
Data Processing Addendum

This Data Processing Addendum along with the exhibits thereto (collectively referred to as “DPA”) supplements the agreement signed by and between STACKONE TECHNOLOGIES LIMITED, a company incorporated in England and Wales under company number 14684360 and having its registered offices at Camburgh House, 27 New Dover Road, Canterbury, Kent, United Kingdom, CT1 3DN (“StackOne”) and the Customer, as defined in that agreement (the “Agreement”), and is incorporated into the Agreement by reference.

This DPA contains terms to ensure that adequate safeguards are in place with respect to the protection of Personal Data to be processed by StackOne in the delivery of the Service for the Purpose pursuant to the Agreement, as required by the Applicable Data Protection Laws. Any terms not defined in this DPA shall have the meaning set forth in the Agreement. Except as modified below, this DPA automatically expires upon deletion of all Personal Data as described herein. StackOne reserves the right to modify or update this DPA in its sole discretion. Customer’s acceptance of such modifications and/or updates shall be indicated by Customer’s continued use of the Service and shall be effective immediately.

THIS DATA PROCESSING ADDENDUM will take effect as of the Effective Date of the Agreement, between Customer and StackOne.

1. Definitions

1.1. The following expressions are used in this DPA:

(a) "Non-Adequate Country" means a country or territory that is not recognized under the GDPR or the UK GDPR, as applicable, as providing adequate protection for personal data;

(b) “CCPA” means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder;

(c) "Data Protection Laws" means any applicable local, national or international laws, rules and regulations related to privacy, security, data protection, and/or the processing of Personal Information, as amended, replaced or superseded from time to time, including but not limited to EU/UK Data Protection Laws and United States Data Protection Laws;

(d) “EU/UK Data Protection Laws” means the GDPR and the UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts or consolidates any of them;

(e) "GDPR" means the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679);

(f) "Personal Data" means all data which is defined and regulated as ‘Personal Data’ in the EU Data Protection Laws and that StackOne processes on behalf of Customer in connection with the Service;

(g) "UK GDPR" means the United Kingdom General Data Protection Regulation;

(h) "United States Data Protection Laws" means any United States’ state or federal data protection law as such law may be amended, replaced, or consolidated from time to time, including but not limited to the CCPA;

(i) "processing", "data controller", "data subject", "supervisory authority" and "data processor" will have the meanings ascribed to them in the UK GDPR.

2. Status of the parties

2.1 The Agreement(s) determines the subject matter and the duration of StackOne’s processing of Personal Data, as well as the nature and purpose of any collection, use and other processing of Personal Data (collectively, the “Particulars”) and the rights and obligations of Customer. Appendix 1 to the Standard Contractual Clauses specifies the Particulars and will apply to all processing of Personal Data subject to this DPA, regardless of whether such processing is subject to Section 8 of this DPA.

2.2 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that (a) for Customer Personal Data, Customer is the Data Controller and StackOne is the Data Processor and accordingly, (b) for End Customer Personal Data, End Customer is the Data Controller, Customer is the Data Processor and StackOne is the Data Processor or subprocessor. For the avoidance of doubt Partner(s) will be a Data Processor of End Customer Personal Data.

2.3 StackOne agrees that it will process all Personal Data in accordance with its obligations pursuant to this DPA.

2.4 Each of StackOne and Customer will notify each other of one or more individuals within its organisation authorised to respond from time to time to enquiries regarding Personal Data and each of StackOne and Customer will deal with such enquiries promptly.

3. General Obligations Relating to the Processing of Personal Data

3.1 As between the parties, Customer is solely responsible for obtaining, and represents and covenants that it has obtained and will obtain, all necessary consents, licences and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of any Personal Data as part of the Services (the “Customer Legal Basis Assurance”). Each of Customer and StackOne warrant in relation to Personal Data that it will comply with (and will ensure that any of its staff and/or subcontractors comply with) the Data Protection Laws, provided, however, that StackOne’s warranty is subject to Customer Legal Basis Assurance.

3.2 To the extent that it provides its Personal Data to StackOne, Customer is solely responsible for ensuring the accuracy, quality, and legality of Personal Data Processed by StackOne, including the means by which the Personal Data was obtained.

3.3 Customer undertakes that all instructions for the Processing of Personal Data under the Agreement or this DPA or as otherwise agreed will comply with the Data Protection Laws, and that such instructions will not cause StackOne to be in breach of any Data Protection Laws.

3.4 Each of Customer and StackOne agree that it shall notify the other immediately if it determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.

