Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the service agreement(s) (“Agreement”) between Blueshift Labs, Inc. (“Vendor”) and [Customer] (“Company”) dated [date]. This DPA supplements and amends, as necessary, the Agreement. If the provisions of this DPA and the Agreement conflict, then the provisions of this DPA shall control. Unless otherwise defined herein, all capitalized terms used herein shall have the meanings assigned to such terms in the Agreement.
NOW, THEREFORE, in consideration of the following as set forth in this DPA, the parties hereby agree as follows:
1.1 “Agreement Personal Data” means any information that identifies, relates to, describes, references, is reasonably capable of being associated with, or can reasonably be linked, directly or indirectly, to an individual or household (“Data Subject”) which is processed by Vendor for the purposes of performing its obligations under the Agreement.
1.2 “Data Privacy Legislation” means all laws and regulations, in any country of the world, which protect the privacy rights of individuals, in so far as those laws and regulations apply to the Processing of Agreement Personal Data in connection with this DPA.
1.3 “Personal Data Security Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, access to, acquisition of or use of any Agreement Personal Data.
1.4 “Processing” means any operation or set of operations which is performed upon Agreement Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
2. DATA PRIVACY
2.1 Comply with Data Privacy Legislation, and use all reasonable endeavors to assist Company in its own compliance with Data Privacy Legislation, in connection with this DPA.
2.2 Only process the Agreement Personal Data in accordance with Company’s documented instructions, unless otherwise required by law. In particular, Vendor shall not (i) sell the Agreement Personal Data or share the Agreement Personal Data with any third parties without Company’s permission; (ii) retain, use or disclose the Agreement Personal Data for any purpose other than the purposes specified in the Agreement, including retaining, using or disclosing the Agreement Personal Data for a commercial purpose other than to provide Vendor’s services to Company; and (iii) retain, use or disclose the Agreement Personal Data outside of Vendor’s business relationship with Company.
2.3 Vendor hereby certifies that it understands the requirements of Section 2.2 and agrees to comply with them.
2.4 Not disclose the Agreement Personal Data to any other body (including any subprocessor) without Company’s express agreement in writing.
2.5 In the event Vendor receives a Data Subject’s request regarding the Data Subject’s Agreement Personal Data processed by Vendor (each a “Data Subject Request”), it shall forward such Data Subject Request to Company without delay and in any event no later than within forty-eight (48) hours from receipt.
2.6 Comply with all reasonable requests or directions by Company to enable it to verify and/or procure that Vendor is in full compliance with its obligations under this DPA.
2.7 Upon termination of its provision of services, delete or return all Agreement Personal Data to Company and delete any existing copies of the Agreement Personal Data, save where applicable law requires Vendor to retain copies of such data. Vendor shall provide written certification that it and each of its subprocessors have fully complied with this section within sixty (60) days of the termination of the provision of services.
Company acknowledges and agrees that Vendor may (1) engage the Authorized Subprocessors listed in Exhibit A to this Addendum to access and Process Personal Data in connection with the Services and (2) from time to time engage additional Subprocessors for the purpose of providing the Services, including without limitation the Processing of Personal Data. Vendor shall ensure that each Subprocessor is subject to a written agreement which imposes on the subprocessor materially the same obligations that are imposed on Vendor under this DPA. Vendor shall remain liable to Company for all acts and/or omissions of any Subprocessor to the same extent as if the acts and/or omissions were performed by Vendor.
4.1 At a minimum, implement and maintain reasonable technical and organizational measures to ensure the security and protection of Agreement Personal Data, taking into account the nature and sensitivity of the information to be protected, the risk presented by Processing, the state of the art, and the costs of implementation, in compliance with applicable Data Privacy Legislation.
4.2 Immediately notify Company if Vendor knows, discovers or reasonably believes that there has been any Personal Data Security Breach.
4.3 Upon becoming aware, or upon reasonable suspicion, of a Personal Data Security Breach, (i) immediately investigate, correct, mitigate, remediate and otherwise handle the Personal Data Security Breach, including without limitation, by identifying the Agreement Personal Data affected by the Personal Data Security Breach and taking sufficient steps to prevent the continuation and recurrence of the Personal Data Security Breach; and (ii) provide information and assistance needed to enable Company to evaluate the Personal Data Security Breach and, as applicable, to comply with any obligations to provide timely notice to affected individuals or information about the Personal Data Security Breach to relevant regulators.
4.4 Reimburse Company for the reasonable expenses that Company may incur as a result of such Personal Data Security Breach caused by Vendor’s acts or omissions or those of any of Vendor’s authorized subprocessors, including but not limited to, the expenses incurred in investigating the Personal Data Security Breach and notifying affected individuals, and providing these individuals with the support necessary under the circumstances, such as credit monitoring.
Notwithstanding anything to the contrary in the Agreement, Vendor’s total aggregate liability, including any liability for subprocessors, under or in connection with this DPA, shall not exceed twice the annual subscription fees paid or payable by Company under the Agreement when such liability first arose.
IN WITNESS WHEREOF, this DPA is entered into and becomes a binding part of the Agreement with effect from [Insert Date].
Blueshift Labs, Inc.
EXHIBIT A Authorized Subprocessors
Controller acknowledges and agrees that the following entities shall be deemed Authorized Subprocessors that may Process Personal Data pursuant to this Addendum:
Amazon Web Services, Inc.
BSFT Labs India Pvt Ltd.
Google, Inc.
Message Systems, Inc. (DBA Sparkpost)
Mailgun Technologies, Inc.