Data Processor Agreement
Last Modified: May 2018
This Ethnio Processor Data Processing Addendum (“Processor DPA”) shall amend and apply to all of your agreements (“Agreements”) with Ethnio, Inc., (“Ethnio”) to the extent that Ethnio processes as Your processor any personal data originating from the European Economic Area, the United Kingdom and Switzerland (“Your Data”)
1. Definitions
Words and expressions used in this Processor DPA but not defined herein shall have the meanings given to such words and expressions in the EU Directive 95/46/EC or, from 25 May 2018, the General Data Protection Regulation (2016/679) (“GDPR”), including any subordinate or implementing legislation, and, for transfers of Your Data to Ethnio, Inc., the Commission implementing Decision 2016/1250 (“Privacy Shield”) (“Applicable Data Protection Law”).
“You” refers to the controller who has signed this Processor DPA with Ethnio.
2. Details of the Processing Operations
The subject matter of the processing, including the processing operations carried out by Ethnio on your behalf, the instructions from You to Ethnio, and the security measures deployed by Ethnio, are described in the relevant Agreements between You and Ethnio. Ethnio acts on behalf of and on the instructions of You in carrying out the processing operations.
3. Your Obligations
3.1 You determine the purposes for which Your Data is being or will be processed, and the manner in which they are or will be processed.
3.2 You represent, warrant and agree that with respect to Your Data provided to Ethnio pursuant to this Processor DPA You:
3.2.1 comply with personal data security and other obligations prescribed by Applicable Data Protection Law for controllers;
3.2.2 confirm that the provision of Your Data to Ethnio complies with Applicable Data Protection Law;
3.2.3 have established a procedure for the exercise of the rights of the individuals whose personal data is collected;
3.2.4 only process data that has been lawfully and validly collected and ensure that such data is relevant and proportionate to the respective uses;
3.2.5 ensure that after assessment of the requirements of Applicable Data Protection Law, the security and confidentiality measures implemented are suitable for protection of Your Data against any accidental or unlawful destruction, accidental loss, alteration, unauthorized or unlawful disclosure or access, in particular when the processing involves data transmission over a network, and against any other forms of unlawful or unauthorized processing; and
3.2.6 take reasonable steps to ensure compliance with the provisions of this Processor DPA by Your personnel and by any person accessing or using Your Data on its behalf.
4. Obligations of Ethnio.
4.1 Ethnio carries out the processing of Your Data on your behalf.
4.2 Further to the provisions of Article 28 of the GDPR, Ethnio agrees that it will:
4.2.1 process Your Data only on your behalf and in compliance with Your instructions (including relating to international data transfers), including instructions in this Processor DPA and all Agreements between You and Ethnio, unless required to do so by EU or Member State law to which Ethnio is subject;
4.2.2 immediately inform you if in Ethnio’s opinion an instruction from You infringes Applicable Data Protection Law;
4.2.3 implement appropriate technical and organizational security measures as provided for in Your Agreements with Ethnio prior to the commencement of the processing activities for Your Data, maintain such security measures (or better security measures) for the duration of this Processor DPA, and provide You with reasonable evidence of its privacy and security policies;
4.2.4 take reasonable steps to ensure that (i) persons employed by it and (ii) other persons engaged at its place of business who may process Your Data are aware of and comply with this Processor DPA;
4.2.5 comply with confidentiality obligations in respect of Your Data as detailed in all Agreements and take appropriate steps to ensure that its employees, authorized agents and any sub-processors comply with and acknowledge and respect the confidentiality of Your Data, including after the end of their employment, contract or at the end of their assignment;
4.2.6 inform You of:
4.2.6.1 any legally binding request for disclosure of Your Data by a law enforcement authority, unless otherwise prohibited, such as in order to preserve the confidentiality of an investigation by the law enforcement authorities;
4.2.6.2 any personal data breach within the meaning of Applicable Data Protection Law relating to Your Data which may require a notification to be made to a supervisory authority or data subject under Applicable Data Protection Law (“Security Incident”);
4.2.6.3 any relevant notice, inquiry or investigation by a supervisory authority relating to Your Data; and
4.2.6.4 any requests for access to, rectification or blocking of Your Data received directly from a data subject without responding to that request, unless You have authorized a response or such a response is required by law;
4.2.7 provide reasonable co-operation and assistance to You in respect of Your obligations regarding:
4.2.7.1 requests from data subjects in respect of access to or the rectification, erasure, restriction, blocking or deletion of Your Data;
4.2.7.2 the investigation of any Security Incident and the notification to the supervisory authority and data subjects in respect of such a Security Incident;
4.2.7.3 the preparation of data protection impact assessments and, where applicable, carrying out consultations with the supervisory authority;
4.2.7.4 the security of Your Data, including by implementing the technical and organizational security measures detailed in Your Agreements with Ethnio;
4.2.8 if Ethnio is required by law to process Your Data, take reasonable steps to inform You of this requirement in advance of any processing, unless Ethnio is prohibited from informing You on grounds of important public interest; and
4.2.9 upon reasonable request, make available to You information necessary to demonstrate compliance with the obligations in this Clause 4.