3.5 With respect to all Personal Data, StackOne agrees that it will:

(a) only process the Personal Data in order to provide the Services and will act only in accordance with this Agreement and Customer's written instructions. The terms of the Agreement and this DPA constitute the Customer’s written instructions to StackOne in relation to the processing of personal data. For the avoidance of doubt, the Customer can issue further instructions for processing at any time subject to the approval of StackOne;

(b) in the unlikely event that applicable law requires StackOne to process Personal Data other than pursuant to Customer's instructions, immediately notify Customer (unless prohibited from so doing by applicable law);

(c) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular, protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data in StackOne’s possession or under its control. Such measures include the security measures specified in StackOne’s information security policies which can be accessed at trust.stackone.com;

(d) ensure that its personnel have access to such Personal Data only as necessary to perform the Service in accordance with the Agreement and this DPA, and that any persons whom it authorises to have access to the Personal Data are under obligations of confidentiality and will adhere with the Agreement and this DPA;

(e) without delay after becoming aware and in any case within forty-eight (48) hours, notify Customer of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data in StackOne’s possession or under its control (including when transmitted, stored or otherwise processed by StackOne) (a "Security Breach");

(f) taking into account the nature of the processing, promptly provide Customer with reasonable cooperation and assistance in respect of the Security Breach and information in StackOne's possession concerning the Security Breach, including, to the extent known to StackOne, the following: (i) the nature of the Security Breach; (ii) the categories and approximate number of data subjects concerned; (iii) the categories and approximate number of Personal Data records concerned; (iv) the likely consequences of the Security Breach; (v) a summary of the unauthorised recipients of the Personal Data; and (vi) the measures taken or proposed to be taken by StackOne to address the Security Breach, including, where appropriate, measures to mitigate its possible adverse effects;

(g) insofar as a Security Breach relates to Customer, not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Security Breach or disclosure request which directly or indirectly identifies Customer (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Customer’s prior written approval, unless, and solely to the extent that, StackOne is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by such laws, StackOne shall provide Customer with reasonable prior written notice to give Customer the opportunity to object to such disclosure and, in any case, StackOne shall limit the disclosure to the minimum scope required;

(h) return or delete Customer’s Personal Data within thirty (30) days of termination or expiration of the Term, save where otherwise agreed with the Customer. StackOne shall comply with all reasonable directions provided by Customer with respect to the return or disposal of Personal Data. This requirement shall not apply to the extent StackOne is required by any applicable law to retain some or all of the Personal Data, in which event StackOne shall isolate and protect the Personal Data from any further processing except to the extent required by such law.

(i) assist Customer when reasonably requested in relation to Customer’s obligations under Data Protection Laws with respect to: (i) data protection impact assessments (as such term is defined in the applicable Data Protection Laws); (ii) subject access requests; (iii) notifications to the supervisory authority/regulators under applicable Data Protection Laws and/or communications to data subjects by Customer in response to any Security Breach; and (iv) Customer’s compliance with its obligations under applicable Data Protection Laws with respect to the security of processing.

(j) assist Customer by appropriate technical and organizational measures, insofar as this is possible, to respond to data subjects’ requests to exercise their rights under applicable Data Protection Laws. StackOne will notify Customer of requests received by StackOne, unless otherwise required by applicable law. StackOne will not make changes to such Personal Data except as agreed in writing with Customer.

4. Obligations Relating to the Processing of Personal Data subject to EU/UK laws

4.1 With respect to all Personal Data subject to EU/UK Data Protection Laws, StackOne agrees that it will:

(a) as soon as possible after becoming aware, inform Customer if, in StackOne's opinion, any instructions provided by Customer under Clause 3.1(a) infringe the GDPR or UK GDPR;

(b) maintain records of its processing activities as required by EU/UK Data Protection Laws and to demonstrate its compliance with this DPA and make such records available to the applicable supervisory authority and/or the Customer upon request.

5. Obligations Relating to the Processing of Personal Data subject to United States Data Protection Laws

5.1 With respect to all Personal Data subject to United States Data Protection Laws, StackOne agrees that it will:

(a) not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (i) monetary or other valuable consideration; or (ii) cross-context behavioral advertising for the benefit of a business in which no money is exchanged.

(b) not retain, use, or disclose Personal Data for any purpose (including any commercial purpose) other than for the specific purpose of StackOne’s provision of Services and in accordance with this DPA.

(c) not combine Personal Data with personal data it receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject.

5.2 StackOne agrees that the terms "Aggregate Consumer Information", “Service Provider”, “Approved Business Purpose” and "De-identified" will have the meanings ascribed to them in Cal. Civ. Code §1798.140, as that code section may be amended or replaced from time to time, and that StackOne will process such Personal Data accordingly.

5.3 In respect of the parties' rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that StackOne is a Service Provider.

