This Data Processing Addendum (“DPA”) is made and entered into by and between dotData and Licensee, pursuant to the dotData Software License Agreement (the “Agreement”) and establishes the terms and conditions under which dotData will Process Personal Data in connection with its provisioning of the Software and related support and services to the Licensee under the Agreement. This DPA is supplemental to, and is hereby incorporated by reference and made part of, the Agreement. dotData and Licensee may be referred to herein individually as a “party” and collectively the “parties”. Any capitalized terms used but not otherwise defined herein shall have the meaning given to such terms in the Agreement.
1. DEFINITIONS
The following terms shall have the meanings set forth below:
- Data Controller means the entity which determines the purposes and means of the Processing of Personal Data, and shall include “businesses” and words of similar import under applicable Data Privacy Laws.
- Data Processor means the entity which Processes Personal Data on behalf of the Data Controller and shall include “service providers” and words of similar import under applicable Data Privacy Laws.
- Data Privacy Laws means United States federal and state data protection and privacy laws and regulations, guidance and codes of practice relating to data privacy, data protection, information security and privacy applicable to a Party’s collection and Processing of Personal Data, including without limitation the California Consumer Privacy Act of 2018 (“CCPA”) as amended by the California Consumer Rights Act of 2020 (“CPRA”).
- Data Subject means an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- Personal Data means any information relating to a Data Subject, or as otherwise defined under applicable Data Privacy Laws.
- Privacy Policy means dotData’s privacy policy available at: https://dotdata.com/privacy-policy/ as updated from time to time.
- Processing means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- Subprocessor means a third-party processor of Personal Data with whom Data Processor has entered into a written agreement for processing Personal Data as part of the provisioning of Software and/or services to Data Controller.
- Subprocessor Page means the then-current list of Subprocessors as listed at: https://dotdata.com/dotdata-subprocessors/.
2. DATA PROCESSING OBLIGATIONS
- With respect to the parties’ rights and obligations under this DPA, Licensor will act as a Data Processor under, and subject to, the Agreement with respect to Personal Data provided to it by the Licensee under or in connection with the Agreement, and Licensee is the “Data Controller” under applicable Data Privacy Laws. Details of the Processing are set out below.
- Personal Data may be hosted via Amazon Web Services hosting (“AWS Services”) located in the United States, Japan, or other countries as offered by Data Processor from time to time, and as selected by Data Controller under the Agreement. Data Controller’s use of the AWS Services is subject to the AWS Service Terms available at: https://aws.amazon.com/service-terms/, and any other applicable terms referenced in the AWS Terms, as updated by Amazon from time to time. Any Processing of Personal Data by or on behalf of the Data Controller in any jurisdiction other than a jurisdiction supported by Data Processor, is at the sole risk of the Data Controller, and Data Controller shall be solely responsible for Data Controller’s use of the Software, Processing of Personal Data, and compliance with applicable laws (including Data Privacy Laws) in such jurisdictions.
- The subject matter, description, nature, and duration of the Processing is as set forth in Annex A to this DPA.
- The Data Processor agrees to comply with the following obligations in its Processing of Personal Data:
- Process Personal Data on documented instructions from the Data Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by United States law to which the Data Processor is subject; in such a case, the Data Processor shall inform the Data Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
- Process Personal Data in accordance with Data Processor’s then-current Privacy Policy.
- Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement and maintain commercially reasonable technical and organizational security measures that are designed to protect the integrity, confidentiality and security of Personal Data against unauthorized disclosure and/or access by unauthorized third-parties and are consistent with current industry standards and generally accepted best practices.
- Subject to Section 4 below, where Data Processor engages a Subprocessor for carrying out specific Processing activities on behalf of the Data Controller: (i) do so by way of a contract which imposes on the Subprocessor, in substance, data protection obligations consistent with the obligations imposed on Data Processor in the DPA, provided that, there shall be no requirement to enter into subcontracts with Data Processor’s affiliates; (ii) at Data Controller’s request, provide or make available a copy of the privacy and security sections of such Subprocessor agreement and any subsequent amendment subject to Data Processor’s obligations of confidentiality to the Subprocessor, and (iii) require that its Subprocessors maintain security and data protection practices that are consistent with this DPA.
- Assist the Data Controller, at the cost of Data Controller, in ensuring compliance with the obligations concerning security breaches, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of Processing and the information available to the Data Processor.
- At the choice of the Data Controller, delete or return all the Personal Data to the Data Controller after the end of the provision of services relating to Processing, and delete existing copies unless United States law or the law of the Data Controller’s jurisdiction requires storage of the Personal Data.
- Make available to the Data Controller, at the cost of Data Controller, all information reasonably necessary to demonstrate compliance with the obligations imposed on Data Processor under applicable Data Privacy Laws and allow for and contribute to reasonable audits (where required by Data Privacy Laws or a regulatory authority) for the limited purposes of demonstrating such compliance. Any such audits or inspections will be permitted in a non-production environment only on Data Controller’s Personal Data and subject to any confidentiality restrictions and obligations of Data Processor. Data Processor may apply its reasonable charges associated with the provision of such information and access. Audits shall take place upon reasonable notice to Data Processor during normal business hours, in a manner to minimize impact on Data Processor’s business operations.
- Maintain a record of all Processing activities carried out on behalf of Data Controller.
- Immediately inform the Data Controller if, in the opinion of the Data Processor, an instruction would breach applicable Data Privacy Laws.
