Datafold Data Processing Agreement

Last updated: August 26, 2021

This Data Protection Agreement (the “DPA”) is executed as of the date of Customer’s initial order form (the “DPA Effective Date”) between Datafold, Inc. (“Datafold”) and the customer using Datafold’s Services (“Customer”). Capitalized terms have the meanings provided in the Agreement defined below except as provided here.

WHEREAS, Datafold and Customer are parties to a Master Subscription Agreement regarding Customer’s trial and/or subscription to Datafold’s Services (the “Agreement”); and

WHEREAS, Datafold and Customer wish to enter this DPA, which will accompany the Agreement and govern the parties’ security and data protection obligations.

1. Data Protection

Definitions:  In this Clause, the following terms shall have the following meanings: 

1.2. Relationship of the parties.  Customer (the controller) appoints Datafold as a processor to process the personal data described in the Agreement (the "Data") for the purposes described in the Agreement (or as otherwise agreed in writing by the parties) (the "Permitted Purpose").  Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.  If Datafold becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, it shall promptly inform Customer.

1.3. Processing in Accordance with California Law.  In accordance with the CCPA, and with respect to personal data to which the CCPA applies:  (a) Datafold will not “sell” (as defined in the CCPA) any personal data; and (b) Datafold will not coll

1.4. International transfers.  Datafold shall not transfer the Data outside of the European Economic Area ("EEA") unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.  

1.5. Confidentiality of processing:  Datafold shall ensure that any person it authorises to process the Data (an "Authorised Person") shall protect the Data in accordance with Datafold's confidentiality obligations under the Agreement.

1.6. Security:  Datafold shall implement technical and organisational measures as set out in the Annex to protect the Data (a) from accidental or unlawful destruction, and (b) loss, alteration, unauthorised disclosure of, or access to the Data (a "Security Incident").  

1.7. Subcontracting:  Customer consents to Datafold engaging the third party subprocessors listed in the Subprocessors Annex in the DPA to process the Data for the Permitted Purpose provided that it: (a) will inform Customer of any intended changes concerning the addition or replacement of other subprocessors, thereby giving Customer the opportunity to object to such changes; (b) imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (c) remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor.  Customer may object to Datafold's appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection.  In such event, Datafold will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).

1.8. Cooperation and data subjects' rights.  Datafold shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data.   In the event that any such request, correspondence, enquiry or complaint is made directly to Datafold, Datafold shall promptly inform Customer providing full details of the same.

1.9. Data Protection Impact Assessment.  Datafold shall provide reasonable cooperation to Customer (at Customer's expense) in connection with any data protection impact assessment that Customer may be required under Applicable Data Protection Law. 

1.10. Security incidents.  If it becomes aware of a confirmed Security Incident, Datafold shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law.  Datafold shall further take such any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.

1.11. Deletion or return of Data.  Upon termination or expiry of the Agreement, Datafold shall (at Customer's election) destroy or return to Customer all Data in its possession or control.  This requirement shall not apply to the extent that Datafold is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event Datafold shall securely isolate and protect from any further processing except to the extent required by such law.

1.12. Audit.  Customer acknowledges that Datafold is audited against SOC 2 standards by independent third party auditors.  Upon request and when available, Datafold shall supply a summary copy of its audit report(s) to Customer, which shall be subject to the confidentiality provisions of the Agreement. Datafold shall also respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year. In addition, Customer may contact Datafold to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Customer’s personal data.  Before the commencement of any such on-site audit, Customer and Datafold shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Datafold incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Datafold. Customer shall promptly notify Datafold with information regarding any non-compliance discovered during the course of an audit.

2. Miscellaneous

2.1. Construction; Interpretation. This DPA is not a standalone agreement and is only effective if the Agreement is in effect between Customer and Datafold.  This DPA is part of the Agreement and is governed by its terms and conditions, including the limitations of liability therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA. 

2.2. Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect. 

2.3. Amendment. This DPA may not be amended or modified by Customer unless such amendment or modification is in writing signed by both parties.

2.4. Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.

2.5. Governing Law. This DPA will be governed by and construed in accordance with the laws the jurisdiction governing the Agreement. 

2.6. Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

Security Annex

Security Measures

Datafold will:

1. take all reasonable measures to prevent unauthorized access to the Data through the use of appropriate physical and logical (passwords) entry controls, securing areas for data processing, and implementing procedures for monitoring the use of data processing facilities;

2. use built-in system and audit trails;

3. use secure passwords, network intrusion detection technology, encryption and authentication technology, secure login procedures, and virus protection;

4. account for all risks presented by processing, for example, from an accidental or unlawful destruction, loss, or alteration, unauthorized or unlawful storage, processing, access, or disclosure of the Data;

5. ensure pseudonymization and/or encryption of the Data where appropriate;

6. maintain the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and Services;

7. maintain the ability to restore the availability and access to the Data in a timely manner in the event of a physical or technical incident;

8. implement a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Data;

9. monitor compliance on an ongoing basis;

10. implement measures to identify vulnerabilities concerning the processing of the Data in systems used to provide Services to Customer;

11. provide employee and contractor training to ensure ongoing capabilities to carry out the security measures established in policy.

Subprocessors Annex

"Amazon Web Services" (for Datafold-hosted deployments)