Data Protection Addendum
This Data Protection Addendum (“DPA”) is incorporated by reference into the Exceed Software-as-a-Service Agreement and all related orders for the Services between Exceed and Customer (collectively the “Agreement”), and governs the Processing of Personal Data by Exceed as a Processor on behalf of Customer (referred to hereinafter as “You”) under EU Data Protection Law. This DPA does not apply to Personal Data for which Exceed is a Controller.
The parties, in consideration of mutual obligations, hereby agree to the terms and conditions set forth below.
- General. The terms “Personal Data,” “Process/Processing,” “Controller,” “Processor,” and “Data Subject” have the meanings given to them under EU Data Protection Law; provided that the term “Personal Data” as used herein only applies to Personal Data for which Exceed is a Processor. All other capitalized terms used herein (including in the above preamble) will have the meaning set forth in this Section 1 or elsewhere in this DPA, unless otherwise defined in the Agreement.
- “Customer Data” means data referring to Users themselves (as defined in Section 1.11 below), any User Content (as defined in Section 1.12 below) or any information relating to Contacts (as such term is defined in the Agreement), in each case to the extent it constitutes Personal Data.
- “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including where applicable, EU Data Protection Law.
- “EEA” means the European Economic Area (including the United Kingdom).
- “EU Data Protection Law” means: (i) prior to 25 May 2018, the EU Directive 95/46/EC; and (ii) on and after 25 May 2018, GDPR.
- “EU Directive” means Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the Processing of personal data and on the free movement of such data.
- “General Data Protection Regulation” or “GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
- “Privacy Shield” means the European Union – United States (“US”) Privacy Shield Framework established by the US Department of Commerce and the European Commission.
- “Services” means any services as defined under the governing Agreement.
- “Sub-processor” means any Processor engaged by Exceed or its Affiliates (as defined in the Agreement) to assist in fulfilling its obligations to provide the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Exceed Affiliates.
- “Supervisory Authority” means an independent public authority, which is established by a European Union member state pursuant to the GDPR.
- “User” means any natural person who, as an employee of the Customer or otherwise authorized by the Customer, uses the Services.
- “User Content” means any content entered into the Services by Users for the purposes of the Agreement.
- Details of Data Processing
- Subject Matter. The subject matter of the data processing under this DPA is Customer Data to the extent it constitutes Personal Data.
- Duration. As between Exceed and You, the duration of the data processing under this DPA is the term of the Agreement.
- Purpose. The purpose of the data processing under this DPA is the provision of the Services to You and the performance of Your obligations under the Agreement and this DPA (or as otherwise agreed by the Parties).
- Categories of Data Subjects. Data Subjects consist of Your Users, the Contacts and other natural persons (i.e. third parties) who may be referred to in the User Content entered by Users into the Exceed software or into Your platforms that use the Services.
- Types of Personal Data. Regarding Users, the types of Personal Data collected by Exceed or its Services include personal identification information such as name, address and country. For third parties (such as Contacts), the types of Personal Data will be determined by the Users on a case-by-case basis, as required by Users in each individual case.
- Processing of Customer Personal Data
- Your Processing of Personal Data. You shall, in Your use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Your instructions for the Processing of Personal Data shall comply with all applicable Data Protection Laws. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which You acquired Personal Data. Specifically, You undertake to only introduce Personal Data to the Services for which You have either obtained a valid declaration of consent or may rely on another sufficient statutory basis to justify the Processing.
- Exceed’s Processing of Personal Data. Exceed shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Your documented instructions, namely: (i) in accordance with the Agreement and applicable Order Form(s); (ii) as initiated by Users in their use of the Services; and (iii) to comply with other documented reasonable instructions provided by You (e.g., via email or any other interface), where such instructions are consistent with the terms of the Agreement.
- Appointment of Sub-processors. You acknowledge and agree that (i) Exceed’s Affiliates may be retained as Sub-processors; and (ii) Exceed and Exceed’s Affiliates may engage third-party Sub-processors in connection with the provision of the Services. Exceed or an Exceed Affiliate has entered or will enter into a written agreement with each Sub-processor containing data protection obligations not less protective than those in this Agreement with respect to the protection of Customer Data, to the extent applicable to the specific services provided by such Sub-processor.
- Objection Right for New Sub-processors. Exceed will provide reasonable prior notice on its website if it intends to make any changes to its Sub-processors. You may object to Exceed’s use of a new Sub-processor in respect of the Services provided to You by notifying Exceed promptly in writing within ten (10) business days after Exceed’s notice is posted. In the event You object to a new Sub-processor, as permitted in the preceding sentence, Exceed will use reasonable efforts to make available to You a change in the Services or recommend a commercially reasonable change to Your configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening You. If Exceed is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, You may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by Exceed without the use of the objected-to new Sub-processor by providing written notice to Exceed. Exceed will refund You any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination of the affected Services.
