EFFECTIVE MARCH 30TH, 2023
Prolio Data Processing Addendum
Please read this data processing addendium carefully before accessing or using the Prolio Application and Services
This Data Processing Addendum including all of its Annexes (“Addendum”) is entered into as of the later signature date below (the “Effective Date”) between the Prolio entity specified on the signature line below (or if this Addendum is being incorporated by reference, the Prolio entity identified on the applicable Prolio quote) (“Prolio”) and the Customer entity(ies) specified on the signature line below (or if this Addendum is being incorporated by reference, the Customer entity identified on the applicable Prolioquote) (“Customer”). This Addendum amends and forms part of the service agreement(s) between the parties that reference this Addendum (including, without limitation, the Prolio Privacy Policy and the Terms of Service (SAAS), if applicable) which respectively govern the software-as-a-service solutions provided by Prolio to Customer (“Services”) (together, the “Agreement”). In the event that any terms and conditions contained herein are in conflict with the terms and conditions set forth in the Agreement, the terms and conditions set forth in this Addendum shall be deemed to be the controlling terms and conditions, except as otherwise stated. "Controller", "processor", "data subject", "personal data", "processing" and "appropriate technical and organizational measures" shall be interpreted in accordance with the applicable Data Protection Legislation. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement or in applicable Data Protection Legislation. In the course of providing the Services to Customer pursuant to the Agreement, Prolio may process personal data on behalf of Customer. This Addendum sets out the additional terms, requirements and conditions on which Prolio will process personal data as far as such processing relates to the performance of the Services.
1. Roles of the Parties.
This Addendum shall apply where Customer acts as a controller and Prolio as a processor, or where Customer acts as a processor and Prolio as a sub-processor. All parties agree to keep every data and Confidential information private and secured from any thirdparty.
2. Compliance with Data Protection Legislation.
Both parties will comply with all applicable requirements of the Data Protection Legislation. As used in this Addendum, “Data Protection Legislation” means all applicable privacy and data protection laws, their implementing regulations, regulatory guidance, and secondary legislation, each as updated or replaced from time to time, including: (I) the General Data Protection Regulation ((EU) 2016/679) (the “GDPR”) and any applicable national implementing laws; (ii) the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018; (iii) the Privacy and Electronic Communications Directive (2002/58/EC) and any applicable national implementing laws including the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426); (iv) and United State Federal Trade Commission regulations.
3. Processing of Personal Data
Details of Processing. Annex a sets out the scope, nature and purpose of processing by Prolio, the duration of the processing and the types of personal data and categories of data subject.
I. Instructions.
Customer appoints Prolio to process such personal data on behalf of Customer, and in accordance with Customer’s documented instructions, as otherwise necessary to provide the Services, or as otherwise agreed in writing by the parties. The scope of such instructions are initially defined by the Agreement. Prolio shall inform Customer if, in its opinion, an instruction infringes the Data Protection Legislation, or if Prolio become aware it cannot process Personal Data in accordance with Customer instructions due to a legal requirement under any applicable law, Prolio will (i) promptly notify you; and (ii) where necessary, cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Service until such time as you issue new lawful instructions with regard to the processing.
II. Customer Responsibilities.
Customer will ensure that he is responsible for complying with all requirements that applies, under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Prolio. In particular but without prejudice to the foregoing, Customer warrant that he/she will be solely responsible for;
(i) the quality, accuracy, and legality of Customer Data and the means by which it was acquired by the Customer; (ii) complying with all necessary lawfulness and transparency requirements under applicable Data Protection Laws for each collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring you as the Customer have the necessary right to transfer, or provide access to, Prolio for accessing and Processing of such data;
(iv) ensuring that all Instructions regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer will inform Prolio without undue delay if Customer is not able to comply with Customer’s responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
III. Processor Requirements.
Prolio acknowledges and agrees that it shall act in the role of a “Service Provider” as defined under the GDPR. Customer discloses personal data to Prolio solely for: (I) a valid business purpose; and (ii) Prolio to perform the Services. Prolio is prohibited from: (I) selling Customer’s personal data; (ii) collecting, retaining, using, or disclosing Customer’s personal data for any purpose other than providing the Services to Customer; and (iii) collecting, retaining, using, or disclosing Customer’s personal data outside of the direct business relationship between Prolio and Customer; and (iv) combining Customer’s personal data with personal data that Prolio obtains from other sources. Prolio certifies that it understands the prohibitions outlined in this Section and will comply with them. Customer understands and agrees that Prolio may use sub-processors to provide the Services and process personal data on Customer’s behalf in accordance with this addedndum. The parties agree that any monetary consideration provided by Customer to Prolio is provided for the provision of the Services and not for the provision of personal data.
