This Data Processing Addendum (“DPA”) forms part of the Agreement entered into by and between Customer and Company. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of Services Personal Data in accordance with the requirements of Data Protection Laws.
CCPA: means the California Consumer Privacy Act of 2018, Cal. Civ. Code Sections 1798.100-1798.199, including its regulations and the implemented amendments made by the California Privacy Rights Act of 2020.
Controller: the person who, either alone or with others, determines the purpose and means of the processing of Personal Data;
Company Personnel: employees, agents and independent contractors of the Company.
Company Platform: Company’s software as a service platform available at http://platform.carbonchain.io/login;
Customer: the party identified as Customer in the Order Form;
Data Protection Laws: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) all U.S. laws and regulations that apply to processing of personal data under this Agreement including but not limited to CCPA; and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii), (iii) or (iv); in each case as may be amended or superseded from time to time;
Data Subject: an identified or identifiable natural person to whom the Personal Data relates;
EEA: the European Economic Area;
Personal Data Breach: means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Services Personal Data;
Processing and process: has the meaning given to that term in the EU GDPR or UK GDPR, as applicable.
Processor: a person which processes Personal Data on behalf of the Controller.
Restricted Transfer: (i) where the EU GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not the subject of adequacy regulations made pursuant to Section 17A of the United Kingdom Data Protection Act 2018;
Services Personal Data: Personal Data processed on the Company Platform. This excludes Personal Data which is not processed on the Company Platform, e.g. billing and support communications for which Company acts as Controller; and
Standard Contractual Clauses: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
Note: Capitalised Terms not defined in the DPA are as defined in the Agreement.
3.1. The Customer is the controller of all Services Personal Data and the Company acts as a processor of Services Personal Data.
3.2. Services Personal Data includes, without limitation, (a) processing by Customer or Authorised Users on the Company Platform; or (b) processing by Company on behalf of Customer or Authorised Users on the Company Platform due to such events as (i) data import or export; (ii) transfer and processing occurring due to an integration with a third party service requested by the Customer, or (iii) information relating to support processed through the Company Platform.
3.3. The Company is the controller of all Personal Data processed in connection with the Services that is not processed through the Company Platform. This includes emails between the Customer and Company and other interactions between the Customer and Company that do not occur through the Services. The processing of Personal Data by Company that is not processed through the Company Platform is subject to Company’s Privacy Notice and Cookie Policy available at https://www.carbonchain.com/privacy-policy.
3.4. Under no circumstance is Customer permitted to use the Services to process ‘special categories of personal data’ as such term is understood under the GDPR or any other information which is subject to elevated data processing responsibilities in Customer’s jurisdiction, or any jurisdiction in which Company operates, including without limitation social security numbers, driver’s license numbers, national ID numbers, medical or health care data, or credit card or other payment or banking information.
4.1. The details of the processing contemplated under this DPA are contained at Schedule 2.
4.2. The Company may provide notice of change to Schedule 2, or to the remainder of this DPA, where an update is required due to changes to the Services or changes required due to applicable Data Protection Laws, including their interpretation.
5.1 As the processor with respect to Personal Data, Company acknowledges and agrees that:
5.1.1. Company must, and shall procure that its sub-processors shall, process Services Personal Data only for the purposes of fulfilling its obligations under this Agreement and in accordance with relevant documented instructions from Customer (unless required to do so by a Union or member state law to which Company is subject; in such a case Company shall inform Customer of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest). Customer agrees to provide Company with documented instructions relating to Services Personal Data under the Agreement.
5.1.2. Company agrees to make reasonable efforts to assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing and the information available to Company.
5.1.3. Company will not disclose any Services Personal Data to a third party, except at Customer’s specific request or where obliged to do so under any statutory or other legal requirement (in which case Company will use reasonable endeavors to advise Customer in advance of such disclosure and in any event immediately thereafter); and
5.1.4. Company will transfer Services Personal Data outside the European Economic Area (“EEA”), solely under the terms of Section “Transfers of Personal Data Outside the EEA” (below).
5.1.5. Company will not "sell" or "share" Personal Data, as such terms are defined in the CCPA.
6.1. As the controller relating to Personal Data, Customer acknowledges and agrees that:
6.1.1. Customer has and will continue to abide by an appropriate privacy policy relating to the collection and use of Personal Data.
6.1.2. Customer shall, at all times, comply with Customer’s obligations as controller and shall procure that Customer’s subcontractors or agents and all Authorized Users comply with their obligations under all applicable Data Protection Laws in relation to all Services Personal Data processed on Customer’s behalf under this DPA.
