Data Processing Addendum
This Data Processing Addendum (this “Addendum”) is between section.io Incorporated (“Section”) acting on its own behalf and as agent for each Section Affiliate and the business entity or person identified on the applicable Order Form (as hereinafter defined) (“Customer”); and is incorporated into the customer agreement that describes the provision of Services (“Agreement”) between Section and Customer. This Addendum will become effective on the earlier of the date Customer first uses or accesses the Services, or accepts this Addendum or the Agreement or any online registration, quote, Order Form (as such term is defined in the Agreement), or other order processed on or through the Services (each an “Order Form”), which Agreement or Order Form incorporates this Addendum by reference.
The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.
Should you require an executed and signed version of this Addendum, please email firstname.lastname@example.org.
The parties hereby agree that the terms and conditions set out below shall be added as an addendum to the Agreement. The following obligations shall only apply to the extent required by Data Protection Laws with regard to the relevant Customer Personal Data, if applicable.
1.1. “Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with either Customer or Section respectively, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
1.2. “CCPA” means the California Consumer Privacy Act of 2018, including any regulations promulgated thereunder.
1.3. “Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
1.4. “Customer Personal Data” means Personal Data submitted to the Services by Customer or its Users that is covered by Data Protection Laws.
1.5. “Data Protection Laws” means, with respect to a party, the data privacy and security laws applicable to such party’s Processing of Customer Personal Data under the Agreement including, in each case to the extent applicable, (a) European Data Protection Laws; and (b) the CCPA.
1.6. “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data.
1.7. “European Data Protection Laws” means, in each case to the extent applicable to the relevant Customer Personal Data or Processing thereof under the Agreement (a) the EU General Data Protection Regulation 2016/679 (“GDPR”); (b) the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”), the Data Protection Act of 2018, and all other laws relating to data protection, the processing of personal data, privacy, or electronic communications in force from time to time in the United Kingdom (collectively, “UK Data Protection Laws”); (c) the Swiss Federal Act on Data Protection (“FDPA”); and (d) any other applicable national rule and legislation on the protection of Personal Data in the European Economic Area, United Kingdom, or Switzerland that is already in force or that will come into force during the term of this Addendum.
1.8. “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household, including, but not limited to, any information that is defined as “personally identifiable information,” “personal information,” “personal data,” or other similar term under Data Protection Laws.
1.9. “Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction, or disclosure by transmission, dissemination, or otherwise making available.
1.10. “Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
1.11. “Security Incident” means a breach of Section’s security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data in Section’s possession, custody, or control. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, or other network attacks on firewalls or networked systems.
1.12. “Services” means the services that Section has agreed to provide to Customer under the Agreement.
1.13. “Standard Contractual Clauses” means the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Transfer controller to processor or Module Three: Transfer processor to processor, as applicable) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), as amended from time to time. The parties agree that the details of Exhibits 1 and 2 shall be used to complete the Annexes of the Standard Contractual Clauses.
1.14. “Subprocessor” means any Processor appointed by Section to Process Customer Personal Data on behalf of Customer under the Agreement.
1.15. “Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
1.16. “User” has the meaning given in the Agreement or, if not defined in the Agreement, means any person authorized by Customer to access or use the Services.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1. Roles of the Parties; Compliance. The parties acknowledge and agree that, as between the parties, with regard to the Processing of Customer Personal Data under the Agreement (a) Customer is a Controller; and (b) Section is a Processor of Customer Personal Data. Each party will comply with the obligations applicable to it in such role under Data Protection Laws with respect to the Processing of Customer Personal Data.
