Global Data Processing Addendum
Last updated: September 11, 2022
This Global Data Processing Addendum (the “DPA”) constitutes an integral part of all agreements between the Customer, identified in the signature block of this DPA, and Dynaboard, Inc., a California corporation, including the Dynaboard Platform Services Agreement, Terms of Service or under any other master subscription agreement or similar agreement (collectively, “the Agreement”), and reflects the parties’ agreement with respect to the processing of Personal Data. This DPA supplements the Agreement and in the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms of this DPA prevail with regard to the specific subject matter of this DPA. This DPA will be effective, and replace any previously applicable terms relating to their subject matter (including any data processing amendment or data processing addendum relating to the Services), from the Terms Effective Date. This DPA will continue to be in effect for the term of the Agreement.
Capitalized terms used in this DPA shall have the meanings given to them in the Agreement and below:
- Affiliate means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- Applicable Data Protection Law means (a) all data protection laws and regulations applicable to the European Economic Area and Switzerland, including the General Data Protection Regulation 2016/679 (“GDPR”), and EU Member State laws supplementing the GDPR; (b) the UK Data Protection Act of 2018, and the UK GDPR (collectively “UK Data Protection Laws”); (c) any other laws and regulations applicable to Processor’s processing of Company Data.
- California Privacy Law means the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq., and its implementing regulations until January 1, 2023, and thereafter will refer to the California Privacy Rights Act, and its implementing regulations.
- Company Data means any Personal Data that Dynaboard processes on behalf of the Customer in providing the Services including all electronic data, text, messages or other materials submitted to the Service by Authorized Users and Consumer Users in connection with Customer’s use of the Service.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Company Data transmitted, stored or otherwise processed by Processor.
- Data Subject means the identified or identifiable person to whom Personal Data relates.
- Deidentified Information means information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.
- Permitted Purpose means the use of the Company Data to the extent necessary for provision of the Services.
- Personal Data means any information relating to an identified or identifiable natural person that relates to, describes, is capable of being associated with, or could be linked, directly or indirectly, with a particular natural person.
- Processor means the entity which processes Personal Data on behalf of the Controller. To the extent Customer is a Controller, the Processor is Dynaboard, and any Dynaboard entities, including its Affiliates, which process Personal Data on behalf of the Controller. To the extent applicable, this includes a “Service Provider” as defined under California Privacy Law.
- Regulator means any supervisory authority with authority under Applicable Data Protection Law over all or any part of the provision or receipt of the Services or the processing of Personal Data.
- Restricted Transfer means: (i) where the EU GDPR applies, transferring Personal Data collected from a Data Subject located in the European Economic Area (“EEA”) either directly or via onward transfer to a country that has not been issued an adequacy determination by the European Commission; (ii) where the UK GDPR applies, transferring, either directly or via onward transfer, Personal Data collected from a Data Subject located in the United Kingdom to or within any other country which is not subject based on adequacy regulations under Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the Swiss Federal Act on Data Protection of June 19, 1992 (“Swiss DPA”) applies, transferring either directly or via onward transfer, Personal Data collected from a Data Subject located in Switzerland to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
- Services means the products and services that are ordered by Customer through a link or via an Order Form and made available online by Dynaboard, via the applicable subscriber login link and other web pages designated by Dynaboard.
- Sub-Processor means (a) any third-party data processor engaged by Dynaboard to process Company Data in order to provide the Services to Customer or (b) Dynaboard when Dynaboard is processing Company Data and where Customer is a Processor of such Company Data.
- Terms Effective Date means the date the parties agreed to the terms of this DPA.
- Terms such as “processing”, “controller”, and “supervisory authority” shall have the meaning ascribed to them in the Applicable Data Protection Law.
- Customer and Dynaboard have entered into the Agreement pursuant to which Customer is granted a license to access and use the Services. In providing the Services, Dynaboard will engage, on behalf of Customer, in the processing of Personal Data submitted to and stored within the Services by Customer.
- The parties are entering into this DPA to ensure the processing by Dynaboard of Company Data, within the Services of Customer and/or on its behalf, is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data. The details of processing are outlined in Schedule 1.
