Data Processing Agreement

In the course of providing products and/or services to Customer, LogicManager may Process Personal Data on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Data.

This Data Processing Addendum forms part of the Master Subscription Agreement (“Agreement”) between Customer and LogicManager. In the event of any conflicts between the terms of this Data Processing Addendum and the Agreement as it relates to the processing of Personal Data, the terms of this Agreement shall control.

Introduction

Customer is a Controller of certain Personal Data and wishes to appoint LogicManager as a Processor to Process this Personal Data on its behalf.

The parties are entering into this DPA to ensure that LogicManager conducts such data Processing in accordance with Customer’s instructions and Applicable Data Protection Law requirements, and with full respect for the fundamental data protection rights of the Data Subjects whose Personal Data will be Processed.

Definitions

In this DPA, the following terms shall have the following meanings:

“Controller”, “Processor”, “Data Subject”, “Personal Data” and “Processing” (and “Process”) shall have the meanings given in Applicable Data Protection Law. “Personal Data” shall include “Personal information” as that term is defined under Applicable Data Protection Law.

“Applicable Data Protection Law” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the Processing of Personal Data under the Agreement.

“Standard Contractual Clauses” means the model clauses for the transfer of Personal Data to Processors established in third countries approved by the European Commission from time to time, the approved version of which in force at present is that set out in the European Commission’s Decision 2010/87/EU of 5 February 2010.

Data Processing

  1. Relationship of the Parties. Customer (the Controller) appoints LogicManager as a Processor to Process the Personal Data that is the subject matter of the Agreement. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
  2. Purpose Limitation. LogicManager shall Process the Personal Data as a Processor only as necessary to perform its obligations under the Agreement, except where otherwise required or allowed by Applicable Data Protection Law applicable to LogicManager. In no event shall LogicManager Process the Personal Data for its own purposes or those of any third party except as set forth in the Agreement. Except as otherwise agreed upon by the parties or as otherwise permitted under Applicable Data Protection Law, LogicManager shall not (i) sell the Personal Data, or (ii) retain, use or disclose the Personal Data for any commercial purpose.
  3. International Transfers. Customer acknowledges and agrees that LogicManager may transfer and process Personal Data anywhere where LogicManager or its sub-processors maintain data processing operations. If Personal Data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the Personal Data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved Standard Contractual Clauses for the transfer of personal data.
  4. Confidentiality of Processing. LogicManager shall ensure that any person that it authorizes to Process the Personal Data (including LogicManager’s employees, agents and subcontractors) (an “Authorized Person”) shall be subject to a duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to Process the Personal Data who is not under such a duty of confidentiality. LogicManager shall ensure that all Authorized Persons Process the Personal Data only as necessary for the Permitted Purpose.
  5. Security. LogicManager shall implement appropriate technical and organizational measures to protect the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data (a “Security Incident”). Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
  6. Subprocessing. Customer consents to LogicManager engaging third party sub-processors to Process the Personal Data provided that: (i) LogicManager imposes data protection terms on any sub-processor it appoints that protect the Personal Data to substantially similar terms to the terms of this DPA; and (ii) LogicManager remains fully liable for any breach of this DPA that is caused by an act, error or omission of its sub-processor. Upon request, LogicManager shall make available to Customer the current list of sub-processors for the Services. Such sub-processor lists shall include the identities of those sub-processors and their country of location. LogicManager will provide thirty (30) days’ notice to Customer in the event of any change in sub-processors used to Process the Personal Data. Customer may object to LogicManager’s appointment or replacement of a third party sub-processor within thirty (30) days of such notice, provided such objection is on reasonable grounds relating to the protection of the Personal Data. In such event, LogicManager will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate this DPA.
  7. Cooperation and Data Subjects’ Rights. LogicManager shall provide all reasonable and timely assistance (including by appropriate technical and organizational measures) to Customer to enable Customer to respond to: (i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the Processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to LogicManager, LogicManager shall promptly inform Customer providing details of the same.
  8. Data Protection Impact Assessment. If LogicManager believes or becomes aware that its Processing of the Personal Data is likely to result in a high risk to the data protection rights and freedoms of Data Subjects, it shall promptly inform Customer and provide Customer with all such reasonable and timely assistance as Customer may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
  9. Security Incidents. Upon becoming aware of a Security Incident, LogicManager shall inform Customer without undue delay and shall provide all such timely information and cooperation as Customer may require in order for Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. LogicManager shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer apprised of all developments in connection with the Security Incident.
  10. Deletion or Return of Data. After termination or expiration of the Agreement, or upon Customer’s request, LogicManager shall destroy or return to Customer all Personal Data (including all copies of the Personal Data) in its possession or control (including any Personal Data subcontracted to a third party for Processing). This requirement shall not apply to the extent that LogicManager is required by law to retain some or all of the Personal Data, in which event LogicManager shall isolate and protect the Personal Data from any further Processing except to the extent required by such law.
  11. Audit. LogicManager shall permit Customer to audit LogicManager’s compliance with its obligations under this DPA upon Customer’s advance written request and at Customer’s sole expense. LogicManager shall make available all information, systems, and staff reasonably necessary to conduct such audit. Customer will not exercise its audit rights more than once in any twelve (12) calendar month period, except (i) if and when required by instruction of a competent data protection authority; or (ii) Customer reasonably believes a further audit is necessary due to a Security Incident suffered by LogicManager.

Appendix 1

Data exporter

The data exporter is (please specify briefly your activities relevant to the transfer):

  • Data exporter is (i) Customer which is subject to the data protection laws and regulations of the EU, the EEA and/or their member states, Switzerland and/or the UK and, (ii) its Affiliates (as defined in the Agreement).

Data importer

The data importer is (please specify briefly activities relevant to the transfer):

  • LogicManager is a provider of governance, risk, and compliance software and services which process personal data upon the instruction of the data exporter in accordance with the terms of the Agreement.

Data subjects

The personal data transferred concern the following categories of data subjects (please specify):

Data exporter may submit Personal Data to data importer through Software, Services, or Software-as-a-Service (“Services”), as applicable, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners and vendors of data exporter (who are natural persons)
  • Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
  • Employees, agents, advisors, freelancers of data exporter (who are natural persons)
  • Data exporter’s Users authorized by data exporter to use LogicManager’s products and/or services (who are natural persons)

Categories of data

The personal data transferred concern the following categories of data (please specify):

Data exporter may submit Personal Data to the data importer through Services, as applicable, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:

  • First and last name
  • Title/Position
  • Contact information (company, email, phone, physical business address)
  • User behavior (including user account activity & metadata)
  • Other relevant data which the data exporter elects to send to the data importer for processing.

Special categories of data (if appropriate)

The personal data transferred concern the following special categories of data (please specify):

  • The data importer does not intentionally collect or process any special categories of data. However, the data exporter may submit special categories of data to the data importer through Services, as applicable, the extent of which is determined and controlled by the data exporter in its sole discretion.

Processing operations

The personal data transferred will be subject to the following basic processing activities (please specify):

  • Aggregation and processing by LogicManager products and services for use by the data exporter in its normal business activities.