1. Interpretation
1.1 In this Data Processing Agreement:
"Business" means a business as defined in the CCPA;
"CCPA" means the California Consumer Privacy Act of 2018 (California Civil Code Sec. 1798.100 et seq), as amended by the California Privacy Rights Act of 2020 ("CPRA");
"Customer" is the legal entity that has entered into the relevant Services Agreement with the Supplier;
"Customer Group Company" shall mean Customer and any entity that, directly or indirectly, controls, is controlled by, or is under common control with Customer, where "control" means the power (directly or indirectly) to appoint or remove a majority of the directors of that entity;
"Customer Personal Data" means all personal data as defined in the GDPR Data Protection Laws, or to the extent the CCPA applies then all Personal Information as defined therein, controlled by the Customer which is processed by the Supplier on behalf of the Customer;
"Data Processing Agreement" or "DPA" shall mean this Data Processing Agreement, including its appendices;
"Data Protection Laws" means the data privacy laws applicable to the processing of Customer Personal Data in connection with the Services Agreement, including as applicable, but not limited to, the GDPR Data Protection Laws and the CCPA in each case as may be amended, repealed or replaced from time to time;
"Effective Date" shall mean the date on which the Services Agreement was entered into between the Customer and the Supplier, or, if different, either the date on which the Customer indicated its acceptance to the terms of the DPA or the parties otherwise entered into the DPA (as applicable);
"GDPR Data Protection Laws" shall mean the EU General Data Protection Regulation (2016/679) ("GDPR") and its implementing national legislation, the EU Privacy and Electronic Communications Directive 2002/58/EC as implemented in each jurisdiction, the UK Data Protection Act 2018, the UK Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, the UK General Data Protection Regulation, as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"); and any amending or replacement legislation of any of the above from time to time;
"Security Incident" shall have the meaning given in clause 6;
"Services" shall mean the services provided by the Supplier to Customer pursuant to and specified in the Services Agreement;
"Services Agreement" means the contract entered into between the Supplier and the Customer under which the Supplier provides the Services to the Customer;
"Sub-processor" shall have the meaning given in clause 5.1;
"Supervisory Authority" shall mean the relevant supervisory authority with responsibility for privacy or data protection matters in the jurisdiction of Customer and/or a Customer Group Company; and
"Supplier" means Symprex Limited (company number 03884240), whose principal place of business is at 2 Guildford Business Park, Guildford, UK GU2 8XG.
1.2 In this DPA, the terms "personal data", "controller", "processor" and "data subject" shall have the meanings set out in the GDPR Data Protection Laws and "processing" means processing as defined in the GDPR Data Protection Laws, or where and to the extent the CCPA applies, then as defined therein.
2. Appointment
2.1 Under the Services Agreement, the Supplier has been appointed by Customer to provide the Services to the Customer, on behalf of and for the benefit of Customer and any other Customer Group Companies.
2.2 The parties agree that this DPA will be incorporated as an addendum to the Services Agreement.
2.3 The parties acknowledge that for the purposes of the GDPR Data Protection Laws, the Customer is the controller acting on behalf of itself and other Customer Group Companies as applicable and the Supplier is the processor. The Customer hereby instructs the Supplier to process Customer Personal Data on behalf of Customer (or a Customer Group Company, as applicable) as the Supplier considers reasonably necessary to provide the Services and in accordance with such other written instructions as Customer may issue from time to time (provided that such instructions do not result in processing that is outside the scope of the Services).
2.4 The Supplier acknowledges that Customer Personal Data may include personal data in respect of which one or more Customer Group Companies are the controller and that Customer may be issuing processing instructions on their behalf. Notwithstanding any other provisions of this Data Processing Agreement, such Customer Group Companies shall be entitled to enforce this Data Processing Agreement as third party beneficiaries.
3. Duration
3.1 This Data Processing Agreement shall commence on the Effective Date and shall continue in full force and effect until the later of the termination or expiry of the Services Agreement.
3.2 Notwithstanding clause 3.1, the Supplier's obligations under clauses 4, 5, 6, 8 and 9 (and any other clauses which by implication ought to survive) shall survive the expiry of this Data Processing Agreement if and to the extent that Supplier continues to process (including without limitation by way of storage) any Customer Personal Data.
