1.1 This agreement regarding the processing of personal data (the "Data Processing Agreement" or "DPA") regulates the processing of personal data by Vehera Ltd (the "Data Processor") on behalf of the client (the "Data Controller") and is attached as an addendum to the SaaS Service's Terms of Use. Throughout this agreement, references to Vehera and to Nasuni Access Anywhere Server refer to Vehera LTD (the "Data Processor").
1.2 This agreement refers to widely shared instances of Vehera's software accessible over the public internet, which is referred to in this document as a "SaaS" service.
1.3 This agreement pertains only to business users of the SaaS service.
2.1 The Data Processing Agreement shall ensure that the Data Processor complies with the applicable data protection and privacy legislation (the "Applicable Law"), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
3.1 Purpose: The purpose of the processing under the Terms of Use is the provision of the Services by the Data Processor as specified in the Terms of Use.
3.2 In connection with the Data Processor's delivery of the Services to the Data Controller, the Data Processor will process certain categories and types of the Data Controller's personal data on behalf of the Data Controller. If client includes, or authorizes others to include, personal data in the content input into the Services or personal data is generated in performance of the Services (Client Personal Data), Client represents that it is either the data controller of the Client Personal Data or that it has, prior to agreeing to the provisions of this Addendum or extending the benefit of the Cloud Services to any new data controller, been instructed by or obtained the consent of the relevant data controller(s) to agree to the undertakings in this Addendum. Client appoints Vehera LTD as data processors to process (as those terms are defined in EU Directive 95/46/EC, as amended or replaced, from time to time) such Client Personal Data. Client and Vehera LTD agree that any disputes or liability under this Addendum will be subject to the limitation and exclusions of liability in the Agreement.
3.3 "Personal data" includes "any information relating to an identified or identifiable natural person" as defined in GDPR, article 4 (1) (1) (the "Personal Data"). The categories and types of Personal Data processed by the Data Processor on behalf of the Data Controller are listed in sub-appendix A. The Data Processor only performs processing activities that are necessary and relevant to perform the SaaS Services. The parties shall update sub-appendix A whenever changes occur that necessitate an update.
3.4 Processing Operations and Nature of Processing
The Client Personal Data processed by Vehera LTD will be subject to the following basic processing activities:
3.5 The Data Processor shall have and maintain a register of processing activities in accordance with GDPR, article 32 (2).
4.1 The Data Processor may only act on and process the Personal Data in accordance with the documented instruction from the Data Controller (the "Instruction"), unless required by law to act without such instruction. The Instruction for the purposes of this Data Processing Agreement is that the Data Processor may only process the Personal Data with the purpose of delivering the SaaS Services as described in the Terms of Use.
4.2 The Data Controller guarantees to process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. The Data Controller's instructions for the processing of Personal Data shall comply with Applicable Law. The Data Controller will have sole responsibility for the accuracy, quality, and legality of possession and use of Personal Data and the means by which it was obtained.
4.3 The Data Processor will inform the Data Controller of any instruction that it deems to be in violation of Applicable Law and will not execute the instructions until they have been confirmed or modified to the satisfaction of the Data Processor.
5.1 Confidentiality
5.1.1 The Data Processor shall treat all the Personal Data as strictly confidential information. The Personal Data may not be copied, transferred or otherwise processed except as specified in the Instruction, unless the Data Controller has agreed in writing to such actions.
5.1.2 The Data Processor's employees shall be subject to an obligation of confidentiality that ensures that the employees shall treat all the Personal Data under this DPA with strict confidentiality.
5.1.3 Personal Data will only be made available to personnel that require access to such Personal Data for the delivery of the Services under this Data Processing Agreement.
5.2 The Data Processor shall also ensure that employees processing the Personal Data only process the Personal Data in accordance with the Instruction.
5.3 Security
5.3.1 The Data Processor shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR, article 32. The security measures are subject to technical progress and development. The Data Processor may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security.
5.4 The Data Processor shall provide documentation describing the Data Processor's security measures if requested by the Data Controller in writing.
5.5 Data protection impact assessments and prior consultation
5.5.1 If the Data Processor's assistance is necessary and relevant, the Data Processor shall assist the Data Controller in preparing data protection impact assessments in accordance with GDPR, article 35, along with any prior consultation in accordance with GDPR, article 36.
