(A) You (the "Customer") and Iteratively Inc. (the
"Company") entered into an Agreement for the provision of the
Services ("Agreement").
(B) This Data Processing Agreement ("DPA") shall be supplemental
to the Agreement and apply to the Processing of Customer Personal Data.
In the event of a conflict between any of the provisions of this DPA and
the provisions of the Agreement, the provisions of this DPA shall
prevail.
(C) This DPA is between the Customer and the Company (each a
"Party" and collectively the "Parties").
1. DEFINITIONS
1.1 In this DPA, the terms "Personal Data", "Controller",
"Processor", "Data Subject", "Process" and
"Supervisory Authority" shall have the same meaning as set out in
the GDPR or other applicable Data Protection Laws with equivalent terms,
and the following words and expressions shall have the following
meanings unless the context otherwise requires:
- a. "Customer Personal Data" means the personal data described
in Appendix 1 of Exhibit 1, and any other Personal Data that
Company Processes on behalf of Customer in connection with
Company's provision of the Services;
- b. "Data Protection Laws" means the EU General Data Protection
Regulation 2016/679 of the European Parliament and of the Council
("GDPR"), any other European Union legislation relating to
personal data and all other global legislation and regulatory
requirements in force from time to time which apply to a party
relating to the use of Personal Data (including, without limitation,
the privacy of electronic communications); and all applicable
legislation protecting the fundamental rights and freedoms of
persons and their right to privacy with regard to the Processing of
Customer Personal Data;
- c. "European Economic Area" or "EEA" means the Member
States of the European Union together with Iceland, Norway, and
Liechtenstein;
- d. "Security Incident" means a breach of security leading to the
accidental or unlawful destruction, loss, alteration, unauthorized
disclosure of, or access to, any Customer Personal Data that
compromises the security, confidentiality or integrity of such
Customer Personal Data;
- e. "Standard Contractual Clauses" means the Standard Contractual
Clauses (processors) approved by the European Commission Decision
C(2010)593 or any subsequent version thereof released by the
European Commission (which will automatically apply); and which
includes Exhibit 1 to this DPA;
- f. "Subprocessor" means any Processor engaged by the Company to
Process Customer Personal Data on Company's behalf.
2. DATA PROCESSING
2.1 Instructions for Data Processing. Company will only Process
Customer Personal Data in accordance with:
- a. the Agreement, to the extent necessary to provide the Services to
Customer; and
- b. Customer's written instructions, unless Processing is required by
applicable European Union or Member State law to which the Company
is subject, in which case Company shall, to the extent permitted by
applicable law, inform Customer of that legal requirement before so
Processing that Customer Personal Data.
2.2 The Agreement (subject to any changes to the Services) and this DPA
shall be the Customer's complete and final instructions to the Company
in relation to the Processing of Customer Personal Data.
2.3 Processing outside the scope of this Agreement will require prior
written agreement between the Customer and Company on additional
instructions for Processing.
2.4 The Customer shall provide all applicable notices to Data Subjects
required under applicable Data Protection Laws for the lawful Processing
of Customer Personal Data by Company in accordance with the Agreement.
2.5 The Customer will obtain any consents required under applicable Data
Protection Laws for the lawful Processing of Customer Personal Data by
Company in accordance with the Agreement.
2.6 The Customer acknowledges that Company is reliant on the Customer
for direction as to the extent to which Company is entitled to use and
Process the Customer Personal Data. Consequently, Company will not be
liable for any claim brought against the Customer by a Data Subject
arising from any act or omission by Company to the extent that such act
or omission resulted from the Customer's instructions or the
Customer's use of the Services.
2.7 Duration of Processing. Company shall Process Customer Personal
Data for the duration of the provision of Services in accordance with
the Agreement and thereafter only as set forth in the Agreement and this
DPA.
3. SUBPROCESSORS
3.1 Consent to Subprocessor Engagement. The Customer generally
authorizes the engagement of third parties as Subprocessors.