5.4 Notwithstanding the foregoing, and for the purpose of addressing other prospective data protection laws, StackOne shall not process any Personal Data (regardless of where that individual resides) other than for (a) the specific purpose of StackOne’s performance of its Services or (b) an Approved Business Purpose.

5.5 Subject to StackOne’s compliance with this DPA, Customer agrees to make Personal Data of Customer and, where relevant, End Customer available to StackOne for the limited and specified purpose of providing the Services. Customer reserves the right to take reasonable and appropriate steps to help ensure that StackOne processes Personal Data in a manner consistent with Customer’s obligations under United States Data Protection Laws, including without limitation the right, upon notice, to stop and remediate any unauthorized processing of Personal Data.

6. Sub-processing

6.1 Customer authorises StackOne to appoint sub-processors in accordance with this Section 6. StackOne publishes a list of its sub-processors at trust.stackone.com (“Sub-processor List”).

6.2 When any new sub-processor is engaged, StackOne will add them to the Sub-processor List. StackOne will give Customer prior written notice of any changes to the Sub-processor List, including full details of the processing to be undertaken by that respective Sub-processor, giving Customer fourteen (14) days to object upon reasonable data protection grounds by providing written notice of such objection to StackOne.

6.3 If Customer objects to the authorisation of any future sub-processor on reasonable data protection grounds within fourteen (14) days of notification of the proposed authorisation, StackOne will use its reasonable efforts to provide an alternative or workaround to avoid processing of Personal Data by the objected-to sub-processor to the satisfaction of Customer within a reasonable period of time.

6.4 StackOne will require its sub-processors to comply with terms that provide substantially the same protection of Personal Data as those imposed on StackOne in the Agreement and this DPA. StackOne will be liable for all the acts and omissions of its sub-processors in relation to the Agreement and this DPA.

7. Audit and records

7.1 StackOne will, in accordance with applicable Data Protection Laws, make available to Customer such relevant information in StackOne's possession or control as Customer may reasonably request with a view to demonstrating StackOne's compliance with the obligations of data processors under applicable Data Protection Law in relation to its processing of Personal Data.

7.2 StackOne shall allow for and contribute to audits, including inspections, by Customer, or a third-party auditor mandated by Customer, in order to assess StackOne’s compliance with this DPA and Data Protection Laws. Such audits may be undertaken no more than once in a twelve (12) month period by providing StackOne with reasonable notice. Customer shall reimburse StackOne for any time expended for any such on-site audit at StackOne’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and StackOne shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible.

8. Data transfers

8.1 Customer will ensure that Customer and Customer’s authorised users are entitled to transfer the Personal Data, including Customer Personal Data and End Customer Personal Data, to StackOne so that StackOne, and its sub-processors, may lawfully process the Personal Data in accordance with this DPA.

8.2 Customer has the option to select the jurisdiction in which the End Customer Personal Data will be processed including within the EEA and the United States. The Customer acknowledges that their choice may involve the use of sub-processors located in countries outside the UK and EEA.

8.3 Insofar as the Agreement involves the transfer of Personal Data from the EEA to a Non-Adequate Country, the parties agree to comply with the Standard Contractual Clauses – Module 2, incorporated by reference in Exhibit 1.

8.4 Insofar as the Agreement involves transfers of Personal Data outside of the United Kingdom (UK) and/or governed by the UK DPA, the International Data Transfer Addendum (IDTA) to the EU Commission Standard Contractual Clauses (Version B1.0) issued by the UK Information Commissioner for Parties making Restricted Transfers, as amended, updated, or superseded from time to time, will apply as stated in Exhibit 2.

8.5 In the event that the European Commission, any applicable data protection authority, or other body with competent authority and jurisdiction and/or the analogous competent authority in the EEA or United Kingdom revises and thereafter publishes new Standard Contractual Clauses or as otherwise required or implemented by such authority, such new Standard Contractual Clauses will supersede and replace the existing Standard Contractual Clauses. If such revision or publication requires that this DPA be adjusted to accommodate new or changing requirements, the parties agree to promptly negotiate in good faith to amend this DPA.

8.6 Except as covered or permitted by the Standard Contractual Clauses, applicable law, or a country in respect of which a valid adequacy decision has been issued by the European Commission, as the case may be, StackOne shall not process Personal Data outside the European Economic Area or the United Kingdom without the express written consent of the Customer.

9. General

9.1 This DPA is without prejudice to the rights and obligations of the parties under the Agreement which will continue to have full force and effect. This DPA is incorporated into and made a part of the Agreement by this reference. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA will prevail so far as the subject matter concerns the processing of Personal Data.

