DATA PROCESSING ADDENDUM
Last Updated: July 24, 2019.
Previous versions of this Data Processing Addendum (“DPA”) are available here.
This DPA applies when it is referred to in Service Terms that apply to an Order Form executed by Customer and Athennian. The Service Terms are available in the Legal Terms Portal. Terms having a meaning defined in the Service Terms will have the same meaning when used in this DPA. This DPA is subject to the Service Terms, including the provisions of the Service Terms that limit the liability of Athennian, its affiliates, and other persons.
Athennian may amend this DPA from time to time, with or without prior notice. The amended DPA will become effective when posted in the Legal Terms Portal.
1. APPLICATION OF THIS DPA
If any data submitted by or for Customer to the Athennian Services includes personal data, and if some or all of that personal data is subject to the GDPR, then this DPA governs the processing of the personal data that is subject to the GDPR. Certain terms used in this DPA have the meanings given to them in the “Definitions” section of this DPA.
2. DATA PROCESSING
Customer and Athennian agree that Customer is the controller of Customer Data and Athennian is the processor of Customer Data, as those roles are defined in the GDPR.
2.2 Details of Data Processing.
(a) Subject matter. The subject matter of the processing under this DPA is Customer Data provided by Customer to Athennian in connection with the Services.
(b) Duration. The duration of the processing under this DPA is the duration of the subscription term for the Services, as provided in the Agreement.
(c) Nature and purpose. The nature and purpose of the data processing under this DPA is the provision of the Services ordered by Customer under the Agreement, as more particularly described in the Documentation.
(d) Type of personal data. The type of personal data that will be processed under this DPA is Customer Data provided by Customer to the Services, as more particularly described in the Documentation.
(e) Categories of data subjects. The categories of data subjects whose data will be processed under this DPA may include (i) shareholders, partners, limited partners, directors, officers, employees and other individuals connected with corporations and other entities, the records of which are managed by Customer using the Services, and (ii) Customer’s employees and end-users.
2.3 Compliance with Laws.
Each party will comply with all Applicable Laws in the performance of this DPA, including the GDPR.
3. CUSTOMER INSTRUCTIONS
The parties agree that this DPA, the Agreement, and the provision by Customer of instructions via features, tools and APIs made available by Athennian for the Services constitute Customer’s documented instructions regarding Athennian’s processing of Customer Data (“Documented Instructions”), including with respect to transfers of personal data to a third country or an international organization. Athennian will process Customer Data only in accordance with Documented Instructions. Customer agrees that the Documented Instructions are Customer’s complete and final instructions to Athennian in relation to processing of Customer Data. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Athennian and Customer, including agreement on any additional fees payable by Customer to Athennian for carrying out such instructions. Customer will ensure that the Documented Instructions comply with all Applicable Laws, and that the processing of Customer Data in accordance with the Documented Instructions will not cause Athennian to be in breach of any Applicable Laws. Customer has sole responsibility for the legality, reliability, integrity, accuracy and quality of Customer Data and of the means by which Customer acquires Customer Data, and will establish the legal basis for processing under Applicable Laws. Athennian will immediately inform Customer if Athennian is of the opinion that a Documented Instruction infringes the GDPR or other Applicable Laws of the European Union or of a member state of the European Union.
4. USE AND DISCLOSURE OF CUSTOMER DATA
4.1 Use and Disclosure of Customer Data.
Athennian will only use Customer Data to provide the Services to Customer, except with the prior written consent of Customer or as otherwise expressly permitted under this DPA or the Agreement. Athennian will not disclose Customer Data outside of Athennian or its Affiliates except (a) as Customer directs or as required to provide the Services, (b) to Customer’s third party service providers as directed by Customer, (c) to sub-processors as described in the section titled “Sub-Processing”, (d) as otherwise described in this DPA or the Agreement, or (e) as required by Applicable Laws of the European Union or of a member state of the European Union to which Athennian is subject.
4.2 Disclosure of Customer Data under Applicable Laws of the European Union.
If Athennian is required to disclose Customer Data by Applicable Laws of the European Union or of a member state of the European Union to which Athennian is subject, then Athennian will promptly notify Customer unless prohibited by law. Upon receipt of any other third-party request for Customer Data, Athennian will promptly notify Customer unless prohibited by law. Athennian will reject the request unless required by law to comply. If the request is valid, Athennian will attempt to redirect the third party to request the Customer Data directly from Customer.
5. ATHENNIAN PERSONNEL
Athennian will ensure that its personnel authorized to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Athennian will take steps to ensure that its personnel authorized to process Customer Data do not process Customer Data except pursuant to the Documented Instructions.
6.1 Athennian Security Measures.
Athennian will implement and maintain appropriate technical and organizational measures to protect Customer Data, including measures to protect Customer Data from unauthorized access, use, modification, deletion, loss or disclosure. Those measures will be set forth in an Athennian Security Program. Athennian will make that Athennian Security Program available to Customer, along with other information reasonably requested by Customer regarding Athennian security practices and policies.