3.2 Information about Subprocessors. A current list of Subprocessors is
available here ("Subprocessor List"), and may be updated by Company from
time to time in accordance with this DPA. Customer may sign up to receive
notices of additions to the Subprocessor List by completing the email
sign-up process on the Subprocessor List web page referenced above.
3.3 Requirements for Subprocessor Engagement. When engaging any
Subprocessor, Company will:
3.4 Opportunity to Object to Subprocessor Changes. Customer may, on
reasonable and objective grounds, object to Company's use of a new
Subprocessor by providing Company with written notice within fifteen
(15) days after Company has provided notice to the Customer as described
herein with documentary evidence that reasonably shows that the
Subprocessor does not or cannot comply with the requirements in this DPA
or Data Protection Laws ("Objection"). In the event of an Objection,
Customer and Company will work together in good faith to find a mutually
acceptable resolution to address such Objection, including but not
limited to reviewing additional documentation supporting the
Subprocessor's compliance with the DPA or Data Protection Laws. To the
extent Customer and Company do not reach a mutually acceptable
resolution within a reasonable timeframe, Company will use reasonable
endeavors to make available to the Customer a change in the Services, or
will recommend a commercially reasonable change to the Services to
prevent the applicable Subprocessor from Processing the Customer
Personal Data. If Company is unable to make available such a change
within a reasonable period of time, which shall not exceed thirty (30)
days, Customer shall have the right to terminate the relevant Services
(i) in accordance with the termination provisions in the Agreement; (ii)
without liability to Customer or Company, and (iii) without relieving
Customer from its payment obligations under the Agreement up to the date
of termination.
4. INTERNATIONAL TRANSFERS
4.1 In accordance with Customer's instructions under Section 2.1,
Company may access and Process Customer Personal Data on a global basis
as necessary to perform the Services, including for IT security
purposes, maintenance and performance of the Services and related
infrastructure, technical support, and change management.
4.2 To the extent that the Processing of Customer Personal Data by
Company involves the transfer of such Personal Data from the EEA to a
country or territory outside the EEA, other than a country or territory
that has received a binding adequacy decision as determined by the
European Commission (an "EEA Transfer"), such EEA Transfer shall be
governed by the Standard Contractual Clauses (attached as Exhibit 1) or
other binding and appropriate transfer mechanisms that provide an
adequate level of protection in compliance with Data Protection Laws. In
the event of any conflict between any terms in the Standard Contractual
Clauses and this DPA, the Standard Contractual Clauses shall prevail.
4.3 To the extent that the Processing of Customer Personal Data by
Company involves the transfer of such Personal Data from Argentina to a
country or territory outside Argentina, other than a country or
territory that has received a binding adequacy decision as determined by
the National Directorate for Personal Data Protection (an "Argentina
Transfer"), such Argentina Transfer shall be governed by the
Argentinean Model Clauses incorporated herein by reference or other
binding and appropriate transfer mechanisms that provide an adequate
level of protection in compliance with Data Protection Laws. In the
event of any conflict between any terms in the Argentinean Model Clauses
and this DPA, the Argentinean Model Clauses shall prevail.
5. DATA SECURITY, AUDITS AND SECURITY NOTIFICATIONS
5.1 Company Security Obligations. Taking into account the state of
the art, the costs of implementation and the nature, scope, context and
purposes of Processing, as well as the risk of varying likelihood and
severity for the rights and freedoms of natural persons, Company shall
implement appropriate technical and organizational measures to ensure a
level of security appropriate to the risk of the Processing, including
the measures set out in Appendix 2 of Annex 1 and (as appropriate) any
other measures listed in Article 32(1) of the GDPR.
5.2 Security Audits. The Customer may, upon reasonable notice and at
reasonable times, audit (either by itself or using independent third
party auditors) Company's compliance with the security measures set out
in this DPA (including the technical and organizational measures as set
out in Appendix 2 of Exhibit 1). Company shall assist with and
contribute to any audits conducted in accordance with this Section 5.2.
Such audits may be carried out once per year, or more often if required
by Data Protection Law or Customer's applicable Supervisory Authority.
