Data Processing Addendum
This Data Processing Agreement (“Agreement”) forms part of the Gather Terms of Service between
You and/or the other person on whose behalf you are acting acts as a Data Controller. (the “Client”)
SAAS ASSEMBLY LIMITED, (the “Data Processor”)
(together the “Parties”)
WHEREAS
(A) The Client acts as a Data Controller.
(B) The Client wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 “Agreement” means this Data Processing Agreement;
1.1.2 “Client Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of the Client pursuant to or in connection with the Gather Terms of Service;
1.1.3 “Contracted Processor” means a Subprocessor;
1.1.4 “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
1.1.5 “EEA” means the European Economic Area;
1.1.6 “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 “GDPR” means EU General Data Protection Regulation 2016/679;
1.1.8 “Data Transfer” means:
1.1.8.1 a transfer of Client Personal Data from the Client to a Contracted Processor; or
1.1.8.2 an onward transfer of Client Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
1.1.9 “Services” means the service having the core functionality described on the Website, as the Website is updated from time to time or as outlined in the Gather Terms of Service.
1.1.10 “Subprocessor” means any person appointed by or on behalf of the Data Processor to process Personal Data on behalf of the Client in connection with the Agreement.
1.2 The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Client Personal Data
2.1 The Data Processor shall:
2.1.1 comply with all applicable Data Protection Laws in the Processing of Client Personal Data; and
2.1.2 not Process Client Personal Data other than on the relevant Client’s documented instructions.
2.2 The Client instructs the Data Processor to process Client Personal Data inline with its Services. This personal data includes but is not limited to:
Name
Email address
Address
IP address
Telephone number
Order information (e.g. details concerning products or services purchased and time of purchase but excluding payment method details)
3. Data Processor Personnel
The Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Client Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Client Personal Data, as strictly necessary for the purposes of the Gather Terms of Service, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall in relation to the Client Personal Data implement appropriate technical and organisational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Data Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1 Parties agree that the Data Processor may appoint (or disclose any Client Personal Data to) the following Subprocessors as infrastructure providers that are necessary for the delivery of the Services:
Name |
Subprocessor Services Description |
Entity Country |
Heroku.com (Subsidiary of Salesforce.com) |
Cloud application platform |
USA |
Amazon web services Inc |
Cloud services provider |
USA |
Google Inc |
Cloud services provider and analytics provider |
USA |
Rollbar |
Application error notification cloud provider |
USA |
Sentry.io |
Application error notification cloud provider |
USA |
Mailgun.com |
Email delivery cloud provider |
USA |
Papertrail.com |
Application logging cloud provider |
USA |
Intercom.com |
Customer support and communications cloud provider |
USA |
NewRelic.com |
Application performance cloud provider |
USA |
Stripe.com |
Payments processor cloud provider |
USA |
Trevor.io |
Data querying cloud provider |
UK |
Segment.com |
Event based analytics cloud provider |
USA |
6. Data Subject Rights
6.1 Taking into account the nature of the Processing, the Data Processor shall assist the Client by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfillment of the Client obligations, as reasonably understood by Client, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 The Data Processor shall:
6.2.1 promptly notify Client if it receives a request from a Data Subject under any Data Protection Law in respect of Client Personal Data; and
6.2.2 ensure that it does not respond to that request except on the documented instructions of Client or as required by Applicable Laws to which the Data Processor is subject, in which case the Data Processor shall to the extent permitted by Applicable Laws inform Client of that legal requirement before the Contracted Processor responds to the request.
7. Personal Data Breach
7.1 The Data Processor shall notify Client without undue delay upon the Data Processor becoming aware of a Personal Data Breach affecting Client Personal Data, providing Client with sufficient information to allow the Client to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 The Data Processor shall cooperate with the Client and take reasonable commercial steps as are directed by Client to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Data Protection Impact Assessment and Prior Consultation
The Data Processor shall provide reasonable assistance to the Client with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Client reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Client Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Client Personal Data
The Data Processor shall promptly and in any event within 28 business days of the date of cessation of any Services involving the Processing of Client Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of those Client Personal Data.
10. Audit Rights
10.1 Subject to this section 10, The Data Processor shall make available to the Client on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data by the Contracted Processors. Such audits shall be conducted at the Client's expense, and the Client shall bear all costs associated with the audit, including any fees charged by the auditor, unless otherwise agreed upon in writing between the Parties. Any fees charged by Data Processor to Client shall reasonably account for the Data Processor's costs in facilitating the audits, which may include but are not limited to, the provision of necessary resources, personnel, and documentation. The specific details regarding the allocation of costs and the reasonableness of expenses shall be agreed upon in writing between the Parties prior to the commencement of the audit.
10.2 Information and audit rights of the Client only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.
11. Data Sharing
For the avoidance of doubt the Data Processor does not participate in Data Sales.
12. General Terms
12.1 Notices. All notices and communications given under this Agreement must be in writing and will be delivered by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.
13. Governing Law and Jurisdiction
13.1 This Agreement is governed by the laws of New Zealand.
13.2 Any dispute arising in connection with this Agreement, will be resolved in the same manner as if it were a dispute under the Gather Terms of Service.