4. Data Protection
4.1 Each party shall comply with its obligations under the applicable Data Protection Laws in respect of Customer Personal Data. Without prejudice to the foregoing, neither party shall process Customer Personal Data in a manner that will, or is likely to, result in the other party breaching its obligations under the Data Protection Laws.
4.2 The Customer warrants that its disclosures of, and instructions to the Supplier in relation to, Customer Personal Data are lawful.
4.3 The scope, nature and purpose of processing by the Supplier, the duration of the processing, the types of Customer Personal Data and categories of data subject are set out in Appendix 1 to this Data Processing Agreement.
4.4 Subject at all times to the Supplier's obligations under the Services Agreement, the Supplier undertakes to:
4.4.1 only process Customer Personal Data in accordance with its documented instructions, which may include instructions given on behalf of other Customer Group Companies, including with regard to transfers, unless required to do otherwise by applicable law, in which event the Supplier shall, unless prohibited by law, inform Customer of the legal requirement before processing Customer Personal Data other than in accordance with Customer's instructions;
4.4.2 notify the Customer as soon as practicable if in its reasonable opinion it has been given an instruction which doesn't comply with applicable GDPR Data Protection Law, or (where the Customer is a Business under the CCPA) which doesn't comply with the CCPA, or which doesn't comply with its obligations under this DPA;
4.4.3 implement the technical and organisational measures to protect Customer Personal Data processed by it against unauthorised and unlawful processing and against accidental loss, destruction, disclosure, damage or alteration set out in Appendix 2. The Customer agrees that it is solely responsible for determining whether such technical and organisational measures are appropriate, taking into account the nature, scope, context and purposes of the processing;
4.4.4 ensure that its personnel who have access to Customer Personal Data are bound by appropriate obligations of confidentiality;
4.4.5 at Customer's cost, provide reasonable cooperation and assistance to the Customer, taking into account the nature of the Services and the information available to the Supplier, as the Customer may require to allow the Customer to comply with its obligations as a controller and, where the Customer is a Business under the CCPA, its obligations in respect of consumers under the CCPA, including in relation to data security; data breach notification; data protection impact assessments; prior consultation with supervisory authorities; the fulfilment of data subjects' rights; and any enquiry, notice or investigation by a Supervisory Authority; and
4.4.6 following termination of this Agreement either (at the option of the Customer) return to the Customer or destroy all Customer Personal Data in the possession or control of the Supplier.
4.5 The liability of each party to the other in relation to all and any claims, losses, proceedings, actions or regulatory penalties arising under or in connection with this Data Processing Agreement shall be governed by the provisions relating to exclusion and limitation of liability in the Services Agreement.
5. Sub-Processing
5.1 The Customer hereby expressly authorises the Supplier to appoint third parties as further processors on behalf of the Supplier to process Customer Personal Data (each a "Sub-processor"), subject to the requirements set out in the remaining subparagraphs of this clause.
5.2 The Customer hereby authorises the appointment of the Sub-processors listed at www.symprex.com/legal/subprocessor-list.
5.3 Should the Supplier appoint any further Sub-processors, the Supplier shall engage them in writing on terms that:
5.3.1 provide the same level of protections as those set out in this DPA; and
5.3.2 grant the Customer the right to perform on the Sub-processor the audits mentioned at clause 9.
5.4 The Supplier shall provide the Customer with reasonable written notification of the proposed addition or replacement of any Sub-processor.
5.5 The Customer shall have 15 days from the date of such notification to object to the proposed appointment or replacement of the Sub-processor, on reasonable grounds, by giving written notice to the Supplier.
5.6 Neither any delay, omission or failure by the Customer to object to any proposed Sub-processor, nor any approval by the Customer of any Sub-processor (if given), shall relieve the Supplier from any liability or obligation under this Data Processing Agreement.
5.7 The Supplier shall be responsible for the acts, omissions and defaults of any Sub-processor as if they were the Supplier's acts, omissions or defaults.
