Domainbox Data Processing Addendum
Template v1.1
(Mesh Digital Limited as Processor or Subprocessor)
21 November 2023
This Data Processing Addendum (“DPA”) is executed by and between you (“Customer”) and Mesh Digital Limited (“Domainbox”) and forms part of the agreement under which Domainbox provides the Services to Customer (the “Agreement”). Domainbox and Customer are referred to herein, individually, as a “Party”, and collectively, as the “Parties”. This DPA is effective as of the effective date of the Agreement (“Effective Date”) and governs all Processing of Customer Personal Data under the Agreement.
1 Definitions.
Unless otherwise defined in applicable Data Protection Laws (as defined
below), the capitalized terms listed in this Section have the following
meanings:
1.1 “Affiliate” means any entity that controls, is controlled by, or is under common control with a Party. “Control” means direct or indirect ownership or control of fifty percent (50%) or more of the voting interests of an entity.
1.2 “Controller” means the natural or legal person,
public authority, agency, or other body which, alone or jointly with others,
determines the purposes and means of processing Customer Personal Data under
the Agreement.
1.3 “Customer Personal Data” means any Personal
Data (as defined below) processed by Domainbox on Customer’s behalf in
connection with Customer’s use of the Services.
Customer Personal Data does not include Domainbox Data.
1.4 “Data Protection Laws” means all laws and regulations applicable to processing of Customer Personal Data under the Agreement.
1.5 “Data Subject” means an identified
or identifiable natural person to whom specific Personal Data relates.
1.6 “De-Identified Data” means data that
cannot reasonably identify, relate to, describe, be capable of being associated
with, or be linked, directly or indirectly, to a specific Data Subject.
1.7 “Domainbox Data” means (a) all information
relating to Domainbox’s business and delivery of the Services, including but
not limited to Personal Data concerning Customer and its employees or
representatives, (b) other data concerning or relating to Customer’s account,
transaction history, use of the Services and identity verification, and (c) subject
to any restrictions under any applicable Data Protection Laws, De-Identified
Data.
1.8 “Personal Data” means information that relates to an identified or identifiable natural person, including any information defined as Personal Data, Personal Information, or Personally Identifiable Information (“PII”) in any applicable Data Protection Laws. Personal Data does not include De-Identified Data.
1.9 “Processor” means a natural or legal person, public authority, agency, or body that processes Customer Personal Data on behalf of a Controller under the Agreement.
1.10 “Processing” means any operation performed
on Customer Personal Data, such as collection, use, storage, disclosure,
analysis, deletion, or modification, whether by manual or automated means.
1.11 “Sensitive Personal Data” means (a) social security number, passport number, driver’s license number, or similar identifier; (b) credit or debit card information, financial information, bank account numbers, or account passwords; (c) employment, financial, genetic, biometric, or health information; (d) racial, ethnic, political or religious affiliation, trade union membership, or information about sexual life or orientation; (e) account passwords, mother’s maiden name, date of birth, and other similar information used to authenticate a user’s identity; (f) criminal history; (g) biometric data used to identify a specific person (e.g., fingerprints); or (h) any other information or combination of information that falls within the definitions of “special categories of data” under any applicable Data Protection Laws.
1.12 “Services” means the products or
services that Domainbox has agreed to provide pursuant to the Agreement that involve
processing of Customer Personal Data.
1.13 “Subprocessor” means any natural or
legal person, public authority, agency, or body with whom Domainbox contracts
to process Customer Personal Data.
1.14 “Transfer” means (a) transfer of Customer
Personal Data from Controller to Processor, whether by physical transfer or by
granting access to Customer Personal Data held or otherwise controlled by
Controller or (b) an onward transfer of Customer Personal Data from a Processor
to a Subprocessor (and any subsequent onward transfer by a Subprocessor to
another Subprocessor).
2 Roles of the Parties.
2.1 Customer as Controller or Processor.
2.1.1 Where Customer is a Controller, Customer (a) is solely responsible for determining the purposes and means of processing Customer Personal Data, (b) has all necessary authority, grounds, rights, and permissions to provide Customer Personal Data to Domainbox, and (c) will comply with its obligations as a Controller under applicable Data Protection Laws.