3. DATA SUBJECT RIGHTS
- In accordance with Data Privacy Laws, the Data Processor shall, reasonably cooperate with Data Controller, to the extent reasonably practicable, for the fulfillment of the Data Controller’s obligation to respond to requests for exercising a Data Subject’s rights set forth in applicable Data Privacy Laws. Such rights may include the right to access, correct, delete, or transfer Personal Data concerning the Data Subject, as well as the right to object to and restrict the Processing of their Personal Data.
- The Data Processor shall promptly notify the Data Controller if it receives a request from a Data Subject in relation to their Personal Data. The Data Processor shall not respond to any such Data Subject request without the Data Controller’s prior written consent, except to confirm that the request relates to the Data Controller, to which the Data Processor shall direct the Data Subject.
- Furthermore, the Data Processor agrees to provide reasonable assistance to the Data Controller, including by appropriate technical and organizational measures, insofar as this is commercially reasonable, in the fulfillment of the Data Controller’s obligations to conduct data protection impact assessments and to consult with supervisory authorities or regulatory bodies, to the extent required by applicable Data Privacy Laws. Data Processor may apply its reasonable charges associated with the provision of such information and cooperation.
4. DATA TRANSFERS
- Data Controller acknowledges and consents that Subprocessors may be engaged by Data Processor in its discretion, including Subprocessors that are based outside the state, province, country or other jurisdiction in which Data Processor stores Personal Data, subject to Data Processor taking steps to provide that the transfer is made in compliance with applicable Data Privacy Laws if transfers are made to those Subprocessors.
- If the Data Processor transfers Data Controller’s Personal Data outside of the United States, the Data Processor agrees to comply with the following conditions, to the extent required by applicable Data Privacy Laws:
- The Data Processor shall ensure that the transfer is to a country that has been deemed to provide an adequate level of protection for Personal Data by the Data Privacy Laws or is under an approved certification mechanism provided by the Data Privacy Laws which is recognized as providing an adequate level of protection.
- In the absence of an adequacy decision or approved certification mechanism, the Data Processor shall comply with Section 2.4.5 above.
- The Data Processor shall conduct a risk assessment regarding the proposed transfer of Personal Data, taking into account the nature of the Processing, the countries involved, and the protective measures in place.
- The Data Processor agrees to provide the Data Controller with all necessary information to demonstrate compliance with the obligations set out in this clause and the Data Privacy Laws concerning the transfer of Personal Data.
- Any Subprocessor engaged by the Data Processor for the Processing of Personal Data outside of the United States shall be subject to a written contract that imposes data protection obligations as protective as those set out in this Addendum, including obligations regarding data transfers, in compliance with the Data Privacy Laws.
- This clause shall apply in addition to, and not in substitution for, any other obligations set out in this Addendum or under the Data Privacy Laws.
5. DATA BREACH NOTIFICATION
- In the event of a data breach involving Data Controller’s Personal Data Processed under this DPA, the Data Processor shall, without undue delay, notify the Data Controller of the breach. This notification shall include a summary, in reasonable detail, of the impact on Data Controller of the breach as well as corrective action taken or to be taken by Data Processor, including:
- The nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- The name and contact details of the Data Processor’s data protection officer or other contact point where more information can be obtained;
- The measures taken or proposed to be taken by the Data Processor to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
- The Data Controller shall be responsible for notifying the relevant supervisory authority and data subjects about the data breach, unless otherwise agreed upon in writing. The Data Processor shall assist the Data Controller in the documentation, investigation, and notification of the breach as well as in any mitigation efforts, to the extent legally permissible and in accordance with the terms of this Addendum.
- Both parties agree to cooperate fully with each other and to share all relevant information in relation to the investigation and resolution of any data breach. This includes providing assistance in any regulatory or legal proceedings arising from the data breach.
6. DATA RETENTION AND DELETION
- In accordance with Data Privacy Laws, the Data Processor shall not retain any Personal Data longer than is necessary to fulfill the purposes for which it was collected or as required by applicable law. Upon termination or expiry of this Agreement, or upon request by the Data Controller, the Data Processor shall, at the choice of the Data Controller, delete or return all Personal Data to the Data Controller, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
- The Data Processor shall ensure that any Subprocessors are contractually obliged to meet substantially the same conditions for data retention and deletion as those set forth in this DPA.
- The Data Processor shall, upon written request from the Data Controller, provide written certification to the Data Controller that it has fully complied with this clause within thirty (30) days of the termination or expiry of this Agreement or the receipt of a deletion request from the Data Controller.
7. LIABILITY
- Data Processor’s liability under this DPA is subject to the limitations of liability and exclusions set forth in the Agreement.
8. TERM AND TERMINATION
- This DPA shall commence on the Effective Date of the Agreement and shall continue in effect until the earlier of (i) the date upon which all Processing of Personal Data by the Data Processor on behalf of the Data Controller is completed; or (ii) the termination of the Agreement, unless otherwise terminated in accordance with the provisions of this Agreement.
- Upon termination or expiration of this DPA for any reason, the Data Processor shall, at the choice of the Data Controller, delete or return to the Data Controller all Personal Data in Data Processor’s possession or control at the time of termination, and delete existing copies unless applicable law requires storage of the Personal Data.
- The obligations of confidentiality set forth herein shall survive the termination or expiration of this Agreement.
9. ENTIRE AGREEMENT
- This DPA, together with the Agreement, represents the full and complete agreement and understanding between the parties with respect to the Processing of Personal Data, and supersedes and replaces all prior agreements, understandings, and representations. This DPA may only be amended by written agreement between the parties. Except as otherwise set forth in this DPA to the contrary, all applicable terms and conditions of the Agreement are in full force and effect and apply with respect to this DPA.