Version 1.0 — Effective 20 June 2019
This Data Processing Addendum (“Addendum”) forms part of the Services Agreement or other similar type agreement pertaining to the Processing of Customer Personal Data (the “Agreement”) between Enterprise Bot GmbH (“Enterprise Bot”) and Customer (collectively the “Parties”). This Addendum does not replace nor supersede any pre-existing obligations of the Parties; but rather augments such obligations in context of certain applicable laws and regulations pertaining to the handling and processing of Customer Personal Data.
This Addendum shall become legally binding once Enterprise Bot receives a validly completed and signed copy from Customer.
This Addendum shall not become legally binding, unless Customer has executed a valid Agreement and/or Order Form pursuant to such an Agreement.
1. Subject Matter and Duration.
a) Subject Matter.
This Addendum reflects the Parties’ commitment to abide by Applicable Data Protection Laws concerning the Processing of Customer Personal Data in connection with Enterprise Bot’s execution of the Agreement. All capitalized terms that are not expressly defined in this Data Processing Addendum will have the meanings given to them in the Agreement. If and to the extent language in this Addendum or any of its Exhibits conflicts with the Agreement, this Addendum shall control.
b) Duration and Survival.
This Addendum will become legally binding upon the Effective Date of the Agreement or upon the date upon which both Parties have signed this Addendum, if it is completed after the Effective Date of the Agreement. Enterprise Bot will Process Customer Personal Data until the relationship terminates as specified in the Agreement. Enterprise Bot’s obligations and Customer’s rights under this Addendum will continue in effect so long as Enterprise Bot Processes Customer Personal Data.
For the purposes of this Addendum, the following terms and those defined within the body of this Addendum apply.
a) “Applicable Data Protection Law(s)” means the relevant data protection and data privacy laws, rules and regulations to which the Customer Personal Data are subject. “Applicable Data Protections Law(s)” shall include, but not be limited to, EU General Data Protection Regulation 2016/679 (“GDPR”) and Privacy Shield principles and requirements.
b) “Customer Personal Data” means Personal Data pertaining to Customer’s users or employees located in the European Economic Area Processed by Enterprise Bot. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in Exhibit A attached hereto, as required by the GDPR.
c) “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
d) “Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under Applicable Data Protection Law(s).
e) “Privacy Shield” means the EU–U.S. and Swiss–U.S. Privacy Shield Framework established by the US Department of Commerce and the European Commission.
f) “Process,” “Processes,” “Processing,” “Processed” means any operation or set of operations which is performed on data or sets of data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
g) “Processor” means a natural or legal person, public authority, agency or other body which Processes Customer Personal Data on behalf of Customer subject to this Addendum.
h) “Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed by Enterprise Bot.
i) “Services” means any and all services that Enterprise Bot performs under the Agreement.
j) “Third Party(ies)” means Enterprise Bot’s authorized contractors, agents, vendors and third party service providers that Process Customer Personal Data (i.e. subprocessors).
3. Data Use and Processing.
a) Compliance with Laws.
Customer Personal Data shall be Processed in compliance with the terms of this Addendum and all Applicable Data Protection Law(s).
b) Documented Instructions.
Enterprise Bot and its Third Parties shall Process Customer Personal Data only in accordance with the documented instructions of Customer or as specifically authorized by this Addendum, the Agreement, or any applicable Statement of Work. Enterprise Bot will, unless legally prohibited from doing so, inform Customer in writing if it reasonably believes that there is a conflict between Customer’s instructions and applicable law or otherwise seeks to Process Customer Personal Data in a manner that is inconsistent with Customer’s instructions.
c) Authorization to Use Third Parties.
To the extent necessary to fulfill Enterprise Bot’s contractual obligations under the Agreement or any Statement of Work, Customer hereby authorizes Enterprise Bot to engage Third Parties (including subprocessors). Any Third Party Processing of Customer Personal Data shall be consistent with Customer’s documented instructions and comply with all Applicable Data Protection Law(s).
d) Enterprise Bot and Third Party Compliance.
