Appendix 1
Data Processing Addendum
Precisely’s data processing addendum (which hereinafter is referred to as the or this “DPA”) is an appendix to Precisely’s Terms.
Precisely (the “Processor”) will process personal data for which the Customer is the data controller under applicable data protection law. Since the Customer determines the purposes and means of the processing of personal data within and through the Precisely Platform, the Customer will be referred to as the “Controller” in this DPA. Furthermore, the Processor and the Controller will individually be referred to as a “Party” and jointly the “Parties”.
Introduction
- Processor provides Controller with the Services pursuant to the Terms.
- When providing the Services, Processor will process personal data on behalf of Controller. This DPA regulates processing of personal data in accordance with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, the “GDPR”) and any national or European Union law as applicable from time to time (“Applicable Data Protection Legislation”).
- In the event of any conflict or inconsistency between the Terms and this DPA related to the processing of personal data, the provisions of this DPA shall prevail.
1. Agreement Documents
1.1 The following sub-appendices are hereby incorporated into this DPA:
- Sub-Appendix I – List of Parties and Description of Processing
- Sub-Appendix II – Technical and Organisational Measures
- Sub-Appendix III – List of Sub-Processors
2. Processing of Personal Data
2.1 The subject-matter, categories of personal data and data subjects, duration, nature and purpose of the processing are set out in Sub-Appendix I (List of Parties and Description of Processing).
2.2 Controller is responsible for ensuring that the processing is carried out in accordance with the Applicable Data Protection Legislation and for providing Processor with accurate and sufficient instructions.
2.3 Processor undertakes to process personal data only in accordance with the instructions under this DPA, the Terms and documented instructions given by Controller from time to time, unless the processing is required by Applicable Data Protection Legislation. In such case, Processor shall inform Controller of the processing and the legal requirements on which the processing is based, prior to processing the personal data, unless providing such information is prohibited under the Applicable Data Protection Legislation.
2.4 Processor shall promptly inform Controller if Processor is unable to fulfil its obligations under this DPA, or if Processor deems that instructions provided by Controller infringe the Applicable Data Protection Legislation or are inadequate or incorrect. In such case Controller shall adjust its instructions.
3. Security Measures
3.1 The Parties shall take appropriate technical and organisational security measures necessary to ensure a level of security appropriate to the risks presented when processing personal data and, when necessary, implement and maintain the technical and organisational security measures set out in article 32 of the GDPR.
3.2 The technical and organisational security measures agreed upon between the Parties are set out in Sub-Appendix II (Technical and Organisational Measures). Controller shall ensure that such measures comply with the provisions of the Applicable Data Protection Legislation.
4. Transfer Outside of the EU/EEA
4.1 Processor may only transfer personal data to a country outside the EU/EEA in accordance with instructions provided by Controller, as further set out in the appendices to this DPA as updated from time to time. If personal data is transferred to a country outside the EU/EEA, the Parties shall ensure that the transfer is subject to an adequate security measure in accordance with Chapter V of the GDPR, for example by executing the applicable module of the EU Commission’s approved Standard Contractual Clauses or binding corporate rules. To the extent necessary to ensure adequate protection of personal data, the Parties shall agree upon additional safeguards in the appendices to this DPA.
5. Use of Sub-Processors
5.1 Processor hereby obtains a general written authorisation from Controller to use sub-processors to process personal data on behalf of Controller. The list of sub-processors authorised by Controller for the processing of personal data upon the effective date of this DPA is set out in Sub-Appendix III (List of Sub-Processors). Processor shall inform Controller in writing of the addition or replacement of sub-processors at least thirty (30) days before the change takes place, in order to give the Controller opportunity to object to the change. Controller shall object in writing within seven (7) days of Processor informing the Controller of the change. Controller may object to the use of a sub-processor only if there is reason to believe that the sub-processor does not comply with the requirements of the Applicable Data Protection Legislation and state the reasons for the objection. Processor shall provide Controller with the information necessary for Controller to exercise its right to object.
5.2 Processor shall ensure that a written agreement imposes on sub-processors at least equivalent obligations in relation to the processing of personal data as those imposed on Processor under this DPA. Processor shall be fully liable to Controller for the performance by the sub-processor of its obligations, as for its own under this DPA.
