DATA PROCESSING ADDENDUM (“DPA”)
The Standard Contractual Clauses (“SCC”), as issued by the European Commission (“EC”) on June 4th, 2021, are an integral part of this DPA and incorporated by reference. Customer must be aware of the latest version of these Standard Contractual Clauses.
2. Data Processing
2.1. Scope and Roles. This DPA applies when Customer Data is processed by Referral Factory, its employees, affiliates, or contractors, and Customer has uploaded Customer Data as part of the Agreement. Customer understands and agrees that Referral Factory will only act as Data Processor. Customer acknowledges that it acts as Data Controller and remains responsible and liable for Customer Data.
2.2. Dashboard Tools. Referral Factory must make available to Customer dashboard controls and tools so that Customer can rectify and/or delete inaccurate or outdated Customer Data. Customer represents it is aware of these dashboard tools where both Customer and end-user are able to manage Data Subject’s privacy rights.
2.3. Details of Data Processing
a. Subject Matter. The subject matter of data processing under this DPA and any other agreement is Customer Data.
b. Duration. The duration of the data processing under this DPA is determined by Customer, and follows the term of the Agreement.
c. Purpose. The purpose of the data processing under this DPA is to provide the services requested by Customer, offered to Data Subject and provided by Referral Factory.
d. Nature of the Processing. The storage, processing, and any other activities as described in the Agreement between Parties.
e. Type of Customer Data. Customer Data uploaded to Referral Factory’s dashboard under Customer’s account(s).
f. Categories of Data Subjects. Data Subjects may include Customer’s clients or customers, employees, suppliers, contractors, affiliates, and end-users.
g. Compliance. Each Party must comply with all applicable laws, rules, and regulations that are binding on Parties.
3. Data Processing Security
3.1. Duties. Customer and Referral Factory have implemented and will maintain the technical and organizational measures described in the relevant sections in this DPA. Parties have implemented and will maintain the technical and organizational measures mentioned in this section.
Referral Factory represents it has implemented:
Encryption, anonymization, and pseudonymization in order to ensure an appropriate level of security of Customer Data;
Technical measures to ensure the integrity, availability, resilience and confidentiality of our systems, dashboard and services, including measures to allow Customer to download and effectively archive Customer Data;
Technical and organizational measures to timely restore the availability and access to Customer Data in the event of a physical or technical incident;
A process for testing from time to time, assessing and evaluating the effectiveness of the technical and organizational measures mentioned in this DPA.
4.1. Authorised Sub-Processors.
4.2. Objection. In the event Customer objects to Referral Factory’s sub-processor(s) it may terminate the Agreement pursuant to its terms and conditions by sending a notice to Referral Factory.
4.3. Obligations and Responsibility. Referral Factory must restrict sub-processors access to Customer Data to the extent that is necessary to maintain services and dashboard access, and in accordance with Referral Factory’s legal obligations under this DPA.
4.4. Sub-Processor Level of Protection. Referral Factory will enter into a written agreement with each sub-processor and, to the extent that the Sub-processor performs the same data processing services provided by Referral Factory under this DPA, Referral Factory must impose on the sub-processor the same contractual obligations that Referral Factory has under this DPA.
4.5. No Liability. Customer understands and acknowledges that Referral Factory waives any responsibility and liability for any acts and/or omissions from sub-processors, and that may cause any material breach of this DPA or applicable privacy laws.
5. Data Subject Requests and Assistance
5.1. Assistance. Referral Factory shall assist Customer in fulfilling its obligations to respond to privacy requests from Data Subjects. Referral Factory will promptly forward requests from Data Subjects to Customer once it has been confirmed Customer is responsible for the data protection of that Data Subject.
5.2. Requests. Customer authorizes Referral Factory to respond to any Data Subject request received by Referral Factory. In addition such requests must be forwarded to Customer, and Parties may agree about Referral Factory’s duties regarding such a request.
5.3. Data Control. Referral Factory must implement appropriate data control measures and provide Customer the proper dashboard tools to restore, access and delete Customer Data. In the case of a technical or physical incident, Referral Factory must have a mechanism to backup and/or restore Customer Data available.
5.4. Security. Referral Factory must take all steps to implement adequate security, protection, and removal of Customer Data, which includes the use of pseudonymization and encryption technology, or any other method.
6. Security and Incidents
6.1. Security. Referral Factory must always notify Customer in the event a breach of Referral Factory’s data security leads to the unlawful or accidental destruction, loss, alteration, unauthorized access or disclosure of Customer Data (“Security Incident”). Customer understands that as a Data Processor it is best able to determine the possible consequences of a Security Incident.
6.2. Measures. Referral Factory must notify Customer if a Security Incident occurs, without undue delay after it has become aware of it, and take all appropriate measures to mitigate any adverse effect resulting from a Security Incident.
