Data Processing Agreement
THE DATA CONTROLLER AND DATA PROCESSOR HEREBY AGREE AS FOLLOWS:
This Data Processing Agreement (“Agreement”) is supplementary to, and forms part of, the terms for Biteable’s service (the “Terms”) between the Biteable entity (either Biteable, LLC with offices at 4001 South 700 East, Suite 500, Salt Lake City, UT 84107 or Biteable Pty Ltd of Level 2, 162 Macquarie Street, Hobart, Tasmania, Australia) (“Biteable”) and Customer (“Customer”) as identified in the order form referencing this Agreement. In the event of any conflict between this Agreement and the Terms, this Agreement shall prevail to the extent of such conflict.
1. Subject matter of this Data Processing Agreement
1.1. This Data Processing Agreement applies exclusively to the processing of Personal Data in the scope of this agreement between the parties for the provision of the services set forth in the Biteable Terms of Service. In this capacity, Data Processor may have access to Personal Data, subject to the Terms of Service between Data Processor and Data Controller (the “Terms”) during the provision of Biteable’s services (“Services”).
1.2. The term “EU Data Protection Law” shall mean Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and all accompanying EU directives and regulations and member state laws and regulations.
1.3. Terms such as “Processing”, “Personal Data,” “Data Controller” and “Processor” shall have the meaning ascribed to them in the EU Data Protection Law or other applicable Australian or United States federal or state data protection law, or foreign data protection law. All references to Biteable (the Data Processor) in this Data Processing Agreement are references to Biteable Inc., except when the Data Controllers is a resident of Australia. For those Data Controllers, all Biteable references are to Biteable Pty Ltd.
1.4. Insofar as the Data Processor will be processing Personal Data subject to EU Data Protection Law or other applicable Australian, United States, or foreign data protection law on behalf of the Data Controller in the course of the Services, the terms of this Data Processing Agreement shall apply. Personal Data may include but not be limited to names and addresses; phone numbers or other contact information; payment information; photos, videos, audio, and/or text content.
1.5. To the extent that the Personal Data meets the California Consumer Privacy Act (“CCPA”)’s definition of “Personal Information,” Data Controller and Data Processor are each a “service provider” as defined by the CCPA and neither will: (i) sell the Personal Data; (ii) retain, use, or disclose the Personal Data for any purpose other than for the specific purpose of performing the Services; (iii) retain, use, or disclose the Personal Data for a commercial purpose other than providing the Services; or (iv) retain, use, or disclose the Personal Data outside of the direct business relationship between the Parties. Data Processor and Data Controller agree that they understand these restrictions and will comply with them.
2. The Data Controller and the Data Processor
2.1. By its agreement to the Terms, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. The Data Processor will process the Personal Data only as agreed to by the Data Controller in the Terms.
2.2. The Data Processor will only process the Personal Data as required to comply with legal obligations to which the Data Processor is subject.
2.3. The Parties have agreed to the Terms in order to benefit from the expertise of the Processor in processing the Personal Data for the purposes set forth in the Terms. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Data Processing Agreement and the Terms.
2.4. Data Controller warrants that it has all necessary rights to provide the Personal Data to Data Processor for the Processing to be performed in relation to the Services. To the extent required by the EU Data Protection Law or other applicable Australian, United States, or foreign data protection law, Data Controller is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by the data subject, Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and pursuant to the Terms, Data Processor remains responsible for implementing any Data Controller instruction with respect to the further processing of that Personal Data.
2.5. Data Controller grants authorization to Data Processor to appoint third parties as processors. Please email Data Processor at email@example.com at any time to request a list of our sub-processors. When Data Processor engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in this Data Protection Agreement shall be imposed on that sub-processor as required by any relevant law.
