This Data Processing Addendum ("DPA") is entered into between Softledger, Inc. ("Softledger" or "data importer") and the entity identified as the Customer ("Customer" or "data exporter") and is appended to either (i) the Softledger Master Services Agreement (as applicable); or (ii) other electronic or written agreement incorporating this DPA, governing the Customer's access and use of the Softledger platform and related services (the "Agreement"). The parties agree that this DPA shall be incorporated into and form part of the Agreement and subject to the provisions therein, including limitations of liability.
This DPA sets forth the terms and conditions under which Softledger may receive and process Customer Personal Data from Customer and incorporates the Standard Contractual Clauses. If Customer makes any deletions or revisions to this DPA, those deletions or revisions are hereby rejected and invalid, unless agreed to in writing by Softledger. Customer's signatory represents and warrants that he or she has the authority to bind the Customer to this DPA. This DPA will terminate automatically upon termination of the Agreement, or as earlier terminated pursuant to the terms of this DPA.
Data Processing Terms
Definitions
"Applicable Privacy Law(s)" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data, if any, processed by Softledger as part of the provision of the Services to Customer under the Agreement, including, where applicable, EU/UK Data Protection Law.
"Customer Personal Data" means any Customer Content that is Personal Data and protected by Applicable Privacy Law(s).
"EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Data Protection Act ("Swiss DPA"); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time.
"Affiliate" means any entity that is directly or indirectly controlled by, controlling or under common control with a party to this DPA.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to any other country which is not subject to adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data from Switzerland to any other country which is not determined to provide adequate protection for Personal Data by the Federal Data Protection and Information Commission or Federal Council (as applicable).
"Standard Contractual Clauses" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision (EU) 2021/914 of 4 June 2021 ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs"), as applicable in accordance with Section 8 (Data Transfers).
"Security Incident" means any unauthorized or unlawful breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to Customer Personal Data. A "Security Incident" shall not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
"Subprocessor" means any third party (including any Softledger Affiliate) engaged by Softledger to process any Customer Personal Data (excluding Softledger employees or consultants).
The terms "Controller", "data subject", "Personal Data", "Processor," and "processing," have the meanings given to them in Applicable Privacy Law(s). If and to the extent that Applicable Privacy Law(s) do not define such terms, then the definitions given in EU/UK Data Protection Law will apply.
- Role and Scope of Processing
- The parties acknowledge that with regard to and to the extent of any processing of Customer Personal Data, Customer shall be the Controller and Softledger shall process Customer Personal Data as a Processor on behalf of Customer.
- Softledger will process Customer Personal Data only in accordance with Customer's documented instructions and will not process Customer Personal Data for its own purposes, except where required by applicable law(s). The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Services (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Softledger regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses.
- Each party shall comply with its obligations under Applicable Privacy Law(s) in respect of any Customer Personal Data it Processes under or in connection with the Services or this DPA. Without prejudice to the foregoing, Customer is responsible for determining whether the Services are appropriate for the storage and processing of Customer Personal Data under Applicable Privacy Law(s) and for the accuracy, quality and legality of the Customer Personal Data and the means by which it acquired Customer Personal Data. Customer further agrees that it has provided notice and obtained all consents, permissions and rights necessary for Softledger and its Subprocessors to lawfully process Customer Personal Data for the purposes contemplated by the Agreement (including this DPA).
- Softledger shall promptly notify Customer if it makes a determination that Customer's instructions infringe Applicable Privacy Law(s) (but without obligation to actively monitor Customer's compliance with Applicable Privacy Law(s)) and in such event, Softledger shall not be obligated to undertake such Processing until such time as the Customer has updated its processing instructions and Softledger has determined that the incidence of non-compliance has been resolved.
- Details of Data Processing:
- Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
- Duration: As between Customer and Softledger, the duration of the processing is the term of the Agreement plus any period after the termination or expiry of the Agreement during which Softledger will process Customer Personal Data in accordance with the Agreement.
- Purpose: Softledger will process Customer Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer in its use of the Services.
- Nature of the processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.
- Types of Customer Personal Data: Customer Personal Data uploaded to the Services into Customer's Softledger account.
- Categories of data subjects: The data subjects could include Customer's employees, consultants, agents and third parties authorized to use the Services as "Users" under Customer's Softledger account and any other data subjects whose personal data is submitted to Softledger by Customer through the Services.
