This Data Processing Agreement (“DPA”) amends and forms part of the Terms of Service (the “Agreement”) between 4400 WE Technologies, Inc. (“Company” or “Borderless”) and Customer as defined in the Agreement (“Customer”). This DPA prevails over any conflicting term of the Agreement, but does not otherwise modify the Agreement.
In this DPA:
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” have the meaning given to them in Data Protection Law;
“Data Protection Law” means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), including the European Union, and all other data protection laws of the EEA, the UK, and Switzerland, each as applicable, and as may be amended or replaced from time to time;
“Data Subject Rights” means all rights granted to Data Subjects by Data Protection Law, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making;
“International Data Transfer” means any disclosure of Personal Data by an organization subject to Data Protection Law to another organization located outside the EEA, the UK, or Switzerland;
“Instructions” means the instructions given by Customer with regard to the Processing of Personal Data;
“Personnel” means any natural person acting under the authority of Company;
“SCCs” means the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, as amended or replaced from time to time;
“Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data, or otherwise subject to additional restrictions under Data Protection Law or other laws to which the Controller is subject;
“Services” means the services provided by Company to Customer under the Agreement;
“Subprocessor” means a Processor engaged by a Processor to carry out Processing on behalf of a Controller; and
“UK Addendum” means the addendum to the SCCs issued by the UK Information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
Capitalized terms used but not defined herein have the meaning given to them in the Agreement.
This DPA applies to the Processing of Personal Data by Company in the context of the Agreement.
The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Annex I, which is an integral part of this DPA.
Where Customer is a Controller and appoints Company as a Processor on behalf of Customer, Customer and Company agree to comply with the provisions set forth in Sections II and III of this DPA.
Customer and Company agree that Company may Process Personal Data relating to the contracting, onboarding, management and payment of Customer employees and contractors. Company is the Controller for such Processing and Company is responsible for compliance with the requirements of Data Protection Law applicable to Controllers in relation to such Processing activities. Where Customer and Company act as independent Controllers in the context of the Agreement, they agree to comply with the provisions set forth in Sections I and III of this DPA. For the avoidance of doubt, the Agreement and the DPA do not establish or confirm a joint-Controller relationship between the Customer and Company.
Section I – Customer and Company as Independent Controllers
Security, Compliance and Cooperation
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Company shall implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk.
Customer and Company will notify each other without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed in the context of the Agreement.
Customer and Company will assist each other with the fulfilment of their obligations under Data Protection Law to: (i) comply with requests to exercise Data Subject Rights; (ii) conduct data protection impact assessments; and (iii) conduct prior consultations with Supervisory Authorities.
Customer will inform the Data Subjects about the Processing of their Personal Data, and must rely on a valid legal ground for said Processing, as required by Data Protection Law.
Customer and Company will cooperate in good faith and inform each other, unless prohibited by Data Protection Law, if: (i) they receive a request, complaint or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority; or (ii) they receive a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body.
Each party will maintain records of Processing of Personal Data to the extent required by Data Protection Law.
Customer and Company will comply with Data Protection Law at all times and will enter into contractual agreements with their Processors which impose the required obligations under Data Protection Law.
Section II – Company as Processor on behalf of Customer
Company will Process Personal Data to provide the Services in accordance with Customer’s documented instructions.
The Instructions are documented in this DPA, the Agreement, and any applicable statement of work.
Customer may reasonably issue additional instructions as necessary to comply with Data Protection Law. Company may charge a reasonable fee to comply with any additional instructions.
Unless prohibited by applicable law, Company will inform Customer if Company is subject to a legal obligation that requires Company to Process Customer Personal Data in contravention of Customer’s documented instructions.
Company will ensure that all personnel authorized to Process Customer Personal Data are subject to an obligation of confidentiality.
Security and Personal Data Breaches
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures listed in Annex II.
Customer acknowledges that the security measures in Annex II are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.
Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. If Company’s notification is delayed, it will be accompanied by reasons for the delay.
Customer hereby authorizes Company to engage Subprocessors. A list of Company’s current core Subprocessors is included in Annex III.
Company will enter into a written agreement with Subprocessors which imposes the same obligations as required by Data Protection Law.
Company will notify Customer prior to any intended change to Subprocessors. Customer may object to the addition of a Subprocessor based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within thirty (30) days following Company’s notification of the intended change. Customer and Company will work together in good faith to address Customer’s objection. If Company chooses to retain the Subprocessor, Company will inform Customer at least thirty (30) days before authorizing the Subprocessor to Process Customer Personal Data, and Customer may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.
