VEEROTECH SYSTEMS, LLC
PERSONAL DATA PROCESSING ADDENDUM
Updated: May 25, 2018
This Personal Data Processing Addendum (“DPA”) is an addendum to the VeeroTech Systems LLC Terms of Service Agreement (“Service Agreement”), available here (https://www.veerotech.net/terms-service) entered into by and between you (hereinafter referred to as “Customer”) and VeeroTech Systems LLC, located at PO Box 135 – 921 Town Centre Blvd, Clayton, NC 27520 on behalf of itself and its Affiliates (hereinafter referred to as “VeeroTech”). Customer and VeeroTech shall be referred to jointly as the “Parties” and individually as a “Party”. Pursuant to the Service Agreement, Processor provides to Controller certain website hosting and related services (the “Services”).
This DPA is effective, as applicable:
(A) May 25, 2018 to any Customer who has signed up for our Services on or before that date; or
(B) The date on which Customer signed up for our Services and this DPA, if such date is after May 25, 2018.
This DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Data (defined in the Terms of Service) that is Personal Data (referred to herein as “Customer Personal Data”), including if:
(A) the processing is in the context of the activities of an establishment of Customer in the EEA; and/or
(B) Personal Data relates to data subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.
(A) The Customer and VeeroTech entered into the Service Agreement that may require the VeeroTech to process Personal Data on behalf of the Customer.
(B) This DPA sets out the additional terms, requirements and conditions on which the Processor will process Personal Data when providing services under the Service Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.
1. DEFINITIONS AND INTERPRETATION. The following definitions and rules of interpretation apply in this DPA; other definitions have the meaning given to them elsewhere in this DPA.
Adequate Country: means a country or territory that the recognized under Data Protection Legislation from time to time as providing adequate protection for Customer Personal Data.
Data Subject, Special Categories, Controller, Processor, Sub-Processor, Personal Data, Process, and Processing: have the meanings giving in the Data Protection Legislation.
Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.
Standard Contractual Clauses (SCC): the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.
1.2 This DPA is subject to the terms of the Service Agreement and is incorporated into the Service Agreement. Interpretations and defined terms set forth in the Service Agreement apply to the interpretation of this DPA. Except as amended by this DPA, the Service Agreement will remain in full force and effect. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Service Agreement.
1.3 The Annex form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annex.
1.4 A reference to writing or written includes faxes and email.
1.5 In the case of conflict or ambiguity between:
(a) any provision contained in the body of this DPA and any provision contained in the Annex, the provision in the body of this DPA will prevail;
(b) the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annex, the provision contained in the Annex will prevail;
(c) any of the provisions of this DPA and the provisions of the Service Agreement, the provisions of this DPA will prevail; and
(d) any of the provisions of this DPA and any executed SCC, the provisions of the executed SCC will prevail.
2. PERSONAL DATA TYPES; PROCESSING PURPOSES; AND CUSTOMER’S INSTRUCTIONS
2.1 Relationship. The Customer and VeeroTech acknowledge that for the purpose of the Data Protection Legislation, the Customer is a Controller or Processor and VeeroTech is the Processor of Customer Personal Data. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to VeeroTech.
2.2 Personal Data And Processing Purposes. Annex A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which VeeroTech may process to provide the Services pursuant to the Service Agreement. Customer acknowledges that it determines the categories of Personal Data, if any, that it processes through the Services.
2.3 Customer’s Instructions. Customer hereby instructs VeeroTech to (i) process Customer Personal Data for the purposes of providing services under the Service Agreement; and (ii) transfer Customer Personal Data to any country or territory, all as necessary for the provision of the Services, subject to the provisions in this DPA. Customer authorizes VeeroTech to instruct each Sub-Processor within the scope of the above or any other future instruction from Customer.
2.4 Warranty And Authorization. Customer warrants and represents that its use of the Services and VeeroTech’s use of the Customer Personal Data as permitted by this DPA will comply with the Data Protection Legislation. Customer further warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions on behalf of each relevant Customer Affiliate, if applicable. If Customer is a Processor, Customer represents and warrants that Customer’s instructions and actions with respect to Customer Personal Data, including the appointment of VeeroTech as another Processor, have been authorized by the relevant Controller.
2.5 Customer’s Security Responsibilities And Assessment.
(a) Customer agrees that, without prejudice to VeeroTech’s obligations under Sections 4 (Security) and 5 (Personal Data Breach): (i) Customer is solely responsible for its use of the Services, including: (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data that Customer chooses to process through the Services (e.g., choosing whether or not to encrypt the Customer Personal Data); and (2) securing the account authentication credentials, systems, and devices Customer uses to access the Processor Services; and (ii) VeeroTech has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of VeeroTech’s and its Sub-Processors’ systems (for example, if you use the Services in connection with Customer’s own hosting environment, whether provided by Customer directly or through a third party, VeeroTech is not responsible for that environment).
(b) Customer acknowledges and agrees that the security measures implemented and maintained by VeeroTech as described in Section 4 provide a level of security appropriate to the risk in respect to the Customer Personal Data that Customer chooses to process through the Service.