2.1.2 Where Customer is a Processor, Customer (a) is solely responsible for complying with its agreement(s) with the Controller(s) on whose behalf Customer is processing Customer Personal Data; (b) has all necessary permissions from the Controller to provide Customer Personal Data to Domainbox; and (c) will comply with its obligations as a Processor under applicable Data Protection Laws.
2.1.3 Customer expressly acknowledges that Domainbox is not responsible for determining which laws or regulations are applicable to Customer’s business. Customer is solely responsible for determining that the Services provided by Domainbox and the terms of the Agreement and this DPA meet Customer’s business, contractual, and legal obligations. Customer also will ensure that Customer’s Processing instructions to Domainbox do not violate any applicable Data Protection Laws.
2.2 Domainbox as Processor or Subprocessor.
2.2.1 Domainbox will take all steps reasonably necessary to enable Customer to comply with Customer’s obligations as a Controller and/or Processor under the Data Protection Laws consistent with the character, nature, scope, and purpose of the Services provided by Domainbox. For the avoidance of doubt, Domainbox is not required to undertake any steps to alter or make Domainbox’s Services compliant for Customer’s specific use. Customer’s sole remedy in the event the Services are determined to be not compliant for Customer’s specific use is termination of any portion of the Agreement that relates to processing of Customer Personal Data.
2.2.2 Domainbox will process Customer Personal Data only upon Customer’s documented instructions for the limited and specific purposes described in the Agreement and this DPA, or as required by law.
2.2.3 Domainbox will not sell, retain, use, or disclose Customer Personal Data for a commercial purpose other than providing the Services.
2.2.4 Domainbox will not Process Customer Personal Data outside of the Parties’ direct business relationship described in the Agreement and this DPA.
2.2.5 Domainbox will not combine Customer Personal Data with any other data Domainbox collects (directly or via any third party) other than as expressly permitted under the Agreement.
2.2.6 Domainbox will stop all Processing and will notify Customer within three (3) business days if Domainbox: (a) believes that a Customer instruction violates any applicable Data Protection Laws; or (b) determines Domainbox is unable to comply with any applicable Data Protection Laws or its obligations under this DPA.
2.3 Affiliates.
2.3.1 Customer Affiliates. For purposes of this DPA, any Personal Data provided to Domainbox or Domainbox’s Affiliates by a Customer Affiliate for processing on Customer’s and/or Customer’s Affiliate’s behalf shall be deemed to be Customer Personal Data and to have been provided by Customer. Customer represents that it will take all measures reasonably necessary to ensure its Affiliates comply with all Customer obligations with respect to this DPA. Customer is responsible for its Affiliates’ compliance with all terms of this DPA.
2.3.2 Domainbox Affiliates. For purposes of this DPA, any Customer Personal Data received by Domainbox’s Affiliates shall be deemed to have been received by Domainbox. Domainbox represents that it will take all measures reasonably necessary to ensure that its Affiliates comply with Domainbox’s obligations with respect to processing of Customer Personal Data under this DPA. Domainbox is responsible for Domainbox’s Affiliates’ compliance with all terms of this DPA.
3 Domainbox’s Use of Subprocessors.
3.1 Customer provides general authorization for Domainbox to engage Subprocessors.
3.2 A list of Domainbox’s Subprocessors
is available by contacting privacy@domainbox.com.
3.3 Before transferring Customer Personal Data to a Subprocessor, Domainbox will: (a) enter into a written agreement with the Subprocessor that is at least as protective of Customer Personal Data as this DPA; and (b) conduct due diligence to confirm the Subprocessor can comply with the material terms of this DPA and the Data Protection Laws as they relate to Domainbox’s processing of Customer Personal Data, including the information security requirements of Sections 5, 6, and 8, and of Schedule 2 of this DPA.
3.4 Domainbox is liable for its
Subprocessors’ acts and omissions, including any acts or omissions of its
Subprocessors’ subprocessors.