5.6 Rights of the data subjects
5.6.1 If the Data Controller receives a request from a data subject for the exercise of the data subject's rights under the Applicable Law and the correct and legitimate reply to such a request necessitates the Data Processor's assistance, the Data Processor shall assist the Data Controller by providing the necessary information and documentation. The Data Processor shall be given reasonable time to assist the Data Controller with such requests in accordance with the Applicable Law.
5.6.2 Vehera recognizes that the right to use personal data is exclusive to Customer as data controller and Vehera does not claim any rights over the personal data. To the extent permitted by law, Vehera will inform Customer of requests made directly to Vehera from data subjects exercising their rights regarding personal data. Since it is the Customer, not Vehera, which retains control over the access, additions, deletions, modifications and monitoring of personal data, Customer shall be responsible to respond to such requests of data subjects. Similarly, if Vehera receives any subpoena or similar order from a court or other governmental authority which relates to the processing of personal data on behalf of the Customer, it will promptly pass on the same to Customer without responding to it, unless otherwise required by applicable law, and Customer shall promptly respond to the same.
5.7 Personal Data Breaches
5.7.1 The Data Processor shall give immediate notice to the Data Controller if a breach occurs that can lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed in relation to the Personal Data processed on behalf of the Data Controller (a "Personal Data Breach").
5.7.2 The Data Processor shall make reasonable efforts to identify the cause of such a breach and take those steps it deems necessary to establish the cause, and to prevent such a breach from reoccurring.
5.8 Documentation of Compliance and Audit Rights
5.8.1 At its sole cost and expense, Customer may audit Vehera's compliance with its obligations under this DPA up to once per year and upon at least 14 days advance written notice to Vehera, with such notice to include a detailed proposed audit plan; provided that to the extent required by the GDPR or applicable law, Customer or the relevant data protection authority may perform more frequent audits.
The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Vehera will review the proposed audit plan and provide Customer with any concerns or questions and work cooperatively with Customer to agree on a final audit plan.
Vehera will contribute to such audits by providing the information and assistance reasonably necessary to conduct the audit, including any relevant records of processing activities applicable to Customer's use of the Vehera Solution where such records are not otherwise available to the Customer through the Vehera Solution.
The audit must be conducted during regular business hours, may not unreasonably interfere with Vehera business activities, and be conducted subject to the agreed final audit plan and Vehera's or the applicable sub processor's internal policies. Customer will provide Vehera any audit reports generated as part of any audit under paragraph unless prohibited by the GDPR, applicable law, or the applicable data protection authority. Customer may use the audit reports only for the purposes of meeting Customer's regulatory audit requirements and/or confirming compliance with the requirements of this DPA.
The audit reports are Confidential Information of the parties under the terms of the Agreement. Where assistance requested of Vehera in conjunction with such audit requires the use of resources different from or in addition to those required of Vehera under the Agreement, Customer shall pay for such additional resources at Vehera's then-current rates.
5.8.2 The Data Controller may be requested to sign a non-disclosure agreement reasonably acceptable to the Data Processor before being furnished with the above.
5.9 Data Transfers
5.9.2 Where Vehera LTD initiates a data transfer it will not transfer the Data Controller's personal data to countries outside the European Economic Area. If the Data Controller initiates a transfer of data it has explicitly added and controls it will be responsible for ensuring that such transfer is pursuant to Articles 45 and 46.
6.1 The Data Processor is given general authorisation to engage third parties to process the Personal Data ("Sub-Processors") without obtaining any further written, specific authorization from the Data Controller, provided that the Data Processor notifies the Data Controller in writing about the identity of any new potential Sub-Processor (and its processors, if any) before any agreements are made with the relevant Sub-Processors and before the relevant Sub-Processor processes any of the Personal Data. If the Data Controller wishes to object to the relevant Sub-Processor, the Data Controller shall give notice hereof in writing within ten (10) business days from receiving the notification from the Data Processor. Absence of any objections from the Data Controller shall be deemed a consent to the relevant Sub-Processor.
6.2 In the event the Data Controller objects to a new Sub-Processor and the Data Processor cannot accommodate the Data Controller's objection, the Data Controller may accept the new Sub-Processor or terminate the Services.
