Appendix 5 – Data Processing Agreement
This Data Processing Agreement (the “DPA”) is entered into by you as our customer (“Controller”) and Crystallize as your supplier (the “Processor”).
The DPA forms part of the Service Terms (“Main Agreement”) entered into between the parties.
The DPA sets forth the terms and conditions pursuant to which the Processor shall process Personal Data on behalf of the Controller under the Main Agreement.
1Background and purpose
1.1Applicable Data Protection Laws require that a data processing agreement is entered into between a Controller and a Processor for the Processing of Personal Data and Information.
1.2For the purposes of fulfilling the Main Agreement, certain Personal Data and Information for which the Controller is data controller will be processed by the Processor.
1.3The parties have agreed to enter into this DPA with regard to the Processing of Personal Data, as required by the Applicable Data Protection Laws.
The following terms used in this DPA shall have the meanings set forth below.
“Applicable Data Protection Laws”
Means and includes:
- EU Data Protection Directive 95/46/EC, or other at any time applicable EU legislation, any national or internationally binding data protection laws, treaty or regulations applicable at any time during the term of this DPA to, as the case may be, the Controller or the Processor. “Applicable Data Protection Laws” includes any binding guidance, opinions or decisions of regulatory bodies, courts or other bodies, as applicable, as well as the European Union General Data Protection Regulation (hereinafter referred to as “GDPR”) when it enters into force on 25 May 2018 and national laws adopted pursuant to the GDPR and any relevant sector specific laws and regulations.
- California Consumer Privacy Act (hereinafter referred to as “CCPA”) including any amendments and any implementing regulations thereto that become effective on or after the effective date of this DPA.
- Virginia Consumer Data Protection Act (hereinafter referred to as “VCDPA”) including any amendments and any implementing regulations thereto that become effective on or after the effective date of this DPA.
Means you as Crystallize’s customer and includes:
- “Controller” as such term is defined in the GDPR.
- “Controller” as such term is defined in the VCDPA.
- “Business” as such term is defined in the CCPA.
Means and includes:
- “Data Subject” as such term is defined in the GDPR.
- “Consumer” as such term is defined in the VCDPA.
- “Consumer” as such term is defined in the CCPA.
“Personal Data Breach”
Means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
Means and includes:
- “Personal Data” as such term is defined in the GDPR: any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- “Personal Data” as such term is defined in the VCDPA: any information that is linked or reasonably associated to an identified or identifiable natural person.
- “Personal Information” as such term is defined in the CCPA: information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
Means and includes:
- “Processing” and “Process” as such terms are defined in the GDPR.
- “Processing” and “Process” as such terms are defined in the VCDPA.
- “Processing” and “Process” as such terms are defined in the GDPR.
Means Crystallize and includes:
- “Processor” as such term is defined in the GDPR.
- “Processor” as such term is defined in the VCDPA.
- “Service provider” as such term is defined in the CCPA.
Means the processing of Personal Data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
Means selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, Personal Data to another business or a third party for monetary or other valuable consideration.
Means a third-party subcontractor engaged by the Processor (or a Sub-processor) which, will Process Personal Data on behalf of the Controller.
Means an independent public authority which is established pursuant to Applicable Data Protection Laws for enforcing data protection of such regulation.
3Processing of Personal Data
3.1Warranty. The Processor warrants and represents, during the term of this DPA, that:
- It has implemented appropriate technical and organizational measures in such a manner that its processing of Personal Data under this DPA will meet the requirements of the Applicable Data Protection Laws and ensure the protection of the rights and freedoms of the Data Subject.
- That each person processing Personal Data on behalf of the Processor is subject to a duty of confidentiality with respect to the Personal Data.
- The Processor will not sell, retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing services set forth in this DPA. The Processor further certifies that it has reviewed and understands these restrictions as listed in the CCPA (Cal. Civ. Code § 1798.140(w)(2)).
The Controller warrants and represents, during the term of this DPA, that:
- It is responsible for complying with the Applicable Data Protection Laws as a Controller, including but not limited to, the collection of Personal Data, deciding how to use Personal Data, and obtaining all necessary consents and notices for the lawful processing of Personal Data.
- The Processor shall receive Personal Data pursuant to a “business purpose”, as such term is defined in the CCPA, or for any other purpose permitted by the CCPA.