- The parties acknowledge and agree when Customer is a Controller, Dynaboard is a Processor acting on behalf of Customer, and when Customer is a Processor, Dynaboard is a Sub-Processor acting on behalf of Customer. To the extent the GDPR applies to the Company Data, when Customer is acting as a Processor of Company Data, Dynaboard is a Sub-Processor of the Customer, and EU SCC – Module 3 will apply as described in Schedule 3.
- Customer represents and warrants that (i) it has complied, and will continue to comply, with all applicable laws, including Applicable Data Protection Law, in respect of its processing of Company Data and any processing instructions it issues to Processor; and (ii) it has provided, and will continue to provide, all notice and has obtained, and will continue to obtain, all consents and rights necessary under Applicable Data Protection Law for Dynaboard to process Company Data for the purposes described in the Agreement. Dynaboard shall promptly inform Customer if it becomes aware that Customer's processing instructions infringe Applicable Data Protection Law. If Dynaboard is unable to process Company Data in accordance with Customer's processing instructions, Dynaboard will promptly notify Customer of its inability to comply.
- Customer shall have sole responsibility for the accuracy, quality, and legality of Company Data and the means by which Customer acquired the Company Data. Customer specifically acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under Applicable Data Protection Law.
- Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under the Applicable Data Protection Law, and all communications from Regulators that relate to the Company Data.
- Dynaboard shall process Company Data only in accordance with Customer’s documented lawful instructions as set forth in this DPA, for Permitted Purposes, as necessary to comply with applicable law, or as otherwise agreed to in writing. The parties agree that the Agreement and this DPA set out Customer’s complete and final instructions to Dynaboard in relation to the processing of Company Data, and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties.
- To the extent legally required under California Privacy Law and any other Applicable Data Protection Law, Dynaboard agrees (i) to only use Company Data to provide the Services under the Agreement; (ii) to not collect, retain, use, sell, share, disclose or otherwise process any Company Data, for any purpose other than providing the Services under the Agreement, or as otherwise permitted; and (iii) not to combine Company Data with Personal Data that Dynaboard receives from or on behalf of another person or entity or collects from its own interactions with a Data Subject except to perform the Services. Notwithstanding anything to the contrary in the Agreement (including this DPA), Customer acknowledges that Dynaboard shall have a right to process Personal Data in relation to the support and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development and sales and marketing. Dynaboard understands the restrictions in this section, and hereby certifies that it understands its obligations and will comply with them.
Dynaboard shall implement and maintain reasonable and appropriate technical and organizational measures designed to protect all Company Data from Data Breaches and to preserve their security, integrity, and confidentiality. Such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons so as to ensure a level of security appropriate to the risks represented by the processing and the nature of the Company Data to be protected. At a minimum, these measures must include the measures identified in Schedule 2 of this DPA.
- Customer acknowledges that the Processor’s security measures are subject to technical progress and development and that Dynaboard may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer. Customer is responsible for reviewing the information made available by Dynaboard relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Law.
- Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Company Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Company Data uploaded to the Services.
- Any person that Dynaboard authorizes to process Personal Data (including the Processor's staff, agents, and Sub-processors) (“Personnel”) will be under appropriate obligations of confidentiality (whether a contractual or statutory duty), will receive appropriate training, will be informed about the confidential nature of the Personal Data and their obligations related to it, and will have access to Personal Data only in accordance with the need-to-know principle. The Personnel process the Personal Data only as necessary for the Permitted Purpose.
- Dynaboard will not disclose Company Data to third parties except as permitted by this DPA or the Agreement. If requested or required by a competent governmental authority to disclose Company Data, to the extent legally permissible and practicable, Dynaboard will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
- Dynaboard shall promptly notify Customer in writing of any complaints, questions or requests received from Data Subjects or Regulators regarding the Company Data. Taking into account the nature of the Processing and to the extent legally required and reasonably possible, Dynaboard will provide Customer with commercially reasonable assistance in relation to the handling of a Data Subject’s request to the extent legally required to do so. To the extent Customer, in its use of the Services, does not have the ability to correct, block or delete Company Data, Dynaboard shall comply with any commercially reasonable request by Customer to facilitate such actions to the extent Dynaboard is legally required to do so under Applicable Data Protection Law.
