Data Processing Addendum

Last updated: March 22, 2024 

This Data Processing Addendum (“DPA”) forms part of the LockDocs Terms of Service Agreement (the “Agreement”) between LockDocs, defined under “We, Our, Us” in the Agreement (“Vendor”), and its customer, defined as “You or Your” in the Agreement (“Customer”) (collectively the “Parties”). This DPA applies to all Processing of Personal Data by Vendor in the context of the Agreement. This DPA prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement.

1. Definitions

1.1. “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” shall have the same meaning ascribed to them in Data Protection Laws;

1.2. “Data Protection Laws” means all applicable data protection and privacy laws in force from time to time which apply to a party relating to the Processing of Personal Data, including, but not limited to:
a) in the EU, the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”);
b) in the UK, the retained version of the EU GDPR as enacted into UK law (“UK GDPR”) and the Data Protection Act 2018; and
c) any applicable decisions, guidelines, guidance notes and codes of practice issued from time to time by courts, supervisory authorities and other applicable government authorities;

1.3. “Personnel” means employees or independent contractors engaged by the Vendor to provide Services;

1.4. “Subprocessor” means a Processor engaged by Vendor to Process Personal Data on behalf of Customer.

2. Processor, Controller.

LockDocs is a Processor appointed by Customer to process Personal Data on Customer’s behalf. Customer is a Controller.

3. Customer Instructions for Processing.

Vendor will only Process Personal Data on the instructions of Customer, and not for any other purpose. Customer may issue additional instructions to Vendor as necessary to comply with Data Protection Laws. 

4. Subprocessing.

Vendor will notify Customer before engaging a new Subprocessor. Customer authorizes Vendor to engage the Subprocessors listed in Appendix 1. Vendor will obtain sufficient guarantees from all Subprocessors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Laws and this DPA. Vendor will enter into a written agreement with all Subprocessors which imposes the same obligations on the Subprocessors as this DPA imposes on Vendor.

5. International Data Transfers.

Customer acknowledges and agrees that Vendor may, in the course of providing the Services, process, access or store (or permit any Subprocessor to process, access or store) Personal Data outside the European Union, United Kingdom or European Economic Area (as applicable), provided that such processing takes place in accordance with the requirements of Data Protection Laws. In addition, Customer shall ensure that: 

a) Customer is entitled to transfer the Personal Data to the Vendor so that the Vendor may lawfully use, process, and transfer the Personal Data in accordance with the Agreement on the Customer’s behalf; and
b) all transfers of the Personal Data by the Customer to the Vendor shall (to the extent required under Data Protection Laws) be effected by way of adequate safeguards and in accordance with Data Protection Laws.

6. Processor Personnel and Vendor Compliance Measures.

Vendor will implement appropriate technical and organizational measures, including for the security of Processing and to ensure that Personnel do not Process Personal Data except on the instructions of the Controller. Vendor will ensure that all Personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality. Vendor must maintain records of all Processing of Personal Data as required under Data Protection Laws. Vendor will inform Customer without undue delay if it believes that an instruction by Customer violates Data Protection Laws, in which case Vendor may suspend the Processing until Customer has modified, or confirmed the lawfulness of, the instructions in writing. 

7. Security and Personal Data Breach.

Vendor will implement technical and organizational measures to ensure a security level appropriate to the risk of the Processing, including the encryption and pseudonymization of Personal Data; measures to detect Personal Data Breaches in a timely manner; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing; measures to restore the availability and access to Personal Data in a timely manner in the event of an incident; and processes for regularly testing, assessing and evaluating the effectiveness of the security measures.

7.1. Notification of a Personal Data Breach. Vendor will notify Customer without undue delay after becoming aware of a Personal Data Breach. Vendor’s notification of a Personal Data Breach shall at a minimum: 

a) describe the nature of the Personal Data Breach, the categories and numbers of data subjects concerned, and the categories and numbers of Personal Data records concerned;
b) communicate the name and contact details of the Vendor’s data protection officer or other relevant contact from whom more information may be obtained;
c) describe the likely consequences of the Personal Data Breach; and 
d) describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. 

