Data Processing Agreement
This Data Processor Agreement (DPA) constitutes Gluu’s (the “Processor”) and Customer’s (the “Controller”) obligations regarding data processing and is a part of the Agreement.
Appendices to the Processor Agreement
1. Background and Purpose
The Parties have agreed to the provision of certain services from the Processor to the Controller, as described in more detail in the Parties’ separate agreement to this effect and appendix 1 to this agreement (the “Primary Services”).
In this connection, the Processor processes personal data on behalf of the Controller, and for that purpose, the Parties have entered into this agreement and underlying appendices (the “Processor Agreement”)
The purpose of the Processor Agreement is to ensure that the Processor complies with the personal data regulations in force from time to time, including in particular:
the Danish Act on Processing of Personal Data (Act 2000-05-31 no. 429, as amended)
and the Danish Executive Order on Security Measures for Protection of Personal Data (Executive Order 2000-06-15 no. 528, as amended)
the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016) when this takes effect.
The Processor is authorised to process personal data on behalf of the Controller on the terms and conditions set out in the Processor Agreement.
The Processor may only process personal data subject to documented instructions from the Controller (“Instructions”). This Processor Agreement, including appendices, constitutes the Instructions at the date of signature.
The Instructions may be changed or concretised at any time by the Controller. Regardless of the above, clause 14 of this Processor Agreement may only be changed subject to agreement between the Parties.
Unless otherwise specified in the Processor Agreement, the Processor may use all relevant technical aids, including IT systems.
Regardless of the termination of the Processor Agreement, clause 14 of the agreement regarding confidentiality as well as clauses 12, 14, 4 and 16 will remain in force after termination of the Processor Agreement.
The Processor Agreement applies until either (a) termination of the agreement(s) on the provision of the Primary Services or (b) termination of the Processor Agreement.
4. Processor’s obligations
4.1 Technical and organisational security measures
The Processor is responsible for implementing necessary (a) technical and (b) organisational measures to ensure an appropriate security level. The measures must be implemented with due regard to the current state of the art, costs of implementation and the nature, scope, context and purposes of the processing and the risk of varying likelihood and severity to the rights and freedoms of natural persons. The Processor shall take the category of personal data described in Appendix 1 into consideration in the determination of such measures.
Notwithstanding clause 1.1, the Processor shall implement the technical and organisational security measures as specified in (a) Appendix 2 to this Processor Agreement and (b) the agreement(s) on the provision of the Primary Services.
The Processor shall implement the suitable technical and organisational measures in such a manner that the processing by the Processor of personal data meets the requirements of the personal data regulation in force from time to time.
The Parties agree that the provided safeguards as specified in appendix 2 are adequate at the date of conclusion of this Processor Agreement.
4.2 Employee conditions
The Processor shall ensure that employees who process personal data for the Processor have undertaken to observe confidentiality or are subject to an appropriate statutory duty of confidentiality.
The Processor shall ensure that access to the personal data is limited to those employees for whom it is necessary to process personal data in order to meet their obligations to the Controller.
The Processor shall ensure that employees processing personal data for the Processor only process such data in accordance with the Instructions.
4.3 Documentation for compliance with obligations
Upon written request, the Processor shall document to the Controller that the Processor:
- meets its obligations under this Processor Agreement and the Instructions.
- meets the provisions of the personal data regulation in force from time to time, in respect of the personal data processed on behalf of the Controller.
- The Processor’s documentation must be provided within a reasonable time.
- The specific content of the obligations under clause 3.1 is described in Appendix 3 to this Processor Agreement.
4.4 Security Breach
The Processor shall notify the Controller of any personal data breach which may potentially lead to accidental or unlawful destruction, alteration, unauthorised disclosure of, or access to, personal data processed for the Controller (“Security Breach”).
Security Breaches must be reported to the Controller without undue delay.
The Processor shall maintain a record of all Security Breaches. The record must as a minimum document the following:
- the actual circumstances of the Security Breach;
- the effects of the Security Breach; and
- the remedial measures that are taken.
- Upon written request, the record must be made available to the Controller or the supervisory authorities.
The Processor shall to the necessary and reasonable extent assist the Controller in the performance of its obligations in the processing of the personal data covered by this Processor Agreement, including in connection with:
- responses to data subjects on the exercise of their rights;
- Security Breaches;
- impact assessments; and
- prior consultation with the supervisory authorities.
