RQ Labs Inc.

This Data Processing Agreement, including any schedules attached to it (hereinafter, the “DPA”), supplements the Terms of Service (hereinafter, the “Agreement”), entered into by and between the Customer (as defined in the Agreement, hereinafter, the “Controller”) and RQ Labs Inc. (hereinafter, the “Processor”), a Delaware corporation having its registered office at 355 BRYANT STREET SUITE 403 SAN FRANCISCO, CA 94107. By executing the Agreement, the Controller enters into this DPA on behalf of itself and, to the extent required under applicable Data Protection Legislation (as defined below).

Controller and Processor are hereinafter individually referred to as a “Party” and collectively referred to as the “Parties”.

WHEREAS:
Controller and Processor have exchanged the necessary documentation, including without limitation privacy policies, terms of service, records of processing activities, and information and security policies, in order for the Parties to be able to frame the actions to be undertaken under the present DPA; and

Controller and Processor wish to lay down in this DPA the assignment for and further agreements concerning the processing of this Personal Data by Processor under or in connection with the Agreement.

IT IS AGREED AS FOLLOWS:
1. INTERPRETATION

1.1 In this DPA, the following words shall have the hereinafter stated meaning when written with a capital letter:

Agreement: has the meaning given to that term in recital 1 of this DPA;

Approved Sub-Processors: means the Sub-Processors that have been approved by Controller in accordance with article 5;

Data Protection Legislation: means any law, enactment, regulation, regulatory policy, by law, ordinance, or subordinate legislation relating to the processing, privacy, and use of Personal Data, as applicable to Controller, Processor, and/or the Services, including:

A. The US Data Protection Requirements including but not limited to CCPA, CTDPA, CPA, UCPA or VCDPA, as applicable.

B. any judicial or administrative interpretation of any of the above, any guidance, guidelines, codes of practice, approved codes of conduct or approved certification mechanisms issued by any relevant supervisory authority;

Data Security Incident: has the meaning given to that term in article 4.1;

Data Subject: means the individual to whom Personal Data pertains;

Personal Data: means the personal data that Processor or any Approved Sub-Processor will process when providing the Services to the Controller. For the purpose of this definition, "processing" of personal data and "personal data" will have the meaning given to those terms under the applicable Data Protection Legislation.

Privacy Manager: means the contact person appointed by the Processor for all data protection matters;

Relevant Records: has the meaning given to that term in article 6.1;

Services: means the services that Processor will provide to Controller under or in connection with the Agreement;
1.2 If there is any conflict or inconsistency between any:
1.2.1 term in the main part of this DPA;
1.2.2 term in any of the schedules to this DPA; and
1.2.3 term in the Agreement and its schedules and annexes;
the term falling into the category first appearing in the list above shall take precedence.

2. GENERAL OBLIGATIONS

2.1 When processing Personal Data, the Parties will at all times comply with their obligations under all applicable Data Protection Legislation.

2.2 Processor will agree to comply with any security policies and standards that may be made available by the Controller to Processor from time to time.

2.3 Processor will (and will ensure that the Approved Sub-Processors will) only process Personal Data on behalf of the Controller:

2.3.1  in the manner and for the purposes set out in schedule 1, including any of its sub-schedules; and    

2.3.2  upon the written instruction of the Controller.

2.4 In addition to the foregoing, the Controller hereby:

2.4.1 instructs Processor to take such steps in the processing of Personal Data on behalf of the Controller as are reasonably necessary for the provision of the Services under or in connection with the Agreement; and

2.4.2 authorizes Processor to provide to the Approved Sub-Processors and on behalf of Controller instructions that are equivalent to the instructions set out in article 2.4.1.

2.5 The Controller represents and warrants that the documentation it provides to Processor in connection to this DPA for the delineation of its tasks under same agreement, therein included, without limitation its privacy policies and its safety and security policies, are true and accurate on the date as of which such information is provided to Processor in the light of the circumstances and purposes for which such documentation has been provided.

2.6 If, in Processor’s reasonable opinion, compliance with Controller’s instructions would constitute a breach of the applicable Data Protection Legislation, Processor will promptly notify Controller thereon in writing within a reasonable delay.
1. If the Controller does not respond to Processor’s reasonable opinion referred to above within a delay of fourteen (14) calendar days of receiving it, Processor will be free to put the particular instruction aside, without incurring any penalty or liability in that regard. If the Controller should persist in its instruction, and the Processor remains unsatisfied, the Parties agree to enter mutual discussions and address the matter, and, if required, contact the relevant authority pursuant to common decision of both Parties.

