Privacy Shield and GDPR Data Processing Addendum for Squelch Hosted Services
(last updated August 20, 2018)
This Privacy Shield and GDPR Data Processing Addendum (“DPA”) forms part of the Squelch Hosted Service Terms and any applicable Order Form (together, the “Agreement”), entered into by and between the Customer and Squelch, Inc. (“Squelch”), pursuant to which Customer accesses, uses and has accessed and used Squelch’s Hosted Service (as defined in the Agreement).
Squelch and Customer agree as follows:
- Definitions and Scope.
- For purposes of this Addendum:
- “GDPR” means General Data Protection Regulation (Regulation (EU) 2016/679).
- “Personal Data” means any information that has been provided by or for Customer to the Hosted Service or collected and Processed by or for Customer through the Hosted Service, relating to an identified or identifiable individual within the European Union. An identifiable individual is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that individual.
- “Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Any capitalized but undefined terms herein shall have the meaning set forth in the Agreement.
- This Addendum applies to the Personal Data that Squelch receives from Customer, or otherwise Processes for or on behalf of Customer, in connection with the Agreement. For the purposes of this Addendum, Customer is the data controller and Squelch is the data processor, each as defined in the GDPR.
- The subject matter of the data processing under this Addendum involves the following:
- Subject matter, nature and purpose of Processing: the use of the Hosted Service by Customer for its data processing as initiated by Customer from time to time.
- Anticipated duration of Processing: For so long as Personal Data is retained in the Hosted Service at Customer’s direction.
- Categories of Personal Data subject to Processing under the Agreement: the Customer Data uploaded or otherwise provided to the Hosted Service under Customer’s account.
- Categories of data subjects (i.e., the individuals to whom the Personal Data relate): data subjects may include Customer’s customers, employees, suppliers and end-users.
- For purposes of this Addendum:
- Privacy Shield
- Squelch will use and disclose the Personal Data only to lawfully provide services to Customer and otherwise as permitted under the Agreement.
- Squelch will provide at least the same level of substantive protection for the Personal Data as is required under the EU-U.S. and Swiss-U.S. Privacy Shield programs, though this Addendum does not require Squelch to join such programs, and Squelch does not represent that it is a member of such programs, nor that it complies with the dispute resolution or jurisdictional requirements of such programs. If Squelch determines that it can no longer provide this level of protection, Squelch will promptly notify Customer of this determination, and Customer shall have the right to terminate the Agreement or any component of it without penalty upon notice to Squelch.
- Upon notice, Squelch will take reasonable and appropriate steps to stop and remediate unauthorized Processing of the Personal Data.
- Customer may provide this Addendum and a copy of the relevant privacy provisions of the Agreement to the U.S. Department of Commerce upon its request (as required under the Accountability for Onward Transfer Principle of the Privacy Shield programs).
- General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”)
- Customer’s instructions for the Processing of Personal Data shall comply with the GDPR. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer shall ensure that Customer is entitled to transfer the relevant Personal Data to Squelch so that Squelch and its sub-processors may lawfully Process the Personal Data in accordance with this Addendum and the Agreement on Customer’s behalf.
- Squelch will Process the Personal Data only on behalf of and in accordance with documented instructions from Customer, including with regard to transfers of Personal Data, unless required to do so by European Union or member state law to which Squelch is subject. In such case, Squelch shall inform Customer of that legal requirement before Processing, unless that law prohibits providing such information on important grounds of public interest within the meaning of the GDPR. Customer instructs Squelch to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement, which includes updating the Hosted Service and preventing or addressing service or technical issues; (ii) Processing initiated by Customer’s Authorized Users in their use of the Hosted Service; and (iii) Processing to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- Squelch will ensure that the persons Squelch authorizes to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Without limiting the foregoing, Squelch will take steps to ensure that any natural person acting under the authority of Squelch and who has access to Personal Data does not Process the Personal Data except on instructions from Customer unless required to do so by European Union or member state law as described above.
- Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for impact on the individuals to whom the Personal Data relates, Squelch shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the following (among other things) as appropriate:
- the pseudonymization and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services;
- the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.
In assessing the appropriate level of security, Squelch shall in particular take account of the risks presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data.
- Customer acknowledges and expressly agrees that Squelch’s subsidiaries may be retained as sub-processors for the Processing of Personal Data and that Squelch may subcontract the collection or other Processing of Personal Data; provided that Squelch shall be liable for the acts and omissions of its sub-processors to the same extent it would be liable if performing the services of each sub-processor directly under the terms of this DPA and the Agreement. Further:
- Squelch shall ensure that each sub-processor is subject to the same data protection obligations as set out herein.
