Products And Services Data Protection Addendum
This document sets out the obligations relating to the processing and security of personal data in connection with the “Datanau Online Services”. This document is incorporated by reference in section 4(c) of the “Online Services Subscription Agreement Terms” of the Online Services Subscription Agreement.
The purpose is to clarify Datanau’s responsibilities for ensuring the rights and freedoms of data subjects, the security of processing, and to provide guidance on the rights of data subjects applicable to the processing of Customer Data, Professional Services Data or Personal Data as defined in the General Data Protection Regulation – GDPR.
Datanau undertakes the commitments contained in this document, which serves the purpose of a Data Processing Agreement and Products and Services Data Protection Addendum (DPA) for all customers who adhere to the Usage Plans.
1.1. APPLICABLE DPA TERMS AND UPDATES
a) Limits on Updates
If Customer renews or purchases a new subscription for a Product or places an order for a Professional Service, the then-current DPA Terms will apply and will not be modified during Customer’s subscription period for that Product or Professional Service.
If Customer purchases a perpetual license for the Software, the then-current DPA Terms will apply (based on the same provision for determining the then-current “Service Membership Agreement” applicable to such Software in Customer’s licensing) and will not be modified during Customer’s license for such Software.
b) New Features, Supplements, or Related Software
Subject to the foregoing limits on updates, when Datanau introduces features, offers, add-ons or related software that are new (i.e., not previously included with the Products or Services), Datanau may provide terms or make updates to the DPA that apply to Customer’s use of such new features, offers, add-ons or related software.
If such terms include any material adverse changes to the DPA Terms, Datanau will provide Customer with an option to use the new features, offerings, add-ons or related software without loss of the existing functionality of a generally available Professional Product or Service. If Customer does not install or use the new features, offerings, add-ons or related software, the corresponding new terms will not apply.
c) Regulations and Requirements of Legal Systems Outside the European Union
Without prejudice to the foregoing limits on updates, Datanau may modify or terminate a Product or Professional Service in any country or jurisdiction in which there is a current or future governmental requirement or obligation that:
(1) subjects Datanau to any regulation or requirement not generally applicable to business operations in that country;
(2) presents an impediment to Datanau continuing to operate the Product or offer the Professional Service without modification; and/or
(3) causes Datanau to believe that the DPA Terms or the Product or Professional Service may conflict with any such requirement or obligation.
d) Electronic Notices
Datanau may provide the Customer with information and notifications about the Products and Services electronically, including by email, through the portal of an Online Service or through a website that Datanau chooses. The notification shall be effective from the date Datanau makes it available.
The DPA Terms cover the Products and Services that are currently available.
Capitalized terms used, but not defined, in this DPA shall have the meanings indicated in the “Online Services Subscription Agreement”. The following defined terms are used in this DPA:
a) “Customer Data” means all data, including all text, sound, video or image files and software, that is provided to Datanau by or on behalf of the Customer through the use of the Online Service. Customer Data does not include Professional Services Data.
b) “Data Protection Requirements” refers to the data protection legal regime, including the GDPR, and the other references that make up the EU/EEA Local Data Protection and Security legislative framework, especially in what constitutes processing of personal data, such as use, collection, retention, disclosure, transfer, deletion and others.
c) “DPA Terms” means the terms in the personal data processing agreement and any Product-specific terms in the “terms of the online services membership agreement” that specifically supplement or modify the privacy and security terms in the processing agreement for a specific Product (or functionality of a Product). In case of conflict or inconsistency between the DPA and these Product-specific terms, the Product-specific terms shall prevail over the DPA for that Product (or functionality of that Product).
d) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
e) “EU/EEA Local Data Protection Laws” means any subordinate laws and regulations implementing the GDPR and having a bearing on the processing of personal data.
f) “GDPR Terms” means the terms in Annex 1 under which Datanau gives binding commitments in relation to the processing of Personal Data as set out in Article 28 of the GDPR.
g) “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, as defined in Article 4(1) of the GDPR.
h) “Product” has the meaning set out in the “terms of the online services subscription agreement” (section 1.1(k)). For ease of reference, “Product” includes the Online Services and the Software.
i) “Products and Services” means Professional Products and Services. The application of this DPA to specific Professional Products and Services is subject to limitations in the Scope section of this DPA.
j) “Professional Services” means the following services:
1) Datanau’s consultancy services, consisting of planning, advisory, mentoring, data migration, implementation and software/solutions development services;
2) technical support services provided by Datanau that help customers identify and resolve issues affecting the Products, including technical support and any other commercial technical support services.
Professional Services do not include the Products or, for the purposes of this DPA only, Supplemental Professional Services.
k) “Professional Services Data” means all data, including all image, text, sound, video or software files provided to Datanau by or on behalf of the Customer (or which the Customer authorizes Datanau to obtain from a Product), or otherwise obtained or processed by or on behalf of Datanau through an engagement with Datanau to obtain Professional Services.
l) “2021 Standard Contractual Clauses” means the European Union Standard Data Protection Clauses, updated in 2021, for international transfers (contractor-to-contractor module) between Datanau and its suppliers for the transfer of personal data from contractors in the EEA to contractors established in other countries that do not ensure an adequate level of data protection as described in Article 46 of the GDPR, and approved by European Commission Decision 2021/914/EC dated June 4, 2021.
m) “Processor” means other contractors used by Datanau to process Customer Data, Professional Services Data and Personal Data as described in Article 28 of the GDPR.
n) “Supplemental Professional Services” means support requests escalated from support to a Product engineering team for resolution, as well as other Datanau consulting and support tasks provided in connection with the Products or a volume license agreement that is not included in the definition of Professional Services.
Lowercase terms used but not defined in this DPA, such as “personal data breach”, “data processing”, “data controller”, “processor”, “profiling”, “personal data” and “data subject” shall have the meanings set out in Article 4 of the GDPR.