3.1. The Data Controller and Data Processor shall implement the appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk. These measures shall include as appropriate:
a. the pseudonymization and encryption of personal data as directed by law or contract;
b. implementing the appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including applying these measures to all persons who are granted access to the personal data.
c. in assessing the appropriate level of security, account shall be taken of the risks that are presented by processing.
d. Data Processor shall notify Data Controller without undue delay after becoming aware of a Personal Data breach. This notice will comply with all relevant legal standards and contractual obligations. Data Processor’s notification or response under this Section shall not be construed as an acknowledgement by Processor of any fault or liability with respect to such breach.
e. as appropriate, the Data Processor shall at all times have in place written security policies with respect to the processing of Personal Data, outlining the measures set forth in this Section 3.
f. at the request of the Data Controller, Data Processor will make available to Data Controller all information necessary to demonstrate compliance with all relevant data privacy law requirements and allow for audits, including inspections, conducted by Data Controller and immediately inform Data Controller if, in its opinion, an instruction infringes relevant data privacy law requirements. In accordance with relevant legal requirements, Data Processor may charge a fee (based on Data Processor’s reasonable costs) for any audits under this Section if the request is manifestly unfounded or excessive. If Data Controller requests a service that will incur a fee, Data Processor will inform Data Controller of the fee amount in writing in advance.
4. Improvements to Security
4.1. The Parties acknowledge that security requirements are constantly changing and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Section 3 of this Agreement on an on-going basis and will supplement and improve these measures in order to maintain compliance with the requirements set out in Section 3 of this Agreement.
4.2. If an amendment to this Agreement is necessary in order to execute a Data Controller’s instruction to the Data Processor to improve security measures as may be required by applicable data protection laws, the Parties shall negotiate an amendment to this Agreement.
5. Data Transfers
5.1. Data Controller acknowledges and agrees that Data Processor processes data in the United States and Australia and that Data Controller’s provision of Personal Data to Data Processor for processing is the transfer of Personal Data to the United States.
6. Information Obligations and Incident Management
6.1. When the Data Processor becomes aware of a personal data breach that impacts the Processing of the Personal Data that is the subject of the Terms, it shall promptly notify the Data Controller about the breach and shall cooperate with the Data Controller to take suitable further steps in respect of the Incident. Data Processor’s notification or response under this Section shall not be construed as an acknowledgement by Data Processor of any fault or liability with respect to the breach.
6.3. The Data Processor shall at all times have in place written procedures which enable it to respond to a breach.
6.4. Any notifications made to the Data Controller pursuant to this Section 6 shall be addressed to Customer and shall contain:
a. a description of the nature of the Incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
b. a description of the likely consequences of the Incident; and
c. a description of the measures taken or proposed to be taken by the Data Processor to address the Incident including, where appropriate, measures to mitigate its possible adverse effects.
7. Returning or Destruction of Personal Data
7.1. Without prejudice to the Terms or any relevant legal requirements, upon termination of this Data Processing Agreement, upon the Data Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy, or return all Personal Data to the Data Controller and destroy or return any existing copies. Data Processor may charge a fee (based on Data Processor’s reasonable costs) for responding to data deletion requests under this Section if the request is manifestly unfounded or excessive. If Data Controller requests a service that will incur such a fee, Data Processor will inform Data Processor of the fee amount in advance.
7.2. The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
8. Assistance to Data Controller
8.1. The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the EU Data Protection Law or other relevant legal requirement. The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to Section 3 of this Agreement and prior consultations with supervisory authorities required under Article 36 of the EU Data Protection Law taking into account the nature of processing and the information available to the Data Processor.
8.2. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
9.1. Termination or expiration of this Data Processing Agreement shall not discharge the Data Processor from its security obligations pursuant to Section 3 of this Data Processing Agreement.
9.2. The Data Processor shall process Personal Data until the date of termination of the Data Processor/Data Controller engagement, unless directed otherwise by a relevant law or regulation, or instructed otherwise by the Data Controller, or until such data is returned or destroyed on the instruction of the Data Controller.