Any third party engaged by Customer to conduct an audit must be
pre-approved by Company (such approval not to be unreasonably withheld)
and sign Company's confidentiality agreement. Customer must provide
Company with a proposed audit plan at least two weeks in advance of the
audit, after which Customer and Company shall discuss in good faith and
finalize the audit plan prior to commencement of audit activities.
Audits may be conducted only during regular business hours, in
accordance with the finalized audit plan, and may not unreasonably
interfere with Company's regular business activities. The Customer shall
reimburse Company for any costs or expenses incurred by Company in
granting access to its data processing facilities or procuring access to
its Subprocessors' data processing facilities. Information obtained or
results produced in connection with an audit are Company confidential
information and may only be used by Customer to confirm compliance with
this DPA and complying with its requirements under Data Protection Laws.
5.3 Upon the Customer's written request, Company shall make available
all information reasonably necessary to demonstrate compliance with this
DPA as required by Data Protection Laws.
5.4 Security Incident Notification.
5.5 Company Employees and Personnel. Company shall treat the
Customer Personal Data as the Confidential Information of Customer, and
shall put procedures in place to ensure that:
- a. access to Customer Personal Data is limited to those employees or
other personnel who have a business need to have access to such
Customer Personal Data; and
- b. any employees or other personnel have agreed in writing to protect
the confidentiality and security of Customer Personal Data and do
not Process such Customer Personal Data other than in accordance
with this DPA.
6. ACCESS REQUESTS AND DATA SUBJECT RIGHTS
6.1 Data Subject Requests. Save as required (or where prohibited)
under applicable law, Company shall promptly notify the Customer of any
request received by Company or any Subprocessor from a Data Subject in
respect of their Personal Data included in the Customer Personal Data,
and shall not respond to the Data Subject, where the Data Subject
identifies Customer as its Data Controller. If a Data Subject does not
identify a Data Controller, Company will instruct the Data Subject to
contact the relevant Data Controller.
6.2 Company shall, where possible, and taking into account the nature of
the processing, use reasonable endeavors to assist the Customer with its
obligations in connection with handling Data Subject access requests
under applicable Data Protection Laws by:
- a. providing the Customer with the ability to correct, delete, block,
access or copy the Personal Data of a Data Subject, or
- b. if functionality or other means under (a) are not available,
Customer may submit a support request for Company to correct,
delete, block, access or copy Customer Personal Data within the
Company Services at the Customer's request on its behalf.
6.3 Government Disclosure. Company shall promptly notify the
Customer of any request for the disclosure of Customer Personal Data by
a governmental or regulatory body or law enforcement authority
(including any Supervisory Authority) unless otherwise prohibited by law
or a legally binding order of such body or agency and without responding
to such request unless otherwise required by applicable law (including
to provide acknowledgement of receipt of the request).
6.4 Data Subject Rights. Where applicable, and taking into account
the nature of the Processing, Company shall use reasonable endeavors to
assist the Customer by implementing other appropriate technical and
organizational measures, insofar as this is possible, for the fulfilment
of the Customer's obligation to respond to Data Subject requests as
required by the GDPR.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
7.1 To the extent required under applicable Data Protection Laws,
Company shall provide reasonable assistance to the Customer with any
data protection impact assessments and with any prior consultations to
any Supervisory Authority of the Customer, in each case solely in
relation to Processing of Customer Personal Data and taking into account
the nature of the Processing and information available to Company,
including by providing Customer with documentation regarding the
Processing operations.
8. RETRIEVAL AND DELETION OF PERSONAL DATA
8.1 Retrieval and Deletion of Personal Data. Subject to Section
8.2 below, Company shall:
- a. within ninety (90) days of the date of termination or expiration of
the Agreement, return to Customer a complete copy of Customer
Personal Data then available in the Services in electronic format or
otherwise make available to Customer such data for ninety (90) days
after termination or expiration of the Agreement ("Retrieval
Period"); and
- b. after such Retrieval Period, delete and use all reasonable efforts
to procure the deletion of all other copies of Customer Personal
Data Processed by Company or any Subprocessors.
