XTYPE DATA PROCESSING ADDENDUM
This Data Processing Addendum (“Addendum”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and XTYPE.IO LTD. (“Xtype”), and applies to the extent that (i) Xtype processes Personal Data on behalf of Customer in the course of providing Services, and (ii) the Agreement expressly incorporates this Addendum by reference. This Addendum does not apply where Xtype is the Controller. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified in this Addendum, the terms of the Agreement shall remain in full force and effect. Except where the context requires otherwise, references in this Addendum to the Agreement are to the Agreement as amended by, and including, this Addendum.
- In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
The agreement between Customer and Xtype under which Xtype provides Services to Customer;
Any of Customer’s Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement, but is not a “customer” as defined under the Agreement;
The Customer named in the Agreement together with Authorized Affiliates;
“Data Protection Laws”
EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
The European Union, the European Economic Area and/or their member states and Switzerland;
“EU Data Protection Laws”
EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
Personal data that is submitted to the Services by Customer and processed by Xtype or a Subprocessor for the purpose of providing the Services to Customer;
“Personal Data Breach”
A breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data;
The services and other activities ordered or subscribed to by Customer from Xtype in the Agreement;
“Standard Contractual Clauses”
The European Commission’s standard contractual clauses for the transfer of personal data to processors established in third countries (controller-to-processor transfers) under Directive 95/46/EC (notified under document C(2010) 593);
Any person or entity (including any third party and any Xtype Affiliate, but excluding an employee of Xtype or any of its sub-contractors) appointed by or on behalf of Xtype or any Xtype Affiliate to process Personal Data on behalf of Xtype in connection with the Agreement.
- The terms “controller”, “data subject”, “member state”, “personal data”, “process”, “processing”, and “supervisory authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- PROCESSING OF PERSONAL DATA
- As between Xtype and Customer, Xtype will process Personal Data under the Agreement only as a processor acting on behalf of the Customer.
- Xtype will only process Personal Data on behalf of and in accordance with Customer’s documented instructions. Customer instructs Xtype to process Personal Data for the following purposes: (a) as reasonably necessary for the provision of the Services and consistent with the Agreement; and (b) to comply with other reasonable instructions provided by Customer via support ticket, email, or otherwise where such instructions are consistent with the terms of the Agreement.
- The subject matter of the processing of Personal Data is the provision of the Services under the Agreement. Xtype will process Personal Data for the duration of the Agreement, unless otherwise agreed between Xtype and Customer in writing or as required by applicable law. The nature and purpose of Xtype’s processing of Personal Data is to perform the Services pursuant to the Agreement and as instructed by Customer in its use of the Services. The Personal Data processed may include but is not limited to the following categories of data subjects: Customer’s employees, contractors, suppliers, and vendors, and other third parties (who are natural persons). The Personal Data processed may include but is not limited to the following categories: name, title, identification data, or email address.
- Customer shall, in its use or receipt of the Services, transfer Personal Data in accordance with the requirements of Data Protection Laws and ensure that its instructions for the processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer takes full responsibility to keep the amount of Personal Data provided to Xtype to the minimum necessary for the performance of the Services.
- Xtype restricts its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and will ensure that any person authorized by Xtype to process Personal Data is subject to an obligation of confidentiality. Xtype shall take commercially reasonable steps to ensure the reliability of any Xtype personnel engaged in the processing of Personal Data. Xtype shall ensure that its access to Personal Data is limited to those personnel performing Services in accordance with the Agreement.
- Xtype shall in relation to the Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, Xtype shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.
- Customer authorizes (a) Xtype to appoint Xtype’s Affiliates as Subprocessors; and (b) Xtype and Xtype’s Affiliates to appoint third parties as Subprocessors in connection with the provision of the Services. As a condition to appointing a third-party as a Subprocessor, Xtype or a Xtype Affiliate will enter into a written agreement with each third-party Subprocessor containing data protection obligations that provide at least the same level of protection for Personal Data as those in this Addendum (to the extent applicable to the Services provided by such third-party Subprocessor). Xtype will be responsible for any acts and omissions of its Subprocessors that cause Xtype to breach any of Xtype’s obligations under this Addendum.
- Xtype may continue to use those Subprocessors already engaged by Xtype as of the date of this Addendum, and a list of such Subprocessors is available at ____________________ or is provided by Xtype to Customer upon Customer’s request.
- Xtype agrees (i) to provide prior notice to Customer of any new engagement of a Subprocessor to process Personal Data if the Customer has subscribed to receive notification via the mechanisms that Xtype provides for the specific Service; and (ii) if Customer objects to a new Subprocessor on reasonable data protection grounds within ten (10) days of receiving the notice, to discuss with Customer those concerns in good faith with a view to achieving resolution.