(c) If Customer uses the Services in connection with a cloud services provider, such as Amazon Web Services where Customer (and not VeeroTech) has a direct contractual relationship which that provider, then Customer must enter into a direct data processing agreement with that vendor, if required by the Data Protection Legislation, and this DPA does not apply to that processing.
3. VEEROTECH’S OBLIGATIONS
3.1 Processing Instructions. VeeroTech will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for providing the Services in accordance with the Customer’s documented or written instructions (including as set forth in this DPA). VeeroTech will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation, unless required by applicable laws. VeeroTech shall notify Customer if, in its opinion, Customer’s instruction would not comply with the Data Protection Legislation. An instruction, approval, request or similar, given via the VeeroTech online platform is considered a documented or written data processing instruction from Customer.
3.2 VeeroTech shall use commercially reasonable efforts to promptly comply with any Customer request or instruction requiring the VeeroTech to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorized processing, to the extent required by the Data Protection Legislation.
3.3 Assistance. VeeroTech will reasonably assist Customer, at Customer’s expense based on VeeroTech’s standard rates, with meeting Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of VeeroTech’s processing and the information available to VeeroTech, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. The scope of such assistance shall be limited to the processing of the Customer Personal Data by VeeroTech.
4.1 Personnel. VeeroTech shall ensure that all employees or contractors (“VeeroTech Personnel”) of VeeroTech who may have access to the Customer Personal Data, have such access only as necessary for the purposes of providing the Services and complying with applicable laws. Furthermore, all VeeroTech Personnel shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.2 Technical And Organizational Security Measures. VeeroTech shall in relation to the Customer Personal Data implement, or provide options for Customer to implement, appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to the GDPR. In assessing the appropriate level of security, each Party shall take into account the risks that are presented by processing, in particular from a Personal Data Breach. For the avoidance of doubt, Customer determines the categories of Personal Data, if any, that are processed by the Services, and where VeeroTech makes available different security options (e.g., whether or not to encrypt certain data), Customer is solely responsible for, and shall fully indemnify, defend, and hold VeeroTech harmless from such choices.
4.3 Confidentiality. VeeroTech will take appropriate steps to maintain the confidentiality of all Customer Personal Data and will not disclose Customer Personal Data to third parties unless Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires VeeroTech to process or disclose Customer Personal Data, VeeroTech shall first inform Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
5. PERSONAL DATA BREACH
5.1 Notification. VeeroTech shall notify Customer without undue delay, and within 36 hours, upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data. VeeroTech shall provide Customer with sufficient information to the extent in the possession of VeeroTech to allow Customer to meet any obligations to report or inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Legislation. Customer shall not issue any public statements regarding VeeroTech unless VeeroTech has first agreed in writing to the issuance of the public statement. Customer shall notify VeeroTech in advance of any written statements it makes to regulators or law enforcement regarding VeeroTech, unless otherwise prohibited by law. VeeroTech’s notification of or response to a Data Breach shall not be construed as acknowledgement by VeeroTech of any fault or liability with respect to the Data Breach.
5.2 Cooperation. VeeroTech shall cooperate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer’s sole expense, to the extent required by Data Protection Legislation.
5.3 Remediation. Notwithstanding the above, VeeroTech may take any steps to remediate or respond to Personal Data Breach, as required by applicable law, including providing notifications to the data subjects and/or relevant authorities.
6. CROSS-BORDER TRANSFERS OF PERSONAL DATA
VeeroTech is located in the United States and to the extent any processing of Customer Personal Data of Data Subjects located in the EEA by VeeroTech takes place in any country outside the EEA (other than exclusively in an Adequate Country), there must be a lawful basis for this transfer as required by the Data Protection Legislation. The Customer undertakes that it has received and can demonstrate that it has received the necessary consents and authorizations from the respective data subjects for the transfer of Customer Personal Data to a country outside the EEA (other than to an Adequate Country). To the extent that the Customer does not wish to rely on consent for the transfer, it may request VeeroTech firstname.lastname@example.org provide a draft of the Standard Contract Clauses. These Standard Contract Clauses, once agreed between the parties, will apply in respect of that processing. If, in the performance of the DPA, VeeroTech transfers any Customer Personal Data of Data Subjects located in the EU to a Sub-Processor (which shall include without limitation any affiliates of VeeroTech) and without prejudice to Section 7, where such Sub-Processor will process such Customer Personal Data outside the EEA (other than exclusively in an Adequate Country), VeeroTech shall ensure that a mechanism to achieve adequacy in respect of that processing is in place such as: (a) the requirement for VeeroTech to execute or procure that the third party execute on behalf of standard contractual clauses approved by the EU authorities under Data Protection Legislation; (b) the requirement for the third party to be certified under the Privacy Shield framework; or (c) the existence of any other specifically approved safeguard for data transfers (as recognized under the Data Protection Legislation) and/or a European Commission finding of adequacy.