6.1.3. Customer shall ensure that Customer’s personnel and all relevant third parties have been informed of, and have given their consent, as required by applicable Data Protection Laws, to the specific use, processing, and transfer of Services Personal Data as contemplated by this DPA and the processing of Personal Data by Company related to the Services that occurs outside of the Services. This also includes consent to the use of cookies and more particularly the specific cookies that are used by Company in delivering the Services, and the specific data collected.
6.1.4. Customer shall comply with:
(a) all applicable Data Protection Laws in connection with the processing of Services Personal Data and the Personal Data that occurs outside the Services and in the exercise and performance of Customer’s respective rights and obligations under this Agreement; and
(b) the terms of this Data Processing Agreement and the Agreement.
6.1.5. Customer warrants, represents and undertakes, that:
(a) all data sourced by Customer for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with applicable Data Protection Laws;
(b) all instructions given by it to Company in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and
6.1.6. Customer shall not withhold, delay or condition Customer’s agreement to any change to this Agreement requested by Company in order to ensure the Services and Company (and each sub-processor) can comply with Data Protection Laws.
7.1. Each party agrees to take appropriate, and industry standard, technical and organizational measures against unauthorized or unlawful access or processing of Personal Data in connection with this Data Processing Agreement and the Agreement or its accidental loss, destruction or damage, such as appropriate Company Platform and network access controls, intrusion detection and prevention services, network segmentation and encryption.
7.2. Company shall, and shall procure that its sub-processors shall, take all reasonable steps to ensure that Services Personal Data processed in connection with this Data Processing Agreement and the Agreement is processed in compliance with the obligations under Article 32 of the GDPR relating to security of processing.
8.1. Company will promptly notify Customer of any known or reasonably suspected breach of security leading to a Personal Data Breach.
8.2. In respect of any Personal Data Breach, the Company shall:
8.2.1. notify the Customer of the Personal Data Breach without undue delay (but in no event later than 48 hours after becoming aware of the Personal Data Breach); and
8.2.2. provide the Customer without undue delay (and wherever possible, no later than 72 hours after becoming aware of the Personal Data Breach) with such details as the Customer reasonably requires regarding:
(a) the nature of the Personal Data Breach (including in respect of Services Personal Data, the categories and approximate numbers of data subjects and Services Personal Data records concerned);
(b) any investigations into such Personal Data Breach;
(c) the likely consequences of the Personal Data Breach; and
(d) any measures taken, or that the Company recommends, to address the Personal Data Breach, including to mitigate its possible adverse effects,
provided that (without prejudice to the above obligations) if the Company cannot provide all these details within the timeframes set out in this clause 8.2, it shall (before the end of such timeframes) provide the Customer with reasons for the delay and when it expects to be able to provide the relevant details (which may be phased), and give the Customer regular updates on these matters.
8.3. If a Personal Data Breach occurs the Company shall:
8.3.1. take such steps and do all acts and things as the Customer requires in order to mitigate the effects of the Personal Data Breach; and
8.3.2. restore to the last available backup any Customer Data that has been lost, damaged or destroyed by the Personal Data Breach.
Company will make available to Customer all information necessary to demonstrate compliance with the data processing obligations laid down in this DPA, including by allowing for and contributing to reasonable audits to determine Company’s compliance with its obligations under this DPA. These audits (at a frequency of no more than once per year, except where there is reason to suspect that a breach of the obligations may have occurred) may be conducted by Customer, auditors mandated by Customer, or public authorities in competent jurisdictions, subject to Customer and Customer’s auditors (if relevant) undertaking reasonable and appropriate confidentiality obligations.
Company shall, and shall procure that its sub-processors shall, ensure that any persons to whom Company discloses Services Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality with respect to the Personal Data.
Sub-processors appointed by Company:
11.1. The Services are provided on a software-as-a-service, hosted basis. As such, Company uses third party providers to provide certain services, including hosting. These are listed at Schedule 3.
11.2. These sub-processors will have access to certain data, including relevant Services Personal Data; however, such sub-processors are only permitted to process data for the purposes of providing their specifically contracted services to Company.
11.3. Company will use commercially reasonable efforts to ensure that such sub-processors utilize reasonable industry recognized security measures to protect against loss, misuse and unauthorized viewing of the information Customer provides to Company. While Company holds ISO 27001 certification, not all Company sub-processors have achieved this certification; however, where Company sub-processors do not hold ISO 27001 certification, they have SOC 2 compliance and their access to the Services is limited to specific tasks.
