Data Processing Agreement
This DATA PROCESSING AGREEMENT (the "Agreement") is entered into by and between:
Vardhaman Syndicate, a proprietorship firm incorporated under the laws of India with GST registration number 27CCQPK7603D1ZI (Legal entity of "Salespanel"), (and for the sake of this template, the "Data Processor");
and
The customer specified in the relevant Service Agreement (defined below) (the "Customer" and the "Data Controller").
Each of Data Processor and the Customer is referred to as a "Party" and together as the "Parties".
Background
Salespanel is a lead analytics product specialized in lead tracking and lead qualification services. Salespanel provides a tracking code, when integrated on the Customer's website collects data from visitors to the website. The Data Processor offers this technology to its customers as a software-as-a-service (the "Service").
Customer has entered into an agreement (the "Service Agreement") with Data Processor under which the Customer is granted the rights to use the Service, which Service forms the subject matter of the processing of Personal Data under this Agreement.
This Customer Data Processing Agreement ("DPA") reflects the requirements of the European Union's General Data Protection Regulation ("GDPR") as it comes into effect on May 25, 2018. Salespanel's products and services offered in the European Union are GDPR ready and this DPA provides you with the necessary documentation of this readiness.
This DPA is an addendum to the Terms of Service Agreement between Salespanel and the Customer. Customer enters into this DPA on behalf of itself and, to the extent required under Data Protection Laws, in the name and on behalf of its Authorized Affiliates (defined below).
The Data Processor’s Service is rendering the Customer the data controller, whilst Data Processor qualifies as data processor under the applicable data protection laws. In light of the above, Data Processor and Customer have agreed on the following terms to govern the Data Processor’s processing of Personal Data under the Service Agreement.
Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1."Customer Data" means any data that Salespanel and/or its Subprocessors process on behalf of the Customer in the course of providing the Services under the Agreement;
2."Authorized Affiliate" means any of Customer Affiliate(s) permitted to or otherwise receiving the benefit of the Services pursuant to the Agreement;
3."Processor" means an entity that processes Personal Data on behalf of the Customer;
4."Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
5."EEA" means the European Economic Area;
6."EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
7."GDPR" means EU General Data Protection Regulation 2016/679;
8."Data Transfer" means:
8.1a transfer of Company Personal Data from the Customer to a Subprocessor; or
8.2an onward transfer of Company Personal Data from a Subprocessor to it's contracted Subprocessor, or between two establishments of a Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
9."Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement.
The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
Scope
1.This DPA applies where and only to the extent that Salespanel processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
2.Role of the Parties: As between Salespanel and the Customer, the Customer is the Controller of Personal Data and Salespanel shall process Personal Data only as a Processor on behalf of the Customer. Nothing in the Agreement or this DPA shall prevent Salespanel from using or sharing any data that Salespanel would otherwise collect and process independently of Customer's use of the Services.
3.Customer Obligations: Customer agrees that (i) it shall comply with its obligations as a Controller under Data Protection Laws in respect of its processing of Personal Data and any processing instructions it issues to Salespanel; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Salespanel to process Personal Data and provide the Services pursuant to the Agreement and this DPA.
4.Salespanel Processing of Personal Data: As a Processor, Salespanel shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement; (ii) processing to perform any steps necessary for the performance of the Agreement; and (iii) to comply with other reasonable instructions provided by Customer to the extent they are consistent with the terms of this Agreement and only in accordance with Customer’s documented lawful instructions. The parties agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Salespanel in relation to the processing of Personal Data and processing outside the scope of these instructions (if any) shall require prior written agreement between Customer and Salespanel.
5.Nature of the Data: Salespanel handles Customer Data provided by Customer. Such Customer Data may contain special categories of data depending on how the Services are used by Customer. The Customer Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Customer; (ii) to provide customer and technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.
6.Salespanel Data: Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Salespanel shall have a right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Salespanel is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws.
Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Subprocessor who may have access to the Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Subprocessor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Security
1.Security Measures: Salespanel shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data, in accordance with Salespanel's security standards described in Annex B (“Security Measures”).