6.3. Referral Factory Assistance. Referral Factory must cooperate with and assist Customer in notifying the supervisory data protection authorities and Data Subjects after a Security Incident. Referral Factory shall use its best endeavors to comply, taking into account the nature of the data processing, information available to Referral Factory, and any restrictions on disclosing information, such as contractual or government-mandated confidentiality duties.
6.4. Unsuccessful Incident. Customer agrees that unsuccessful incidents are not subject to the duties mentioned in this Section 6. An unsuccessful Security Incident does not result in unauthorised access to Customer Data, or other attempts to obtain illegal access to Referral Factory’s system, such as hacks, Trojan horses, pings, broadcast attacks, denial of service attacks, or any other attempt.
6.5. No Liability. In accordance with the provisions in the Agreement and this DPA, Referral Factory’s obligation to report or respond to a Security Incident under this Section 6 will never be construed as an acknowledgment of Referral Factory’s responsibility or liability.
6.6. Communication. Customer understands and agrees it is solely responsible for providing accurate and updated contact information of its employees, affiliates and contractors so that Referral Factory can immediately contact Customer in case of a Security Incident.
7.1. Documents and Information. In addition to the information contained in this DPA, upon one Parties’ request, and provided that the Parties have a Non-Disclosure Agreement in place, the other Party must make available all documents and information mentioned in this section 7.
7.2. Audits. Customer may use third parties, such as external auditors and security professionals, to verify the effectiveness and adequacy of Referral Factory’s security measures, including the security of places that are physically accessible. Customer understands and agrees that such an audit report will be Confidential Information and belongs at all times to Referral Factory.
7.3. Audit Reports. At Customer’s written request, and under the condition Parties have a Non-Disclosure Agreement in place, Referral Factory must provide Customer with the results of such an audit report so that Customer can reasonably verify Referral Factory’s compliance with the obligations under this DPA.
7.4. Privacy Impact Assessment and Prior Consultation. Referral Factory must assist Customer in complying with Customer’s obligations regarding a data protection impact assessments and prior consultation with the data protection authorities, by providing all information under this Section 7 to Customer.
7.5. Customer Audits. Customer has the right to request Referral Factory an audit or inspection, whether or not on behalf of its data controllers or when Customer is acting as a (sub)processor under the EU General Data Protection Regulation. In the event Referral Factory declines to follow any instruction requested by Customer regarding audits and inspections, Customer is entitled to terminate the Agreement in accordance with its terms and conditions.
8. Transfers of Personal Data
8.1. Regions. Customer may specify and notify Referral Factory in which regions and countries Customer Data must not be processed. In addition, Customer may elect regions and countries from which Customer Data must not be transferred, except when it is necessary to provide the Services initiated by Customer, or to comply with the applicable law or binding governmental order.
8.2. Standard Contractual Clauses. The Standard Contractual Clauses as issued by the European Commission (“EC”) of June 4th 2021 (implementing decision (EU) 2021/914) will only apply to Customer Data that is transferred to any country outside the European Economic Area, and not recognized by the European Commission as a country or region with an adequate level of protection for personal data. Customer is solely responsible for being aware of the latest version of the Standard Contractual Clauses issued by the EC.
8.3. Compliance Standards. The Standard Contractual Clauses will not apply to a data transfer in the event Referral Factory has adopted a recognized internal compliance standard for lawful data transfers, such as binding corporate rules.
8.4. Controller – Processor Responsibilities. In the event Customer is acting as a Data Controller, the Controller-to-Processor provisions in the SCC will apply to each data transfer. When Customer is acting as a Data Processor, the Processor-to-Processor Clauses will apply to each Data Transfer, and Customer must fulfill the Processor duties in this DPA.
9.1. Termination. This DPA will continue in force until the termination of the Agreement, unless Parties agree otherwise.
9.2. Return or Deletion of Customer Data. At any time during the term of the Agreement and ninety (90) days following the termination date, Referral Factory must return or delete all Customer Data after Customer have requested so. After this ninety (90) day period, Referral Factory must have closed and deleted all accounts that contain Customer Data.
9.3. Duty to Inform. Referral Factory must inform Customer immediately when Customer Data becomes subject to seizure during bankruptcy or insolvency proceedings, or any other measure resulting in the loss of control of Customer Data. In addition, all relevant parties (including but not limited to creditors, bankruptcy trustees, administrators, and judges) must be immediately notified by Referral Factory that any Customer Data is Customer’s property and falls under Customer’s responsibility.
9.4. Entire Agreement. This DPA incorporates by reference the Standard Contractual Clauses. Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between the Agreement and this DPA, the terms of this DPA will supersede. Nothing in this document modifies or varies the latest version of the Standard Contractual Clauses.