- Dynaboard will retain Company Data only for as long as the Customer deems it necessary for the Permitted Purpose, or as required by Applicable Data Protection Law. At the termination of this DPA, or upon Customer’s written request, Dynaboard will either destroy or return the Company Data to Customer, unless legal obligations require storage of the Company Data.
- To the extent legally required under the Applicable Data Protection Law, upon Customer’s request, Dynaboard will provide reasonable assistance to Customer necessary for Customer to fulfil its obligation under the Applicable Data Protection Law to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Dynaboard.
- If Dynaboard becomes aware of any Data Breach, Dynaboard will (i) promptly notify Customer of the Data Breach, but in no event later than seventy-two (72) hours after Dynaboard has confirmed a Data Breach impacting Company Data; (ii) investigate the Data Breach and provide Customer with information about the Data Breach; and (iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Data Breach. Dynaboard will provide reasonable assistance to Customer in fulfilling its obligations to notify Data Subjects and the relevant authorities in relation to a Data Breach, provided that nothing in this section shall prevent either party from complying with its obligations under the Applicable Data Protection Laws. The Parties agree to coordinate in good faith on developing the content of any related public statements. Processor’s obligation to report or respond to a Data Breach under this Section is not and will not be construed as an acknowledgement by Dynaboard of any fault or liability with respect to the Data Breach. The obligations in this section shall not apply to Data Breaches that are caused by Customer.
- If Dynaboard receives Deidentified Information from Customer, Dynaboard will (i) take reasonable measures to ensure the Deidentified Information cannot be associated with a Data Subject, (ii) publicly commit to maintain and use the Deidentified Information in deidentified form, and (iii) not attempt to reidentify the Deidentified Information except for the sole purpose of determining whether the Processor’s deidentification processes satisfy the requirements of Applicable Data Protection Laws.
- Customer agrees that Dynaboard may appoint Sub-Processors to assist it in providing the Service and processing Company Data provided that such Sub-Processors agree to (i) act only on Dynaboard’s instructions when processing the Company Data (which instructions shall be consistent with Customer’s processing instructions to Dynaboard); and (ii) protect the Company Data to a standard consistent with the requirements of this DPA. Dynaboard shall be liable for the acts and omissions of its Sub-Processors to the same extent Dynaboard would be liable if performing the services of each Sub-Processor directly under the terms of this DPA, unless otherwise set forth in the Agreement.
- Dynaboard shall maintain an up-to-date list of the names and location of all Sub-Processors used for the processing of Company Data under this DPA at https://dynaboard.com/docs/legal/3rd-party-subprocessors.
- To the extent Customer reasonably believes the new Sub-Processor processing of Company Data may violate Applicable Data Protection Laws or weaken the security of the Company Data, the Customer may object in writing to Processor’s new Sub-Processor by notifying Dynaboard within ten (10) days after notification described in Section 5(b). Any such written objection shall include Customer’s specific reasons for its objection and proposed options to mitigate alleged risk, if any. In such event, Dynaboard will either (i) instruct the Sub-Processor to cease any further processing of Company Data, in which event this DPA shall continue unaffected, or (ii) allow Customer to terminate this DPA. In the event of termination by Customer pursuant to this Section, Customer shall not be entitled to a pro-rata refund of the remuneration for the Services, unless the objection is based on justified reasons of non-compliance with Applicable Data Protection Law. In the absence of timely and valid objection by Customer, such Sub-Processor may be commissioned to process Company Data.
- Dynaboard (or third parties engaged by Processor) audits its compliance against information security standards on a regular basis. The specific audits, and the information security certifications Dynaboard has achieved, will vary depending on the nature of the Services in question. Subject to obligations of confidentiality, Dynaboard will make available to Customer a summary of its most recent relevant audit report and/or other documentation reasonably required by Customer which Dynaboard makes generally available to its customers, so that Customer can verify Dynaboard’s compliance with this DPA.
