Last modified:January 07, 2022
This Data Processing Agreement ("DPA") sets forth the parties' agreement regarding the terms and conditions governing the Processing of Personal Data under the V8TE Terms of Service (the"Agreement"). This DPA is effective, and supersedes any prior Data Processing Agreement, as of the date of its last amendment. In performing the Services under the Agreement, V8TE may process certain Personal Data on behalf of Customer, in which case the Parties agree to comply with the terms and conditions set forth in this DPA. For all purposes hereof, the Customer is the Processor of its Personal Data andV8TE is the Sub-processor of such Data, except where the Customer acts as a Sub-processor of Personal Data, in which case V8TE is a Sub- processor. V8TE may update this PAD from time to time. If you have an active V8TE account, we will notify you of any material changes.
1. Purpose and Term (1)
The Subcontractor and other DataProcessors, as listed in Article 7 of this DPA, perform IT services for the Processor under the service agreement between the Parties. IT services are defined as "distributed Data Processing services" which are not characterized by a classical bilateral cooperation between the Subcontractor and the Data Processor, but are generated by several Subcontractors performing successive processing functions. (2) Since the Personal Data will be processed on behalf of the Processor and according to its instructions in this respect, the services constitute Data Processing services on mandate in accordance with the European Regulation 2016/679 (General Data Protection Regulation or"GDPR") and the applicable Data Protection legislation. (3) The terms "Personal Data", "Processing", "Consent", "Collection", "Third Party", "Processor" and "Sub processor"shall be interpreted in accordance with the definitions in Article 4 of the GDPR.
2. Description of Processing
(1) The Processing of the Data of theProcessor carried out under the Contract shall be carried out in accordance with the following stipulations:
(a) Purpose: The purpose of the Processing of Personal Data by the Subcontractor is the provision of Services for the Processor, which involves the Processing of Personal Data, as set forth in the Contract.
(b) Types of Personal Data: The Personal Data provided, the extent of which is determined and controlled by the Processor in its sole discretion, includes names, e-mail addresses, telephone numbers, company job titles and other specific Data entered by the Processor into the Subcontractor's platform.
(c ) Categories of Data Subjects:Processor may transmitPersonal Data via theSubcontractor platform, the scope of which shall be determined and controlled by Processor in its sole discretion and which may include, but is not limited to, data of contact persons and other users of Processor, including employees, contractors, collaborators, customers, prospects, suppliers and subsequent subcontractors ofProcessor.
(d) Duration of Processing: PersonalData shall be Processed for the durationof the Contract, subjectto Article 9 of this DPA.
3. Obligations of the Controller
(1) In connection with the Agreement and its use of the Services, the Data Processor shall be responsible for its own compliance with the applicable data protection and privacy requirements.
(2) TheProcessor warrants that: (a) theProcessor's Processing of Personal Data is based on legal grounds as set forth in the applicable EU DataProtection Legislation, in respect of the Services provided by V8TE under this DPA and the Agreement; and (b) the Controller will inform DataSubjects of its use of Sub-processors for the purpose of Processing their Personal Data, to the extent prescribed by the applicable Data Protection Legislation.
(3) The Controller shall guarantee compliance with the security measures implemented by the Subcontractor and a level of security appropriate to the risk.
(4) TheController shall respond, within a reasonable time and to the extent reasonably possible, to inquiries submitted by Data Subjects regarding the Processing of their PersonalData by the Controller, and shall give appropriate instructions to the Subcontractor in a timely manner.
(5) The Controller shall respond within a reasonable time to inquiries from Data ProtectionAuthorities regarding the Processing of relevant Personal Data by the Controller.
4. Obligations of the Subcontractor
(1) Compliance with instructions
(a) The Subcontractor shall collect, process and use the Personal Data exclusively for the purpose of fulfilling its obligations under the Contract and in accordance with the instructions of the Controller. If the Subcontractor believes that an instruction of the Controller is contrary to the applicable Data Protection Legislation, it shall immediately inform the Controller.
