United States Data Processing Addendum

Where Schedule 2 and/or the Statement of Work determines so, this Data Processing Addendum, including its Schedules (“DPA”) forms part of the Agreement to reflect the parties’ agreement with regard to the processing of Personal Data.

1. DEFINITIONS

1.1. In this DPA the following words shall have the correlating meanings:
Data Breach means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data processed by Us or a Sub-Processor.
Data Protection Laws means the California Consumer Privacy Act of 2018, the California Privacy Rights Act of 2020, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, any other United States state privacy legislation of similar scope to the aforementioned statutes that become enforceable after execution of this DPA, and any implementing regulations adopted thereunder (all of which as may be amended from time to time), as applicable each party’s respective activities involving the processing of Personal Data under this DPA.
Personal Data means any information relating to an identified or identifiable natural person which is (i) included in Customer Data that we process on behalf of You in the course of providing the Services; and (ii) subject to the Data Protection Laws.
Privacy Notice means the Aspire Digitel Group Privacy Notice.
processing has the meaning given to it under applicable Data Protection Laws and “process,” “processes” and “processed” shall be interpreted accordingly.
Product Fact Sheet means the content described as a ‘product fact sheet’ made available by Us and relevant to the Access Product being procured by You in any Statement of Work.
Revised Instruction means a request for information sent by Us to You pertaining to whether Your instruction post the End Date remains to delete Personal Data.
Services means the Aspire Digitel Group products and services to be provided to You, as set forth in the Agreement.
Sub-Processor means an entity engaged by Us to process Personal Data to assist in fulfilling Our obligations with respect to providing the Services pursuant to the Agreement.

1.2. Where a defined term is used in this DPA and a definition is omitted from this DPA, that defined term will take on the definition given in the Agreement.

1.3. The notice provisions at clause 8.4 of Schedule 1 of the Agreement shall not apply to this DPA. Instead, where there is an obligation to notify in this DPA, an email to the primary contact each party has on file for the other will suffice.

2. SERVICE PROVIDER PROVISIONS

2.1. As between Us and You, with respect to Personal Data we are a “Service Provider” as defined by the California Consumer Privacy Act of 2018 and the California Privacy Rights Act of 2020, a “Processor”, as defined by the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Utah Consumer Privacy Act, the Connecticut Data Privacy Act, and any other term similar in meaning as those terms are understood pursuant to the Data Protection Laws, and the terms of this DPA apply to us to the extent You are a Business, Controller, or any other term similar in meaning as those terms are understood pursuant to the applicable Data Protection Laws.

2.2. The Product Fact Sheet sets out the subject-matter and duration of the processing of Personal Data hereunder, the nature and purpose of the processing, the type of Personal Data and the categories of data subjects. We may amend the Product Fact Sheet from time to time.

2.3. Each party shall comply with its obligations under applicable Data Protection Laws, and You warrant and undertake that You shall not instruct Us to process Personal Data where such processing would be unlawful.

2.4. For the avoidance of any doubt, any configuration of the Services by You (or Us, acting on Your instruction) shall constitute ‘written instructions’ for the purposes of this DPA and in relation to any transfer as a result of such configuration.

2.5. We will process Personal Data only to provide the Services and for the purposes described in the Agreement, or otherwise in accordance with Your documented and agreed-upon lawful instructions, unless processing is required by applicable law, in which case We shall to the extent permitted by applicable law inform You of that legal requirement before the relevant processing. We shall not otherwise:

2.5.1. “sell” or “share” Personal Data, as those terms are defined in the Data Protection Laws;

2.5.2. retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the Services as described in the Agreement and this DPA, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing the Services;

2.5.3. retain, use, or disclose Personal Data outside of the direct business relationship between Us and You; or

2.5.4. except as permitted by the Data Protection Laws, combine Personal Data that We receive from, or on behalf of, You with personal information that We receive from, or on behalf of, another person or persons, or collect from Our own interaction with the data subject.

2.6. We will comply with applicable Data Protection Laws and will provide a level of privacy protection for Personal Data consistent with the requirements of those Data Protection Laws. We will promptly notify You if We make a determination that We can no longer meet Our obligations under this DPA or comply with applicable Data Protection Laws. You shall have the right, including upon notice from Us pursuant to the preceding sentence, to take reasonable and appropriate steps to help ensure that We use Personal Data in a manner consistent with Our obligations under the Data Protection Laws, and to remediate any unauthorized Processing of Personal Data.

2.7. Notwithstanding anything to the contrary herein, We shall have the right to collect and analyze data and other information relating to the provision, use and performance of various aspects of the Services and related systems and technologies (including, without limitation, information concerning Customer Data, and data and insights derived therefrom) on an aggregated and anonymized basis, and We will be free (during and after the term hereof) to (i) use such information and data internally to improve and enhance the Services and for other development, diagnostic and corrective purposes in connection with the Services and Our other offerings, and (ii) disclose such data solely in aggregate and de-identified form in connection with Our business. No rights or licenses are granted except as expressly set forth herein.

2.8. We will ensure that individuals authorized by Us to process Personal Data under the Agreement are subject to appropriate obligations of confidentiality.

2.9. Each party shall take appropriate technical and organizational measures against unauthorized or unlawful processing of Personal Data or its accidental loss, destruction, or damage. Company shall implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data from Data Breaches. Our general security measures are set out in clause 4 to this DPA. You agree that You are responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Data when in transit, and taking any appropriate steps to securely encrypt or backup Personal Data, as well as the security obligations outlined in the Agreement.