6.2 Customer Responsibilities.
Customer is solely responsible for making an independent determination as to whether Athennian’s technical and organizational measures for the Services meet Customer’s requirements, including any of its security obligations under the GDPR or other Applicable Laws. Customer agrees that (taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the risks to individuals) Athennian’s technical and organizational measures for the Services provide a level of security appropriate to the risk.
Customer agrees that Athennian may use sub-processors to provide the Services to Customer, to fulfill its contractual obligations under this DPA, or to provide certain services on its behalf. Customer consents to Athennian’s use of sub-processors as described in this section.
7.2 Agreements with Sub-processors.
Athennian will enter into a written agreement with the sub-processor (a) permitting the sub-processor to access and use Customer Data only to deliver the services Athennian has retained the sub-processor to provide and for no other purpose, and (b) requiring the sub-processor to provide at least the level of data protection required of Athennian under this DPA. Athennian will be liable for the acts and omissions of any sub-processors to the same extent as if the acts or omissions were performed by Athennian.
7.3 Sub-Processor List.
A list of the sub-processors that are currently engaged by Athennian to carry out processing activities on Customer Data on behalf of Customer is available on the Legal Terms Portal. Athennian will provide Customer with a mechanism to obtain a current list of sub-processors authorized to process personal data, and a mechanism to obtain notice of changes to that list. At least 14 days before Athennian engages any new sub-processor to carry out processing activities on Customer Data on behalf of Customer, Athennian will update the applicable list and provide Customer with a mechanism to obtain notice of that update through the Legal Terms Portal.
7.4 Controller Objection to New Sub-Processor.
Customer may object to Athennian’s use of a new sub-processor where there are reasonable grounds to believe that the new sub-processor will be unable to comply with the terms of this DPA or the Agreement. If Customer objects to Athennian’s use of a new sub-processor, Customer will notify Athennian promptly in writing within ten days after notification regarding such sub-processor. Customer’s failure to object in writing within such time period will constitute approval to use the new sub-processor. Customer acknowledges that Athennian’s inability to use a particular new sub-processor may result in delay in performing the Services, inability to perform the Services, or increased fees. Athennian will notify Customer in writing of any change to Services or fees that would result from Athennian’s inability to use a new sub-processor to which Customer has objected. Customer may either execute a written amendment to the Agreement implementing such change or elect to terminate the Agreement by notice to Athennian. If Customer elects to terminate the Agreement, then Customer will pay to Athennian a termination fee equal to the total of the minimum fees payable for the Services for the remainder of the subscription term applicable to the Services. Such termination will not constitute termination for breach of the Agreement. Athennian will have a right to terminate the Agreement if Customer unreasonably objects to a sub-processor, or does not agree to a written amendment to the Agreement implementing changes in fees or Services resulting from the inability to use the sub-processor at issue.
8. DATA SUBJECT RIGHTS
Athennian will, to the extent legally permitted, promptly notify Customer if (a) Athennian receives a request from a data subject for access to his or her own personal data, or for the rectification or erasure of such personal data, (b) Athennian receives any other request or query from a data subject relating to his or her own personal data, or (c) a data subject exercises any rights under the GDPR, such as rights of objection, restriction of processing, data portability or the right not to be subject to automated decision making (each, a “Data Subject Request”). Taking into account the nature of the processing, Athennian will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligations to respond to Data Subject Requests. Customer will pay for assistance performed by Athennian at the Professional Services Rates.
9. PERSONAL DATA BREACHES
Athennian will notify Customer without undue delay after becoming aware of a personal data breach, and will provide Customer with detailed information about the personal data breach to the extent reasonably possible and to the extent known. Athennian will use commercially reasonable efforts to provide to Customer the information required by Customer to fulfill any obligations under Applicable Laws to notify Customer regulators and data subjects of the personal data breach.
10.1 Athennian Audits.
For the purpose of evaluating Athennian’s compliance with the terms of this DPA, Athennian will provide Customer’s internal or external auditors with escorted access to Athennian’s office premises and to documents and records related to the Services, at Customer’s expense. For greater certainty, Customer auditors will not be entitled to access the data centers of the Data Center Service Provider from which the Services are provided without the consent of the Data Center Service Provider (which Athennian will request if asked to do so by Customer). Athennian will provide the Customer auditors with any assistance that they may reasonably request in connection with such audits. The audits must be conducted in a manner that minimizes the disruption to Athennian’s operations, during normal business hours, on at least 30 days’ prior notice, and not more than once each calendar year. External auditors must enter into a nondisclosure agreement with Athennian substantially similar to the confidentiality provisions of the Agreement. Customer will pay for work performed by Athennian to escort and assist the Customer auditors at the Professional Services Rates.