(b) All instructions from the Customer shall be documented in the order form, the description of the Services, the applicable support ticket, in any other written communication or as instructed by the Customer using the Services(including via an API or the Services portal).
(c ) If the Subcontractor is unable to process PersonalData in accordance with theInstructions due to an obligation under the applicable Data Protection Legislation, the Subcontractor shall inform the Controller of such legal obligation as soon as possible prior to the Processing in question, to the extent permitted by the Legislation, and shall cease all Processing until theController issues new instructions that the Subcontractor is able to comply with.
(a) The Subcontractor's internal operating procedures shall comply with the specific requirements of effective Data Protection management.
(b) Subcontractor warrants and undertakes to employ and document reasonable and appropriate technical and organizational security measures for DataProcessing.
(c) Subcontractor shall separately processPersonal Data processed for differentControllers. The Subcontractor undertakes to implement at least the following security measures in order to guarantee separate processing: anonymization and encryption of PersonalData; means to guarantee the constant confidentiality, integrity and availability of the Processing systems and services; means to restore the availability of and access to the PersonalData in a timely manner in the event of a physical or technical security incident; a procedure to regularly test, analyze and evaluate the effectiveness of the technical and organizational measures to ensure the security of the Processing.
(d) The technical and organizational measures may evolve according to technical progress and improvements. In this respect, the Subcontractor may implement other appropriate measures.In such a case, the security level of the defined measures shall not be reduced.
(a) The Subcontractor warrants and undertakes that all employees involved in Data Processing have the required professional qualifications and have been trained in the applicable security and Data Protection requirements.
(b) The Subcontractor warrants that such employees are subject to confidentiality obligations with respect to the Personal Data provided by the Controller.
(c) Insofar as the Contractor is required by law to transmit information concerning the Customer Data to Third Parties, the Contractor shall inform the Controller in writing of the recipient, the date of transmission and the content of the information to be communicated as well as the legal basis, within a reasonable period of time before disclosing the information in question.
(4) Breaches of Personal Data
(a) The Contractor shall promptly notify the Controller of any breach of PersonalData, including any unauthorized or unlawful Processing of Personal Data and any accidental loss, alteration, misuse, disclosure or destruction of, or damage to, Personal Data by its employees, Subcontractors or otherThird Parties involvingPersonal Data provided by the Controller.
(b) The Subcontractor shall, taking into account the nature of the Processing and the information available to it, make reasonable efforts to provide the Customer with information regarding the security incident that affected the Personal Data. This information shall include the date and nature of the incident, the computer system involved, the persons affected, thetime of discovery of the incident, any likely adverse consequences of the Data security incident, and the steps taken by the Subcontractor as a result of the incident.
5. Return or Destruction of Personal Data
(a) Upon termination of the Agreement, Subcontractor shall return or destroy all Personal Data (including copies thereof) processed pursuant to this DPA. This provision shall not affect any legal obligations of the Parties to retain records for the retention periods established by law or contract.
(b) The Subcontractor shall be obliged to transmit the Data to the Data Controller, upon the latter's request, in a form that can be read and further processed.
(c) Any additional costs associated with the return or deletion of Personal Data after termination or expiration of the Agreement shall be borne by the Processor.
6. Assistance to the DataProcessor
(a) If the Subcontractor is in possession of the required information and the Controller does not otherwise have access to the required information, the Subcontractor shall provide reasonable assistance to the Controller for the purposes of any Data Protection Impact Assessments and any prior consultation with supervisory authorities or other competent Data Protection authorities.
