xTuple Data Processing Addendum (DPA)
All terms defined or used in the Agreement shall have the same meaning in this Addendum unless otherwise specified.
Whereas Data Controller may provide xTuple, a company located in the United States, with access to personally identifiable information about European Economic Area individuals to act as a Processor in connection with services performed by xTuple for or on behalf of Data Controller pursuant to the Agreement;
Now therefore, for good and valuable consideration, the sufficiency of which is hereby acknowledged, Data Controller and xTuple agree as follows:
SECTION I — DEFINITIONS
1. “Controller” means any person or organization that, alone or jointly with others, determines the purposes and means of the Processing of EU Personal Data.
2. “EU Personal Data” means personally identifiable information about individuals located in the European Union and may include, but is not limited to, the following: (i) categories of data subjects: customers, vendors, or employees; and (ii) types of personal data: names, telephone numbers, or email addresses.
3. “GDPR” means the European Union General Data Protection Regulation.
4. “Process(es)” or “Processing” of EU Personal Data means any operation or set of operations that is performed on EU Personal Data, whether or not by automated means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure or dissemination, and erasure or destruction.
5. “Processor” means any natural or legal person, public authority, agency, or other body that Processes EU Personal Data on behalf of Controller.
SECTION II — PRIVACY, CONFIDENTIALITY, AND INFORMATION SECURITY
1. Authority to Process EU Personal Data
(a) Data Controller and xTuple agree that Data Controller is the Controller and xTuple is the Processor of EU Personal Data, except in those instances when Data Controller is a Processor, in which case xTuple is a subprocessor.
(b) These Addendum terms do not apply where xTuple is a Controller of EU Personal Data.
(c) xTuple will Process EU Personal Data only on Data Controller’s written instructions and solely for the following purposes: (i) on behalf of and for the benefit of Data Controller in connection with the Agreement; (ii) to carry out its obligations pursuant to this Addendum and the Agreement; and (iii) as required by applicable law.
(d) Data Controller will have the exclusive authority to determine the purposes for and means of Processing EU Personal Data.
(e) This Addendum and the Agreement are Data Controller’s complete instructions to xTuple for the Processing of EU Personal Data. All additional instructions shall be made as a written amendment to this Addendum signed by both parties.
2. Disclosure of and Access to EU Personal Data
(a) xTuple will hold all EU Personal Data in confidence.
(b) xTuple will (i) provide at least the same level of privacy protection for EU Personal Data received from Data Controller as is required by the GDPR; (ii) promptly notify Data Controller if at any time xTuple determines that it can no longer meet its obligation to provide the same level of protection as is required by the GDPR; and (iii) take commercially reasonable steps to remedy any failure to properly Process such EU Personal Data if, at any time, Data Controller notifies xTuple that Data Controller has reasonably determined that xTuple is not Processing the EU Personal Data in compliance with the GDPR.
(c) xTuple will only transfer EU Personal Data outside the country in which Data Controller or its personnel originally delivered it to xTuple for Processing where adequate data privacy safeguards are in place, such as binding corporate rules, the Model Clauses, or the Privacy Shield principles, unless the transfer is required by law, in which case xTuple will, unless such prior disclosure is prohibited, notify Data Controller of such requirement before Processing.
(d) xTuple will not share, transfer, disclose, or otherwise provide access to any EU Personal Data to any third party, or subcontract any of xTuple’s rights or obligations concerning EU Personal Data to a third party, unless Data Controller has authorized xTuple to do so in writing, except as required by law. Where xTuple, with the consent of Data Controller, provides a third party access to EU Personal Data or subcontracts such rights or obligations to a third party, xTuple will, with each such third party, (i) enter into a written agreement that imposes obligations on the third party that are consistent with the GDPR; (ii) transfer the EU Personal Data to the third party only for the limited and specified purposes instructed by Data Controller; (iii) require the third party to notify xTuple if the third party determines that it can no longer meet its obligation to provide the same level of protection as is required by the GDPR; and (iv) upon such notice, take reasonable and appropriate steps to stop and remediate unauthorized Processing.
