DATA PROCESSING ADDENDUM
Please sign and return the enclosed copy of this Addendum as instructed to acknowledge the supplementation of these terms to the Agreement.
Effective date (Required): ___________________
Customer name (Required): ___________________
Signature (Required): ___________________
Name (Required): ___________________
Title (Optional): ___________________
EU Representative (Required only where applicable): ____________________
Contact details: _____________________
Data Protection Officer (Required only where applicable): ____________________
Contact details: _____________________
“Adequate Country” means a country or territory that is recognized under EU Data Protection Laws as providing adequate protection for Personal Data.
“Customer Data” means any Personal Data that Parami processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
“Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
“Data Protection Laws” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
“Data Controller” means an entity that determines the purposes and means of the processing of Personal Data.
“Data Processor” means an entity that processes Personal Data on behalf of a Data Controller.
“Data Subject” means an identified or identifiable natural person.
“EU Data Protection Law” means (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”) and, on and after 25 May 2018, Regulation 2018/679 of the European Parliament and of the Council of 27 April 2018 on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”); and (ii) Directive 2002/58/EC concerning the processing of Personal Data and the protection of privacy in the electronic communications sector and applicable national implementations of it (as may be amended, superseded or replaced).
“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
“Personal Data” means any information relating to a Data Subject.
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Services” means any product or service provided by Parami to Customer pursuant to the Agreement.
“Sub-processor” means any Data Processor engaged by Parami to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA.
2. Relationship with the Agreement
2.1. The terms used in this Addendum shall have the meanings set forth in this Addendum.
2.2. The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.
2.3. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict so far as the subject matter concerns the processing of Customer Data.
2.4. Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
2.5. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer further agrees that any regulatory penalties incurred by Parami in relation to the Customer Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any applicable Data Protection Laws shall count toward and reduce Parami’s liability under the Agreement as if it were liability to the Customer under the Agreement.
2.6. No one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.7. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Processing of Customer Data
3.1 Role of the Parties. As between Parami and Customer, Customer is the Data Controller of Customer Data, and Parami shall process Customer Data only as a Data Processor acting on behalf of Customer.
3.2 Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its processing of Customer Data and any processing instructions it issues to Parami; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Parami to process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3 Parami Processing of Customer Data. Parami shall process Customer Data only for the purposes described in this DPA and only in accordance with Customer’s instructions.
3.4 Details of Data Processing
(a) Subject matter: The subject matter of the data processing under this DPA is the Customer Data.
(b) Duration: As between Parami and Customer, the duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms.
(c) Purpose: The purpose of the data processing under this DPA is the provision of the Services to the Customer and the performance of Parami’s obligations under the Agreement (including this DPA) or as otherwise agreed by the parties.
(d) Subject-Matter and nature of the processing: The subject-matter of Processing of Personal Data by Parami is the provision of the services to Customer that involves the Processing of Personal Data.
Personal Data will be subject to those Processing activities as may be specified in the Agreement and an
(e) Data Subjects: Customer’s contacts and other end users including Customer’s employees, contractors, collaborators, suppliers, subcontractors (collectively, “Users”), customers (“Subscribers”), and prospects.
(f) Types of Customer Data:
- (i) Customer and Users: identification, publicly available social media profile information, e-mail, IT information (IP addresses, usage data, cookies data, browser data); financial information (credit card details, account details, payment information).
- (ii) Subscribers: identification and publicly available social media profile information (name, date of birth, gender, geographic location), chat history, navigational data (including chatbot usage information), application integration data, and other electronic data submitted, stored, sent, or received by end users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion.
4.1 Authorized Sub-processors. Customer agrees that Parami may engage Sub-processors to process Customer Data. The Sub-processors currently engaged by Parami are listed in Annex A, and Customer hereby authorizes these specific Sub-processors.
4.2 Sub-processor Obligations. Parami shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (ii) remain responsible for the Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Parami to breach any of its obligations under this DPA.
4.3 Sub-processor List. When requested by the Customer, Parami shall make available to Customer an up-to-date list of all Sub-processors used for the processing of Customer Data. Parami shall notify Customer (for which email shall suffice) if it adds or removes Sub-processors, at least 10 days prior to any such changes.