2.2. Customer Instructions. Section will Process Customer Personal Data only (a) in accordance with Customer’s documented instructions, including the instructions set forth in the Agreement (including any Processing reasonably necessary and proportionate to achieve the business purpose outlined in the Agreement) and this Addendum, and any instructions initiated by Users via the Services; (b) as necessary to provide the Services and prevent or address technical problems with the Services or violations of the Agreement or this Addendum; or (c) as required by applicable law. As part of the Services, Section maintains a growing global network of points of presence (“PoPs”). Section’s PoPs will process requests and transmit cache content (including Personal Data) in accordance with Customer’s configurations of the Services. Customer Personal Data will automatically transmit across national borders in response to Customer’s clients’ requests and Customer’s configurations. Customer’s instructions, including, without limitation, its configurations and its clients’ requests, shall comply with Data Protection Laws. Customer shall be responsible for: (i) giving adequate notice and making all appropriate disclosures to Data Subjects regarding Customer’s use and disclosure and Section’s Processing of Customer Personal Data; and (ii) obtaining all necessary rights, and, where applicable, all appropriate and valid consents to disclose such Customer Personal Data to Section to permit the Processing of such Customer Personal Data by Section for the purposes of performing Section’s obligations under the Agreement or as may be required by Data Protection Laws. Customer shall notify Section of any changes in, or revocation of, the permission to use, disclose, or otherwise process Customer Personal Data that would impact Section’s ability to comply with the Agreement or Data Protection Laws.
2.3. Details of Processing. The parties acknowledge and agree that the purpose of the Processing of Customer Personal Data, the types of Customer Personal Data Processed, the categories of Data Subjects, and other details regarding the Processing of Customer Personal Data are as set forth in Exhibit 1.
2.4. Processing Subject to the CCPA. Section shall not (a) sell (as defined in the CCPA) any Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services and as otherwise permitted by the CCPA, including retaining, using, or disclosing Customer Personal Data for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (c) retain, use, or disclose Customer Personal Data outside of the direct business relationship between Section and Customer. Section hereby certifies that it understands its obligations under this Section and will comply with them. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Section’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
Section shall take reasonable steps to ensure that individuals that process Customer Personal Data are subject to obligations of confidentiality or are under an appropriate statutory obligation of confidentiality.
4.1. Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Section shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with the security standards in Exhibit 2 and those specified at https://www.section.io/legal-stuff/security-statement/, as updated from time to time (the “Security Measures”). Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices, provided that the modifications will not materially decrease Section’s security obligations hereunder.
4.2. Security Incidents. Upon becoming aware of a confirmed Security Incident, Section will (a) notify Customer of the Security Incident without undue delay after becoming aware of the Security Incident and (b) take reasonable steps to identify the cause of such Security Incident, minimize harm, and prevent a recurrence. Section will take reasonable steps to provide Customer with information available to Section that Customer may reasonably require to comply with its obligations as Controller to notify impacted Data Subjects or Supervisory Authorities. Section’s notification of or response to a Security Incident under this Section will not be construed as an acknowledgement by Section of any fault or liability with respect to the Security Incident.
4.3. Customer Responsibilities. Customer agrees that, without limitation of Section’s obligations under this Section, Customer is solely responsible for its and its Users’ use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data; and (b) securing the account authentication credentials, systems, and devices Customer uses to access the Services. Customer is responsible for reviewing the information made available by Section relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws.
Subject to this Section, Customer generally authorizes Section to engage Subprocessors as Section considers reasonably appropriate for the Processing of Customer Personal Data. A list of Section’s Subprocessors, including their functions and locations, is available upon Customer’s request and may be updated by Section from time to time in accordance with this Section. Section will notify Customer of the addition or replacement of any Subprocessor at least 10 days prior to such engagement. If Customer objects in writing to such changes within 10 days of being informed thereof on reasonable data protection grounds, Section will use commercially reasonable efforts to (a) work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor; or (b) take corrective steps requested by Customer in its objection and proceed to use the new Subprocessor. Where such change or corrective steps cannot be made within a reasonable period of time, which shall not exceed 30 days of Section’s receipt of Customer’s notice, Customer may, as its sole and exclusive remedy available under this Section, terminate the relevant portion of the Services which require the use of the proposed Subprocessor by providing written notice to Section. When engaging any Subprocessor, Section will enter into a written contract with such Subprocessor containing data protection obligations not less protective than those in this Addendum. Section shall be liable for the acts and omissions of the Subprocessor to the extent Section would be liable under the Agreement.
