Data Processing Agreement
Effective as of September 21, 2023
This Data Processing Agreement (the "DPA") is made and entered into on March 15, 2021 between Opsware Data Inc. (“Opsware Data”) and company (“Company”).
1. Definitions
“Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
"Data Protection Laws" means, as applicable, (i) the California Consumer Protection Act of 2018 (“CCPA”), (ii) the Personal Information Protection and Electronic Documents Act (“PIPEDA”), (iii) the General Data Protection Regulation ((EU) 2016/679) (“GDPR”), and (iv) such other applicable data protection laws, rules, or regulations, as may come into effect during the Term, each as amended, modified, and/or supplemented by the guidance or regulatory decisions of the relevant data protection or supervisory authority.
“Company Data” means all data or information including any Personal Information, Personal Data and Sensitive Personal Data, in whatever form or medium which is (i) supplied directly or indirectly by Company, or (ii) in respect of which access is granted to Company’s Systems by Company or provided to Opsware Data in connection with this Agreement, or (iii) produced or generated by or on behalf of Company in connection with this Agreement.
“Systems” means all electronic software, devices, means of electronic communication, electronic, analog, and/or physical hard-copy storage used in, or monitored as part of, and/or otherwise involved in providing, the Services, and all devices and applications on which any personal data or Company Data is Processed including third party systems or networks where the parties have shared access to personal data.
Terms such as Personal Information, Personal Data, Sensitive Personal Data, Controller, Opsware Data, Supervisory Authority, processing, data subject, technical and organizational measures shall have the meanings ascribed to them in the Data Protection Laws.
2. Roles Of The Parties
For the purpose of this DPA and Data Protection Law, Opsware Data shall be deemed a Processor and Service Provider, as defined under applicable law. Company shall be deemed the Controller and Business hereunder.
3. Opsware Data Obligations
Opsware Data shall:
a. process the Company Data only as necessary to perform the Services, to comply with its legal obligations, and/or as directly instructed by Company in writing;
b. ensure it complies with any obligations of a data processor and service provider under the Data Protection Laws in respect of this processing and otherwise perform the Services as a data processor and service provider in accordance with the Data Protection Laws; and
c. include all appropriate privacy notices including a privacy policy to ensure data subjects are made aware of the nature and purpose of the processing, how to assert their data protection rights under the Data Protection Laws, appropriate cookie policy and cookie banners, and how to contact Opsware Data regarding the processing of personal data.
4. Audit
In addition to any right of audit that the Company may have under the Agreement, the Company, its designated representatives and any relevant supervisory authority (with the power to carry out an audit of Opsware Data's processing activities) shall, upon reasonable notice to Opsware Data, have the right, one (1) time in any twelve (12) month period, to have access to Opsware Data personnel and premises to conduct an audit of Opsware Data's Systems and operations, in order to verify that Opsware Data is operating in accordance with its obligations under this Agreement.
5. Cooperation
Opsware Data shall provide the Company with such assistance and co-operation as the Company may reasonably request to enable the Company to comply with any obligations imposed on the Company by the Data Protection Laws in relation to Company Data processed by Opsware Data, including, but not limited to providing information, upon request of the Company, regarding its compliance with this DPA and Data Protection Laws.
6. Back-Up and Retention
Opsware Data shall maintain appropriate backup and retention policies as required by applicable Data Protection Laws and other applicable law in order to provide support for any audits, legal requirements, and/or customer complaints. Such backup and retention policies shall be designed in accordance with data and storage minimization principles and Opsware Data shall ensure that backups are secured and protected using appropriate technical and organizational measures.
7. Subprocessors
Opsware Data may employ subprocessors in order to provide the Services. Opsware Data shall upon request provide to Company a list of all subprocessors who have access to Company Data, and Opsware Data shall enter into a processing agreement with each subprocessor which contains substantially the same terms and conditions as set forth in this DPA, including sufficient guarantees that it will implement appropriate technical and organizational measures to comply with Data Protection Laws. In addition, any subprocessor must comply with the same or substantially similar confidentiality requirements set out in the Agreement. Opsware Data will remain liable for any subprocessor’s compliance with its obligations for processing the Company Data.
8. Data Subject Rights
a. With respect to Personal Data, Company shall be the primary point of contact as the controller and Opsware Data shall act as a processor to assist Company in processing such requests.
b. Where Opsware Data may act as a controller over Personal Data collected from Company’s personnel, Opsware Data shall be the primary point of contact and shall act in all ways as a controller.
c. The parties shall communicate any rectification or erasure of personal data requested by data subjects to each other in order to maintain the Personal Information in accordance with the Data Protection Laws.
d. Opsware Data shall maintain a log or similar record of each data rights request and shall provide such log to Company upon request.