4.4 Objection. Customer may object in writing to Parami’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. If Parami is reasonably able to provide the Services to Customer in accordance with the Agreement without using the Sub-processor and decides to do so, then Customer will have no further rights under this clause 4.4 in respect of the proposed use of the Sub-processor. If Parami requires use of the Sub-processor in its discretion and, after discussion by the parties of Customer’s concerns in good faith with a view to achieving resolution, is unable to satisfy Customer as to the suitability of the Sub-processor or the documentation and protections in place between Parami and the Sub-processor within ninety (90) days from Customer’s notification of objections, Customer may, within thirty (30) days following the end of the ninety (90) day period referred to above, terminate the Agreement or the applicable Services (as Customer may decide) with at least thirty (30) days’ written notice. If Customer does not provide a timely objection to any new or replacement Sub-processor in accordance with this clause 4.4, Customer will be deemed to have consented to the Sub-processor and waived its right to object.
5.1 Adequate Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Parami shall, in relation to the Customer Data, implement and maintain throughout the term of this Addendum, the technical and organizational measures set forth in Annex B (the “Security Measures”).
5.2 Confidentiality of Processing. Parami shall ensure that any person who is authorized by Parami to process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.3 Customer Responsibilities. Customer acknowledges and agrees that it has reviewed and assessed the Security Measures and deems them appropriate for the protection of Customer Data. Customer acknowledges that the Security Measures are subject to technical progress and development and that Parami may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Customer agrees that, except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials and protecting the security of Customer Data when in transit from the Service.
6. Data Subject Rights and Requests
Parami will provide reasonable assistance, including by appropriate technical and organizational measures and taking into account the nature of the Processing, to enable Customer to respond to any request from Data Subjects seeking to exercise their rights under the Data Protection Law with respect to Personal Data (including access, rectification, restriction, deletion or portability of Personal Data, as applicable), to the extent permitted by the law. If such request is made directly to Parami, Parami will inform Customer and will advise Data Subjects to submit their request to Customer. Customer shall be solely responsible for responding to any Data Subjects’ requests.
7. Data Breach
7.1 Notification of Data Breach. Parami shall, to the extent permitted by law, notify Customer without undue delay upon Parami or any Sub-processor becoming aware of a Data Breach affecting Customer Data and will provide Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Data Breach under the Data Protection Laws.
7.2 Assistance to Customer. Parami shall cooperate with Customer and take such commercially reasonable steps as are necessary to assist in the investigation, mitigation and remediation of each such Data Breach.
8. Data Transfers
8.1 Customer acknowledges and accepts that the provision of the Services under the Agreement may require the processing of Customer Data by Sub-processors in countries outside the EEA.
8.2 If, in the performance of this DPA and/or the Agreement, Parami transfers any Customer Data to, or permits processing of Customer Data by, a Sub-processor located outside of the EEA and not in an Adequate Country, then, in advance of any such transfer, Parami shall ensure that the transfer is compliant with the EU Data Protection Laws.
9. Return or Deletion of Data
9.1 If you are a resident of the EEA, upon termination or expiration of the Agreement, Parami shall (at Customer’s election) delete or return to Customer all Customer Data (including copies) in its possession or control, save that this requirement shall not apply to the extent Parami is required by applicable law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Customer Data Parami shall securely isolate and protect from any further processing, except to the extent required by applicable law.
10.1 This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
10.2 This DPA shall be governed by and construed in accordance with the laws of the country or territory stipulated for this purpose in the Agreement, and each of the parties agrees to submit to the choice of jurisdiction as stipulated in the Agreement in respect of any claim or matter arising under this DPA.
10.3 This DPA is the final, complete and exclusive agreement of the parties with respect to the subject matter hereof and supersedes and merges all prior discussions and agreements between the parties with respect to such subject matter. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA. Each party represents and warrants to the other that the performance of such party’s obligations hereunder have been duly authorized and that this DPA is a valid and legally binding agreement on each such party, enforceable in accordance with its terms.
Annex A: List of Sub-Processors
The Sub-processors set out below provide cloud hosting and storage services; content delivery and review services; assistance in providing customer support; and incident tracking, response, diagnosis and resolution services.
- Amazon Web Services, Inc.
- Facebook, Inc.