6. DATA SUBJECT RIGHTS
Section will, taking into account the nature of the Processing of Customer Personal Data and the functionality of the Services, provide Customer with self-service functionality through the Services or other reasonable assistance as necessary for Customer to perform its obligations under Data Protection Laws to fulfill requests by Data Subjects to exercise their rights under Data Protection Laws. Section reserves the right to charge Customer on a time and materials basis in the event that Section considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming. If Section receives a request from a Data Subject under any Data Protection Laws with respect to Customer Personal Data, Section will advise the Data Subject to submit the request to Customer and Customer will be responsible for responding to any such request.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
In the event that Customer considers that the Processing of Customer Personal Data requires a privacy impact assessment to be undertaken or requires assistance with any prior consultations to any Supervisory Authority, following written request from Customer, Section shall use reasonable commercial efforts to provide relevant information and assistance to Customer to fulfil such request, taking into account the nature of Section’s Processing of Customer Personal Data and the information available to Section. Section reserves the right to charge Customer on a time and materials basis in the event that Section considers, in its reasonable discretion, that such assistance is onerous, complex, frequent, or time consuming.
8. RELEVANT RECORDS AND AUDIT RIGHTS
8.1. Review of Information and Records. Section will make available to Customer all information reasonably necessary to demonstrate compliance with the obligations set out in this Addendum and allow for and contribute to reviews of relevant records maintained by Section. Such information will be made available to Customer upon written request no more than annually and subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
8.2. Audits. If Customer requires information for its compliance with Data Protection Laws in addition to the information provided under Section 8.1, at Customer’s sole expense and to the extent Customer is unable to access the additional information on its own, Section will allow for and cooperate with Customer or an auditor mandated by Customer (“Mandated Auditor”), provided that (a) Customer provides Section with reasonable advance written notice including the identity of any Mandated Auditor, which shall not be a competitor of Section, and the anticipated date and scope of the audit; (b) Section approves the Mandated Auditor by notice to Customer, with such approval not to be unreasonably withheld; (c) the audit is conducted during normal business hours and in a manner that does not have any adverse impact on Section’s normal business operations; (d) Customer or any Mandated Auditor complies with Section’s standard safety, confidentiality, and security procedures in conducting any such audits; (e) any records, data, or information accessed by Customer or any Mandated Auditor in the performance of any such audit, or any results of any such audit, will be deemed to be the Confidential Information of Section; (f) Customer may initiate such audit not more than once per calendar year unless otherwise required by a Supervisory Authority; and (g) all such audits shall be at Customer’s sole expense.
8.3. Results of Audits. Customer will promptly notify Section of any non-compliance discovered during the course of an audit and provide Section any audit reports generated in connection with any audit under this Section 8, unless prohibited by Data Protection Laws or otherwise instructed by a Supervisory Authority. Customer may use the audit reports only for the purposes of meeting Customer’s regulatory audit requirements and confirming that Section’s Processing of Customer Personal Data complies with this Addendum.
9. DATA TRANSFERS
9.1. Data Processing Facilities. Section may, subject to Section 9.2, Process Customer Personal Data in the United States or anywhere Section or its Subprocessors maintain facilities. Subject to Section’s obligations in this Section, Customer is responsible for ensuring that its use of the Services complies with any cross-border data transfer restrictions of Data Protection Laws.