8.2 Legally Required Retention of Personal Data. Company and its
Subprocessors may retain Customer Personal Data to the extent required
by applicable laws and only to the extent and for such period as
required by applicable laws and always provided that Company shall
protect the confidentiality of all such Customer Personal Data and shall
Process such Customer Personal Data only as necessary for the purpose(s)
specified in the applicable laws requiring its storage and for no other
purpose.
EXHIBIT 1
STANDARD CONTRACTUAL CLAUSES (PROCESSORS)
For the purposes of this Exhibit 1, references to the "data
exporter" and "data importer" shall be to the Customer referenced
above and Iteratively Inc. respectively (each a "party"; together
"the parties").
Data Exporter and Data Importer have agreed on the following Contractual
Clauses (the Clauses) in order to adduce adequate safeguards with
respect to the protection of privacy and fundamental rights and freedoms
of individuals for the transfer by the data exporter to the data
importer of the personal data specified in Appendix 1.
Clause 1
Definitions
For the purposes of the Clauses:
- a. 'personal data', 'special categories of data',
'process/processing', 'controller', 'processor', 'data
subject' and 'supervisory authority' shall have the same meaning
as in Directive 95/46/EC of the European Parliament and of the
Council of 24 October 1995 on the protection of individuals with
regard to the processing of personal data and on the free movement
of such data;
- b. 'the data exporter' means the controller who transfers the
personal data;
- c. 'the data importer' means the processor who agrees to receive from
the data exporter personal data intended for processing on his
behalf after the transfer in accordance with his instructions and
the terms of the Clauses and who is not subject to a third
country's system ensuring adequate protection within the meaning of
Article 25(1) of Directive 95/46/EC;
- d. 'the subprocessor' means any processor engaged by the data
importer or by any other subprocessor of the data importer who
agrees to receive from the data importer or from any other
subprocessor of the data importer personal data exclusively intended
for processing activities to be carried out on behalf of the data
exporter after the transfer in accordance with his instructions, the
terms of the Clauses and the terms of the written subcontract;
- e. 'the applicable data protection law' means the legislation
protecting the fundamental rights and freedoms of individuals and,
in particular, their right to privacy with respect to the processing
of personal data applicable to a data controller in the Member State
in which the data exporter is established;
- f. 'technical and organisational security measures' means those
measures aimed at protecting personal data against accidental or
unlawful destruction or accidental loss, alteration, unauthorised
disclosure or access, in particular where the processing involves
the transmission of data over a network, and against all other
unlawful forms of processing.
Clause 2
Details of the transfer
The details of the transfer and in particular the special categories of
personal data where applicable are specified in Appendix 1 which forms
an integral part of the Clauses.
Clause 3
Third-party beneficiary clause
- The data subject can enforce against the data exporter this Clause,
Clause 4(b) to (i), Clause 5(a) to (e), and (g) to (j), Clause 6(1)
and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party
beneficiary.
- The data subject can enforce against the data importer this Clause,
Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and
Clauses 9 to 12, in cases where the data exporter has factually
disappeared or has ceased to exist in law unless any successor
entity has assumed the entire legal obligations of the data exporter
by contract or by operation of law, as a result of which it takes on
the rights and obligations of the data exporter, in which case the
data subject can enforce them against such entity.
- The data subject can enforce against the subprocessor this Clause,
Clause 5(a) to (e) and (g), Clause 6, Clause 7, Clause 8(2), and
Clauses 9 to 12, in cases where both the data exporter and the data
importer have factually disappeared or ceased to exist in law or
have become insolvent, unless any successor entity has assumed the
entire legal obligations of the data exporter by contract or by
operation of law as a result of which it takes on the rights and
obligations of the data exporter, in which case the data subject can
enforce them against such entity. Such third-party liability of the
subprocessor shall be limited to its own processing operations under
the Clauses.
