Data Processing Addendum

July 7, 2022

This Data Processing Addendum, including the Schedule, ("DPA") forms part of the Master Subscription Agreement (“Agreement”) entered into between Uptake Technologies, Inc. and the Customer, as defined in the Agreement. Customer may also be referred to in this DPA as You or Your.

In the course of providing the Services under the Agreement, Uptake may Process Personal Data on Your behalf and the parties hereto agree to comply with the terms and conditions in this DPA in connection with such Personal Data. This DPA shall not replace any comparable or additional rights contained in the Agreement or any other agreement between the parties relating to Processing data other than Personal Data.


1. DEFINED TERMS.

“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPA, including any local, state, national and/or foreign laws and regulations.

“Data Subject” means an individual to whom Personal Data relates.

“De-identified Data” means data that cannot reasonably be linked to an identified or identifiable natural person.

“Personal Data” means any information describing or relating to (i) an identified or identifiable natural person or household; and (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws), where for each (i) or (ii), such data is Your Data. Personal Data does not include De-identified Data.

“Personal Data Breach” means any unauthorized access, acquisition or use of Personal Data that requires Data Subject notification pursuant to any Data Protection Laws.

“Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the Party which Processes Personal Data on behalf of the Controller.

“Sub-processor” means any Processor engaged by Uptake or an Uptake affiliate to assist in fulfilling Uptake’s obligations with respect to the provision of the Services. Sub-processors may include third parties or Uptake affiliates but will exclude any Uptake employee or consultant.

“Your Data” means the Personal Data that (i) You provide to Uptake and (ii) Uptake collects from You through Your use of the Services.


2. PROCESSING OF PERSONAL DATA.

2.1 Roles of the Parties. The parties acknowledge and agree that, with regard to the Processing of Personal Data, Customer is the Controller, Uptake is the Processor, and that Uptake may engage Sub-processors, pursuant to the requirements set forth in Section 5.

2.2 Your Processing of Personal Data. You shall, in Your use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Uptake as Processor. For the avoidance of doubt, Your instructions for the Processing of Personal Data shall comply with applicable Data Protection Laws. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data. You specifically acknowledge that Your use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data to the extent applicable under Data Protection Laws.

2.3 Uptake Processing of Personal Data. Unless otherwise required or authorized by law and subject to any applicable exceptions, limitations, exemptions, and/or exclusions set forth in the Data Protection Laws, Uptake shall not Process Personal Data except as necessary for the purpose of performing the Services as set forth in the Agreement. The parties acknowledge and agree that Uptake is permitted, for the period in which Uptake is providing Services to You and any additional period required or permitted by law, to Process Your Data for the following limited purposes: (i) to provide, improve, repair, service, and develop Uptake’s products and services, and to perform other internal operations, including data analytics and metrics, that are reasonably consistent with expectations around providing support for Uptake’s products and services; (ii) to prevent harm to You, Uptake, and to third parties; (iii) to prevent, detect, protect against, investigate, or respond to security incidents, identity theft, fraud, harassment, or malicious, deceptive, or illegal activity; (iv) to preserve the integrity or security of Uptake’s products, services and internal systems; (v) to comply with any federal, state, or local laws, rules, or regulations to which Uptake is subject; (vi) to cooperate with law enforcement agencies concerning conduct or activity that Uptake or You, reasonably and in good faith, believe may violate federal, state, or local law; (vii) to comply with any civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, local, or other governmental authorities; (viii) to investigate, exercise, prepare for, or defend actual or anticipated legal claims; and (ix) any other purpose that Uptake notifies You of and in accordance with Data Protection Laws.

2.4 Details of the Processing. The subject-matter of Processing of Personal Data by Uptake is the provision of the Services that involve the Processing of Personal Data. You acknowledge and agree that, in each and every instance where You provide, submit, or transfer any of Your Data to Uptake for Processing, such provision, submission or transfer does not constitute a "sale" as such term is defined under applicable Data Protection Laws.

2.5 Data Minimization. You agree to provide to Uptake only the Personal Data that is necessary for Uptake to provide the Services.


3. RIGHTS OF DATA SUBJECTS

Uptake shall, to the extent legally permitted, notify You if Uptake receives a request from a Data Subject to exercise the Data Subject's right to delete, correct, or access data, or concerning any other rights under applicable Data Protection Laws, each such request being a “Data Subject Request.” Taking into account the nature of the Processing, Uptake shall provide reasonable assistance to You for the fulfillment of Your obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent You, in Your use of the Services, do not have the ability to address a Data Subject Request, Uptake shall upon Your reasonable request, provide commercially reasonable efforts to assist You in responding to such Data Subject Request, to the extent Uptake is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, You shall be responsible for any costs arising from Uptake’s provision of such assistance.


4. UPTAKE PERSONNEL

Uptake shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received reasonable training on their responsibilities and have executed written confidentiality agreements. Uptake shall ensure that such confidentiality obligations survive the termination of the personnel engagement. Uptake shall take commercially reasonable steps to ensure the reliability of any Uptake personnel engaged in the processing of Personal Data. Uptake shall ensure that Uptake's access to Personal Data is limited to those personnel who are necessary to provide the Services.


