Effective on: July 25, 2019
This Praxonomy Data Processing Addendum (this "Addendum") is entered into by and between Praxonomy Limited, a company incorporated and registered in Hong Kong with place of business at 3/F, Remex Centre, 42 Wong Chuk Hang Road, Wong Chuk Hang, Hong Kong ("Praxonomy"), and [FULL COMPANY NAME], a company incorporated and registered in [COUNTRY/STATE OF CORPORATION] with place of business at [REGISTERED OFFICE ADDRESS] (the "Client") (each, a "Party" and, collectively, the "Parties"). This Addendum will become effective when the last Party signs it, as indicated by the date below that Party's signature (the "Effective Date"). The Parties originally entered into the Praxonomy Standard Terms and Conditions of the SaaS Agreement (the "Service Agreement") on [DATE OF SERVICE AGREEMENT].
Recitals
WHEREAS, the Parties entered into the Service Agreement and have retained the power to alter, amend, revoke, or terminate the Service Agreement, as provided in the Service Agreement; and
WHEREAS, the Parties now wish to amend the Service Agreement to ensure that Client Personal Data (as defined below) transferred between the Parties is Processed (as defined below) in compliance with applicable data protection principles and requirements and in accordance with this Addendum, which shall form part of the Service Agreement;
NOW, THEREFORE, in consideration of the mutual agreements set forth in this Addendum, the Parties agree as follows:
- Definitions.
- The definitions used in this Addendum shall have the meanings set forth or referenced in this Addendum. Capitalised definitions, not otherwise defined herein, shall have the meaning given to them in the Service Agreement. Except as modified or supplemented below, the definitions of the Service Agreement, as well as all the other terms and conditions of the Service Agreement, shall remain in full force and effect.
- For the purpose of interpreting this Addendum, the following terms shall have the meanings set out below:
- "Applicable Laws" means all laws applicable to the Processing of Client Personal Data, including EU Data Protection Laws, other laws of the European Union or any Member State thereof, and the laws of any other country to which the Client or the Client Personal Data is subject;
- "Client" means the party that has entered into this Addendum with Praxonomy, as indicated in the opening paragraph of this Addendum, including all affiliates of that entity that are also bound by the Service Agreement, if any;
- "Client Personal Data" means any Personal Data Processed by Praxonomy or a Subprocessor on behalf of the Client pursuant to or in connection with the Service Agreement;
- "Contracted Processor" means Praxonomy, a Subprocessor, or both collectively;
- "EU Data Protection Laws" means the GDPR, the domestic legislation of each Member State implementing and supplementing the GDPR, as well as other laws of the European Union or any Member State thereof to which the Processing of Client Personal Data is subject, as amended, replaced, or superseded from time to time;
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation);
- "Restricted Transfer" means any transfer of Client Personal Data that would be prohibited by Applicable Laws in the absence of the execution of the Standard Contractual Clauses or another lawful data transfer mechanism, as set out in Section 12 below;
- "Services" means the services and other activities to be supplied to or carried out by or on behalf of Praxonomy for the Client pursuant to the Service Agreement;
- "Standard Contractual Clauses" means the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller to processor transfers), as set out in the Annex to Commission Decision 2010/87/EU; and
- "Subprocessor" means any person (including any third party but excluding an employee of Praxonomy or an employee of any of its sub-contractors) appointed by or on behalf of Praxonomy to Process Client Personal Data on behalf of the Client in connection with the Service Agreement.
- The terms "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing", "Processor", "Rights of the Data Subjects", and "Supervisory Authority", whether capitalised or not, shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Applicability.
- This Addendum will not apply to the Processing of Client Personal Data, where such Processing is not regulated by Applicable Laws. The Parties to this Addendum hereby agree that the terms and conditions set out herein shall be added as an addendum to the Service Agreement. Except where the context requires otherwise, references in this Addendum to the Service Agreement are to the Service Agreement as amended or supplemented by, and including, this Addendum.
- This Addendum is subject to the terms of the Service Agreement and is incorporated into the Service Agreement. Interpretations and defined terms set forth in the Service Agreement apply to the interpretation of this Addendum. The Terms of this Addendum shall take effect on the Effective Date and shall continue concurrently for the term of the Service Agreement.
- The Parties agree that in the event of any conflict between the Service Agreement (including any annexes and appendices thereto) and this Addendum, the provisions of this Addendum shall control.
- Processing of Client Personal Data.
- In the context of this Addendum and for the purpose of EU Data Protection Laws, the Client acts as a Personal Data Controller and Praxonomy acts as a Personal Data Processor with regard to the Processing of Client Personal Data.