3.5 New Subprocessors; Right to Object.
3.5.1 Domainbox will exercise reasonable efforts to notify Customer in writing at least sixty (60) days in advance if Domainbox intends to appoint a new Subprocessor; provided, however, that sixty (60) days’ advance notice is not required, and Domainbox will instead notify Customer without undue delay after the appointment of a new Subprocessor, if immediate appointment is required to maintain the security of Customer Personal Data or to comply with applicable law.
3.5.2 If Customer reasonably objects to a new Subprocessor, Customer must notify Domainbox in writing within thirty (30) days after the Subprocessor’s appointment. In Domainbox’s sole discretion, Domainbox may use commercially reasonable efforts to address Customer’s objection. If the Parties are unable to resolve Customer’s objection within thirty (30) days, Customer may terminate this DPA and any portion of the Agreement relating to the processing of Customer Personal Data.
3.5.3 If Customer does not object to a new Subprocessor within thirty (30) days of notice of the Subprocessor’s appointment, Customer will be deemed to have accepted the new Subprocessor.
3.5.4 Notice of a new Subprocessor may be provided by updating the Subprocessor list described in Section 3.2.
4 Legal Process and Other Third Party Requests for Customer Personal Data.
4.1 Domainbox will not respond to any
informal request for any Customer Personal Data from a government body, law
enforcement agency, or other person except in response to a subpoena, search
warrant, court order, or other similar legal process (collectively, “Legal
Process”), unless such disclosure is determined by Domainbox in its reasonable
discretion to be (a) required by law, (b) necessary to protect Domainbox’s
systems or data from harm or misuse, or (c) necessary to protect Domainbox or
any other person from damage or physical harm.
4.2 Unless prohibited by law, Domainbox
will notify Customer promptly if it receives any Legal Process that requires Domainbox
to provide access to or disclose Customer Personal Data.
4.3 Unless otherwise required by law, Domainbox
will cooperate with Customer (at Customer’s reasonable expense) in any efforts
by Customer to prevent disclosure of Customer Personal Data in response to
Legal Process.
5 Data Security.
5.1 Domainbox maintains an information
security program that includes appropriate and documented technical and
organizational measures to ensure a level of security appropriate to the risk
of Processing Customer Personal Data under the Agreement, including any
specific measures required by applicable Data Protection Laws.
5.2 Customer expressly acknowledges
that Domainbox provides security features and functionality that Customer can
use to protect Customer Personal Data. Customer
is solely responsible for taking appropriate risk-based steps to protect the
security of Customer’s account and Customer Personal Data within Customer’s
control, including by using security features and functionality provided by Domainbox. Customer also is solely responsible for ensuring
that all content that Customer places or causes to be placed within the
Services is free of vulnerabilities that could result in the compromise of
Customer Personal Data and Domainbox’s systems, including but not limited to
malicious software. Domainbox is not
responsible for backing up Customer Personal Data.
5.3 Customer is required to comply with
all Payment Card Industry Data Security Standard Requirements (“PCI-DSS”) and
may only provide Domainbox with Customer Personal Data containing credit, debit
or other payment cardholder information (“PCI-DSS Data”) in connection with Domainbox
Services specifically designed to Process such PCI-DSS Data. Customer is solely responsible for any
violation of PCI-DSS requirements if Customer uses Domainbox Services to
process or store PCI-DSS Data outside of Domainbox’s PCI-DSS compliant Service
offerings.
5.4 In addition to any measures required for Domainbox to comply with its obligations under applicable Data Protection Laws and PCI-DSS Requirements for Domainbox’s PCI-DSS compliant Services, Domainbox will implement the specific technical and organizational measures identified in Schedule 2 of this DPA.
6 Data Security Incidents.
6.1 Domainbox offers Customer extensive opportunities to access and control Customer Personal Data Processed on Customer’s behalf. Domainbox is not responsible for any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data that does not result from a compromise of Domainbox’s systems. Examples of incidents for which Domainbox is not responsible include Customer’s failure to maintain the secrecy of its passwords, Customer’s downloading of malicious content, or any other security vulnerability caused by Customer or introduced by Customer into the Services or Customer’s hosted environment.
6.2 Domainbox will use commercially reasonable efforts to notify Customer of a breach of security of Domainbox’s systems leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data (“Security Incident”) within the time period required under applicable law.