- Subprocessing
- Customer grants Softledger a general authorization to subcontract the processing of Customer Personal Data to a Subprocessor on the list provided to Customer by Softledger from time to time ("Subprocessor List") and Softledger will:
- provide 10 days' prior written notice to Customer in the event of the engagement of any new or replacement Subprocessor, including updating the Subprocessor List;
- impose substantially the same data protection terms on any Subprocessor it engages as contained in this DPA (including data transfer provisions, where applicable); and
- remain liable to Customer for any breach of this DPA caused by an act, error or omission of such Subprocessor.
- Customer may object to Softledger’s appointment of any new or replacement Subprocessor promptly in writing within thirty (30) days after receipt of notice in accordance with Section 3.1(a) and on reasonable grounds related to Subprocessor's ability to comply with Applicable Privacy Law(s). In such case, the parties shall discuss Customer's concerns in good faith with a view to achieving a commercially reasonable resolution. If the parties cannot reach such resolution, Softledger shall have the right, at its sole discretion, to either not appoint the disputed Subprocessor, or permit Customer to suspend or terminate the applicable Order and/or the Agreement. In the event Customer exercises its right of termination under this Section 3.2, Softledger will refund to Customer a pro rata share of any prepaid fees for the remaining and unexpired portion of the applicable Subscription Term from the date of termination. These procedures are Customer’s exclusive remedy and Softledger’s entire liability for resolving Customer’s objections to Softledger’s appointment of Subprocessors under this DPA.
- Cooperation
- Softledger shall reasonably cooperate with Customer to enable Customer to respond to any requests, complaints or other communications from data subjects and regulatory or judicial bodies relating to the processing of Customer Personal Data, including requests from data subjects seeking to exercise their rights under Applicable Privacy Law(s). In the event that any such request, complaint or communication is made directly to Softledger, Softledger shall, once it has identified the request is from or related to a data subject for whom the Customer is responsible, pass this on to Customer and shall not respond to such communication without Customer's express authorization (unless required to do so in order to comply with applicable law(s)).
- To the extent Softledger is required under Applicable Privacy Law(s), Softledger will assist Customer to conduct a data protection impact assessment and, where legally required, consult with applicable data protection authorities in respect of any proposed processing activity that presents a high risk to data subjects.
- Taking into account the nature of the processing, Customer agrees that it is unlikely that Softledger would become aware that Customer Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated. Nonetheless, if Softledger becomes aware that Customer Personal Data transferred under the Standard Contractual Clauses is inaccurate or outdated, it will inform Customer without undue delay. Softledger will reasonably cooperate with Customer to erase or rectify inaccurate or outdated Customer Personal Data transferred under the Standard Contractual Clauses.
- Data Access & Security Measures
- Softledger will ensure that any personnel tasked with the processing of Customer Personal Data are subject to an appropriate duty of confidentiality (whether a contractual or statutory duty) and that they process Customer Personal Data only for the purpose of delivering the Services.
- Softledger will implement and maintain reasonable and appropriate technical and organizational security measures with the aim of protecting Customer Personal Data from Security Incidents in accordance with the measures listed in Schedule 2 ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that Softledger may update or modify the Security Measures from time to time, provided that such updates and modifications do not degrade or diminish overall security of the Services.
- Security Incidents
In the event of a Security Incident, Softledger shall inform Customer without undue delay and will provide written details of the Security Incident to Customer, including the type of data affected and the identity of affected person(s), once such information becomes known or available to Softledger. Softledger shall, to the extent possible, provide timely information and cooperation to Customer to allow Customer to fulfil its data breach reporting obligations under Applicable Privacy Law(s) and shall take reasonable steps to remedy or mitigate the effects of the Security Incident. The obligations herein shall not apply to Security Incidents that are caused by the Customer or its users.
- Security Reports & Inspections
- Upon request, Softledger shall provide copies of any certifications, audit report summaries and/or other relevant documentation it holds, where reasonably required by Customer to verify Softledger's compliance with this DPA.
- While it is the parties' intention ordinarily to rely on Softledger's obligations set forth in Section 7.1 to verify Softledger's compliance with this DPA, following a confirmed Security Incident or where a data protection authority requires it, Customer may provide Softledger with thirty (30) days’ prior written notice requesting that a third party conduct an audit of Softledger's operations ("Audit"); provided that (i) any Audit shall be conducted at Customer’s expense; (ii) the parties shall mutually agree upon the scope, timing and duration of the Audit; and (iii) the Audit shall not unreasonably impact Softledger's regular operations.