3. GENERAL TERMS
3.1 COMPLIANCE WITH THE APPLICABLE LEGISLATIVE FRAMEWORK
Datanau will comply with the legal and legislative framework applicable to the respective provision of the Products and Services, especially with regard to Data Protection Law.
However, it should be noted that Datanau is not responsible for compliance with any laws or regulations applicable to the Customer or its industry that are not generally applicable to information technology service providers. Datanau does not determine whether Customer Data includes information subject to any specific law or regulation. All Security Incidents are subject to the terms of the Security Incident Notification section below.
Customer shall comply with all laws and regulations applicable to its use of the Products and Services, including laws relating to biometric data, confidentiality of communications and Data Protection Requirements.
The Customer is responsible for determining whether the Products and Services are suitable for the storage and processing of information, subject to any specific law or regulation, and for using the Products and Services in a manner consistent with the Customer’s legal and regulatory obligations.
The Customer is responsible for responding to any third-party request regarding its use of the Products and Services.
4. DATA PROTECTION TERMS
This section of the DPA includes the following subsections:
The DPA Terms apply to all Products and Services except those Products identified as excluded.
For the sake of clarity, the DPA Terms are only applicable to the processing of data in virtual environments controlled by Datanau and its subcontractors. This includes the data sent to Datanau by the Products and Services, but does not include the data that remains at the Customer’s premises or in any third-party operating environments selected by the Customer. For Supplemental Professional Services, Datanau only assumes the commitments in the Supplemental Professional Services section below.
Previews may employ privacy and security measures that are weaker or different from those normally present in the Products and Services. Unless otherwise specified, Customer shall not use Previews to process Personal Data or other data that is subject to legal or regulatory compliance requirements.
For the Products, the following terms in this DPA do not apply to Previews: Processing of Personal Data, GDPR and Data Security. For Professional Services, offers designated as Previews or Limited Availability only satisfy the terms of the Supplemental Professional Services.
4.2 NATURE AND PURPOSE OF THE PROCESSING AND OWNERSHIP OF THE DATA
Datanau will use and otherwise process Customer Data, Professional Services Data and Personal Data only as described and subject to the limitations set forth below:
a) to provide the Customer with the Products and Services in accordance with the Customer’s documented instructions;
b) for business operations in connection with the provision of the Products and Services to Customer.
As between the parties, Customer retains all right, title and interest in and to the Customer Data and the Professional Services Data. Datanau does not acquire any rights to the Customer Data or the Professional Services Data other than the rights Customer grants to Datanau in this section.
This paragraph does not affect Datanau’s rights in the software or services licensed by Datanau to Customer.
4.2.1 Data Processing to Provide the Products and Services to the Customer
For the purposes of this DPA, “providing” or “supplying” a Product consists of:
a) Making available the functional capabilities as licensed, configured and used by Customer and its users, including providing customized user experiences;
b) Troubleshooting (preventing, detecting and repairing problems);
c) Keeping the Products up to date and working properly, improving reliability, efficiency, quality, safety and productivity of users.
4.2.2 For the purposes of this DPA, to “provide” Professional Services is to:
a) Provide the Professional Services, including the provision of technical support services, professional planning, advice, guidance, data migration, implementation and software/solutions development;
b) Troubleshoot (prevent, detect, investigate, mitigate and repair problems, including Security Incidents and problems identified in the Professional Services or relevant Products during the provision of the Professional Services);
c) Enhance the delivery, effectiveness, quality and security of the Professional Services and underlying Products based on issues identified during the provision of the Professional Services, including correcting software defects and otherwise keeping the Products and Services up to date and functioning properly.
4.2.3 In each case, the provision of the Products and Services is done considering the security obligations under the Data Protection Requirements.
4.2.4 In providing the Products and Services, Datanau will not use or otherwise process Customer Data, Professional Services Data or Personal Data for the purposes of:
a) creation of user profiles;
b) advertising or similar commercial purposes;
c) market research aimed at creating new features, services or products, or any other purpose, unless such use or processing of data is in accordance with the Customer’s documented instructions.
4.2.5 Incident Handling of Business Operations to Provide the Products and Services to the Customer
For the purposes of this DPA, “business operations” means the processing operations authorized by the Customer in this section. The Customer authorizes Datanau:
a) to create aggregated non-personal statistical data from data containing pseudonymized identifiers (such as usage logs containing pseudonymized unique identifiers); and
b) to calculate statistics related to Customer Data or Professional Services Data;
in each case, without accessing or analyzing the content of the Customer Data or Professional Services Data, and limited to achieving the purposes set out below, each in relation to the provision of the Products and Services to the Customer. These purposes are:
a) invoicing and account management;
b) compensation, e.g. calculating employee commissions and partner incentives;
c) internal reporting and business structuring, e.g. forecasting, revenue, capacity planning and product strategy;
d) financial reporting.
During the processing of data for these business operations, Datanau will apply the principles of data minimization and will not use or otherwise process Customer Data, Professional Services Data or Personal Data for:
a) the creation of user profiles;
b) advertising or other similar commercial purposes; or
c) any other purpose not set out in this section.
In addition, as with all processing under this DPA, processing for business operations remains subject to Datanau’s confidentiality commitments and obligations.
4.3 DISCLOSURE OF PROCESSED DATA
Datanau will not disclose or provide access to the Processed Data except:
1) if the Customer so directs;
2) as described in this DPA;
3) if required to do so by law.
For the purposes of this section, “Processed Data” means:
a) Customer Data;
b) Professional Services Data;
c) Personal Data;
d) any other data processed by Datanau in connection with the Products and Services which is confidential information of the Customer under the “terms of the online services membership agreement”.
Datanau will not disclose or give access to Processed Data to law enforcement and judicial authorities unless required to do so by legal obligation.
If Datanau is contacted by law enforcement or judicial authorities wishing to obtain Processed Data, Datanau will attempt to redirect them to request such data directly from the Customer. If Datanau is required to disclose or give access to Professional Services Data to law enforcement or judicial authorities, it will immediately notify the Customer and provide a copy of the request, unless it is legally prohibited from doing so.
