Last Modified: Feb 10, 2021
This Data Processing Agreement (“Agreement“) forms part of the Contract for Services (“Principal Agreement“) between between the following parties: The Customer ("Controller") and The Next Path Software Consulting Inc. (the “Data Processor”) (together as the “Parties”).
(A) The Customer acts as a Data Controller or Can act as a Data Processor.
(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1.1 Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
1.1.1 "Agreement" means this Data Processing Agreement and all Schedules;
1.1.2"Customer Content" means any Personal Data Processed by a Contracted Processor on behalf of Customer including Video Audio, text messages, Customer Account Data, Usage data and sensitive data.
1.1.3 "Contracted Processor" means a Subprocessor;
1.1.4 "Data Protection Laws" means EU Data Protection Laws and, to th extent applicable, the data protection or privacy laws of Canada;
1.1.5 "EEA" means the European Economic Area;
1.1.6 "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
1.1.7 "GDPR" means EU General Data Protection Regulation 2016/679;
1.1.8 "Data Transfer" means:
188.8.131.52 a transfer of Customer Personal Data from the Customer to a Contracted Processor; or
184.108.40.206 an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws;
1.1.9 “Services” means the Online Group Chat and other services the Customer provides.
1.1.10 "Subprocessor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement.
1.2 The Terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.The data processor shall only store, copy or use Customer Data, including email addresses, telephone numbers and names of Users, ip address, Geo Location data, log in information etc to the extent necessary to perform its obligations under the Agreement and/or for maintenance. The data processor does not have any control over the purposes and means of the processing of personal data. Nothing in the Agreement is intended to transfer control over personal data to The data processor in any way.
1.3. If the Customer processes personal data, it will only process general personal data. In no circumstance will the data processor accept any responsibility or liability for the processing of sensitive personal data.
1.4. The data processor shall take appropriate technical and organizational measures to ensure an appropriate level of security to protect personal data on the data processor Services against destruction, loss, alteration, unauthorized disclosure or access. In determining the measures to be taken, the data processor shall take account and the implementation costs as well as of the nature, scope, context and purposes of the processing operation concerned and the various risks, in terms of probability and severity, for the risks and freedoms of individuals.
1.5 At the first request of the Customer, the data processor may cooperate with the parties concerned to exercise their rights with regard to the processing of Personal Data in accordance with Articles 12 to 23 of the GDPR, including the right to information, access, removal including 'right to be forgotten’, rectification, transferability, objection and rights in respect of automated individual decision making, including profiling. This cooperation will in principle be assessed as Additional Services
1.6. the data processor agrees to provide the Customer with the necessary information at the latter’s request, to ensure that the Customer is able to investigate the data processor’ compliance with the provisions of this article.
1.7. the Customer is entitled to engage an independent expert to investigate whether the data processor fulfils obligations described in this article, which independent expert will be under an obligation of confidentiality in respect of the foregoing and will NDA and Non-Compete agreement with us. Audits will be done maximum once per year. the data processor shall cooperate in the audit and make all information that is reasonably relevant to the audit available as soon as possible. The costs of the audits carried out on the instructions of the Customer must be borne by the Customer.
1.8. the data processor shall inform the Customer immediately, but in any case within 48 hours, as soon as it finds that there has been any breach with respect to the personal data. This information provided must enable the Customer to fulfil its obligations under Articles 33 and 34 of the GDPR
1.9 the data processor is under no obligation to perform an assessments as described under article 35 and/or 36 of the GDPR.
1.10 the data processor shall be entitled to make use of sub-processors without the Customer’s prior Written permission. The list of sub-processors is available upon request. In case the data processor engages a new sub-processor it will notify the Customer. the Customer may object against this engagement in Writing. If the data processor persists in engaging a sub-processor after objection of the Customer, the Customer may terminate the agreement with immediate effect.
1.11 the data processor agrees to maintain confidentiality over personal data it processes and it ensures that the persons authorized to process the Personal Data undertake to maintain confidentiality.
1.12 Upon termination of the Agreement, the data processor shall: at request of the Customer delete all personally identifiable data.
1.13 the customer can ask the data processor to delete personally identifiable information.
1.14 the Customer warrants that the data processing will be carried out in accordance with the law. This means in any case that the Customer warrants that it is entitled to collect data or have data collected and that it is entitled to process these data and have these collected.
1.15 the Customer shall indemnify the data processor for any loss or damage of personal data and costs resulting from any claims by third parties, expressly including the data subjects and supervisory authorities, relating to or arising from any unlawful processing operation and/or any other violation of the GDPR or the Agreement that can be attributed to the Customer
1.16 the data processor shall ensure that every processing operation of personal data that is performed by or on behalf of the data processor, including third parties engaged by it for the purposes of the execution of the Agreement, is carried out within the European Economic Area (EEA) or to or from countries that offer an adequate level of protection in accordance with the GDPR.
1.17 The Customer consents to Metered having its primary processing facilities located in Canada.
2.1 the Customer is entitled to investigate whether the data processor uses the data processor Services in a manner that complies with the conditions of the Agreement. the data processor undertakes to cooperate with such an audit. the Customer shall bear the costs of such audit. The audit will be by an independent third party approved by the data processor and the findings shall remain confidential. Customer and independent auditor agree to sign a NON-disclosure agreement and NON-Compete agreements.