DATA PROCESSOR AGREEMENT
This Data Processor Agreement is entered into on today's date between
[Name of Controller]
[Central Business Register No.]
311 Fourth Avenue, Suite #517
San Diego, CA 92101
(collectively "the Parties")
1. BACKGROUND, SCOPE AND PURPOSE
The Controller has either subscribed to services under the Processor's subscription terms and conditions or entered into a Statement of Work agreement, if the Controller is an Enterprise Customer. In the following, both terms and conditions and the Statement of Work agreement will seperately be referred to as a "Main Agreement".
The Processor delivers a photo editing service (the “Service”) to the Controller. When providing these services to the Controller, the Processor processes personal data for which the Controller is responsible, thus the Processor processes personal data on behalf of the Controller.
The scope of this Agreement is to govern the relationship between the Controller and the Processor as well as the Processor’s processing of personal data on behalf of the Controller.
This Agreement constitutes an appendix to the Main Agreement entered into between the Parties. In the event of conflicts between the agreements, this Agreement shall take precedence.
The Parties have entered into this Data Processor Agreement (“Agreement”) in order to fulfil the requirement of a written agreement between a data controller and a data processor of personal data as set out in section 28(3) of the EU General Data Protection Regulation 2016/679 (the “GDPR”).
2. PROCESSING OF DATA
The Processor may only process personal data under the instructions of the Controller. The Controller’s instructions are stated in Appendix 1, thus the Processor may only process the categories of personal data and data regarding the data subjects as listed in Appendix 1 as amended from time to time.
The Controller is responsible for obtaining the data subject’s consent to the processing of data in question in accordance with article 7 and article 8 of the GDPR.
The Processor is not entitled to process the Controller’s personal data for any other purposes than the ones set forth in Appendix 1, as amended from time to time, unless the Controller has given prior written consent to the processing in question.
Upon written request from the Controller, the Processor must correct, block or delete personal data, which is incorrect or incomplete.
Upon written request from the Controller, the Processor must present the necessary documentation proving that the processing of personal data is carried out in accordance with the applicable data protection laws and the GDPR, thus the Processor must keep records of its processing activities.
The Processor must assist the Controller in fulfilling its legal obligations under GDPR chapter 3 concerning the rights of the data subject. If the Processor receives a request from a data subject for access to the data subject’s registered personal data, or a data subject objects to the processing of his or her personal data, the Processor must inform the Controller of the request or objection without undue delay.
The Processor must delete personal data, copies and records thereof when it is no longer reasonably necessary in order for the Processor to perform its obligations under the Main Agreement. In any case the Processor deletes the personal data received from Controller, when the data has been stored with the Processor for 31 days.
In some cases, the Controller may wish for the Processor to process personal data for a longer period than 31 days. If the Controller wishes for the Processor to keep processing the personal data past these 31 days, it rests with the Controller to provide the Processor with the necessary documentation proving a substantiated purpose for extended processing.
3. USE OF SUB PROCESSORS
By signing this Agreement, the Controller hereby authorizes the Processor to use sub processors.
Upon the signing of this Agreement, the Processor uses the sub processors listed in Appendix 1.
Before the Processor engages a new sub processor or replaces a current sub processor, the Processor shall notify the Controller thereof and provide information about the new sub processor’s name and location for processing.
If the Controller has a reasonable basis to object to the Processor’s use of a new sub processor or replacement of a current sub processor, and therefore wishes to terminate this Agreement and the Main Agreement, the Controller shall notify the Processor within 10 business days after receipt of the Processor’s notice.
The Processor ensures, that any sub processor, engaged by the Processor to carry out specific processing activities on behalf of the Controller, is bound by data protection obligations no less stringent than the ones set forth in this Agreement. If the sub processor fails to fulfil its data protection obligations, the Processor is liable to the Controller for the performance of the sub processor’s obligations.
Upon the Controller’s request, the Processor must provide the Controller with sufficient information to ensure the Controller, that the sub processors engaged by the Processor have taken the necessary technical and organizational security measures.
All employees employed by the Processors receive appropriate training, adequate instructions and guidelines for processing personal data.
The Processor must limit access to personal data to the relevant employees and ensure that these are authorized to process the personal data.
The Processor must ensure that those of the Processor’s employees, who process personal data, are bound by adequate confidentiality obligations. Such obligations shall survive the termination of this Agreement.
The Controller is entitled to, at its own cost, take proportionate and commercially reasonable measures to validate the Processor’s compliance with this Agreement, either by conducting an audit itself or by using a third party to conduct an audit.
If the Controller takes on a third party to conduct the audit on behalf of the Controller, the Controller must ensure that the third party carrying out the audit enters into a non-disclosure agreement and that such third party takes necessary security measures when conducting the audit.
Audits must be conducted during the Processor’s business hours and the Processor must be notified of planned audits within reasonable time prior to the audit. The audit shall not grant the Controller access to the Processor’s trade secrets or proprietary information unless this is required in order for the Controller to comply with the applicable data protection law.