- In this connection, the Processor shall obtain the information to be included in a notification to the supervisory authority provided that the Processor is best suited to do so.
- Finally, the Processor shall assist with the tasks specified in appendix 4.
- The Processor is entitled to payment for time spent and materials consumed for assistance pursuant to this clause 6 unless otherwise specified in Appendix 3.
5. Controller’s obligations
The obligations of the Controller are set out in Appendix 5.
The Processor may only use a third party for the processing of personal data for the Controller (“Sub-Processor”) provided that it is specified in:
- appendix 6 to this Processor Agreement; or
- Instructions from the Controller.
- The Processor and the Sub-Processor shall conclude a written agreement imposing the same data protection obligations on the Sub-Processor as those of the Processor (including in pursuance of this Processor Agreement).
- Upon written request, the Controller must receive all agreements concluded with any Sub-Processors.
- Moreover, the Sub-Processor also acts only under the Instructions of the Controller. All communication with the Sub-Processor is handled by the Processor, unless otherwise specifically agreed. Any changed or concretised Instructions from the Controller must immediately be passed on by the Processor to the Sub-Processor.
- The Processor is directly responsible for the Sub-Processor’s processing of personal data in the same manner as had the processing being carried out by the Processor.
7. Transfer to third countries and international organisations
The Processor may only transfer personal data to third countries or international organisations to the extent specified in:
- appendix 7 to this Processor Agreement; or
- Instructions from the Controller.
- In any case, personal data may only be transferred to the extent permitted under the personal data regulation in force from time to time.
- If personal data are transferred to a third country, the Controller shall assist the Processor free of charge in connection with the conclusion of necessary agreements, or the Controller shall authorise the Processor to conclude the required agreements on behalf of the Controller.
8. Data processing outside the scope of the Instructions
The Processor may process personal data outside the scope of the Instructions in cases where required by EU law or national law to which the Processor is subject.
shall notify the Controller of the reason. The notification must be made before processing is carried out and must include a reference to the legal requirements forming the basis of the processing.
Notification should not be made if such notification would be contrary to EU law or national law.
9. Fees and Costs
The Parties are only entitled to payment for the performance of this Processor Agreement if specifically specified herein or in the agreement(s) on the delivery of the Primary Services.
Regardless of the above requirements, a Party is not entitled to payment for assistance or implementation of changes to the extent that such assistance or change is a direct consequence of the Parties’ breach of this Processor Agreement.
10. CHANGE of Instructions
Before any changes are made to the Instructions, the Parties shall to the widest possible extent discuss and, if possible agree on, the implementation of the changes, including time and costs of implementation.
Unless otherwise agreed, the following applies:
- The Processor shall, without undue delay, execute implementation of changes to the Instructions and ensure that such changes are implemented without undue delay in relation to the nature and scope of the change.
- The Processor is entitled to payment of all costs directly related to changes to the Instructions, including costs of implementation and increased costs for the delivery of the Primary Services.
- An indicative estimate of the time and cost of implementation must be communicated to the Controller without undue delay.
- The changes to the Instructions are only considered to apply once the changes have been implemented, provided that the implementation is carried out in accordance with this clause 2 and unless the Controller explicitly communicates a deviation from this clause.
- Processors are exempt from liability for failure to deliver the Primary Services if (including in terms of time) delivery of the Primary Services would be contrary to the changed Instructions or delivery in accordance with the changed Instructions is not possible. This may be the case (i) where the changes cannot be technical, practically or legally implemented, (ii) where the Controller explicitly communicates that the changes have to apply before implementation is possible or (iii) during the period until the parties have made any necessary changes to the agreement(s) in accordance with the change procedures herein.
The regulation of breach of the agreement(s) on the delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on the delivery of the Primary Services, the general remedies for breach laid down in applicable law will apply to this Processor Agreement.
12. Liability and limitation of liability
The regulation of liability and limitation of liability in the agreement(s) on the delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on the delivery of the Primary Services, the provisions in this clause 12 will apply to this Processor Agreement.
The Parties are liable according to the general rules of applicable law, subject, however, to the limitations set out in this section.
The Parties disclaim any liability for indirect losses and consequential losses, including loss of profits, loss of goodwill, loss of savings and revenue, including expenses to recover lost revenue, interest loss and loss of data.
