Data Processing Addendum Agreement
The Data Processor Addendum Agreement will not apply where 42Gears act as Data Controller.
- Agreement: means the agreement between 42Gears and the Customer whether in any written or electronic form to provide Service to the Customers.
- Data Controller: means natural or legal entity that determines the purpose and means for processing data.
- Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed in connection with the provision of services to Customers by 42Gears.
- Personal Data: Personal data is the information relating to an individual who can be directly or indirectly identified from that data. Identification can be through reference to the information itself, or in conjunction with any other information in our possession or likely to come into such possession.
- Data Processor: means any natural or legal entity who processes the personal data on behalf of the data controller.
- Services: any cloud services or customer support provided by 42Gears to the Customers pursuant to this Agreement.
- Sub-Processor: means any third party service provider that 42Gears may engagae to process personal data of its Customers pursuant to this Agreement.
2. Objectives of Data Processing:
- 42Gears undertakes to process personal data on behalf of the Customer in accordance with the conditions laid down in this Data Processing Addendum Agreement. The processing will be executed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
- 42Gears shall refrain from making use of the personal data for any purpose other than as specified by the Customer. The Customer will inform 42Gears of any such purposes which are not contemplated in this Data Processing Addendum Agreement.
- All personal data processed on behalf of the Customer shall remain the property of the Customer and/or the relevant Data subjects.
- 42Gears shall not, on its behalf make any unilateral decisions regarding the processing of the personal data other than the purpose as set out in the Agreement.
3. 42Gears obligations to process Personal Data:
- 42Gears shall warrant compliance with the applicable data protection laws and regulations governing the protection of personal data, including the General Data Protection Regulations which takes effect from 25May, 2018.
- 42Gears shall furnish to the Customer promptly on request, with details regarding the measures it has adopted to comply with its obligations under this Data Processing Addendum Agreement.
The obligations arising under the terms of this Data Processing Addendum Agreement also apply to each Sub-Processor who processes personal data under the instruction of 42Gears.
4. Allocation of Responsibility:
- 42Gears shall only be responsible for processing the personal data under this Data Processing Addendum Agreement, in accordance with the Customer’s instructions and under the (ultimate) responsibility of the Customer. 42Gears is explicitly not responsible for other processing of personal data, including but not limited to processing for purposes that are not reported by the Customer to 42Gears.
- Customer represents and warrants that it has express consent and/or a legal basis to process the relevant personal data. Furthermore, the Customer represents and warrants that the contents are not unlawful and do not infringe any rights of a third party. In this context, the Customer indemnifies 42Gears of all claims and actions of third parties related to the processing of personal data without express consent and/or legal basis under this Data Processing Addendum Agreement.
- 42Gears is authorised within the framework of the Agreement to engage Sub-processors, with obtaining consent from the Customer. Upon request of the Customer, 42Gears shall inform the Customer about the third party/parties engaged.
- 42Gears shall in any event ensure that the Sub-processor will be obliged to agree in writing to the similar substantial duties that are agreed between the Customer and 42Gears as set out in this Data Processing Addendum Agreement.
6. Duty to Report Security Incident:
- In the event of a data breach or a security incident, 42Gears shall, to the best of its ability, notify the Customer thereof without undue delay, after which the Customer shall determine whether or not to inform the Data subjects and/or the relevant regulatory authority(ies). This duty to report applies irrespective of the impact of the leak.
- 42Gears will endeavour that the furnished information is complete, correct and accurate.
- Under the GDPR or under any applicable law and/or regulation, 42Gears shall cooperate in notifying the relevant authorities and/or Data subjects.
- The Customer remains the responsible party for any obligations in respect thereof.
- 42Gears will endeavour to take adequate technical and organisational measures against loss or any form of unlawful processing (such as unauthorised disclosure, deterioration, alteration or disclosure of personal data) in connection with the processing of personal data under this Data Processing Addendum Agreement.
- 42Gears will endeavour to ensure that the security measures are of a reasonable level, having regard to, the sensitivity of the personal data and the costs related to the security measures.
- The Customer will assure its own security measures for secure transfer of personal data to 42Gears. 42Gears will adopt appropriate security measures to ensure data security while transferring the personal data back to the Customer.
8. Response to Data Subjects:
Where a Data subject submits a request to 42Gears to exercise any of its rights under the General Data Protection Regulation or any applicable law/regulation, 42Gears will forward the request to the Customer and the request will then be dealt with by the Customer, 42Gears will not respond directly to such request without obtaining the prior approval of the Customer. If 42Gears is required to respond to the Data Subject Request directly, it will promptly notify the Customer of such request, unless 42Gears is prohibited to do so under any applicable law/regulation.
9. Data Centre:
42Gears uses AWS to host the service. Information about the locations of the data centre is available at https://aws.amazon.com/security/?nc1=f_cc or as updated by Amazon from time to time.
- In order to confirm compliance with this Data Processing Addendum Agreement, the Customer shall be at liberty to conduct an audit by assigning an independent third party who shall be obliged to observe confidentiality in this regard. Any such audit will follow 42Gears reasonable security requirements, and will not interfere unreasonably with 42Gears business activities.
- The costs of the audit will be borne by the Customer.
11. Duration and Termination:
- This Data Processing Addendum Agreement is entered into for the duration set out in the Agreement, and in the absence thereof, for the duration of the cooperation between the Parties.
- The Data Processing Addendum Agreement may not be terminated in the interim.
- This Data Processing Addendum Agreement may only be amended by the Parties subject to mutual consent.
- 42Gears shall provide its full cooperation in amending and adjusting this Data Processing Addendum Agreement in the event of new legislation.
12. Customer Requests:
42Gears shall comply with the applicable data protection laws and regulations. For the avoidance of doubt we will:
- Provide support to Customer at their request to assess the impact of our services on their privacy (for example, through assisting Customer with a Data Protection Impact Assessment);
- Provide support to Customer in responding to requests from data subjects to exercise their rights under the EU General Data Protection Regulation (GDPR).
42Gears has documented its processing and publishes this in the privacy notice. This can be found on the 42Gears website, or provided at your request.
14. Miscellaneous :
In the case of any inconsistency between documents and the appendices thereto, the following order of priority will apply:
- This Data Processing Addendum Agreement;
- The Agreement;
- Additional conditions, where applicable.
Last Updated: August 30, 2018