Data Processing Agreement
Upto11 Data Processing Agreement
(Last update: April 2023)
Introduction
This Data Processing Agreement forms part of and is integrated into the agreement between You and UPTO11 governing Our provision of any Upto11-branded Services to You (collectively, the “Agreement”). If and to the extent We Process Your Personal Data within the scope of the Agreement (hereinafter, “Process/Processing/Processed”), this Data Processing Agreement including its Annexes (collectively, the “DPA”) shall apply to such Processing activities.
As used herein, “We/Us/Our” shall designate the UPTO11entity that entered into the Agreement and “You/Your/Yourself” shall designate the counterparty to the Agreement. Any capitalized terms not otherwise defined herein shall have the meaning ascribed to them in the Agreement.
By entering into the Agreement, You also enter into this DPA on behalf of Yourself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of Your Affiliates, employees and any third parties whose Personal Data You may provide Us in the context of the Services. You hereby authorize Us to Process such Personal Data in accordance with this DPA. All instructions related to this DPA shall be provided solely by You. In case of any conflict, individual terms of this DPA shall take precedence over individual terms of the Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected. In the event of any conflict or inconsistency between the DPA and potential Transfer SCCs (as defined below), the Transfer SCCs shall prevail.
Clause 1
Purpose and scope
(a) With regard to the Processing of Personal Data, You are the controller and determine the purposes and means of Processing of Personal Data (“Controller”). You appoint Us as a processor (“Processor”). We shall Process Personal Data on Your behalf only for the purposes detailed in Annex I, unless we receive further documented instructions from You. (b) You shall be solely responsible for compliance with Your obligations as Controller under the applicable Data Protection Laws, including, but not limited to, the lawful disclosure and transfer of Personal Data to Us.
(c) Processing by Us shall only take place for the duration of the Services as specified in the Agreement.
Clause 2
Instructions
(a) We shall Process Your Personal Data only on documented instructions from You, unless otherwise required to do so under mandatory applicable law. In such case, we shall inform You of the legal requirement before Processing, unless the law prohibits Us from doing so. Subsequent instructions may also be given by You throughout the duration of the Processing of Your Personal Data, provided that such instructions are in the scope of the Agreement and documented.
(b) We shall immediately inform You if, in Our opinion, instructions given by You infringe applicable Data Protection Laws. We shall be entitled to suspend performance against such instruction until You confirm or modify such instruction to bring it into compliance with all applicable Data Protection Laws.
(c) We shall correct or erase Your Personal Data if instructed by You and where included in the scope of the instructions. We shall, upon termination of Processing and upon Your instruction, delete Personal Data within 30 days (or such other period of time agreed in writing between the parties) unless applicable law or competent authority requires retention for a specified period. Upon Your request, we shall certify deletion.
Clause 3
Security of the Processing
(a) We shall implement the technical and organizational measures to ensure a level of security appropriate to the risk of the likelihood and severity of any breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the Personal Data (“Personal Data Breach”). We reserve the right to update the measures and safeguards implemented, provided, however, that the level of security shall not materially decrease during the Agreement Term.
(b) In assessing the appropriate level of security, We shall take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing and the risks involved for the data subjects.
(c) Access to the Personal Data by Our personnel shall be strictly limited to those individuals who need such access to implement, manage and monitor the Services. Any personnel authorized to access the Personal Data have committed themselves to confidentiality obligations similar to the confidentiality terms of the Agreement or are under an appropriate statutory obligation of confidentiality.
Clause 4
Documentation and audits
(a) We shall document Our compliance with the obligations agreed in this DPA.
(b) Upon Your request, and subject to the confidentiality obligations set forth in the Agreement, We shall make available to You or
Your independent third-party auditor information regarding Our compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits.
Clause 5
Use of sub-processors
(a) You hereby consent to use of (i) UPTO11 Affiliates and (ii) the sub-processors listed on Our website a thttps://upto11.co/knowledge-base/list-of-sub-processors/ in connection with Our performance under the Agreement. We are liable for the Processing activities of Our subprocessors to the same extent We would be liable if We were Processing Your Personal Data.
(b) We shall notify You at least four (4) weeks before engaging any new sub-processor(s) under this DPA (“Notification Period”). You may object to any new sub-processor(s) on reasonable grounds related to applicable Data Protection Laws by providing written notice to Us within fourteen (14) days after having received such notice (“Objection Period”). If You do not object within the Objection Period, You shall be deemed to have consented to the new sub-processor. If You do object within the Objection Period, the parties will work together in good faith to find a functionally-equivalent and commercially-reasonable alternative to the new sub-processor. If a solution is not agreed between the parties within the Notification Period, You shall have the right to terminate the relevant Service by providing thirty days’ prior written notice. You shall pay for the Services up to and including the effective date of termination.
