This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") and complies with Regulation (EU) 2016/679 (General Data Protection Regulation).
The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the GDPR on the protection of natural persons with regard to the processing of personal data.
Agreement Between
Data Controller
The Customer
Data Processor
Next Path Software Consulting Inc.
The Customer ("Controller") and Next Path Software Consulting Inc. (the "Data Processor") are together the "Parties".
WHEREAS
(A) The Customer acts as a Data Controller or can act as a Data Processor.
(B) The Customer wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
Definitions
Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meanings:
-
Agreement
"Agreement" means this Data Processing Agreement and all Schedules.
-
Customer Content
Any Personal Data Processed by a Contracted Processor on behalf of Customer including video, audio, text messages, Customer Account Data, Usage data and sensitive data.
-
Contracted Processor
"Contracted Processor" means a Subprocessor.
-
Data Protection Laws
EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of Canada.
-
EEA
"EEA" means the European Economic Area.
-
EU Data Protection Laws
"EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
-
GDPR
EU General Data Protection Regulation 2016/679.
-
Data Transfer
"Data Transfer" means: (a) a transfer of Customer Personal Data from the Customer to a Contracted Processor; or (b) an onward transfer of Customer Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws.
-
Services
"Services" means the Online Group Chat and other services the Customer provides.
-
Subprocessor
Any person appointed by or on behalf of Processor to process Personal Data on behalf of the Customer in connection with the Agreement.
The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
Data Processing
The data processor shall only store, copy or use Customer Data (including email addresses, telephone numbers, names of Users, IP address, geo-location data, log-in information, etc.) to the extent necessary to perform its obligations under the Agreement and/or for maintenance.
1.3 If the Customer processes personal data, it will only process general personal data. In no circumstance will the data processor accept any responsibility or liability for the processing of sensitive personal data.
The data processor does not have any control over the purposes and means of the processing of personal data. Nothing in the Agreement is intended to transfer control over personal data to the data processor in any way.
Security Measures
The data processor shall take appropriate technical and organizational measures to ensure an appropriate level of security on the data processor Services to protect personal data against destruction, loss, alteration, unauthorized disclosure or access.
In determining the measures to be taken, the data processor shall take account of implementation costs as well as of the nature, scope, context and purposes of the processing operation concerned and the various risks, in terms of probability and severity, for the rights and freedoms of individuals.
1.8 The data processor shall inform the Customer immediately, but in any case within 48 hours, as soon as it finds that there has been any breach with respect to the personal data. This information must enable the Customer to fulfil its obligations under Articles 33 and 34 of the GDPR.
1.9 The data processor is under no obligation to perform assessments as described under Article 35 and/or 36 of the GDPR.
1.11 The data processor agrees to maintain confidentiality over personal data it processes and ensures that persons authorized to process the Personal Data undertake to maintain confidentiality.
Data Subject Rights
At the first request of the Customer, the data processor may cooperate with the parties concerned to exercise their rights with regard to the processing of Personal Data in accordance with Articles 12 to 23 of the GDPR, including:
-
Right to Information & Access
Data subjects may request information about their data and access to it.
-
Right to Erasure ("Right to be Forgotten")
Data subjects may request deletion of their personal data.
-
Right to Rectification & Portability
Data subjects may request correction of inaccurate data and transfer to another controller.
-
Right to Object
Data subjects may object to processing and automated decision-making, including profiling.
This cooperation will in principle be assessed as Additional Services.
1.12 Upon termination of the Agreement, the data processor shall, at request of the Customer, delete all personally identifiable data.
1.13 The customer can ask the data processor to delete personally identifiable information.
1.14 The Customer warrants that the data processing will be carried out in accordance with the law. This means in any case that the Customer warrants that it is entitled to collect data or have data collected and that it is entitled to process these data and have these collected.
1.15 The Customer shall indemnify the data processor for any loss or damage of personal data and costs resulting from any claims by third parties, expressly including the data subjects and supervisory authorities, relating to or arising from any unlawful processing operation and/or any other violation of the GDPR or the Agreement that can be attributed to the Customer.
Audit Rights
The data processor agrees to provide the Customer with the necessary information at the latter's request to ensure that the Customer is able to investigate the data processor's compliance with the provisions of this article.
1.7 The Customer is entitled to engage an independent expert to investigate compliance. The expert will be under an obligation of confidentiality and will sign NDA and Non-Compete agreements. Audits will be done maximum once per year. The costs of audits must be borne by the Customer. The data processor shall cooperate in the audit and make all information that is reasonably relevant to the audit available as soon as possible.
2.1 The Customer is entitled to investigate whether the data processor uses the data processor Services in a manner that complies with the conditions of the Agreement. The data processor undertakes to cooperate with such an audit. The Customer shall bear the costs of such audit. The audit will be by an independent third party approved by the data processor and the findings shall remain confidential. Customer and independent auditor agree to sign a NON-disclosure agreement and NON-Compete agreements.
Sub-processors
The data processor shall be entitled to make use of sub-processors. In case the data processor engages a new sub-processor, it will notify the Customer. The Customer may object against this engagement in writing. If the data processor persists in engaging a sub-processor after objection, the Customer may terminate the agreement with immediate effect.
Current Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| AWS | Cloud storage and computing services | US, Canada |
| Google Cloud | Cloud storage, computing, and ML services | Middle East |
| Hetzner | Cloud hosting and infrastructure | Germany, Finland, US |
| Digital Ocean | Cloud hosting and infrastructure | Global |
| Linode | Cloud hosting and infrastructure | Global |
| Oracle Cloud | Cloud storage and computing services | Global |
| Helpscout | Customer support and helpdesk | United States |
| Stripe | Payment processing services | Global |
1.16 The data processor shall ensure that every processing operation of personal data that is performed by or on behalf of the data processor, including third parties engaged by it for the purposes of the execution of the Agreement, is carried out within the European Economic Area (EEA) or to or from countries that offer an adequate level of protection in accordance with the GDPR.
1.17 The Customer consents to Metered having its primary processing facilities located in Canada.