Datanau will only disclose or provide access to any Processed Data if required by law, respecting the rights and freedoms of data subjects, in a manner that does not exceed what is necessary and proportionate to the purpose and, as applicable, to safeguard one of the purposes listed in Article 23(1) of the GDPR. Upon receipt of any request for access to Processed Data from a third party, Datanau will promptly notify the Customer unless legally prohibited from doing so. Unless required by a legal or statutory obligation, Datanau will reject the request. If the request is valid, Datanau will attempt to redirect the requesting entity to request the data directly from the Customer.
Datanau will not provide any third party with:
a) direct, indirect, unlimited or unrestricted access to the Processed Data;
b) the platform encryption keys used to protect the Processed Data or the ability to reverse such encryption;
c) access to the Processed Data if Datanau is aware that it will be used for purposes other than those described in the third-party request.
As part of the above, Datanau may provide the Customer’s basic contact information to third parties for the purpose of redirecting them to the Customer as described above.
4.4 PROCESSING OF PERSONAL DATA UNDER GDPR
All Personal Data processed by Datanau in connection with the provision of the Products and Services is obtained as part of the following:
a) Customer Data;
b) Professional Services Data, or;
c) Data generated, obtained or collected by Datanau, including data as a result of the Customer’s use of service-based features or obtained by Datanau from locally installed software.
Personal Data provided to Datanau by or on behalf of the Customer through the Online Service is also Customer Data. Personal Data provided to Datanau by or on behalf of the Customer through the use of Professional Services is also Professional Services Data. Pseudonymized identifiers may be included in data processed by Datanau in connection with the provision of the Products, which is also Personal Data. Any Personal Data that is pseudonymized or de-identified but not anonymized is also Personal Data.
To the extent that Datanau is a contractor or processor that processes Personal Data subject to the GDPR, the GDPR Terms in Annex 1 govern such processing, and the parties further agree to the following terms in this subsection (“Processing of Personal Data subject to the GDPR”).
4.4.1 ROLES AND RESPONSIBILITIES OF CONTRACTOR AND DATA CONTROLLER
The Customer and Datanau agree that the former is the controller of the Personal Data and Datanau is the processor for the purposes of liability under the legal regime for the protection of personal data. When Datanau acts as a contractor or subcontractor in respect of Personal Data, it will process it only upon documented instructions from the Customer.
The Customer accepts that its “terms of the online services agreement” (including the DPA Terms and any applicable updates), together with the Customer’s use and configuration of the functionalities in the Products, constitute the Customer’s complete documented instructions to Datanau with respect to the processing of Personal Data; for Professional Services, the Professional Services documentation and the Customer’s use of the Professional Services constitute those instructions.
Any additional or alternative instructions must be agreed in accordance with the process for amending the Customer Agreement. In any instance where the GDPR is applicable and Customer is itself a contractor, Customer warrants to Datanau that Customer’s instructions, including Datanau’s engagement as a contractor or processor, have been authorized by the data controller.
To the extent that Datanau uses or otherwise processes Personal Data subject to the GDPR for business operations in connection with the provision of the Products and Services to the Customer, Datanau will comply with its obligations as a data controller under the GDPR for this purpose.
Datanau accepts the additional responsibilities of data controller under the GDPR in order to:
a) act consistently with regulatory requirements to the extent required under the GDPR;
b) provide greater transparency to Customers and confirm Datanau’s responsibility for this processing.
Datanau employs safeguards to protect Customer Data, Professional Services Data and Personal Data in these data processing operations, including the safeguards identified in this DPA and those contemplated in Article 6(4) of the GDPR. In relation to the processing of Personal Data under this paragraph, Datanau undertakes the commitments set out in the Additional Safeguards section for the purposes specified:
a) any disclosure of Personal Data by Datanau as described in the Additional Safeguards section that has been transferred in the course of Datanau’s legitimate business operations is considered a “Relevant Disclosure”;
b) the commitments in the Additional Safeguards section apply to this Personal Data.
4.4.2 DATA PROCESSING DETAILS
The parties acknowledge and agree that:
a) Subject Matter. The subject matter of the data processing is limited to Personal Data within the scope of the section of this DPA entitled “Nature and Purpose of the Processing and Ownership of the Data”;
b) Duration of the Data Processing. The duration of the Processing shall be in accordance with the Customer’s instructions and the terms of the DPA.
c) Nature and Purpose of Data Processing. The nature and purpose of the Data Processing shall be to make available the Products and Services arising from the “terms of the online services subscription agreement” and for business operations in connection with the provision of the Products and Services to the Customer, as further described in the section of this DPA entitled “Nature and Purpose of the Processing and Ownership of the Data” above.
d) Categories of Data. The types of Personal Data processed by Datanau in providing the Products and Services include:
I) Personal Data that Customer chooses to include in Customer Data and Professional Services Data;
II) those expressly identified in Article 4 of the GDPR that may be generated, obtained or collected by Datanau, including data submitted to Datanau as a result of Customer’s use of service-based features, or obtained by Datanau from locally installed software.
The types of Personal Data that Customer chooses to include in Customer Data and Professional Services Data may fall within any categories of Personal Data identified in the records maintained by Customer acting as data controller pursuant to Article 30 of the GDPR, including the categories of Personal Data set out in Appendix B.
e) Data Subjects. Data subjects fall into the categories of Customer representatives and end users (such as employees, contractors, collaborators and customers), and may include any other categories of data subjects identified in the records kept by the Customer acting as data controller pursuant to Article 30 of the GDPR, including the categories of data subjects set out in Appendix B.
4.4.3 RIGHTS OF THE DATA SUBJECT AND ASSISTANCE IN EXERCISE REQUESTS
Datanau will ensure the ability to respond to data subjects’ requests to exercise their rights under the GDPR.
