This Data Processing Addendum (the “DPA”) is incorporated into the Master Subscription Agreement (the “Agreement”).
- Data Processing.
- In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
- Under the Agreement, Onna shall process data owned or controlled by Customer which may include personal data.
- The Agreement (subject to any changes to the Platform or Service as agreed between the parties) and this DPA shall be the Customer’s complete and final instructions to Onna in relation to the processing of Customer Personal Data.
- Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Onna on additional instructions for Processing.
- comply with personal data security and other obligations prescribed by the Data Protection Legislation for data controllers;
- establish a procedure for the exercise of the rights of Data Subjects whose personal data is collected;
- lawfully and validly collect personal data and ensure that such personal data is relevant and proportionate to its respective uses;
- where required by applicable Data Protection Laws, provide all applicable notices to Data Subjects and obtain/will obtain all necessary consents from Data Subjects for the lawful Processing of Customer Personal Data by Onna in accordance with the Agreement; and
- take all such steps as may be required by applicable Data Protection Laws to ensure that the Processing and disclosure of Customer Personal Data by Onna is lawful in accordance with the Agreement;
- shall comply with applicable Data Protection Legislation with respect to its processing of Customer Personal Data hereunder.
- participates in the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the EEA and Switzerland to the United States and despite the invalidation of the Privacy Shield by the European Union Court of Justice on July 16, 2020, Onna will continue to abide by the Privacy Shield Principles in processing the Customer Personal Data; and
- shall only process Customer Personal Data in accordance with the Instructions, including with regard to international transfers of Customer Personal Data.
- Onna Security Obligations.
- (i) Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Onna shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in Schedule 2.
- (ii) Onna will, upon reasonable request from the Customer, allow for and contribute to audits, including inspections, conducted by the Customer (or a third party auditor on behalf of, and mandated by, the Customer) provided such audits or inspections are (a) not conducted more than once per year (unless requested by a Supervisory Authority); (b) conducted only during business hours on a date agreed by the parties; (c) restricted in scope to confirm Onna’s relevant security procedures and (d) conducted to cause minimal disruption to Onna’s operations and business. The Customer shall reimburse Onna any fees or costs incurred by Onna in conducting (or arranging the conduct of) any audits in accordance with this clause 1.5(a)(ii).
- (iii) Upon reasonable request by the Customer, Onna shall make available all information reasonably necessary to demonstrate compliance with this DPA.
- Security Incident Notification and Response.
- (i) Notification and Response. Onna shall promptly notify Customer of becoming aware of a Security Incident. Onna shall also provide Customer with a detailed description of the Security Incident, the type of data that was the subject of the Security Incident and, to the extent known to Onna, the identity of affected persons, as soon as this information can reasonably be collected or otherwise becomes available, as well as all other information which Customer may reasonably request relating to the Security Incident.
- (ii) Mitigation. Onna agrees to promptly take reasonable action to i) investigate and remedy the Security Incident and ii) assist Customer in mitigating the effects of the Security Incident to the extent attributable to Onna’s failure to follow the Information Security Requirements provided in Schedule 2.
- Onna Employees and Personnel. Onna shall treat the Customer Personal Data as Proprietary Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
- Consent to Subprocessor engagement: The Customer generally authorizes the engagement of third parties as Subprocessors.
- Information about Subprocessors. The Customer agrees that Onna may use Subprocessors including Google Cloud to process Customer Personal Data provided it enters into a written agreement with the Subprocessor which imposes the same material obligations on the Subprocessor with regard to their Processing of Customer Personal Data as are imposed on Onna under this DPA.
- Subprocessor Changes. Onna shall notify the Customer from time to time of the identity of any Subprocessors it engages. If the Customer (acting reasonably) does not approve of a new Subprocessor, then the Customer may request that Onna moves the Customer Personal Data to another Subprocessor and Onna shall, within a reasonable time following receipt of such request, use all reasonable endeavors to ensure that the Subprocessor does not Process any of the Customer Personal Data. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either Party may terminate the Agreement on thirty (30) days written notice. If the Customer does not object within thirty (30) days of receipt of the notice, the Customer is deemed to have accepted the new Subprocessor.
- Onna shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Onna.
- Representations and Warranties of Customer. Customer agrees that with respect to Customer Personal Data (defined below), the Customer shall:
- The Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Onna against all costs, claims, damages and expenses incurred by Onna or for which Onna may become liable due to any failure by the Customer to comply with clause 1.2(d) and clause 1.2(e).
- Representations and Warranties of Onna. Onna warrants and represents in respect of Customer Personal Data that it:
- Data Security, Audits and Security Incidents.