10.2 Demonstration of Compliance.
At Customer’s written request, Athennian will provide Customer with information to demonstrate Athennian’s compliance with its obligations under this DPA. Customer will pay for work performed by Athennian in response to the request at the Professional Services Rates.
11. PRIVACY IMPACT ASSESSMENTS AND PRIOR CONSULTATIONS
Taking into account the nature of the Services and the information available to Athennian, Athennian will assist Customer in complying with Customer’s obligations in respect of data protection impact assessments and prior consultation pursuant to Articles 35 and 36 of the GDPR. Customer will pay for assistance performed by Athennian at the Professional Services Rates.
12. TRANSFERS OF PERSONAL DATA
Customer Data will be stored in Canada, unless otherwise specified in the Order Form (the “Region”). Customer consents to the storage of Customer Data in, and the transfer of Customer Data into and out of, the Region, including the transfer of Customer Data across international borders. Athennian will not move Customer Data from the Region, except (i) as provided below, (ii) with the consent of Customer, or (iii) as necessary to comply with Applicable Laws or a binding order of a Governmental Authority (such as a subpoena or court order). If Customer provides Customer Data as part of a request for Support Services, Athennian may store and process that Customer Data in the locations from which Athennian provides those Support Services. To investigate fraud, abuse or violations of the Agreement, Athennian may process Customer Data where Athennian maintains its support and investigation personnel. Athennian does not control or limit the locations from which Customer or Customer’s end-users may access Customer Data or to which they may move Customer Data (except as otherwise provided under “Export Compliance” in the Agreement). Customer may interconnect the Services with certain other services provided by third parties. Athennian does not control or limit the locations from which such third parties may access Customer Data or to which they may move Customer Data (except as otherwise provided under “Export Compliance” in the Agreement).
12.2 Application of Standard Contractual Clauses.
The Standard Contractual Clauses will not apply to Customer Data that is transferred, either directly or by onward transfer, to (a) any country that is a member of the EEA, (b) an organization in the United States that is a participant in the Privacy Shield Framework (or any successor recognized by the European Commission), (c) Canada or any other country recognized by the European Commission as providing an adequate level of protection for personal data (as described in the GDPR), (d) any organization within the Athennian group of companies that is subject to binding corporate rules under the GDPR, or (e) any country or organization where the transfer is otherwise permitted under the GDPR. The Standard Contractual Clauses will apply to all other transfers of Personal Data to a country that is not a member of the EEA.
13. TERMINATION OF THIS DPA
This DPA will continue in force until the expiry or termination of the Agreement (the “Termination Date”).
14. RETURN OR DELETION OF CUSTOMER DATA
On request by Customer made within 90 days after the Termination Date, Athennian will make any Customer Data in Athennian’s possession or control available to Customer for export or download in JSON/BSON or similar open source format as reasonably agreed between the parties. After such 90-day period, Athennian will have no obligation to maintain or provide any Customer Data, and will delete or destroy all copies of Customer Data in its systems or otherwise in its possession or control, unless legally prohibited by Applicable Laws of the European Union or of a member state of the European Union to which Athennian is subject.
15. RECORDS OF PROCESSING ACTIVITIES
Athennian will maintain all records required by Article 30(2) of the GDPR and, to the extent applicable to the processing of Customer Data on behalf of Customer, will make those records available to Customer upon request.
16.1 Entire Agreement.
Except as amended by this DPA, the Agreement will remain in full force and effect.
16.2 Order of Precedence.
In the event of any inconsistency between a term of this DPA and a term of the Agreement, the term of this DPA will take precedence over the term of the Agreement.
16.3 Changes to Applicable Data Protection Laws.
If either party seeks changes to this DPA to comply with a change in Applicable Laws or a binding and final decision of a regulator with jurisdiction over the party’s processing of personal data, then the parties will discuss in good faith how to address any necessary changes.
“Agreement” has the meaning specified in the Service Terms that refer to this DPA.
“Applicable Laws” has the meaning specified in the Agreement and, for the purpose of this DPA, includes the GDPR.
“Customer Data” means personal data that is part of the data submitted by or for Customer to the Athennian Services and that is subject to the GDPR.
“Data Center Service Provider” has the meaning specified in the Agreement.
“data subject” has the meaning given to it in the GDPR.
“Documentation” has the meaning specified in the Agreement.
“EEA” means the European Economic Area.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Governmental Authority” has the meaning specified in the Agreement.
“Legal Terms Portal” has the meaning specified in the Agreement.
“personal data” has the meaning given to it in the GDPR.
“personal data breach” has the meaning given to it in the GDPR.
“processing” has the meaning given to it in the GDPR, and “process”, “processes” and “processed” will be interpreted accordingly.
“Professional Services Rates” has the meaning specified in the Agreement.
“Services” has the meaning specified in the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses (Processor) attached as an annex to the European Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC, or any successors to those clauses approved by the European Commission.
END OF DATA PROCESSING ADDENDUM