6. Duties of Processor
6.1 Processor shall, upon Controller’s reasonable request, assist Controller as far as reasonably possible and with regard to the nature of the processing, in fulfilling its obligations to respond to requests from data subjects to exercise their rights under the Applicable Data Protection Legislation. Processor shall notify Controller within five (5) days if Processor receives any requests from data subjects. Processor may not respond to any requests without Controller’s specific prior written instruction to do so.
6.2 Processor shall, to the extent possible, taking into account the nature of processing and the information available to Processor, assist Controller in fulfilling Controller’s obligations under Articles 32–36 GDPR.
6.3 Processor shall, upon Controller’s reasonable request, provide Controller with the information necessary to demonstrate compliance with the obligations of this DPA.
6.4 In the event that Processor, according to the Applicable Data Protection Legislation, is required to disclose personal data that Processor processes on behalf of Controller to supervisory authorities, Processor shall inform Controller thereof and request confidentiality in connection with the disclosure of the requested information.
6.5 Upon the reasonable request made by Controller or by an external auditor appointed by Controller, Processor shall allow an audit for the purpose of verifying that the processing of personal data by the Processor is carried out in accordance with Applicable Data Protection Legislation and this DPA.
7. Personal Data Breach
7.1 Processor shall notify Controller in writing within twenty-four (24) hours after becoming aware of a personal data breach. Processor shall, to the extent possible, provide Controller with a description of the breach, its nature, its likely consequences and information on the measures taken or proposed to be taken to remedy and mitigate the consequences of the breach.
7.2 If Controller notifies a breach to the supervisory authority, Processor shall, upon Controller’s reasonable request, assist Controller and provide the requested information.
8. Confidentiality
8.1 Processor undertakes not to disclose or otherwise make personal data processed under this DPA available to any third party without Controller’s prior written consent, except for sub-processors engaged in accordance with this DPA.
8.2 Processor shall ensure that only staff and other representatives that require access to personal data have access to such information. Processor shall ensure that such persons are bound by confidentiality undertakings or subject to a statutory obligation of confidentiality.
8.3 Processor undertakes to ensure that confidentiality agreements are in place with any sub-processors engaged.
9. Remuneration
9.1 Processor is entitled to reasonable remuneration for costs and work incurred by Processor as a result of its obligations as specified below:
- In case of new instructions from the Controller that lead to extra costs or expenses for the Processor.
- For assistance provided to Controller in fulfilling Controller’s obligations to respond to requests from data subjects to exercise their rights under the Applicable Data Protection Legislation in accordance with section 6.1 above.
- For facilitating and assisting Controller or an external auditor appointed by Controller to perform audits in accordance with section 6.5 above.
- For implementing technical and organisational security measures specifically requested by Controller in addition to the measures set out in Sub-Appendix II (Technical and Organisational Measures).
10. Liability
10.1 If a Party processes personal data in violation of this DPA or Applicable Data Protection Legislation, the Party shall compensate the other Party for direct damages suffered due to such wrongful processing and/or violation of this DPA in accordance with the liability provisions set out in the Terms.
10.2 The Parties confirm that they are responsible, accountable and liable in their respective roles as controller and processor in accordance with the requirements set out in the GDPR and this DPA. Any administrative fines, fees or penalties imposed by the supervisory authority and/or compensation to data subjects shall be subject to the liability in accordance with Articles 82–84 of the GDPR.
11. Term and Termination
11.1 This DPA enters into force at the time of entry into force of the Terms and remains in force thereafter for as long as Processor processes personal data on behalf of Controller.
11.2 Processor has the right to terminate this DPA immediately by written notice to Controller if instructions given by Controller infringe Applicable Data Protection Legislation and Controller, after being notified of such circumstances, subsequently insists on applying such instructions.
12. Return and Destruction of Personal Data
12.1 Upon termination or expiry of this DPA, Processor shall without undue delay stop processing personal data and at Controller’s request either delete or return all personal data to Controller or to the party designated by Controller and delete any remaining copies, unless prohibited to do so by Applicable Data Protection Legislation.