9.2 Customer and StackOne each agree that the governing law and venue provisions in the Agreement apply to this DPA.

Exhibit 1 - Standard Contractual Clauses - Controller to Processor

The parties hereby agree that they will comply with the EU Standard Contractual Clauses: Module 2, which are incorporated herein by reference, a copy of which can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en. The parties agree that the following terms apply:

1. Clause 7: The parties have chosen not to include Clause 7.

2. Clause 9(a): The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least fourteen (14) days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

3. Clause 11(a): The parties do not incorporate the optional language allowing a data subject to lodge a complaint with an independent dispute resolution body at no cost to the data subject.

4. Clause 13(a):

[Where the data exporter is established in an EU Member State:] The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

[Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679:] The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

5. Clause 17: These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of the Republic of Ireland.

6. Clause 18(b): The parties agree that those shall be the courts of the Republic of Ireland.

ANNEX I

A. LIST OF PARTIES

1. Data exporter(s): Customer

Signature and date: as per the Agreement

Role (controller/processor): Controller and/or Processor

2. Data importer(s): StackOne Technologies Limited

Signature and date: Refer to the Agreement

Role (controller/processor): Processor and/or subprocessor

B. DESCRIPTION OF TRANSFER

Data subjects: The Personal Data transferred concerns the following categories of data subjects:

Customers’ and End Customers’ end users including, but not limited to: employees, contractors, vendors, customers, prospects.

Categories of Personal Data: Any Personal Data that the Data Controller selects and instructs the Data Processor, or subprocessor to process via the Service including, but not limited to: name, email, phone number, address, account information, financial information, health information, gender, marital status, work history.

Special categories of data (if appropriate):

Sensitive data transferred to Data Processor by a Data Controller, or on its behalf, as permitted in this Agreement for the provision of the Service (e.g., religion, medical information, racial or ethnic origin, social security number etc.)

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

On a continuous basis.

Nature of the processing:

The provision of the Service as described in the Agreement(s).

Purpose(s) of the data transfer and further processing:

The provision of the Service as described in the Agreement(s).

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

For the duration of the relevant Agreement(s) and Order Form(s).

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The same as for the Data Importer.

Processing operations: As described in the Agreement(s)

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies in accordance with Clause 13.

Where the data exporter is established in an EU Member State: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established.

Where the data exporter is not established in an EU Member State, it appoints the following representative supervisory authority pursuant to Article 27(1) of Regulation (EU) 2016/679:

Data Protection Commission

21 Fitzwilliam Square South

Dublin 2

D02 RD28

Ireland

ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

The Data Importer currently abides by the security standards as set out in its security policies which can be found here: trust.stackone.com. The Data Importer may update or modify these security standards from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the applicable Services Agreement.

ANNEX III – AMENDMENTS TO ENABLE THE TRANSFER OF DATA FROM SWITZERLAND TO A THIRD COUNTRY

Pursuant to the FDPIC’s guidance titled “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” dated 27 August 2021, the parties are adopting the GDPR standard for all data transfers under the FADP and under the GDPR. To the extent personal data is transferred outside of Switzerland to a country with an inadequate level of data protection, the following amendments to the Standard Contractual Clauses provided for in this Schedule 2 shall apply:

1. Annex I.C: The competent supervisory authority shall be the FDPIC, insofar as the data transfer is governed by the FADP; and shall be the EU authority referenced in Annex I.C insofar as the data transfer is governed by the GDPR.

2. The term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c).

3. The Standard Contractual Clauses shall also protect the data of legal entities until the entry into force of the revised FADP.

Exhibit 2 - IDTA

This Exhibit 2 is intended to provide appropriate safeguards for the purposes of transfers of Personal Data to a third country or an international organisation in reliance on Articles 46 of the UK GDPR and with respect to data transfers from controllers to processors and/or processors to processors.

1. Table 1: Parties

a. The Start Date is the Effective Date of the Agreement.

b. The Parties are set forth in Annex I.A of the EU Commission SCCs to which this IDTA is appended.

2. Table 2: Selected SCCs, Modules and Selected Clauses

a. Addendum EU SCCs: The version of the Approved EU SCCs to which this IDTA is appended, including the Appendix Information, applies.

3. Table 3: Appendix Information

a. Annex 1A: List of Parties: The Parties are set forth in Annex I.A of the EU Commission SCCs to which this IDTA is appended.

b. Annex 1B: Description of Transfer: The Description of the Transfer is set forth in Annex I.B of the EU Commission SCCs to which this IDTA is appended.

c. Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: The technical and organisational measures are set forth in Annex II of the EU Commission SCCs to which this IDTA is appended.

d. Annex III: List of Sub-processors: Option 2 - General Authorisation

4. Table 4: Ending this Addendum when the Approved Addendum Changes:

a. Neither party may end this IDTA as set out in Section 19.