- Praxonomy shall:
- process Client Personal Data only to the extent, and in such manner, as is necessary for the provision of services under the Service Agreement and for no other purpose;
- not Process Client Personal Data other than on the Client's relevant documented instructions, including with regard to transfers of Client Personal Data to a country or organisation outside of the EEA, unless such Processing is required by Applicable Laws to which the relevant Contracted Processor is subject, in which case Praxonomy shall, to the extent permitted by Applicable Laws, inform the Client of that legal requirement before the applicable act of Processing;
- only conduct transfers of Client Personal Data to Subprocessors outside of the EEA, in compliance with all applicable conditions, as laid down in the EU Data Protection Laws;
- not retain, delete, or otherwise Process Client Personal Data contrary to or in the absence of the direct instructions of the Client, provided, however, that the Client expressly and irrevocably authorises such retention, deletion, or other Processing if and to the extent required or allowed by any applicable law; and
- immediately inform the Client in the event that, in Praxonomy's opinion, a Processing instruction given by the Client may infringe Applicable Laws.
- The Client shall provide to Praxonomy the name and contact details of the Client's data protection officer, if any, and the name and contact details of the Client's representative in the European Union, if any, for the purposes of agreeing and documenting the Client Personal Data and other information to be Processed. The Client shall promptly update, when necessary, all such information, and keep all such information complete and up to date, by providing Praxonomy with the updated information, as necessary.
- The Client instructs Praxonomy (and authorises Praxonomy to instruct each Subprocessor) to Process Client Personal Data, and in particular, transfer Client Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Service Agreement and this Addendum.
- The Client retains control of the Client Personal Data and remains responsible for its compliance obligations under the EU Data Protection Laws, and for the Processing instructions it gives to Praxonomy.
- The Client represents and warrants that it has all necessary rights to provide the Client Personal Data to Praxonomy for the purpose of Praxonomy and its Subprocessors Processing such data within the scope of this Addendum and the Service Agreement.
- Praxonomy Personnel.
- Praxonomy shall take reasonable steps to ensure the reliability of any employee, agent, or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant Client Personal Data, as strictly necessary for the purposes of the Service Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to formal confidentiality undertakings or professional or statutory obligations of confidentiality.
- Security of Processing.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity to the rights and freedoms of natural persons, Praxonomy shall, with regard to Client Personal Data, implement and maintain appropriate technical and organisational security measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Praxonomy shall take account, in particular, of the risks that are presented by the nature of such Processing activities, and particularly those related to possible Personal Data Breaches.
- Subprocessing.
- The Client authorises Praxonomy to appoint (and permit each Subprocessor appointed in accordance with this Section 6 to appoint) Subprocessors in accordance with this Section 6 and any possible further restrictions, as set out in the Service Agreement and this Addendum.
- Praxonomy may continue to use those Subprocessors already engaged by Praxonomy as of the Effective Date subject to Praxonomy meeting the obligations set out in Section 6.4. The list of Praxonomy Subprocessors is located at: https://www.praxonomy.com/legal/subprocessors.
- Praxonomy shall, at least 45 days before appointing any new Subprocessor, inform the Client of the appointment by updating the list of Praxonomy Subprocessors on Praxonomy’s website. If the Client objects to Praxonomy’s appointment of such Subprocessor, Client may, as its sole and exclusive remedy, terminate the Service Agreement by giving written notice to Praxonomy within 30 days of the notice of such appointment.
- With respect to each Subprocessor, Praxonomy shall:
- carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Client Personal Data required by this Addendum, the Service Agreement, and Applicable Laws before the Subprocessor first Processes Client Personal Data or, where applicable, in accordance with Section 6.2; and
- ensure that the arrangement between: on the one hand, (i) Praxonomy, or (ii) the relevant intermediate Subprocessor; and on the other hand, the respective prospective Subprocessor, is governed by a written contract, including terms which offer at least the same level of protection for Client Personal Data as those set out in this Addendum, and that such terms meet the requirements of Article 28(3) of the GDPR.
- Rights of the Data Subjects.
- Taking into account the nature of the Processing (in particular, that the Processing is carried out through a hosted technology platform which is not bespoke or specific to the Client), Praxonomy shall assist the Client by implementing appropriate technical and organisational measures, insofar as this is reasonable and possible, for the fulfilment of the Client's obligations, as reasonably understood by the Client, to respond to requests to exercise Rights of the Data Subjects under the Applicable Laws.
- With regard to Rights of the Data Subjects within the scope of this Section 7, Praxonomy shall:
- promptly notify the Client if it receives, or becomes aware that, any other Contracted Processor receives, a request from a Data Subject under any Applicable Laws in respect of Client Personal Data; and
- ensure that it does not, and require that any other Contracted Processor does not, respond to that request, except on the documented instructions of the Client, or as required by Applicable Laws to which the Contracted Processor is subject, in which case Praxonomy shall, to the extent permitted by Applicable Laws, inform the Client of that legal requirement before the Contracted Processor responds to the request.
- Personal Data Breach.
- Praxonomy shall notify the Client without undue delay upon Praxonomy becoming aware of a Personal Data Breach affecting Client Personal Data and shall require any Subprocessor to notify Praxonomy without undue delay of any Personal Data Breach of which it becomes aware, providing the Client with sufficient information to allow the Client to meet any obligations pursuant to the Applicable Laws to report to the Supervisory Authorities or any other competent authorities and inform the Data Subjects of the Personal Data Breach.