3. CONFIDENTIALITY AND SECURITY

    3.1 Processor undertakes to treat all Personal Data strictly confidential. Unless Controller requires otherwise in writing, Processor will not disclose Personal Data to any third party other than:

    3.1.1 to those of its employees, Approved Sub-Processors, and employees of the Approved Sub-Processors to whom such disclosure is strictly necessary for the provision of the Services, provided that:

    (i) any disclosure under this article 3.1.1 is made subject to strict obligations of confidentiality and data protection no less onerous than those imposed upon Processor under this DPA, under the Agreement, and consistent with any procedures specified by Controller from time to time;

       (ii)  the persons to whom Personal Data may be disclosed pursuant to article 3.1.1 will have received appropriate training regarding the data protection obligations that Processor and the Approved Sub-Processors must comply with under applicable Data Protection Legislation and under this DPA;
    

    (iii) Processor will implement measures to ensure that any persons to whom Personal Data may be disclosed pursuant to article 3.1.1 will not process Personal Data except on instruction from the Controller; or
    3.2.2 to the extent required by law, by any governmental or other regulatory authority, or by a court or other authority of competent jurisdiction, provided that Processor will:

(i) give written notice to Controller of any disclosure of Personal Data that Processor or any Approved Sub-Processor is required to make under article 3.1.1, promptly after it becomes aware of that requirement (unless such notice is prohibited by applicable legislation); and

(ii) co-operate with Controller regarding the timing and content of such disclosure and any action which Controller may wish to take to challenge the validity of such requirement.

3.2 In regard to the Controller, the Processor will (and will ensure that the Approved Sub-Processors will) implement the necessary security measures and will keep these measures in place for the entire term of this DPA.

4. REPORTING DATA SECURITY INCIDENTS

4.1 Processor will provide Controller with written notice, promptly, but in any event without undue delay after becoming aware of any actual or potential:
4.1.1 breach of security that leads (or may lead) to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, any Personal Data (or any media or carrier containing the same) held by Processor or Approved Sub-Processors;

4.1.2  unauthorized processing of any Personal Data held by Processor or the Approved Sub-Processors;

4.1.3  breach by Processor or by any Approved Sub-Processor of the obligations of this DPA or under applicable Data Protection Legislation; or

4.1.4  enforcement proceeding, action, lawsuit, or any pending or threatened enforcement proceeding, action, lawsuit, brought or threatened against Processor or Approved Sub-Processors relating in any way to Personal Data; (each a “Data Security Incident”).   

4.2 After the receipt of the notice referred to under article 4.1, the Parties will further coordinate in common accord on the provision by Processor to the Controller of a written notice containing at least the following information, as may be required for notification to the competent Data Protection Authority and the completion of each Party’s internal registers:

4.2.1 a reasonably detailed description of the nature of the Data Security Incident including (without limitation):

(i) the categories and number (including the minimum and maximum number) of affected Data Subjects; and

(ii) the categories and number (including the minimum and maximum number) of affected data records concerned;

4.2.2 the name and contact details of the Privacy Manager or other representatives of Processor who may provide additional information about the Data Security Incident to Controller;

4.2.3 when the Data Security Incident took place (date or time period);

4.2.4 the type of Personal Data that are affected by the Data Security Incident, such as (non-exhaustively) name and address details; telephone numbers; email addresses; login details; government-issued unique identifiers (including (without limitation) tax and social insurance numbers); copies of identity documents (such as passports); gender, date of birth and/or age and other details;

4.2.5  whether the affected Personal Data had been encrypted, hashed, or otherwise rendered incomprehensible, inaccessible, or unintelligible for unauthorized persons and how this took place;

4.2.6  the (suspected) cause of the Data Security Incident;

4.2.7  relationship with any earlier Data Security Incidents;       

4.2.8  the likely consequences of the Data Security Incident;

4.2.9 the measures taken and proposed to be taken by Processor and the Approved Sub-Processors pursuant to article 4.5; and

4.2.10 any additional information as may be requested by the Controller in relation to the data breach.

4.3 In addition to the coordination referred under article 4.2, the Parties will coordinate with each other to further investigate the Data Security Incident. Processor will (and will ensure that the Approved Sub-Processors will) fully cooperate with Controller, in handling of the Data Security Incident, including, without limitation, by:

4.3.1 assisting with any investigation (including any investigation conducted by or on behalf of a competent public authority);

4.3.2 providing an external auditor mandated by the Controller with physical access to the facilities and operations affected;

4.3.3 facilitating interviews with employees of Processor or of any Approved Sub-Processor and others involved in the matter; and

4.3.4 making available all Relevant Records, logs, files, data reporting, and other materials that may be useful for the investigation of the Data Security Incident or for allowing Controller to notify the Data Security Incident to a competent public authority or to the affected Data Subjects.

4.4 Processor will duly document any Data Security Incident. Such documentation must contain at least the information set out in paragraphs 4.2.1 through 4.2.10 as well as the results of the investigation referred to in article 4.3.

