Exelement SyncCloud Data Processing Agreement

Introduction

The Customer (hereinafter referred to as the “Controller”) controls certain Personal Data, which it wishes to provide to Exelement AB org. no. 556643-3172 (hereinafter referred to as the “Processor”) in accordance with the Agreement and, in particular, with the terms set out herein.  

The Parties hereby agree to the terms upon which the Controller will provide the Processor with the Personal Data and the Processor shall Process the Personal Data.  

This Data Processing Agreement shall apply from the date of execution of the Agreement by both Parties and until such time that Processor ceases to Process Personal Data on behalf of Controller.  

Purposes of Processing

Processor shall, in accordance with the Agreement, provide Controller with a Managed SaaS for Data Integration (all of the above is hereinafter referred to as the “Services”).  

Definitions

All capitalized terms not otherwise defined herein shall have the respective meaning given to such terms in the GDPR.

"Agreement"

means the Agreement entered into by the Controller and Processor for subscribing to the Exelement SyncCloud service and in which these annexed Data Protection Terms form an integral part.

"Data Protection Act"

means the data protection laws and regulations at all times valid and applicable within the country where Processor is registered, including but not limited to Regulation (EU) No 679/2016 (the “General Data Protection Regulation” or the “GDPR”).

"Personal Data"

means any personal data or sensitive personal data as defined in the Data Protection Act, which are subject to, or intended to be subject to, Processing by the Processor for, or on behalf of, the Controller.

"Controller"

a party to the Agreement with the Processor.

"Processor"

Exelement AB org. no. 556643-3172

Instructions

The Processor shall only be entitled to Process the Personal Data for the purposes set out in Article ‎0 above, and in accordance with the Controller’s written instructions, and in any event in compliance with applicable laws and legal obligations.  

The Processor may not Process the Personal Data for a longer period than is necessary for the fulfilment of its undertakings under the Agreement. Unless the Parties agree otherwise in writing, Personal Data shall be purged (deleted) from the Services in accordance with the procedures set out in Appendix A.

Restricted access

The Processor shall restrict access to the Personal Data to only such persons who require it in order for Processor to provide the Services, or as otherwise may be required to comply with Processor’s obligations according to the Data Protection Act. Furthermore, Processor shall take reasonable steps to ensure the reliability of any of its employees, agents and sub-contractors who may have access to Personal Data.

Security

The Processor shall take Appropriate Technical and Organisational Measures to protect the Personal Data while considering the technical options that are available, the costs to implement the measures, the specific risks that are present with the current Processing of Personal Data, and the sensitivity of the Personal Data that is processed.  Such measures shall at least:

  • Protect the Personal Data against accidental or unlawful destruction, accidental loss or alteration, unauthorized or unlawful storage, processing, access or disclosure (including by use of pseudonymization and encryption for data in transit and at rest, where possible);
  • Treat and safeguard the Personal Data as strictly private and confidential;
  • Restore the availability and access to Personal Data in a timely manner in accordance with Processor’s back-up policy, in the event of a physical or technical incident;
  • Include, at all times, having in place and adhering to a suitable, written data protection policy with respect to the processing of Personal Data.

Furthermore, Processor shall not without Controller’s prior consent cause or permit the Personal Data to be processed outside the European Economic Area or such other countries that the EU Commission has determined to provide an adequate level of data protection in accordance with the General Data Protection Regulation (EU 2016/679).

Auditing, Assistance and Reporting

Processor shall co-operate with and assist the Controller when necessary to comply with the Data Protection Act, and to enable Data Subjects to exercise their rights under the Data Protection Act. Processor shall allow for and assist in audits, including inspections, following Controller’s legitimate written request and at such times as agreed between the Parties. The Processor shall in such event make available facilities, personnel, policies, documents and information strictly as necessary and limited for the purpose of the audit, and only as relevant with regards to the Processing of Personal Data on behalf of the Controller and subject to such restrictions for on-site audits as may apply for Processor’s hosting environments.  

An audit shall not grant the Controller access to Processor’s, or any third-party’s, trade secrets or proprietary information unless required to comply with the Data Protection Act. The Controller shall ensure that its personnel conducting such audits are subject to adequate secrecy obligations.  

In the event that a Data Subject, Supervisory Authority, law enforcement authority or any other third-party requests information from the Processor regarding Processing of Personal Data, the Processor shall immediately refer the requesting party to the Controller and may not disclose any Personal Data to the requesting party, nor act on the Controller’s behalf, unless otherwise required by applicable law.  

The Processor shall immediately, or at least within 24 hours, notify the Controller about:

  1. any legally binding request for disclosure of the Personal Data by the Supervisory Authority, or a law enforcement authority, unless otherwise prohibited; and
  2. any request received directly from the Data Subjects, without responding to that request, unless it has been authorised by the Controller to do so.

