Data Processing Addendum
This Data Processing Addendum (the “DPA”) is incorporated into the Master Subscription Agreement (the “Agreement”).
1. Data Processing.
- In the event of a conflict between any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
- Under the Agreement, Onna shall process data owned or controlled by Customer which may include personal data.
- The Agreement (subject to any changes to the Platform or Service as agreed between the parties) and this DPA shall be the Customer’s complete and final instructions to Onna in relation to the processing of Customer Personal Data.
- Processing outside the scope of this DPA or the Agreement will require prior written agreement between the Customer and Onna on additional instructions for Processing.
1.2 Representations and Warranties of Customer. Customer agrees that with respect to Customer Personal Data (defined below), the Customer shall:
- comply with personal data security and other obligations prescribed by the Data Protection Legislation for data controllers;
- establish a procedure for the exercise of the rights of Data Subjects whose personal data is collected;
- lawfully and validly collect personal data and ensure that such personal data is relevant and proportionate to its respective uses;
- where required by applicable Data Protection Laws, provide all applicable notices to Data Subjects and obtain/will obtain all necessary consents from Data Subjects for the lawful Processing of Customer Personal Data by Onna in accordance with the Agreement; and
- take all such steps as may be required by applicable Data Protection Laws to ensure that the Processing and disclosure of Customer Personal Data by Onna is lawful in accordance with the Agreement.
1.3 The Customer agrees to defend, indemnify and keep indemnified, and hold harmless, at its own expense, Onna against all costs, claims, damages and expenses incurred by Onna or for which Onna may become liable due to any failure by the Customer to comply with clause 1.2(d) and clause 1.2(e).
1.4 Representations and Warranties of Onna. Onna warrants and represents in respect of Customer Personal Data that it:
- shall comply with applicable Data Protection Legislation with respect to its processing of Customer Personal Data hereunder.
- participates in the EU-U.S. and Swiss–U.S. Privacy Shield Frameworks as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, the EEA and Switzerland to the United States and despite the invalidation of the Privacy Shield by the European Union Court of Justice on July 16, 2020, Onna will continue to abide by the Privacy Shield Principles in processing the Customer Personal Data; and
- shall only process Customer Personal Data in accordance with the Instructions, including with regard to international transfers of Customer Personal Data.
1.5 Data Security, Audits and Security Incidents.
- Onna Security Obligations.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Onna shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in Schedule 2.
- Onna will, upon reasonable request from the Customer, allow for and contribute to audits, including inspections, conducted by the Customer (or a third party auditor on behalf of, and mandated by, the Customer) provided such audits or inspections are (a) not conducted more than once per year (unless requested by a Supervisory Authority); (b) conducted only during business hours on a date agreed by the parties; (c) restricted in scope to confirm Onna’s relevant security procedures and (d) conducted to cause minimal disruption to Onna’s operations and business. The Customer shall reimburse Onna any fees or costs incurred by Onna in conducting (or arranging the conduct of) any audits in accordance with this clause 1.5(a)(ii).
- Upon reasonable request by the Customer, Onna shall make available all information reasonably necessary to demonstrate compliance with this DPA.
- Onna Security Obligations.
- Security Incident Notification and Response.
- Notification and Response. Onna shall promptly notify Customer of becoming aware of a Security Incident. Onna shall also provide Customer with a detailed description of the Security Incident, the type of data that was the subject of the Security Incident and, to the extent known to Onna, the identity of affected persons, as soon as this information can reasonably be collected or otherwise becomes available, as well as all other information which Customer may reasonably request relating to the Security Incident.
- Mitigation. Onna agrees to promptly take reasonable action to i) investigate and remedy the Security Incident and ii) assist Customer in mitigating the effects of the Security Incident to the extent attributable to Onna’s failure to follow the Information Security Requirements provided in Schedule 2.
- Onna Employees and Personnel. Onna shall treat the Customer Personal Data as Proprietary Information of the Customer, and shall ensure that any employees or other personnel have agreed in writing to protect the confidentiality and security of Customer Personal Data.
- Consent to Subprocessor engagement: The Customer generally authorizes the engagement of third parties as Subprocessors.
- Information about Subprocessors. The Customer agrees that Onna may use Subprocessors including Google Cloud to process Customer Personal Data provided it enters into a written agreement with the Subprocessor which imposes the same material obligations on the Subprocessor with regard to their Processing of Customer Personal Data as are imposed on Onna under this DPA.
- Subprocessor Changes. Onna shall notify the Customer from time to time of the identity of any Subprocessors it engages. If the Customer (acting reasonably) does not approve of a new Subprocessor, then the Customer may request that Onna moves the Customer Personal Data to another Subprocessor and Onna shall, within a reasonable time following receipt of such request, use all reasonable endeavors to ensure that the Subprocessor does not Process any of the Customer Personal Data. If it is not reasonably possible to use another Subprocessor, and Customer continues to object for a legitimate reason, either Party may terminate the Agreement on thirty (30) days written notice. If the Customer does not object within thirty (30) days of receipt of the notice, the Customer is deemed to have accepted the new Subprocessor.