3.2Instructions. The Processor undertakes to only Process Personal Data in accordance with documented instructions communicated by the Controller from time to time, unless required to do so pursuant to the Applicable Data Protection Laws. The Processor shall at any time be able to demonstrate it keeps records of the specific and current instructions from the Controller and how such instructions are implemented. The Controller’s Initial Instructions (see clause 10) to the Processor regarding the subject-matter and duration of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of data subjects are set forth in this DPA and in Attachment 1. Any instructions to Processor exceeding the scope of the Initial Instructions shall entitle Processor to receive renumeration in accordance with clause 10.
3.3 Continuous compliance. The Processor shall, when processing Personal Data under this DPA, comply with Applicable Data Protection Laws and applicable recommendations by the Supervisory Authority or other competent authorities. The Processor shall accept to make any changes and amendments to this DPA and the Processing that are required under Applicable Data Protection Laws, however subject to clauses 3.2 and 10.
3.4Data protection officer. The Processor shall designate a person responsible for data protection and compliance with the GDPR at the Processor.
3.5Privacy by design. To the extent the Processor designs the systems, procedures or processes under which the Processing take place, the Processor shall design such systems as to comply with the GDPR art. 25.
3.6 Data portability. To the extent the Processor designs the systems, procedures or processes under which the Processing takes place, the Processor shall ensure that data portability in compliance with the GDPR art. 20 may take place.
3.7 Assistance. The Processor shall assist the Controller in fulfilling its legal obligations under Applicable Data Protection Laws, including but not limited to the Controller’s obligation to respond to requests for exercising the Data Subject's rights to request information (register extracts) and for Personal Data to be corrected, blocked or erased at the Controller’s request. Upon request by the Controller, the Processor shall provide all necessary information to enable the Controller to conduct and document Data Protection Assessments under the Applicable Data Protection Laws.
3.8Information. The Processor shall immediately inform the Controller if the Processor does not have sufficient instructions on how to process Personal Data in a particular situation or if any instruction provided under this DPA or otherwise infringes Applicable Data Protection Laws.
3.9 Third party requests. If Data Subjects, competent authorities or any other third parties request information from Processor regarding the processing of Personal Data covered by this DPA, the Processor shall refer such request to the Controller. The Processor may not, without prior written consent from the Controller, transfer or in any other way disclose Personal Data or any other information relating to the processing of Personal Data to any third party. In the event the Processor, according to the Applicable Data Protection Laws, is required to disclose Personal Data that the Processor processes on behalf of the Controller, Processor shall be obliged to inform the Controller thereof immediately in writing. If the Controller does not give its written consent to disclosure, the Controller shall to the fullest possible extent under the law contest any such request and assist the Controller in same. If a transfer of Personal Data is to take place, the Processor shall ensure that it takes place subject to confidentiality and Processing obligations similar to those stipulated in the DPA.
3.10 No representative. The Processor may not in any legal capacity act on behalf of or as a representative of the Controller.
3.11 Additional measures. Upon the Controller’s reasonable request the Processor shall implement additional reasonable technical and organizational security measures and adjustments to the Processing activities. The Controller shall notify the Processor of any adjustments to the Controller’s instructions concerning security and the Processing of Personal Data in reasonable time in order to enable the necessary amendments to procedures to be implemented.
3.12Demonstration of compliance. The Processor shall at all times be able to demonstrate that it complies with the DPA and Applicable Data Protection Laws
3.13Transparency. The Processor undertakes to make available to the Controller all information and provide all assistance necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including on-site inspections, conducted by the Controller or another auditor mandated by the Controller. Upon request, the Processor shall make available to the Controller all information in its possession necessary for the Controller to demonstrate compliance with the obligations of the Applicable Data Protection Laws. The Processor shall further allow, and contribute to, reasonable audits and inspections by the Controller or the Controller’s designated auditor. Alternatively, the Processor may arrange for a qualified and independent auditor to conduct an audit of the Processor’s policies and technical and organizational measures in support of the obligations under the Applicable Data Protection Laws using an appropriate and accepted control standard or framework and audit procedure for such audits. The processor shall provide a report of such audit to the controller upon request.
3.14Auditor’s statement. The Processor undertakes to provide the Controller with a yearly auditor's Statement regarding the extent to which the Processors technical and organizational measures are in compliance with the Applicable Data Protection Laws.
3.15 Deletion. The Processor shall upon the Controller’s request and further instructions return or delete all Personal Data that the Processor has been Processing on behalf of the Controller under this DPA, unless the Applicable Data Protection Laws requires further storage of the relevant Personal Data.