Third Party Providers Appointed by Customer:
11.4. Customer may elect to subscribe to services that can integrate with the Services.
11.5. Where Customer chooses to integrate with a third party service, this may entail providing Company with access to Personal Data held by such third party service, and may require the providers of such third party service to have access to Services Personal Data. Company will only transfer Services Personal Data to providers of third party service or other third parties appointed by Customer on written instructions from Customer. Customer must notify Company and put in place a written contract between Customer and Company as required under Article 28 GDPR relating to any extra categories of Personal Data that Company will process on behalf of Customer due to such integration.
11.6. With regard to third party providers, Customer acknowledges and agrees that:
11.6.1. Company has no contractual relationship with such third parties, and no responsibility for Services Personal Data once such a transfer commences, nor for the duration such third party holds the relevant data. Company does not audit the adequacy or otherwise confirm the security or organizational measures employed by such third parties, which is Customer’s sole responsibility.
11.6.2. Customer is responsible for ensuring that Customer’s and Company’s use of the Services and integration with a third party service complies with any service terms of the applicable third party service. Company is not required to maintain Services Personal Data collected in breach of any relevant data protection or other applicable laws.
11.7. Company makes no representations as to the appropriateness or legality of Customer’s choice to permit such third parties to have access to its Services Personal Data, and Customer is responsible for ensuring that it has all requisite consents and has provided any required notices to data subjects with respect to this processing of their data. Company is not responsible for the processing of Services Personal Data by third party services.
11.8. COMPANY HEREBY DISCLAIMS ALL RESPONSIBILITY FOR THE ACTIONS OF SUCH THIRD PARTIES OR FOR LOSS, DAMAGES, OR CLAIMS ARISING AS A RESULT OF DEPLOYING INTEGRATION CODE FACILITATING TRANSFERS OF PERSONAL DATA OR MAKING A TRANSFER OF PERSONAL DATA ON CUSTOMER’S BEHALF. COMPANY MAKES NO REPRESENTATIONS OR WARRANTIES AS TO THE SUITABILITY OF SUCH THIRD PARTY FOR RECEIPT OF PERSONAL DATA NOR OF THE SUITABILITY OF THE THIRD PARTY SERVICES TO PROCESS PERSONAL DATA.
12.1. Company may only authorise a sub-processor to process Services Personal Data provided that Company has entered into a written agreement with such sub-processor on terms which are substantially the same as those set out in this DPA. Where a sub-processor fails to fulfil its data protection obligations, Company shall remain liable to Customer for the performance of the data protection obligations of the relevant sub-processor.
12.2. Customer provides a general authorisation to Company to engage the sub-processors that are appointed on the date this DPA comes into force.
12.3. Company will give Customer thirty (30) days’ notice of any intended change in the sub-processors that will process Services Personal Data under this Agreement and Customer shall be entitled to make any objections thereto. If no objections have been received within ten (10) days, the proposed sub-processor shall be deemed accepted. If Customer does not agree to the sub-processor, the parties shall attempt to settle the disagreement and if the parties cannot agree on the use of a sub-processor, Company may terminate this Agreement by providing written notice, such termination to take effect on the later of (i) the date on which Company will commence using the services of the relevant sub-processor in relation to the Services provided to Customer or (ii) one (1) month after the date of Customer’s written notice.
13.1. Services Personal Data may be transferred or stored outside the country where Customer or Customer’s Authorised Users are located in order to carry out the Services and Company’s other obligations under the Agreement.
13.2. The parties agree that when the transfer of Services Personal Data from Customer to Company is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
13.2.1. in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Two will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Clause 12.3 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 5 to this Agreement;
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 4 to this Agreement; and
(ix) Annex III of the EU SCCs shall be deemed completed with the information set out in Schedule 3 to this Agreement;
13.2.2. in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) Annex 1A of the UK SCCs shall be deemed completed with the information set out in Schedule 5 to this Agreement;
(ii) Annex 1B shall be deemed completed with the information set out in Schedule 2 of this Agreement;
(iii) Annex II of the UK SCCs shall be deemed completed with the information set out in Schedule 4 to this Agreement;
(iv) Annex III of the UK SCCs shall be deemed completed with the information set out in Schedule 3 to this Agreement; and
(v) Table 4 of the UK SCCs shall be answered with “neither party”.
13.2.3. in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.3 The parties agree that when the transfer of Services Personal Data from Company to Customer is a Restricted Transfer it shall be subject to the appropriate Standard Contractual Clauses as follows:
13.3.1 in relation to data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(i) Module Four will apply;
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 11, the optional language will not apply;
(iv) in Clause 17, the EU SCCs will be governed by Irish law;
(v) in Clause 18, disputes shall be resolved before the courts of Ireland;
(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 5 to this Agreement;
13.3.2. in relation to data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:
(i) Annex 1A of the UK SCCs shall be deemed completed with the information set out in Schedule 5 to this Agreement;
(ii) Annex 1B shall be deemed completed with the information set out in Schedule 2 of this Agreement;
(iii) Annex II of the UK SCCs shall be deemed completed with the information set out in Schedule 4 to this Agreement; and
(iv) Table 4 of the UK SCCs shall be answered with “neither party”.