- The current list of sub-processors for the Hosted Service who process Customer-supplied Personal Data is available upon request. Squelch shall make available to Customer a mechanism to subscribe to notifications of new sub-processors for the Service, to which Customer shall subscribe, and if Customer subscribes, Squelch shall provide notification of any new sub-processor(s) before authorizing such new sub-processor(s) to process Personal Data in connection with the provision of the applicable Hosted Service.
- In the event Customer has a reasonable objection to such new sub-processor, Customer may object to Squelch’s use of a new sub-processor by notifying Squelch promptly in writing within ten (10) days after receipt of Squelch’s notice. Such notice shall explain the reasonable grounds for the objection. Upon receipt of such notice, Squelch will use reasonable efforts to make available to Customer a change in the Hosted Service or recommend a commercially reasonable change to Customer’s configuration or use of the Hosted Service to avoid processing of Personal Data by the objected-to new sub-processor without unreasonably burdening Customer. If Squelch is unable to make available such change within a reasonable period of time, which shall not exceed sixty (60) days, Customer may terminate the applicable Subscription Order(s) with respect only to those elements of the Hosted Service which cannot be provided by Squelch without the use of the objected-to new sub-processor by providing written notice to Squelch. Upon such termination, Squelch will refund Customer any prepaid fees covering the remainder of the term of such Subscription Order(s) following the effective date of termination with respect to such terminated elements of the Hosted Service, without imposing a penalty for such termination on Customer.
- Taking into account the nature of the Processing, Squelch will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests by individuals (or their representatives) for exercising their rights under the GDPR (such as rights to access their Personal Data).
- Squelch will assist Customer in ensuring Customer’s compliance with the security obligations of the GDPR, as relevant to Squelch’s role in Processing the Personal Data, taking into account the nature of Processing and the information available to Squelch.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data. Squelch shall notify Customer without undue delay, and in no event later than seventy-two (72) hours, after becoming aware of a Personal Data Breach concerning Personal Data Processed by Squelch or any of its sub-processors and where available, provide a description of the nature of the Personal Data Breach, the name and contact information of the data protection officer or point of contact, likely consequences of the Personal Data Breach, and description of any measures taken or proposed to address the Personal Data Breach and/or mitigate its possible adverse effects. Squelch shall use reasonable efforts to assist Customer with any communications required as a result of such a Personal Data Breach.
- Squelch will provide reasonable assistance to and cooperation with Customer for Customer’s performance of a data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Squelch.
- Squelch will provide reasonable assistance to and cooperation with Customer for Customer’s consultation with supervisory authorities in relation to the Processing or proposed Processing of the Personal Data involving Squelch.
- Squelch will, in coordination with Customer, comply with any applicable obligation of Squelch itself under the GDPR to consult with a supervisory authority in relation to its Processing or proposed Processing of the Personal Data.
- Squelch will, at the choice of Customer, return to Customer and/or securely destroy all Personal Data upon the end of the provision of services relating to Processing except to the extent that European Union or member state law requires storage of the Personal Data.
- Customer may contact Squelch in accordance with the “Notices” provisions of the Agreement to request an audit of the procedures relevant to the protection of Personal Data, no more than once per calendar year during the term of the Agreement. Customer shall reimburse Squelch for any time expended for any such audit at Squelch’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such audit, Customer and Squelch shall mutually agree upon the auditor (which may not be a Squelch competitor), the scope, timing, and duration of the audit, and the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Squelch.
- Squelch will make reasonably available to Customer all information necessary for Customer to comply with Customer’s recordkeeping obligations under the GDPR with respect to Squelch’s Processing of the Personal Data.
- To the extent legally permitted, Customer shall be responsible for any costs arising from Squelch’s provision of any assistance and cooperation required to be provided by Squelch hereunder, including any fees associated with the provision of additional functionality; provided, however, that this paragraph shall not apply to activities undertaken by Squelch under Section 3.9 if the relevant Personal Data Breach was caused by Squelch.
- If the GDPR takes effect in European Economic Area jurisdictions that are outside the European Union, references in this Addendum to the European Union and its member states shall be deemed amended to include such jurisdictions, consistent with their adoption of the GDPR.
- Legal Effect
The terms of this DPA will end simultaneously and automatically with the termination of the Agreement, provided however that the provisions of this DPA shall survive any termination or expiration of the Agreement for so long as Squelch or its sub-processors have custody, control or possession of Personal Data which is the subject of this DPA. This DPA is part of and subject to the terms of the Agreement. Customer’s remedies with respect to any breach by Squelch of the terms of this DPA will be subject to any aggregate limitation of liability that applies to the Customer under the Agreement. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations.