Standard Contractual Clauses shall be as follows:
- Module Two (Controller to Processor) shall apply, as applicable to the actual role of Customer in connection with Restricted Transfers;
- Module Three (Processor to Processor) shall apply, as applicable to the actual role of Customer in connection with Restricted Transfers;
- Clause 7 (optional docking clause for third parties) shall be included and applied as may be agreed between the parties from time to time;
- The requirement to provide a certificate of deletion under Clauses 8.5 and 16(d) is satisfied by Section 7 of this DPA;
- Customer may exercise its right of audit under Clauses 8.9(c), (d) and (e), and Clause 13(b), as set out in, and subject to the requirements of, Section 6 of this DPA;
- Clause 9(a) (use of sub-processors - authorization), whether under Module Two or Module Three, shall be Option 2 of such Clause (general written authorization), and the applicable time period for notice therein shall be as set forth in Section 5.4 of this DPA;
- Customer may exercise its right to request a copy of sub-processor agreements under Clause 9(c), subject to the redaction of confidential information as set out in such agreements, and subject to the requirements of Section 5 of this DPA;
- The version of Clause 13(a) (supervision - applicable Supervisory Authority) that applies to the Customer in connection with Restricted Transfers shall be included, and if, in accordance with the provisions of such Clause 13(a), the parties may select the applicable Supervisory Authority, such Supervisory Authority shall be that of the United Kingdom;
- Except as otherwise expressly agreed in writing, Option 1 of Clause 17 (governing law - selected by the parties) shall apply, and the governing law under such Option shall be that of the United Kingdom;
- The applicable forum under Clause 18(b) (choice of forum and jurisdiction) shall be the United Kingdom; provided, however, that if Module Three applies and Customer is headquartered in the United States, then, subject to the rights of Data Subjects under Clause 18(c) (right of data subject to bring proceedings in the member state where the data subject resides), the forum shall be as set forth in the Agreement;
- The details required or permitted to be described in Annex I as to the parties and the description of the Restricted Transfer shall be as set forth in Attachment 1 to this DPA, and the competent Supervisory Authority shall be as set forth in Clause 13 (supervision - applicable Supervisory Authority) and Section 8.2(c)(v) above;
- The technical and organizational measures required or permitted to be described in Annex II shall be as set forth in the Agreement and in Attachment 1 to this DPA; and
- LIMITATION OF LIABILITY
9.1. To the extent permitted by Data Protection Laws, each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and ContractSafe, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
9.2. For the avoidance of doubt, to the extent permitted by Data Protection Laws, ContractSafe’s and its Affiliates’ total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under the Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
9.3. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
- GENERAL TERMS
10.1 Governing Law and Jurisdiction. Without prejudice to the EU Standard Contractual Clauses and UK Addendum: (i) the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and (ii) this DPA and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Agreement.
10.2 Order of Precedence. Nothing in this DPA reduces ContractSafe’s or Customer’s (or Customer Affiliates’ or their respective users’) obligations under the Agreement or Applicable Data Protection Laws in relation to the protection of Customer Personal Data or permits any party to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Agreement. Notwithstanding the foregoing, in the event of any conflict or inconsistencies between this DPA and the EU Standard Contractual Clauses or the UK Addendum, the applicable Standard Contractual Clauses or UK Addendum shall prevail.
10.3 Changes in Data Protection Laws. Either party may propose variations to this DPA if and as they may apply to a particular Data Protection Law, which such party believes in good faith are required as a result of any change in, or decision of a competent authority under, that Data Protection law. In the event of such a proposal, the parties agree to work together in good faith to implement mutually agreed changes. Customer shall not unreasonably withhold or delay agreement to any consequential variations to this DPA proposed by ContractSafe to protect ContractSafe and its Affiliates and Sub-processors against additional risks associated with such changes.
10.4 Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
10.5 Legal Effect. This DPA shall only become legally binding between Customer and ContractSafe when the DPA has been executed via digital signature or other legally binding mechanism.
Certain Details of Processing of Customer Personal Data
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement (including ordering documents) and this DPA.
The nature and purpose of the Processing of Customer Personal Data
The nature and purpose of the Processing of the Customer Personal Data are set out in the Agreement and this DPA, namely contract storage, administration and improvement of the Services.
The types of Customer Personal Data to be transferred and Processed
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion and uploaded into or accessed by Customer, which may include, but is not limited to, the following categories of Personal Data: Employee/agent email address, contact information, IP address and use history; Customer client information as contained in contracts, which is stored but not accessed by ContractSafe LLC; and contract administration data.
Sensitive data to be transferred
None are anticipated.
The categories of Data Subjects to whom the Customer Personal Data relates
Data Subjects will be determined by Customer in its discretion and may include Customer employees, agents, clients, members and designees.