5. SUB-PROCESSORS

You acknowledge and agree that Uptake may engage affiliate and third-party Sub-processors to assist with or conduct the Processing of Your Data for the purpose of performing the Services, provided that Uptake: (i) exercises appropriate due diligence in selecting the Sub-processor; (ii) requires the Sub-processor to enter into a written contract that requires the Sub-processor to comply, in substance, with the confidentiality and security requirements under this DPA; and (iii) monitors the subcontractor to confirm that it complies in substance with the confidentiality and security requirements under this DPA.


6. SECURITY

Uptake shall implement and maintain reasonable administrative, technical and physical safeguards appropriate to the complexity, nature and scope of its activities aimed at protecting Your Data against accidental or unlawful destruction, loss, or unauthorized access or disclosure.


7. PERSONAL DATA BREACH MANAGEMENT AND NOTIFICATION

Uptake shall notify You without undue delay after becoming aware of a Personal Data Breach. Uptake shall make reasonable efforts to identify the cause of such Personal Data Breach and take such steps as Uptake deems necessary and reasonable to remediate the cause of such a Personal Data Breach to the extent the remediation is within Uptake’s reasonable control. The obligations herein shall not apply to incidents that are caused by You. You are solely responsible for maintaining current and accurate contact information with Uptake, including for Your administrators. At Your request, Uptake will provide reasonable assistance and co-operation to assist You in fulfilling any applicable notification obligations under Data Protection Laws with respect to a Data Incident. Uptake’s notification of, or response to, a Personal Data Breach shall not be construed as an acknowledgment by Uptake of any fault or liability with respect to its performance under the Agreement or this DPA.


8. RETURN OR DELETION OF PERSONAL DATA

Upon termination of the Services for which Uptake is Processing Personal Data, Uptake shall, upon Your request, and subject to the limitations described in the Agreement, return all of Your Data in Uptake’s possession to You or securely destroy Your Data, and demonstrate to Your satisfaction that it has taken such measures, unless applicable law prevents it from returning or destroying all or part of Your Data.


9. AUDITS AND ASSESSMENTS

Uptake shall, on written request, make available to You information that is reasonably necessary to demonstrate compliance with Uptake’s obligations under this DPA and permit and contribute to reasonable audits conducted by You or an auditor retained by You. Upon Your request, Uptake shall provide You with reasonable cooperation and assistance needed to fulfill Your obligations under Data Protection Laws to carry out a data protection impact assessment related to Your use of the Services, to the extent You do not otherwise have access to the relevant information, and to the extent such information is available to Uptake.


10. INTERNATIONAL TRANSFERS

All transfers of Your Data out of the European Union, European Economic Area, United Kingdom, and Switzerland to countries that do not ensure an adequate level of data protection within the meaning of the Data Protection Laws in Europe and United Kingdom, including transfers into the United States, are governed by the standard contractual clauses for transfers from controllers to processors, processors to processors and/or controllers to controllers, as applicable, approved by the UK Information Commissioner and/or the European Commission, as amended or superseded from time to time (the “Standard Contractual Clauses” or “SCCs”). For Personal Data subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the relevant SCCs are the Standard Contractual Clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and the Council approved by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as currently set out at https://eur-lex.europa.eu/eli/.... For Personal Data subject to UK Data Protection Laws, the relevant SCCs are the International Data Transfer Agreement, and the International Data Transfer Addendum, which are currently available at https://ico.org.uk/for-organisations/guide-to-data-protection... To the extent applicable, the parties agree that the terms of the transfer shall be governed by the applicable SCCs, as well as the operative provisions and additional terms contained in Schedule 1 to this DPA.


Schedule 1

Transfer Mechanisms for European Data Transfers

1. STANDARD CONTRACTUAL CLAUSES OPERATIVE PROVISIONS AND ADDITIONAL TERMS

For the purposes of the SCCs, You are the data exporter and Uptake is the data importer and the Parties agree to the following:

1.1 Reference to the Standard Contractual Clauses. The relevant provisions contained in the Standard Contractual Clauses are incorporated by reference and are an integral part of this DPA.

1.2 Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in clauses 8.5 and 16(d) of the Standard Contractual Clauses shall be provided by Uptake to You only upon Your written request.

1.3 Instructions. This DPA and the Agreement are Your complete and final documented instructions at the time of signature of the Agreement to Uptake for the Processing of Personal Data. Any additional or alternate instructions must be consistent with the terms of this DPA and the Agreement. For the purposes of clause 8.1(a), the instructions by You to Process Personal Data are set out in Section 2.3 of the DPA and include onward transfers to a third party located outside Europe for the purpose of the provision of the Services.

