1.1
This DPA is applicable between the Customer and SignUp in relation to SignUp's processing of personal
data within the scope of the provision of the SignUp Services, as ordered by the Customer under an
Order Agreement.
1.2
By executing an Order Agreement that references this DPA, the Customer agrees to the terms and
conditions set out herein and that this DPA shall form an integrated part of the Agreement.
1.3
If any provision of this DPA is found by any court of competent jurisdiction to be invalid or
unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all
provisions not affected by such invalidity shall remain in full force and effect.
1.4
Unless otherwise agreed between the Parties, this DPA shall not be applicable between the Parties if the
Customer is a non-EU entity without any EU-based Affiliates that will use the SignUp Services and the
contracting SignUp entity (as set out in the Order Agreement) is a non-EU SignUp entity.
1.5
It is acknowledged and agreed that with regard to processing of personal data under this DPA, the
Customer is the controller (for its own part and on behalf of its Affiliates, as the case may be), and
SignUp is the processor for such processing.
1.6
The duration, nature and purpose of the processing, the types of personal data and categories of data
subjects processed under this DPA are specified in Annex 1 hereto, as may be updated by the Parties as
applicable from time to time.
Capitalized terms used in this DPA shall have the meaning assigned to them in the General Terms and
Conditions, unless the context requires otherwise. In addition to the definitions under the General Terms
and Conditions, the below terms shall have the following meaning:
"Applicable Data Protection Laws" means all EU and relevant member state legislation and
regulations, including regulations and decisions issued by relevant supervisory authorities, protecting
the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect
to the processing of personal data that from time to time apply to SignUp and the Customer, including
without limitation the GDPR, including any future interpretations thereof in court precedence from the
EU Court of Justice or any other authorized court or supervisory authority.
"DPA" means this data processing agreement and the appendices attached hereto (as amended from
time to time in accordance herewith).
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April
2016 on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
"Sub-processor" means any processor engaged by SignUp, by an Affiliate of SignUp or by another
Sub-processor, including Affiliates of SignUp acting as processors (as the case may be).
"Standard Contractual Clauses", sometimes also referred to as the "EU Model Clauses", means the
standard contractual clauses for the transfer of personal data to third countries pursuant to the Regulation
(EU) 2016/679 of the European Parliament and of the Council, based on the Commission Decision (EU)
2021/914 of 4th June 2021.
The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data
breach", shall have the same meanings as set out in article 4 of the GDPR.
3.1
Except as may be otherwise required under the Applicable Data Protection Law, the Customer shall, on
behalf of any Affiliate, serve as a single point of contact for SignUp in all matters under this DPA and
shall be responsible for the internal coordination, review and submission of instructions or requests to
SignUp as well as the onward distribution of any information, notifications and reports provided by
SignUp hereunder.
3.2
In its capacity as controller the Customer confirms (for its own part and/or on behalf of its Affiliates, as
the case may be) that it is entitled to provide access to personal data to SignUp for the purposes hereof
and, consequently, that it has a lawful basis and any necessary approvals from any relevant data subjects
for SignUp's performance of the SignUp Services.
3.3
The Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and
the means by which the Customer acquired personal data.
4.1
SignUp shall process personal data hereunder solely in accordance with the documented instructions of
the Customer, for the following limited purposes:
(a)
performance of the SignUp Services under the terms of the Agreement;
(b)
where applicable depending on the SignUp Services provided to the Customer under the
Agreement, setting up, operating, and monitoring the underlying infrastructure (hardware,
software, servers, environments, connectivity, etc) required to provide the SignUp Services
to the Customer and to meet the technical, security and organizational requirements for the
processing of the personal data in connection therewith;
(c)
processing initiated by authorized users of the Customer in their use of the SignUp Services;
(d)
executing documented instructions of the Customer provided such instructions relate to and
are consistent with the SignUp Services;
(e)
addressing service issues or technical problems; and/or
(f)
meeting any express requirement under the Applicable Data Protection Laws, in which case
SignUp shall, unless it is prohibited by applicable laws from doing so, inform the Customer
of that legal requirement before processing.
4.2
SignUp is prohibited from processing the Customer's personal data for SignUp's own purposes unless
the Customer has provided its approval for such processing or if SignUp is required to process the
personal data by virtue of applicable laws, in which case SignUp will be the controller for such
processing.
4.3
SignUp will report to the Customer without undue delay any request, demand or order received by
SignUp from a competent supervisory authority or a data subject relating to the processing of personal
data on the Customer's behalf.