8. Compliance Assistance.

Vendor will assist Customer in complying with its obligations under Data Protection Laws, including: replying to inquiries, complaints or requests from Data Subjects to exercise their rights under Data Protection Laws; replying to investigations, inquiries from and prior consultations with Supervisory Authorities; conducting data protection impact assessments; and notifying Personal Data Breaches. Unless prohibited by Data Protection Laws, Vendor will inform Customer without undue delay if it receives a request, complaint or other inquiry from a Data Subject or Supervisory Authority; receives a request to disclose Personal Data from law enforcement, courts or a government body; is subject to a legal obligation that requires it to Process Personal Data in contravention of Customer’s instructions; or is otherwise unable to comply with Data Protection Laws or this DPA. 

9. Audit.

Vendor will make available to Customer all information necessary to demonstrate compliance with Data Protection Laws and this DPA and allow for and contribute to audits, including inspections, conducted by a Supervisory Authority, Customer or another auditor mandated by Customer. Parties each bear their own costs related to an audit. If an audit determines that the Vendor violated Data Protection Laws or this DPA, Vendor bears all costs related to the audit. 

10. Liability.

If a Party receives a compensation claim from a person relating to processing of the Personal Data under this DPA, it shall promptly provide the other Party with notice and full details of such claim. The Party with conduct of the action shall: 

a) make no admission of liability nor agree to any settlement or compromise of the relevant claim without the prior written consent of the other Party (which shall not be unreasonably withheld or delayed); and
b) consult fully with the other Party in relation to any such action, but the terms of any settlement or compromise of the claim will be exclusively the decision of the party that is responsible for paying the compensation.
 
The disclaimers, liability exclusions and limitations of liability set out under the Agreement shall apply also to this DPA. 

11. Confidentiality.

Vendor must keep all Personal Data and all information relating to the Processing thereof, in strict confidence.

12. Term.

The Processing will last no longer than the term of the Agreement. Upon termination of the Processing, Customer must confirm with Vendor within thirty (30) days after termination of Processing whether the Personal Data provided by Customer to Vendor should be deleted or returned to the Customer. Vendor will comply with Customer’s choice within ninety (90) days after confirmation. 

13. Modifications, Notifications, Invalidity and Severability.

This DPA may only be modified by a written amendment signed by both Parties. Vendor may be contacted via email at [email protected]. If any provision of this DPA is found invalid or unenforceable by any competent court or administrative body, all other provisions will remain unaffected and in full force and effect. 

Appendix 1
Subprocessors

Vendor engages the following Subprocessors:

Name: Description

Azure Cloud Platform: Cloud provider that provides infrastructure as a service

Mixpanel: Mixpanel is an analytics tool that provides user data regarding customer experience

DocuSign: Integrating with their API allows LockDocs to provide digital signature capabilities, with a proven and trusted authority

HubSpot: HubSpot is a cloud-based CRM designed to help align sales, marketing and customer support

SendGrid: A cloud-based SMTP provider

Twilio: Customer engagement platform used by hundreds of thousands of businesses and more than ten million developers worldwide to build unique, personalized experiences for their customers

Appendix 2

Description of the Processing

The Personal Data Processed concern the following categories of data:

Category Description

Enrolment Data

Personal/professional email (unique qualifier), first name, last name, phone number

Data collected on behalf of 3rd parties

The type of data collected by third parties is specified by those third parties.
Common information collected includes:

  • personal email address
  • professional email address
  • personal phone number
  • professional phone number
  • photo
  • government-issued forms of identification
  • income
  • financial situation (e.g., aggregated investment value)
  • accredited investor status
  • bank account number

Service connection data

  • identifier for termination (GUID)
  • activity time stamps
  • identifier for connection/login
  • connectivity metadata including service logs