1.4 Security of Processing. For the purposes of clause 8.6(a), You are solely responsible for making an independent determination as to whether the security measures meet Your requirements and agree that (taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the Processing of Your Data as well as the risks to individuals) the security measures and policies implemented and maintained by Uptake provide a level of security appropriate to the risk with respect to Your Data. For the purposes of clause 8.6(c), Personal Data Breaches will be handled in accordance with Section 7 (Personal Data Breach Management and Notification) of the DPA.

1.5 Audits of the SCCs. The parties agree that the audits described in clause 8.9 of the Standard Contractual Clauses shall be carried out in accordance with Section 9 of the DPA.

1.6 General authorization for use of Sub-processors. Option 2 under clause 9 shall apply. For the purposes of clause 9(a), Uptake has Your general authorization to engage Sub-processors in accordance with Section 5 of the DPA. Upon written request, Uptake shall make available to You the current list of Sub-processors. Where Uptake enters into a processor to processor SCC with a Sub-processor in connection with the provision of the Services, You hereby grant Uptake and Uptake’s affiliates authority to provide a general authorization on Controller's behalf for the engagement of Sub-processors by Sub-processors engaged in the provision of the Services, as well as decision making and approval authority for the addition or replacement of any such Sub-processors.

1.7 Complaints - Redress. For the purposes of clause 11, and subject to Section 3 of the DPA, Uptake shall inform Data Subjects on its website of a contact point authorized to handle complaints. Uptake shall inform You if it receives a complaint by, or a dispute from, a Data Subject with respect to Personal Data and shall without undue delay communicate the complaint or dispute to You. Uptake shall not otherwise have any obligation to handle the request (unless otherwise agreed with You). The option under clause 11 shall not apply.

1.8 Liability. Uptake’s liability under clause 12(b) shall be limited to any damage caused by its Processing where Uptake has not complied with its obligations under the GDPR specifically directed to Processors, or where it has acted outside of or contrary to lawful instructions of You, as specified in Article 82 GDPR.

1.9 Supervision. Clause 13 shall apply as follows:

  • 1.9.1 Where You are established in an EU Member State, the supervisory authority with responsibility for ensuring compliance by You with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
  • 1.9.2 Where You are not established in an EU Member State but fall within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and have appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
  • 1.9.3 Where You are not established in an EU Member State but fall within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without, however, having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679, Data Protection Commission, 21 Fitzwilliam Square South, Dublin 2, D02 RD28, Ireland shall act as competent supervisory authority.
  • 1.9.4 Where You are established in the United Kingdom or fall within the territorial scope of application of UK Data Protection Laws, the Information Commissioner's Office shall act as competent supervisory authority.
  • 1.9.5 Where You are established in Switzerland or fall within the territorial scope of application of Swiss Data Protection Laws, the Swiss Federal Data Protection and Information Commissioner shall act as competent supervisory authority insofar as the relevant data transfer is governed by Swiss Data Protection Laws.
  • 1.9.6 Where You are established in the United States or fall within the territorial scope of application of U.S. Data Protection Laws, the authority set forth in the applicable state territory shall act as the competent supervisory authority insofar as the relevant data transfer is governed by applicable U.S. Data Protection Laws and does not fall under U.S. federal supervision.

1.10 Notification of Government Access Requests. For the purposes of clause 15(1)(a), Uptake shall notify You (only) and not the Data Subject(s) in case of government access requests. You shall be solely responsible for promptly notifying the Data Subject as necessary.

1.11 Governing Law. The governing law for the purposes of clause 17 shall be the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The parties agree that this shall be the law of the United Kingdom.

1.12 Choice of forum and jurisdiction. The courts under clause 18 shall be those designated in the Venue section of the Agreement. If the Agreement does not designate an EU Member State court as having exclusive jurisdiction to resolve any dispute or lawsuit arising out of or in connection with this Agreement, the parties agree that the courts of either (i) where the Agreement designates a State or District of the United States as having exclusive jurisdiction, that State or District of the United States; or (ii) where the Agreement designates the United Kingdom as having exclusive jurisdiction, the United Kingdom, shall have exclusive jurisdiction to resolve any dispute arising from the Standard Contractual Clauses. For Data Subjects habitually resident in Switzerland, the courts of Switzerland are an alternative place of jurisdiction in respect of disputes.

1.13 Data Exports from the United Kingdom and Switzerland under the Standard Contractual Clauses. In case of any transfers of Personal Data from the United Kingdom and/or transfers of Personal Data from Switzerland subject exclusively to the Data Protection Laws of Switzerland (“Swiss Data Protection Laws”), (i) general and specific references in the Standard Contractual Clauses to GDPR or EU or Member State Law shall have the same meaning as the equivalent reference in the UK Data Protection Laws or Swiss Data Protection Laws, as applicable; and (ii) any other obligation in the Standard Contractual Clauses determined by the Member State in which the data exporter or Data Subject is established shall refer to an obligation under UK Data Protection Laws or Swiss Data Protection Laws, as applicable. In respect of data transfers governed by Swiss Data Protection Laws, the Standard Contractual Clauses also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.

1.14 Conflict. The Standard Contractual Clauses are subject to this DPA and the additional safeguards set out hereunder. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.