- To the extent that the Customer reasonably determines such report does not sufficiently verify Dynaboard’s compliance with its obligations under this DPA, Customer may audit Dynaboard’s compliance with this DPA up to once per year, unless requested by a Supervisory Authority (Supervisory Authority not listed in the Terms). Such an audit will be conducted by an independent third party (“Auditor”) reasonably acceptable to Dynaboard. Before the commencement of any such on-site audit, Customer must submit in writing a detailed proposed audit plan to Dynaboard at least 30 business days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration and date of the audit, as well as the proposed Auditor. Dynaboard will review the proposed audit plan and provide Customer with any concerns or questions and will work cooperatively with Customer to agree on a final audit plan before the proposed audit date. Prior to the start of an audit, the parties will agree to reasonable time, duration, place, manner and conditions for the audit. The results of the inspection and all information reviewed during such inspection will be deemed Processor’s confidential information. Notwithstanding any other terms, the Auditor may only disclose to the Customer specific violations of the DPA, if any, and the basis for such findings, and shall not disclose to Customer any of the records or information reviewed during the inspection.
- To the extent Customer’s use of the Services involves a Restricted Transfer of Company Data, the terms set forth in Schedule 3 – Cross-Border Transfer Mechanisms will apply. In the event any conflict or inconsistency exists between this DPA and the terms set forth in Schedule 3, in relation to Personal Data collected from individuals while they were located in the EEA, Switzerland or the United Kingdom, the terms in Schedule 3 shall apply.
- Insofar as the Agreement involves the transfer of Company Data from any jurisdiction where Applicable Data Protection Law requires that additional steps, or safeguards, be imposed before the data can be transferred to a second jurisdiction, Dynaboard agrees to cooperate with Customer to take appropriate steps to comply with Applicable Data Protection Laws.
- To the extent Dynaboard processes Company Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Schedule 4 (Jurisdiction Specific Terms) of this DPA, the terms specified in Schedule 4 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.
- Notwithstanding anything to the contrary in this DPA or the Agreement, Dynaboard and its Affiliates’ total liability, taken together in the aggregate, arising out of or related to this DPA, and all DPAs between Customer and its Affiliates and Dynaboard, whether in contract, tort or under any other theory of liability, is subject to the Limitation of Liability section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
- For the avoidance of doubt, Dynaboard and its Affiliates’ total liability for all claims from the Customer and all of its Affiliates arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by Customer and its Affiliates and, in particular, shall not be understood to apply individually and severally to Customer and/or to any of its Affiliates that are a contractual party to any such DPA.
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to that jurisdiction alone, be ineffective to the extent of such prohibition or unenforceability without invalidating the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this DPA.
This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.
- This DPA may not be amended or modified except by a writing signed by both parties hereto. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential and each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. This DPA, the Schedules, and the Agreement constitute the entire understanding between the parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the parties relating to that subject-matter.
- If you are accepting this DPA on behalf of Customer, you warrant that: (i) you have full legal authority to bind Customer to the terms of this DPA; (ii) you have read and understand this DPA; and (iii) you agree, on behalf of Customer, to the terms of this DPA.
- Schedule 1: List of Parties and Details of Processing and Transfer
- Schedule 2: Description of Technical and Organizational Security Measures
- Schedule 3: Cross-Border Transfer Mechanisms
- Schedule 4: Jurisdiction Specific Terms
This DPA is provided here only as a reference. If you're a Dynaboard customer and would like to sign a DPA with Dynaboard, please email us at firstname.lastname@example.org with the subject line “DPA Signing Request” for a signable copy.
- Name of Data Exporter: See signature line
- Address: __________________________________________
- Contact Person’s Name: ____________________________
- Position: ________________________________________
- Contact details: ___________________________________
- Activities relevant to the data transferred under these Clauses: _________________________________________
- Role: Controller / Processor [pick one]: _________________________________
- Name of Data Importer: Dynaboard, Inc.
- Address: 548 Market Street, PMB 58073, San Francisco, CA 94104
- Contact Person’s Name: Alexander Kern
- Position: CEO
- Contact details: email@example.com
- Activities relevant to the data transferred under these Clauses: Responsible for overseeing contracting and data protection compliance in relation to data.
- Role: Processor / Sub-Processor
Categories of data subjects whose personal data is transferred. Depending on the Services used, could include Authorized Users, Consumer Users, suppliers and subcontractors; and any other person who transmits data via the Services, including individuals collaborating and communicating with Authorized Users and Consumer Users.
