1.1. “Breach” means a breach by Dataform of its security obligations in this DPA that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data stored or otherwise processed within Dataform’s platform.
1.2. “Customer Data” means: (a) all data in Customer’s databases, (b) other Customer Confidential Information used to provision the Software and to create Models for Customer’s Software implementation, and (c) all analytical results generated by the Software. Customer Data includes Customer’s Personal Data.
1.3. “EU Data Protection Law” means the EU Data Protection Directive 95/46/EC prior to the date the General Data Protection Regulation 2016/679 (“GDPR”) comes into force, and the GDPR after such date.
1.4. “Personal Data” means any information relating to an identified natural person or a natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, in each case that is processed by Dataform under the License Agreement (each such person a “data subject”).
1.5. “Process” (whether or not capitalized) means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination.
2.1. Relationship of the Parties. Customer (the controller) appoints Dataform as a processor to process the Customer Data described in the License Agreement: (a) for the purposes described in the License Agreement, (b) to the extent Dataform has a legitimate interest in processing personal data as part of its business operations, or (c) with Customer’s prior written consent (collectively the “Permitted Purpose”). Each party will comply with the obligations that apply to it under EU Data Protection Law. If Dataform becomes aware that processing for the Permitted Purpose infringes EU Data Protection Law, it will promptly inform Customer.
2.2. Confidentiality of Processing. Dataform will treat Customer Data as Customer’s confidential information. Dataform shall ensure that it shall protect the Customer Data in accordance with the confidentiality obligations under the License Agreement.
2.3. Cooperation and Data Subjects' Rights. Dataform will provide reasonable and timely assistance to Customer (at Customer's expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under EU Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Customer Data. If any such request, correspondence, enquiry or complaint is made directly to Dataform, Dataform will promptly inform Customer providing full details of the same.
2.4. Customer Data Return and Disposal. Within 30 days after a written request by Customer or the termination or expiration of the License Agreement, Dataform will: (a) if requested by Customer, provide Customer with a copy of any Customer Data in Dataform’s possession that Customer does not already have; and (b) securely destroy all Customer Data in Dataform’s possession in a manner that makes such Customer Data non-readable and non-retrievable. Notwithstanding the foregoing, Dataform may retain copies of Customer Data: (x) to the extent Dataform has a separate legal right or obligation to retain some or all of the Customer Data; (y) stored inadvertently (such as in email records) or that is incorporated into records of Dataform’s business operations (such as accounting records), and (z) in backup systems until the backups have been overwritten or expunged in accordance with Dataform’s backup policy, normally 90 - 180 days.
2.5. International Transfers. Dataform will not transfer Personal Data outside the European Economic Area (“EEA”) unless it takes such measures as are necessary to provide adequate protection for such Personal Data consistent with the requirements of EU Data Protection Law.
2.6. Subprocessing. Customer consents to Dataform engaging Dataform affiliates and third party sub-processors (Annex 1) to process Customer Data for the Permitted Purpose provided that: (a) Dataform will maintain an up-to-date list of its sub-processors (Annex 1), which it will update with details of any change in subprocessors at least 10 days prior to any such change; and (b) Dataform will impose data protection terms on any sub-processor it appoints as required to protect Customer Data to the standard required by the GDPR. Customer may object to Dataform's appointment or replacement of a sub-processor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Dataform will either not appoint or replace the sub-processor or, if this is not possible, Customer may suspend or terminate the License Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
2.7. Data Protection Impact Assessment. Dataform will provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required to perform under EU Data Protection Law.
Security in Dataform-Managed Deployments. In deployments where Dataform manages the Software hosting environment, Dataform shall implement procedural, technical, and administrative safeguards on its Software and the hosting environment designed to: (a) protect from accidental or unlawful destruction of Customer Data in storage when cached in the Software Instance, and in transit between Customer’s databases and the Software Instance; and (b) protect against any loss, alteration, unauthorized disclosure of or access to Customer Data in the Software Instance.
4.1. Customer Responsibilities. Customer is responsible for security relating to its environment and databases and security relating to its configuration of the Software. This includes implementing and managing procedural, technical, and administrative safeguards on its software and networks sufficient to: (a) ensure the confidentiality, security, integrity, and privacy of Customer Data in transit, at rest, and in storage; (b) protect against any anticipated threats or hazards to the security and integrity of Customer Data; and (c) protect against any unauthorized processing, loss, use, disclosure or acquisition of or access to Customer Data. Notwithstanding any other provision of this DPA, the License Agreement or any other agreement related to the Software and Services, Dataform will have no obligations or liability as to any breach or loss resulting from: (x) Customer’s environment, databases, systems or software, or (y) Customer’s security configuration or administration of the Software.
4.2. Appropriate Permissioning. Customer is solely responsible for provisioning Users on the Software, including: (a) methods of authenticating Users (such as industry-standard secure username/password policies); (b) restricting access by User or group, and from the database level down to the row or column level; (c) managing admin privileges; (d) deauthorizing personnel who no longer need access to the Software; (e) setting up any API usage in a secure way; and (f) regularly auditing any public access links Users create and restricting the permission to create public links, as necessary.
5.1. Breach Notice. If it becomes aware of a confirmed breach, Dataform shall inform Customer via email without undue delay. Dataform shall further take any such reasonably necessary measures and actions to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.
5.2. Cooperation. Dataform will provide reasonable information and cooperation to Customer so that Customer can fulfill any data breach reporting obligations it may have under (and in accordance with the timescales required by) applicable law.
6.1. Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
6.2. Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the License Agreement unless otherwise required by EU Data Protection Law, in which case this DPA will be governed by the laws of the United Kingdom.
| Subprocessor name | Nature of subprocessing | Country |
|---|---|---|
| Github, Inc. | Repository of software code used to implement Dataform software deployments. | USA |
| Google LLC | Hosting services for Dataform software deployments; business management; analytics | USA |
| Intercom, Inc. | Support chat services within the Dataform software; Email delivery service | USA |
| Segment.io, Inc. | Event tracking for applications for service improvement and support | USA |