4.4
Taking into account the nature of the processing, SignUp will assist the Customer in complying with its
obligation to respond to requests of data subjects under Applicable Data Protection Laws (including
requests for exercising data subjects' rights under the Applicable Data Protection Law) by appropriate
technical and organizational measures, insofar as this is possible provided that SignUp will provide such
assistance to the extent:
(a)
the information is available to SignUp, and such information is not otherwise available to the
Customer or the requested assistance cannot practicably be performed by the Customer;
(b)
the Customer acknowledges that SignUp has no responsibility to interact directly with any
data subject or supervisory authority in respect of any request, demand or order (except as
expressly provided under the Applicable Data Protection Law or as otherwise agreed by the
Parties in writing); and
(c)
to the extent legally permitted, the Customer shall be responsible for any costs arising from
SignUp's provision of such assistance.
4.5
Subject to applicable legal retention obligations, upon termination of the Agreement SignUp will return
to the Customer or delete any personal data that has been processed on the Customer's behalf under this
DPA. If the Customer has not instructed SignUp whether the personal data should be returned or deleted
within fourteen (14) calendar days from termination of the Agreement, SignUp is entitled to delete the
personal data.
4.6
SignUp will only rely on personnel in the processing of personal data who are contractually or by
statutory obligation bound to maintain confidentiality, ensure that access to personal data processed is
limited to those personnel who require such access to perform the applicable SignUp Services, and take
commercially reasonable steps to ensure the reliability of personnel engaged in the processing of
personal data hereunder.
4.7
SignUp will promptly inform the Customer if, in its opinion, any instruction or request violates
Applicable Data Protection Law, and SignUp disclaims any obligation or liability with regard to any
such instructions or requests.
4.8
The Customer may request SignUp to provide assistance if the Customer is carrying out a data
protection impact assessment. Such assistance will in such case consist of SignUp providing relevant
information to the Customer regarding the personal data processed in the SignUp Services. SignUp shall
be entitled to charge the Customer its Professional Services Fees on a time and material basis for such
assistance.
4.9
The Customer accepts that any requests for information, assistance or activities beyond SignUp's
ordinary course of business, routines or practices, or what is otherwise commercially reasonable, shall
be specifically agreed in an Order Agreement and may be subject to additional fees and charges.
In connection with its processing of personal data hereunder SignUp will provide for and maintain
appropriate administrative, physical, technical and organizational security measures for such
processing, which are intended to protect personal data against accidental or unauthorized loss,
destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular
risks involved in the processing. In this connection:
(a)
it is acknowledged that further details on the administrative, physical, technical and
organizational security measures that will be implemented and maintained by SignUp in
processing the personal data are described or referred to in Annex 1 hereto; and
(b)
SignUp will not materially decrease the overall security of any SignUp Services with respect
to processing of personal data.
6.1
SignUp will inform the Customer without undue delay after it becomes aware of any personal data
breach in connection with the processing of personal data under this DPA, observing the following
process:
(a)
SignUp will investigate the personal data breach and take reasonable measures to identify its
root cause(s) and, where such breach is caused by SignUp or a SignUp Sub-processor;
(b)
as information is collected or otherwise becomes available, to the extent legally permitted,
SignUp will provide the Customer with a description of the personal data breach, the type of
the data to which the breach relates, and other information the Customer may reasonably
request concerning the affected data subject(s) where such information is available to
SignUp; and
(c)
the Parties agree to coordinate in good faith on developing the content of any related public
statements or any required notices for the affected data subject(s) and/or the competent
supervisory authorities.
6.2
The obligations set out above will not apply, to the extent that the personal data breach is caused by the
Customer, the Customer's Affiliate or anyone acting for the Customer, save that SignUp will inform the
Customer of the personal data breach and provide information it discovers up to the stage it identifies
the breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer.
SignUp may charge the Customer for any assistance that the Customer may request when a personal
data breach is attributable to or caused by the Customer.
SignUp shall upon the Customer's request, make all necessary information available to demonstrate
compliance hereof and allow for audits, including inspections, to be performed by the Customer (or an
independent third-party auditor mandated by the Customer that is reasonably acceptable to SignUp and
subject to signature of a confidentiality agreement with SignUp) of SignUp relevant to the personal data
processed under this DPA.
8.1
SignUp may delegate the processing of personal data to a Sub-processor. SignUp shall ensure that
SignUp has concluded a data processing agreement with such Sub-processor on terms equivalent to and
not less restrictive than the provisions in this DPA. Moreover, SignUp shall remain fully liable for the
conduct of any of its Sub-processors as for its own conduct.