- Onna shall at all times remain responsible for compliance with its obligations under the DPA and will be liable to the Customer for the acts and omissions of any Subprocessor approved by the Customer as if they were the acts and omissions of Onna.
- Security Incident Notification and Response.
2. Data Transfers
2.1 To the extent legally required, the EU SCCs form part of this DPA and take precedence over the rest of this DPA to the extent of any conflict, and, except as set forth below, they will be deemed completed as follows:
- Customer, the exporter, acts as a controller and Onna, the importer, acts as Customer's processor with respect to the Customer Personal Data subject to the EU SCCs, and its Module 2 applies. Their contact information is set forth in Schedule 1.
- Clause 7 (the optional docking clause) is included.
- Under Clause 9 (Use of sub-processors), the parties select Option 2 (General written authorization). Onna shall provide notification to Customer 30 days in advance of any intended additions or replacements of sub-processors.
- Under Clause 11 (Redress), the optional requirement that data subjects be permitted to lodge a complaint with an independent dispute resolution body does not apply.
- Under Clause 17 (Governing law), the parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights). The parties select the law of the EU member state in which the Customer is established, or, if no such country exists, Spain.
- Under Clause 18 (Choice of forum and jurisdiction), the parties select the courts of the country identified under Clause 17.
- Annexes I and II of the EU SCCs are set forth in Schedule 1 of the DPA.
- Annex III of the EU SCCs (List of subprocessors) is inapplicable.
2.2 With respect to Customer Personal Data for which UK GDPR governs the transfer, to the extent legally required, the UK SCCs forms part of this DPA and takes precedence over the rest of this DPA to the extent of any conflict and shall be deemed completed as follows (with capitalized terms not defined elsewhere having the definition set forth in the UK SCCs:
- Table 1 of the UK SCCs: The Parties, their details, and their contacts are those set forth in Schedule 1.
- Table 2 of the UK SCCs: the "Approved EU Standard Contractual Clauses" shall be the EU SCCs as set forth in Section 7(b) of this DPA.
- Table 3 of the UK SCCs: Annexes I(A), I(B), and II are in Schedule 1 of the DPA, and Annex III is in Schedule 3.
- Table 4 of the UK SCCs: neither party may exercise the right set forth in Section 19 of the UK SCCs.
2.3 With respect to Customer Personal Data for which the Swiss FADP governs the transfer, the EU SCCs shall be deemed to have the following differences to the extent required by the Swiss FADP:
- References to the GDPR in the EU SCCs are to be understood as references to the Swiss FADP insofar as the data transfers are subject exclusively to the Swiss FADP and not to the GDPR.
- The term "member state" in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs.
- References to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the Swiss FADP that eliminate this broader scope.
- Under Annex I(C) of the EU SCCs (Competent supervisory authority):
- Where the transfer is subject exclusively to the Swiss FADP and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
- Where the transfer is subject to both the Swiss FADP and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by the Swiss FADP, and the supervisory authority is as set forth in the EU SCCs insofar as the transfer is governed by the GDPR.
3.1 Supervisory Authorities. Onna will co-operate with, and provide reasonable assistance to, Customer in the event of any enquiry or investigation by a Supervisory Authority in relation to processing of the Customer Personal Data.
3.2 Security Audit. Upon request and subject to the Customer’s confidentiality obligations in the Agreement, Onna will once a year provide Customer with a copy of its SOC 2 Type II assessment containing the results of its annual security review for SOC 2 Type II compliance.
4. Access Requests and Data Subject
4.1 Data Subject Requests. Save as required (or where prohibited) under applicable law, Onna shall notify Customer of any request received by Onna or any Subprocessor from a Data Subject in respect of their personal data included in the Customer Personal Data, and shall not respond to the Data Subject.
4.2 Onna shall provide Customer with the ability to correct, delete, block, access or copy the Customer Personal Data in accordance with the functionality of the Platform or Service.
4.3 Government Disclosure. Onna shall notify Customer of any request for the disclosure of Customer Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) unless otherwise prohibited by law or a legally binding order of such body or agency.
4.4 Data Subject Rights. Where applicable, and taking into account the nature of the Processing, Onna shall use all reasonable endeavors to assist Customer by implementing any other appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising Data Subject rights laid down in the Data Protection Legislation.
5. Data Protection Impact Assessment and Prior Consultation
5.1 To the extent required under the Data Protection Legislation, Onna shall provide reasonable assistance to the Customer with any data protection impact assessments and with any prior consultations to any Supervisory Authority of Customer, in each case solely in relation to Processing of Customer Personal Data and taking into account the nature of the Processing and information available to Onna.
6.1 Deletion of data. Subject to clause 6.2 below, Onna shall, within ninety (90) days of the date of termination of the Agreement:
- if requested to do so by the Customer, return a complete copy of all Customer Personal Data by secure file transfer in such a format as notified by the Customer to Onna; or
- if requested to do so by the Customer, delete and use all reasonable efforts to procure the deletion of all other copies of Customer Personal Data Processed by Onna or any Subprocessors.