3.16Creation. When you signup to Crystallize with a social networking credential, such as with your Facebook or Google account, we will ask permission to access basic information from that account, such as your name and email address. We use this information strictly for identification purposes. You can stop sharing that information with us at any time by removing Crystallizes access to that account.
4.1Consent. The Processor may not engage Sub-processors without prior specific or general written consent of the Controller. The Controller’s initial consents are set out in Attachment 1. If the Controller acts under a general written consent given by the Controller, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors. Controller may to object to such changes.
4.2Down-stream obligations. The Processor shall ensure that any Sub-processors (and any Sup-processors of such) are bound by written agreements that require them to comply with data processing obligations corresponding to those contained in this DPA. The Processor shall remain fully liable to the Controller for the performance of the Sub-processor's obligations.
4.3Proof of audit. The Controller may request that the Processor audit the Sub-processor or provide confirmation that such an audit has occurred, or, where available, obtain or assist the Controller in obtaining a third-party audit report concerning Sub-processor’s operations to ensure compliance with Applicable Data Protection Laws. The Controller will also be entitled, upon written request, to receive copies of the relevant terms of the Processor’s agreement with Sub-processors that may Process Personal Data and a precise description of the Processing performed by the Sub-processor.
5Transfer to third countries
5.1Legal basis. Any transfer of Personal Data to a state which is not a member state of either the EU or the European Economic Area (EEA) requires the prior written consent of the Controller and shall only occur if the conditions for transfer to third countries or international organizations laid down in the Applicable Data Protection Laws, hereunder Chapter V of the GDPR have been fulfilled.
5.2Withdrawal of consent. The Controller may at any time withdraw its consent to third country transfers provided under clause 5.1. In such case, the Processor shall immediately cease any further transfer and shall, upon the Controllers request, provide written confirmation of this.
6Information security and confidentiality
6.1General.The Processor shall, in order to assist the Controller in fulfilling its legal obligations, including but not limited to security measures and privacy impact assessments, be obliged to take appropriate technical and organizational measures to protect the Personal Data which is Processed. The Processor shall comply with any written information security requirements or policies communicated by the Controller from time to time.
6.2Adequate security. The Processor shall maintain adequate security for the Personal Data appropriate to the risk of Processing. The Processor shall protect the Personal Data against destruction, modification, unlawful dissemination, or unlawful access. Having regard to the state of the art and the costs of implementation and taking into account the nature, scope, context and purposes of the processing as well as the risk of varying likelihood and severity for the rights and freedoms of individuals, the technical and organizational measures to be implemented by the Processor shall include, inter alia, as appropriate:
- The Pseudonymization and encryption of Personal Data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services Processing Personal Data;
- The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
- A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing, and;
- Compliance with best industry practices.
6.3 Additional measures. In addition to the technical and organizational measures mentioned in clause 6.1 and 6.2, the Processor shall implement the following measures:
- Access control whereby access to the Personal Data is managed through a technical system for authorization control. There shall be procedures for allocating and removing authorizations.
- User IDs and passwords used to access Personal Data shall be personal and shall not be shared.
- Secure communications whereby external data communication connections shall be protected using technical functions ensuring that the connection is authorized and encrypted for Personal Data in transit in communication channels outside systems controlled by the Processor.
- It shall be possible to follow up access to the Personal Data retrospectively through a log or similar information base. The logs shall be protected and accessed only through authorized personnel. It shall be possible for the Processor to check the information base and report back to the Controller.
- A process to ensure secure data destruction when fixed or removable storage media no longer are used for their purpose.
- Computer equipment and removable storage media containing Personal Data at the Processor’s premises shall be locked up when not under supervision in order to protect against unauthorized use, impact and theft.
- Routines for entering into confidentiality agreements with suppliers providing repair and service of equipment used to store Personal Data.
- Routines for supervising the service performed by suppliers at the premises of the Processor. Storage media containing the Personal Data shall be locked up if supervision is not possible.
6.4 Records. The Processor shall maintain a record of all categories of Processing activities carried out on behalf of the Controller. The Processor shall prepare and keep updated a description of its technical, organizational and physical measures to be and maintain compliant with the Applicable Data Protection Laws.
6.5Data access. The Processor shall be obliged to ensure that only persons that directly require access to Personal Data in order to fulfil the Processor’s obligations in accordance with the Main Agreement have access to such information. The Processor shall ensure that any persons involved in the processing of Personal Data have committed themselves to confidentiality or are under proper statutory obligation of confidentiality.
6.6The duties of confidentiality set forth in clause 6.4. and 6.5. of the DPA shall survive the expiry or termination of the DPA.