I. Instructions.
Customer appoints Prolio to process such personal data on behalf of Customer, and in accordance with Customer’s documented instructions, as otherwise necessary to provide the Services, or as otherwise agreed in writing by the parties. The scope of such instructions are initially defined by the Agreement. Prolio shall inform Customer if, in its opinion, an instruction infringes the Data Protection Legislation, or if Prolio become aware it cannot process Personal Data in accordance with Customer instructions due to a legal requirement under any applicable law, Prolio will (i) promptly notify you; and (ii) where necessary, cease all processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as you issue new instructions with which we are able to comply. If this provision is invoked, we will not be liable to you under the Agreement for any failure to perform the applicable Service until such time as you issue new lawful instructions with regard to the processing.
II. Customer Responsibilities.
Customer will ensure that he is responsible for complying with all requirements that applies, under applicable Data Protection Laws with respect to its Processing of Personal Data and the Instructions it issues to Prolio. In particular but without prejudice to the foregoing, Customer warrant that he/she will be solely responsible for;
(i) the quality, accuracy, and legality of Customer Data and the means by which it was acquired by the Customer; (ii) complying with all necessary lawfulness and transparency requirements under applicable Data Protection Laws for each collection and use of the Personal Data, including obtaining any necessary consents and authorizations; (iii) ensuring you as the Customer have the necessary right to transfer, or provide access to, Prolio for accessing and Processing of such data;
(iv) ensuring that all Instructions regarding the processing of Personal Data comply with applicable laws, including Data Protection Laws; and (v) complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Service, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices. Customer will inform Prolio without undue delay if Customer is not able to comply with Customer’s responsibilities under this 'Compliance with Laws' section or applicable Data Protection Laws.
III. Processor Requirements.
Prolio acknowledges and agrees that it shall act in the role of a “Service Provider” as defined under the GDPR. Customer discloses personal data to Prolio solely for: (I) a valid business purpose; and (ii) Prolio to perform the Services. Prolio is prohibited from: (I) selling Customer’s personal data; (ii) collecting, retaining, using, or disclosing Customer’s personal data for any purpose other than providing the Services to Customer; and (iii) collecting, retaining, using, or disclosing Customer’s personal data outside of the direct business relationship between Prolio and Customer; and (iv) combining Customer’s personal data with personal data that Prolio obtains from other sources. Prolio certifies that it understands the prohibitions outlined in this Section and will comply with them. Customer understands and agrees that Prolio may use sub-processors to provide the Services and process personal data on Customer’s behalf in accordance with this addedndum. The parties agree that any monetary consideration provided by Customer to Prolio is provided for the provision of the Services and not for the provision of personal data.
4. Security.
I. Security Measures.
Prolio shall implement appropriate technical and organizational measures for processing Customer’s personal data which shall, at minimum, meet the requirements in Annex B
II. Breach Notification.
Prolio shall, to the extent permitted by law, notify Customer without undue delay upon discovery of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Prolio on behalf of Customer.
III. Personnel.
Prolio shall ensure that all personnel who process (including having access to) personal data have committed themselves to keep the personal data confidential in accordance with Prolio’s confidentiality obligations under the Agreement.
Prolio shall implement appropriate technical and organizational measures for processing Customer’s personal data which shall, at minimum, meet the requirements in Annex B
II. Breach Notification.
Prolio shall, to the extent permitted by law, notify Customer without undue delay upon discovery of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data processed by Prolio on behalf of Customer.
III. Personnel.
Prolio shall ensure that all personnel who process (including having access to) personal data have committed themselves to keep the personal data confidential in accordance with Prolio’s confidentiality obligations under the Agreement.
5. Assistance.
I. Cooperation with Customer.
Taking into account the nature of the processing and the information available to us, Prolio shall reasonably provide the Customer, at Customer’s expense.