Enterprise Bot agrees to (i) enter into a written agreement with Third Parties regarding such Third Parties’ Processing of Customer Personal Data that imposes on such Third Parties (including subprocessors) data protection and security requirements for Customer Personal Data that are compliant with Applicable Data Protection Law(s); and (ii) remain responsible to Customer for Enterprise Bot’s Third Parties’ failure to perform their obligations with respect to the Processing of Customer Personal Data.
e) Right to Object to Third Parties.
Enterprise Bot shall make available to Customer a list of Third Parties that Process Customer Personal Data upon reasonable request. Prior to engaging any new Third Parties that Process Customer Personal Data, Enterprise Bot will notify Customer via email and allow Customer thirty (30) days to object. If Customer has legitimate objections to the appointment of any new Third Party, the parties will work together in good faith to resolve the grounds for the objection for no less than thirty (30) days, and failing any such resolution, Customer may terminate the part of the service performed under the Agreement that cannot be performed by Enterprise Bot without use of the objectionable Third Party. Enterprise Bot shall refund any pre-paid fees to Customer in respect of the terminated part of the Service.
Any person or Third Party authorized to Process Customer Personal Data must agree to maintain the confidentiality of such information or be under an appropriate statutory or contractual obligation of confidentiality.
g) Personal Data Inquiries and Requests.
Enterprise Bot agrees to comply with all reasonable instructions from Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) (“Privacy Request”). At Customer’s request and without undue delay, Enterprise Bot agrees to assist Customer in answering or complying with any Privacy Request in so far as it is possible.
h) Data Protection Impact Assessment and Prior Consultation.
Enterprise Bot agrees to provide reasonable assistance at Customer’s expense to Customer where, in Customer’s judgement, the type of Processing performed by Enterprise Bot is likely to result in a high risk to the rights and freedoms of natural persons (e.g., systematic and extensive profiling, Processing sensitive Personal Data on a large scale and systematic monitoring on a large scale, or where the Processing uses new technologies) and thus requires a data protection impact assessment and/or prior consultation with the relevant data protection authorities.
i) Demonstrable Compliance.
Enterprise Bot agrees to keep records of its Processing in compliance with Applicable Data Protection Law(s) and provide any necessary records to Customer to demonstrate compliance upon reasonable request.
4. Cross-Border Transfers of Personal Data.
a) Cross-Border Transfers of Personal Data.
Enterprise Bot shall not transfer Customer Personal Data across international borders except within the European Economic Area. Any cross-border transfer of Customer Personal Data must be supported by an approved adequacy mechanism.
b) Standard Contractual Clauses.
Enterprise Bot and Customer will use the Standard Contractual Clauses in Exhibit B as the adequacy mechanism supporting the transfer and Processing of Customer Personal Data.
5. Information Security Program.
Enterprise Bot agrees to implement appropriate technical and organizational measures designed to protect Customer Personal Data as required by Applicable Data Protection Law(s) and as may be further described in the Agreement (the “Information Security Program”). Such measures shall include:
i) Pseudonymization of Customer Personal Data where appropriate, and encryption of Customer Personal Data in transit;
ii) The ability to ensure the ongoing confidentiality, integrity and availability of Enterprise Bot’s Processing and Customer Personal Data;
iii) The ability to restore the availability and access to Customer Personal Data in the event of a physical or technical incident;
iv) A process for regularly testing, assessing and evaluating the effectiveness of Enterprise Bot’s Information Security Program to ensure the security of Customer Personal Data from reasonably suspected or actual accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.
6. Security Incidents.
a) Security Incident Procedure.
Enterprise Bot will deploy and follow policies and procedures to detect, respond to, and otherwise address Security Incidents including procedures to (i) identify and respond to reasonably suspected or known Security Incidents, mitigate harmful effects of Security Incidents, document Security Incidents and their outcomes, and (ii) restore the availability or access to Customer Personal Data in a timely manner.