If Datanau receives a request from a Customer’s data subject to exercise one or more of their rights under the GDPR in connection with the Products and Services for which Datanau is a data contractor or processor, Datanau will direct the data subject to send the request directly to the Customer. Customer will be responsible for responding to any such requests, including, where necessary, through the functionality of the Products and Services. Datanau shall act in accordance with the reasonable requests made by the Customer to assist it in responding to this type of request from the data subject.
4.4.4 RECORDS OF DATA PROCESSING ACTIVITIES
To the extent that the GDPR requires Datanau to collect and maintain records of certain information relating to the Customer, the Customer will, upon request, provide this information to Datanau and keep it accurate and up-to-date. Datanau may make any part of this information available to the supervisory authority if required by the GDPR.
4.5 DATA SECURITY
a) Security Policies and Practices
Datanau will implement and maintain appropriate technical and organizational measures to protect Customer Data, Professional Services Data and Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. These measures will be set out in a Datanau Cybersecurity Capabilities Policy. Datanau will make such policy available to Customer, along with other information reasonably requested by Customer regarding Datanau’s security practices and policies, and a description of the security controls for these requirements may be made available for each product.
Each Online Service and Professional Service implements and maintains the security measures set forth in Appendix A for the protection of Customer Data and Professional Services Data. Datanau may update cybersecurity measures as required by government or industry standards at any time.
b) Data Encryption
Customer Data and Professional Services Data (each including any Personal Data contained therein) in transit over public networks between Customer and Datanau are encrypted by default.
Datanau also encrypts Customer Data stored inactive in the Online Services and Professional Services Data stored inactive. In the case of Online Services in which the Customer, or third parties acting on behalf of the Customer, can manage some configurations of the applications, the encryption of the data stored in them may be applied at the discretion of the Customer, through the functionalities provided by Datanau or obtained by the Customer from third parties.
c) Access to Data
Datanau employs least-privileged access mechanisms to control access to Customer Data and Professional Services Data (including any Personal Data contained therein). Function-based and limited access controls are employed to ensure that access to Customer Data and Professional Services Data necessary for service activities is for an appropriate and approved purpose with management supervision. For the Online Services and Professional Services, Datanau maintains the Access Control mechanisms described in the table entitled “Security Measures” in Appendix A, and there is no active access by Datanau personnel to Customer Data and any necessary access is of limited duration.
d) Customer Responsibilities
It is the Customer’s sole responsibility to independently determine whether the technical and organizational measures for the Products and Services meet the Customer’s requirements, including any security obligations under the applicable Data Protection Requirements.
Customer acknowledges and agrees that (considering state-of-the-art techniques, the costs of implementation and the nature, scope, context and purposes of the processing of its Personal Data, as well as the risks to data subjects) the security practices and policies implemented and maintained by Datanau provide a level of security appropriate to the risk relating to its Personal Data. It is the Customer’s sole responsibility to implement and maintain privacy protections and security measures in components that the Customer provides or controls.
e) Audit Compliance
Datanau may audit the security of the computers, IT environment and physical data centers it uses to process Customer Data, Professional Services Data and Personal Data as follows:
1) where audits are planned under a standard or framework, at least once a year;
2) each audit shall be carried out in accordance with the standards and rules of the regulatory or accreditation body for each applicable standard or control framework;
3) each audit will be carried out by qualified and independent third-party security auditors selected and paid for by Datanau.
Each audit may result in a report (“Datanau Audit Report”), which Datanau will make available on a need-to-know basis and upon request to those entitled.
The Datanau Audit Report constitutes Datanau Confidential Information and will clearly disclose the scope of the audit and any material findings of the auditor. Datanau will address issues raised in the Audit Report in accordance with the auditor’s requirements. If requested by the Customer, Datanau may review the request and, if legitimate, provide portions of the audit report, subject to the non-disclosure and distribution limits established between Datanau and the auditor.
To the extent that Customer’s audit requirements under the Data Protection Requirements cannot reasonably be satisfied through audit reports, documentation or compliance information that Datanau makes available to its customers generally, Datanau may cooperate with Customer’s requests for additional audit instructions.
Prior to the commencement of an audit, the Customer and Datanau shall mutually agree on the scope, timing, duration, control and evidence requirements, and audit fees, provided that this requirement for agreement shall not permit Datanau to unreasonably delay the performance of the audit. To the extent necessary to perform the audit, Datanau will make available the systems, facilities and documentation supporting the processing of data relevant to the processing of Customer Data, Professional Services Data and Personal Data by Datanau, its Affiliates and its Subcontractors.
This audit will be carried out by an independent auditor, during normal business hours, with reasonable notice to Datanau, and subject to such confidentiality procedures as are reasonable. The Customer and the auditor will not have access to any data of other customers of Datanau, or to Datanau’s systems or facilities other than those used in connection with the provision of the applicable Products and Services.
The Customer is responsible for all costs and fees related to the audit, including all reasonable costs and fees for any and all time that Datanau devotes to the audit, plus fees for services provided by Datanau. If the audit report generated following Customer’s audit includes any finding of material non-compliance, Customer will share this report with Datanau, which will promptly remedy any material non-compliance.
Nothing in this section of the DPA varies or modifies the GDPR Terms, nor does it affect any rights of the data subject or the supervisory authority under the Data Protection Requirements.
4.6 SECURITY INCIDENT NOTIFICATION
If Datanau becomes aware of a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data, Professional Services Data or Personal Data during the processing thereof by Datanau (individually, a “Security Incident”), Datanau will immediately and without undue delay proceed to:
1) notify the Customer of the Security Incident;
2) investigate the Security Incident and provide the Customer with detailed information about the Security Incident;
3) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
Notifications of Security Incidents will be delivered to the Customer by any means Datanau elects, including by email. It is the Customer’s sole responsibility to ensure that its contact information is current and accurate with Datanau for each applicable Product and Professional Service.
Customer is solely responsible for complying with its obligations under the incident reporting laws applicable to Customer and for complying with any third-party reporting obligations related to any Security Incident.
Datanau will use reasonable endeavors to assist Customer in complying with its obligations under Article 33 of the GDPR or other applicable laws or regulations to notify the relevant supervisory authority and data subjects of a Security Incident.
