Glantus implement appropriate technical and organisational measures to maintain the security, confidentiality and integrity of Company Personal Data and ensure a level of security appropriate to the risk associated with the Processing activity, including, at a minimum, the measures referred to in Article 32(1) of the GDPR; 

Implement and maintain appropriate security measures in accordance with good industry practice in the country or countries in which Vendor is Processing Company Personal Data and in accordance with the requirements of all Data Protection Laws;
Use encryption methods to safeguard Company Personal Data while in transit; and
Regularly monitor compliance with such security safeguards and ensure that there is no material decrease in the level of security afforded to Company Personal Data during the duration of the Processing. 

Please see a link for the Datacentres we use in Dublin and Marlborough, MA, which are ISO27001 and PCI DSS rated. The equipment located in the datacentre is wholly owned and managed by Glantus. Access to the equipment is managed by an approved list of employees. We also make extensive use of the Microsoft Azure platform.
All communication to our infrastructure is fully encrypted using SSL/TLS to dedicated frontend servers or services.


Servers holding any data sit within a segregated network, away from the frontend network housing the frontend servers. Communication between these networks is strictly controlled and there is no direct access from the internet to the network on which the data resides.


All of the above sits behind a pair of highly available, load-balanced firewalls that protect the exterior perimeter of the network and control access between the individual network segments. At no point is unencrypted data transmitted outside the system.
 
Glantus user access to any systems/networks is further secured by the use of Multifactor Authentication where possible. Data is backed up nightly to an encrypted backup, and a test restore is performed every month on a random server and file selection. All of the above is monitored constantly for operational performance and anomalous behaviour is highlighted and alerted upon.  

In addition, a Risk Committee meets at regular intervals to assess risk in various areas of the company including Information Security. 

 

Data Processing Agreement - EMEA/UK

At Glantus, we are creating a world in which data is the differentiator for creating lasting impact and a catalyst for progressive and practical opportunities to succeed.

PURPOSE

This Data Processing Agreement ("Agreement") forms part of the Contract for Solutions and/or Services ("Principal Agreement") between Data Controller and Data Processor within the meaning of the General Data Protection Regulation (GDPR) and if you have contracted us to provide solutions and/or services that require us to process personal information on your behalf, the following terms (the “Data Processing Agreement”) are hereby incorporated into the Terms and Conditions under which services are provided and form part of the contract for those solutions and/or services.

CONTEXT

The Company acts as a Data Controller.

(A) The Data Controller wishes to subcontract certain Services and/or Solutions, which imply the processing of personal data, to the Data Processor.

(B) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) or equivalent regulation based on local jurisdiction in accordance with ISO:27701 standard.

(C) The Parties wish to lay down their rights and obligations.

SCOPE

The Agreement applies to solutions and/or services sought for which Glantus group of companies, operating under the name ‘Glantus’, is acting as a Data Processor and Customer is acting as a Data Controller within the meaning of the Regulation.

The agreement covers Glantus as data controller where Company Personal Data may be consolidated to improve efficiency across data systems (e.g. CRM) or if systems become redundant. The data subject will be contacted in such event. Such transfer of Company Personal Data is solely for operational purpose and legitimate interest to provide services as contracted to support the company’s commitment to information security and privacy.

IT IS AGREED AS FOLLOWS:

Definitions and Interpretation

  1. Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:

  2. "Agreement" means this Data Processing Agreement and all Schedules and Terms and Conditions

  3. "Contracted Processor" means a Sub processor.

  4. “Data” or “Information” shall refer to personal data pertaining to one or more data subjects as defined by the Regulation.

  5. "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country.

  6. "EEA" means the European Economic Area.

  7. "EU Data Protection Laws" means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.

  8. "GDPR" means EU General Data Protection Regulation 2016/679.

  9. "Data Transfer" means:

  10. a transfer of Company Personal Data from the Company to a Contracted Processor; or

  11. an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws).

  12. "Services" means the solution or services the Company provides.

  13. “Customer” or “Controller” shall refer to the customer acting as Data Controller as defined by the Regulation.

  14. “Processor” shall refer to Glantus acting as Data Processor as defined by the Regulation.

  15. "Sub processor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.

  16. The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of Company Personal Data

  1. Processor shall:

  2. comply with all applicable Data Protection Laws in the Processing of Company Personal Data; and

  3. not Process Company Personal Data other than on the relevant Company’s documented instructions.