The Parties’ liability for all cumulative claims under this Processor Agreement is limited to the total amounts due for the Primary Services for the 12-month period immediately preceding the wrongful act. If the Processor Agreement has not been in force for 12 months, the amount is calculated as the agreed payment for the Primary Services for the period during which the Processor Agreement has been in force divided by the number of months for which the Processor Agreement has been in force and then multiplied by 12.
The following are not covered by the limitation of liability in this clause 12:
- Loss as a result of the other Party’s grossly negligent or intentional acts.
Expenses and resource consumption in connection with the performance of a Party’s obligations in relation to a supervisory authority or the data subject, including compensation to a data subject, to the extent that these are caused by a breach by the other Party.
13. Force Majeure
The regulation of force majeure in the agreement(s) on the delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on the delivery of the Primary Services, the provisions in this clause 13 will apply to this Processor Agreement.
The Processor cannot be held liable for situations normally referred to as force majeure, including, but not limited to, war, riots, terrorism, insurrection, strike, fire, natural disasters, currency restrictions, import or export restrictions, interruption of traffic, interruption or failure of energy supply, public data systems and communication systems, long-term illness of key staff, virus and occurrence of force majeure at subcontractors.
Force majeure may only be asserted for the number of working days for which the force majeure situation lasts.
The regulation of confidentiality in the agreement(s) on the delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on the delivery of the Primary Services, the provisions in this clause 14 will apply to this Processor Agreement.
Information regarding the content of this Processor Agreement, the underlying Primary Services or the other Party’s business which is either, in connection with the disclosure to the receiving Party, designated as confidential information, or which, by its nature or otherwise, should be considered as confidential, must be treated as confidential and subject to at least the same degree of care and discretion as the Party’s own confidential information. Data, including personal data, are always confidential information.
However, the duty of confidentiality does not apply to information which is or becomes publicly available without this being the result of a breach of a Party’s duty of confidentiality, or information which is already in the possession of the receiving Party without any similar duty of confidentiality or information which is developed independently by the receiving Party.
15.1 Termination for cause or breach
The Processor Agreement may only be terminated according to the provisions on termination in the agreement(s) on the delivery of the Primary Services.
Termination of this Processor Agreement is subject to – and allows for – simultaneous termination of the parts of the agreement(s) on the delivery of the Primary Services that concern personal data processing pursuant to the Processor Agreement.
15.2 Effects of termination
The Processor’s authority to process personal data on behalf of the Controller lapses on termination of the Processor Agreement for whatever reason.
The Processor may continue to process personal data for up to three months after the termination of the Processor Agreement to the extent that this is necessary to take the required statutory measures. During the same period, the Processor is entitled to let the personal data be included in the Processor’s usual backup procedure. The processing by the Processor during this period is assumed to comply with the Instructions.
The Processor and any Sub-Processors shall return all personal data processed by the Processor under this Processor Agreement to the Controller on termination of the Processor Agreement, provided that the Controller is not already in possession of the personal data. The Processor is then obliged to delete all personal data from the Controller. The Controller may request adequate information for such deletion.
16. Dispute resolution
The regulation of dispute resolution, including governing law and venue, in the agreement(s) on the delivery of the Primary Services also applies to this Processor Agreement as were this Processor Agreement an integral part thereof. If this is not considered in the agreement(s) on the delivery of the Primary Services, the provisions in this clause 16 will apply to this Processor Agreement.
The Processor Agreement is subject to Danish law with the exception of (a) rules leading to the use of law other than Danish law and (b) the UN Convention on Contracts for the International Sale of Goods (CISG).
Should any dispute arise in connection with the Processor Agreement or its performance, the Parties shall in a positive, cooperative and responsible spirit seek to initiate negotiations for the purpose of settling the dispute. If necessary, attempts must be made to transfer negotiations to executive level in the Parties’ respective organisations.
If the Parties are unable to solve the dispute by negotiation, the Parties are entitled to demand that the dispute is finally settled by the ordinary courts of law. The court in Copenhagen has been selected as the venue. However, the referral arrangements of the Danish Administration of Justice Act to the High Court and the Maritime and Commercial Court still apply.
In the event of any discrepancies between this Processor Agreement and the agreement(s) on the delivery of the Primary Services, this Processor Agreement takes precedence, unless otherwise directly specified in the Processor Agreement.