6.3 Domainbox will take appropriate, risk-based
steps that are reasonably necessary to contain, mitigate, and remediate a
Security Incident without unreasonable delay.
6.4 Domainbox will provide information reasonably
requested by Customer to assess the impact of a Security Incident on Customer Personal
Data and for Customer to provide notice of the Security Incident to
governmental authorities, affected Data Subjects, or any other person.
6.5 Domainbox’s acknowledgement of a
Security Incident or decision to notify Customer of a Security Incident is not
an admission of fault or liability.
7 Data Subject Rights.
7.1 Customer is solely responsible for
responding to any request to exercise a Data Subject’s rights under the Data
Protection Laws, Customer’s privacy policies, or Customer’s terms of service,
including but not limited to requests to know, access, correct, or delete Customer
Personal Data (“Data Subject Requests”).
7.2 Domainbox will not respond to a
Data Subject Request except on documented instructions from Customer or as
otherwise required under applicable law.
7.3 Domainbox will notify Customer of any Data Subject Request it receives. Customer is solely responsible for responding to any Data Subject Request. If Customer has exhausted all means available to respond to a Data Subject Request, Domainbox will, subject to Customer’s agreement to pay Domainbox’s reasonable expenses in advance, provide Customer with assistance reasonably necessary to allow Customer to respond to the Data Subject Request.
8 Data Protection Impact Assessments, Prior Consultation, and Compliance Inquiries.
8.1 Data Protection Impact Assessments;
Prior Consultation. At Customer’s expense, Domainbox will provide
reasonable assistance to Customer in conducting any data protection impact
assessments and consultations with government authorities or regulators
concerning processing of Customer Personal Data.
8.2 Compliance Inquiries.
Customer may periodically request information reasonably necessary to
confirm Domainbox’s compliance with its obligations under applicable Data Protection
Laws. If Domainbox fails to respond to
Customer’s request within forty-five (45) days, Customer may terminate the
Agreement. For the avoidance of doubt,
nothing in this DPA gives Customer the right to conduct an audit of Domainbox’s
business, systems, or services. Domainbox’s
obligation under this section is limited to providing Customer with information
reasonably necessary to confirm that Domainbox is in compliance with its
obligations under applicable Data Protection Laws.
9 Jurisdiction Specific Requirements and International Data Transfers of Personal Data.
9.1 Processing of Customer Personal
Data under this DPA may involve Processing regulated by one or more Data Protection
Laws and/or may involve the international transfer of Customer Personal Data.
9.2 If Customer Personal Data
originates from the United Kingdom, the terms relating to the UK Data
Protection Laws specified in Schedule 3 (Section 1) to this DPA apply.
9.3 If Customer Personal Data originates from the European Union/European Economic Area (“EU/EEA”) or Switzerland, the terms relating to applicable EU/EEA and/or Swiss Data Protection Laws specified in Schedule 3 (Sections 2 and/or 3) to this DPA apply.
9.4 If a valid international data
transfer mechanism (“Mandatory Transfer Mechanism”) is required to lawfully Transfer
Customer Personal Data, the terms specified in Schedule 4 to this DPA apply.
10 General.
10.1 Complete Agreement; Interpretation. This DPA constitutes the entire agreement between the Parties concerning the subject matter of this DPA and supersedes all prior or contemporaneous representations, understandings, agreements, and communications between the Parties, whether written or verbal, regarding the subject matter of this DPA. In the event of a conflict between this DPA and the Agreement (or any other agreement between the Parties), this DPA will govern and control with respect to the subject matter of this DPA. If there is a conflict between any terms of this DPA and the terms of a Mandatory Transfer Mechanism described in Schedule 4, the terms of that Mandatory Transfer Mechanism shall prevail.
10.2 Amendment. This DPA may be modified or amended by Domainbox in its sole discretion pursuant to the procedures set forth in the Agreement. If Customer disagrees with such amendment, Customer’s sole remedy is to terminate that portion of the Agreement relating to the Processing of Customer Personal Data on thirty (30) days’ notice. Unless expressly agreed by the Parties in writing, any amendment of this DPA is effective only with respect to Processing that occurs after the date of such amendment.
10.3 Waiver.
The waiver of any breach of this DPA is effective only if in writing by
an authorized representative of the Party waiving such breach and no such
waiver will be construed as a waiver of any subsequent breach.
10.4 Severance. If any provision of this DPA is found to be unenforceable, then that provision shall be modified to the extent necessary to make it enforceable and the remainder of this DPA shall remain in effect as written. However, if modifying any unenforceable provision would result in the failure of the essential purpose of this DPA, the entire DPA shall be considered null and void unless amended pursuant to Section 10.2.
10.5 Notices.
Except as expressly stated herein, notices required under this DPA will
be provided in accordance with the Notice requirements set forth in the Agreement.
10.6 Liability.
This DPA does not provide any basis for either Party or any other person
to recover damages of any type other than those set forth in the Agreement and
subject to all limitations set forth therein.
10.7 Enforcement.
The terms of this DPA may only be enforced by the Parties on behalf of
themselves and their respective Affiliates in accordance with the dispute
resolution provisions set forth in the Agreement. This restriction on enforcement has no
effect, however, on an individual Data Subject’s ability to enforce their rights
under the Data Protection Laws.
10.8 Termination.
Unless terminated earlier pursuant to the Agreement or any other
applicable provision of this DPA or any applicable Data Protection Laws, this
DPA shall terminate upon the completion of Processing or termination of the
Agreement, whichever is later. Following
termination of this DPA, Domainbox will return, delete, or de-identify Customer
Personal Data pursuant to the terms of the Agreement and this DPA, unless Domainbox
is required to maintain Customer Personal Data pursuant to applicable law. If Domainbox is required to retain Customer Personal
Data following termination of the Agreement, Domainbox will continue to comply
with its obligations relating to the Processing of Customer Personal Data under
this DPA and will promptly return or delete any such Customer Personal Data
after retention is no longer legally required.
10.9 Governing Law and Jurisdiction.
This DPA is governed by the laws stipulated in the Agreement, except to
the extent otherwise required by the Data Protection Laws, in which case the
laws of the jurisdiction prescribed by the Data Protection Laws apply. No provision of this DPA shall be deemed to
limit any person’s rights or obligations under any applicable Data Protection
Laws.
Schedule 1: Details of Processing of Customer Personal Data
This Schedule 1 includes details of Processing of Customer Personal Data required under the Data Protection Laws.
Subject matter and duration of Processing of Customer Personal Data:
The subject matter and duration of Processing of Customer Personal Data are described in the Agreement.
The nature and purpose of Processing of Customer Personal Data:
Processing of Customer Personal Data by Domainbox is reasonably required to provide the Services as described in the Agreement.
Type of Personal Data and Categories of Data Subjects:
The types of Customer Personal Data and categories of Data Subjects are controlled by Customer and/or the Controller who provided Customer Personal Data to Customer in its/their sole discretion.
Sensitive Personal Data or Special Categories of Data:
Sensitive Personal Data may, from time to time, be Processed pursuant to the Agreement. The types of Sensitive Personal Data Processed under the Agreement are determined by Customer and/or the Controller who provided Sensitive Personal Data to Customer in its/their sole discretion.
Obligations and Rights of the Controller:
The obligations and rights of Customer are described in the Agreement and this DPA.
Schedule 2: Technical and Organizational Security Measures
Pursuant to Section 5.4 of the DPA, Domainbox will implement and maintain the following specific technical and organizational measures to protect Customer Personal Data.
1 Applicability.
1.1 The requirements of this Schedule 2
apply to Domainbox and any Subprocessor (including but not limited to any cloud
service provider) used by Domainbox to provide the Services and/or Process Customer
Personal Data.
1.2 If Domainbox uses any Subprocessor
to provide the Services and/or Process Customer Personal Data, Domainbox shall
ensure that such Subprocessor complies with each of the requirements of this
Schedule.
2 Information Privacy and Data Security Management.
2.1 Risk Management Process.
Domainbox shall maintain an appropriate risk management process to
frame, assess, respond to and monitor risk to Customer Personal Data,
consistent with Domainbox’s obligations under the Agreement, the DPA, and
applicable law.
2.2 Information Security Program Scope.
At a minimum, Domainbox’s information security program, including all
applicable privacy and data protection policies, shall be designed to:
2.2.1 Protect the confidentiality, integrity and availability of Customer Personal Data in Domainbox’s possession or control or to which Domainbox has access; and
2.2.2 Protect against reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of Customer Personal Data.
2.3 Information Security Program
Updates. Domainbox will regularly review and update
its information security program in accordance with industry standard practices
and frameworks appropriate to the type, volume, and sensitivity of Customer Personal
Data processed by Domainbox.
2.4 Risk Assessments and Testing.
Domainbox will regularly conduct risk assessments for all systems
processing Customer Personal Data and will periodically conduct third-party
penetration testing on applications and infrastructure used to provide the
Services as reasonably deemed necessary by Domainbox.
2.5 Continuity and Resiliency. Domainbox will implement appropriate measures to protect the integrity and availability of its systems that Process Customer Personal Data, including measures such as performance and availability monitoring, design of redundant and resilient systems, use of uninterruptible power supplies, DDoS protections, load and stress testing, and other similar measures.
3 Organizational Security.
3.1 Accountability.
Domainbox will develop and implement written information security
policies and procedures that clearly define responsibility for protection of Customer
Personal Data within Domainbox, including designation of one or more specific
individuals to be responsible for the administration of Domainbox’s information
security program and protection of Customer Personal Data.
3.2 Asset Management and Controls.
Domainbox will maintain an asset management policy and asset controls,
including asset classification and an inventory of devices and systems that are
used to provide the Services and/or process Customer Personal Data.
3.3 Physical Security.
Domainbox also shall implement risk-based controls to maintain the
physical security of its facilities, including implementing reasonable measures
to ensure that only authorized users have access to Domainbox’s electronic
devices, network, critical systems, applications, server room, communication
rooms, and work environments. Measures
that Domainbox may employ, where appropriate, include but are not limited to alarms,
CCTV monitoring, visitor access management, and destruction of Personal Data on
physical devices before disposal/recycling.
4 Security Operations.
4.1 Secure System Configuration.
Domainbox will establish controls to ensure that systems used to provide
the Services and/or Process Customer Personal Data are securely configured.
4.2 Vulnerability and Patch Management.
Domainbox will establish and maintain a vulnerability and patch
management system that ensures all systems used to provide the Services and/or
Process Customer Personal Data are patched against known security
vulnerabilities in a reasonable time period based on the criticality of the
patch and sensitivity of the Customer Personal Data.
4.3 Malware Prevention.
Domainbox will implement detection, prevention, and remediation controls
to protect against malicious software (including appropriate user awareness
programs).
4.4 Logging and Auditing.
Domainbox will employ a log management program that defines the scope,
creation, storage, analysis, and disposal of logs using risk-based industry
standards.
4.5 Security Incident Detection and Response. Domainbox will maintain risk-based systems for detecting Security Incidents as required by Section 6 of the DPA, including use of intrusion detection and intrusion prevention systems.
5 Training. Domainbox will ensure that its personnel receive regular training regarding their confidentiality and data protection obligations as they relate to Customer Personal Data.
6 Access Controls.
6.1 Unique Identification.
Domainbox will assign individual unique user credentials to personnel
with access to Customer Personal Data, including but not limited to personnel
with administrative access.
6.2 Password Management.
Domainbox will implement policies and procedures for password
management, including centralized password management and password policies.
6.3 Multi-Factor Authentication.
Domainbox will implement multi-factor authentication for remote access
to networks, systems, or applications used to Process and/or store Customer
Personal Data.
6.4 Least Privilege.
Domainbox will restrict access to Customer Personal Data to those
personnel who are bound by appropriate confidentiality obligations and have a
“need to know” or “need to access” for purposes of providing the Services.
7 Data Security Controls.
7.1 Data Segregation.
Domainbox will maintain Customer Personal Data in logically separate and
secure environments.
7.2 Encryption and other Measures. Domainbox will employ appropriate risk-based measures to protect Customer Personal Data, including encryption, pseudonymization, and other appropriate measures such as hashing of secrets (including passwords and API tokens) used for accessing systems containing Customer Personal Data.
