Data Processing Addendum

If you, the producing party (the “Producing Party” or “you” or “your”), are subject to various Data Protection Laws (as defined below), then the terms of this Data Processing Addendum (“DPA”) are incorporated by reference into any agreement between you and the party receiving any Customer Data (the “Recipient Party”, “we”, “us” and “our”) (the “Agreement”). By agreeing to the terms of this DPA, Producing Party and Recipient Party are agreeing to abide by the various data protection laws (“Data Protection Laws”) applicable to the processing of personal information in the jurisdictions where you and we are located or doing business. Capitalized terms not herein defined shall have the same meanings as in the Agreement.

In the course of providing services under the Agreement, Recipient Party may process certain personal information on your behalf (“Customer Data”). Where Recipient Party processes such personal information on behalf of Producing Party, Recipient Party and Producing Party agree to comply with the terms and conditions in this DPA in connection with such Customer Data.

Data Processing Clauses

1. Recipient Party’s obligations
1.1 We shall process Customer Data and information provided by you or your Authorized End Users within the scope of the Agreement, for the purpose of service provision during the term of the Agreement, and pursuant to your documented instructions (unless required to process Customer Data other than instructed by applicable law, in which case we will, before processing Customer Data in accordance with that law, inform you unless that law prohibits us from doing so). You warrant your collection and sharing of Customer Data with us and our processing of Customer Data solely in accordance with the Agreement shall comply with Data Protection Laws. We shall not compile copies or duplicates without your approval, except for copies made for backup or disaster recovery purposes.
1.2 Annex A of this DPA contains a list of the categories of Customer Data, the data subjects concerned, the nature and purpose of processing.
2. Authority to issue instructions
2.1 We agree, without limitation, to strictly follow any instructions given by you under the Agreement as well as those issued on an individual basis regarding the collection, processing and/or usage of Customer Data. This includes but is not limited to instructions on the blocking, correction or deletion of Customer Data. Our obligations under this Section 2.1 shall be subject to Section 2.3.
2.2 Instructions may only be issued by your authorized officers, data protection officers or the manager of your legal department, if applicable (hereinafter “persons authorized to issue instructions”). The persons authorized to issue instructions shall have the right to make written appointments of additional persons authorized to issue instructions.
2.3 You warrant that you shall give only lawful instructions conforming to applicable Data Protection Laws. If we hold the view that any instruction of yours contravenes Data Protection Laws and/or the Agreement, we will notify you, and we are entitled to suspend execution of the instruction concerned, until you confirm such instruction in writing. We have the right to deny the execution of an instruction – even if issued in writing – in case we conclude that we would be liable under Data Protection Laws if we execute the instructions you have provided.
3. Data Security
3.1 We undertake to maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), pursuant to applicable Data Protection Laws, and keep Customer Data confidential. We will ensure that such persons with access to Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 We agree that we make our applicable employees familiar with the relevant provisions of data protection regulations. We shall supervise compliance of such employees with applicable Data Protection Laws.
4. Sub-Processing
4.1 In accordance with the provisions of this DPA and the Agreement, you acknowledge and agree that Recipient Party, Recipient Party affiliates (“Recipient Party Affiliates”) or the third-party providers engaged to provide the Services provided (which are hereby designated as sub-processors for the purpose of processing Customer Data) may store or process Customer Data in various data centers around the world and that Customer Data might not be hosted within the country in which you are located, provided that (a) notwithstanding any notice requirement in the Agreement, we shall not engage a sub-processor processing Customer Data without your authorization and give you an opportunity to review such engagement and reasonable time to make any objection to such changes (we may provide notice via electronic communication or published on our website); and (b) the sub-processors processing Customer Data are subject to the same data protection obligations or the same level of protection as are contained in the DPA. Producing Party agrees to raise any reasonable objections in writing within ten (10) business days of such notification. You confirm that Section 4.1 constitutes general written authorization for the purposes of GDPR. We shall remain liable for any processing of Customer Data carried out by sub-processors engaged under the Agreement. Upon your request, we will tell you where Customer Data is located. Notwithstanding anything to the contrary in this Section, if we and you have agreed that Customer Data will be stored in any particular location, we will store such Customer Data in the agreed location.
4.2 You acknowledge and agree that Recipient Party may transfer Customer Data to any country outside the European Economic Area (“EEA”) or to any country which has not been the subject of a European Commission adequacy decision provided such a transfer is made pursuant to an appropriate legal transfer mechanism, such as a valid certification under the EU-US Privacy Shield Framework, EU Commission Model Clauses or any other legal transfer mechanism. To the extent that the legal transfer mechanism relied on is declared invalid (by, for example, a competent court or authority), Recipient Party shall cooperate with Producing Party in good faith to find an alternative legal transfer mechanism.
5. Audit
5.1 Recipient Party has obtained third-party certifications and audits and upon Producing Party’s request shall make these reports available to Producing Party. Recipient Party shall make available to Producing Party information regarding Recipient Party’s compliance with the obligations set forth in this DPA.
5.2 You have the right to audit our compliance with the Data Protection Laws and the stipulations entered into between the Parties (including the technical and organizational measures), by requesting information about and reasonably inspecting storage of the Customer Data, and implemented policies and security incident reports, subject to reasonable prior notice of at least ten (10) business days in advance and, to the extent reasonably possible, without interfering with our regular business operations. Producing Party and Recipient Party shall mutually agree upon the scope, timing and duration of the audit.
5.3 Upon your request, Recipient Party shall provide reasonable cooperation needed to fulfill Producing Party’s obligations under the General Data Protection Regulation (“GDPR”) to carry out a data impact assessment related to Producing Party’s use of the services, to the extent that Producing Party does not otherwise have access to the information requested, and to the extent such information is available to Recipient Party. Recipient Party shall provide reasonable assistance and cooperation to Producing Party in these circumstances.
5.4 Producing Party agrees that, taking into account the nature of the processing of Customer Data under the Agreement, by providing the assistance and information contained in this Agreement, we have assisted you in ensuring compliance with your obligations in respect of data protection impact assessments and prior consultation under Articles 35 and 36 of the GDPR.
6. Security Incident Management
6.1 In accordance with the Data Protection Laws and other industry standards, Recipient Party has appropriate policies and procedures in place to manage a security incident (“Incident”).
6.2 In accordance with the Data Protection Laws, Recipient Party shall notify you without undue delay in the event of a data breach relating to Customer Data, of which Recipient Party reasonably suspects or knows to have occurred, and which requires a notification to be made to a supervisory authority under the applicable Data Protection Laws. Recipient Party shall provide commercially reasonable cooperation and assistance in identifying the cause of the Incident and take all commercially reasonable steps to remediate the Incident to the extent within Recipient Party’s control.
6.3 You agree that, given the nature of the processing, Section 6.1 satisfies our obligation to assist you with your obligations under Articles 33 and 34 of the GDPR.
6.4 In addition, we shall give you reasonable notice about:

(a) Any legally binding request for disclosure of the Customer Data by a law enforcement authority or other organization or body, unless prohibited by law; and

(b) Any request received directly by us from a data subject or other deletion request. Taking into account the nature of the processing activities, Recipient Party shall reasonably cooperate with Producing Party to fulfill Producing Party’s obligation to respond to any individual’s request for data deletion, and such rights are afforded to the individual under the Data Protection Laws. To the extent legally permitted Producing Party shall be responsible for any reasonable costs or fees associated with responding to such requests.

7. Deletion of Data
7.1 Upon expiration or earlier termination of the processing services, or such earlier time as you request, we agree, at your request, to:

(a) return to you or your designee; or

(b) securely destroy or render unreadable or undecipherable,
the relevant Customer Data in our possession, custody or control.

7.2 We shall ensure from an organizational perspective that Customer Data can be deleted within a reasonable time frame consistent with your request or deletion requirements established in the Agreement, except that we shall not be obliged to delete Customer Data from archival and back-up files except as in line with our company data deletion schedule as permitted under Data Protection Laws. If you request deletion of Customer Data in archival and back-up files, you shall bear the costs, including costs for business interruptions, associated with such request.
8. Final Provisions
8.1 Unless specifically stipulated to the contrary by Producing Party and Recipient Party, the duration of the commissioned data processing specified by this DPA shall be coterminous with the term of the Agreement.
8.2 Notwithstanding any notice requirements in the Agreement, we may update this DPA from time to time to better reflect changes to the law, new regulatory requirements or improvement to the service. If any update to the DPA materially affects your use of the service or your rights herein, we will provide 30 calendar days’ prior notice or in-product notification. Your continued use of the service shall constitute acceptance to be bound by the updated DPA.
8.3 In the event of a conflict between this DPA and any other provision of the Agreement between you and us, this DPA will prevail; provided that if you and we have agreed in an Order Form to any terms that are different from this DPA, the terms in such Order Form will prevail.
9. California Consumer Protection Act Provisions
9.1 This section applies to the extent that Recipient Party processes Customer Data subject to the California Consumer Protection Act (“CCPA”).
9.2 Producing Party and Recipient Party acknowledge and agree that Recipient Party is a “service provider” and may receive personal information pursuant to the business purpose of providing services to Producing Party in accordance with the Agreement. For the avoidance of doubt, Recipient Party shall not (i) sell personal information; (ii) retain, use, or disclose personal information for any purpose other than for the specific purpose of performing the services, including retaining, using or disclosing personal information outside of the direct business relationship between Producing Party and Recipient Party. Recipient Party acknowledges its obligations under the CCPA and shall comply with all requirements of the CCPA to the extent applicable to Recipient Party and its products and services.