Taking into account the nature of the Processing, and the information available to Company, Company will assist Customer, including, as appropriate, by implementing technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law to: comply with requests to exercise Data Subject Rights; conduct Data Protection Impact Assessments, and prior consultations with Supervisory Authorities; and notify a Personal Data Breach.
Company will maintain records of Processing of Customer Personal Data in accordance with Data Protection Law.
Company may charge a reasonable fee for assistance under this Section 8. If Company is at fault, Company and Customer shall each bear their own costs related to assistance.
Upon reasonable request, Company must make available to Customer all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, at reasonable intervals or if there are indications of non-compliance, and performed by an independent auditor as agreed upon by Customer and Company. The foregoing shall only extend to those documents and facilities relevant and material to the Processing of Customer Personal Data and shall be conducted during normal business hours and in a manner that causes minimal business disruption.
Company will inform Customer if Company believes that Customer’s instruction under Section 9.1 infringes Data Protection Law. Company may suspend the audit or inspection or withhold requested information until Company has modified or confirmed the lawfulness of the instructions in writing.
Company and Customer each bear their own costs related to an audit.
Termination of the Processing
This DPA is terminated upon the termination of the Agreement.
Customer may request return of Customer Personal Data up to ninety (90) days after termination of the Agreement. Unless required or permitted by applicable law, Company will delete all remaining copies of Customer Personal Data within one hundred eighty (180) days after returning Customer Personal Data to Customer.
Section III – Common Provisions
International Data Transfers
Customer hereby authorizes Company to perform International Data Transfers outside the EEA or Switzerland:
to any country subject to a valid adequacy decision of the European Commission;
on the basis of an organization’s binding corporate rules approved by EEA Supervisory Authorities, and provided that for International Data Transfers outside Switzerland, the Swiss Federal Data Protection and Information Commissioner has been duly notified thirty (30) days in advance where required; and
to any data importer with whom Company has entered into SCCs, and provided that for International Data Transfers outside Switzerland, the Swiss Federal Data Protection and Information Commissioner has been duly notified thirty (30) days in advance where required.
By signing this DPA, Customer and Company conclude Module 1 (Controller-to-Controller) and Module 2 (Controller-to-Processor) of the SCCs, which are hereby incorporated and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the optional docking clause in Clause 7 is implemented; Option 1 of Clause 9(a) is implemented and the time period therein is specified in Section 7.3 above; the optional redress clause in Clause 11(a) is struck; Option 1 in Clause 17 is implemented and the governing law is the law of Ireland; the courts in Clause 18(b) are the Courts of Dublin, Ireland; Annex I, II and III to the SCCs are Annex I, II and III to this DPA respectively. For International Data Transfers from Switzerland: (i) Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland and (ii) the SCCs cover Personal Data pertaining to legal entities until the entry into force of the revised Swiss Federal Act on Data Protection of 2020.
Customer hereby authorizes Company to perform International Data Transfers outside the UK:
to any country subject to a valid adequacy decision of the UK government;
on the basis of an organization’s binding corporate rules approved by the UK Information Commissioner; and
to any data importer with whom Company has entered into the UK Addendum or other standard contractual clauses issued by the UK Information Commissioner, as appropriate.
By signing this DPA, Customer and Company conclude the UK Addendum which is hereby incorporated and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Company, their details are set forth in this DPA and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the SCCs referred to in Section 11.2 of this DPA; (iii) in Table 3, Annexes 1 (A and B), II, and III to the “Approved EU SCCs” are Annex I, II, and III to this DPA respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
If Company’s compliance with Data Protection Law applicable to International Data Transfers is affected by circumstances outside of Company’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative SCCs or UK Addendum are approved by Supervisory Authorities, Company reserves the right to amend the Agreement and this DPA by adding to or replacing the SCCs or UK Addendum that form part of it at the date of signature in order to ensure continued compliance with Data Protection Law.
Customer must make all notifications required under this DPA to email@example.com.
Where Company has paid compensation, damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines corresponding to Customer’s part of responsibility for the compensation, damages or fines.
Company and Customer must keep all Personal Data and all information relating to the Processing thereof in strict confidence.
Applicable law and jurisdiction
This DPA is governed by the laws of Ireland. Any disputes relating to this DPA will be subject to the exclusive jurisdiction of the courts of Dublin, Ireland.
Modification of this DPA
This DPA may only be modified by a written amendment signed by both Customer and Company.
Invalidity and severability
If any provision of this DPA is found by any court or administrative body to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
ANNEX I – DESCRIPTION OF THE TRANSFER
LIST OF PARTIES
Name: Customer (as defined above)
Address: See signature page above.