- The parties do not object to a data subject being represented by an
association or other body if the data subject so expressly wishes
and if permitted by national law.
Clause 4
Obligations of the data exporter
The data exporter agrees and warrants:
- a. that the processing, including the transfer itself, of the personal
data has been and will continue to be carried out in accordance with
the relevant provisions of the applicable data protection law (and,
where applicable, has been notified to the relevant authorities of
the Member State where the data exporter is established) and does
not violate the relevant provisions of that State;
- b. that it has instructed and throughout the duration of the personal
data processing services will instruct the data importer to process
the personal data transferred only on the data exporter's behalf
and in accordance with the applicable data protection law and the
Clauses;
- c. that the data importer will provide sufficient guarantees in respect
of the technical and organisational security measures specified in
Appendix 2 to this contract;
- d. that after assessment of the requirements of the applicable data
protection law, the security measures are appropriate to protect
personal data against accidental or unlawful destruction or
accidental loss, alteration, unauthorised disclosure or access, in
particular where the processing involves the transmission of data
over a network, and against all other unlawful forms of processing,
and that these measures ensure a level of security appropriate to
the risks presented by the processing and the nature of the data to
be protected having regard to the state of the art and the cost of
their implementation;
- e. that it will ensure compliance with the security measures;
- f. that, if the transfer involves special categories of data, the data
subject has been informed or will be informed before, or as soon as
possible after, the transfer that its data could be transmitted to a
third country not providing adequate protection within the meaning
of Directive 95/46/EC;
- g. to forward any notification received from the data importer or any
subprocessor pursuant to Clause 5(b) and Clause 8(3) to the data
protection supervisory authority if the data exporter decides to
continue the transfer or to lift the suspension;
- h. to make available to the data subjects upon request a copy of the
Clauses, with the exception of Appendix 2, and a summary description
of the security measures, as well as a copy of any contract for
subprocessing services which has to be made in accordance with the
Clauses, unless the Clauses or the contract contain commercial
information, in which case it may remove such commercial
information;
- i. that, in the event of subprocessing, the processing activity is
carried out in accordance with Clause 11 by a subprocessor providing
at least the same level of protection for the personal data and the
rights of data subject as the data importer under the Clauses; and
- j. that it will ensure compliance with Clause 4(a) to (i).
Clause 5
Obligations of the data importer
The data importer agrees and warrants:
- a. to process the personal data only on behalf of the data exporter and
in compliance with its instructions and the Clauses; if it cannot
provide such compliance for whatever reasons, it agrees to inform
promptly the data exporter of its inability to comply, in which case
the data exporter is entitled to suspend the transfer of data and/or
terminate the contract;
- b. that it has no reason to believe that the legislation applicable to
it prevents it from fulfilling the instructions received from the
data exporter and its obligations under the contract and that in the
event of a change in this legislation which is likely to have a
substantial adverse effect on the warranties and obligations
provided by the Clauses, it will promptly notify the change to the
data exporter as soon as it is aware, in which case the data
exporter is entitled to suspend the transfer of data and/or
terminate the contract;
- c. that it has implemented the technical and organisational security
measures specified in Appendix 2 before processing the personal data
transferred;
- d. that it will promptly notify the data exporter about:
  - i. any legally binding request for disclosure of the personal data by a
  law enforcement authority unless otherwise prohibited, such as a
  prohibition under criminal law to preserve the confidentiality of a
  law enforcement investigation,
  - ii. any accidental or unauthorised access, and
  - iii. any request received directly from the data subjects without
  responding to that request, unless it has been otherwise authorised
  to do so;
- e. to deal promptly and properly with all inquiries from the data
exporter relating to its processing of the personal data subject to
the transfer and to abide by the advice of the supervisory authority
with regard to the processing of the data transferred;
- f. at the request of the data exporter to submit its data processing
facilities for audit of the processing activities covered by the
Clauses which shall be carried out by the data exporter or an
inspection body composed of independent members and in possession of
the required professional qualifications bound by a duty of
confidentiality, selected by the data exporter, where applicable, in
agreement with the supervisory authority;
- g. to make available to the data subject upon request a copy of the
Clauses, or any existing contract for subprocessing, unless the
Clauses or contract contain commercial information, in which case it
may remove such commercial information, with the exception of
Appendix 2 which shall be replaced by a summary description of the
security measures in those cases where the data subject is unable to
obtain a copy from the data exporter;
- h. that, in the event of subprocessing, it has previously informed the
data exporter and obtained its prior written consent;
- i. that the processing services by the subprocessor will be carried out
in accordance with Clause 11;
- j. to send promptly a copy of any subprocessor agreement it concludes
under the Clauses to the data exporter.