Datanau’s notification or response to a Security Incident under this section does not represent an acknowledgement of any fault or liability in relation to the Security Incident.
Customer shall notify Datanau immediately of any possible misuse of its accounts or authentication credentials, or of any security incident related to the Products and Services.
4.7 LOCATION AND DATA TRANSFERS
a) Data Transfers
Customer Data, Professional Services Data and Personal Data that Datanau processes on behalf of Customer may not be transferred to, or stored and processed in, a geographic location except in accordance with the DPA Terms and the safeguards provided below in this section.
In view of these safeguards, Customer designates Datanau to transfer Customer Data, Professional Services Data and Personal Data to the United States – USA or any other country in which Datanau, or its Subcontractors, operates, and to store and process Customer Data and Personal Data to provide the Products, except as described elsewhere in the DPA Terms.
All transfers of Customer Data, Professional Services Data and Personal Data outside the European Union, European Economic Area, United Kingdom and Switzerland to provide the Products and Services shall be governed by the Standard Contractual Clauses 2021 implemented by Datanau. All transfers of Personal Data to a third country or an international organization will be subject to appropriate safeguards as described in Article 46 of the GDPR, and these transfers and safeguards will be documented in accordance with Article 30(2) of the GDPR.
b) Location of Inactive Customer Data
For the Online Services, Datanau will store inactive Customer Data in certain key geographic areas (each, a Geographic Region) as set out in the terms of the online services subscription agreement (Section 4(B)).
Datanau does not control or limit the regions from which Customer or Customer’s end users may access Customer Data or move Customer Data.
4.8 CONSERVATION AND DELETION OF DATA
During the applicable Professional Services subscription or commitment period, Customer will have the ability to access, extract and delete Customer Data stored in each Online Service and the Professional Services Data.
Except for free trial versions, Datanau will retain Customer Data that remains stored in the Online Services in a limited functionality account for 90 days after the expiration or termination of Customer’s subscription in order for Customer to extract the data. Once the retention period is over, Datanau will deactivate the Customer’s account and delete the Customer Data and Personal Data stored in the Online Services within an additional 90 days, unless the retention of such data is authorized under this DPA.
For Software-related Personal Data and Professional Services Data, Datanau will delete all copies after the business purposes for which they were collected or transferred have been achieved, and may proceed with preliminary deletion at Customer’s request, unless retention of such data is authorized under this DPA.
The Online Service may not support the retention or extraction of software provided by the Customer. Datanau is not responsible for the deletion of Customer Data, Professional Services Data or Personal Data as described in this section.
4.9 CONTRACTOR'S CONFIDENTIALITY COMMITMENT
Datanau ensures that its staff involved in the processing of Customer Data, Professional Services Data and Personal Data:
I) will process this data only upon instructions from the Customer or as described in this DPA, and
II) will be obligated to maintain the confidentiality and security of such data even after termination of the engagement.
Datanau shall ensure periodic and mandatory data security and privacy training and awareness for its employees with access to Customer Data, Professional Services Data and Personal Data in accordance with the Data Protection Requirements and applicable industry standards.
4.10 NOTIFICATION AND CONTROLS ON USE BY PROCESSORS
Datanau may engage Subcontractors to provide certain limited or ancillary services on its behalf. The Customer hereby consents to this engagement and to Datanau’s Affiliates as Subcontractors. The above consents shall constitute the Customer’s prior written consent to Datanau’s outsourcing of the processing of Customer Data, Professional Services Data and Personal Data if such consent is required under the Standard Contractual Clauses or the GDPR Terms.
Datanau is responsible for the compliance of its Subcontractors with the obligations in this DPA. Datanau will make information about its Subcontractors available upon request by the Customer. When engaging any Subcontractor, Datanau will ensure, by a written agreement, that the Subcontractor may access the Customer Data, Professional Services Data or Personal Data and use it only to provide the services instructed by Datanau, and that they are prohibited from using the Customer Data, Professional Services Data or Personal Data for any other purpose. Datanau will ensure that Subcontractors are bound by written contracts that require them to provide at least the level of data protection required by Datanau in the DPA, including limitations on the disclosure of Processed Data. Datanau agrees to supervise the Processors to ensure that these contractual obligations are met.
Datanau may, from time to time, engage new Subcontractors and will notify the Customer if the Customer so requests, providing a mechanism to obtain notice of such update. If Datanau engages a new Subcontractor for a new Product or Professional Service that processes Customer Data, Professional Services Data or Personal Data, Datanau will notify the Customer prior to the availability of that Product or Professional Service, through its website.
If Customer does not approve a new Subcontractor for an Online Service or Professional Services, Customer may terminate any subscription to the affected Online Service or the applicable Statements of Services for the applicable Professional Service, respectively, without a penalty or fee for termination by providing written notice of termination prior to the end of the relevant notice period. If Customer does not approve a new Subcontractor for the Software, and Customer cannot reasonably prevent the use of the Subcontractor by restricting Datanau from processing the data as set forth in the documentation or this DPA, Customer may terminate any license to the affected software product without penalty by providing written notice of termination prior to the end of the relevant notice period.
Customer may also include an explanation of the reasons for non-approval with the notice of termination to allow Datanau to re-evaluate any such new Subcontractor based on applicable concerns. If the affected Product is part of a suite of applications (or a similar single purchase of services), any termination will apply to the entire suite of applications. Upon termination, Datanau will remove payment obligations for any subscriptions or other unpaid work applicable for the terminated Products or Services from Customer’s or its reseller’s subsequent invoices.
4.11 BIOMETRIC DATA
If Customer uses Products and Services to process Biometric Data, Customer is responsible for:
I) notifying data subjects, including regarding retention periods and destruction;
II) obtaining the consent of the data subjects;
III) deleting the Biometric Data as appropriate and required by applicable Data Protection Requirements.