4.5 Processor will not release or publish any filing, communication, notice, press release, or report concerning any Data Security Incident without Controller’s prior written approval unless Processor is required to do so pursuant to applicable law. In the latter case, the Processor will provide the Controller with reasonable prior written notice where lawful to do so in order to provide the Controller with the reasonable opportunity to object to such disclosure.

4.6 Processor will take the measures that are reasonably necessary:

4.6.1 to remedy any Data Security Incident;

4.6.2 to prevent any recurrence of the Data Security Incident or any further Data Security Incidents;

4.6.3 to mitigate the impact of the Data Security Incident on the privacy of the Data Subjects; and

4.6.4 to mitigate any adverse impact of the Data Security Incident on the Controller.

5. SUBCONTRACTING AND SUB-PROCESSING

5.1 Processor may add or replace a sub-processor, and the same shall reflect in the list of Sub-Processors as given under Schedule 1. In case of objection by the Controller to such addition or replacement, the Controller shall communicate the same objection to Processor via email. In the absence of such an objection, the sub-processor will be considered an Approved Sub-Processor.

5.2 Processor and the Sub-Processor will enter into a written data processing agreement setting out the same, considered functionally rather than formally, (or more onerous) obligations as those set out in this DPA.

5.3 For the purpose of article 5.1, the Controller hereby accepts the subcontracting of the processing of Personal Data to the Sub-Processors described in schedule 1. The Sub-Processors described in schedule 1 will be deemed to be the Approved Sub-Processors for the purpose of this DPA.

5.4 The Processor will not be liable for acts and omissions of the Approved Sub-Processors unless the same was foreseeable to the Processor.

6. AUDIT

    6.1 Processor will keep at its normal place of business detailed, accurate and up-to-date records describing in reasonable detail (such records hereafter referred to as “Relevant Records”):

    6.1.1 the processing of Personal Data by Processor and the Approved Sub-Processors (including, without limitation, the nature and the purpose of the processing, the type of Personal Data and the categories of data subjects);

    6.1.2 a list of all the Approved Sub-Processors;

    6.1.3 for each Approved Sub-Processor:

    (i) a description of the processing conducted by the Approved Sub-Processor (including, without limitation, the nature and the purpose of the processing, the type of Personal Data and the categories of data subjects); and

    (ii) a copy of the data processing agreement entered into by the Approved Sub-Processor pursuant to article 5.1.2;

    6.1.4 a description of the measures taken pursuant to article 3;

    6.1.5 if applicable, the information referred to in article 4.3; and

    6.1.6 any other information that:

    (i) Processor or the Approved Sub-Processors are required to document under or pursuant to applicable Data Protection Legislation; or

    (ii) is necessary to demonstrate to the Controller Processor’s and the Approved Sub-Processors' compliance with this DPA and with applicable Data Protection Legislation.
    

    6.2 Processor will permit the Controller’s third party representatives as well as any competent authority to:

    6.2.1 gain access to, and take copies of, the Relevant Records and any other information that is available to Processor; and
    

    6.2.2 inspect all systems used by Processor for processing Personal Data;

during normal business hours for the purpose of auditing Processors' compliance with their obligations under this DPA and with the applicable Data Protection Legislation.

6.3 Processor will provide all reasonable assistance to the conduct of such audits.

6.4 Any such audit will be subject to the Controller's representative agreeing to reasonable confidentiality obligations in respect of the information obtained, provided that all information obtained may be disclosed to the Controller.

6.5 Following an audit, if Controller or any competent public authority in their reasonable opinion deems that Processor or any Approved Sub-Processor is failing to comply with any of its obligations under this DPA or under any applicable Data Protection Legislation:

6.5.1 Processor will provide to Controller an action plan to:

(i) remediate the deficiencies identified in the audit; and

(ii) ensure that such deficiencies or any similar deficiencies will not (re-)occur in the future (“Remediation Plan”);

    6.5.2  promptly upon the validation of the Remediation Plan by the Controller and/or the competent public authority, as the case may be, the Processor will implement the Remediation Plan. Not less than once a month Processor will update Controller and/or the competent public authority, as the case may be, on the status of the implementation of the Remediation Plan; 

    6.5.3  upon completion of the Remediation Plan, Processor will notify Controller or the competent public authority, as the case may be, and Controller or the competent public authority will be entitled to conduct another audit in accordance with this article 6 in order to verify whether the Remediation Plan has been duly implemented; and                                                     

    6.5.4 Processor will bear any costs and expenses resulting from:

(i) the conduct of such audit falling under the application of article 6.5;

(ii) the preparation, validation, and implementation of any Remediation Plan; and

(iii) any follow-up audit to verify due implementation and completion of any Remediation Plan.