  4. The Company instructs Processor to process Company Personal Data.

  5. Company Personal Data may be consolidated to improve efficiency of company systems. In such case this is only to improve operational procedures.

Personal Data Breach

  1. Processor shall notify Company without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Company with sufficient information to allow the Company to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws in line with Article 33 and 34 of the GDPR. An internal security incident report will be required in this instance. This can be made available to relevant parties if and when required.

  2. Processor shall co-operate with the Company and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach.

Data Protection Impact Assessment and Prior Consultation

Processor shall provide reasonable assistance to the Company with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

Deletion or return of Company Personal Data

  1. Subject to this section 9 Processor shall promptly and in any event within

  2. business days of the date of cessation of any Services involving the Processing of Company Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those Company Personal Data.

  3. Processor shall provide written certification to Company that it has fully complied with this section 9 within the time period as agreed.

Audit rights

  1. Subject to this section 10, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the Company Personal Data by the Contracted Processors.

  2. Information and audit rights of the Company only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law.

Data Transfer

  1. The Processor may not transfer or authorise the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Company. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

General Terms

  1. Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
    (a) disclosure is required by law.

    (b) the relevant information is already in the public domain.

  2. Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address.

Governing Law and Jurisdiction

  1. This Agreement is governed by the laws of EU GDPR.

  2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Ireland, subject to possible appeal to Irish Courts of Appeal.

This Agreement is entered into with effect from the date of the signed Terms and Conditions.

TERMS OF USE

By accessing Glantus web pages you agree to the following terms. If you do not agree to the following terms, please note that you are not allowed to use the site.

Any rights not expressly granted herein are reserved. Reproduction, transfer, distribution or storage of part or all of the contents in any form without the prior written permission of Glantus is prohibited except in accordance with the terms outlined in this document.

Glantus provides access to this site free of charge to provide information about Glantus, its capabilities and the work it has done for its clients worldwide over the years. The sole authorized use of the site is to obtain information about Glantus and no other use is permitted.

Glantus consents to you browsing web pages on your computer/mobile device or printing copies of extracts from these pages for your personal use only and not for redistribution unless consented to in writing by Glantus. Individual documents in our web pages may be subject to additional terms indicated in those documents.

The use of this site and the content therein is permitted for private, non-commercial use. The use of press releases and other documents classified as public is permitted in public communications if the source for the information has been stated.

Glantus assumes no responsibility for the security of this site or your communications with the site. This site is offered AS IS and without warranties of any kind. Glantus disclaims the implied warranties of merchantability and fitness for a specific purpose as well as title or non-infringement. We are not responsible for timeliness, accuracy, unavailability or interruptions in availability, viruses or other defects in the site or its contents. In no event shall Glantus be responsible for any damages to users or their computer systems or otherwise, even if Glantus has been informed of the possibility of such damages and without regard to negligence.

For your convenience Glantus may include links to sites on the web that are owned or operated by third parties. By linking to such third-party site, you agree that Glantus has no control over the content of that site and cannot assume any responsibility for material created or published by such third-party sites.

By submitting your email address anywhere on Glantus.com you grant us permission to send you email, which may include promotional material, surveys or other material. See our privacy policy for more information on how we manage this information.

Glantus is a registered trademark. Glantus' product names are either trademarks or registered trademarks of Glantus. Other product and company names mentioned herein may be trademarks or trade names of their respective owners. Your access to this site should not be construed as granting, by implication, estoppel or otherwise, any license or right to use any marks appearing on the site without the prior written consent of Glantus or the third party owner thereof.

INTRODUCTION 

Glantus is committed to protecting data. As customers we value your data and this Data Processing Agreement (DPA) outlines how we process your data in line with the legal requirements of local US legislation and worldwide legislation including the GDPR. 

It is a legal requirement under the laws of California and Massachusetts (where Glantus US offices are located) that a contractual obligation exist between a Data Controller and Data Processor. This requires the implementation and maintenance of appropriate security measures for the processing of personal information. This requirement may also be present in the laws of the state in which the Data Controller (customer) is located. This is also a requirement of the ISO/IEC 27701:2019 Privacy Information Management standard, against which Glantus is independently certified, and the EU/UK General Data Protection Act (GDPR) in the form of a Data Processing Agreement (DPA). Glantus is headquartered in Ireland (EU Member State), and complies with the information security and privacy measures set forth in the GDPR. 