II. Self-service features.
The Prolio Application offers a number of features the Customer can use to correct, retrieve, delete or restrict his/her Personal Data, This feature was provided to assist Customer in its obligations under Data Protection Laws, including responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws.
III. Additional assistance.
Should the Customer be unable to address a Data Subject Request through the Self Service Feature provided by Prolio, Customer reserve the right to send a written request to Prolio for additional assistance to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under this Agreement.
IV. Return and Deletion of Personal Data.
At the written direction of Customer, Prolio shall delete or return personal data and copies thereof to Customer following termination of the Agreement unless required by applicable law or where Prolio has archived Customer Data on back-up systems (including any Data Protection Legislation) to store the personal data. In the event that Customer has not provided such written direction, the personal data will be deleted as set out in the Agreement.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Prolio, then Prolio will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
Taking into account the nature of the processing and the information available to us, Prolio shall reasonably provide the Customer, at Customer’s expense.
II. Self-service features.
The Prolio Application offers a number of features the Customer can use to correct, retrieve, delete or restrict his/her Personal Data, This feature was provided to assist Customer in its obligations under Data Protection Laws, including responding to requests from Data Subjects to exercise their rights under applicable Data Protection Laws.
III. Additional assistance.
Should the Customer be unable to address a Data Subject Request through the Self Service Feature provided by Prolio, Customer reserve the right to send a written request to Prolio for additional assistance to respond to any Data Subject Requests or requests from data protection authorities relating to the Processing of Personal Data under this Agreement.
IV. Return and Deletion of Personal Data.
At the written direction of Customer, Prolio shall delete or return personal data and copies thereof to Customer following termination of the Agreement unless required by applicable law or where Prolio has archived Customer Data on back-up systems (including any Data Protection Legislation) to store the personal data. In the event that Customer has not provided such written direction, the personal data will be deleted as set out in the Agreement.
If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Prolio, then Prolio will promptly inform Customer and will advise the Data Subject to submit their request to Customer. Customer will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.
6. Audit.
I. Audit Requirements.
The parties acknowledge that Customer must be able to assess Prolio’s compliance with its obligations under Data Protection Legislation, to the extent that Prolio is acting as a processor on behalf of Customer. Customer further agrees that the audits described in Section below meet Customer’s audit requirements, and Customer agrees to exercise any right it may have to conduct an inspection or audit (including under the Standard Contractual Clauses, as applicable) by written notice to Prolio to carry out the audits described below.
II. Audit Procedures.
Upon not less than thirty (30) days’ advance written notice to Prolio and no more frequently than once annually, with Prolio’s reasonable costs of complying with any such request to be met by Customer, Prolio shall (I) make available all information necessary to demonstrate to Customer its compliance with Article 28 of the GDPR, including without limitation, executive summaries of its information security and privacy policies, and (ii) cooperate with and respond promptly to Customer’s reasonable privacy and/or security questionnaire(s). Notwithstanding the above, if Customer’s request for audit occurs during Prolio’s quarter or year end, or such other time during which Prolio cannot reasonably accommodate such request, the parties shall mutually agree on an extension to the thirty (30) days’ advance written notification. Customer shall execute a confidentiality agreement in form and substance reasonably satisfactory to Prolio prior to such audit. For the avoidance of doubt, nothing contained herein will allow Customer to review data pertaining to Prolio’s other Customers or partners. Customer shall bare its own costs and expenses with respect to the audits described in this addendum. The parties shall use all reasonable endeavors when exercising rights under this addendum to minimize disruption to Prolio’s business activities.
The parties acknowledge that Customer must be able to assess Prolio’s compliance with its obligations under Data Protection Legislation, to the extent that Prolio is acting as a processor on behalf of Customer. Customer further agrees that the audits described in Section below meet Customer’s audit requirements, and Customer agrees to exercise any right it may have to conduct an inspection or audit (including under the Standard Contractual Clauses, as applicable) by written notice to Prolio to carry out the audits described below.