Clause 6
Liability
- The parties agree that any data subject, who has suffered damage as
a result of any breach of the obligations referred to in Clause 3 or
in Clause 11 by any party or subprocessor is entitled to receive
compensation from the data exporter for the damage suffered.
- If a data subject is not able to bring a claim for compensation in
accordance with paragraph 1 against the data exporter, arising out
of a breach by the data importer or his subprocessor of any of their
obligations referred to in Clause 3 or in Clause 11, because the
data exporter has factually disappeared or ceased to exist in law or
has become insolvent, the data importer agrees that the data subject
may issue a claim against the data importer as if it were the data
exporter, unless any successor entity has assumed the entire legal
obligations of the data exporter by contract or by operation of law,
in which case the data subject can enforce its rights against such
entity. The data importer may not rely on a breach by a subprocessor
of its obligations in order to avoid its own liabilities.
- If a data subject is not able to bring a claim against the data
exporter or the data importer referred to in paragraphs 1 and 2,
arising out of a breach by the subprocessor of any of their
obligations referred to in Clause 3 or in Clause 11 because both the
data exporter and the data importer have factually disappeared or
ceased to exist in law or have become insolvent, the subprocessor
agrees that the data subject may issue a claim against the data
subprocessor with regard to its own processing operations under the
Clauses as if it were the data exporter or the data importer, unless
any successor entity has assumed the entire legal obligations of the
data exporter or data importer by contract or by operation of law,
in which case the data subject can enforce its rights against such
entity. The liability of the subprocessor shall be limited to its
own processing operations under the Clauses.
Clause 7
Mediation and jurisdiction
- The data importer agrees that if the data subject invokes against it
third-party beneficiary rights and/or claims compensation for
damages under the Clauses, the data importer will accept the
decision of the data subject: (a) to refer the dispute to mediation,
by an independent person or, where applicable, by the supervisory
authority; (b) to refer the dispute to the courts in the Member
State in which the data exporter is established.
- The parties agree that the choice made by the data subject will not
prejudice its substantive or procedural rights to seek remedies in
accordance with other provisions of national or international law.
Clause 8
Cooperation with supervisory authorities
- The data exporter agrees to deposit a copy of this contract with the
supervisory authority if it so requests or if such deposit is
required under the applicable data protection law.
- The parties agree that the supervisory authority has the right to
conduct an audit of the data importer, and of any subprocessor,
which has the same scope and is subject to the same conditions as
would apply to an audit of the data exporter under the applicable
data protection law.
- The data importer shall promptly inform the data exporter about the
existence of legislation applicable to it or any subprocessor
preventing the conduct of an audit of the data importer, or any
subprocessor, pursuant to paragraph 2. In such a case the data
exporter shall be entitled to take the measures foreseen in Clause 5
(b).
Clause 9
Governing Law
The Clauses shall be governed by the law of the Member State in which
the data exporter is established.
Clause 10
Variation of the contract
The parties undertake not to vary or modify the Clauses. This does not
preclude the parties from adding clauses on business related issues
where required as long as they do not contradict the Clause.
Clause 11
Subprocessing
- The data importer shall not subcontract any of its processing
operations performed on behalf of the data exporter under the
Clauses without the prior written consent of the data exporter.