Categories of personal data transferred. Dynaboard transfers and processes the Personal Data submitted, stored, sent or received by the Authorized Users and/or Consumer Users via the Services (as that term is defined in the Agreement).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as, for instance, strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. The Services are not designed to process any sensitive data. Authorized Users and/or Consumer Users may submit special categories of Personal Data to the data exporter via the Services, the extent of which is determined and controlled by the data exporter.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous.
Nature of the processing. Dynaboard will process personal data submitted, stored, sent or received by the Authorized Users and/or the Consumer Users for the purposes of providing the Services and related technical support to Customer in accordance with the Agreement.
Purpose(s) of the data transfer and further processing. Dynaboard will transfer and further process such personal data for the purposes of providing the Services to Customer.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period. The applicable Subscription Term (as defined in the Agreement) plus the period from expiry of such Subscription Term until deletion of all personal data by Dynaboard in accordance with such Agreement.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing. Same as above. For more information on Dynaboard’s sub-processors, see https://dynaboard.com/docs/legal/3rd-party-subprocessors.
Dynaboard implements and maintains the security standards set out below. Dynaboard may update or modify such security standards from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
User Authorization & Authentication
Users can authenticate into Dynaboard’s collaborative editor using either SSO or an OTP (one-time PIN) that verifies they have access to the provided email.
User created applications hosted on Dynaboard also support authorization using SSO from various providers (a complete list can be found in the application) or OTP.
Dynaboard is deployed using a multi-tenant architecture at both the platform and infrastructure layers. Access to customer provided data is segregated based on unique IDs for each user, workspace, or application.
System and Organization Control 2 (SOC 2) is a report on the controls at a service organization that covers security, availability, processing integrity, confidentiality, and privacy. Dynaboard has undergone a SOC 2 Type 1 audit.
Backups & Business Continuity
Backups of critical systems, records, and configurations are performed frequently so that they can be used for the purpose of data recovery in the event of a disaster or media failure.
The restoration of backups is periodically tested to verify the reliability of restoring Company Data in the event of a disaster or failure.
Dynaboard collects and monitors audit logs and alerts on key events stemming from production systems, applications, databases, servers, message queues, load balancers, and critical services, as well as IAM user and admin activities. Dynaboard implements SIEM-based filters, parameters, and alarms to trigger alerts on logging events that deviate from established system and activity baselines.
Penetration Testing & Vulnerability Scans
Dynaboard schedules third-party security assessments and penetration tests at least annually.
Dynaboard uses a proactive vulnerability and patch management process that prioritizes and implements patches based on potential impact classification.
Dynaboard retains Company Data for as long as an account is active or in accordance with the agreement(s) between Dynaboard and the Customer, unless Dynaboard is required by law to dispose of it earlier or keep it longer.
Dynaboard disposes of Company Data within 30 days of a request by a current or former customer or in accordance with the Customer’s agreement(s) with Dynaboard. Dynaboard may retain and use data necessary for the contract such as proof of contract in order to comply with its legal obligations, resolve disputes, and enforce agreements.
Dynaboard hosting and service providers are responsible for (i) removing data from disks allocated for Dynaboard’s use before they are repurposed and (ii) destroying decommissioned hardware.
Data Encryption Measures
In Transit: Dynaboard uses strong cryptography and security protocols (e.g. TLS 1.1+ or an equivalent protocol with a default of TLS 1.3) to safeguard sensitive data during transmission over open, public networks.
At Rest: 256-bit and 128-bit Advanced Encryption Standard (AES-256 and AES-128) is used to encrypt data while at rest in Dynaboard systems.
Infrastructure Security Measures
Dynaboard uses infrastructure and content delivery network services provided by Google Cloud Platform (‘GCP’), Vercel, and Cloudflare to host or process Company Data submitted to Dynaboard. Information on the security practices of GCP, Vercel, and Cloudflare can be found on their respective websites.
Personnel Security Measures
All Dynaboard employees are required to complete a background check. Prior to accessing sensitive information, employees are required to sign an industry-standard confidentiality agreement protecting Dynaboard confidential information.