- Praxonomy shall co-operate with the Client and take all reasonable commercial steps to assist the Client in the investigation, mitigation, and remediation of each such Personal Data Breach.
- Praxonomy’s notification of or response to a Personal Data Breach under this Section 8 will not be construed as an acknowledgement by Praxonomy of any fault or liability with respect to the Personal Data Breach. Client shall be responsible for Praxonomy’s reasonable costs in respect of its assistance pursuant to this Section 8 unless the Personal Data Breach is as a result of a breach by Praxonomy of its obligations under this Addendum or a breach by a Praxonomy Subprocessor of the Subprocessor’s obligations under the agreement implemented between Praxonomy and that Subprocessor.
- Data Protection Impact Assessment and Prior Consultation.
- Praxonomy shall provide the Client with relevant documentation, such as, if available, an audit report (upon a written request and subject to obligations of confidentiality), with regard to any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, when the Client reasonably considers that such data protection impact assessments or prior consultations are required pursuant to Article 35 or 36 of the GDPR, or pursuant to the equivalent provisions of any other Applicable Laws but, in each such case, solely with regard to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the respective Contracted Processors.
- Deletion or Return of Client Personal Data.
- Praxonomy shall provide the Client with the technical means, consistent with the way the Services are provided, to request the deletion of Client Personal Data within the term of this Addendum and the Service Agreement, unless Applicable Laws require or allow storage of any such Client Personal Data.
- Praxonomy shall promptly, within six months following the date of termination of Services involving the Processing of Client Personal Data, delete all Client Personal Data, as well as delete existing copies, unless Applicable Laws require or allow storage of any such Client Personal Data. Additionally, Praxonomy shall, if requested by the Client within 30 days following the date of termination of Services, return such personal data to the Client.
- Audit Rights.
- Where the Client is entitled to and desires to review Praxonomy's compliance with the EU Data Protection Laws, the Client may request, and Praxonomy will provide (subject to obligations of confidentiality) relevant documentation, or any relevant audit report Praxonomy might have been issued. If the Client, after having reviewed such audit report(s), still reasonably deems that it requires additional information, Praxonomy shall further reasonably assist and make available to the Client, upon a written request and subject to obligations of confidentiality, all other information (excluding legal advice) and/or documentation reasonably necessary to demonstrate compliance with this Addendum, and the obligations pursuant to Articles 32 to 36 of the GDPR in particular, and shall, subject to receiving reasonable notice and subject further to Client complying with any reasonable requirements and conditions imposed by Praxonomy, allow and contribute to audits, including remote inspections of the Services, by the Client or an auditor mandated by the Client with regard to the Processing of the Client Personal Data by the Contracted Processors. Praxonomy shall provide the assistance described in this Section 11, insofar as in Praxonomy's reasonable opinion such audits, and the specific requests of the Client, do not interfere with Praxonomy's business operations or cause Praxonomy to breach any legal or contractual obligation to which it is subject.
- The Client agrees to pay Praxonomy, upon receipt of invoice, a reasonable fee based on the time spent, and materials expended, in relation to the Client exercising its rights under this Section 11 or Clause 5(f) of the Standard Contractual Clauses, as set out in Exhibit B, attached hereto and incorporated by reference, and which constitute an integral part of this Addendum (the "Standard Contractual Clauses").
- Restricted Transfers.
- The Client (as "data exporter") and Praxonomy (as "data importer") hereby enter into, as of the Effective Date, the Standard Contractual Clauses. The Parties are deemed to have accepted and executed the Standard Contractual Clauses in their entirety, including the appendices.
- With regard to any Restricted Transfer from the Client to Praxonomy within the scope of this Addendum, one of the following transfer mechanisms shall apply, in the following order of precedence:
- the Standard Contractual Clauses (insofar as the prospective Restricted Transfer would be considered lawful under this mechanism); or
- any other lawful basis, as laid down in Applicable Laws.
- In cases where the Standard Contractual Clauses apply and there is a conflict between the terms of the Addendum and the terms of the Standard Contractual Clauses, the terms of the Standard Contractual Clauses shall control.
- General Terms.
- All clauses of the Service Agreement that are not explicitly amended or supplemented by the clauses of this Addendum shall remain in full force and effect and shall apply so long as they do not contradict Applicable Laws.
- Should any provision of this Addendum be found invalid or unenforceable pursuant to any applicable law, then the invalid or unenforceable provision will be deemed superseded by a valid, enforceable provision that most closely matches the intent of the original provision and the remainder of the Addendum will continue in effect.
- If Praxonomy makes a determination that it can no longer meet its obligations in accordance with this Addendum, it shall promptly notify the Client of that determination, and cease the Processing or take other reasonable and appropriate steps to remediate.
DPA Exhibits and Appendices_18102018