- Liability. Exceed shall be liable for the acts and omissions of its Sub-processors to the same extent Exceed would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
- Security Measures. Exceed has implemented and will maintain appropriate technical and organizational security measures to protect the Personal Data from Customer Data Incidents (as defined below) and to preserve the security and confidentiality of the Personal Data (“Security Measures”).
- Updates to Security Measures. You are responsible for reviewing the information made available by Exceed relating to its Security Measures and making an independent determination as to whether the Services meet Your requirements and legal obligations under Data Protection Laws. You acknowledge that the Security Measures are subject to technical progress and development and that Exceed may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by You.
- Exceed restricts its personnel from Processing Your Personal Data without authorization by Exceed as set forth in the Security Measures, and shall ensure that any person who is authorized by Exceed to process Your Personal Data is under an appropriate obligation of confidentiality.
- Your Responsibilities. Notwithstanding the above, You agree that except as provided by this DPA, You are responsible for Your secure use of the Services, including securing Your account authentication credentials, protecting the security of the Personal Data when in transit to and from the Services, and taking any appropriate steps to securely encrypt or backup any of the Personal Data uploaded to the Services.
- Customer Data Incident Management and Response. Exceed shall notify You without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored, or otherwise Processed by Exceed or its Sub-processors (a “Customer Data Incident”). Exceed shall use reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Exceed deems reasonably necessary in order to remediate the cause of such Customer Data Incident to the extent the remediation is within Exceed’s reasonable control. The obligations herein shall not apply to incidents that are caused by You or Your Users.
- Audit Rights
Any provision of security attestation reports or audits shall take place in accordance with Your rights under the Agreement. If the Agreement does not include a provision regarding security attestation reports, Exceed shall provide a copy of its most current security attestation report upon Your written request no more than once annually. If the Agreement does not include audit rights, Exceed and You will discuss and agree in advance on the reasonable start date, scope and duration of, and the security and confidentiality controls applicable to, any audit, and Exceed reserves the right to charge a fee (based on Exceed’s reasonable costs) for any such audit. Exceed will provide further details of any applicable fee and the basis of its calculation to You in advance of such audit.
- Individual Data Subject Rights
Exceed shall, to the extent legally permitted, promptly notify You if it receives a request from a Data Subject to access, correct, or delete that person’s Personal Data or if a Data Subject objects to the Processing thereof (“Data Subject Request”). Exceed shall not respond to a Data Subject Request without Your prior written consent except to confirm that such request relates to You, to which You hereby agree. To the extent You, in Your use of the Services, do not have the ability to address a Data Subject Request, Exceed shall upon Your request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent Exceed is legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Data Protection Laws. To the extent legally permitted, You shall be responsible for any costs arising from Exceed’s provision of such assistance.
- Data Protection Impact Assessment and Prior Consultation
With effect from 25 May 2018, upon Your request, Exceed shall provide You with reasonable cooperation and assistance needed to fulfil Your obligation under the GDPR to carry out a data protection impact assessment related to Your use of the Services, to the extent You do not otherwise have access to the relevant information, and to the extent such information is available to Exceed. Exceed shall provide reasonable assistance to You in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 8, to the extent required under the GDPR.
- Deletion or Return of Personal Data
Upon the expiry of sixty (60) days following termination or expiration of the Agreement, Exceed shall delete all Customer Data, including Personal Data, in its possession or control such that it cannot be recovered or reconstructed; provided, however, that, unless prohibited by applicable Law, Exceed shall promptly delete Customer Data upon receipt of Your written request. This requirement shall not apply to the extent Exceed is required by applicable Law to retain some or all of the Customer Data, or to Customer Data it has archived on back-up systems, which Exceed shall securely isolate and protect from any further Processing, except to the extent required by Law.
- International Data Transfers
- Data Storage/Transfer. If You are established in the United Kingdom, the EEA, or Switzerland (collectively “Europe”), You acknowledge that Exceed will transfer Personal Data outside of Europe for Processing. Exceed shall ensure appropriate safeguards for the transfer and Processing of Personal Data outside of Europe in accordance with the requirements of EU Data Protection Law. The Parties acknowledge and agree that, in transferring and Processing Personal Data outside of Europe under this Agreement: (i) You are the Controller of Personal Data; (ii) Exceed is a Processor of such Personal Data; (iii) You will comply with Your obligations as a Controller under EU Data Protection Law; and (iv) Exceed will comply with its obligations as a Processor under EU Data Protection Law and this DPA.
- Adequate Level of Data Protection. To the extent that Exceed Processes any Personal Data originating from the EEA under the Agreement, the Parties acknowledge that Exceed shall be deemed to provide adequate protection for any such Personal Data by virtue of being incorporated in Israel. Under Commission Decision 2011/61/EU, the State of Israel is deemed to provide an adequate level of protection for personal data transferred from the European Union, which covers transfers to organizations such as both Exceed and the Customer.