Data Processing Addendum
THIS ADDENDUM is made on May 24, 2018 between:
DASHEROO, incorporated under the laws of Utah, whose registered office is at 3300 Ashton Blvd Suite 210, Lehi, UT 84043 (“Supplier”); and
together the “parties”.
(A) Supplier and the Customer have entered into an agreement (or agreements) for the provision by Supplier to the Customer of certain services including data visualization and analytics presentation (the “Agreement”); and
(B) Supplier and the Customer have agreed to enter into this Addendum to the Agreement in relation to data processing.
IT IS NOW AGREED AS FOLLOWS:
1. DEFINITIONS AND INTERPRETATION
1.1. The parties agree that this Addendum will be incorporated as an addendum to the Agreement. To the extent of any conflict between this Addendum and the remaining sections of the Agreement, this Addendum will prevail.
1.2. In this Addendum, the following words and expressions will have the following meanings:
“Addendum” shall mean this addendum, including its appendix;
“Agreement” shall have the meaning given in recital (A) above;
“Customer Personal Data” shall mean all personal data controlled by the Customer which is processed by Supplier in connection with the Services;
“Data Protection Legislation” shall mean all applicable laws relating to data protection and privacy including (without limitation) the EU Data Protection Directive (95/46/EC) as implemented in each jurisdiction, the EU General Data Protection Regulation (2016/679) (“GDPR”), the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, and any amending or replacement legislation from time to time; 30923841
“Services” shall mean the services provided by Supplier to the Customer pursuant to the Agreement.
1.3. In this Addendum, the terms "personal data", "process", “data controller”, “data processor” and "data subject" shall have the meanings set out in the Data Protection Legislation.
2. NATURE OF THE DATA
2.1. The categories of Customer Personal Data to be processed by Supplier and the processing activities to be performed under this Addendum are set out in Appendix 1.
2.2. The parties record their intention that the Customer shall be the data controller and Supplier shall be a data processor and in relation to all Customer Personal Data.
3. OBLIGATIONS OF THE CUSTOMER
3.1. The Customer shall comply with its obligations under the Data Protection Legislation in respect of Customer Personal Data, and shall ensure that its instructions and disclosures of Customer Personal Data to Supplier are lawful.
3.2. The Customer acknowledges that Supplier is entitled to rely on the Customer’s instructions in respect of the processing of Customer Personal Data.
3.3. The Customer agrees that it is solely responsible for determining whether the technical and organizational security measures adopted by Supplier in accordance with clause 4.1.3 are appropriate, taking into account the nature, scope, context and purposes of the processing.
4. OBLIGATIONS OF SUPPLIER
4.1. Subject at all times to Supplier’s obligations under the Agreement, Supplier undertakes to:
4.1.1. only process Customer Personal Data for and on behalf of the Customer, in accordance with the instructions set out under the Agreement or as otherwise given by the Customer from time to time. Supplier shall notify the Customer if it is required, by applicable law, to process Customer Personal Data other than in accordance with those instructions, and shall inform the Customer of the relevant legal requirement before undertaking such processing (unless the relevant legal requirement prohibits the provision of such information on important grounds of public interest);
4.1.2. ensure that those of its personnel who are involved in processing Customer Personal Data are bound by appropriate obligations of confidentiality;
4.1.3. implement appropriate technical and organizational measures to protect any Customer Personal Data processed by it against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration;
4.1.4. taking into account the nature of the processing and the information available to Supplier, provide reasonable assistance to the Customer in ensuring compliance with its obligations under the Data Protection Legislation in relation to security, data breach notification, data protection impact assessments and prior consultation with a supervisory authority, where applicable from time to time;
4.1.5. make available to the Customer (or its third party appointees bound by appropriate obligations of confidentiality) such records as the Customer may reasonably require to demonstrate compliance by Supplier with its obligations under this Addendum; and
4.2. Supplier shall notify the Customer promptly, and in any event within seven (7) days, if it receives:
4.2.1. a request from a data subject to have access to his/her Customer Personal Data; or
4.2.2. a complaint or request relating to the Customer’s obligations under the Data Protection Legislation.
4.3. Nothing in this Addendum shall prevent either party from complying with any legal obligation imposed by a regulator or court. Each party shall however, where possible, discuss with the other party the appropriate response to any request from a regulator or court for disclosure of information.
5.1. The Customer agrees that the Supplier may subcontract the processing of the Customer Personal Data to any associated company of the Supplier and/or any sub-contractor (a “Sub-processor”). The Supplier shall ensure Sub-processors are subject to contractual obligations which provide the same standard of protection for Customer Personal Data as those imposed on the Supplier under this Addendum. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of any Subprocessor within a reasonable time prior to implementation of such change. In the event the Customer objects to such a change, the parties will work together in good faith to resolve such objection. The Supplier shall be responsible for the performance of its Sub-processors.
6. TERM AND TERMINATION
6.1. This Addendum shall commence on the date stated at the top of it and shall continue in full force and effect until the later of:
6.1.1. the termination or expiration of the Agreement; or
6.1.2. the termination of the last of the Services to be performed pursuant to the Agreement.
6.2. Upon termination of this Addendum, the Customer shall have ten (10) days to request the return of the Customer Personal Data, after which period Supplier will destroy all Customer Personal Data in its possession, unless required to retain such Customer Personal Data under any applicable Law.
APPENDIX 1: Description of Data Processing
The data processing activities carried out by Supplier under this Addendum are as follows:
Description of Services:
Dasheroo is an application that enables Customers to visualize their business data on a centralized dashboard to track KPIs and performance over time.
Subject-matter of Processing:
Dasheroo processes certain Customer Personal Information on behalf of its Customers in relation to the display of their data on a dashboard and tracking trends over time. The content of the Customer Personal Information is determined by its Customers, the data controllers, who connect their different third party data sources into Dasheroo.
Duration of Processing:
For the duration of the Services to which this Addendum relates.
Nature and purpose of Processing:
To enable Dasheroo to provide the Customer with certain Services in relation to metrics and statistics they are viewing on their dashboard in accordance with the Terms.
Type of Personal Data:
Customer Personal Information relating to Customers and provisioned end users of the Services which is uploaded by such Customers or provisioned end users and/or otherwise collected by or on behalf of the Customer or provisioned end user as a result of use of the Services. Dasheroo also collects information about visitors to it web properties. The collected information may include without limitation, data pulled into Dasheroo, personal contact information, demographic information, location information, profile data, unique IDs, passwords, usage activity, transaction history, and online behavior.
Categories of Data Subjects:
Dasheroo’s Customers and their provisioned users of its Services, as well as visitors to Dasheroo’s web properties.