II. Audit Procedures.
Upon not less than thirty (30) days’ advance written notice to Prolio and no more frequently than once annually, with Prolio’s reasonable costs of complying with any such request to be met by Customer, Prolio shall (I) make available all information necessary to demonstrate to Customer its compliance with Article 28 of the GDPR, including without limitation, executive summaries of its information security and privacy policies, and (ii) cooperate with and respond promptly to Customer’s reasonable privacy and/or security questionnaire(s). Notwithstanding the above, if Customer’s request for audit occurs during Prolio’s quarter or year end, or such other time during which Prolio cannot reasonably accommodate such request, the parties shall mutually agree on an extension to the thirty (30) days’ advance written notification. Customer shall execute a confidentiality agreement in form and substance reasonably satisfactory to Prolio prior to such audit. For the avoidance of doubt, nothing contained herein will allow Customer to review data pertaining to Prolio’s other Customers or partners. Customer shall bare its own costs and expenses with respect to the audits described in this addendum. The parties shall use all reasonable endeavors when exercising rights under this addendum to minimize disruption to Prolio’s business activities.
7. Sub-Processors.
I. Use of Sub-Processors.
Customer provides general written authorization for: (a) Prolio to engage the sub-processors, (b) Prolio to engage Prolio’s Affiliates as sub-processors and (c) Prolio’s Affiliates to engage third-party sub-processors (including other Affiliates as sub-processors) set out at the Privacy policy. For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). Prolio and its Affiliates may engage such sub-processors to process personal data, provided that Prolio and its Affiliates have entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum.
II. Changes to Sub-Processors.
If Prolio or its Affiliates appoint a new (or removes an existing) sub- processor, it shall update the list at the Privacy Center. Customer may opt in to receiving alerts regarding such list updates via the mechanism set out at the Privacy Center, and, provided Customer has done so, Prolio will send an email publicizing the change, to the email address the Customer has provided at the Privacy Center. Customer may object to Prolio’s appointment or replacement of a sub-processor, provided Customer notifies Prolio in writing of its specific objection within thirty (30) days of receiving such notification from Prolio. If Customer does not object within such period, the addition of the new sub-processor shall be deemed accepted. If Customer does object to the addition of a new sub-processor and Prolio, in its reasonable opinion, cannot reasonably accommodate Customer’s objection, Customer may terminate the affected Service(s) upon written notice to Prolio. Any previously accrued rights and obligations will survive such termination.
III. General authorization under the Standard Contractual Clauses.
If the Standard Contractual Clauses apply, then the Parties agree to (general written authorization) (a) of the Standard Contractual Clauses (Module Two). Customer acknowledges and agrees that it will be informed of any intended changes to the list of Sub-Processors and have the ability to exercise the corresponding right to object under this agreement(a) of the Standard Contractual Clauses (Module Two) in the manner described under this Addendum.
IV. Liability.
Prolio remains liable for the acts and omissions of its sub-processors to the same extent Prolio would be liable if performing the Services of each sub-processor directly under the terms of this Addendum.
V. Copies of Sub-processor Agreements.
The parties agree that the copies of the sub-processor agreements that must be provided by Prolio to Customer of the Standard Contractual Clauses (Module Two) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Prolio beforehand. Prolio will provide such copies in a manner to be determined in its sole discretion, upon request by Customer.
VI. Communications sent through the Service and payment gateways.
Customer acknowledges and agrees that Prolio may use telecommunication providers in the provision of the Service. Customer further acknowledges that in order to send communications for the provision of the Service, Prolio may need to transmit Customer’s communications through existing telecommunications networks and suppliers, via companies bound to comply with applicable telecommunications and privacy laws but who may not all have direct contracts with Prolio and/or Customer. Customer further acknowledges that Prolio may use payment gateways in the provision of Service via companies bound to comply with data protection laws but who may not have direct contracts with Prolio. Customer hereby instructs Prolio to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Service and acknowledges and agrees that telecommunications networks and payment gateways suppliers are not considered Sub-processors under either the Agreement.
VII. Service quality.
When Customer reports potential issues with the quality of the Service, the Customer instructs Prolio to engage its relevant suppliers for assistance including by providing them with access to necessary data (for example, recordings, logs) which may contain personal data for the purpose of diagnosing and resolving the reported issues.