9.2. Standard Contractual Clauses. If Customer transfers Customer Personal Data to Section that is subject to European Data Protection Laws, and such transfer is not subject to an alternative adequate transfer mechanism under European Data Protection Laws or otherwise exempt from cross-border transfer restrictions, then Customer (as “data exporter”) and Section (as “data importer”) agree that the applicable terms of the Standard Contractual Clauses shall apply to and govern such transfer and are hereby incorporated herein by reference. The Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under European Data Protection Laws in the absence of such Standard Contractual Clauses on any other basis. In accordance with Clause 2 of the Standard Contractual Clauses, the parties wish to supplement the Standard Contractual Clauses with business-related clauses, which shall neither be interpreted nor applied in such a way as to contradict the Standard Contractual Clauses (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Section and Customer therefore agree that the applicable terms of the Agreement and this Addendum shall apply if, and to the extent that, they are permitted under the Standard Contractual Clauses, including, without limitation, the following:
a) Instructions. The instructions described in Clause 8.1(a) of the Standard Contractual Clauses are as set forth in Section 2.2 of this Addendum.
b) Copies of Clauses. In the event a Data Subject requests a copy of the Standard Contractual Clauses or this Addendum in accordance with Clause 8.3 of the Standard Contractual Clauses, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
c) Certification of Deletion. Certification of deletion of Customer Personal Data under Clause 8.5 and Clause 16(d) of the Standard Contractual Clauses shall be provided upon the written request of data exporter.
d) Onward Transfer Implementation. Data importer shall be deemed in compliance with Clause 8.8 of the Standard Contractual Clauses to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
e) Audits and Certifications. Any information requests or audits provided for in Clause 8.9 of the Standard Contractual Clauses shall be fulfilled in accordance with Section 8 of this Addendum.
f) Engagement of New Subprocessors. Pursuant to Clause 9(a) Option 2 of the Standard Contractual Clauses, data exporter acknowledges and expressly agrees that data importer may engage new Subprocessors as described in Section 5 of this Addendum. With respect to Clause 9 of the Standard Contractual Clauses, the parties select the time period set forth in Section 5 of this Addendum.
g) Liability. The relevant Sections of the Agreement which govern indemnification and limitation of liability shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the Standard Contractual Clauses.
h) Supervisory Authority. For purposes of Clause 13 of the Standard Contractual Clauses, the parties agree that the supervisory authority shall be the supervisory authority identified in Exhibit 1, unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority.
i) Governing Law. With respect to Clause 17 of the Standard Contractual Clauses, the parties select the law of the Netherlands.
j) Choice of Forum and Jurisdiction. With respect to Clause 18 of the Standard Contractual Clauses, the parties agree that any dispute arising from the Standard Contractual Clauses shall be resolved by the courts of the Netherlands.
k) Transfers from the United Kingdom. If Customer transfers Customer Personal Data to Section that is subject to the UK GDPR, this Section shall apply to the Standard Contractual Clauses to the extent that the UK GDPR applies to Customer’s Processing when making that transfer. As used in this Section, “Approved Addendum” means the template addendum issued by the Information Commissioner’s Office of the United Kingdom and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (available at: https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf), as it is revised under Section 18 of such addendum. The parties acknowledge that the information required to be set forth in “Part 1: Tables” of the Approved Addendum shall be completed in accordance with this Section 9.2, Exhibit 1, and Exhibit 2 of this Addendum. “Part 2: Mandatory Clauses” of the Approved Addendum, as it is revised under Section 18 of the Approved Addendum, is hereby incorporated herein by reference.
l) Transfers from Switzerland. If Customer transfers Customer Personal Data to Section that is subject to the FDPA, the following modifications shall apply to the Standard Contractual Clauses to the extent that the FDPA applies to Customer’s Processing when making that transfer: (a) the term “member state” as used in the Standard Contractual Clauses shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the Standard Contractual Clauses; (b) the Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised FDPA on or about 1 January 2023; (c) references to the GDPR or other governing law contained in the Standard Contractual Clauses shall also be interpreted to include the FDPA; and (d) the parties agree that the supervisory authority as indicated in Annex I.C of the Standard Contractual Clauses shall be the Swiss Federal Data Protection and Information Commissioner.