5.8 If the Customer objects to the appointment or replacement of any proposed Sub-processor, then, if reasonably practicable taking into account the Supplier's commercial interests including its provision of services to its other customers, the Supplier may at its sole discretion propose a reasonable change to the Services to accommodate (in whole or part) the Customer's objections to the proposed Sub-processor. If the Supplier does not propose such a change, or the Customer refuses any such proposed change within 30 days of the date of the Customer's notice in clause 5.4, the Customer may terminate this Agreement, which shall be Customer's sole and exclusive remedy for Customer's objection to the proposed Sub-processor.
6. California Data Protection Law
6.1 The parties acknowledge that where and to the extent the CCPA applies to the Customer as a Business, then for the purposes of the CCPA:
6.1.1 the Supplier shall provide no less than the level of privacy protection required by the CCPA, which shall not be less than the level of protection set forth in this DPA; and
6.1.2 the Supplier shall not:
(a) Sell Customer Personal Data;
(b) Share Customer Personal Data;
(c) Process Customer Personal Data in any manner outside of the scope of the Services Agreement between the Customer and the Supplier; or
(d) Combine any Customer Personal Data with personal data that it receives from or on behalf of any other third party or its interactions with consumers, provided that the Supplier may combine personal data if directed to do so by the Customer and permitted by the CCPA.
7. Security Incidents
The Supplier shall notify the Customer without undue delay of any accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Customer Personal Data ("Security Incident"). The Supplier shall also provide the Customer with a description of the Security Incident, the type of data that was the subject of the Security Incident and (to the extent known to the Supplier) the identity of each affected person, as soon as such information can be collected or otherwise becomes available, as well as all other information and co-operation which the Customer may reasonably request relating to the Security Incident.
8. Data Transfers
8.1 The Customer acknowledges and agrees that the Supplier can transfer Customer Personal Data to the Sub-processors that are located outside of the UK.
8.2 If Customer Personal Data is transferred outside the UK by the Supplier, to the extent required under the applicable GDPR Data Protection Law, the Supplier shall ensure that:
8.2.1 there are appropriate safeguards in place (such as Standard Contractual Clauses) for the purposes of such transfer;
8.2.2 such transfer is to a country, territory or sector that benefits from an "adequacy decision" pursuant to Article 45 of the GDPR or the equivalent UK adequacy regulations (as applicable) (including the EU-US Data Privacy Framework); or
8.2.3 another alternative compliance standard for the lawful transfer of personal data applies in respect of such transfer.
9. Audit
9.1 The Supplier shall make available to the Customer all information reasonably necessary to demonstrate compliance with this Data Processing Agreement and allow for and contribute to audits, including physical inspections, conducted by the Customer or its representatives (bound by appropriate obligations of confidentiality), provided such an audit is carried out:
9.1.1 during the Supplier's normal business hours;
9.1.2 in a manner that causes minimal disruption to the Supplier's business and excludes from its scope any internal pricing information, information relating to other customers of the Supplier or other internal reports of the Supplier; and
9.1.3 at the Customer's own cost.
10. Further Assurance
10.1 The parties shall, and shall ensure that their agents, employees and subcontractors shall, do all things reasonably necessary, including executing any additional documents and instruments, to give full effect to the terms of this Data Processing Agreement and to otherwise fulfil the provisions of this Data Processing Agreement in accordance with its terms.
11. Conflict
To the extent of any conflict between this Data Processing Agreement and the Services Agreement, this Data Processing Agreement will prevail.
12. Governing Law
This DPA and any dispute or claim arising out of or in connection with this DPA (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws of England. Each party irrevocably agrees that the courts of England and Wales shall have exclusive jurisdiction to settle any dispute or claim arising out of or in connection with this Agreement (including non-contractual disputes or claims).
Appendix 1: Description of Services and Personal Data Processing
The data processing activities carried out by the Supplier under this Data Processing Agreement are as follows:
Description of Services:
The Services provided by the Supplier to the Customer pursuant to the Services Agreement.
Subject-matter of Processing:
The performance of the Services pursuant to the Services Agreement.
Duration of Processing:
Subject to the deletion or return of Personal Data section of this DPA, the Supplier will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
Nature and purpose of Processing:
The Supplier will Process Personal Data to provide the Services pursuant to the Services Agreement, as may be further specified in any order form completed by the Customer when entering into the Services Agreement, and may be as further instructed by the Customer in its use of the Services.