Dynaboard has a security awareness training program in place to promote the understanding of security policies and procedures. All employees are required to undergo training following initial employment and annually thereafter.
We take security seriously at Dynaboard. If you discover a vulnerability or would like to get in touch with us for any security-related reason, please email us at firstname.lastname@example.org.
- “EC” means the European Commission.
- “EEA” means the European Economic Area.
- “EEA Personal Data” is Company Data collected from data subjects when they are located in the EEA.
- “Standard Contractual Clauses” means (i) where the EU GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for transferring personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCC”); (ii) where the UK GDPR applies the International Data Transfer Agreement A1.0 issued by the ICO (“UK IDTA”), and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (“Swiss SCC”).
- “Swiss Personal Data” means Company Data collected from Data Subjects when they are located in Switzerland.
- “UK Personal Data” means Company Data collected from Data Subjects when they are located in the United Kingdom.
Cross-Border Data Transfer Mechanisms
2.1 EEA Personal Data. The parties agree that the Standard Contractual Clauses will apply to any Restricted Transfer of Company Data from the EEA or Switzerland, either directly or via onward transfer. To the extent there is any conflict between the DPA and the applicable EU SCC in relation to the processing of EEA Personal Data, the terms of the EU SCC will prevail. To the extent applicable, the Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- Module Two (Controller to Processor) of the Standard Contractual Clauses will apply where Customer is a Controller of Company Data and Dynaboard is Processing Company Data.
- Module Three (Processor to Processor) of the Standard Contractual Clauses will apply where Customer is a Processor of Company Data and Dynaboard is Processing Company Data as Sub-Processor. A copy of Module Two and Three of the EU SCC can be found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en.
For each Module, where applicable, the parties agree that the following terms apply:
- in Clause 7, the optional docking clause will not apply;
- certification of deletion of Company Data that is described in Clause 8.5 of the Standard Contractual Clauses shall be provided by Dynaboard to Customer only upon Customer’s request;
- in Clause 9, Option 2 will apply and the time period for prior notice of Sub-Processor changes will be as set forth in the DPA;
- in Clause 11, the optional language will not apply;
- in relation to Clause 13(a), see (ix) below;
- in Clause 17 (Option 1), the Standard Contractual Clauses will be governed by Irish law;
- in Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
- in Annex I, Part A of the Standard Contractual Clauses: please see Schedule 1 of this DPA;
- in Annex I, Part B of the Standard Contractual Clauses: please see Schedule 1 of this DPA;
- in Annex I, Part C of the Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority;
- Schedule 2 (Technical and Organizational Security Measures) of the DPA to which this Schedule 3 is attached serves as Annex II of the Standard Contractual Clauses; and
- the liability described in Clause 12 of the Standard Contractual Clauses shall in no event exceed the limitations set forth in the Agreement, and under no circumstances and under no legal theory (whether in contract, tort, negligence or otherwise) will either party to this DPA, or their affiliates, officers, directors, employees, agents, service providers, suppliers, or licensors be liable to the other party or any third party for any lost profits, lost sales of business, lost data (being data lost in the course of transmission via Customer’s systems or over the Internet through no fault of Dynaboard), business interruption, loss of goodwill, or for any type of indirect, incidental, special, exemplary, consequential or punitive loss or damages, regardless of whether such party has been advised of the possibility of or could have foreseen such damages. For the avoidance of doubt, this section shall not be construed as limiting the liability of either party with respect to claims brought by Data Subjects.