7. ASSISTANCE WHEN HANDLING REQUESTS FROM DATA SUBJECTS

7.1. Processor will (and will ensure that the Approved Sub-Processors will) fully cooperate with Controller when handling requests from Data Subjects exercising their rights, including (without limitation) their right to be informed about the processing of their Personal Data, under applicable Data Protection Legislation.

7.2. Processor shall:
7.1.1 without undue delay notify the Controller when Processor (or any Approved Sub-Processors) receives a request from a Data Subject under any of the applicable Data Protection Legislation in respect of the Personal Data; and

7.1.2  take all required actions and provide all required information, by e-mail to the Privacy Manager or by letter to the address of the Processor as indicated above within fifteen (15) days as of its receipt, unless otherwise instructed by the Controller; and

7.1.3 ensure that it (or any Approved Sub-Processor) does not respond to that request except on the documented instructions of Controller or as required by applicable Data Protection Legislation to which Processor is subject.

8. TERM AND TERMINATION

8.1 This DPA enters into force on its signature and will remain in force as long as Processor will provide the Services under the Agreement unless this DPA is terminated earlier in accordance with this article 10.

8.2 The Controller has the right, without prejudice to its other rights or remedies, to terminate this DPA immediately (without the necessity for judicial action) by written notice to Processor if the latter is in material breach of this DPA and either that breach is not capable of remedy or, if the breach is capable of remedy, Processor has failed to remedy the breach within thirty (30) days after receiving written notice of default from Controller requiring it to do so.

8.3 Notwithstanding any other breach which qualifies as material under article 8.2, any breaches by Processor of articles 2, 3, 4, or 5, will be considered a material breach allowing Controller to terminate this DPA in accordance with article 8.2.

9. TRANSFERABILITY

Processor is not entitled to transfer the rights and/or obligations arising from this DPA to a third party without prior written approval from the Controller.

10. RETURN/DESTRUCTION OF PERSONAL DATA

10.1 Unless stated otherwise for a specific project, within 90 (ninety) days after expiration or termination of this DPA, Processor will (and will ensure that the Approved Sub-Processors will):

10.1.1 at the option of Controller:

(i) return to Controller in a then commonly used electronic format all Personal Data that, as of the termination date or expiration date, are in the possession or under the control of Processor and/or the Approved Sub-Processors;

(ii) destroy or purge their computer systems and files of any Personal Data that, as of the termination date or expiration date, are in the possession or under the control of Processor and the Approved Sub-Processors; and

10.1.2 deliver to Controller a written notice in order to:

(i) confirm that such return, destruction, and purging have been carried out; and

(ii) identify in reasonable detail which Personal Data Processor and the Approved Sub-Processors are required by the applicable law to retain after termination or expiration of this DPA.
    

10.2 The provisions set out in article 10.1.1 will not apply to any personal data that Processor and the Approved Sub-Processors are required by the applicable law to retain after termination or expiration of this DPA, in which case:

10.2.1  the provisions of this DPA will survive the termination or expiration of this DPA and will continue to apply to these Personal Data; and

10.2.2  Processor will (and will ensure that the Approved Sub-Processors will) perform their obligations under article 10.1 promptly when Processor and the Approved Sub-Processors are no longer required to retain this Personal Data. 

11. INDEMNIFICATION

11.1 Each Party (“Defaulting Party”) shall be liable in relation to the other party (“Non-Defaulting Party”) for any material breach or infringement it commits against the provisions set out in this DPA and/or for any breach of the provisions of the applicable Data Protection Legislation, bringing harm to the Non-Defaulting Party but excluding any harm arising from administrative fines or private damages which are compensated to the other Party in the manner set out under Section 11.2. The Parties’ liability extends to the actions committed by their legal representatives, subcontractors, employees, or any other agents.

(i) The liability of the Defaulting Party does not include any damages resulting from operational loss, profit loss, loss of goodwill, and any other indirect loss and consequential damage. Data loss shall not be considered falling under the scope of indirect loss.

(ii) Any damages owed by the Defaulting Party to the Non-Defaulting Party shall be further limited in accordance with the provisions relating to the limitations of liability as set out under the Agreement concluded between the Parties, or any other applicable agreement between the Parties setting out the main relationship between them and in reason of which this Agreement for the processing of personal data is constituted.

(iii) The previous limitations of liability do not apply in those circumstances where the Defaulting Party acted intentionally, or where the harm was caused by wilful misconduct or by gross negligence.

11.2 Nothing in this article 11 of the DPA will affect any Party’s liability to the Data Subjects to the extent that the limitation of such rights is prohibited by the Data Protection Laws.

12. APPLICABLE LAW AND JURISDICTION

This Agreement will be governed by the laws of California. US Courts will have exclusive jurisdiction for any dispute between the Parties arising out of or relating to this DPA.