2.Confidentiality of Processing: Salespanel shall ensure that any person who is authorized by Salespanel to process Personal Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.Security Incident Response: Upon becoming aware of a Security Incident, Salespanel shall notify Customer without undue delay and shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer.
4.Updates to Security Measures: Customer acknowledges that the Security Measures are subject to technical progress and development and that Salespanel may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
Subprocessing
Customer hereby gives general written authorisation for Salespanel to engage subprocessors for carrying out specific processing activities on behalf of the Customer. When engaging subprocessors, Salespanel undertakes to ensure that the contract entered into between Salespanel and any subprocessor shall impose, as a minimum, the same data protection obligations as set out in this DPA.
The Sub-processors currently engaged by Salespanel and authorized by Customer are listed in Annex A.
Salespanel shall notify the Customer of any intended changes concerning the addition or replacement of the subprocessors in Schedule 3, to which the Customer may object. If the Customer has made no such objection within ten (10) days from the date of receipt of the notification, the Customer is assumed to have made no objection.
Salespanel may transfer (including allowing access to) Personal Data to its subprocessors outside the EEA. The parties shall jointly take all reasonably required measures necessary for ensuring that such transfer is in accordance with Applicable Laws, which may include entering into model clauses for data transfer outside of the European Economic Area (EEA).
Data Subject Rights
Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of the Customer obligations, as reasonably understood by Processor, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
Deletion and/or Return of Company Personal Data
Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent Salespanel is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which such Personal Data Salespanel shall securely isolate and protect from any further processing, except to the extent required by applicable law.
Warranty
If and to the extent another legal entity than the Customer is the controller, independently or jointly, for all or part of the Personal Data processed by Salespanel on behalf of the Customer under this DPA, the Customer warrants that it has necessary authority and mandate to enter into this DPA on behalf of such legal entity.
The Customer warrants that the processing of Personal Data is carried out in accordance with Applicable Laws, including obtaining necessary licenses, permits or approvals for the processing and notifying the processing to competent authorities or data protection officials and informing the data subjects of the processing.
Limitation of liability
Unless caused by the gross negligence or intent of Salespanel, Salespanel shall in no event be liable to the Customer for any losses or damages, whether direct or indirect (including, without limitation, damages for loss of production, loss of data, loss of business or profit, loss of use, loss of goodwill or any indirect or consequential damages) arising out of or in connection with this DPA.
Indemnification
The Customer shall hold Salespanel harmless and indemnify for third party claims, damages as well as administrative penalties or fines issued by courts or authorities if and to the extent Salespanel is held liable by a competent court, authority or any other dispute resolution body for processing of personal that is contrary to the applicable Data Protection Laws, unless such liability has arisen as a consequence of Salespanel’s failure to perform its obligations under this DPA.
Audit
Salespanel is obliged to, upon Customer’s reasonable request and at Customer’s cost, make available to the Customer all information necessary and strictly limited to the purpose of demonstrating compliance with the obligations of the data processor under applicable Data Protection Laws.
The Customer may, pursuant to the relevant provision of the Agreement but in any case notwithstanding what is set out in the Agreement once per calendar year at the cost of the Customer, carry out or mandate a third party auditor, which is not direct competitor to Salespanel and acting under confidentiality undertaking, to carry out an audit strictly limited to verifying Salespanel’s compliance with the obligations of data processors under applicable Data Protection Laws. The audit shall be carried out during Salespanel’s normal working hours without disturbance to the normal operations of Salespanel.
Assignment
The Customer may only assign the rights or obligations under this DPA to a third-party with the prior written consent of Salespanel.
Salespanel may assign its rights and obligations under this DPA to (i) any company within its group of companies, or (ii) a third party in case of a merger, joint venture or transfer of businesses or substantially all parts of businesses. Any such assignment of rights shall not be considered as Salespanel engaging a subprocessor.
Miscellaneous
Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
This DPA is a part of and incorporated into the Agreement so references to "Agreement" in the Agreement shall include this DPA.
In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.