Contact person’s name, position, and contact details: See signature page above.
Activities relevant to the data transferred under these Clauses: Customer receives Company’s services as described in the Agreement and Company Processes Personal Data on behalf of Customer in that context.
Signature and date: See signature page above.
Role (controller/processor): Controller
Name: Company (as defined above)
Address: See signature page above.
Contact person’s name, position and contact details: See signature page above.
Activities relevant to the data transferred under these Clauses: Company provides its services to Customer as described in the Agreement and Processes Personal Data on behalf of Customer in that context.
Signature and date: See signature page above.
Role (controller/processor): Processor or Controller
DESCRIPTION OF INTERNATIONAL DATA TRANSFER
Categories of Data Subjects whose Personal Data is transferred:
Categories of Personal Data transferred:
Sensitive Data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
The frequency of the International Data Transfer (e.g. whether the Personal Data is transferred on a one-off or continuous basis): On a continuous basis.
Nature of the processing: The Personal Data will be processed and transferred as described in the Agreement.
Purpose(s) of the International Data Transfer and further Processing: The Personal Data will be transferred and further processed for the provision of the services as described in the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature and duration of the Processing: For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.
COMPETENT SUPERVISORY AUTHORITY
The competent authority for the Processing of Personal Data relating to Data Subjects located in the EEA is the Supervisory Authority of Ireland.
The competent authority for the Processing of Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner.
The competent authority for the Processing of Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II – TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Company will, at a minimum, implement the following types of security measures:
Physical access control
Technical and organizational measures to prevent unauthorized persons from gaining access to the data processing systems available in premises and facilities (including databases, application servers and related hardware) include:
Establishing security areas, restriction of access paths;
Establishing access authorizations for employees and third parties;
Access control system (ID reader, magnetic card, chip card);
Key management, card-keys procedures;
Door locking (electric door openers etc.);
Surveillance facilities, video/CCTV monitor, alarm system; and
Securing decentralized data processing equipment and personal computers.
Virtual access control
Technical and organizational measures to prevent data processing systems from being used by unauthorized persons include:
User identification and authentication procedures;
Strong ID/password security procedures (special characters, minimum length and complexity requirements, change of password);
Automatic blocking (e.g. password or timeout);
Monitoring of break-in attempts and disabling the user ID after several erroneous password attempts; and
Encryption of archived data media.
Data access control
Technical and organizational measures to ensure that persons entitled to use a data processing system gain access only to such Customer Personal Data in accordance with their access rights, and that Customer Personal Data cannot be read, copied, modified or deleted without authorization, include:
Internal policies and procedures;
Control authorization schemes;
Differentiated access rights (profiles, roles, transactions and objects);
Monitoring and logging of accesses;
Disciplinary action against employees who access Customer Personal Data without authorization;
Reports of access;
Deletion procedure; and
Technical and organizational measures to ensure that Customer Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media (manual or electronic), and that it can be verified to which companies or other legal entities Customer Personal Data are disclosed, include:
Technical and organizational measures to monitor whether Customer Personal Data have been entered, changed or removed (deleted), and by whom, from data processing systems, include:
Logging and reporting systems; and
Audit trails and documentation.
Control of instructions
Technical and organizational measures to ensure that Customer Personal Data are Processed solely in accordance with the instructions of the Controller include:
Unambiguous wording of the contract;
Formal commissioning (request form); and
Criteria for selecting the Processor.
Technical and organizational measures to ensure that Customer Personal Data are protected against accidental destruction or loss (physical/logical) include:
Anti-virus/firewall systems; and
Disaster recovery plan.
Technical and organizational measures to ensure that Customer Personal Data collected for different purposes can be Processed separately include:
Segregation of functions (production/testing); and
Procedures for storage, amendment, deletion, transmission of data for different purposes.
Technical and organizational measures to test, assess and evaluate the effectiveness of the technical and organizational measures implemented in order to ensure the security of the processing include:
Periodical review and test of disaster recovery plan;
Testing and evaluation of software updates before they are installed;
Test bed for specific penetration tests and Red Team attacks.
Technical and organizational measures to improve the overall management of IT and ensure that the activities associated with information and technology are aligned with the compliance efforts include:
Processes for data minimization;
Processes for data quality;
Processes for limited data retention;
Processes for ensuring accountability; and
Data subject rights policies.
ANNEX III – LIST OF SUBPROCESSORS
Company uses the following core Subprocessors. For a complete list of Company’s then-current Subprocessors, Customer must contact Company at: firstname.lastname@example.org.