13.3.3. in the event that any provision of this Agreement contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
13.4. Where Customer opts to send Services Personal Data to providers of third party services via integration, Customer agrees that providers of third party services are not sub-processors of Company for data protection purposes and such providers are Customer’s directly-contracted data processors acting under Customer’s instructions.
13.5. In making a request for Company to transfer Services Personal Data subject to GDPR and related privacy regulations outside of the EEA, Customer confirms that there is “an adequate level of protection” in place for such transfer as such term is understood under GDPR.
13.6. Customer will indemnify and hold harmless Company, its subsidiaries and affiliates (and their respective employees, directors, officers, shareholders, attorneys, agents and representatives) from and against any and all claims, costs, losses, damages, judgments, penalties, interest and expenses (including reasonable attorneys' fees and costs) from any claim, action, audit, investigation, regulatory action, inquiry or other proceeding that arises out of or relates to use of Services Personal Data by third party services providers, or other transferees, or Customer’s failure to comply with any applicable laws and regulations in connection with the transfer of the Services Personal Data outside the EEA including any applicable data protection legislation or that arises out of or relates to any subsequent use of the Services Personal Data by the relevant transferee. This indemnification obligation set forth herein shall survive the termination of Customer’s use of the Services and/or the termination of the Agreement.
13.7. Company agrees to enter into a SCC Agreement with Customer where reasonably required to ensure an “adequate level of protection” is in place for the transfer of such Personal Data outside the EEA.
13.8. The parties agree to cooperate where, due to changes in law or practice, an alternate data transfer mechanism is required to be put into operation to ensure an “adequate level of protection” is in place for transfer of data outside the EEA under GDPR.
14.1. Company will promptly assist Customer with all notices, requests or other enquiries relating to the data protection rights which may be received by Customer or Company, at Customer’s reasonable expense.
14.2. Company will not respond to any subject access request without the Customer’s prior written approval unless required to do so by law or direction of a relevant regulator.
Immediately on termination or expiry of this Agreement, or otherwise on Customer’s request, Company must and shall procure that its sub-processors shall:
i) return all Services Personal Data to Customer; or
ii) destroy all the Services Personal Data, in a manner agreed to by Customer;
at Customer’s election, unless a law binding on Company or its sub-processors prevents it from doing as requested or unless otherwise agreed in the Agreement (for example, where the Customer has requested Company continue to store Services Personal Data in order to ensure compliance with a legal obligation).
The obligations contained in this DPA are without prejudice to Company's other obligations under this Agreement and apply notwithstanding any permitted use or disclosure of confidential information in this Agreement.
17.1. Subject to clause 17.2, the costs of Company and its sub-processors to comply with their respective obligations as data processors under Data Protection Laws applicable in a specific jurisdiction shall be borne by Company and its sub-processors to the extent compliance with such obligations is necessary for Company and/or its sub-processors’ compliance with applicable Data Protection Laws in their role as data processors in the jurisdiction in question.
17.2. Notwithstanding clause 17.1, if Customer requests Company to take on compliance activities which go beyond the activities that Company is required to do as a processor under applicable Data Protection Laws, Company shall be entitled to its reasonable costs, and such costs shall be notified to Customer and agreed pursuant to a further SOW.
18.1. By using the Services to process Services Personal Data, Customer warrants and represents that Customer’s collection and processing of Services Personal Data does not breach the rights of any person or entity, including rights of publicity, privacy or under applicable Data Protection Laws, that Customer is entitled to transfer the relevant Services Personal Data to Company, and that Company is entitled to transfer Services Personal Data to its sub-processors and all third party providers (as directed) so that they each respectively may lawfully use, process and transfer such Services Personal Data in accordance with this DPA and the Agreement.
18.2. The liability of the Company relating to Personal Data processed in connection with the Services is limited to direct losses related to:
18.2.1. any breach by the Company of any of its Personal Data obligations under this DPA; or
18.2.2. the Company (or any person acting on its behalf) acting outside or contrary to the lawful processing instructions of the Customer in respect of the processing of Services Personal Data.
18.3. Any claims brought under or in connection with this DPA shall be subject to the Agreement, including but not limited to, the exclusions and limitations of liability set forth in the Agreement.
19.1. The parties agree that this DPA shall replace any existing data protection terms the parties may have previously entered into in connection with the Services relating to Services Personal Data.
19.2. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.