Enterprise Bot agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) (but in no event longer than forty-eight (48) hours) to Customer’s Designated POC if it knows or reasonably suspects that a Security Incident has taken place. Such notice will include all available details required under Applicable Data Protection Law(s) for Customer to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
a) Right to Audit; Permitted Audits.
Enterprise Bot shall make available to Customer and its regulators all information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Customer and its regulators shall have the right to inspect Enterprise Bot’s architecture, systems, and documentation which are relevant to the security and integrity of Customer Personal Data, or as otherwise required by a governmental regulator:
i) Following any notice from Enterprise Bot to Customer of an actual or reasonably suspected Security Incident involving Customer Personal Data;
ii) Upon Customer’s reasonable belief that Enterprise Bot is not in compliance with Applicable Data Protection Laws, this Addendum or its security policies and procedures under the Agreement;
iii) As required by governmental regulators;
iv) Or otherwise in accordance with GDPR regulations.
b) Audit Terms. Any audits described in this Section shall be:
i) Conducted by Customer or its regulator, or through a third party independent contractor selected by one of these parties.
ii) Conducted during reasonable times.
iii) Conducted upon reasonable advance notice to Enterprise Bot.
iv) Of reasonable duration and shall not unreasonably interfere with Enterprise Bot’s nor Third Party day-to-day operations.
v) Conducted in such a manner that does not violate any agreement between Enterprise Bot and its cloud providers.
c) Third Parties.
In the event that Customer conducts an audit through a third party independent auditor or a third party accompanies Customer or participates in such audit, such third party shall be required to enter into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect Enterprise Bot’s and Enterprise Bot’s customers’ confidential and proprietary information. For the avoidance of doubt, regulators shall not be required to enter into a non-disclosure agreement.
d) Audit Results.
Upon Enterprise Bot’s request, after conducting an audit, Customer shall notify Enterprise Bot of the manner in which Enterprise Bot does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein. Upon such notice, Enterprise Bot shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer when such changes are complete. Notwithstanding anything to the contrary in the Agreement, Customer may conduct a follow-up audit within six (6) months of Enterprise Bot’s notice of completion of any necessary changes. To the extent that an Enterprise Bot audit and/or Customer audit identifies any material security vulnerabilities, Enterprise Bot shall remediate those vulnerabilities within fifteen (15) days of the completion of the applicable audit, unless any vulnerability by its nature cannot be remedied within such time, in which case the remediation must be completed within a mutually agreed upon time not to exceed sixty (60) days.
8. Data Storage and Deletion.
a) Data Storage.
Enterprise Bot will abide by the following with respect to storage of Customer Personal Data:
i) Enterprise Bot will not store or retain any Customer Personal Data except as necessary to perform the Services under the Agreement.
ii) Enterprise Bot uses subprocessor cloud services which process and store Personal Data in one or more countries. Customer may contact Enterprise Bot for any queries regarding countries where Customer Personal Data is Processed or stored.
b) Data Deletion. Enterprise Bot will abide by the following with respect to deletion of Customer Personal Data:
i) Within thirty (30) calendar days of the Agreement’s expiration or termination, or sooner if requested by Customer, Enterprise Bot will securely destroy (per subsection (iii) below) all copies of Customer Personal Data (including automatically created archival copies).
ii) Upon Customer’s request, Enterprise Bot will promptly return to Customer a copy of all Customer Personal Data within thirty (30) days and, if Customer also requests deletion of the Customer Personal Data, will carry that out as set forth above.
iii) Deletion of Customer Personal Data will be conducted in accordance with standard industry practices.
iv) Upon Customer’s request, Enterprise Bot will provide evidence that Enterprise Bot has deleted all Customer Personal Data. Enterprise Bot will provide the “Certificate of Deletion” within thirty (30) days of Customer’s request.