2.10. We may engage Sub-Processors as We consider reasonably appropriate for the processing of Personal Data in accordance with the terms of the Agreement (including but not limited to in connection with support, maintenance and development, staff augmentation and the use of third-party data centers). In addition to any entity within The Aspire Digitel Group, any Sub-Processors in place as of the Effective Date shall be outlined in the Product Fact Sheet and are accepted by You, save for where it is explicitly stated otherwise in the relevant Statement of Work. By You signing this Agreement, You are providing Us with general written authorization to add a Sub-Processor and/or replace or remove a Sub-Processor where We deem necessary, provided that We shall notify You (which may be by email, through Our customer success portals, or otherwise within the relevant Aspire Digitel Group Product itself) of the appointment of a new Sub-Processor and You may, on reasonable grounds, object to the appointment of a Sub-Processor by notifying Us in writing within 14 days of receipt of Our notification (or other such timescale as may be specified on Our notification), giving reasons for Your objection. The parties shall work together to reach agreement on the engagement of Sub-Processors, and, for the avoidance of doubt, We shall not share Personal Data with any Sub-Processor You have objected to in accordance with this Agreement. We shall ensure that all Sub-Processors are bound by contract with Us which include appropriate data processing terms and We shall remain liable for Sub-Processors’ acts and omissions in connection with this Agreement.

2.11. In the event that any data subject exercises its rights under applicable Data Protection Laws against You, We shall use reasonable commercial efforts to assist You in fulfilling Your obligations as a Business, Controller, or any other term similar in meaning as those terms are understood pursuant to the Data Protection Laws and provide You with a suitable response without undue delay (and in any event within 5 days) following written request from You provided that We may: (a) extend such time period (provided always that We shall use all reasonable endeavors to provide such assistance within a time period to enable You to comply with Your obligations under the applicable Data Protection Laws); and/or (b) charge You on a time and materials basis in the event that We consider, in Our reasonable discretion, that such assistance is onerous, complex, frequent or time consuming. We shall promptly notify You in writing in the event that We receive any request, complaint, notice or other communication direct from a third party or data subject which relates directly or indirectly to the processing of Personal Data.

2.12. We shall notify You without undue delay after becoming aware of any Data Breach. We will make reasonable efforts to identify the cause of the Data Breach and will undertake such steps as We deem necessary and reasonable in order to remediate the cause of such Data Breach. We will provide information related to the Data Breach to You in a timely fashion and as reasonably necessary for You to maintain compliance with the Data Protection Laws.

2.13. Upon Your written request, We shall provide You with reasonable cooperation and assistance as needed to fulfil Your obligation under the Data Protection Laws to carry out a data protection impact assessment related to Your use of the Services, to the extent You do not otherwise have access to the relevant information, and to the extent such information is available to Us. We may charge You for such assistance on a time and materials basis.

2.14. Following the earlier of termination or expiry of the Agreement (the “End Date”), Your instruction is for Us to delete Personal Data held by Us. Before deleting Personal Data, We will seek a Revised Instruction from You on or shortly after the End Date confirming Your instruction. You will have 30 days from the date the Revised Instruction was sent by Us to respond (the “Timeframe”). You may, at no additional cost and within the Timeframe, choose to have Personal Data returned to You in the format specified in the Product Fact Sheet, the Exit Policy, or as otherwise agreed with Us. Where applicable law requires Us to retain all or some Personal Data, We shall notify You of this lawful requirement.

2.15. Where requested by You, We shall make available all information reasonably necessary to demonstrate Our compliance with the foregoing clauses 2.2 to 2.14 inclusive, and shall allow for and contribute to audits (including inspections) conducted by You or another auditor mandated by You (where such persons are subject to binding obligations of confidentiality) on a frequency of no more than once per annum (save where requested by the relevant supervisory authority) with reasonable prior Notice during Business Hours. You will ensure that your representatives make all reasonable endeavors to minimize any business interruption to Us during any such audit. We may charge You for any assistance required to facilitate such audits on a time and materials basis.

2.16. Without prejudice to any other provision in the Agreement which may apply, You shall have in place and maintain any and all appropriate consents from the relevant data subjects for processing the Personal Data of the data subjects affected by this Agreement, and You must comply with the Data Protection Laws in respect of all Personal Data which is disclosed to Us, or collected by the You in relation to Your use of the Services. We will not be liable for any claim brought against You arising from any action or omission by Us to the extent that such action or omission resulted directly from Your instructions or any failure of You to comply with this DPA.

2.17. Nothing in this DPA is intended to govern the processing of Personal Data as it relates to personal data collected by Us (or a third party or agent instructed by Us) as an independent controller. For information on how We process personal data as an independent controller, please see Our Privacy Notice available on Our website.

2.18. Some of Our Services may have an API, allowing the transfer of data (which may include personal data) to and from the Services to a third-party product (“Third-Party API”) or a separate Service (only where You have a license to this separate Service will the API be turned on). Where an API exists, We use reasonable commercial efforts to document this in the Product Fact Sheet. Whether a Third-Party API is turned on or off is at Your discretion, where it is turned on, You are authorizing Us to share the relevant data through the Third-Party API and where relevant, receive data from the Third-Party API for input into the relevant Service. We are not liable or responsible for the quality or accuracy of data transferred to Us via a Third-Party API. Nor are We liable for what happens to the data once transferred outbound via a Third-Party API (the “Transferred API Data”). For the avoidance of doubt, the Transferred API Data will be governed by the contract held between You and the relevant third-party.

3. DETAILS OF PROCESSING

3.1. For details of how personal data is processed under this Agreement, please register to see our “GDPR Portal” at https://aspire-digitel-group-support.force.com/Support/s/gdpr-hub.

3.2. If you are not already registered on the GDPR Portal you will need to do so. If you have any problems registering, please contact [email protected]

3.3. We reserve the right to change the location of the Product Fact Sheets. Where We do change the location, We will notify You.