4.3 Ethnio shall, upon Your request (not to exceed one request per calendar year) by email to info@ethn.io, certify compliance with Sections 4-6 of this Processor DPA in writing. Ethnio will provide, upon request, to any customer, a Standard Reporti on Controls at a Service Organization, view our data hosting partner. If a Report does not provide, in Your reasonable judgment, sufficient information to confirm Ethnio’s compliance with the terms of this Processor DPA, then You or an accredited third-party audit firm agreed to by both You and Ethnio may audit Ethnio’s compliance with the terms of this Processor DPA during regular business hours in a manner that is not disruptive to Ethnio’s business, upon reasonable advance notice to Ethnio of no less than 60 days and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Ethnio expends for any such audit, in addition to the rates for support services performed by Ethnio and any expenses incurred by Ethnio in complying with this Clause 4.3 and Clause 4.2.7. Before the commencement of any such audit, You and Ethnio shall mutually agree upon the timing, duration and scope of the audit, which shall not involve physical access to the servers from which the data processing services are provided. You shall promptly notify Ethnio of information regarding any non-compliance discovered during the course of an audit. You may not audit Ethnio more than once annually.
4.4 Further to the provisions of Privacy Shield, Ethnio, Inc. agrees that it will provide any EU Personal Data with at least the same level of protection as required under the Privacy Shield Principles, as described here: www.privacyshield.gov/EU-US-Framework.
5. Transfer, Disclosure and Third Parties
5.1 You acknowledge and agree that (a) Ethnio’s affiliates may be retained as sub-processors and (b) Ethnio and Ethnio’s affiliates may engage third parties in connection with the provision of the data processing services. Ethnio or a Ethnio affiliate shall enter into contractual arrangements with such sub-processors requiring them to guarantee a similar level of data protection compliance and information security to that provided for herein. For the purposes of this Clause 5, You hereby authorise Ethnio to engage sub-processors required to assist Ethnio for the purposes of providing the data processing services.
5.2 A current list of sub-processors for the data processing services is accessible via ethn.io/legal. We will provide reasonable notice to You before we engage a new sub-processor of Your Data, including the date on which the new sub-processor will begin processing Your Data (the “Sub-Processor Effective Date”). You may object to Ethnio’s engagement of a new sub-processor by ceasing to use the applicable product, program or feature prior to the Sub-Processor Effective Date. Your continued use of the applicable product, program or feature on or after the Sub-Processor Effective Date constitutes your acceptance of the new sub-processor.
6. Post-termination obligations
You and Ethnio agree that on the termination of the data processing services, Ethnio and any sub-processors shall, subject to the limitations described in any relevant Agreements, return all of Your Data and copies of such data to You or securely destroy them and demonstrate to Your satisfaction that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Your Data. In such case, Ethnio or sub-processor agree to preserve the confidentiality of Your Data retained by it and that it will only actively process Your Data after such date in order to comply with the laws to which it is subject.
7. Governing law and jurisdiction
This Processor DPA and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of the United States.
The parties to this Processor DPA irrevocably agree that the courts of Ireland shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Processor DPA or its subject matter or formation (including non-contractual disputes or claims).
8. Conflicts
In the event of any conflict between the terms of this Processor DPA and any other terms between You and Ethnio, including but not limited to the terms of any Agreements, the terms in this Processor DPA will prevail.