- DATA SUBJECT RIGHTS
- Taking into account the nature of the processing, Xtype shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise data subject rights under the Data Protection Laws in respect to Personal Data (“Data Subject Request”).
- Xtype shall: (i) promptly notify Customer if Xtype receives a Data Subject Request; (ii) not respond to a Data Subject Request except on the documented instructions of Customer or as required by applicable laws, in which case Xtype shall to the extent permitted by applicable laws inform Customer of that legal requirement before responding to the Data Subject Request; and (iii) to the extent Customer does not have the ability to address a Data Subject Request in relation to the Services, Xtype shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer to the extent Xtype is legally permitted to do so and the response is required under Data Protection Law. To the extent permitted by applicable law, Customer shall be responsible for any costs arising from Xtype’s provision of such assistance.
- PERSONAL DATA BREACH
- Xtype shall notify Customer without undue delay upon Xtype becoming aware of a Personal Data Breach affecting Personal Data which may require a notification to be made to a supervisory authority or data subject under Data Protection Law or which Xtype is required to notify to Customer under Data Protection Law, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform data subjects of the Personal Data Breach under Data Protection Law.
- To the extent such Personal Data Breach is caused by a violation of this Addendum by Xtype, Xtype shall provide commercially reasonable cooperation and assistance in identifying the cause of such Personal Data Breach and take commercially reasonable steps to remediate the cause to the extent the remediation is within Xtype’s control.
- IMPACT ASSESSMENT
- Xtype shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer by Data Protection Law, in each case solely in relation to processing of Personal Data taking into account the nature of the processing and information available to Xtype.
- DELETION OR RETURN OF PERSONAL DATA
- Upon expiration or termination of the Services involving the processing of Personal Data, Xtype shall, upon Customer’s request, and subject to any limitations described in the Agreement, return to Customer, or securely destroy, all Personal Data and demonstrate to Customer’s satisfaction that Xtype has taken such measures, unless applicable law prevents it from returning or destroying all or part of Personal Data. Xtype shall preserve the confidentiality of any retained Personal Data and will only actively process such Personal Data after such date as required by applicable law and in accordance with this Addendum.
- AUDIT RIGHTS
- Xtype shall provide Customer on request information necessary to demonstrate compliance with this Addendum and the processing of the Personal Data.
- To the extent required under Data Protection Law, Customer may additionally request, subject to the confidentiality obligations set forth in the Agreement, an on-site audit of Xtype’s procedures relevant to the protection of Personal Data, or if Customer is not a competitor of Xtype, a copy of a Subprocessor’s then-current certification and audit, by notifying Xtype in writing. Before the commencement of any such on-site audit, Xtype and Customer shall mutually agree upon the scope, timing, and duration of the audit. Customer shall reimburse Xtype for any time expended for any such on-site audit at Xtype’s then-current rates, which shall be reasonable taking into account the resources to be expended by Xtype. Customer shall promptly notify Xtype with information regarding any noncompliance discovered during the course of an audit, and Xtype shall use commercially reasonable efforts to address any confirmed non-compliance. Information and audit rights of the Customer only arise under this section 10 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
- RESTRICTED TRANSFERS
- Xtype may transfer Personal Data from the EEA to countries outside the EEA only if such transfer is required in connection with the Services and at least one of the following safeguards is implemented: (a) the transfer is subject to the terms set out in the Standard Contractual Clauses, (b) the transferee is located in a country that has been deemed to provide an adequate level of protection for personal data by the European Commission.
- If Customer transfers Personal Data from the EEA to an Xtype entity located in a country which does not ensure an adequate level of data protection within the meaning of applicable Data Protection Laws, the terms of the Standard Contractual Clauses shall apply to Customer as the “data exporter” and Xtype as the “data importer”, to the extent such transfers are subject to such applicable Data Protection Laws.
- GENERAL TERMS
- Nothing in this Addendum reduces Xtype’s obligations under the Agreement in relation to the protection of Personal Data or permits Xtype to process (or permit the processing of) Personal Data in a manner which is prohibited by the Agreement. In the event of any conflict or inconsistency between this Addendum and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail. Any claims brought under this Addendum will be subject to the same terms and conditions, including any exclusions and limitations of liability, set out in the Agreement, except that any limitations of liability will not apply with respect to any data subject rights under the Standard Contractual Clauses. If any provision of this Addendum is determined to be unenforceable by a court of competent jurisdiction, that provision will be severed and the remainder of terms will remain in full effect.