This DPA works in conjunction with Glantus Standard Contractual Clauses (SCCs) and adopts the modular approach when defining the relationship between Controllers and Processors. For Glantus customers, this will only apply to Customer Relationship Management (CRM) data (name, work phone, work email address etc.). 

 

CUSTOMERS 

Glantus’ customers have primary responsibility as controllers for the personal data they share with Glantus as the Data Processors.  

Glantus’ services involve only limited processing of personal data on behalf of our customers (e.g., contracted information included on invoices or to maintain the services provided). 

If a DPA has not been supplied by the customer this agreement can form a mutual DPA. 

SUPPLIERS 

Glantus’ suppliers have a responsibility as processors to comply with California and Massachusetts law (and equivalent data protection legislation in the USA) and protection of personal data where Glantus is the Data Controller. 

While data controllers generally assume a greater degree of responsibility for ensuring the protection of personal data they share with data processors, both controllers and processors are subject to the requirement to implement a California and Massachusetts compliant data processing agreement. It is therefore important that Glantus has a data processing agreement in place with our suppliers and with our customers.

PURPOSE  

This Data Processing Agreement ("Agreement") forms part of the Contract for Solutions and/or Services ("Principal Agreement") between Data Controller and Data Processor within the meaning of the California Consumers Protection Act (CCPA) and other US State level data protection legislation as it comes into effect. Where applicable, General Data Protection Regulation (GDPR EU) and General Data Protection Regulation (GDPR UK) will be applied as Glantus is headquartered in Ireland (EU Member State) and any personal data transfers must be protected. Glantus has in place Standard Contractual Clauses (SCCs) that document the appropriate technical and organisational measures to protect data in this instance. 

 At all times, Glantus is transparent as to the location and processing of data to provide solutions and/or services that require the processing of personal information. Glantus will adopt the highest level of data protection for personal identifiable information. The following terms (the “Data Processing Agreement”) are hereby incorporated in addition to the Terms and Conditions under which services are provided and form part of the contract for those solutions and/or services. 

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement"). Details of processing activities are to be completed in Annex I of this document. 

 

This Data Processing Agreement ("Agreement") forms part of the Contract for Services ("Principal Agreement") between 

(the Company, “Data Controller”) and

 (the “Data Processor”) (together as the “Parties”) WHEREAS 

 

CONTEXT 

The Company acts as a Data Controller. 

A) The Data Controller wishes to subcontract certain Services and/or Solutions, which imply the processing of personal data, to the Data Processor. 

 

B) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with US Regulation including California’s CCPA (and its amendment, the CPRA), Virginia’s VCDPA and Colorado’s ColoPA (and other State level legislation as they become effective) and based on local jurisdiction in accordance with ISO:27701 standard.

 

C) As Glantus are headquartered in Ireland (EU), GDPR 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) or equivalent compatible regulation (e.g., CCPA) based on local jurisdiction in accordance with ISO:27701 standard.  

 

D) The Parties wish to lay down their rights and obligations. 

 

SCOPE  

The Agreement applies to solutions and/or services sought for which Glantus Group, operating under the name ‘Glantus’, is acting as a Data Processor and Customer is acting as a Data Controller within the meaning of the General Data Protection Regulation.  

The Agreement also applies where ‘Glantus’ are controllers and services are being sought from data processors. 

The agreement covers Glantus as data controller where The Controller Personal Data may be consolidated to improve efficiency across data systems (e.g. CRM) or if systems become redundant. The data subject will be contacted in such event. Such transfer of The Controller Personal Data is solely for operational purpose and legitimate interest to provide services as contracted to support the company’s commitment to information security and data privacy.

 

IT IS AGREED AS FOLLOWS: 

 

1 Definitions and Interpretation 

 

1.1 Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning: 

 

1.1.1 "Agreement" means this Data Processing Agreement and all Schedules and Terms and Conditions 

 

1.1.2 "The Controller Personal Data" means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement. 

1.1.3 "Contracted Processor" means a Sub processor. 

 

1.1.4 “Data” or “Information” shall refer to personal data pertaining to one or more data subjects as defined by the GDPR and DPA 2018. 

 

1.1.5 "Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other jurisdiction holding an EU adequacy decision. 

1.1.6 "EEA" means the European Economic Area. 

