This Data Processing Addendum ("DPA") is incorporated into and forms a part of the agreement between Enhancio, Inc. ("Enhancio") and Customer that governs Customer’s access to and use of the Services provided by Enhancio ("Agreement").
1. Definitions
In this DPA, the following terms (and derivations thereof) have the meanings set out below:
“Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
“Customer” means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
“Customer Content” means any data, file attachments, text, images, personal information, or other content that is uploaded or submitted to the online Service by Customer or Partners or Users and is processed by Enhancio on behalf of Customer.
“Customer Personal Data” means Personal Data that is contained within Customer Content.
“Data Breach” means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content.
“Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Customer Personal Data.
“Data Subject” means an identified or identifiable natural person.
“Enhancio Personnel” means any individual authorized by Enhancio to Process Customer Personal Data.
“Parties” or “Party” means Customer and/or Enhancio as applicable.
“Personal Data” means any information relating to, identifying, describing, or capable of being associated with a Data Subject.
“Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, normalization, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
“Processor” means the individual or entity that Processes Personal Data on behalf of a Controller.
“Professional Services” means implementation, configuration, integration, and other professional services related to the online Services that are provided by Enhancio and purchased by Customer as Service.
“Services” means the Subscription Services, Professional Services, and any other online service or application provided or controlled by Enhancio for use with the Subscription Services.
“Subprocessor” means any individual or entity (including any third party but excluding Enhancio Personnel) appointed by or on behalf of Enhancio to Process Customer Personal Data in connection with the Agreement.
“Subscription Services” means the subscription-based Demand Automation services and applications that are provided by Enhancio and purchased by Customer.
“Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
“User” means any individual authorized or invited by Customer or another User to access and use the online Services under the terms of the Agreement.
2. Roles of Parties
2.1.
Customer and Enhancio agree that, as between the Parties, Customer is a Controller and Enhancio is a Processor of Customer Personal Data and that each Party is solely responsible for its compliance with Data Protection Laws applicable to it and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities.
2.2. Customer as Controller.
2.2.1.
Customer is solely responsible for the accuracy of Customer Personal Data and the legality of the means by which Customer acquires Customer Personal Data.
2.2.2.
Customer’s instructions to Enhancio to Process Customer Personal Data will comply with Data Protection Laws and be duly authorized, with all necessary rights, permissions, and consents secured.
2.3 Enhancio as Processor.
2.3.1. Enhancio will Process Customer Personal Data only:
(a) as instructed by Customer in writing or as initiated by Users via an online Service;
(b) as necessary to provide the Services; or
(c) as required by applicable law.
2.3.2. Enhancio will ensure that Enhancio Personnel:
(a)
access Customer Personal Data only to the extent necessary to perform Enhancio’s Processing obligations under this DPA and the Agreement;
(b)
are bound by confidentiality obligations with respect to Customer Personal Data substantially as protective as those set forth in this DPA and the Agreement; and
(c)
are subject to appropriate training relating to the Processing of Customer Personal Data.
2.3.3.
Enhancio will not disclose Customer Personal Data to a third party for monetary or other consideration except as otherwise permitted under this DPA or the Agreement.
2.3.4.
At Customer’s written request and to the extent Customer is unable to access the relevant information on its own, Enhancio will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, considering the nature of Enhancio’s Processing of Customer Personal Data and the information available to Enhancio.
2.3.5.
Enhancio will not assess the type or substance of Customer Content to identify whether it is Customer Personal Data or subject to any specific legal requirements.
3. Security
3.1.
Enhancio will implement and maintain technical, physical, and organizational measures and controls designed to protect and secure Customer Content (including the return and deletion thereof) in accordance with the Agreement.
3.2.
Customer acknowledges that, through its Users, Customer:
(a)
controls the type and substance of Customer Content; and
(b)
sets User permissions to access Customer Content; and therefore, Customer is responsible for reviewing and evaluating whether the documented functionality of an online Service meets Customer’s required security obligations relating to Customer Personal Data under Data Protection Laws.
4. Subprocessors
4.1.
Customer authorizes Enhancio to use any Subprocessors subject to the terms and conditions of this Section 4.
4.2.
Enhancio will carry out appropriate due diligence on each Subprocessor and have a written agreement with each Subprocessor that includes provisions for Processing Customer Personal Data that are substantially as protective as those set out in this DPA.
4.3.
Enhancio is responsible for Subprocessors’ acts and omissions, including a Subprocessor’s appointment of another Subprocessor.
5. Data Subject Requests
5.1.
Enhancio will provide Customer access to end-user’s Personal Data via the Demand Automation Platform to allow Customer to respond to Data Subject requests relating to Customer Personal Data.
5.2.
Enhancio will notify Customer in writing without undue delay of any requests Enhancio receives directly from a Data Subject relating to Customer Personal Data:
(a)
to confirm that such request relates to Customer;
(b)
as required by applicable law.
5.3.