6. DATA TRANSFER
The Processor is not entitled to transfer or hand over data to third parties or sub processors without prior written instruction or consent hereto from the Controller, unless such transfer or handing over is provided by law.
By signing this Agreement, the Controller grants the Processor consent to process personal data outside the EU/EEA, provided that the Processor guarantees the existence of a sufficient legal basis for the transfer. The Processor must thus guarantee that the third country in question has an adequate level of protection or the Processor must, on behalf of the Controller, enter in to a separate data protection agreement with the sub processor, using the EU Commission’s Model Contracts for the transfer of personal data to third countries.
7. SECURITY MEASURES
The Processor must, while keeping in mind the state of the art and the cost of their implementation, take the necessary technical and organizational security measures to ensure a level of security in accordance with the GDPR and appropriate to the risk presented to the processing and the nature of the personal data to be protected. The Processor shall take into account the requirements set out in article 32 of the GDPR and the security measures shall thus include but not be limited to
safeguarding personal data against being destroyed accidentally or illegally, lost, altered, damaged or made known to unauthorized persons, misused or in any other way illegally processed,
taking measures to prevent transfers to any unauthorized person or entity,
ensuring that records are maintained of access to personal data, and
taking measures to ensure personal data remains available.
Security measures taken by the Processor are stated in Appendix 2.
The Processor shall periodically asses data security risks related to the provisioning of the services to the Controller.
Upon the Controller’s request, the Processor must provide the Controller with sufficient information to ensure the Controller, that the Processor has taken the necessary technical and organizational security measures.
8. BREACH OF DATA SECURITY
The Processor must notify the Controller of personal data security breaches, operational malfunctions or suspected security breaches relating to the processing of personal data without undue delay and within 24 hours after the security breach has been discovered, unless the Processor is able to demonstrate that the data security breach is unlikely to result in a risk to the rights and freedoms of data subjects.
The notification in clause 8.1 must (if relevant) contain:
a description of the data security breach including the categories and approximate amount of data and data subjects concerned,
the name and contact details of the Processor’s data protection officer,
a description of the likely consequences of the data security breach,
a description of the measures taken or proposed to be taken by the Controller to address the data security breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay.
The Processor shall document any data security breaches. The documentation shall only include information necessary for the Controller to verify compliance with the applicable data protection law to the relevant supervisory authority.
The Controller is responsible for notifying the relevant supervisory authority about the data security breach.
9. LIMITATION OF LIABILITY
Pursuant to article 82(2) of the GDPR, the Processor shall only be liable for damage caused by processing where the Processor has not complied with obligations of the GDPR specifically directed to processors or where the Processor has acted outside or contrary to this Agreement.
The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
The Processor’s cumulative liability to the Controller or any other party for any loss or damages resulting from claims, demands or actions arising out of relating to this Agreement shall not exceed the total paid-in fee from the Controller to the Processor during the 12 months prior to the date where the claim is first brought against the Processor.
Any amendments to this Agreement and the Appendixes must be in writing and signed by the Parties in order to be binding.
11. TERM AND TERMINATION
This Agreement shall enter into force on the date of signing and shall remain in force for as long as the Processor processes personal data on behalf of the Controller.
Upon termination of the Main Agreement, this Agreement will be terminated accordingly.
If one of the Parties is in breach of this Agreement, the other Party shall be entitled to terminate this Agreement with a written notice of 10 business days to rectify the breach. If the Party in breach has not remedied the breach within 10 business days, the Party not in breach is entitled to terminate the Agreement immediately.
Upon termination of this Agreement, the Controller must notify the Processor to delete or return the personal data. The Processor is obliged to destroy or return the personal data as requested, unless legislation imposed upon the Processor prevents it from destroying or returning all or parts of the personal data. The Controller must allow for a period of 30 days in order for the Processor to complete the full deletion of personal data.
12. GOVERNING LAW AND DISPUTES
Any disputes arising from this Agreement must be resolved and governed as agreed in section 9 of the Processor’s terms and conditions or, if the Controller is an Enterprise Customer, according to the Statement of Work agreement. The only amendment to these dispute resolving clauses shall be that this Agreement is governed by the GDPR and the applicable data protection laws in addition to US Law.
This appendix constitutes a part of the Agreement and must be filled out by the Parties.
The personal data processed by the Processor on behalf of the Controller concerns the following categories of data subjects:
Persons on photos belonging to, purchased by or in other ways legally obtained by the Controller.
CATEGORIES OF PERSONAL DATA
The Processor processes the following categories of personal data on behalf of the Controller:
Photographs of data subjects.
It is possible for the Controller to manually upload photos via Service provided by the Processor. However, the Processor does not process sensitive personal data, thus the Controller may not use the Service to upload photos, which in any contain sensitive personal data and thus make the Processor process sensitive personal data. The Controller’s distribution of sensitive personal data to the Processor will be construed as a breach of this Agreement.
