1.1 This DPA sets out the parties’ respective obligations and all other terms governing the parties’ Processing of Personal Data in connection with the Software Services Agreement (the “Agreement”).
2.1 Capitalised terms used but not defined in this DPA shall have the meaning set forth in the Agreement.
2.2 The following terms have the following meanings when used in this DPA:
“Controller” has the meaning given to that term in Data Protection Law;
“Data Protection Law” means any laws or regulations that apply from time to time to the Processing of Personal Data by either Party under this Agreement, and includes the EU Data Protection Directive 95/46/EC, the EU Privacy & Electronic Communications Directive 2002/58/EC, Regulation (EU) 2016/679, the U.S. Privacy Laws, the UK Data Protection Act 2018 (“DPA 2018”), the UK GDPR as defined by section 3(10), as amended by section 205(4) of the DPA 2018 (“UK GDPR”), all national implementing legislation and subordinate legislation in the United Kingdom and any applicable decisions made under them;
“Data Subject” means an individual who is the subject of any of the Disclosed Data;
“Data Subject Request” means a written request by or on behalf of a Data Subject to exercise any rights conferred by Data Protection Law;
“Disclosed Data” means the Personal Data disclosed to Direct Software by or on behalf of You in connection with the Purpose, as set out in Annex I to this DPA;
“European Economic Area” means the member states of the European Economic Area, from time to time, and for the purposes of this Agreement will include the United Kingdom notwithstanding any departure of the United Kingdom from the European Economic Area;
“GDPR” means Regulation (EU) 2016/679 and the UK GDPR;
“Personal Data” and “Processing” each have the meanings given to them in Data Protection Law and “Process” and any other tense or part of that verb will be interpreted accordingly;
“Processor” has the meaning given to that term in Data Protection Law and means the same as “Service Provider” or “Contractor” as those terms are defined in the U.S. Privacy Laws;
“Purpose” means the provision by Direct Software of the Services under this Agreement;
“Sale” and “Selling” have the meaning defined in the U.S. Privacy Laws;
“Sensitive Data” means data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, criminal convictions and offences or related security measures, genetic data, biometric data, data concerning health or data concerning a natural person’s sex life or sexual orientation, and shall include “Sensitive Personal Data,” as applicable, as defined in the CCPA;
“Share,” “Shared,” and “Sharing” have the meaning defined in the CCPA;
“Sub-Processor” has the meaning given to that term in Clause 5.1 below;
“U.S. Privacy Laws” means, collectively, all U.S. federal and state privacy laws and their implementing regulations, as amended or superseded from time to time, that apply generally to the processing of individuals’ Personal Data and that do not apply solely to specific industry sectors (e.g., financial institutions), specific demographics (e.g., children), or specific classes of information (e.g., health or biometric information). U.S. Privacy Laws include, but are not limited to, the following:
• California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (“CCPA”);
• Colorado Privacy Act;
• Connecticut Personal Data Privacy and Online Monitoring Act;
• Delaware Personal Data Privacy Act;
• Indiana Consumer Data Protection Act;
• Iowa Consumer Data Protection Act;
• Kentucky Consumer Data Protection Act;
• Maryland Online Data Privacy Act;
• Minnesota Consumer Data Privacy Act;
• Montana Consumer Data Privacy Act;
• Nebraska Data Privacy Act;
• Nevada Consumer Health Data Privacy Act (Senate Bill 370, 82nd Session, 2023);
• New Hampshire Act Relative to the Expectation of Privacy;
• New Jersey Act Concerning Online Services, Consumers, and Personal Data;
• Oregon Consumer Privacy Act;
• Rhode Island Data Transparency and Privacy Protection Act;
• Tennessee Information Privacy Act;
• Texas Data Privacy and Security Act;
• Utah Consumer Privacy Act; and
• Virginia Consumer Data Protection Act.
In the event of a conflict in the meanings of defined terms in the U.S. Privacy Laws, the meaning from the law applicable to the state of residence of the relevant Consumer applies.
2.3 Where any expression is defined in this Agreement by reference to a particular Data Protection Law and that Data Protection Law is amended, extended, applied, consolidated or re-enacted such that the relevant expression is no longer used, the expression shall be interpreted to refer to the term used within the Data Protection Law as amended, extended, applied, consolidated or re-enacted that most closely relates to the meaning of that expression prior to the amendment, extension, application, consolidation or re-enactment of such Data Protection Law.