Schedule 3: Jurisdiction Specific Terms
1 United Kingdom.
1.1 References to “GDPR” will be deemed to be references to the corresponding laws and regulations of the United Kingdom, including, without limitation, the UK GDPR and the Data Protection Act 2018.
1.2 When Domainbox engages a Subprocessor, it will:
1.2.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 5, 6, and 8, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the UK GDPR; and
1.2.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in the UK, (b) in the EU/EEA, (c) in another country that the United Kingdom has declared to have an “adequate” level of data protection, or (d) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.
2 European Union/European Economic Area.
2.1 Subprocessors
2.1.1 When Domainbox engages a Subprocessor, it will:
2.1.1.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 5, 6, and 8 of the DPA, and Schedule 2 of the DPA, that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the EU General Data Protection Regulation (“GDPR”); and
2.1.1.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in the EU/EEA, (b) in a country that the European Commission has declared to have an “adequate” level of data protection, or (c) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.
2.2 Liability for Regulatory Penalties.
Notwithstanding any other term set forth in this DPA or the Agreement
(including either Party’s indemnification obligations under the Agreement),
neither Party will be responsible for any fines issued or levied by any
regulatory authority or government body on the other Party, including any fines
under Article 83 of the EU GDPR.
3 Switzerland.
3.1 When Domainbox engages a Subprocessor, it will:
3.1.1 Require the Subprocessor to comply with those technical and organizational measures set forth in Sections 5, 6, and 8, and Schedule 2 of the DPA that are appropriate to the nature of processing by the Subprocessor, including but not limited to all technical and organizational measures required by Article 28 of the GDPR; and
3.1.2 Require the Subprocessor to agree in writing to only process Customer Personal Data (a) in Switzerland, (b) in the EU/EEA, (c) in another country that the European Commission has declared to have an “adequate” level of data protection, or (d) on terms set forth in Schedule 4 regarding international Transfers of Customer Personal Data.
3.2 To the extent Customer Personal Data Transfers from Switzerland are made subject to the EU Standard Contractual Clauses (as defined in Schedule 4), the following amendments apply:
3.2.1 References to “Member State” will be interpreted to include Switzerland; and
3.2.2 To the extent Transfers are subject to the Federal Act on Data Protection (“FADP”), references to “Regulation (EU) 2016/679” will be deemed to be references to the FADP.
3.3 To the extent required by the FADP, the EU Standard Contractual Clauses will be deemed to include data relating to legal entities as Customer Personal Data.
Schedule 4: International Mandatory Cross Border Transfer Mechanisms
1 Definitions.
1.1 The “EU Standard Contractual Clauses” mean the standard contractual clauses approved by the European Commission and attached in the annex to decision 2021/914 of June 2021.
1.2 The UK International Data Transfer Agreement (“UK IDTA”) issued by the UK Information Commissioner, Version B1.0, is deemed to be executed by the Parties as of the Effective Date of the Agreement, and the EU Standard Contractual Clauses are deemed amended as specified by the UK IDTA in relation to data transfers from the UK.
2 Order of Precedence.
2.1 No Mandatory Transfer Mechanism is used if a transfer is made to a country that has been deemed to offer an adequate level of data protection by the Data Protection Laws of the country from which such Customer Personal Data is transferred.
2.2 If a Transfer is required and such Transfer is covered by more than one Mandatory Transfer Mechanism, the Transfer will be subject to a single Mandatory Transfer Mechanism in accordance with the following order of precedence: (a) the UK IDTA; (b) the EU Standard Contractual Clauses; or (c) any other applicable Mandatory Transfer Mechanism permitted under the applicable Data Protection Law.
2.3 If a Mandatory Transfer Mechanism is deemed invalid after execution of this Agreement, all future Transfers will be deemed made by the next applicable valid Mandatory Transfer Mechanism.
3 United Kingdom International Data Transfer Agreement.
3.1 The UK IDTA applies to Transfers of Customer Personal Data transferred from the United Kingdom to any country outside the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or government body as providing an adequate level of Personal Data protection.