At Customer’s written request and to the extent Customer is unable to access Customer Personal Data on its own, Enhancio will provide reasonable assistance to Customer in accessing Customer Personal Data for Customer to respond to such Data Subject requests.
6. Data Breach
6.1.
Enhancio will notify Customer in writing without undue delay upon Enhancio becoming aware of a Data Breach.
6.2.
Enhancio will investigate and, as necessary, mitigate or remediate a Data Breach in accordance with Enhancio’s security incident policies and procedures (“Breach Management”).
6.3.
Subject to Enhancio’s legal obligations, Enhancio will provide Customer with information available to Enhancio as a result of its Breach Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Breach Information”), for Customer to comply with its obligations under Data Protection Laws as a result of a Data Breach.
6.4.
If Customer requires information relating to a Data Breach in addition to the Breach Information, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Enhancio will reasonably cooperate with Customer as requested by Customer to attempt to collect and provide such additional information.
7. Audit Rights
7.1.
Enhancio will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”). The Audit will:
(a)
be performed by independent third party security professionals at Enhancio's selection and expense;
(b)
include testing of the security measures and controls of the Demand Automation Platform; and
(c)
include penetration testing of the Demand Automation Platform and result in the generation of a penetration test report.
The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement. For clarity, each Report will only discuss the Demand Automation Platform in general commercial availability at the time the Report was issued; subsequently released Services, if covered by a Report, will be in the next annual iteration of such Report.
7.2.
If Customer requires information for its compliance with Data Protection Laws in addition to the Reports, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, Enhancio will allow for and cooperate with a Customer mandated audit by a third-party auditor in relation to the Enhancio’s Processing of Customer Personal Data (“Customer Audit”), provided that:
7.2.1.
Customer provides Enhancio reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;
7.2.2.
Enhancio approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;
7.2.3.
Customer and the auditor act to avoid causing any damage, injury, or disruption to Enhancio’s premises, equipment, or business in the course of such Customer Audit; and
7.2.4.
Customer initiates only one Customer Audit in any calendar year unless otherwise required by a Supervisory Authority.
8. International Transfers
8.1.
The Parties acknowledge and agree that the Processing of Customer Personal Data by Enhancio may involve an international transfer of Customer Personal Data from Customer to Enhancio (“International Transfer”).
8.2.
Enhancio will ensure that there are adequate safeguards in place to protect Customers personal data and that will comply with legal obligations if at all data is transferred out of EU area. These adequate safeguards might comprise a data transfer agreement with the recipient based on standard contractual clauses approved by the European Commission for transfers of personal data to countries outside EU.
9. General
9.1.
Amendment; Waiver. Unless otherwise expressly stated herein, this DPA may be modified only by a written agreement executed by an authorized representative of each Party. The waiver of any breach of this DPA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.
9.2.
Severance. If any provision of this DPA is held to be unenforceable, then that provision is to be construed either by modifying it to the minimum extent necessary to make it enforceable (if permitted by law) or disregarding it (if not permitted by law), and the rest of this DPA is to remain in effect as written. Notwithstanding the foregoing, if modifying or disregarding the unenforceable provision would result in failure of an essential purpose of this DPA, the entire DPA will be considered null and void.
9.3.
Order of Precedence. Regarding the subject matter of this DPA, in the event of any conflict between this DPA and any other written agreement between the Parties (including the Agreement), this DPA will govern and control. Any data processing agreements that may already exist between Parties are superseded and replaced by this DPA in their entirety.
9.4.
Notices. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Agreement, provided that all such notices may be sent via email.
9.5.
Governing Law and Jurisdiction. Unless prohibited by Data Protection Laws, this DPA is governed by the laws stipulated in the Terms of Service and the Parties to this DPA hereby submit to the choice of jurisdiction and venue stipulated in the Terms of Service, if any, with respect to any dispute arising under this DPA.
9.6.
Enforcement. Regardless of whether Customer or its affiliate(s) or a third-party is a Controller of Customer Personal Data, unless otherwise required by law:
(a)
only Customer will have any right to enforce any of the terms of this DPA against Enhancio; and
(b)
Enhancio’s obligations under this DPA, including any applicable notifications, will be to only Customer.
9.7.
Liability. As between the Parties to this DPA, each Party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
9.8.
Variations in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and Enhancio’s business operations.
9.9.
Reservation of Rights. Notwithstanding anything to the contrary in this DPA:
(a)
Enhancio reserves the right to withhold information the disclosure of which would pose a security risk to Enhancio or its customers or is prohibited by applicable law or contractual obligation; and
(b)
Enhancio’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by Enhancio of any fault or liability.
9.10.
Enhancio as Controller. Enhancio may collect Personal Data directly from Data Subjects (which may be duplicative of Customer Personal Data) in accordance with Enhancio’s internal policies and publicly posted Privacy Policy, and nothing in this DPA will prohibit Enhancio from Processing such Personal Data as a Controller under Data Protection Laws, provided that Enhancio conspicuously notifies such Data Subjects that such information will be handled in accordance with Enhancio’s Privacy Policy.