7Personal data breach
7.1 Assistance.In case of a Personal Data Breach involving Personal Data Processed on behalf of the Controller, the Processor shall, taking into account the nature of Processing and the information available to the Processor, assist the Controller in ensuring compliance with the Controller’s obligations pursuant to the Applicable Data Protection Laws, including article 33 in the GDPR. The Processor shall notify the Controller without undue delay, but not later than 24 hours after becoming aware of such a Personal Data Breach. The notification shall at least:
- Describe the nature of the Personal Data breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- Describe the likely consequences of the Personal Data breach;
- Describe the measures taken or proposed to be taken by the Controller to address the Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.
8Term and termination
8.1Duration. The DPA applies for the duration of the Main Agreement, however subject to any obligations which according to their nature require additional duration.
8.2Termination. If a party materially breaches its obligations under the DPA, the non-breaching party may terminate the DPA and the Main Agreement. The party seeking termination shall provide the other party with a prior written notice of 10 days in reasonable detail of such material breach and the opportunity to resolve the breach. The Controller may choose to partially terminate the DPA and the Main Agreement.
If the party in breach does not resolve the breach within 10 days of receipt of written notice of a breach, then the party that is not in default may terminate this DPA and the Main Agreement on the Date specified in the written notice of termination.
8.3The Processor’s non-fulfilment of Applicable Data Protection Laws and the Parties’ non-fulfilment of the warranties in clause 3.1 shall always be deemed material breach.
8.4A material breach of this DPA by the Processor is also deemed a material breach of the Main Agreement.
9EFFECT OF TERMINATION
9.1Upon termination or expiry of this DPA, the Processor shall cease its Processing activities. Upon written instructions from the Controller, the Processor shall delete and/or return all Personal Data to the Controller and delete existing copies of such data unless Applicable Data Protection Laws require the continued storage of the Personal Data. The Processor shall ensure that any Sub-processor does the same.
9.2Regardless of the reason for termination or expiry of the DPA the Processor shall upon the Controllers written request accept to postpone the effective termination of this DPA with up to 90 days to allow the Controller to secure its data before return or deletion. Current prices under the Main Agreement shall apply.
9.3Upon request by the Controller, the Processor shall provide a written notice of the measures taken regarding the Personal Data upon the completion of the Processing.
10.1The Processor's renumeration for carrying out the Initial Instructions under this DPA is agreed to under the Main Agreement. Any additional renumeration for scope exceeding the scope agreed to under the Main Agreement (“Initial Instructions”), will be in accordance to the unit prices stipulated in the Main Agreement. If no unit prices are agreed to, Controllers standard unit prices will apply.
No additional liability to what follows from the Main Agreement is assumed by entering into the DPA. Any limitations of liability stipulated in the Main Agreement or otherwise shall apply equally to this DPA.
12.1Assignment. The Processor may not assign this DPA, in whole or in part, or delegate any of its duties hereunder to a third party by change in control, or otherwise, without the Controller’s prior written approval.
12.2No-waiver. No delay or failure of either party to enforce any provision of this DPA will operate as a waiver of the right to enforce that or any other provision of this DPA, nor will any single or partial exercise of any such rights preclude any other or further exercise thereof. To be effective, any waiver must be in writing, signed by the party providing the waiver.
12.3Severability. In the event that any provision of this DPA is held by a court of competent jurisdiction to be invalid, illegal or unenforceable, the remaining provisions of the DPA will remain in full force and effect, and shall be construed so as to best effectuate the intention of the parties executing it.
12.4Survival. Without prejudice to other provisions of this DPA, any obligations which either expressly or by their nature are to continue after the termination or expiration of this DPA shall survive and remain in effect.
12.5Counterparts. This DPA may be executed in one or more counterparts, each of which shall be deemed an original. The parties may rely on a scanned signature to bind the other party and may deliver such signatures electronically.
13.1All notices, requests, claims, demands and other communications under this DPA from one party to the other shall be in writing, in English.
14Governing law and dispute resolution
14.1This DPA shall be governed by and construed in accordance with the laws of Norway without reference to any conflict of laws principles under which different law might otherwise be applicable, except for U.S. customers, for whom New York law shall apply, notwithstanding conflict-of-laws principles.
14.2The parties agree that the courts of Norway shall have sole and exclusive jurisdiction and be legal venue for any matter arising out of this DPA, except for U.S. customers who consent to the exclusive jurisdiction of the state and federal courts located in the state of New York for any dispute arising between the parties to this agreement.