Datanau will process such Biometric Data in accordance with Customer’s documented instructions (as described in the “Roles and Responsibilities of Contractor and Data Controller” section above) and will protect such Biometric Data in accordance with the data protection and security terms under this DPA. For the purposes of this section, “Biometric Data” shall have the meaning set out in Article 4 of the GDPR and, where applicable, the equivalent terms under other applicable EU and national Data Protection Requirements.
4.12 SUPPLEMENTARY PROFESSIONAL SERVICES
When used in the sections listed below, the defined term “Professional Services” includes Supplemental Professional Services and the defined term “Professional Services Data” includes data obtained for Supplemental Professional Services.
For Supplemental Professional Services, the following sections of the DPA apply in the same manner as Professional Services: “Introduction”, “Compliance with Laws”, “Nature of Data Processing; Ownership”, “Disclosure of Data Processed”, “Processing of Personal Data under the GDPR”, the first paragraph of “Security Practices and Policies”, “Customer Responsibilities”, “Security Incident Notification”, “Data Transfer” (including the terms relating to the 2021 Standard Contractual Clauses), the third paragraph of “Data Retention and Disposal”, “Contractor’s Confidentiality Commitment”, “Notification and Controls on Use by Processors”, “Biometric Data”, “How to Contact Datanau”, “Appendix B – Data Subjects and Categories of Personal Data” and “Appendix C – Addendum Regarding Additional Safeguards”.
4.13 HOW TO CONTACT DATANAU
If the Customer believes that Datanau has not complied with its privacy and security commitments, the Customer may contact customer support or use Datanau’s Privacy web form.
Datanau’s physical address is:
DATANAU – I.T CONSULTANCY
Dom Afonso Henriques 1613 R/C, 4820-090 Fafe, Portugal.
Datanau’s Data Protection Officer – DPO can be contacted at the following email address:
APPENDIX A – SECURITY MEASURES
Datanau has implemented and will keep the Customer Data in the Online Services and Professional Services Data secured by the following security measures which, together with the data protection commitments in this DPA (including the GDPR Terms), are the sole responsibility of Datanau.
Security measures and practices, by domain:
Domain: Organization of Information Security
Security Ownership. Datanau has appointed one or more security officers responsible for coordinating and monitoring the security rules and procedures.
Security Roles and Responsibilities. Datanau personnel with access to Customer Data or Professional Services Data are subject to confidentiality obligations.
Risk Management Program. Datanau performed a risk assessment before processing the Customer Data or launching the Online Services, and before processing Professional Services Data or launching the Professional Services.
Datanau retains its security documents pursuant to its retention requirements after they are no longer in effect.
Asset Inventory. Datanau maintains an inventory of all media on which Customer Data or Professional Services Data is stored. Access to the inventories of such media is restricted to Datanau personnel authorized in writing to have such access.
Datanau classifies Customer Data and Professional Services Data to help identify it and to allow for access to it to be appropriately restricted.
Datanau imposes restrictions on printing Customer Data and Professional Services Data and has procedures for disposing of printed materials that contain such data.
Datanau personnel must obtain Datanau authorization prior to storing Customer Data or Professional Services Data on portable devices, remotely accessing such data, or processing such data outside Datanau’s facilities.
Domain: Human Resources Security
Security Training. Datanau informs its personnel about relevant security procedures and their respective roles. Datanau also informs its personnel of possible consequences of breaching the security rules and procedures. Datanau will only use anonymous data in training.
Domain: Physical and Environmental Security
Physical Access to Facilities. Datanau limits access to facilities where information systems that process Customer Data or Professional Services Data are located to identified authorized individuals.
Physical Access to Components. Datanau maintains records of the incoming and outgoing media containing Customer Data or Professional Services Data, including the kind of media, the authorized sender/recipients, date and time, the number of media and the types of such data they contain.
Protection from Disruptions. Datanau uses a variety of industry standard systems to protect against loss of data due to power supply failure or line interference.
Component Disposal. Datanau uses industry standard processes to delete Customer Data and Professional Services Data when it is no longer needed.
Domain: Communications and Operations Management
Operational Policy. Datanau maintains security documents describing its security measures and the relevant procedures and responsibilities of its personnel who have access to Customer Data or Professional Services Data.
Data Recovery Procedures
On an ongoing basis, but in no case less frequently than once a week (unless no updates have occurred during that period), Datanau maintains multiple copies of Customer Data and Professional Services Data from which such data can be recovered.
Datanau stores copies of Customer Data and Professional Services Data and data recovery procedures in a different place from where the primary computer equipment processing the Customer Data and Professional Services Data are located.
Datanau has specific procedures in place governing access to copies of Customer Data and Professional Services Data.
Datanau reviews data recovery procedures at least every six months, except for data recovery procedures for Professional Services and for Azure Government Services, which are reviewed every twelve months.
Datanau logs data restoration efforts, including the person responsible, the description of the restored data and, where applicable, which data (if any) had to be input manually in the data recovery process.
Malicious Software. Datanau has anti-malware controls to help avoid malicious software gaining unauthorized access to Customer Data and Professional Services Data, including malicious software originating from public networks.
Data Beyond Boundaries
Datanau encrypts, or enables Customer to encrypt, Customer Data and Professional Services Data that is transmitted over public networks.
Datanau restricts access to Customer Data and Professional Services Data in media leaving its facilities.
Event Logging. Datanau logs, or enables Customer to log, access and use of information systems containing Customer Data or Professional Services Data, registering the access ID, time, authorization granted or denied, and relevant activity.
Access Policy. Datanau maintains a record of security privileges of individuals having access to Customer Data or Professional Services Data.
Datanau maintains and updates a record of personnel authorized to access Datanau systems that contain Customer Data or Professional Services Data.
Datanau deactivates authentication credentials that have not been used for a period of time not to exceed six months.
Datanau identifies those personnel who may grant, alter or cancel authorized access to data and resources.
Datanau ensures that where more than one individual has access to systems containing Customer Data or Professional Services Data, the individuals have separate identifiers/log-ins.
Technical support personnel are only permitted to have access to Customer Data and Professional Services Data when needed.