- Data Transfers outside the EEA. To the extent that Customer Personal Data is transferred outside the EEA, the terms of the transfer shall be governed by (i) Onna’s active and valid Privacy Shield certification if such transfer is to the United States or (ii) if the certification does not apply or is inactive or invalid, then the Standard Contractual Clauses will apply. In all such cases, for the purposes of implementing the Standard Contractual Clauses: (i) Customer is the data exporter and Onna is the data importer; and (ii) Appendix 1 of this DPA shall serve as Appendix 1 of the Standard Contractual Clauses, and Appendix 2 of this DPA shall serve as Appendix 2 of the Standard Contractual Clauses.
- Supervisory Authorities. Onna will co-operate with, and provide reasonable assistance to, Customer in the event of any enquiry or investigation by a Supervisory Authority in relation to processing of the Customer Personal Data.
- Security Audit. Upon request and subject to the Customer’s confidentiality obligations in the Agreement, Onna will once a year provide Customer with a copy of its SOC 2 Type II assessment containing the results of its annual security review for SOC 2 Type II compliance.
- Access Requests and Data Subject
- Data Subject Requests. Save as required (or where prohibited) under applicable law, Onna shall notify Customer of any request received by Onna or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
- Onna shall provide Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Platform or Service.
- Government Disclosure. Onna shall notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
- Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Onna shall use all reasonable endeavors to assist Customer by implementing any other appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the UK GDPR or GDPR.
- Data Protection Impact Assessment and Prior Consultation
- To the extent required under the Data Protection Legislation, Onna shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Onna.
- if requested to do so by the Customer, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to Onna; or
- if requested to do so by the Customer, delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Onna or any Subprocessors.
- Deletion of data. Subject to clause 6.2 below, Onna shall, within ninety (90) days of the date of termination of the Agreement:
- Onna and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Onna shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
- Governing Law. This DPA and any dispute or claim arising out of it or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the country in which the Customer is established.
- Limitation of Liability. The parties’ respective liability under this DPA shall be subject to the limitations of liability under the Agreement including under Article 9 thereof.
- “Customer Personal Data” means personal data which is provided to or made available to Onna by Customer or Customer’s affiliate in connection with Onna’s provision of the Platform and the Service and is more particularly described in Schedule 1 to Exhibit B: Description of Data Processing.
- “Data Protection Legislation” means all data protection and privacy laws applicable to a party and its Processing of Personal Customer Data under the Agreement, including, where applicable and without limitation, (i) EU Regulation 2016/674 (“EU GDPR”); (ii) its incorporation into the laws of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the UK European Union (Withdrawal) Act 2018 (“UK GDPR”); (iii) the Swiss Federal Act on Data Protection (“FADP”); (iv) United States federal and/or state data protection or privacy statutes, including but not limited to the CCPA and the California Privacy Rights Act of 2020 (“CPRA”); in each case, as may be amended, superseded or replaced from time to time; and/or (iv) any other data protection and privacy laws applicable to a party and its Processing of Personal Customer Data in connection with the Agreement.
- “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
- “Instructions” means Customer’s written instructions, including the terms of the Agreement, to Onna in respect of the Customer Personal Data, as issued from time to time to the extent necessary to provide the Platform and the Service to the Customer unless Processing is required by European Union or Member State law to which Onna is subject, in which case Onna shall, to the extent permitted by European Union or Member State law, inform the Customer of that legal requirement before Processing that Customer Personal Data.
- “Security Incident” means any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data.
- “Service” means the service provided by Onna to Customer under the Agreement.
- “Standard Contractual Clauses” (i) where the GDPR or Swiss FADP applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); or (ii) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR (“UK SCCs”).
- “Subprocessor” means any Processor engaged by Onna who agrees to receive from Onna Customer Personal Data.
- The terms “personal data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in the Data Protection Legislation.
- Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
SCHEDULE 1: Description of Data Processing
End users and any other data subjects whose data the Customer extracts, transfers, and loads onto the Platform or Service.
Categories of data
Contact information and usage information of the Customer as well as any other personal data the Customer or end users submit to the Platform or Service.
Any other Personal Data contained in any data the Customer or its end users extracts, transfers, and loads onto the Platform or Service.
The Processing of Customer Personal Data provided by the Customer to Onna through the Platform or otherwise in connection with the provision of the Service.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the processing are as set out in the Agreement and this DPA.
The nature and purpose of the Processing of Customer Personal Data
The Processing of Customer Personal Data provided by the Customer to Onna through the Platform or otherwise in connection with the provision of the Service.
The obligations and rights of the Customer
The obligations and rights of the Customer are as set out in this DPA.
SCHEDULE 2: Security Measures
Onna maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
- secure any Customer Personal Data processed by Onna against accidental or unlawful loss, access or disclosure;
- identify reasonably foreseeable and internal risks to security and unauthorized access to the Customer Personal Data processed by Onna;
- minimize security risks, including through risk assessment and regular testing.
Onna will, and will use reasonable efforts to procure that its Subprocessors conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.
Onna will, and will use reasonable efforts to procure that its Subprocessors periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.