1. Primary Service
The Primary Service consists of the following: An online platform that allows customers and their employees to Understand, Execute and Improve business processes.
2. Personal data
Types of personal data processed in connection with the delivery of the Primary Service:
- General personal data, including Full name, Email (work), Title, Profile Picture, Team/Department.
- Service data for delivery of the Primary Service, including Change metadata (date/time and the user who updated content or completed tasks, comments left to activities by the user and Access Log.
DOCUMENTATION FOR COMPLIANCE WITH OBLIGATIONS
As part of the Processor’s demonstration to the Controller of compliance with its obligations according to clause 4.3 of the Processor Agreement, the following points must be completed and observed.
1. General documentation to the Controller
Upon written request, the Processor is obliged to submit the following general documentation to the Controller:
- A declaration from the Processor’s management specifying that, during the processing of personal data on behalf of the Controller, the Processor continuously ensures compliance with its obligations under this Processor Agreement.
- A description of the practical measures, both technical and organisational, implemented by the Processor to ensure compliance with its obligations under the Processor Agreement. The description may include a presentation of established and implemented management systems for information security and for processing of personal data as well as a description of other initiatives taken. As part thereof, the Processor is also obliged to participate in follow-up meetings with the Controller.
- A description of the control measures taken and implemented by the Processor for measurement and control of the effect of the established management system for information security and processing of personal data and performance measurements thereof.
The general documentation must be provided no later than ten working days after the Controller has made its written request to the Processor, unless otherwise specifically agreed. The Processor shall prepare documentation for its own account.
2. Physical meeting at the Processor’s premises
Upon request, the Processor shall participate in a physical meeting at the premises of the Processor or the Controller. At the meeting, the Processor must be able to give an account of compliance and how compliance is ensured. A request for a meeting must be made subject to at least 45 days’ notice.
Upon written request, the Processor shall contribute to and give access to audit.
The audit must be conducted by an independent third party selected by the Controller and approved by the Processor. The Processor may not reject a suggested third party without reasonable cause. The independent third party must accept a general confidentiality agreement with the Processor. A request for audit must be made subject to at least 10 days’ notice.
The Processor is entitled to payment for time spent and materials consumed for assistance pursuant to this clause 4 unless otherwise specified in Appendix 3.
4. Other conditions
The above points should not be considered exhaustive, and the Processor, therefore, undertakes to take any such actions and measures as are necessary for the demonstration of the Processor’s obligation under clause 4 of the Processor Agreement.
The Processor is not obliged to follow a request from the Controller according to this appendix 3 if the request is in violation of the personal data regulation. The Processor shall notify the Controller if the Processor finds that this is the case.
The Controller has the following obligations
- To ensure that the personal data are up-to-date
- To ensure that any content inside Gluu is lawful in relation to the personal data regulation in force from time to time.
- That instructions given to own personnel and suppliers are appropriate in relation to this Processor Agreement and the Primary Service.
The Controller hereby approves that the Processor uses the following Sub-Processors:
- Microsoft Data Center-South County Business Park, One Microsoft Place, Carmanhall and Leopardstown, Dublin, D18 P521, Ireland
- Intercom – 3rd Floor, Stephens Ct. 18-21 St. Stephen’s Green, Dublin 2, Ireland
- Google – Barrow St, Dublin 4, Ireland
- Zapier Inc – 243 Buena Vista Avenue, Suite 508, Sunnyvale, CA 94086, United States
- Stripe inc – 185 Berry Street, Suite 550, San Francisco, CA 94107, USA
- Sendgrid Inc – 1801 California Street, Denver, CO 80202, USA
- MailChimp / Mandrill – 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308 USA
- Pipedrive OÜ, Paldiski mnt 80, Tallinn 10617, Estonia
The Processor may use a Sub-Processor without prior specific written approval from the Controller. The Processor may only withhold such approval if specifically and reasonably justifiable.
The Processor is allowed to make objections to such a Sub-Processor if reasonably justifiable.
TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANISATIONS
Personal data may not be subjected to processing by the Processor or a Sub-Processor in a country outside the European Union or EEA (a “Third Country”) or an international organisation unless specifically permitted by the Controller.
The Processor shall notify the Controller of the transfer before it takes place.