The following processing activities will be carried out by the Processor on behalf of the Controller:
Editing of photos and storage of photos submitted by the Controller, systematization and analysis of data and storing of data via sub processors and thus transferring data to sub processors. Data will be accessed by the Processor for the purpose of editing photos, maintenance of the Processor’s systems, global analytics or support to the Controller. Upon instruction from the Controller, the Processor will forward the Controller’s data to third parties appointed by the Controller.
PRE-APPROVED SUB PROCESSORS
The following sub processors used by the Processor are pre-approved by the Controller:
|Entity name and address||Entity type||Entity Country|
|Amazon Web Services||Hosting provider||Ireland|
The processing of personal data by the Processor on behalf of the Controller will take place in the following location:
For the Processor:
Denmark, Germany, Netherland, Spain, USA, Vietnam, Cambodia, Bangladesh, Brazil
For the pre-approved sub processors:
This appendix constitutes a part of the Agreement and must be filled out by the Parties.
The Parties have agreed to the following security measures to be taken in connection with the Processors processing of personal data on behalf of the Controller:
PHYSICAL ACCESS CONTROL
Measures to prevent physical access of unauthorized persons to IT systems that handle personal data:
Buildings and systems used for data processing are safe. Data processing media is stored properly and is not available to unauthorized third parties, thus such media is kept locked when unattended. The Processor only uses high quality hard- and software and continues to update these if relevant.
SYSTEM ACCESS CONTROL
Measures to prevent unauthorized persons from using IT systems:
The Processor maintains a 2-factor authentication system for accessing personal data processing systems. Employee accounts are not shared and inactive sessions are terminated after 60 minutes. Through CloudWatch and network event monitoring the Processor keeps network logs and a log of detection of intrusion.
DATA ACCESS CONTROL
Measures to ensure that the Processor’s employees only have access to the personal data pursuant to their access rights:
The access to personal data is role based. Data can only be accessed by the Processor or the Controller. Access to databases are IP restricted. The Processor has also introduced log-in and password procedures ensuing that only employees with access rights have access to personal data. The Processor keeps a list of employees that have access to the Controller’s data, and only key employees have access to databases.
TRANSMISSION ACCESS CONTROL
Measures to ensure that personal data cannot be read, copied, altered or deleted by unauthorized persons during electronic transmission or during transport or storage on data media and that those areas can be controlled and identified where transmission of personal data is to be done via transmission systems:
All data submitted by the Controller is encrypted upon transfer to the Processor. All data is encrypted on storage.
ENTRY CONTROL AND TRACEABILITY
Measures to ensure that it can be subsequently reviewed and determined if and from whom personal data was entered, altered or deleted in the IT systems, as well as measures to ensure the accountability and traceability of the processing of personal data:
The Processor applies a log monitoring solution to collect and compare logged events. All Elastic Load Balancing traffic is monitored via CloudWatch. CloudWatch alerts the Processor of any issues in the system. The Processor keeps a log of all Service access and errors as well a Windows event log. All such logs are collected by logbeat and filebeat services. Thus the Processor keeps network logs and a log of detection of intrusion. All logs are stored for 30 days. The logs contain information on who accessed data, from which IP address the data was access, which data were accessed and when data was accessed. The Processor performs internal audits to ensure, that all security measures stated in this Appendix are taken and that each new feature or amendment to services provided by the Processor live up to these standards.
Measures to ensure that personal data is protected against accidental destruction or loss:
The Processor has set up and maintained web application firewall and anti-virus software as well as back-up procedures as layers of security. The Processor uses Cloudflare to prevent DDOS, as well as the Processor maintains an Auto Scale Group able to scale up in case of growing traffic. Processor uses Amazon Inspector and W3AF as scanning tools. The Processor also uses a LINQ Entity Framework/SGL Parameter to prevent SQL Injection, as well as the Processor uses VisualCodeGrepper to scan code and detect security issues.The Processor maintains recovery processes to allow for continuation of data processing and to provide and effective and accurate recovery of personal data.
Measures to provide a description of any procedures established to ensure an adequate level of transparency to the Controller regarding the Processor and sub processors processing of personal data:
The Controller will always be able to access data submitted to the Processor as well as the Controller will be able to download such date after submission.
Measures to ensure that the Controller is allowed to access, rectify, delete, block and manage objections to the processing of personal data:
The Controller is able to download data submitted by the Controller to the Service provided by the Processor. If the Controller wishes to rectify, delete or block data or in any other way wishes to manage objections to the processing of personal data, the Processor must notify the Processor of such wishes, in such cases where the Controller is not able to carry out the action itself.
Measures to ensure the portability of personal data, if the migration of data is requested by the Controller or data subjects:
Data submitted by the Controller will be downloadable through the Service provided by the Processor and thus the Controller will be able to migrate the data.
DATA RETENTION AND DELITION
Measures to ensure that personal data is adequately erased or destroyed when use of the personal data is no longer necessary:
Personal data is stored for 31 days, after which it is deleted if the Controller has not pleaded clause 2.8 of this Agreement. Data is deleted upon request from the Controller.
After the termination of this Agreement, clause 11.4 of the Agreement applies.