The period for which the Customer Personal Data will be retained
The period for which Customer Personal Data will be retained is set out in the Agreement and this DPA.
The obligations and rights of Customer and Customer Affiliates
The obligations and rights of Customer and Authorized Affiliates are set out in the Agreement and this DPA.
Providing the Service (contract management and storage), administering and reporting on the use of the Services, supporting the Services, and offering and improving the Services.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
The transfers will occur on a continuous basis throughout the duration of the Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Sub-processors will provide, on a continuous basis throughout the duration of the Agreement, the services set forth on the Sub-Processors list at https://www.contractsafe.com/gdprsubs.
Description of the technical and organisational security measures
Within ContractSafe’s area of responsibility, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, ContractSafe has, in relation to the Customer Personal Data, implemented and will maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk as set forth at https://www.contractsafe.com/dataprotectionpolicy and as otherwise agreed in writing in the Agreement. These include administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Customer Personal Data, including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss, alteration, disclosure or access of or to Customer Personal Data. Measures may include:
- Measures of encryption of personal data
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
- Measures for user identification and authorisation
- Measures for the protection of personal data during transmission
- Measures for the protection of personal data during storage
- Measures for ensuring physical security of locations at which personal data are processed
- Measures for ensuring events logging
- Measures for ensuring system configuration, including default configuration
- Measures for internal IT and IT security governance and management
- Measures for certification/assurance of processes and products
- Measures for ensuring data minimisation
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure
- Vetting Sub-Processors for similarly appropriate technical and organizational measures, as appropriate.
Entering into this Addendum
- Each Party agrees to be bound by the terms and conditions set out in this Addendum, in exchange for the other Party also agreeing to be bound by this Addendum.
- Although Annex 1A and Clause 7 of the Approved EU SCCs require signature by the Parties, for the purpose of making Restricted Transfers, the Parties may enter into this Addendum in any way that makes them legally binding on the Parties and allows data subjects to enforce their rights as set out in this Addendum. Entering into this Addendum will have the same effect as signing the Approved EU SCCs and any part of the Approved EU SCCs.
Interpretation of this Addendum
- Where this Addendum uses terms that are defined in the Approved EU SCCs those terms shall have the same meaning as in the Approved EU SCCs. In addition, the following terms have the following meanings:
| Term | Meaning |
|---|---|
| Addendum | This International Data Transfer Addendum which is made up of this Addendum incorporating the Addendum EU SCCs. |
| Addendum EU SCCs | The version(s) of the Approved EU SCCs which this Addendum is appended to, as set out in Table 2 (please see clause 8.1 of the DPA), including the Appendix Information. |
| Appendix Information | As set out in Table 3 (please see clause 8.1 of the DPA). |
| Appropriate Safeguards | The standard of protection over the personal data and of data subjects’ rights, which is required by UK Data Protection Laws when you are making a Restricted Transfer relying on standard data protection clauses under Article 46(2)(d) UK GDPR. |
| Approved Addendum | The template Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18. |
| Approved EU SCCs | The Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021. |
| ICO | The Information Commissioner. |
| Restricted Transfer | A transfer which is covered by Chapter V of the UK GDPR. |
| UK | The United Kingdom of Great Britain and Northern Ireland. |
| UK Data Protection Laws | All laws relating to data protection, the processing of personal data, privacy and/or electronic communications in force from time to time in the UK, including the UK GDPR and the Data Protection Act 2018. |
| UK GDPR | As defined in section 3 of the Data Protection Act 2018. |
- This Addendum must always be interpreted in a manner that is consistent with UK Data Protection Laws and so that it fulfils the Parties’ obligation to provide the Appropriate Safeguards.
- If the provisions included in the Addendum EU SCCs amend the Approved EU SCCs in any way which is not permitted under the Approved EU SCCs or the Approved Addendum, such amendment(s) will not be incorporated in this Addendum and the equivalent provision of the Approved EU SCCs will take their place.
- If there is any inconsistency or conflict between UK Data Protection Laws and this Addendum, UK Data Protection Laws applies.
- If the meaning of this Addendum is unclear or there is more than one meaning, the meaning which most closely aligns with UK Data Protection Laws applies.
- Any references to legislation (or specific provisions of legislation) means that legislation (or specific provision) as it may change over time. This includes where that legislation (or specific provision) has been consolidated, re-enacted and/or replaced after this Addendum has been entered into.
- Although Clause 5 of the Approved EU SCCs sets out that the Approved EU SCCs prevail over all related agreements between the parties, the parties agree that, for Restricted Transfers, the hierarchy in Section 10 will prevail.
