This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between Customer (as defined in the Agreement) and Complyance Inc. under which the Processor provides the Controller with the software and services (the “Services”). The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties”.
The Parties seek to implement this DPA to comply with the requirements of EU GDPR (defined hereunder) in relation to Processor’s processing of Personal Data (as defined under the EU GDPR) as part of its obligations under the Agreement.
This DPA shall apply to Processor’s processing of Personal Data, provided by the Controller as part of Processor’s obligations under the Agreement.
Except as modified below, the terms of the Agreement shall remain in full force and effect.
Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:
This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be limited to the Processor’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.
The Controller authorizes permission to the Processor to process the Personal Data to the extent of which is determined and regulated by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.
The objective of Processing of Personal Data by the Processor shall be limited to the Processor’s provision of the Services to the Controller and or its Client, pursuant to the Agreement.
The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller.
Any Data Transfer for the purpose of Processing by the Processor in a country outside the European Economic Area (the “EEA”) shall only take place in compliance as detailed in Schedule 1 to the DPA. Where such model clauses have not been executed at the same time as this DPA, the Processor shall not unduly withhold the execution of such template model clauses, where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement.
Having regard to the state of technological development and the cost of implementing any measures, the Processor will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected [including the measures stated in Annex II of Schedule 1]
SCHEDULE 1
ANNEX I
A. LIST OF PARTIES
Data exporter(s):
Name : Customer (As set forth in the relevant Order Form).
Address: As set forth in the relevant Order Form.
Contact person’s name, position, and contact details: As set forth in the relevant Order Form.
Activities relevant to the data transferred under these Clauses: Recipient of the Services provided by Complyance Inc. in accordance with the Agreement.
Signature and date: Signature and date are set out in the Agreement.
Role Controller/ Processor): Controller
Data importer(s):
Name: Complyance Inc.
Address: 2810 N church St, Wilmington,Delaware 19802, US
Contact person’s name, position, and contact details: Meiyappan M M, CISO , meiyappanmm@complyance.io
Activities relevant to the data transferred under these Clauses: Provision of the Services to the Customer in accordance with the Agreement.
Signature and date: Signature and date are set out in the Agreement.
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer’s authorized users of the Services.
Categories of personal data transferred
Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, Username.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data collected.
The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis).
Continuous basis
Nature of the processing Data Analytics and Generating various Reports
Purpose(s) of the data transfer and further processing
The purpose of the transfer is to facilitate the performance of the Services more fully described in the Agreement and accompanying order forms.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The period for which the Customer Personal Data will be retained is more fully described in the Agreement, Addendum, and accompanying order forms.
For transfers to (sub-) processors, also specify subject matter, nature, and duration of the processing
The subject matter, nature, and duration of the Processing more fully described in the Agreement, Addendum, and accompanying order forms.
C.COMPETENT SUPERVISORY AUTHORITY
Data exporter is established in an EEA country.
The competent supervisory authority is as determined by application of Clause 13 of the EU SCCs.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organisational security measures implemented by Complyance Inc. as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors: