Logo
Logo

Legal

Definitions


“Affiliate” means, with respect to a party, any person or entity that controls, is controlled by, or is under common control with such party, where “control” means ownership of fifty percent (50%) or more of the outstanding voting securities (but only as long as such person or entity meets these requirements).


“Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data, including, a “Business” as that term is defined under Section 1798.140(c) of the CCPA.


“Data Processor” means a natural or legal person, public authority, agency, or other body which Processes Data on behalf of a Controller, including any


“Service Provider” as that term is defined under Section 1798.140(v) of the CCPA.


“Data Protection Laws” means, as and to the extent they apply to that Party, any applicable laws and regulations in relation to the privacy or Processing of Personal Data, including as may be applicable, but not limited to: (a) the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”); (b) the California Consumer Privacy Act, Cal. Civ. Code§ 1798.100 et seq., and its implementing regulation (“CCPA”); and (c) and any laws intended to implement, replace or supplement any of the foregoing, as amended, consolidated, re-enacted or replaced from time to time, in each case, as applicable to the Processing of Personal Data under the Agreement.


“Data Subject” means the identified or identifiable person to whom Personal Data relates.


“Personal Data” means any information relating to an identified or identifiable natural person, including without limitation, information about Customer employees that is Processed by Abluva pursuant to this DPA.


“Process” (or “Processing” or “Processed”) means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


“Sub-processors” means each third party with which Abluva contracts in connection with the performance by that third party (or its employees, contractors or agents) of any part of the Services and each other downstream third-party contractor that is engaged for such purposes.


The terms “Transfer”,“Supervisory Authority” and “appropriate technical and organizational measures” shall be interpreted in accordance with the applicable Data Protection Laws.



Roles of the parties


For the purpose of this DPA, the Parties acknowledge and confirm that Customer is a Controller and Abluva is a Processor for the Processing of Personal Data. Each party shall, and agrees to, comply with Data Protection Laws with respect to the performance of its obligations hereunder.



Description of processing activities


Personal information is processed for the period necessary to fulfill the purposes for which it is collected, to comply with legal and regulatory obligations and for the duration of any period necessary to establish, exercise or defend any legal rights. In order to determine the most appropriate retention periods for your personal information, we consider the amount, nature and sensitivity of your information, the reasons for which we collect and process your personal information, and applicable legal requirements.


In some instances, we may choose to anonymize personal information instead of deleting it, for statistical use, for instance. When we choose to anonymize, we make sure that there is no way that the personal information can be linked back to any specific individual.


While we retain this information, we will protect it within commercially acceptable means to prevent loss and theft, as well as unauthorized access, disclosure, copying, use or modification. That said, please note that no method of electronic transmission or storage is 100% secure and we cannot guarantee absolute data security.



Transfer of data


Where Abluva Processes Personal Data that is subject to the GDPR, the terms and conditions set forth in the standard contractual clauses issued by the European Commission attached hereto at Exhibit A (the “Standard Contractual Clauses”) shall apply to such Processing. The Parties agree that the terms in the Standard Contractual Clauses are incorporated by reference into this DPA. Customer is defined as data exporter and Abluva is defined as data importer within the terms of the Standard Contractual Clauses. If there is a conflict between the provisions of this DPA or the data privacy provisions of the Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.



Abluva Obligations


Processing of Data. Abluva shall only Process such Personal Data in accordance with Customer’s written instructions from time-to-time (including as set out in the Agreement, or as provided as submissions through the Services) or as required for Abluva to provide, manage and facilitate the provision of the Services. In addition to, and without limiting, the foregoing obligations, to the extent Abluva Processes any Personal Data subject to the CCPA, Abluva (a) shall not further collect, use, retain, access, share, transfer, or otherwise Process Personal Data for any purpose not related to providing the Services and shall not retain, use, or disclose Personal Data outside of the direct business relationship between Customer and Abluva; and (b) is prohibited from “selling” Personal Data (as defined under Section 1798.140(t) of the CCPA). Pursuant to Section 1798.40 the CCPA, Abluva hereby certifies that it understands and agrees to and shall comply with the restrictions set forth under clauses (a) and (b) of this Section 5.1. Abluva promptly inform Customer if, in its opinion, the Customer’s instructions infringe or violate any Data Protection Laws, or if Abluva is unable to comply with the Customers’ instructions


Security; Confidentiality . Abluva will implement appropriate industry standard technical and organizational measures reasonable designed to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, Abluva must take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Abluva will take reasonable steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligation to protect Personal Data that are at least as protective as those obligations herein.


Data Breach . Abluva shall inform Customer without undue delay, as soon as it has become aware of a security breach that results in the accidental or unlawful destruction, loss, alteration or unauthorized disclosure or access to unencrypted Personal Data in Abluva’s possession or control (a “Data Breach”). Abluva shall provide all reasonable information in Abluva’s possession concerning such Data Breach insofar as it affects Customer, including the following, to the extent then known: (a) the possible cause and consequences for the Data Subjects of the Data Breach; (b) the categories of Personal Data involved; (c) a summary of the possible consequences for the relevant Data Subjects; (d) a summary of the unauthorized recipients of the Personal Data; and (e) the measures taken by Abluva to mitigate any damage. Abluva shall use reasonable efforts to provide Customer updates of further developments concerning a Data Breach.


Assistance to Customer . Will assist Customer, at Customer’s cost and expense, in complying with data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities requirements under Data Protection Laws, taking into account the nature of the Processing and the information available to Abluva. To the extent authorized under applicable law, Customer shall be responsible for any costs arising from Abluva’s provision of such assistance. If Abluva receives a request from a Data Subject to exercise a Data Subject right provided for under the Data Protection Laws in relation to that Data Subject’s Personal Data, Abluva will promptly notify Customer of the request and provide a copy of the request to Customer. Abluva will use commercially reasonable efforts to assist Customer with responding to any such request upon Customer’s written request for assistance.


Return/Destruction of Personal Data . Upon termination of the Agreement or this DPA for any reason, or on Customer’s instructions, promptly cease to Process the Personal Data and subject to sections below, and shall return and/or destroy a complete copy of all the Personal Data in Abluva’s possession or control, unless any Data Protection Law prevents it from returning or destroying all or part of the Personal Data or requires storage of the Personal Data (in which case Abluva must keep them confidential).



Customer Obligations


General . Customer represents and warrants that (a) it has the necessary rights to transfer or make available such Personal Data to Abluva (including that Customer has, or has procured, the necessary legal authority, permissions and/or consents for Abluva to process the Personal Data to provide the Services); (b) Customer’s instructions comply with (and will not cause Abluva to be in breach of) any Data Protection Laws; (c) that Customer has taken all necessary steps to ensure that any Data Subjects are aware of the nature of the Processing of the Personal Data to be undertaken; and (d) Customer is in compliance with all Data Protection Laws. Customer is responsible for handling and responding to all Data Subject rights requests under Data Protection Laws, including, but not limited to, communicating with the Data Subject making the request. Customer further agrees to cooperate with Abluva to fulfil their respective data protection compliance obligations in accordance with the Data Protection Laws.


Affiliates . Where an Affiliate of Customer is the Data Controller over any Personal Data processed by Abluva under this DPA, Customer will procure that any relevant Affiliate complies with its obligations under the Data Protection Laws and Section 6.1 in respect of such Personal Data. Customer shall remain responsible for its Affiliates performance under this DPA.


Sub-Processors . Customer gives a general authorization to Abluva to disclose Personal Data to Sub-Processors; provided that, each Sub-Processor shall be bound by a written agreement which imposes on the Sub-Processor the same data protection obligations as are imposed on Abluva under this DPA to the extent applicable to the nature of the service provided by the Sub-Processors. Where the Sub-Processor fails to fulfil its data protection obligations under such agreement, Abluva shall remain fully liable towards Customer for the performance of the Sub-Processor’s obligations under such agreement. Abluva’s current Sub-Processors are listed on Schedule A hereto. Abluva shall give Customer reasonable prior written notice of Abluva’s appointment of any new Subprocessor, including reasonable details of the Processing to be undertaken by the Subprocessor. If, within seven (7) business days of receipt of that notice, Customer notifies Abluva in writing of any objections (on reasonable grounds) to the proposed appointment, then Abluva shall not appoint (nor disclose any Personal Data to) the proposed Subprocessor. If Customer does not provide notice of its objections to the new subprocessor within such seven (7) day period above, then the Subprocessor shall be deemed accepted.


Audit and Records . Subject to any audit provisions and procedures in the Agreement, Abluva shall make available to Customer, on request, all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Customer, a Supervisory Authority, or an independent auditor mandated by Customer or Customer Affiliate of Abluva’s data processing facilities, procedures and documentation which relate to the Processing of Personal Data in order to ascertain compliance with the terms of this DPA. Abluva shall fully cooperate with Customer in respect of any such audit and, at the request of Customer, provide Customer with evidence of compliance with its obligations under this DPA. Notwithstanding the foregoing, the audit rights and obligations in this Section shall not apply if the audit rights included in the Agreement meet the requirements of the Data Protection Laws.


Changes in Data protection laws . Notwithstanding any provisions to the contrary in this DPA, if any change in Data Protection Laws may require or result in any variation to this DPA, Abluva will modify this DPA as necessary to incorporate such change(s) and provide a copy of the modified DPA to Customer. Customer shall notify Abluva of any objection to such modifications of the DPA within thirty (30) days’ of Abluva’s dispatch of such modified DPA. If Abluva does not receive any objection from Customer within this thirty (30) day period, Customer will be deemed to have accepted such modifications and such modifications will become binding and enforceable as part of this DPA. Should Customer submit objections to Abluva within the above-referenced thirty (30) days, Customer and Abluva agree to discuss and negotiate in good faith any such necessary modifications to this DPA to address the changes with a view to agreeing and implementing modifications as mutually agreeable to both Customer and Abluva as soon as is reasonably practicable but no later than thirty (30) days following Abluva’s receipt of Customer’s objections. If Customer and Abluva are unable to reach agreement on modifications to this DPA within such thirty (30) day time period, Abluva may terminate the Agreement without notice to Customer.



Schedule A
Description of Processing Activities


Data Subjects
The Personal Data concerns the following categories of Data Subjects: Employee name and email


Categories of data
The Personal Data concerns the following categories of data: N/A


Special categories of data (if appropriate)
The Personal Data transferred concern the following special categories of data:N/A


Geographic Location of the Processing of data
Abluva will Process Personal Data in the following locations:N/A


Subcontractors
Abluva’s Subcontractors that will have access to or otherwise Process Personal Data are: N/A