- Where there is any inconsistency or conflict between the Approved Addendum and the Addendum EU SCCs (as applicable), the Approved Addendum overrides the Addendum EU SCCs, except where (and in so far as) the inconsistent or conflicting terms of the Addendum EU SCCs provide greater protection for data subjects, in which case those terms will override the Approved Addendum.
- Where this Addendum incorporates Addendum EU SCCs which have been entered into to protect transfers subject to the General Data Protection Regulation (EU) 2016/679 then the Parties acknowledge that nothing in this Addendum impacts those Addendum EU SCCs.
Incorporation of and changes to the EU SCCs
- This Addendum incorporates the Addendum EU SCCs which are amended to the extent necessary so that:
- together they operate for data transfers made by the data exporter to the data importer, to the extent that UK Data Protection Laws apply to the data exporter’s processing when making that data transfer, and they provide Appropriate Safeguards for those data transfers;
- Sections 9 to 11 override Clause 5 (Hierarchy) of the Addendum EU SCCs; and
- this Addendum (including the Addendum EU SCCs incorporated into it) is (1) governed by the laws of England and Wales and (2) any dispute arising from it is resolved by the courts of England and Wales, in each case unless the laws and/or courts of Scotland or Northern Ireland have been expressly selected by the Parties.
- Unless the Parties have agreed alternative amendments which meet the requirements of Section 12, the provisions of Section 15 will apply.
- No amendments to the Approved EU SCCs other than to meet the requirements of Section 12 may be made.
- The following amendments to the Addendum EU SCCs (for the purpose of Section 12) are made:
- References to the “Clauses” means this Addendum, incorporating the Addendum EU SCCs;
- In Clause 2, delete the words: “and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679”;
- Clause 6 (Description of the transfer(s)) is replaced with: “The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter’s processing when making that transfer.”;
- Clause 8.7(i) of Module 1 is replaced with: “it is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- Clause 8.8(i) of Modules 2 and 3 is replaced with: “the onward transfer is to a country benefitting from adequacy regulations pursuant to Section 17A of the UK GDPR that covers the onward transfer”;
- References to “Regulation (EU) 2016/679”, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)” and “that Regulation” are all replaced by “UK Data Protection Laws”. References to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws;
- References to Regulation (EU) 2018/1725 are removed;
- References to the “European Union”, “Union”, “EU”, “EU Member State”, “Member State” and “EU or Member State” are all replaced with the “UK”;
- The reference to “Clause 12(c)(i)” at Clause 10(b)(i) of Module one, is replaced with “Clause 11(c)(i)”;
- Clause 13(a) and Part C of Annex I are not used;
- The “competent supervisory authority” and “supervisory authority” are both replaced with the “Information Commissioner”;
- In Clause 16(e), subsection (i) is replaced with: “the Secretary of State makes regulations pursuant to Section 17A of the Data Protection Act 2018 that cover the transfer of personal data to which these clauses apply;”;
- Clause 17 is replaced with: “These Clauses are governed by the laws of England and Wales.”;
- Clause 18 is replaced with: “Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts.”; and
- The footnotes to the Approved EU SCCs do not form part of the Addendum, except for footnotes 8, 9, 10 and 11.
Amendments to this Addendum
16. The Parties may agree to change Clauses 17 and/or 18 of the Addendum EU SCCs to refer to the laws and/or courts of Scotland or Northern Ireland.
17. If the Parties wish to change the format of the information included in Part 1: Tables of the Approved Addendum, they may do so by agreeing to the change in writing, provided that the change does not reduce the Appropriate Safeguards.
18. From time to time, the ICO may issue a revised Approved Addendum which:
- makes reasonable and proportionate changes to the Approved Addendum, including correcting errors in the Approved Addendum; and/or
- reflects changes to UK Data Protection Laws;
The revised Approved Addendum will specify the start date from which the changes to the Approved Addendum are effective and whether the Parties need to review this Addendum including the Appendix Information. This Addendum is automatically amended as set out in the revised Approved Addendum from the start date specified.
19. If the ICO issues a revised Approved Addendum under Section 18, if any Party selected in Table 4 “Ending the Addendum when the Approved Addendum changes”, will as a direct result of the changes in the Approved Addendum have a substantial, disproportionate and demonstrable increase in:
- its direct costs of performing its obligations under the Addendum; and/or
- its risk under the Addendum,
and in either case it has first taken reasonable steps to reduce those costs or risks so that it is not substantial and disproportionate, then that Party may end this Addendum at the end of a reasonable notice period, by providing written notice for that period to the other Party before the start date of the revised Approved Addendum.
- The Parties do not need the consent of any third party to make changes to this Addendum, but any changes must be made in accordance with its terms.
Date Last Revised: January 10, 2023