Last Modified: Feb 10, 2021
This Data Processing Agreement (“Agreement“) forms part of the Contract for Services (“Principal Agreement“) between between the following parties: The Client ("Controller") and The Next Path Software Consulting Inc. (the “Data Processor”) (together as the “Parties”).
(A) The Company acts as a Data Controller.
(B) The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement and all Schedules;
1.1.2"Company Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
1.1.3 "Contracted Processor" means a Subprocessor;
1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to th extent applicable, the data protection or privacy laws of Canada;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Data Transfer" means:
1.1.8.1 a transfer of Company Personal Data from the Company to a Contracted Processor; or
1.1.8.2 an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the Online Group Chat and other services the Company provides.
1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
1.2 The Terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
The data processor shall only store, copy or use company Data, including email addresses, telephone numbers and names of Users, ip address, Geo Location data, log in information etc to the extent necessary to perform its obligations under the Agreement and/or for maintenance. The data processor does not have any control over the purposes and means of the processing of personal data. Nothing in the Agreement is intended to transfer control over personal data to The data processor in any way. The data processor shall inform company with undue delay if, in its opinion, an instruction given by company in writing to us at email compliance@deadsimplechat.com infringes any applicable privacy regulation.1.3. If the company processes personal data, it will only process general personal data. In no circumstance will the data processor accept any responsibility or liability for the processing of sensitive personal data.
1.4. The data processor shall take appropriate technical and organizational measures to ensure an appropriate level of security to protect personal data on the data processor Services against destruction, loss, alteration, unauthorized disclosure or access. In determining the measures to be taken, the data processor shall take account of the state of the art and the implementation costs as well as of the nature, scope, context and purposes of the processing operation concerned and the various risks, in terms of probability and severity, for the risks and freedoms of individuals.
1.5 At the first request of the company, the data processor may cooperate with the parties concerned to exercise their rights with regard to the processing of Personal Data in accordance with Articles 12 to 23 of the GDPR, including the right to information, access, removal including 'right to be forgotten’, rectification, transferability, objection and rights in respect of automated individual decision making, including profiling. This cooperation will in principle be assessed as Additional Services
1.6. the data processor agrees to provide the company with the necessary information at the latter’s request, to ensure that the company is able to investigate the data processor’ compliance with the provisions of this article.
1.7. the company is entitled to engage an independent expert to investigate whether the data processor fulfils obligations described in this article, which independent expert will be under an obligation of confidentiality in respect of the foregoing and will NDA and Non-Compete agreement with us. Audits will be done maximum once per year. the data processor shall cooperate in the audit and make all information that is reasonably relevant to the audit available as soon as possible. The costs of the audits carried out on the instructions of the company must be borne by the company.
1.8. the data processor shall inform the company immediately, but in any case within 48 hours, as soon as it finds that there has been any breach with respect to the personal data. This information provided must enable the company to fulfil its obligations under Articles 33 and 34 of the GDPR
1.9 the data processor is under no obligation to perform an assessments as described under article 35 and/or 36 of the GDPR.
1.10 the data processor shall be entitled to make use of sub-processors without the company’s prior Written permission. The list of sub-processors is available upon request. In case the data processor engages a new sub-processor it will notify the company. the company may object against this engagement in Writing. If the data processor persists in engaging a sub-processor after objection of the company, the company may terminate the agreement with immediate effect. the data processor remains responsible for the performance of sub-processors it engages.
1.11 the data processor agrees to maintain confidentiality over personal data it processes and it ensures that the persons authorized to process the Personal Data undertake to maintain confidentiality.
1.12 Upon termination of the Agreement, the data processor shall: at request of the company delete all personal data.
1.13 the company assesses and informs the data processor about how long certain personal data may be stored on the data processor Cloud. Upon the Written request of the company the data processor will delete requested data. the data processor assesses, at its sole discretion, whether this deletion is deemed an Additional Service or not
1.14 the company warrants that the data processing will be carried out in accordance with the law. This means in any case that the company warrants that it is entitled to collect data or have data collected and that it is entitled to process these data and have these collected.
1.15 the company shall indemnify the data processor for any loss or damage of personal data and costs resulting from any claims by third parties, expressly including the data subjects and supervisory authorities (such as the Dutch Data Protection Authority), relating to or arising from any unlawful processing operation and/or any other violation of the GDPR or the Agreement that can be attributed to the company
1.16 the data processor shall ensure that every processing operation of personal data that is performed by or on behalf of the data processor, including third parties engaged by it for the purposes of the execution of the Agreement, is carried out within the European Economic Area (EEA) or to or from countries that offer an adequate level of protection in accordance with the GDPR.
1.17 the data processor shall ensure in-transit encryption of all data.
2.1 the data processor is entitled to investigate whether the company uses the data processor Services in a manner that complies with the conditions of the Agreement. the company undertakes to cooperate with such an audit. the data processor shall bear the costs of such audit, as long as no infringements of the Agreement are found. If the company is found to infringe the Agreement, the company will bear the costs of the audit.