13. Governing Law and Dispute Resolution
13.1 This DPA shall be governed by Swedish law, excluding applicable conflicts of law rules.
13.2 Any dispute, controversy or claim arising out of or in connection with this DPA, or the breach, termination or invalidity thereof, shall be settled in accordance with the dispute resolution provisions set out in the Terms.
Sub-Appendix 1.1
Description of Processing
This Sub-Appendix I (Description of Processing) describes the processing of personal data under the DPA.
Controller is responsible for informing Processor in case any additional categories of data subjects and/or categories of personal data will be included in the processing and, especially, whether any special categories of personal data will be included in the processing.
Sub-Appendix 1.2
Technical and Organisational Measures
This Sub-Appendix II (Technical and Organisational Measures) specifies the technical and organisational measures taken to ensure a high level of security for the processing of personal data.
List of Technical and Organisational Measures
The following technical and organisational measures have been explicitly agreed between the Parties:
- Processor has organisational management and dedicated staff responsible for the development, implementation, and maintenance of Processor’s information security measures.
- Processor aims to primarily process personal data of European customers within the EU/EEA. When Processor agrees with Controller to process personal data outside of the EU/EEA, Processor always ensures that appropriate safeguards are in place to protect such personal data. Processor ensures that any sub-processor also implements appropriate technical and organisational measures. Processor only contracts trusted and reputable companies that have the appropriate certifications and/or provide other sufficient guarantees about their security measures as required under the GDPR. Each processing assignment is governed by a written data processing agreement in accordance with article 28.3 GDPR.
- Processor conducts audit and risk assessment procedures for the purposes of periodic review and assessment of risks to Processor’s organisation, monitoring and maintaining compliance with Processor’s policies and procedures, and reporting the condition of its information security and compliance to senior internal management.
- Processor maintains information security policies and makes sure that policies and measures are regularly reviewed and, where necessary, improved.
- Processor ensures that communication with Processor’s applications utilises cryptographic protocols such as TLS to protect information in transit over public networks.
- Processor has implemented data security controls which include logical segregation of data, restricted (e.g. role-based) access and monitoring, and where applicable, utilisation of commercially available and industry-standard encryption technologies.
- Processor has developed logical access controls designed to manage electronic access to data and system functionality based on authority levels and job functions (e.g. granting access on a least privilege and need-to-know basis, use of unique IDs and passwords for all users, periodic review, and revoking/changing access promptly when employment terminates or changes in job functions occur).
- Processor has implemented password controls designed to manage and control password strength and usage, including prohibiting users from sharing passwords.
- Processor conducts system audits or event logging and related monitoring procedures to proactively record user access and system activity for routine review.
- Processor ensures appropriate physical and environmental security of data centre and server room facilities containing client confidential information designed to: (i) protect information assets from unauthorized physical access, (ii) manage, monitor and log movement of persons into and out of those facilities, and (iii) guard against environmental hazards such as heat, fire and water damage.
- Processor has established operational procedures and controls to provide for configuration, monitoring, and maintenance of technology and information systems according to prescribed internal and adopted industry standards, including secure disposal of systems and media to render all information or data contained therein as undecipherable or unrecoverable prior to final disposal or release from Processor’s possession.
- Processor has change management procedures and tracking mechanisms in place designed to test, approve and monitor all changes to Precisely technology and information assets.
- Processor has designed incident/problem management procedures to allow Processor to investigate, respond to, mitigate and notify of events related to Processor’s technology and information assets.
- Processor has a business continuity and disaster recovery plan in place to ensure the continuity of Processor’s services in the event of an incident and performs regular backups. The database is backed up daily, whereafter daily backups are saved for a week. Similarly, weekly backups are saved for one month while monthly backups are saved indefinitely. Files uploaded to the platform are continuously backed up. Backups are encrypted in transit and at rest using strong encryption. Processor regularly performs backup testing (minimum every six months) to ensure the successful and timely recovery of data in the event of an incident. Processor’s hosting provider is equipped with tools to keep traffic stability in the event of a DDoS attack.
Sub-Appendix 1.3
List of Sub-Processors
This Sub-Appendix III (List of Sub-Processors) sets out the sub-processors of the Processor approved by the Controller.
Lists of Sub-Processors
Sub-processors that Controller is not able to opt-out of:
Sub-Processors that Controller can opt-out of if requested: