Data Processing Agreement for On-Premise Subscription Products
Effective November 21, 2022
1. Background and Interpretation
1.1. The Supplier will, upon performance of the Agreement when providing its Product, process personal data on behalf of the Customer, in the capacity of the Customer’s processor. The Supplier will process personal data for which the Customer is the controller.
1.2. This Data Processing Agreement (the “DPA”) forms an integral part of the Agreement. The purpose of this DPA is to ensure a secure, correct, and legal processing of personal data and to comply with applicable requirements for data processing agreements as well as to ensure adequate protection for the personal data processed within the scope of the Agreement.
1.3. Any terms used in this DPA, e.g. processing, personal data, data subjects, supervisory authority, etc., shall primarily have the meaning as stated in the European Parliament and the Council Regulation (EU) 2016/679 (the “GDPR”) and otherwise in accordance with the Agreement, unless otherwise clearly indicated by the circumstances.
1.4. In light of the above, the Parties have agreed as follows:
2. Instructions and Responsibilities
2.1. The type of personal data and categories of data subjects processed by the Supplier under this DPA and the purpose, nature, duration, and objects of this processing, are described in the instructions on the processing of personal data in Appendix 2A or the written instructions that Customer provides from time to time. The Supplier shall not process additional categories of personal data or personal data in relation to other data subjects than those specified in Appendix 2A.
2.2. Customer is responsible for complying with the GDPR. Customer shall in particular:
a) be the point of contact towards data subjects and i.e. respond to their inquiries regarding the processing of personal data;
b) ensure the lawfulness of the processing of personal data, provide information to data subjects pursuant to Articles 12-14 in the GDPR, and maintain a record of processing activities under its responsibility;
c) provide the Supplier with documented instructions for the Supplier’s processing of personal data, including instructions regarding the subject matter, duration, nature, and purpose of the processing as well as the type of personal data and categories of data subjects;
d) immediately inform the Supplier of changes that affect the Supplier’s obligations under this DPA;
e) immediately inform the Supplier if a third party takes action or lodges a claim against the Customer as a result of the Supplier’s processing under this DPA; and
f) immediately inform the Supplier if anyone else is a joint controller with the Customer of the relevant personal data.
2.3. When processing personal data, the Supplier shall:
a) only process personal data in accordance with Customer’s documented instructions, which at the time of the Parties entering into this DPA are set out in Appendix 2A;
b) ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) maintain an adequate level of security for personal data by implementing all technical and organizational measures set out in Article 32 of the GDPR in the manner set out in section 3 below;
d) respect the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging a sub-processor;
e) taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as it is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32-36 of the GDPR, taking into account the nature of the processing and the information available to the Supplier;
g) at the choice of Customer, delete or return all the personal data to Customer after the end of the Agreement, and delete existing copies, unless EU law or applicable national law of an EU Member State requires the storage of the personal data; and
h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 in the GDPR and this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another auditor agreed upon by the Parties.
2.4. The Supplier shall notify the Customer without undue delay, if, in the Supplier’s opinion, an instruction infringes the GDPR. In addition, the Supplier is to immediately inform the Customer of any changes affecting the Supplier’s obligations pursuant to this DPA.
3.1. The Supplier shall implement technical and organisational security measures in order to protect personal data against destruction, alteration, unauthorised disclosure, and unauthorised access. The measures shall ensure a level of security that is appropriate considering the state of the art, the costs of implementation, the nature, scope, context, and purpose of the processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The Supplier may amend its technical and organisational measures.
3.2. The Supplier shall notify Customer of accidental or unauthorised access to personal data or any other personal data breach without undue delay after becoming aware of such data breach and pursuant to Article 33 of the GDPR. Such notification shall not in any manner imply that the Supplier has committed any wrongful act or omission, or that the Supplier shall become liable for the personal data breach.
3.3. If the Customer, during the term of this DPA, requires that the Supplier take additional security measures, the Supplier shall as far as possible meet such requirements provided that the Customer pays and takes responsibility for any and all costs associated with such additional measures.
4. Sub-processors and Transfer to Third Countries
4.1. Customer hereby grants the Supplier a general authorisation to engage sub-processors. Sub-processors are listed in the list of sub-contractors in Appendix 2B. The Supplier shall enter into a data processing agreement with each sub-processor, according to which the same data protection obligations as set out in this DPA are imposed upon the sub-processor.