2.2 Swiss Personal Data. In accordance with guidance issued by the Swiss Federal Data Protection and Information Commissioner (FDPIC) titled “The transfer of personal data to a country with an inadequate level of data protection based on recognised standard contractual clauses and model contracts,” dated 27 August 2021, the parties hereby agree to adopt the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council annexed to the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (the “EU SCC”) as adapted herein in order to comply with Swiss legislation and thus be suitable for ensuring an adequate level of protection for data transfers from Switzerland to a third country in accordance with Article 6 paragraph 2 letter a of the Federal Act on Data Protection (“FADP”). To the extent there is any conflict between the DPA and this Section 2.2, the terms of this Section will prevail in relation to Swiss Personal Data. The parties agree that in relation to Restricted Transfers of Swiss Personal Data, Module 2 of the EU SCC applies with the following amendments:
- For purposes of Annex I.C under Clause 13 of Standard Contractual Clauses, insofar as the data transfer is governed by the Switzerland Federal Act on Data Protection of 19 June 1992 (SR 235.1; FADP) or the FADP’s revised 25 September 2020 version, the Supervisory Authority shall be Switzerland’s Federal Data Protection and Information Commissioner (FDPIC);
- The term “member state” must not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in Switzerland in accordance with Clause 18(c) of the Standard Contractual Clauses. The Standard Contractual Clauses shall also protect the data of Swiss legal entities until the entry into force of the 25 September 2020 revised version of the Federal Act on Data Protection (revised FADP). Any references in the Standard Contractual Clauses to “Directive 95/46/EC” or “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA.
2.3 UK Personal Data. If the processing of Company Data involves a Restricted Transfer of UK Data, the parties agree that such transfer(s) will be carried out in accordance with and subject to the International Data Transfer Agreement A1.0 issued by the ICO (“UK IDTA”), which can be found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf. To the extent there is any conflict between the DPA and the UK IDTA in relation to the processing of UK Personal Data, the terms of the UK IDTA will prevail. To the extent applicable, the UK IDTA will be deemed entered into (and incorporated into this Addendum by this reference) and completed as follows:
Part 1: Tables
Table 1: Parties and signatures
| The Parties | Exporter (who sends the Restricted Transfer) | Importer (who receives the Restricted Transfer) |
| --- | --- | --- |
| Start date | The Effective Date of the Addendum | |
| Parties’ details | See Schedule 1. | See Schedule 1. |
| Key Contact | See Schedule 1. | See Schedule 1. |
| Importer Data Subject Contact | See Schedule 1. | See Schedule 1. |
| Signatures confirming each Party agrees to be bound by this IDTA | See DPA. | See DPA. |
Table 2: Transfer Details
|UK country’s law that governs the IDTA:|
|Primary place for legal claims to be made by the Parties|
|The status of the Exporter|
In relation to the Processing of the Transferred Data:
|The status of the Importer|
In relation to the Processing of the Transferred Data:
|Whether UK GDPR applies to the Importer|
If the Importer is the Exporter’s Processor or Sub-Processor – the agreement(s) between the Parties which sets out the Processor’s or Sub-Processor’s instructions for Processing the Transferred Data:
Other agreements – any agreement(s) between the Parties which set out additional obligations in relation to the Transferred Data, such as a data sharing agreement or service agreement:
If the Exporter is a Processor or Sub-Processor – the agreement(s) between the Exporter and the Party(s) which sets out the Exporter’s instructions for Processing the Transferred Data:
The Importer may Process the Transferred Data for the following time period:
|Ending the IDTA before the end of the Term|
|Ending the IDTA when the Approved IDTA changes|
Which Parties may end the IDTA as set out in Section 29.2:
|Can the Importer make further transfers of the Transferred Data?|
|Specific restrictions when the Importer may transfer on the Transferred Data|
The Importer MAY ONLY forward the Transferred Data in accordance with Section 16.1.:
First review date: Effective Date of the Addendum. The Parties must review the Security Requirements at least once:
Table 3: Transferred Data
| | |
| --- | --- |
| Transferred Data | The personal data to be sent to the Importer under this IDTA consists of that data outlined in Schedule 1 of the DPA. The categories of Transferred Data will update automatically if the information is updated in the Linked Agreement referred to. |
| Special Categories of Personal Data and criminal convictions and offences | The Transferred Data includes data relating to that data outlined in Schedule 1 of the DPA. The categories of special category and criminal records data will update automatically if the information is updated in the Linked Agreement referred to. |