6.2 Onna and its Subprocessors may retain Customer Personal Data to the extent required by applicable laws and only to the extent and for such period as required by applicable laws and always provided that Onna shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose.
7.1 Governing Law. This DPA and any dispute or claim arising out of it or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of the country in which the Customer is established.
7.2 Limitation of Liability. The parties’ respective liability under this DPA shall be subject to the limitations of liability under the Agreement including under Article 9 thereof.
8.1 “Customer Personal Data” means personal data which is provided to or made available to Onna by Customer or Customer’s affiliate in connection with Onna’s provision of the Platform and the Service and is more particularly described in Schedule 1.
8.2 “Data Protection Legislation” means all data protection and privacy laws applicable to a party and its Processing of Personal Customer Data under the Agreement, including, where applicable and without limitation, (i) EU Regulation 2016/674 (“EU GDPR”); (ii) equivalent requirements in the United Kingdom including the Data Protection Act 2018 and the UK General Data Protection Regulation (“UK GDPR”); (iii) the Swiss Federal Act on Data Protection (“Swiss FADP”); (iv) United States federal and/or state data protection or privacy statutes, including but not limited to California Consumer Privacy Act, as amended by the California Privacy Rights Act and together with associated regulations (“CCPA”); in each case, as may be amended, superseded or replaced from time to time; and/or (iv) any other data protection and privacy laws applicable to a party and its Processing of Personal Customer Data in connection with the Agreement.
8.3 “European Economic Area” or “EEA” means the Member States of the European Union together with Iceland, Norway, and Liechtenstein.
8.4 “Instructions” means Customer’s written instructions, including the terms of the Agreement, to Onna in respect of the Customer Personal Data, as issued from time to time to the extent necessary to provide the Platform and the Service to the Customer unless Processing is required by European Union or Member State law to which Onna is subject, in which case Onna shall, to the extent permitted by European Union or Member State law, inform the Customer of that legal requirement before Processing that Customer Personal Data.
8.5 “Security Incident” means any accidental, unauthorized, or unlawful destruction, loss, alteration, disclosure of, or access to, Customer Personal Data.
8.6 “Service” means the service provided by Onna to Customer under the Agreement.
8.7 “Standard Contractual Clauses” means (i) where the GDPR or Swiss FADP applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); or (ii) where the UK GDPR applies, the United Kingdom International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“UK SCCs”).
8.8 “Subprocessor” means any Processor engaged by Onna who agrees to receive from Onna Customer Personal Data.
8.9 The terms “personal data”, “Controller”, “Processor”, “Data Subject”, “Process” and “Supervisory Authority” shall have the same meaning as set out in the Data Protection Legislation.
8.10 Unless otherwise set out below, each capitalized term in this DPA shall have the meaning set out in the Agreement, and the following capitalized terms used in this DPA shall be defined as follows:
SCHEDULE 1: Description of Data Processing
A. List of Parties
Contact person’s name, position, and contact details:
Activities relevant to the data transferred under these Clauses: Provision of the Services.
Signature and date:
Role (controller/processor): Controller
Contact person’s name, position, and contact details:
Activities relevant to the data transferred under these Clauses: Use of the Services.
Signature and date:
Role (controller/processor): Processor
B. Description of Transfer
MODULE TWO: Transfer controller to processor
Categories of data subjects
End users and any other data subjects whose data the Customer extracts, transfers, and loads onto the Platform or Service.
Categories of personal data transferred
Contact information and usage information of the Customer as well as any other personal data the Customer or end users submit to the Platform or Service.
Any other Personal Data contained in any data the Customer or its end users extracts, transfers, and loads onto the Platform or Service.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
On a continuous basis for as long as Customer is engaging Onna.
Nature of the processing
The Processing of Customer Personal Data provided by the Customer to Onna through the Platform or otherwise in connection with the provision of the Service.
Purpose(s) of the data transfer and further processing
The purpose of the processing are as set out in the Agreement and this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: For so long as the exporter is engaging Onna.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth above.
C. Competent Supervisory Authority
The parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the supervisory authority of the country identified in Clause 17.
SCHEDULE 2: Security Measures
Onna maintains internal policies and procedures, or procures that its Subprocessors do so, which are designed to:
- secure any Customer Personal Data processed by Onna against accidental or unlawful loss, access or disclosure;
- identify reasonably foreseeable and internal risks to security and unauthorized access to the Customer Personal Data processed by Onna;
- minimize security risks, including through risk assessment and regular testing.
Onna will, and will use reasonable efforts to procure that its Subprocessors conduct periodic reviews of the security of their network and the adequacy of their information security program as measured against industry security standards and its policies and procedures.
Onna will, and will use reasonable efforts to procure that its Subprocessors periodically evaluate the security of their network and associated services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.