10. DELETION OR RETURN OF CUSTOMER PERSONAL DATA
Following termination or expiration of the Agreement, Section shall, at Customer’s option, delete or return Customer Personal Data and all copies to Customer, except as required by applicable law.
11. GENERAL TERMS
This Addendum will, notwithstanding the expiration or termination of the Agreement, remain in effect until, and automatically expire upon, Section’s deletion or return of all Customer Personal Data. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (a) amended as necessary to ensure its validity and enforceability, while preserving the intent of the provision as closely as possible; or, if this is not possible, (b) construed in a manner as if the invalid or unenforceable part had never been contained therein. To the extent of any conflict or inconsistency between this Addendum and the other terms of the Agreement, this Addendum will govern. Unless otherwise expressly stated herein, the parties will provide notices under this Addendum in accordance with the Agreement, provided that all such notices may be sent via email. Any liabilities arising in respect of this Addendum are subject to the limitations of liability under the Agreement. This Addendum will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
EXHIBIT 1: DETAILS OF PROCESSING OF CLIENT PERSONAL DATA
This Exhibit 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR, similar provisions of Data Protection Laws, and the Standard Contractual Clauses. The contact details of the parties shall be as specified in the Agreement and this Addendum.
The categories of Data Subject to whom Customer Personal Data relates
The types of Data Subject shall be as is contemplated or related to the Processing described in any Order Form that makes reference to, is incorporated under, or is subject to the Agreement. This includes, without limitation, the identified or identifiable persons contained in content or requests caused to be submitted to data importer via the Services it offers according to, by, or at the direction of data exporter’s configuration of such Services.
The categories of Customer Personal Data
The types of Customer Personal Data shall be as is contemplated or related to the Processing described in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement. This includes, without limitation, Personal Data relating to identified or identifiable persons contained in content or requests, including internet protocol (IP) addresses, caused to be submitted to data importer via the Services it offers according to, by, or at the direction of data exporter’s configuration of such Services.
The sensitive data included in Customer Personal Data
Sensitive data in Customer Personal Data or Customer’s requests may include personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership.
Frequency of the transfer of Customer Personal Data
Continuous basis for the term of the Agreement.
The nature and purpose of the Processing of Customer Personal Data
The nature and purposes of Processing shall be as is further described in the Agreement or in any Statement of Work or Order Form that makes reference to, is incorporated under, or is subject to the Agreement. Customer Personal Data may be transferred through a third party hosted cloud environment or through SFTP or API protocols. All transfers shall be in accordance with this Addendum.
The subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of Customer Personal Data are set out in the Agreement and this Addendum.
The period for which Customer Personal Data will be retained
As set forth in the Agreement.
The subject matter and duration of the Processing of Customer Personal Data by Subprocessors
The subject matter and duration of the Processing of Customer Personal Data by any Subprocessors is as set out in the Agreement and this Addendum.
The competent supervisory authority
Autoriteit Persoonsgegevens
Bezuidenhoutseweg 30
P.O. Box 93374
2509 AJ Den Haag/The Hague
Tel. +31 70 888 8500
Fax +31 70 888 8501
Website: https://autoriteitpersoonsgegevens.nl/
The above supervisory authority shall apply unless otherwise agreed by the parties as mandated by the established rules of selection of the relevant supervisory authority, or Sections 9.2(k) and 9.2(l) of this Addendum apply.
EXHIBIT 2: SECURITY MEASURES
With respect to Customer Personal Data transferred to or received by Section under the Agreement, Section has implemented, and will maintain, a comprehensive written information security program (“Information Security Program”) that includes appropriate administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Customer Personal Data. In particular, the Information Security Program will include where appropriate or necessary to ensure the protection of Customer Personal Data the safeguards described at https://www.section.io/legal-stuff/security-statement/, as updated from time to time.