Data Processing Addendum
Data Processing Addendum Notice
Last updated February 18, 2022
We provide the latest version of OptiSigns DPA for you to review here. If you would like to get it signed and executed with us, please contact us at email@example.com.
Signing a DPA does not change our practices regarding the protection of your privacy and your data. Every customer gets the same high standards of privacy and security.
Data Processing Addendum
(i) In this Addendum:
Controller: has the meaning given in applicable Data Protection Laws from time to time.
Data Protection Laws: means, as binding on either party or the services:
- The Directive 95/46/EC (Data Protection Directive) and/or Data Protection Act 1998 or the GDPR;
- Any laws which implement any such laws or regulations; and
- Any laws that replace, extend, re-enact, consolidate, or amend any of the foregoing.
Data Subject: has the meaning given in applicable Data Protection Laws from time to time.
GDPR: means the General Data Protection Regulation (EU) 2016/679.
International Organization: has the meaning in the GDPR.
Personal Data: has the meaning given in applicable Data Protection Laws from time to time.
Personal Data Breach: has the meaning given in applicable Data Protection Laws from time to time.
Processing: has the meaning given in applicable Data Protection Laws from time to time (and related expressions, including process, processed, processing, and processes shall be construed accordingly).
Processor: has the meaning given in applicable Data Protection Laws from time to time.
(b) Your Compliance with Data Protection Laws.
(c) Our Compliance with Data Protection Laws.
Taking into account the state of technical development and the nature of Processing, we shall implement and maintain the technical and organizational measures set out in Section 2(b) of this Addendum to protect the Protected Data against accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure, or access.
(A) that alternative Processing instructions are agreed between the parties in writing; or
(B) otherwise required by applicable law (and shall inform you of that legal requirement before Processing, unless applicable law prevents us doing so on important grounds of public interest).
(ii) Without prejudice to Section 1(e)(i), if we believe that any instruction received by us from you is likely to infringe the Data Protection Laws, we shall promptly inform you and be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions which are not infringing.
(f) Sub-processing and Personnel.
(i) We shall:
(A) not permit any processing of Protected Data by any agent, subcontractor, or other third party (except its or its Sub-Processors’ own employees in the course of their employment that are subject to an enforceable obligation of confidence with regards to the Protected Data) without your authorization;
(B) prior to the relevant Sub-Processor carrying out any processing activities in respect of the Protected Data, appoint each Sub-Processor under a written contract containing materially the same obligations as under this Schedule (including those relating to sufficient guarantees to implement appropriate technical and organizational measures) that is enforceable by us and ensure each such Sub-Processor complies with all such obligations;
(C) remain fully liable to you under this Addendum for all the acts and omissions of each Sub-Processor as if they were our own; and
(D) ensure that all persons authorized by us or any Sub-Processor to process Protected Data are subject to a binding written contractual obligation to keep the Protected Data confidential.
(g) List of Authorized Sub-Processors.
(i) You expressly authorize the appointment of the Sub-Processors listed below.
(A) Amazon: Cloud Hosting
(B) Digital Ocean: Cloud Hosting
(C) Compose.com: Cloud Database
(D) Google: Cloud Storage, Internal Collaboration, Marketing, Analytics
(E) CloudFlare: Content Delivery Network
(F) Transloadit: File Conversion
(G) Zapier: Process Automation
(H) Elastic.io: Log & Monitoring
(I) Sentry.io: Log & Monitoring
(J) HubSpot: Customer Relation Management
(K) Customer.io: Customer Communication
(L) Slack: Internal Communication
(M) ZenDesk: Issue Management
(N) Stripe: Payment Processor
(i) We shall (at your cost) assist you in ensuring compliance with your obligations pursuant to Articles 32 to 36 of the GDPR (and any similar obligations under applicable Data Protection Laws) taking into account the nature of the Processing and the information available.
(ii) We shall (at your cost), taking into account the nature of the Processing, assist you (by appropriate technical and organizational measures), insofar as this is possible, for the fulfilment of your obligations to respond to requests for exercising the Data Subjects’ rights under Chapter III of the GDPR (and any similar obligations under applicable Data Protection Laws) in respect of any Protected Data.
(i) Audits and Processing.
We shall, in accordance with Data Protection Laws, make available to you such information that is in our possession or control as is necessary to demonstrate our compliance with the obligations placed on us under this Addendum and to demonstrate compliance with the obligations on each party imposed by Article 28 of the GDPR (and under any equivalent Data Protection Laws equivalent to that Article 28), and allow for and contribute to your audits, including inspections, (or another auditor mandated by you) for this purpose (subject to a maximum of one audit request in any 12 month period under this paragraph).
We shall notify you without undue delay and in writing on becoming aware of any Personal Data breach in respect of any Protected Data.
(k) Deletion/Return and Survival.
2. Data Processing and Security Details.
(a) Data Processing Details.
(i) Subject-matter of Processing:
Orders, requests, and related software use and access requested through the Company’s platform.
(ii) Duration of the Processing:
Personal Data will be retained for the duration of your engagement with the Company and returned or destroyed in accordance with the terms hereof.
(iii) Nature and purpose of the Processing:
(iv) Type of Personal Data:
(v) Categories of Data Subjects:
(b) Technical and Organizational Security Measures.
We shall implement and maintain the following technical and organizational security measures to protect the Protected Data:
(c) International Data Transfers
(i) Some jurisdictions require that an entity transferring Personal Data to, or accessing Personal Data from, a foreign jurisdiction take extra measures to ensure that the Personal Data has special protections. In the absence of appropriate safeguards pursuant to Article 46, the transfer is subject to the Standard Contractual Clauses approved by the European Commission, and which themselves form part of this DPA (Attachment 1).