Type of Personal Data:
Data provided by the Customer or collected by the Supplier to be able to manage the Customer's account:
- Customer information including name, email address, job title, business address and telephone number
- Customer credit card information (collected and stored by sub-processor Stripe)
Where Services process user data, the data provided or made available by the Customer or collected by the Supplier to be able to provide the Services:
- Contact information including name, email address, job title, department, company, business address and telephone number
- Any other information provided via custom attributes exposed by the Customer
Where Services process email, the content of the emails provided to the Services for processing.
Categories of Data Subjects:
Customer personnel including users in the Customer's Microsoft 365 tenancy or Google Workspace tenancy, as applicable, or otherwise added to the Services by Customer or any agent of Customer.
Where Services process email, data subjects include Customer representatives and end-users including employees, contractors, collaborators, and customers. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the Services.
Appendix 2: Security Measures
The Supplier observes the Security Measures described below. All capitalized terms not otherwise defined herein shall have the meanings set forth in the Services Agreement. References to "we" and "our" refer to the Supplier, and references to "you" refer to the Customer.
General
The Supplier maintains commercially reasonable administrative, physical and technical safeguards designed for the protection, confidentiality and integrity of Customer Data.
The Supplier has implemented an Information Security Management System (ISMS) certified against international standards ISO/IEC 27001 and ISO/IEC 27018. The Supplier is audited against both standards once every year, and performs full re-certification every third year. All audits are conducted by an external, independent, UKAS accredited auditor.
Confidentiality
The Supplier has controls in place to maintain the confidentiality of Customer Data, in accordance with the Services Agreement. All Supplier employees and contract personnel are bound by the Supplier's internal policies regarding maintaining confidentiality of Customer Data and contractually commit to these obligations.
All Supplier employees and contract personnel are contractually bound by confidentiality and non-disclosure clauses.
Access Control
Preventing Unauthorized Product Access
Outsourced processing: We host our Signature 365 Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Signature 365 Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance, among other certifications.
Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers only via application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user's permissions against the attributes associated with each data set.
Application Programming Interface (API) access: Public product APIs may be accessed using an API key or through OAuth authorization.
Preventing Unauthorized Product Use
We implement industry standard access controls and detection capabilities for the internal networks that support our products.
Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect hosted customer websites and other internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
Static code analysis: Security reviews of code stored in our source code repositories are performed, checking for coding best practices and identifiable software flaws.
Penetration testing: We maintain relationships with industry recognized penetration testing service providers. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
Vulnerability disclosure policy: A vulnerability disclosure policy invites and incentivizes independent security researchers to ethically discover and disclose security flaws. We implement a vulnerability disclosure policy in an effort to widen the available opportunities to engage with the security community and improve the product defences against sophisticated attacks.
Limitations of Privilege & Authorization Requirements
Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabled through "just in time" requests for access; all such requests are logged. Employees are granted access by role, and reviews of high risk privilege grants are initiated daily. Employee roles are reviewed at least once every six months.
Background checks: All Symprex employees undergo a third-party background check prior to being extended an employment offer, in accordance with and as permitted by the applicable laws. All Symprex employees are required to conduct themselves in a manner consistent with company guidelines, non-disclosure requirements, and ethical standards.
Employee training: At least once a year, employees must complete our security and privacy training, which covers our security policies, security best practices, and privacy principles.
Transmission Control
In-transit: We encrypt all data in transit using TLS 1.2 or higher using industry standard algorithms and certificates.
At-rest: We store user passwords following policies that follow industry standard practices for security. We have implemented technologies to ensure that stored data is encrypted at rest.
Input Control
Detection: We designed our infrastructure to log extensive information about system behaviour, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Our personnel, including security, operations, and support personnel, are responsive to known incidents.
Response and tracking: We maintain a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, we will take appropriate steps to minimize product and Customer damage or unauthorized disclosure. Notification to you will be in accordance with the terms of the Services Agreement and DPA.
Availability Control
Infrastructure availability: The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.95% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
Fault tolerance: Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Customer Data is backed up to multiple durable data stores and replicated across multiple availability zones.
Online replicas and backups: Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Our products are designed to ensure redundancy and seamless failover. The server instances that support the products are also architected with a goal to prevent single points of failure. This design assists our operations in maintaining and updating the product applications and backend while limiting downtime.