(b) The Subcontractor shall at all times maintain an agent responsible for assisting the Controller (i) in responding to inquiries regarding the entrusted Data Processing from Data Subjects; and(ii) in fulfilling all legal information and disclosure obligations incumbent on the Controller associated with the entrusted Data Processing. The DataProtection Officer can be contacted directly at privacy@V8TE.com. TheSubcontractor will ensure that this information is up to date at all times. 5. Requests from Data Subjects
(1) The Subcontractor will provide reasonable assistance to the Controller, through appropriate technical and organizational measures, for the purpose of fulfilling the Controller's obligation to respond to requests from Data Subjects wishing to exercise their rights.
(2) V8TE provides specific tools to assist customers in responding to requests received from Data Subjects. These include our APIs and interfaces for event searches, deletions and message content retrieval.
(3) If a Data Subject contacts Subcontractor directly to exercise his or her rights under applicable Data Protection Legislation, Subcontractor will notify Customer within 7 days of receipt of the request. V8TE will assist theCustomer, at the Customer's expense, with appropriate technical and organizational measures, as far as reasonably possible, for the purpose of fulfilling the Customer's obligation to respond to requests from Data Subjects to exercise their rights.
7. Transfers of Data
8. Further Subcontracting
(1) Subcontracting for purposes of thisDPA means services that are directly related to the performance of the Contract. It does not include the following ancillary services:telecommunications services, postal or transport services, maintenance services and user support tools. The Subcontractor shall, however, be obliged to enter into appropriate and binding contractual agreements and to take appropriate inspection measures in order to ensure the protection and security of Customer Data, even in the case of outsourcing of ancillary services.
(2) The list of companies providing critical and important services directly related to the execution of the Contract will be provided upon request. The Data Processor expressly agrees to their designation.
(3) TheSubcontractor may change the list of Subcontractors provided that it informs the Controller in advance of the engagement of other Subcontractors and that the Controller has not objected on reasonable grounds to the planned outsourcing in writing (including by e-mail) within 30 days. Subcontractor shall not use theSubsequent Subcontractor so objected to until reasonable steps have been taken to remove the objections raised by Customer and Customer has received a reasonable written explanation of such steps. IfSubcontractor and Processor fail to remove such objection, either party may terminate the Agreement by written notice to the other.
(4) Subcontractor warrants that theSubsequent Subcontractor performs the Processing activities pursuant to a written agreement imposing on the Subsequent Subcontractor at least the same obligations as those imposed onSubcontractor by this Agreement. Subcontractor shall monitor the compliance of the Subcontractor on a regular basis.
(1) Subcontractor shall make available, upon reasonable written request by the Processor, such information as is reasonably necessary to demonstrate Customer's compliance with this DPA.
(2) The Controller, or a third party auditor appointed by the Controller, may, upon written request and at least 30 days prior notice to the Subcontractor, during normal business hours and without interrupting the Subcontractor's business operations, conduct an inspection of the Subcontractor's business operations to the extent necessary under applicable Data Protection Legislation. The Data Processor shall guarantee strict confidentiality.
(3) Customer shall bear all costs and expenses incurred by Subcontractor as a result of providing such information and exercising such audit rights.
10. Termination of the Contract
(1) ThisDPA shall terminate automatically and simultaneously with the termination of the Contract.
(2) TheController may terminate the contractual relationship without notice if the Subcontractor commits a serious breach of this DPA or the requirements of the applicable Data ProtectionLegislation.
11. Final Provisions
(1) To the extent that this DPA does not contain specific provisions, the provisions of the ServiceProvision Agreement shall apply. In the event of any inconsistencies between this DPA and the Service Provision Agreement, the provisions of this DPA shall prevail.
(2) If any provision of this PAD is held invalid, the validity of the remaining provisions of the PAD shall not be affected.
(3) This PAD has been drafted in theFrench language. The authoritative version for purposes of interpretation of this PAD shall be the French version. Governing Law and Jurisdiction The parties to this PAD hereby submit to the jurisdiction of the courts specified in theAgreement with respect to any disputes or claims arising in any way out of this PAD, including disputes concerning its existence, validity or termination or the consequences of its invalidity.