(e) Data Controller hereby provides its consent for xTuple to use the subprocessors on Exhibit A to provide the services. To the extent that xTuple makes any changes with regard to the use of its subprocessors, it shall inform Data Controller and provide Data Controller with the right to object to such change. To the extent Data Controller has a reasonable objection to such change in subprocessors, the parties shall cooperate to address the objection in a reasonable manner.
(f) xTuple may replace a subprocessor if the reason for the change is beyond xTuple’s reasonable control. In such instance, xTuple shall notify Data Controller of the replacement as soon as reasonably practicable, and Data Controller shall retain the right to object to the replacement subprocessor pursuant to section (e) above.
(g) xTuple will promptly inform Data Controller in writing of any requests with respect to EU Personal Data received from Data Controller’s customers, consumers, employees, or other associates. Data Controller will be responsible for responding to any such request, but xTuple will reasonably cooperate with Data Controller to address any such request or a request by an individual about whom xTuple holds EU Personal Data for access, correction, restriction, objection, erasure or data portability of his or her EU Personal Data.
(h) xTuple shall implement appropriate technical and organizational measures designed to protect the EU Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access, or use (each a “Security Incident”), in accordance with xTuple’s security standards.
(i) xTuple shall notify Data Controller within forty-eight (48) hours of a Security Incident and shall provide such timely information as Data Controller may reasonably require to enable Data Controller to fulfil any data breach reporting obligations under the GDPR. xTuple will take immediate steps to identify and remediate the cause of such Security Incident.
(j) Subject to applicable law, xTuple will notify Data Controller immediately in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of EU Personal Data. Data Controller may, if it so chooses, seek a protective order, and xTuple will reasonably cooperate with Data Controller in such action, provided Data Controller reimburses xTuple for all costs, fees, and legal expenses associated with the action. xTuple will have the right to approve or reject any settlements that affect xTuple.
(k) The parties agree that the European Commission Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries (2010/87/EU) (“Model Processor Contract”), attached hereto as Exhibit B, are incorporated by reference for the purposes of the Model Processor Contract, where xTuple is the “data importer,” Data Controller is the “data exporter,” the data processing activities in Appendix 1 to the Model Processor Contract shall be such activities as are necessary for xTuple to perform its services for Data Controller, and the data security measures in Appendix 2 to the Model Processor Contract shall be those identified in the Agreement and this Addendum.
3. xTuple will comply with applicable data protection and privacy laws, including, but not limited to, the GDPR, to the extent such laws apply to xTuple in its role as a Processor.
4. Data Controller certifies that it:
(a) Has obtained the written consent, affirmative opt-in, or other written authorization (“Consent”) from applicable individuals or organizations in the European Union (including, as necessary, trade unions or labor officials), or has another legitimate legal basis for collecting, delivering, or making accessible EU Personal Data to xTuple (as well as its subsidiaries, affiliates, and subprocessors), and such Consent or other legitimate basis allows xTuple (and its subsidiaries, affiliates, and subprocessors) to Process the EU Personal Data pursuant to the terms of the Agreement and this Addendum; and
(b) Has ensured that its collection, delivery, and disclosure to xTuple of EU Personal Data complies with the GDPR, in its role as Controller, and with all other privacy and data protection laws applicable to Data Controller, including the delivery of comprehensive information notices, as needed.
5. xTuple will assist Data Controller in ensuring that Data Controller’s secure Processing obligations, as Controller, under the GDPR are met, which may include assisting Data Controller in a consultation with a supervisory authority where a data protection impact assessment indicates that the intended Processing would result in a high risk. Upon request, xTuple shall make available to Data Controller the information necessary to demonstrate compliance with the GDPR and will allow for and contribute to audits, including inspections, conducted by Data Controller or another auditor mandated by Data Controller to confirm xTuple’s compliance with this Addendum. All expenses resulting from this Section 5 will be borne by Data Controller, unless xTuple is found to be materially noncompliant.
6. Upon termination of the Agreement, xTuple shall either return all EU Personal Data Processed on behalf of Data Controller or delete or destroy the EU Personal Data, including any existing copies, at Data Controller’s expense, if any, unless xTuple has a legal obligation to maintain such EU Personal Data.
IN WITNESS WHEREOF, the parties acknowledge their agreement to the foregoing by due execution of this Addendum by their respective authorized representatives. The Addendum cannot be modified or amended by either party except with a separate written document signed by both parties.