4.2. The Supplier shall inform Customer of any intended changes concerning the addition or replacement of sub-processors, thereby giving Customer the opportunity to object to such changes. Such objection shall be made in writing and within thirty (30) calendar days after the Supplier has informed Customer about the intended changes. If Customer objects to the Supplier engaging a sub-processor and the Parties cannot agree, within a reasonable time, on the new sub-processor’s engagement in the processing of personal data, the Supplier can terminate the Agreement.
4.3. If the Supplier and/or sub-processors transfer personal data outside the EU/EEA, such transfer shall always comply with the applicable data protection requirements according to the GDPR and related data protection legislation. The Supplier shall keep Customer informed about the legal grounds for the transfer.
5. Compensation and Limitation of Liability
5.1. The Supplier is not entitled to any additional compensation for the processing of personal data in accordance with this DPA; instead, the compensation provided pursuant to the Agreement also encompasses the measures in this DPA.
5.2. Each Party shall be responsible for any damages and administrative fines imposed on it under Articles 82 and/or 83 of the GDPR.
5.3. Notwithstanding any limitation of liability in the Agreement, each Party’s liability under this DPA shall be limited to direct damages. In addition, the Supplier's liability shall be limited to an amount corresponding to the fees paid by the Customer to the Supplier under the Agreement for a period of six (6) months before the damage occurred.
6. Term and Termination
6.1. This DPA becomes effective when the Agreement has been entered into.
6.2. Upon termination of the Agreement, the Supplier shall, at the choice of Customer, delete all the personal data or return it to Customer, and ensure that each sub-processor does the same.
6.3. This DPA remains in force as long as the Supplier processes personal data on behalf of Customer, including deletion or returning of personal data according to section 6.2 above. This DPA shall thereafter cease to apply. Sections 5 and 6.2 shall continue to apply even after this DPA has been terminated.
7.1. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions or regulations regarding the application of the GDPR during the term of this DPA, with the result that this DPA does not meet the requirements for a data processing agreement, the Parties shall change this DPA to meet the requirements.
7.2. Any changes to this DPA other than those following from section 7.1 above or changes in Customer’s documented instructions shall be made in writing and signed by the Parties’ authorized representatives to be binding.
8.1. In the event of deviating provisions between the Agreement and this DPA, the provisions of this DPA shall prevail with regard to processing of personal data and nothing in the Agreement shall be deemed to restrict or modify obligations set out in this DPA, notwithstanding anything to the contrary in the Agreement.
8.2. This DPA supersedes and replaces all data processing agreements between the Parties potentially existing prior to this DPA.
Instructions on Processing of Personal Data
The Supplier processes personal data in order to fulfil the Agreement. This means that the Supplier processes personal data for the following purposes:
To handle customer support cases,
To work with key End-Users designated by the Customer for purposes of the customer success program. This program is available on an opt-in basis for certain customer accounts.
Categories of personal data
Categories of personal data that will be processed by the Supplier include:
Role in organisation, and
Information about how the Product is used provided by the Customer for the purposes of support and customer success.
Categories of data subjects
The personal data will be processed for as long as the End-User continues to actively use the Service and for twelve (12) months thereafter if the End-User has provided information about which Customer they are associated with.
The Supplier processes the personal data of End-Users in the following ways.
The End-User’s name and e-mail address, as well as contextual information provided by the End-User, is collected in order to provide customer support when customers open a support request via e-mail or via the Supplier’s support portal.
The name and e-mail address of key End-Users designated by the Customer may be stored in the Supplier’s CRM system by Customer Success Specialists to support activities related to the customer success program.
Information Security Measures
No sub-processors are involved in your regular usage of our On-Premise applications. However, we do rely on sub-processors to support your end-users' ability to get value out of your purchase via our Customer Support and Customer Success functions. In the table below you can see exactly which purposes we utilize sub-processors for end-users of any of our On-Premise applications.
Please see our sub-processors page to find links to related documents such as DPAs for the sub-processors above as well as a full list of the sub-processors that process personal data, even those that aren't relevant to this DPA.