Datanau restricts access to Customer Data and Professional Services Data to only those individuals who require such access to perform their job function.
Integrity and Confidentiality
Datanau instructs Datanau personnel to disable administrative sessions when leaving premises Datanau controls or when computers are otherwise left unattended.
Datanau stores passwords in a way that makes them unintelligible while they are in force.
Datanau uses industry standard practices to identify and authenticate users who attempt to access information systems.
Where authentication mechanisms are based on passwords, Datanau requires that the passwords are renewed regularly.
Where authentication mechanisms are based on passwords, Datanau requires the password to be at least eight characters long.
Datanau ensures that de-activated or expired identifiers are not granted to other individuals.
Datanau monitors, or enables Customer to monitor, repeated attempts to gain access to the information system using an invalid password.
Datanau maintains industry standard procedures to deactivate passwords that have been corrupted or inadvertently disclosed.
Datanau uses industry standard password protection practices, including practices designed to maintain the confidentiality and integrity of passwords when they are assigned and distributed, and during storage.
Network Design. Datanau has controls to avoid individuals assuming access rights they have not been assigned to gain access to Customer Data or Professional Services Data they are not authorized to access.
Domain: Information Security Incident Management
Incident Response Process
Datanau maintains a record of security breaches with a description of the breach, the time period, the consequences of the breach, the name of the reporter, and to whom the breach was reported, and the procedure for recovering data.
For each security breach that is a Security Incident, notification by Datanau (as described in the “Security Incident Notification” section above) will be made without undue delay and, in any event, within 72 hours.
Datanau tracks, or enables Customer to track, disclosures of Customer Data and Professional Services Data, including what data has been disclosed, to whom, and at what time.
Service Monitoring. Datanau security personnel verify logs at least every six months to propose remediation efforts if necessary.
Domain: Business Continuity Management
Datanau maintains emergency and contingency plans for the facilities in which Datanau information systems that process Customer Data or Professional Services Data are located.
Datanau’s redundant storage and its procedures for recovering data are designed to attempt to reconstruct Customer Data and Professional Services Data in its original or last-replicated state from before the time it was lost or destroyed.
APPENDIX B – DATA SUBJECTS AND CATEGORIES OF PERSONAL DATA
Data subjects: Data subjects include the Customer’s representatives and end-users including employees, contractors, collaborators, and customers of the Customer. Data subjects may also include individuals attempting to communicate or transfer personal information to users of the services provided by Datanau.
Datanau acknowledges that, depending on Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following types of data subjects in the personal data:
a) Employees, contractors and temporary workers (current, former, prospective) of Customer;
b) Dependents of the above;
c) Customer’s collaborators/contact persons (natural persons) or employees, contractors or temporary workers of legal entity collaborators/contact persons (current, prospective, former);
d) Users (e.g., customers, clients, patients, visitors, etc.) and other data subjects that are users of Customer’s services;
e) Partners, stakeholders or individuals who actively collaborate, communicate or otherwise interact with employees of the Customer and/or use communication tools such as apps and websites provided by the Customer;
f) Stakeholders or individuals who passively interact with Customer (e.g., because they are the subject of an investigation, research or mentioned in documents or correspondence from or to the Customer);
g) Minors; or
h) Professionals with professional privilege (e.g., doctors, lawyers, notaries, religious workers, etc.).
Categories of data: The personal data that is included in e-mail, documents and other data in an electronic form in the context of the Products and Services. Datanau acknowledges that, depending on Customer’s use of the Products and Services, Customer may elect to include personal data from any of the following categories in the personal data:
a) Basic personal data (for example place of birth, street name and house number (address), postal code, city of residence, country of residence, mobile phone number, first name, last name, initials, email address, gender, date of birth), including basic personal data about family members and children;
b) Authentication data (for example user name, password or PIN code, security question, audit trail);
c) Contact information (for example addresses, email, phone numbers, social media identifiers; emergency contact details);
d) Unique identification numbers and signatures (for example Social Security number, bank account number, passport and ID card number, driver’s license number and vehicle registration data, IP addresses, employee number, student number, patient number, signature, unique identifier in tracking cookies or similar technology);
e) Pseudonymous identifiers;
f) Financial and insurance information (for example insurance number, bank account name and number, credit card name and number, invoice number, income, type of assurance, payment behavior, creditworthiness);
g) Commercial Information (for example history of purchases, special offers, subscription information, payment history);
h) Biometric Information (for example DNA, fingerprints and iris scans);
i) Location data (for example, Cell ID, geo-location network data, location by start call/end of the call. Location data derived from use of wifi access points);
j) Photos, video and audio;
k) Internet activity (for example browsing history, search history, reading, television viewing, radio listening activities);
l) Device identification (for example IMEI-number, SIM card number, MAC address);
m) Profiling (for example based on observed criminal or anti-social behavior or pseudonymous profiles based on visited URLs, click streams, browsing logs, IP-addresses, domains, apps installed, or profiles based on marketing preferences);
n) HR and recruitment data (for example declaration of employment status, recruitment information (such as curriculum vitae, employment history, education history details), job and position data, including worked hours, assessments and salary, work permit details, availability, terms of employment, tax details, payment details, insurance details and location and organizations);
o) Education data (for example education history, current education, grades and results, highest degree achieved, learning disability);
p) Citizenship and residency information (for example citizenship, naturalization status, marital status, nationality, immigration status, passport data, details of residency or work permit);
q) Information processed for the performance of a task carried out in the public interest or in the exercise of an official authority;
r) Special categories of data (for example racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions or offences); or
s) Any other personal data identified in Article 4 of the GDPR.
APPENDIX C – ADDITIONAL SAFEGUARDS ADDENDUM
By this Additional Safeguards Addendum to the DPA (this “Addendum”), Datanau provides additional safeguards to Customer for the processing of personal data, within the scope of the GDPR, by Datanau on behalf of Customer and additional redress to the data subjects to whom that personal data relates.