Where the data importer subcontracts its obligations under the
Clauses, with the consent of the data exporter, it shall do so only
by way of a written agreement with the subprocessor which imposes
the same obligations on the subprocessor as are imposed on the data
importer under the Clauses. Where the subprocessor fails to fulfil
its data protection obligations under such written agreement the
data importer shall remain fully liable to the data exporter for the
performance of the subprocessor's obligations under such agreement.
- The prior written contract between the data importer and the
subprocessor shall also provide for a third-party beneficiary clause
as laid down in Clause 3 for cases where the data subject is not
able to bring the claim for compensation referred to in paragraph 1
of Clause 6 against the data exporter or the data importer because
they have factually disappeared or have ceased to exist in law or
have become insolvent and no successor entity has assumed the entire
legal obligations of the data exporter or data importer by contract
or by operation of law. Such third-party liability of the
subprocessor shall be limited to its own processing operations under
the Clauses.
- The provisions relating to data protection aspects for subprocessing
of the contract referred to in paragraph 1 shall be governed by the
law of the Member State in which the data exporter is established.
- The data exporter shall keep a list of subprocessing agreements
concluded under the Clauses and notified by the data importer
pursuant to Clause 5 (j), which shall be updated at least once a
year. The list shall be available to the data exporter's data
protection supervisory authority.
Clause 12
Obligation after the termination of personal data processing services
- The parties agree that on the termination of the provision of data
processing services, the data importer and the subprocessor shall,
at the choice of the data exporter, return all the personal data
transferred and the copies thereof to the data exporter or shall
destroy all the personal data and certify to the data exporter that
it has done so, unless legislation imposed upon the data importer
prevents it from returning or destroying all or part of the personal
data transferred. In that case, the data importer warrants that it
will guarantee the confidentiality of the personal data transferred
and will not actively process the personal data transferred anymore.
- The data importer and the subprocessor warrant that upon request of
the data exporter and/or of the supervisory authority, it will
submit its data processing facilities for an audit of the measures
referred to in paragraph 1.
APPENDIX 1
DETAILS OF THE TRANSFER FORMING PART OF THE STANDARD CONTRACTUAL
CLAUSES
Data exporter
The data exporter is the Customer.
Data importer
The data importer is Iteratively Inc.
Data subjects
The personal data transferred concern the following categories of data
subjects: Employees.
Categories of data
The personal data transferred concern the following categories of data:
Data Importer does not process or store its Data Exporter customers'
analytics data. Collected analytics data is sent directly from the Data
Exporter's systems to their ultimate third-party destination, as
designated by Data Exporter.
Personal data processed by Data Importer encompasses information about a
customer's employees, as follows:
- Email
- First and last name
- Company name
- IP address
Processing operations
The personal data transferred will be subject to the following basic
processing activities: transmitting, collecting, storing and analyzing
data in order to provide the Service to the Customer, and any other
activities related to the provision of the Service or specified in the
Agreement. The subject matter of the processing includes providing
software-as-a-service that helps companies define, instrument, and
collect high-quality digital analytics.
APPENDIX 2
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
Description of the technical and organizational security measures
implemented by the data importer in accordance with Clauses 4(d) and
5(c) (or document/legislation attached):
- Company maintains internal policies and procedures, or procures that
its Subprocessors do so, which are designed to:
  - (a) secure any personal data Processed by Company against
  accidental or unlawful loss, access or disclosure;
  - (b) identify reasonably foreseeable and internal risks to
  security and unauthorized access to the personal data Processed
  by Company;
  - (c) minimize security risks, including through risk assessment
  and regular testing.
- Company will, and will use reasonable efforts to procure that its
Subprocessors conduct periodic reviews of the security of their
network and the adequacy of their information security program as
measured against industry security standards and its policies and
procedures.
- Company will, and will use reasonable efforts to procure that its
Subprocessors periodically evaluate the security of their network
and associated Services to determine whether additional or different
security measures are required to respond to new security risks or
findings generated by the periodic reviews.
- Additional detail regarding Data Importer's technical and
organizational security measures may be found at
https://iterative.ly/security/.