Customer grants VeeroTech general authorization to engage Sub-Processors to provide the Services (including without limitation data center operators, spam filtering, hosting services, providers of anti-fraud and reporting services and other outsourced providers), provided that VeeroTech and the Sub-Processor enter into a contract on terms that are materially at least as protective as this DPA.
From time to time, we may engage new Sub-Processors under and subject to the terms of this DPA. In such case, we will provide 30 days advance notice (via our website and email) prior to any new Sub-Processor obtaining any Customer Personal Data. If you do not approve of a new Sub-processor, then Customer may terminate any applicable Services without penalty by providing, within 10 days or receipt of notice from us, written notice of termination that includes an explanation of the reasons for your non-approval. If the Services are part of a bundle or bundled purchase, then any termination will apply to its entirety. Subject to the terms of the applicable Service Agreement, VeeroTech shall remain fully liable to Customer for the performance of the Sub-Processor’s obligations.
8. COMPLAINTS, DATA SUBJECT REQUESTS, AND OTHER REQUIRED ASSISTANCE
8.1 Customer Obligations. Customer is and shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Legislation (e.g., for access, rectification, deletion of Customer Personal Data, etc.) VeeroTech shall reasonably assist Customer to the extent feasible in responding to requests to exercise Data Subject rights under the EU Data Protection Laws. As part of the Services, Customer may download Customer’s Personal Data through the Services (“Data Portability Right“). This Data Portability Right shall be provided as part of the service at no additional charge for the Customer.
8.2 VeeroTech Obligations. VeeroTech shall:
(a) promptly notify Customer if it receives a request from a Data Subject under Data Protection Legislation in respect of Customer Personal Data; and
(b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which the VeeroTech is subject.
9. AUDIT RIGHTS
9.1 VeeroTech shall make available to Customer, upon prior written request, all information necessary to reasonably demonstrate compliance with this DPA to the extent required by the EU Data Protection Laws. VeeroTech may provide industry-standard third-party audit certifications to demonstrate compliance.
9.2 VeeroTech shall allow for and contribute to audits, including inspections, by a reputable auditor mandated by Customer. The scope, duration and methods of such audit will be determined by both Parties in good faith. In any event, a third-party auditor shall be subject to confidentiality obligations. VeeroTech may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security or otherwise puts at risk the VeeroTech business.
9.3 Provisions of information and audits are at Customer’s sole expense, including fees charged by third party auditors appointed by Customer.
10 TERM AND TERMINATION
10.1 This DPA will remain in full force and effect so long as:
(a) the Service Agreement remains in effect, or
(b) VeeroTech retains any Customer Personal Data related to the Service Agreement in its possession or control (“Term”).
10.2 Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Service Agreement in order to protect Customer Personal Data will remain in full force and effect.
10.3 Either Party’s failure to comply with the terms of this DPA is a material breach of the Service Agreement. In such event, the non-breaching Party may terminate the Service Agreement effective immediately on written notice to the non-breaching Party without further liability or obligation.
10.4 If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Service Agreement obligations, the parties will suspend the processing of Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data processing into compliance with the Data Protection Legislation within 30 days, they may terminate the Service Agreement on written notice to the other party.
11. DATA RETURN AND DESTRUCTION
11.1 Customer may be provided controls that to retrieve or delete Customer Personal Data. Where VeeroTech does not provide such tools for the applicable Service, upon termination of the provision of Services, VeeroTech shall delete or return all copies of Customer Personal Data upon request, except as authorized or required to be retained in accordance with applicable law.
11.2 Upon Customer’s prior written request, VeeroTech shall provide written certification to Customer that it has fully complied with this section.
12.1 Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:
For Customer: The contact information on file for Customer, including via email.
For VeeroTech: PO Box 135 – 921 Town Centre Blvd, Clayton, NC 27520
12.2 Section 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
12.3 A notice given to VeeroTech under this DPA is not valid if sent by email unless the receipt of such email has been confirmed.
CHANGES TO THIS DPA.
13.1 VeeroTech may change this DPA if the change:
(a) reflects a change in the name or form of a legal entity;
(b) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or
(c) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, VeeroTech’s processing of Customer Personal Data; and (iii) otherwise have a material adverse impact on Customer’s rights under this DPA, as reasonably determined by VeeroTech.
13.2 Notification of Changes. If VeeroTech intends to change this DPA under Section 13.1(b) or (c), VeeroTech will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Services. If Customer objects to any such change, Customer may terminate the DPA by giving written notice to VeeroTech within 90 days of being informed by VeeroTech of the change.
PERSONAL DATA PROCESSING PURPOSES AND DETAILS
Subject matter of processing:
VeeroTech’s provision of website hosting services and any related technical support to Customer.
Duration of Processing:
The Term plus the period from the expiration of the Term until the deletion of all Customer Personal Data by VeeroTech in accordance with this DPA.
Nature of Processing:
VeeroTech provides website hosting services to assist its customers manage their own websites, including computing, storage, reporting, deleting.
Personal Data Categories:
Customer determines the categories of personal data that it processes through the Services.
Data Subject Types:
Data subject about whom personal data is transferred to VeeroTech in connection with the Services by, at the direction of, or on behalf of Customer.