This Addendum supplements and is made part of, but is not in variation or modification of, the DPA.
1) Challenges to Orders. In the event Datanau receives an order from any third party for compelled disclosure of any personal data processed under this DPA, Datanau shall:
a) use every reasonable effort to redirect the third party to request data directly from Customer;
b) promptly notify Customer, unless prohibited under the law applicable to the requesting third party, and, if prohibited from notifying Customer, use all lawful efforts to obtain the right to waive the prohibition in order to communicate as much information to Customer as soon as possible; and
c) use all lawful efforts to challenge the order for disclosure on the basis of any legal deficiencies under the laws of the requesting party or any relevant conflicts with applicable law of the European Union or applicable Member State law.
If, after the steps described in a. through c. above, Datanau or any of its affiliates remains compelled to disclose personal data, Datanau will disclose only the minimum amount of that data necessary to satisfy the order for compelled disclosure.
For purposes of this section, lawful efforts do not include actions that would result in a civil or criminal penalty, such as contempt of court, under the laws of the relevant jurisdiction.
2) Compensation of Data Subjects. Without prejudice to the foregoing, Datanau shall have no obligation to compensate the Data Subject under this Section 2 to the extent that the Data Subject has already received compensation for the same damage, whether from Datanau or another party.
3) Indemnification Conditions. Compensation under Section 2 is conditional on the data subject establishing, to the satisfaction of Datanau, that:
a) Datanau engaged in a Relevant Disclosure;
b) the Relevant Disclosure was the basis of an official proceeding by the non-EU/EEA government body or law enforcement agency against the data subject; and
c) the Relevant Disclosure directly caused the data subject to suffer material or non-material damage.
The data subject bears the burden of proof with respect to conditions a. through c.
Notwithstanding the foregoing, Datanau shall have no obligation to indemnify the data subject under Section 2 if Datanau establishes that the Relevant Disclosure did not violate its obligations under Chapter V of the GDPR.
4) Scope of Damages. Indemnification under Section 2 is limited to material and non-material damages as provided in the GDPR and excludes consequential damages and all other damages not resulting from Datanau’s infringement of the GDPR.
5) Exercise of Rights. Rights granted to data subjects under this Addendum may be enforced by the data subject against Datanau irrespective of any restriction in Clauses 3 or 6 of the Standard Contractual Clauses. The data subject may only bring a claim under this Addendum on an individual basis, and not part of a class, collective, group or representative action. Rights granted to data subjects under this Addendum are personal to the data subject and may not be assigned.
6) Notice of Change. Datanau agrees and warrants that it has no reason to believe that the legislation applicable to it or its sub-processors, including in any country to which personal data is transferred either by itself or through a sub-processor, prevents it from fulfilling the instructions received from the Customer and its obligations under this Addendum or the 2021 Standard Contractual Clauses. In the event of a change in this legislation which is likely to have a substantial adverse effect on the warranties and obligations provided by this Addendum or the Standard Contractual Clauses, Datanau will promptly notify Customer of the change as soon as it is aware of it, in which case Customer is entitled to suspend the transfer of data and/or terminate the contract.
ANNEX 1 - TERMS OF THE DATA PROCESSING AGREEMENT UNDER THE GDPR
Datanau makes the commitments in these GDPR Terms, to all customers effective May 25, 2018. These commitments are binding upon Datanau with regard to Customer regardless of:
1) the version of the Product Terms and DPA that is otherwise applicable to any given Product subscription or license; or
2) any other agreement that references this attachment.
For purposes of these GDPR Terms, Customer and Datanau agree that Customer is the controller of Personal Data and Datanau is the processor of such data, except when Customer acts as a processor of Personal Data, in which case Datanau is a subprocessor. These GDPR Terms apply to the processing of Personal Data, within the scope of the GDPR, by Datanau on behalf of Customer.
These GDPR Terms do not limit or reduce any data protection commitments Datanau makes to Customer in the Product Terms or other agreement between Datanau and Customer.
These GDPR Terms do not apply where Datanau is a controller of Personal Data.
1) Datanau supports Customer’s accountability obligations via this DPA and the product documentation provided to Customer, and will continue to do so during the term of Customer’s subscription or the applicable Professional Services engagement pursuant to subsection 3(h) below. (Article 5(2))
2) Processing by Datanau shall be governed by these GDPR Terms under European Union (hereafter “Union”) or Member State law, which are binding on Datanau with regard to Customer. The subject-matter and duration of the processing, the nature and purpose of the processing, the type of Personal Data, the categories of data subjects and the obligations and rights of the Customer are set forth in the Customer’s licensing agreement, including these GDPR Terms. In particular, Datanau shall:
a) process the Personal Data only on documented instructions from Customer, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which Datanau is subject; in such a case, Datanau shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
b) ensure that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) take all measures required pursuant to Article 32 of the GDPR;
d) respect the conditions referred to in paragraphs 1 and 3 for engaging another processor;
e) considering the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR;
f) assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Datanau;
g) at the choice of Customer, delete or return all the Personal Data to Customer after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data;
h) make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
Datanau shall immediately inform Customer if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. (Article 28(3))
3) Where Datanau engages another processor for carrying out specific processing activities on behalf of Customer, the same data protection obligations as set out in these GDPR Terms shall be imposed on that other processor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that other processor fails to fulfil its data protection obligations, Datanau shall remain fully liable to the Customer for the performance of that other processor’s obligations. (Article 28(4)).
4) Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Customer and Datanau shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing. (Article 32(1))
5) In assessing the appropriate level of security, account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed. (Article 32(2))
6) Customer and Datanau shall take steps to ensure that any natural person acting under the authority of Customer or Datanau who has access to Personal Data does not process them except on instructions from Customer, unless he or she is required to do so by Union or Member State law. (Article 32(4))
7) Datanau shall notify Customer without undue delay after becoming aware of a Personal Data breach. (Article 33(2)). Such notification will include that information a processor must provide to a controller under Article 33(3) to the extent such information is reasonably available to Datanau.