| Relevant Data Subjects | The Data Subjects of the Transferred Data are those data subjects outlined in Schedule 1 of the DPA. The categories of Data Subjects will update automatically if the information is updated in the Linked Agreement referred to. |
| Purpose | The Importer may Process the Transferred Data for the purposes set out in the Addendum. The purposes will update automatically if the information is updated in the Linked Agreement referred to. |
Table 4: Security Requirements
| | |
| --- | --- |
| Security of Transmission | As set out in Schedule 2 of the DPA to which this Schedule is attached. |
| Security of Storage | As set out in Schedule 2 of the DPA to which this Schedule is attached. |
| Security of Processing | As set out in Schedule 2 of the DPA to which this Schedule is attached. |
| Organisational security measures | As set out in Schedule 2 of the DPA to which this Schedule is attached. |
| Technical security minimum requirements | As set out in Schedule 2 of the DPA to which this Schedule is attached. |
| Updates to the Security Requirements | The Security Requirements will update automatically if the information is updated in the Linked Agreement referred to. |
Part 2: Extra Protection Clauses
| | |
| --- | --- |
| Extra Protection Clauses: | N/A |
Part 3: Commercial Clauses
| | |
| --- | --- |
| Commercial Clauses | See parties’ Master Service Agreement. |
Part 4: Mandatory Clauses
| | |
| --- | --- |
| Mandatory Clauses | Part 4: Mandatory Clauses of the Approved IDTA, being the template IDTA A.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 5.4 of those Mandatory Clauses. |
- The definition of “Applicable Data Protection Law” includes the Australian Privacy Principles and the Australian Privacy Act (1988).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “Applicable Data Protection Law” includes the Lei Geral de Proteção de Dados (LGPD).
- The definition of “Data Breach” includes a security incident that may result in any relevant risk or damage to Data Subjects.
- The definition of “Processor” includes “operator” as defined under Applicable Data Protection Law.
- For the sake of clarity, Dynaboard’s obligations to a Customer under the DPA are only those express obligations imposed by LGPD on a "Data Processor (operador)" for the benefit of a "Data Controller (Controlador)" (including new Section 4(j) below), as such terms "Data Controller (controlador)" and "Data Processor (operador)" are defined by the LGPD. In addition, a new section 4(j) to the DPA will apply:
- Each party is responsible for fulfilling its respective obligations set out in the LGPD, and Customer will only issue processing instructions, as set forth in the DPA, that enable Dynaboard to fulfill its LGPD obligations. The EU Standard Contractual Clauses will be used for transfers to Non-Adequate Countries as per the LGPD.
- European Economic Area (EEA). Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
- The definition of “Applicable Data Protection Law” includes the Protection of Privacy Law (PPL).
- The definition of “controller” includes “Database Owner” as defined under Applicable Data Protection Law.
- The definition of “processor” includes “Holder” as defined under Applicable Data Protection Law.
- The definition of “Applicable Data Protection Law” includes the Act on the Protection of Personal Information (APPI).
- The definition of “Personal Data” includes “Personal Information” as defined under Applicable Data Protection Law.
- The definition of “Controller” includes “Business Operator” as defined under Applicable Data Protection Law.
- The definition of “Processor” includes a business operator entrusted by the Business Operator with the handling of Company Data in whole or in part (also a “trustee”), as described under Applicable Data Protection Law. As a trustee, Processor will ensure that the use of the Company Data is securely controlled.
- The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act 2012 as amended from time to time, and its accompanying regulations (“PDPA”).
- For the sake of clarity, Dynaboard’s obligations to Customer under the DPA are only those express obligations imposed by PDPA on a “Data Processor (data intermediary)” when processing personal data on behalf of “Data Controller (organisation)” pursuant to a contract, as “organisation” and “data intermediary" are defined by the PDPA.
- The definition of “Applicable Data Protection Law” includes the Protection of Personal Information Act (“POPIA”).
- For the sake of clarity, Dynaboard’s obligations to Customer under the DPA are those that POPIA requires that Dynaboard as “Operator” have in place with a “Responsible Party”, as “Responsible Party” and “Operator” are referenced in POPIA.
- Switzerland. The definition of “Applicable Data Protection Law” includes the Swiss Federal Act on Data Protection.
- Thailand. The definition of “Applicable Data Protection Law” includes the Personal Data Protection Act B.E. 2562 (2019) (“PDPA”).
- United Kingdom (UK). Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any UK GDPR fines issued or levied under Article 83 of the UK GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the UK GDPR.