- Any written responses or Audit described in this Section 7 shall be subject to the confidentiality provisions of the Agreement. The parties agree that the audits described in Clause 8.9 of EU SCCs shall be carried out in accordance with this Section 7 (Security Reports & Inspections).
Data Transfers
- Customer Personal Data that Softledger processes under the Agreement may be processed in any country in which Softledger, its Affiliates, and Subprocessors maintain facilities to perform the Services, as further detailed in the Subprocessor List. Softledger shall not process or transfer Customer Personal Data (nor permit such data to be processed or transferred) outside of the EEA, Switzerland or the UK, unless it first takes such measures as are necessary to ensure the transfer is in compliance with EU/UK Data Protection Law.
- The parties agree that, when the transfer of Customer Personal Data from Customer to Softledger is a Restricted Transfer, it shall be governed by the EU SCCs, which the parties hereby enter into and incorporate into this DPA as Annex III. In the event that any provision of this DPA contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
- To the extent that and for so long as the EU SCCs as implemented in accordance with Section 8.2 cannot be used to lawfully transfer Customer Personal Data in compliance with the UK GDPR, the UK SCCs shall be incorporated by reference and form an integral part of this DPA and shall apply to transfers of Personal Data governed by the UK GDPR. For the purposes of the UK SCCs, the relevant annexes, appendices or tables shall be deemed populated with the relevant information set out in this DPA.
- If Softledger adopts an alternative lawful data export mechanism for the transfer of personal data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with EU/UK Data Protection Law and extends to the territories to which the relevant Customer Personal Data is transferred).
- Deletion & Return
- Upon Customer's request, or upon termination or expiry of this DPA, Softledger shall destroy or return to Softledger all Customer Personal Data in its possession in accordance with Softledger’s then-current data deletion timelines and policies, which may be requested by Customer at any time. This requirement shall not apply to the extent that Softledger is required by any applicable law to retain some or all of the Customer Personal Data, in which event Softledger shall isolate and protect such Customer Personal Data from any further processing except to the extent required by such law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16.(d) of EU SCCs shall be provided by Softledger to Customer only upon Customer's written request.
California Consumer Privacy Act (CCPA)
- To the extent that Customer has users of the Services who are residents of the state of California in the United States and the CCPA applies, the terms set forth in this Section 10 shall apply to this DPA.
- The following amendments shall be made to the definitions set forth in Section 1 of this DPA:
- “Business” has the meaning given to it in the CCPA.
- “Service Provider” has the meaning given to it in the CCPA.
- For purposes of Customer Personal Data constituting “personal information” under the CCPA, Customer is a Business and Softledger is a Service Provider. Customer’s transfer of Customer Personal Data to Softledger is not a sale, and Softledger provides no monetary or other valuable consideration to Customer in exchange for Personal Data.
- Softledger agrees to comply with all applicable requirements of the CCPA, and if and to the extent agreed between Customer and Softledger in writing as set forth in this DPA.
- As applicable to the Services, Softledger shall reasonably assist Customer in responding (at Customer’s expense) to any request from a data subject (including “verifiable consumer requests”, as such term is defined in the CCPA), relating to the processing of Customer Personal Data under the Agreement.
- General
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between any provision in this DPA and any provision in the Agreement, this DPA controls and takes precedence. With effect from the effective date, this DPA is part of, and incorporated into the Agreement.
- In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority.
- Any claim or remedy Customer may have against Softledger, its employees, agents and Subprocessors, arising under or in connection with this DPA (including the Standard Contractual Clauses), whether in contract, tort (including negligence) or under any other theory of liability, shall to the maximum extent permitted by law be subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with the Agreement and this DPA together.
- This DPA may not be modified except by a subsequent written instrument signed by both parties.
- This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Privacy Law(s) or the Standard Contractual Clauses.
- If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.
ANNEX I
A. LIST OF PARTIES
MODULE TWO: Transfer controller to processor
- Data exporter(s):
Name: The entity identified as the "Customer" in this DPA.