Furthermore, the Processor shall, if possible, immediately notify the Controller in case of accidental or unauthorized access to the Controller’s Personal Data or other security incident involving the Controller’s Personal Data, or at least within 24 hours. Such notification shall at least:

  1. describe the nature of the Personal Data incident, including, if possible, the categories and number of data subjects concerned and categories of Personal Data concerned;
  2. provide name and contact details to the Data Protection Officer or other contact point where further information can be obtained;
  3. describe the likely consequences of the Personal Data incident; and
  4. describe what actions have been taken, or which the Processor proposes to take, to correct the Personal Data incident, including, where appropriate, measures to reduce any adverse effects.

Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.

Sub-Processing

The Controller hereby agrees that parts of the Services may be provided through sub-processors via third party services subject to Processor having entered into separate data processing agreements with such sub-processors that comply with the Data Protection Act. The current sub-processors are listed in Appendix B.

The Controller hereby agrees that the Processor may, when necessary for the purposes of maintaining, developing and/or enhancing the Services, exchange sub-processors or add other sub-processors. The agreement is however conditional upon the Processor giving the Controller reasonable (in any event no less than thirty (30) days) prior written notice of such an intended change or addition including details of the provider, the purpose and scope of sub-processing and – upon separate request – the related data processing agreement.

The Controller may object to such notified change in the event of its reasonable concerns with regards to the appropriate protection of Personal Data. Such objection shall be detailed in writing within fifteen (15) working days from the Processor’s original notice whereafter the Parties shall in good faith endeavour to settle the situation. In the event that the Controller’s reasonable concerns still remain after conclusion of such good faith effort, then the Controller shall have the right to terminate the Agreement forthwith by written notice without liability for either Party. However, in the event of Controller’s termination as per the above and for the purposes of enabling Controller’s exit, Processor will undertake to ensure that none of Controller’s Personal Data is processed by such new sub-processor during a period of up to five (5) months counted from the date of Processor’s original notice (notwithstanding that the new sub-processor is used for other customers of the Processor).

Ownership of Data  

The Processor hereby acknowledges and agrees that the Personal Data supplied to the Processor by the Controller pursuant to the Agreement are and shall remain the absolute property of the Controller and the Processor shall never at any time receive ownership of the Personal Data. Upon the termination of the Agreement, Processor will delete all such Personal Data. Controller may also in writing request Processor to instead return all such data before deleting any remaining copies.

Liability

Each Party is liable in accordance with the Data Protection Act. Neither Party excludes or limits its liability in relation to this Agreement.  

Confidentiality

The Processor shall not, without the prior written consent of the Controller, divulge the whole or any part of the Personal Data to any person except its employees or consultants subject to the same policies and requirements as employees, and then only to those who need to know the same, and only to the extent necessary for the proper performance of the Agreement.

To the extent that any Personal Data is disclosed to employees or consultants of the Processor in accordance with Article ‎0, the Processor shall ensure that such individuals are bound by non-disclosure undertakings no less onerous than those set forth herein and in the Agreement.

Future changes to the Data Protection Act

In the event that either Party deems changes of these Data Protection Terms to be necessary due to changes of the Data Protection Act, the Parties shall negotiate any such change in good faith and amend any changes agreed by written amendment to the Agreement. A change shall be deemed necessary if needed in order to avoid any form of new/additional liability or risk of liability for either Party.

Appendix A – DESCRIPTION OF PROCESSING

  1. Types of personal data

Supplier will process the following types of personal data:

  • First and Last name
  • Title
  • Contact information (company, email, phone, address)

  2. Categories of data subjects

  • Employees or consultants of the Controller
  • Controller’s users authorized by Controller to use the Services provided by Processor
  • Invoice contact persons of Controller’s customer

  3. Duration of processing

For the duration of the subscription period and, if any, period before or after the subscription period that the Services are provided to the Controller.

  4. Subject matter, nature and purpose of processing

The objective of Processing of Personal Data is to provide the Services pursuant to the Agreement.

  5. Place of processing

Always within the European Union. Currently in AWS, Europe location in Germany.

  6. Technical and organizational security measures

Supplier has implemented the following technical and organizational security measures to ensure compliance with Article 32 in the GDPR:  

  • Access control
  • Information Classification (and handling)
  • Physical and Environmental Security
  • Management of Technical Vulnerabilities
  • Communications Security
  • Privacy and Protection of Personally Identifiable Information

Appendix B – Sub-Processors

Subject to Article 8 in the Data Processing Agreement, Controller approves of the following.

| Sub-Processor | Purpose of the Processing | Categories of Personal Data | Location |
|---|---|---|---|
| AWS | Provider of the cloud computing platform | Employees or consultants of the Controller; Controller’s users authorized by Controller to use the Services provided by Processor | Europe |
| Elastic.io | SyncCloud customer supporting | Employees or consultants of the Controller; Controller’s users authorized by Controller to use the Services provided by Processor | Europe |
| Cyclr | SyncCloud integration supporting platform | Employees or consultants of the Controller; Controller’s users authorized by Controller to use the Services provided by Processor | Europe |