 

1.1.7 "GDPR" and "EU Data Protection Laws" means EU General Data Protection Regulation 2016/679. 

 

1.1.8 "GDPR UK" and "UK Data Protection Laws" means UK General Data Protection Regulation effective 1st January 2021 

 

1.1.9 “CCPA” means California Consumer Protection Act of 2018, effective January 1st 2020. 

 

1.1.10 “CPRA” California Privacy Rights Act. 

 

1.1.11 “VCDPA” Virginia Consumer Data Protection Act. 

 

1.1.12 “ColoPA” Colorado Privacy Act. 

 

1.1.13 "Data Transfer" means: 

 

1.1.13.1 a transfer of The Controller Personal Data from the Company to a Contracted Processor; or 

 

1.1.13.2 an onward transfer of The Controller Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws). 

 

1.1.14 "Services" means the solution or services the Company provides. 

  

1.1.15 “Controller” shall refer to the Company acting as Data Controller as defined by the Regulation. 

  

1.1.16 “Processor” shall refer to the supplier acting as Data Processor as defined by the Regulation. 

  

1.1.17 "Sub processor" means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement. 

 

1.1.18 “Standard Contractual Clause” or (“SCCs”) means the standard contractual clauses approved by the European Commission for the transfer of personal data to processors established in countries which do not ensure an adequate level of data protection.

 

1.2 The terms, "Commission", "Controller", "Data Subject", "Member State", "Personal Data", "Personal Data Breach", "Processing" and "Supervisory Authority" shall have the same meaning as in the CCPA. Where reference is missing from CCPA, GDPR reference will apply, and their cognate terms shall be construed accordingly.  

 

1.3 Note that in all basic terms CCPA and GDPR terms are compatible. Example of ‘reference missing’ in 1.2 would refer to where there is no ‘Supervisory Authority’ in California.  

  

2 Processing of The Controller Personal Data 

 

2.1 Processor shall: 

 

2.1.1 Comply with all applicable Data Protection Laws in the Processing of The Controller Personal Data; and

 

2.1.2 Not Process the Controller Personal Data other than on the relevant Company’s documented instructions. 

 

2.2 The Controller instructs Processor to process The Controller Personal Data. 

2.3 The Controller Personal Data may be consolidated to improve efficiency of company systems. In such case this is only to improve operational procedures.  

 

3 Processor Personnel 

 

3.1 Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Controller Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant The Controller Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual's duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings (NDA) or professional or statutory obligations of confidentiality relating to information security and privacy in line with CCPA, this document will serve to provide clarity as to the nature and security of processing. Where Glantus are Processors, Article 28 (GDPR) will apply as our obligations are bound by EU General Data Protection Regulation.

 

4 Security 

 

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Controller Personal Data implement appropriate technical and organisational measures to ensure a level of information security and privacy appropriate to that risk. Please provide information in Annex II of this agreement. 

 

4.2 Where Glantus are processors or processors with operations in the EU, the inclusion, where appropriate, measures referred to in Article 32(1) of the GDPR. Details of these technical and organisational measures are to be provided in Annex II of this agreement. 

 

4.3 In assessing the appropriate level of security, Processor shall take account of the risks that are presented by Processing, in particular, from a Personal Data Breach. 

 

5 Sub-processing/Sub-processors 

 

5.1 Please provide details of sub-processors who will have access to The Controller personal data in Annex III of this agreement. Sub-processors included in Annex III of this document are deemed accepted by the controller in the terms of this agreement. 

5.2 The Processor is responsible for ensuring that any sub-processors it uses to process data conduct processing in a secure and responsible manner in line with technical and organisational measures outlined in Annex II by The Processor.

5.3 Processor shall not appoint (or disclose any Controller Personal Data to) any new Sub processor unless required or authorised by The Controller (Data Controller). 

 

6 Data Subject Rights 

 

6.1 Taking into account the nature of the Processing, Processor shall assist The Controller by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of The Controller obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws. 

 

6.2 As between the parties, the Controller is solely responsible for obtaining, and has obtained or will obtain, all necessary consents, licenses and approvals for the processing, or otherwise has a valid legal basis under Data Protection Laws for the Processing of Personal Data (the “Customer Legal Basis Assurance”). Without limiting the Customer Legal Basis Assurance, each Controller and Processor warrant in relation to Personal Data that it will comply with (and will ensure that any of its personnel comply with), the Data Protection Laws applicable to it.  