(c) Where We engage a sub-processor for carrying out Processing activities, We shall do so by way of a binding contract which imposes on the sub-processor, in substance, the same data protection obligations as those contained in this DPA.
Clause 6
International transfers
We abide by the terms of the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 as set out in Module Two (Controller to Processor) (“SCC”), which is deemed incorporated herein by this reference. The SCC shall apply to Upto11 in its role as the “data importer.” The SCC shall apply to You and, to the extent legally required, all of Your Affiliates established within the European Union, the European Economic Area and/or its member states, and/or Switzerland, in their role as “data exporters.” The International Data Transfer Addendum attached to the SCC shall apply to You and, to the extent legally required, all of Your Affiliates established within the United Kingdom, in their role as “data exporters.” Annex I to this DPA shall fulfill the requirements of Annex I.B (Description of Transfer) of the SCCs.
Clause 7
Assistance to the Controller
(a) We shall promptly notify You of any request we receive from a data subject, provided We are able to correlate that data subject to You based on the information provided by the data subject. We shall not respond to the request, unless authorized to do so by You or required by Data Protection Laws.
(b) Taking into account the nature of the Processing, We will reasonably assist You to fulfill Your obligations as Controller to respond to data subject requests.
(c) We shall not be liable in cases where You fail to respond to a data subject’s request completely, correctly, in a timely manner, or otherwise in accordance with Data Protection Laws.
(d) Taking into account the nature of the Processing and the information available to Us, if you request, We shall assist You in carrying out a data protection impact assessment in cases where the Processing is likely to result in a high risk to the rights and freedoms of natural persons.
Clause 8
Notification of Personal Data Breach
(a) In the event of a Personal Data Breach, we shall cooperate with and reasonably assist You to comply with Your obligations under applicable Data Protection Laws, taking into account the nature of Processing and the information available to Us.
(b) In the event of a Personal Data Breach by Us, We shall notify You without undue delay after becoming aware of the breach. Such notification shall contain, at least: (a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned); (b) the details of a contact point where more information can be obtained; (c) its likely consequences and the measures taken to address the breach.
(c) You shall send the contact details of the person to notify in case of Personal Data Breaches to legal@UPTO11.co
(d) Where, and insofar as, it is not possible to provide all of the information specified in (b) above at the same time, the initial notification shall contain the information then-available and further information shall, as it becomes available, subsequently be provided without undue delay.
Clause 9
Final provisions
(a) Each party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement.
(b) This DPA constitutes the entire agreement between the parties regarding Our Processing activities, and supersedes all prior and contemporaneous agreements, proposals and representations, whether written or oral, concerning the subject matter hereof. Upon notification to You, We may update this DPA from time-to-time. Any revised version shall become effective upon renewal of Your Subscription under the Agreement.
(c) If You are domiciled in the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom, this DPA is subject to the laws of the country in which You are domiciled. For all other cases, this DPA is subject to the laws applicable to the Agreement. For any disputes arising out of or in connection with this DPA, the parties submit to the exclusive jurisdiction of the courts established in the country whose laws govern this DPA.
Annex A
Categories of data subjects whose Personal Data is Processed
Employees of the Controller. Further categories of data subjects, depending on the Controller’s use of the Services. Categories of Personal Data Processed User Account related data such as name, username/ID, contact details, log and protocol data. Further categories of Personal Data (incl. sensitive data), depending on the Controller’s use of the Services.
Nature of the Processing
— Provision of the Upto11 Services: The Service provides tools and features to integrate and automate various third-party applications, websites and services maintained by the Controller. Personal Data is primarily used to provide access to the Service by the Processor. If Personal Data is used for application-related usage analysis, the data will be anonymized.
— Support Services: Personal Data of Controller’s employees issuing Support Services requests (“tickets”) may be Processed by Processor for the purposes of administering the Support Services. Processor’s personnel may access Controller’s instance on a case-by-case basis if requested by the Controller (e.g. “shadowing”). Purpose(s) for which the Personal Data is Processed on behalf of the Controller Purpose of the Processing is (i) the rendering of the Services by the Processor to the Controller, as agreed in the Agreement between the parties; (ii) Processing initiated by Users in the course of their use of or access to the Services; and (iii) Processing to comply with other reasonable and documented instructions provided by the Controller that are consistent with the terms of the Agreement.
Duration of the Processing
The duration of the Processing equals the Term of the Agreement.