9. Liability
a. Opsware Data shall be liable for damages or liability that directly relates to Opsware Data's breach of the Data Protection Laws for damage caused to data subjects as determined by a Supervisory Authority (or similar regulatory authority) or court of competent jurisdiction resulting in an award of damages to the data subject or fines except where Company has directed Opsware Data to take action (or not to take action) in contradiction of Data Protection Law.
b. Opsware Data shall, immediately on demand, fully indemnify and hold harmless Company and Company’s Affiliates, their directors, officers, and employees (collectively, the “Indemnified Parties”) from and against all costs, claims, administrative fines, demands, expenses (including legal costs and disbursements on a full indemnity basis), losses (including direct and indirect losses, loss or corruption of data, loss of reputation, goodwill and profits), actions, proceedings and liabilities of whatsoever nature arising from or incurred by the Indemnified Parties, in connection with any failure, whether negligent or otherwise, of Opsware Data or any subcontractors to comply with the provisions of this DPA and/or Data Protection Law in respect of its processing of Company Data ("Losses"). All or any such Losses suffered by an Indemnified Party shall, for the purposes of this section, be deemed to have been suffered by the Company. The rights under this section are in addition to any indemnification rights under the Agreement and shall survive termination.
10. Security
Opsware Data shall employ (and shall ensure all subprocessors employ) technical and organisational measures to adequately protect Company Data from loss, destruction, or unauthorised disclosure or access to Company Data taking into account the nature, scope, context and purposes of processing as well as the varying likelihood and severity of risk to the rights and freedoms of data subjects with regard to Opsware Data's performance of the Services, and shall use best practices to mitigate the risk, including, but not limited to:
a. Opsware Data and any subcontractor personnel will enter into appropriate confidentiality agreements and security measures including applicable IT security policies regarding the processing of the Company Data and provide all reasonable assistance to Company so it can demonstrate compliance with applicable Data Protection Law;
b. Opsware Data will provide a written description of the technical and organisational measures employed by Opsware Data and/or any subprocessor for processing of Company Data;
c. Opsware Data will maintain appropriate access controls, including, but not limited to, limiting access to Personal Data to the minimum number of subprocessor personnel who require such access in order to provide the services to Opsware Data; and
d. Opsware Data will implement appropriate safeguards to protect against unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized processing.
11. Breach
In the event of any actual or suspected incident (including a Data Breach) which may involve unauthorised or unlawful access to or Processing, loss, alteration or destruction of or damage to Personal Information, or disclosure of Personal Information in breach of this Agreement or the Data Protection Legislation, Opsware Data shall:
a. notify Company in writing immediately, and no later than forty eight (48) hours after the Data Breach is identified, providing: (i) all information known about the Data Breach; (ii) any relevant contact point for Company, and (iii) such details of the circumstances as Company may require;
b. describe the nature of the Data Breach (to the extent such information is available), including the possible categories and approximate number of individuals concerned and the categories and approximate number of Personal Information records concerned;
c. describe the likely consequences of the Data Breach, in particular, the likely consequences to impacted individuals;
d. communicate the name and contact details of Opsware Data's Data Protection Officer or other contact point where Company can obtain further information;
e. keep Company regularly informed of any further developments or information available in connection with the Data Breach and at Company’s request undertake a full investigation, at Opsware Data's cost, and provide Company with a full written report on the Data Breach;
f. carry out all mitigating steps reasonably necessary in relation to the Data Breach to prevent future incidents;
g. provide such information as Company may require in order to make any notification or announcement as referred to above; and
h. fully cooperate with Company in Company’s handling of the Data Breach and take all reasonable steps required by the Company to assist the Company to comply with good practice regarding evaluation, containment, notification, and recovery following a Data Breach, including but not limited to assistance with notifications to individuals and regulatory bodies.
12. Return of Company Data
Opsware Data must return or delete all Company Data processed in connection with the Agreement, after completion of the Services or the Agreement, at Company’s election. In the event that Company requests destruction, Opsware Data shall provide a written certificate to Company within thirty (30) days of such destruction. If Company requires that the Company Data be returned, it must be returned to Company within thirty (30) days of the completion or termination of Services, in a secure manner.
13. International Transfer
a. Opsware Data stores all Customer Data in Ireland and Canada. Opsware Data personnel may access data from Canada and the United States.
b. Opsware Data shall not physically transfer Company Data from outside of the country in which the Company Data is designated to be hosted under the Agreement without the prior written consent of Company.
c. In the event the Services provided under the Agreement involve the transfer of Personal Data of European Data Subjects outside of the European Economic Area or Switzerland, the parties agree to enter into the Standard Contractual Clauses attached hereto as Annex 1 and incorporated by this reference. In the event of a conflict between the terms of this DPA and the Annex, the Annex shall control.
d. To the extent that Opsware Data engages any subprocessors to process the Personal Data of any European Data Subjects, Opsware Data shall ensure that there is an effective method of transfer in place as required by applicable Data Protection Laws.