6.3 Processor shall: 

 

6.3.1 promptly notify The Controller if it receives a request from a Data Subject under any Data Protection Law in respect of The Controller Personal Data; and 

 

6.3.2 ensure that it does not respond to that request except on the documented instructions of The Controller or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Company of that legal requirement before the Contracted Processor responds to the request. 

 

7 Personal Data Breach 

 

7.1 Processor shall notify The Controller without undue delay upon Processor becoming aware of a Personal Data Breach affecting The Controller Personal Data, providing Company with sufficient information to allow The Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws (CCPA Obligations and California Breach Notification Law in the US) and in line with Article 33 and 34 of the GDPR (EU). An internal security incident report will be required in this instance. This can be made available to relevant parties if and when required. 

 

7.2 Processor shall co-operate with The Controller and take reasonable commercial steps as are directed by Company to assist in the investigation, mitigation and remediation of each such Personal Data Breach. 

 

7.3 The Processor will promptly provide the Controller with information regarding the breach including: 

 

  1. The nature of the personal data breach 

  2. The categories and approximate number of data subjects concerned 

  3. The categories and approximate number of personal data records concerned 

  4. The likely consequences of the personal data breach 

  5. A summary of the unauthorised recipients of the personal data and, 

  6. The measures taken or proposed to be taken by the Processor to address the personal data breach including, where appropriate, measures to mitigate its possible adverse effects. 

 

8 Data Protection Impact Assessment and Prior Consultation 

 

8.1 Processor shall provide reasonable assistance to The Controller (where the controller is based in or has operations in the EU) with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Company reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of The Controller Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors. 

 

8.2 Where DPIA is not mandatory in US State legislation, Processors are encouraged to complete Data Protection Impact Assessment.  

 

9 Deletion or return of The Controller Personal Data 

 

9.1 Subject to this section 9 Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of The Controller Personal Data (the "Cessation Date"), delete and procure the deletion of all copies of those The Controller Personal Data. 

 

9.2 Processor shall provide written certification to Company that it has fully complied with this section 9 within the time period as agreed. 

 

10 Audit rights 

 

10.1 Subject to this section 10, Processor shall make available to The Controller on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by The Controller or an auditor mandated by The Controller in relation to the Processing of the Controller Personal Data by the Contracted Processors. 

 

10.2 Information and audit rights of The Controller only arise under section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Data Protection Law. 

 

11 Data Transfer 

 

11.1 For data stored in the EU, the Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of The Controller. If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the Parties shall ensure that the personal data is adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.

 

11.2 For data stored in the US, the Processor may not transfer or authorize the transfer of Data to countries outside the US or Canada without the prior written consent of The Controller. 

 

12 General Terms 

 

12.1 Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

 

a) disclosure is required by law. 

 

b) the relevant information is already in the public domain. 

 

12.2 Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement at such other address as notified from time to time by the Parties changing address. 

13 Governing Law and Jurisdiction 

 

13.1 This Agreement is governed by the laws of The United States. 

 

13.2 Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the relevant courts of appeal. 

 

13.3 Where the Data Subject is based in the European Union, the data subject may, in some circumstances, hold the right to select the governing law and choice of jurisdiction of any EU member state. This depends on the origin of data and the location of processing.

 

 

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below. 

 

Please specify ‘Controller’ or ‘Processor’ in the blanks below: 

 

 

Data ___________ Company 

 

Signature:
Name:
Title:
Date Signed:

 

 

Data __________ Company 

 

Signature:
Name:
Title:
Date Signed:

ANNEX I: DESCRIPTION OF PERSONAL DATA PROCESSING 

Annex I describes Vendor’s processing of Company Personal data, in accordance with Section 2 of this DPA and Data Protection Laws. 

Subject matter, duration, nature, and purposes of personal data processing: 

Categories of personal data: 

 Categories of data subjects: 

ANNEX II: DESCRIPTION OF VENDOR’S SECURITY MEASURES 

Annex II describes the technical and organizational security measures that Vendor has implemented in accordance with Section 4 of this DPA and Data Protection Laws. 

 Vendor information below: 

ANNEX III: List of Sub-Processors 

Please provide a list of sub-processors who will have access to the Controller’s personal data as described in section 5 of this agreement.