Address: The address for the Customer associated with its Softledger account or otherwise specified in the DPA or this Agreement.
Contact person’s name, position and contact details: The contact details associated with the Customer's account, or otherwise specified in this DPA or the Agreement.
Activities relevant to the data transferred under these Clauses: The activities specified in Annex 1(B) below.
Role (controller/processor): Controller
- Data importer(s):
Name: Softledger, Inc. (“Softledger”)
Address: 202 Bicknell Ave, Santa Monica, CA 90405
Contact person's name, position and contact details: Ben Taylor, ben.taylor@softledger.com
DPO (if applicable) name contact details: n/a
Activities relevant to the data transferred under these Clauses: The activities specified in Annex 1(B) below.
Role (controller/processor): Processor
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer controller to processor
- Categories of data subjects whose personal data is transferred:
Customer employees, consultants, agents and third parties authorized to use the Services as "users" under Customer's account and any other data subjects whose personal data may be submitted to Softledger by Customer through the Services.
- Categories of personal data transferred:
Name, email address and other personal data as may be submitted by Customer through the Services, including as Customer Content.
- Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None.
- The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Customer Personal Data may be transferred on a continuous or one-off basis depending on the Customer's use of the Services and the Customer's processing instructions.
- Nature of the processing
See below
- Purpose(s) of the data transfer and further processing
For Softledger to provide, maintain and improve the Services provided to data exporter pursuant to the Agreement.
- The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Softledger will retain Customer Personal Data for up to 180 days after termination or expiry of the Agreement.
- For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Duration: The term of the Agreement plus any period after the termination or expiry of the Agreement during which Softledger will process Customer Personal Data in accordance with the Agreement.
Subject matter: The subject matter of the data processing under this DPA is the Customer Personal Data.
Nature of the processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer controller to processor
Identify the competent supervisory authority/ies in accordance with Clause 13
The data exporter's competent supervisory authority will be determined in accordance with the GDPR.
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
MODULE TWO: Transfer controller to processor
Softledger uses the following technical and organizational measures to protect personal information:
- Measures of pseudonymization and encryption of personal data
- Measures including the principle of least authority (POLA) for server/network/and application access
- Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
- Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
- Measures for user identification and authorization
- Measures for the protection of data during transmission
- Measures for the protection of data during storage
- Measures for ensuring physical security of locations at which personal data are processed
- Measures for ensuring events logging
- Measures requiring secure passwords that are changed regularly
- Measures for ensuring system configuration, including default configuration
- Measures for internal IT and IT security governance and management
- Measures for certification/assurance of processes and products
- Measures for ensuring data minimization
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure
- Measures to ensure only active and authorized employees can access company systems
The technical and organizational measures that the data importer will impose on sub-processors are substantially similar to those outlined above and are further described in the DPA.
ANNEX III
Standard Contractual Clauses
Subject to Section 8.2 of this DPA, where transfer of Customer Personal Data to Softledger is a Restricted Transfer and EU/UK Data Protection Law requires that appropriate safeguards are put in place, such transfer shall be governed by the EU SCCs as follows:
- Module Two (Transfer Controller to Processor) will apply;
- in Clause 7 (Docking Clause), the optional docking clause will apply;
- in Clause 9 (Use of Subprocessors), Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 3.1 of this DPA;
- in Clause 11 (Redress), the optional language to permit data subjects to lodge complaints with an independent dispute resolution body will not apply;
- in Clause 17 (Governing Law), Option 1 will apply, and the EU SCCs will be governed by Dutch law;
- in Clause 18(b) (Choice of forum and jurisdiction), disputes shall be resolved before the courts of Amsterdam, the Netherlands;
- subject to paragraph (c) below, in relation to Customer Personal Data protected by the UK GDPR, the EU SCCs will apply (in accordance with paragraph (a) above) but with the following modifications:
- any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR;
- references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex II of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales;
- Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";
- to the extent that and for so long as the EU SCCs as implemented in accordance with paragraphs (a) and (b) above cannot be used to lawfully transfer Customer Personal Data in compliance with the UK GDPR, the UK SCCs shall be incorporated by reference and form an integral part of this DPA and shall apply to transfers of Personal Data governed by the UK GDPR. For the purposes of the UK SCCs, the relevant annexes, appendices or tables shall be deemed populated with the information set out in Annex 1 and Annex 2 of this DPA.