3.1 You and Direct Software acknowledge that, for the purposes of Data Protection Law, You are the Controller and Direct Software is the Processor of any Disclosed Data. Each party will comply with its obligations under Data Protection Law.
3.2 You warrant and represent that the Processing of the Disclosed Data instructed by You under this Agreement is lawful.
3.3 You warrant and represent that You will be solely responsible for Your and Your Users’ own compliance with Data Protection Laws while using Direct Software services and systems.
3.4 You agree that You are responsible for ensuring that the security of the Services is appropriate for Your intended use and the storage, hosting, or processing of Personal Data.
4.1 Direct Software will:
(a) Process the Disclosed Data only to the extent, and in such a manner, as is necessary for the limited and specific Purpose of delivering services and in accordance with Your documented instructions, which are documented in the Agreement, this DPA and any statement of work. Direct Software is prohibited from (i) Selling or Sharing Your Disclosed Data, (ii) retaining, using, or disclosing Your Disclosed Data for any purpose other than for the specific purpose of performing the services specified in Annex I, (iii) retaining, using, or disclosing Your Disclosed Data outside of the direct business relationship between the Parties, and (iv) combining Your Disclosed Data with Personal Data obtained from, or on behalf of, sources other than You, except as expressly permitted under applicable Data Protection Law;
(b) in accordance with Direct Software’s obligations under Data Protection Law, implement appropriate technical and organisational measures so as to ensure a commercially appropriate level of security is adopted to mitigate the risks associated with the Processing of such Disclosed Data, including the security measures listed in Annex II, which You acknowledge are appropriate in relation to the risks associated with Processing Your Disclosed Data;
(c) ensure that the Disclosed Data is processed only by Affiliates, employees, contractors, Sub-Processors or other personnel that are subject to an appropriate duty of confidentiality with respect to Your Disclosed Data;
(d) not transfer any of the Disclosed Data to a third party outside the European Economic Area, except upon and in accordance with Data Protection Law, and where the Sub-Processor ensures appropriate safeguards pursuant to Articles 46 or 47 of the GDPR, or the onward transfer is to a country benefitting from an adequacy decision;
(e) comply with the obligations of the Data Protection Laws and shall provide the level of privacy protection required by the Data Protection Laws. Upon Your reasonable request, Direct Software shall make available to You all information in Direct Software’s possession necessary to demonstrate Direct Software’s compliance with this subsection;
(f) promptly notify You if it determines that it can no longer meet its obligations under applicable Data Protection Laws. Upon receiving notice from Direct Software in accordance with this subsection, You may direct Direct Software to take reasonable and appropriate steps to stop and remediate unauthorized use of Your Disclosed Data.
4.2 At Your cost and expense Direct Software will take the following actions, as are reasonably necessary in each case, to enable You to demonstrate compliance with Data Protection Law in connection with this Agreement:
(a) promptly comply with any commercially reasonable request from You requiring Direct Software to update or otherwise amend, transfer, delete or destroy the Disclosed Data, provided that Direct Software will not be in breach of any other obligation under this Agreement to the extent that Direct Software cannot perform that obligation as a result of its compliance with this Clause 4.2(a);
(b) assist You to the extent reasonably required under Data Protection Law in responding to any relevant Data Subject Request;
(c) assist You to the extent reasonably required with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Direct Software;
(d) subject to compliance with Direct Software’s relevant policies and procedures and upon reasonable notice, permit You to exercise a reasonable right of audit in relation to Direct Software’s records and procedures relating to the Processing of Disclosed Data, provided that Direct Software will not be obliged to disclose any information which is subject to third party confidentiality undertakings and such right of audit shall not be exercised more than once in any 12 month period (other than where required by a regulator). The audit shall be conducted during normal business hours and in a manner that causes minimal disruption.
