Data Protection Agreement | Dataform

Data Protection Agreement

Last updated: 20180610

This GDPR Data Processing Addendum (“DPA”) forms part of the Master Services Agreement or the Terms of Use available at dataform.co/terms or such other location as the Terms of Use may be posted from time to time (as applicable, the “Agreement”), entered into by and between the Customer and Tada Science, Inc. (“Dataform”), pursuant to which Customer has accessed Dataform’s Application Services as defined in the applicable Agreement. The purpose of this DPA is to reflect the parties’ agreement with regard to the processing of personal data in accordance with the requirements of Data Protection Legislation as defined below. This DPA shall not replace or supersede any agreement or addendum relating to processing of personal data negotiated by Customer and referenced in the Agreement, and any such individually negotiated agreement or addendum shall apply instead of this DPA. In the course of providing the Application Services to Customer pursuant to the Agreement, Dataform may process personal data on behalf of Customer. Dataform agrees to comply with the following provisions with respect to any personal data submitted by or for Customer to the Application Services or collected and processed by or for Customer through the Application Services.

1. Definitions

1.1. “Breach” means a breach by Dataform of its security obligations in this DPA that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored or otherwise processed within Dataform’s platform.

1.2. “Customer Data” means: (a) all data in Customer’s databases, (b) other Customer Confidential Information used to provision the Software and to create Models for Customer’s Software implementation, and (c) all analytical results generated by the Software. Customer Data includes Customer’s Personal Data.

1.3. “EU Data Protection Law” means the EU Data Protection Directive 95/46/EC prior to the date the General Data Protection Regulation 2016/679 (“GDPR”) comes into force, and the GDPR after such date.

1.4. “Personal Data” means any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, in each case that is processed by Dataform under the License Agreement (each such person a “data subject”).

1.5. “Process” (whether or not capitalized) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination.

2. Handling of Customer Data

2.1. Relationship of the Parties. Customer (the controller) appoints Dataform as a processor to process the Customer Data described in the License Agreement: (a) for the purposes described in the License Agreement, (b) to the extent Dataform has a legitimate interest in processing personal data as part of its business operations, or (c) with Customer’s prior written consent (collectively the “Permitted Purpose”). Each party will comply with the obligations that apply to it under EU Data Protection Law. If Dataform becomes aware that processing for the Permitted Purpose infringes EU Data Protection Law, it will promptly inform Customer.

2.2. Confidentiality of Processing. Dataform will treat Customer Data as Customer’s confidential information. Dataform shall ensure that it shall protect the Customer Data in accordance with the confidentiality obligations under the License Agreement.

2.3. Cooperation and Data Subjects' Rights. Dataform will provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under EU Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Dataform, Dataform will promptly inform Customer providing full details of the same.

2.4. Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the License Agreement, Dataform will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Dataform’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Dataform’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Dataform may retain copies of Customer Data: (x) to the extent Dataform has a separate legal right or obligation to retain some or all of the Customer Data; (y) stored inadvertently (such as in email records) or that is incorporated into records of Dataform’s business operations (such as accounting records), and (z) in backup systems until the backups have been overwritten or expunged in accordance with Dataform’s backup policy, normally 90 - 180 days.

2.5. International Transfers. Dataform will not transfer Personal Data outside the European Economic Area (“EEA”) unless it takes such measures as are necessary to provide adequate protection for such Personal Data consistent with the requirements of EU Data Protection Law.

2.6. Subprocessing. Customer consents to Dataform engaging Dataform affiliates and third party sub-processors (Annex 1) to process Customer Data for the Permitted Purpose provided that: (a) Dataform will maintain an up-to-date list of its sub-processors (Annex 1), which it will update with details of any change in subprocessors at least 10 days prior to any such change; and (b) Dataform will impose data protection terms on any sub-processor it appoints as required to protect Customer Data to the standard required by the GDPR. Customer may object to Dataform's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Dataform will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the License Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

2.7. Data Protection Impact Assessment. Dataform will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under EU Data Protection Law.

3. Dataform Security Measures

Security in Dataform-Managed Deployments. In deployments where Dataform manages the Software hosting environment, Dataform shall implement procedural, technical, and administrative safeguards on its Software and the hosting environment designed to: (a) protect from accidental or unlawful destruction of Customer Data in storage when cached in the Software Instance, and in transit between Customer’s databases and the Software Instance; and (b) protect against any loss, alteration, unauthorized disclosure of or access to Customer Data in the Software Instance.

4. Customer Security Measures.

4.1. Customer Responsibilities. Customer is responsible for security relating to its environment and databases and security relating to its configuration of the Software. This includes implementing and managing procedural, technical, and administrative safeguards on its software and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Data in transit, at rest, and in storage; (b) protect against any anticipated threats or hazards to the security and integrity of Customer Data; and (c) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data. Notwithstanding any other provision of this DPA, the License Agreement or any other agreement related to the Software and Services, Dataform will have no obligations or liability as to any breach or loss resulting from: (x) Customer’s environment, databases, systems or software, or (y) Customer’s security configuration or administration of the Software.

4.2. Appropriate Permissioning. Customer is solely responsible for provisioning Users on the Software, including: (a) methods of authenticating Users (such as industry-standard secure username/password policies); (b) restricting access by User or group, and from the database level down to the row or column level; (c) managing admin privileges; (d) deauthorizing personnel who no longer need access to the Software; (e) setting up any API usage in a secure way; and (f) regularly auditing any public access links Users create and restricting the permission to create public links, as necessary.

5. Data Breach Notification and Resolution.

5.1. Breach Notice. If it becomes aware of a confirmed breach, Dataform shall inform Customer via email without undue delay. Dataform shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.

5.2. Cooperation. Dataform will provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.

6. Miscellaneous.

6.1. Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.

6.2. Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the License Agreement unless otherwise required by EU Data Protection Law, in which case this DPA will be governed by the laws of the United Kingdom.

Annex 1 - List of subprocessors

| Subprocessor name | Nature of subprocessing | Country |
| --- | --- | --- |
| Auth0, Inc. | Authentication | USA |
| GitHub, Inc. | Repository of software code used to implement Dataform software deployments. | USA |
| Google LLC | Hosting services for Dataform software deployments; business management; analytics | USA |
| Intercom, Inc. | Support chat services within the Dataform software; Email delivery service | USA |
| Segment.io, Inc. | Event tracking for applications for service improvement and support | USA |