This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with CyLogic/CyDrive’s Services under the Terms and Conditions between you and us (also referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement as specified in the Agreement.
We may update the terms of the DPA from time to time. If you have an active CyDrive subscription, we will let you know when we do via email or via in-app notification.
1.1. This Data Processing Agreement applies to the processing of personal data subject to EU Data Protection Law for the Services to be provided by Data Controller.
1.2. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
2.1. Terms used in this Data Processing Agreement that have meanings ascribed to them in EU Data Protection Law, including but not limited to “Processing”, “personal data”, “Data Controller” and “Processor”, shall carry the meanings set forth under EU Data Protection Law (the “GDPR”).
2.2. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.
2.3. “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case, as amended, repealed, consolidated or replaced from time to time.
2.4. “data subject” means the individual to whom Personal Data relates.
2.5. "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
2.6. “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
2.7. "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
2.8. “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
2.9. "Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.
2.10. “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
2.11. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
2.12. "Privacy Shield" means the EU-U.S. and Swiss-U.S. Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July 12, 2016, and by the Swiss Federal Council on January 11, 2017, respectively; as may be amended, superseded or replaced.
2.13. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
2.14. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller.
2.15. “Sub-Processor” means any Processor engaged by us or our affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any HubSpot employee or consultant.
3.1. Insofar as the Data Processor will be processing Personal Data subject to EU Data Protection Law in the course of the performance of the Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply.
3.2. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control.
3.3. Subject to the provisions of the Agreement, to the extent that the Data Processor’s data processing activities are not adequately described in the Agreement, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as set forth in the Data Controller’s written instructions, and no Personal Data will be processed unless explicitly instructed by the Controller.
3.4. The Data Processor will only process the Personal Data to the extent that this is required for the provision of the Services. Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before undertaking such processing. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller's documented instructions. The Data Processor shall immediately notify the Data Controller if, in its opinion, any instruction infringes this Regulation or other Union or Member State data protection provisions. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.
3.5. The Parties have entered into an Agreement in order to benefit from the capabilities of the Processor in securing and processing the Personal Data. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Data Controller’s written instructions.
3.6. The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the Processing. To the extent required by EU Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and, unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing the Data Controller’s instruction with respect to the processing of that Personal Data.
4.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/ or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk.
5.2. Both parties shall maintain all necessary written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include the assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing.
5.3. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Article 5 and shall allow the Data Controller to audit and test such measures. Unless otherwise required by the supervisory authority of competent jurisdiction, the Data Controller shall be entitled, on giving at least 30 days’ notice to the Data Processor, to carry out, or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor’s premises and operations as these relate to the Personal Data. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Data Processor shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor’s compliance with this Data Processing Agreement, and/or to ascertain the Data Processor’s compliance with any approved code of conduct or approved certification mechanism referenced in Article 5.4.
5.4. The Data Processor’s adherence to either an approved code of conduct or to an approved certification mechanism recognized under EU Data Protection Law may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Article 5.1.
6.1. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 5 on an ongoing basis in order to maintain compliance with the requirements set out in Article 5. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in EU Data Protection Law or by the data protection authority of competent jurisdiction.
6.2. Where an amendment to the Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in EU Data Protection Law from time to time, the Parties shall negotiate an amendment to the Agreement in good faith.
7.1. The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorization from the Data Controller, which may be refused at its own discretion. Annexe 4 provides a list of transfers for which the Data Controller grants its authorization upon the conclusion of this DPA.
7.2. To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
8.1. When the data processor becomes aware of an incident that has a material impact on the processing of the Personal Data that is the subject of the Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
8.2. The term “incident” used in Article 8.1 shall be understood to mean in any case: (a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; (b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; (c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; (d) any breach of the security and/or confidentiality as set out in Articles 4 and 5 of this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such a breach having taken place or being about to take place; (e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
8.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident.
8.4. Any notifications made to the Data Controller pursuant to this Article 8 shall be made by sending an email to legal@CyLogic.com (executive) of the Data Controller whose contact details are provided below and, in order to assist the Data Controller in fulfilling its obligations under EU Data Protection Law, should contain: (a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained; (c) a description of the likely consequences of the incident; and (d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
9.1. The data processor shall not subcontract any of its Service-related activities consisting (partly) of the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written authorization of the Data Controller.
9.2. The Data Controller authorizes the Data Processor to engage sub-processors for the Service-related Data Processing activities. The Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors, giving the Data Controller an opportunity to object to such changes. If the Data Controller timely sends the Processor a written objection notice, setting forth the reasonable basis for the objection, the Parties will make a good-faith effort to resolve the Data Controller’s objection. In the absence of a resolution, the Data Processor will make commercially reasonable efforts to provide the Data Controller with the same level of service described in the Agreement, without using the sub-processor to process the Data Controller’s Personal Data. If the Data Processor’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the sub-processor, and the Data Controller will be entitled to a pro-rated refund of the applicable service fees.
9.3. Notwithstanding any authorization by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfil its data protection obligations.
9.4. The Data Processor shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this DPA, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of EU Data Protection Law.
9.5. The Data Controller may request that the Data Processor audit a Third-Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist the customer in obtaining a third-party audit report concerning the Third-Party Sub-processor’s operations) to ensure compliance with its obligations imposed by the Data Processor in conformity with this DPA.
10.1. Upon termination of this DPA, upon the Data Controller’s written request, or upon fulfilment of all purposes agreed in the context of the Services whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy or return all Personal Data to the data Controller and destroy or return any existing copies.
10.2. The data processor shall notify all third parties supporting its own processing of the personal data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the data controller.
11.1. The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under EU Data Protection Law.
11.2. Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 5 (Security), as well as other Data Controller obligations under EU Data Protection Law that are relevant to the Data Processing, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.
11.3. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
12.1. The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third-party claims, losses, damages and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement and/or EU Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third-party claims, losses, damages and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement and/or EU Data Protection Law by the Data Controller.
13.1. This DPA shall come into effect on the effective date of the Agreement.
13.2. Termination or expiration of this DPA shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 4.
13.3. The Data Processor shall process Personal Data until the date of expiration or termination of the Agreement between the parties, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on the instruction of the Data Controller.
14.1. In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
14.2. This Data Processing Agreement is governed by the laws of [Country]. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of [Jurisdiction].