- Stripe, Inc
- PayPal, Inc
- eBay, Inc
- Tencent Holdings Limited (WeChat)
- Zapier Inc
- Microsoft Inc
- Google Inc
Parami’s personnel (employees and contractors) will not process customer data without authorization. Personnel are obligated to maintain the confidentiality of any customer data and this obligation continues even after their engagement ends.
Annex B: Technical and Organizational Measures.
Parami has implemented and will maintain appropriate technical and organizational measures, internal controls, and information security routines intended to protect customer data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
Organization of Information Security.
Confidentiality. Parami’s personnel with access to customer data are subject to confidentiality obligations.
Risk Management. Parami conducts regular testing and monitoring of the effectiveness of its safeguards, controls, systems, including conducting penetration testing. Parami implements measures, as needed, to address vulnerabilities discovered in a timely manner.
Storage. Parami’s database and data processing servers are hosted in a data center located in the EU and operated by a third-party vendor. Parami maintains complete administrative control over the virtual servers, and no third-party vendor has logical access to customer data.
Software Development and Acquisition: For the software developed by Parami, Parami follows secure coding standards and procedures set out in its standard operating procedures.
Change Management: Parami implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for Parami’s software, information systems or network architecture. These change management procedures include appropriate segregation of duties.
Third Party Provider Management: In selecting third party providers who may gain access to, store, transmit or use customer data, Parami conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
Human Resources Security. Parami informs its personnel about relevant security procedures and their respective roles, as well as of possible consequences of breaching the security rules and procedures. Such consequences include disciplinary and/or legal action.
Physical and Environmental Security.
(a) Physical Access to Facilities. Parami limits access to facilities where information systems that process customer data are located to identified authorized individuals who require such access for the performance of their job function. Parami terminates the physical access of individuals promptly following the date of the termination of their employment or services or their transfer to a role no longer requiring access to customer data.
(b) Protection from Disruptions. Parami uses commercially-reasonable systems and measures to protect against loss of data due to power supply failure or line interference.
Communications and Operations Management.
(a) Security Documents. Parami maintains security documents describing its security measures and the relevant procedures.
(b) Data Recovery Procedures. (i) On an ongoing basis, Parami maintains multiple copies of customer data from which it can be recovered. (ii) Parami stores copies of customer data and its data recovery procedures in a different place from where the primary computer equipment processing the customer data is located. (iii) Parami has procedures in place governing access to copies of customer data. (iv) Parami has anti-malware controls to help prevent malicious software from gaining unauthorized access to customer data.
(c) Encryption; Mobile Media. Parami uses HTTPS encryption on all data connections. Parami restricts access to customer data in media leaving its facilities. Parami further has a destruction policy for hardware in the data center that stores customer data.
(d) Event Logging. Parami logs the use of data-processing systems. Logs are maintained for at least 10 days.
(a) Records of Access Rights. Parami maintains a record of security privileges of individuals having access to customer data.
(b) Access Authorization. (i) Parami maintains and updates a record of personnel authorized to access systems that contain customer data. (ii) Parami deactivates authentication credentials of employees or contract workers immediately upon the termination of their employment or services.
(c) Least Privilege. (i) Technical support personnel are only permitted to have access to customer data when needed for the performance of their job function. (ii) Parami restricts access to customer data to only those individuals who require such access to perform their job function.
(d) Integrity and Confidentiality. (i) Parami instructs its personnel to disable administrative sessions when leaving Parami’s premises or when computers are unattended. (ii) Parami stores passwords in a way that makes them unintelligible while they are in force.
(e) Authentication. (i) Parami uses commercially reasonable practices to identify and authenticate users who attempt to access information systems. (ii) Parami ensures that deactivated or expired identifiers are not granted to other individuals. (iii) Parami maintains commercially reasonable procedures to deactivate login credentials that have been compromised or inadvertently disclosed, or following a number of failed login attempts.
(f) Network Design. Parami has controls to prevent individuals from assuming access rights they have not been assigned in order to gain access to customer data they are not authorized to access.
Network Security. Parami’s information systems have security controls designed to detect and mitigate attacks by using logs and alerting.
Information Security Incident Management.
(a) Record of Breaches. Parami maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and the procedure for recovering data.
(b) Record of Disclosure. Parami tracks disclosures of customer data, including what data has been disclosed, to whom, and at what time, unless prohibited by law.
© 2019 by Parami Co. Ltd