8.2
Subject to Section 8.1, the Customer hereby gives its general written consent and authorization to
SignUp to use Sub-processors for processing of personal data solely for the purposes set forth in this
DPA. The current list of SignUp Sub-processors is available at GDPR-Sub-Processors - SignUp
Software ("Sub-processor List"). SignUp shall update the Sub-processor List before authorizing any
new Sub-processor(s) to process personal data in connection with the provision of the SignUp Services.
8.3
The Customer may object to SignUp's use of a new Sub-processor by notifying SignUp in writing within
ten (10) Business Days from when the Sub-processor List was updated. In the event the Customer
objects to a new Sub-processor, SignUp will use commercially reasonable efforts to provide the SignUp
Services without engaging the Sub-processor subject to the objection. If such work-around is not
possible, the Customer shall be entitled to terminate the relevant SignUp Service. In the event of such
termination, the Customer shall not be entitled to any refund of any fees paid to SignUp within the scope
of the Agreement.
9.1
The Parties' liability with respect to data subjects' claims for compensation shall be handled in
accordance with article 82 of the GDPR.
9.2
The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other
Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data
Protection Legislation.
9.3
For the purposes of Section 9.2 above, both Parties shall, to a reasonable extent, provide information to
the other Party which may be useful within the scope of a supervisory matter or a court proceeding.
9.4
Without prejudice to the foregoing, the Parties' liability under this DPA shall be limited in accordance
with the provisions of the General Terms and Conditions.
10
TRANSFER OF PERSONAL DATA
10.1
The Customer acknowledges and agrees that SignUp is only entitled to transfer personal data to a
country located outside the EU/EEA under the following circumstances:
(a)
the country is subject to an adequacy decision made by the European Commission, or, in the
absence of an adequacy decision;
(b)
SignUp has taken measures to ensure that the transfer is lawful, e.g. by ensuring that there is
a transfer mechanism in place subject to article 46 GDPR or a specific derogation according
to article 49 GDPR.
10.2
Where personal data is transferred outside the EU/EEA on the basis of a transfer mechanism under
article 46 GDPR, SignUp will conduct a risk analysis in accordance with the recommendations 01/2020
and 02/2020 of the European Data Protection Board. The Customer is, in accordance with Section 7
above, entitled to receive information about the result of such risk analysis.
10.3
The Sub-processor List includes information about any potential third-country transfers made by
SignUp within the scope of the Agreement.
The following description of processing relates to Customers that are using ExFlow and ExDoc.
Name | Desc |
---|---|
Description of processing | Personal data will be processed to a limited extent within the scope of providing implementation services, Consultancy Services and Support Services and only in cases where SignUp needs access to the Customer's environment (which is only provided upon Customer's approval). Generally, there will be no need to access any personal data, but in circumstances where said services require access to an invoice, processing of data in that invoice will occur. |
Purpose of the processing | The purpose of the processing is to be able to provide the implementation, Consultancy Services or Support Services in accordance with the Agreement. |
Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
Retention and erasure | SignUp will not store any data on behalf of the Customer. |
Name | Desc |
---|---|
Description of processing | ExFlow Web is a cloud-based interface for approval of invoices. The processing that will be carried out is mainly storage and processing of invoices through the ExFlow Web application. |
Purpose of the processing | The purpose is to provide the ExFlow Web service to the Customer. |
Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
Retention and erasure | Invoices are stored for sixty (60) days and are thereafter automatically erased by SignUp. |
Name | Desc |
---|---|
Description of processing | The processing in ExFlow Data Capture includes processing of invoices in a cloud-based environment. This will include storage and processing of invoice data. |
Purpose of the processing | The purpose of the processing is to provide the ExFlow Data Capture service in order for the Customer to be able to seamlessly interpret and extract critical invoice data. |
Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
Retention and erasure | Personal data is stored for ninety (90) days and is thereafter automatically erased. |
Name | Desc |
---|---|
Description of processing | The processing in ExFlow e-invoicing includes cloud-based transmission of invoice data, which may include personal data. |
Purpose of the processing | The purpose of the processing is to be able to send, receive and verify invoice data on behalf of the Customer. |
Categories of personal data | Name, title, personal identification number, contact information, IP address and other data that may appear on an invoice. |
Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
Retention and erasure | For as long as necessary, however not longer than ninety (90) days, whereafter the personal data is automatically erased. |