6.3 The Data Processor shall complete a written sub-processor agreement with any Sub-Processors. Such an agreement shall at minimum provide the same data protection obligations as the ones applicable to the Data Processor, including the obligations under this Data Processing Agreement. The Data Processor shall on an ongoing basis monitor and control its Sub-Processors' compliance with the Applicable Law. Documentation of such monitoring and control shall be provided to the Data Controller if requested in writing.
6.4 The Data Processor is accountable to the Data Controller for the actions and omissions of any Sub-Processor processing the Data Controller's data on behalf of the Data Processor in the same way as for its own actions and omissions.
6.5 The Data Processor is at the time of entering into this Data Processing Agreement using the Sub-Processors listed in sub-appendix B. If the Data Processor initiates sub-processing with a new Sub-Processor, such new Sub-Processor shall be added to the list in sub-appendix B under paragraph 2.
7.1 The Data Controller shall remunerate the Data Processor for time spent to perform the obligations under sections 5.5, 5.6, 5.7 and 5.8 of this Data Processing Agreement based on the Data Processor's hourly rates.
7.2 If changes to the Applicable Law, including new guidance or court practice, result in additional costs to the Data Processor, the Data Controller shall indemnify the Data Processor for such documented costs.
8.1 Liability of the parties under this DPA is governed by the Agreement, provided that except for the intentional misconduct of Vehera, Customer shall defend, indemnify and hold harmless Vehera, its affiliated companies, their respective officers, directors, employees, agents, successors and assigns of the foregoing, and their authorized distributors and resellers, from and against any and all claims, losses, liabilities, damages, penalties, fines, costs and expenses (including reasonable attorneys' fees and costs) arising out of this DPA. This paragraph controls in the event of any conflict between this paragraph and any other provision of the Agreement or any other document.
8.2 For the avoidance of doubt: Vehera LTD's total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such DPA.
8.3 Each party's liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Authorized Affiliates and Vehera LTD, whether in contract, tort or under any other theory of liability, is subject to the limitations described in the Terms Of Use, and any reference in to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
8.4 The limitation of liability does not apply to a party's expenses and resources used to perform the other party's obligations, including payment obligations, towards a relevant data protection agency or any other authority.
8.5 Nothing in this DPA relieves the processor of its own direct responsibilities and liabilities under the GDPR.
9.1 This agreement shall remain in force until the Service is terminated.
10.1 The Data Processor will appoint a Data Protection Officer where such appointment is required by Data Protection Laws and Regulations or if it otherwise sees fit.
11.1 Following expiration or termination of the Agreement, the Data Processor will delete all Personal Data in its possession as provided in the Agreement except to the extent the Data Processor is required by Applicable Law to retain some or all of the Personal Data (in which case the Data Processor will archive the data and implement reasonable measures to prevent the Personal Data from any further processing) or such deletion is technically or operationally impossible or impractical. The terms of this DPA with regard to protecting personal data will continue to apply to such retained Personal Data.
12.1 The contact information for the Data Processor is provided on the Nasuni Access Anywhere Server website.
These clauses shall be governed by the laws of the United Kingdom.
1. Personal Data
1.1 The Data Processor processes the following types of Personal Data in connection with its delivery of the Services:
1.1.1 Information about employees of the Data Controller relevant for providing the service, including but not limited to:
1.1.1.1. Name
1.1.1.2. Email address
1.1.1.3. Telephone Number
1.1.2. Contact information for individuals who may or may not be employees of the Data Controller:
1.1.2.1. Name
1.1.2.2. Email address
2. Categories of data subjects
2.1 The Data Processor processes personal data about the following categories of data subjects on behalf of the Client:
2.1.1. Employees of the Data Controller
2.1.2. Other data subjects whose personal data the Data Controller has stored using the Service's Contacts feature.
1. APPROVED SUB-PROCESSORS
1.1 The following Sub-Processors shall be considered approved by the Data Controller at the time of entering into this Agreement:
i. Amazon Web Services
ii. Microsoft
iii. Zoho
iv. Bitly
v. MaxMind
vi. Google
vii. Twilio
2. New Sub-Processors
2.1 The following Sub-Processors have been added and communicated to the Data Controller prior to the relevant sub-processing:
[Intentionally left blank]