5.1 You agree that Direct Software may deliver the Services or Software to You with the assistance of its Affiliates, licensors, and service providers in connection with the Processing of the Disclosed Data (each a “Sub-Processor”). Direct Software shall maintain a record of any Sub-Processors that are utilised or otherwise contemplated by Direct Software from time to time. A list of Direct Software’s Sub-Processors is available upon request. Direct Software shall impose obligations on that Sub-Processor substantially equivalent to those applying to Direct Software under this DPA with respect to Your Disclosed Data. You authorise the use of the following as a Sub-Processor:
(a) any Affiliate of Direct Software;
(b) any such Processors as contemplated by that record as at the date of the Agreement; and
(c) any other Sub-Processors utilised by Direct Software from time to time, provided that where there is an addition or replacement of any Sub-Processor, Direct Software shall inform You in advance of any such intended changes. If You, acting reasonably, object in writing to such addition or replacement within 30 calendar days of receipt of notice, the Parties shall discuss in good faith Your concerns and Direct Software shall use reasonable efforts to make a change to the affected Services or to propose a commercially reasonable change that avoids the need to utilise that Sub-Processor. If Direct Software is unable to implement such a change within 60 days of receipt of Your objection, then You acknowledge that Your sole remedy is to terminate this Agreement (in respect of those affected Services only) on not less than 30 days’ notice in writing.
5.2 Where a Sub-Processor is located outside the European Economic Area, Direct Software shall comply with Clause 4.1(d) for such international data transfers.
5.3 Direct Software will contractually require its Sub-Processors to implement the same or at least equivalent technical and organizational measures to be able to provide assistance to You.
6.1 Except to the extent that Direct Software is required by law to retain any copies of any Disclosed Data, upon the expiry or termination of this Agreement Direct Software and its Sub-Processors will deliver to You, or destroy and/or permanently delete from their information technology systems, all copies of any Disclosed Data in their possession. If You require Direct Software to extract and/or transfer to You any Disclosed Data then an administration fee may apply.
6.2 Nothing in this Agreement relieves either party of its own direct responsibilities and liabilities under Data Protection Law.
Categories of Data Subjects whose Personal Data is processed by Direct Software:
• Company’s employees
• Company’s prospects & contacts that they upload to Direct Software.
Categories of Personal Data processed by Direct Software:
• First and last name
• Contact information including billing address, email address, and telephone number
• Payment or credit/debit card details and details about payments
• Content of emails in mailboxes connected to our Services
• Prospect email addresses and other contact information uploaded by customers.
Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None
Nature and purpose(s) of the Processing: The Personal Data will be processed and transferred as described in the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
Direct Software will apply the following types of security measures to the Disclosed Data:
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in the premises and facilities of Direct Software’s infrastructure (managed by AWS) (including databases, application servers and related hardware), where Disclosed Data are Processed, include:
- Establishing security areas, restriction of access paths;
- Establishing access authorizations for employees and third parties;
- Access control system (ID reader, magnetic card, chip card);
- Key management, card-keys procedures;
- Door locking (electric door openers etc.);
- Security staff;
- Surveillance facilities, video/CCTV monitor, alarm system; and
- Securing decentralized data processing equipment and personal computers.
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
- User identification and authentication procedures;
- Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password);
- Automatic blocking (e.g. password or timeout);
- Creation of one master record per user, user-master data procedures per data processing environment; and
- Encryption of archived data media.
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Disclosed Data in accordance with their access rights, and that Disclosed Data cannot be read, copied, modified or deleted without authorization, include:
- Internal policies and procedures;
- Control authorization schemes;
- Differentiated access rights (profiles, roles, transactions and objects);
- Monitoring and logging of accesses;
- Disciplinary action against employees who access Disclosed Data without authorization;
- Reports of access;
- Access procedure;
- Change procedure;
- Deletion procedure; and
- Encryption.
Technical and organizational measures to ensure that Disclosed Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Disclosed Data are disclosed, include:
- Encryption/tunneling;
- Logging; and
- Transport security.
Technical and organizational measures to monitor whether Disclosed Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
- Logging and reporting systems; and
- Audit trails and documentation.
Technical and organizational measures to ensure that Disclosed Data are protected against accidental destruction or loss (physical/logical) include:
- Backup procedures;
- Uninterruptible power supply (UPS);
- Remote storage;
- Anti-virus/firewall systems; and
- Disaster recovery plan.
Technical and organizational measures to ensure that Disclosed Data collected for different purposes can be Processed separately include:
- Separation of databases;
- Segregation of functions (production/testing); and
- Procedures for storage, amendment, deletion, transmission of data for different purposes.
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
- Periodical review and test of disaster recovery plan;
- Testing and evaluation of software updates before they are installed;
- Authenticated (with elevated rights) vulnerability scanning; and
- Test bed for specific penetration tests and Red Team attacks.
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
- Certification/assurance of processes and products;
- Processes for data minimization;
- Processes for data quality;
- Processes for limited data retention;
- Processes for ensuring accountability; and
- Data subject rights policies.