3.2 For Transfers subject to the UK IDTA, the UK IDTA is deemed entered into by the Parties and completed as follows:
3.2.1 In Table 1 of the IDTA, the Parties’ details and key contact information are located in Section 4.3 of this Schedule 4.
3.2.2 In Table 2 of the IDTA, information about the version of the EU Standard Contractual Clauses, modules and selected clauses to which the UK IDTA is appended is located in Section 4 of this Schedule.
3.2.3 In Table 3 of the UK IDTA:
3.2.3.1 The list of Parties is located in Section 4.3 of this Schedule 4.
3.2.3.2 The description of the transfer is set forth in Schedule 1.
3.2.3.3 Annex II is located in Schedule 2.
3.2.3.4 Company’s list of Subprocessors is located in Schedule 5.
3.2.3.5 In Table 4 of the UK IDTA, both Domainbox and Company may end the UK IDTA in accordance with its terms.
3.3 The UK Information Commissioner shall act as the competent supervisory authority insofar as the relevant Transfer is governed by UK Data Protection Laws and Regulations.
4 The EU Standard Contractual Clauses.
4.1 For Personal Data Transfers from the EU/EEA and Switzerland that are subject to the EU Standard Contractual Clauses, Module Two (Controller to Processor) or Module Three (Processor to Processor) applies depending on whether Domainbox is a Controller or Processor with respect to the Customer Personal Data to be Transferred.
4.2 With respect to Modules Two and Three of the EU SCCs:
4.2.1 In Clause 7, the optional docking clause will not apply.
4.2.2 In Clause 9, Option 2 will apply and the process for providing notice and the time period for objections to Subprocessor changes will be as set forth in Section 3 of the DPA.
4.2.3 In Clause 11, the optional language will not apply.
4.2.4 In Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the internal laws of Germany.
4.2.5 In Clause 18(b), disputes relating to the DPA shall be resolved in the Federal Republic of Germany.
4.3 For purposes of Annex I, Part A:
4.3.1 Data Exporter
4.3.1.1 The Data Exporter will be Customer.
4.3.1.2 Customer may be contacted at the addresses set forth in the notice provision of the Agreement.
4.3.1.3 By entering into this DPA, Customer is deemed to have signed the EU Standard Contractual Clauses, including their Annexes, as of the Effective Date of the Agreement.
4.3.2 Data Importer
4.3.2.1 The Data Importer will be Domainbox and/or authorized affiliates of Domainbox.
4.3.2.2 Domainbox may be contacted at the addresses set forth in the notice provision of the Agreement or at privacy@domainbox.com.
4.3.2.3 By entering into this DPA, Domainbox is deemed to have signed these EU Standard Contractual Clauses, including their Annexes, as of the Effective Date of the Agreement.
4.4 For purposes of Annex I, Part B:
4.4.1 The categories of Data Subjects are described in Schedule 1.
4.4.2 The sensitive data (if any) Transferred is described in Schedule 1.
4.4.3 The frequency of Transfer is the duration of the Agreement and DPA.
4.4.4 The nature of Processing is described in Schedule 1.
4.4.5 The purpose of Processing is described in Schedule 1.
4.4.6 The period of Processing is described in Schedule 1.
4.5 For purposes of Annex I, Part C, in accordance with clause 13, the competent supervisory authority is defined as follows:
4.5.1 For transfers of Personal Data from the EU/EEA, the Supervisory Authority is the North Rhine-Westphalia State Commissioner for Data Protection and Freedom of Information.
4.5.2 The Swiss Federal Data Protection and Information Commissioner shall act as the competent supervisory authority insofar as the relevant Transfer or Onward Transfer is governed by Swiss Data Protection Laws and Regulations.
4.6 In Annex II of the EU Standard Contractual Clauses, Schedule 2 contains the technical and organizational measures implemented by Company as Data Importer under the DPA.
4.7 In Annex III of the EU Standard Contractual Clauses, the list of Company’s Subprocessors is available by contacting privacy@domainbox.com.
5 Conflict.
To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or the UK IDTA and any other terms in this Data Processing Addendum, the provisions of the EU Standard Contractual Clauses or the UK IDTA, as applicable, will prevail.