Customer provides general written authorization for: (a) Prolio to engage the sub-processors, (b) Prolio to engage Prolio’s Affiliates as sub-processors and (c) Prolio’s Affiliates to engage third-party sub-processors (including other Affiliates as sub-processors) set out at the Privacy policy. For purposes of this Addendum, “Affiliate” means an entity controlling, controlled by, or under common control with a party (an entity will be deemed to have control if it owns over 50% of another entity). Prolio and its Affiliates may engage such sub-processors to process personal data, provided that Prolio and its Affiliates have entered into a written agreement with the third-party processor containing data protection terms that require it to protect the personal data to the same standard required under this Addendum.
II. Changes to Sub-Processors.
If Prolio or its Affiliates appoint a new (or removes an existing) sub- processor, it shall update the list at the Privacy Center. Customer may opt in to receiving alerts regarding such list updates via the mechanism set out at the Privacy Center, and, provided Customer has done so, Prolio will send an email publicizing the change, to the email address the Customer has provided at the Privacy Center. Customer may object to Prolio’s appointment or replacement of a sub-processor, provided Customer notifies Prolio in writing of its specific objection within thirty (30) days of receiving such notification from Prolio. If Customer does not object within such period, the addition of the new sub-processor shall be deemed accepted. If Customer does object to the addition of a new sub-processor and Prolio, in its reasonable opinion, cannot reasonably accommodate Customer’s objection, Customer may terminate the affected Service(s) upon written notice to Prolio. Any previously accrued rights and obligations will survive such termination.
III. General authorization under the Standard Contractual Clauses.
If the Standard Contractual Clauses apply, then the Parties agree to (general written authorization) (a) of the Standard Contractual Clauses (Module Two). Customer acknowledges and agrees that it will be informed of any intended changes to the list of Sub-Processors and have the ability to exercise the corresponding right to object under this agreement(a) of the Standard Contractual Clauses (Module Two) in the manner described under this Addendum.
IV. Liability.
Prolio remains liable for the acts and omissions of its sub-processors to the same extent Prolio would be liable if performing the Services of each sub-processor directly under the terms of this Addendum.
V. Copies of Sub-processor Agreements.
The parties agree that the copies of the sub-processor agreements that must be provided by Prolio to Customer of the Standard Contractual Clauses (Module Two) may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Prolio beforehand. Prolio will provide such copies in a manner to be determined in its sole discretion, upon request by Customer.
VI. Communications sent through the Service and payment gateways.
Customer acknowledges and agrees that Prolio may use telecommunication providers in the provision of the Service. Customer further acknowledges that in order to send communications for the provision of the Service, Prolio may need to transmit Customer’s communications through existing telecommunications networks and suppliers, via companies bound to comply with applicable telecommunications and privacy laws but who may not all have direct contracts with Prolio and/or Customer. Customer further acknowledges that Prolio may use payment gateways in the provision of Service via companies bound to comply with data protection laws but who may not have direct contracts with Prolio. Customer hereby instructs Prolio to transmit the communications through existing telecommunications networks and to use payment gateways as necessary to provide the Service and acknowledges and agrees that telecommunications networks and payment gateways suppliers are not considered Sub-processors under either the Agreement.
VII. Service quality.
When Customer reports potential issues with the quality of the Service, the Customer instructs Prolio to engage its relevant suppliers for assistance including by providing them with access to necessary data (for example, recordings, logs) which may contain personal data for the purpose of diagnosing and resolving the reported issues.
8. International Transfers of Personal Data.
I. General Obligation.
Prolio shall comply with all applicable requirements for cross-border transfers of personal data under Data Protection Legislation.
II. Transfers from the EEA or United State from Customer to Prolio - Standard Contractual Clauses.
To the extent that Prolio processes any personal data under this Addendum that originates from the European Economic Area (“EEA”) or USA or in a country that has not been designated by the European Commission (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses for the transfer of personal data to third countries as set out in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021 (“Standard Contractual Clauses”) which are hereby incorporated into and form part of this Addendum.
III. Annexes.
The parties hereby agree that data processing details set out in Annex A of this Addendum shall apply for the purposes of Annex 1 of the Standard Contractual Clauses and the technical and organizational security measures set out in Annex B of this Addendum shall apply for the purpose of Annex 2 to the Standard Contractual Clauses. Prolio shall be deemed the “data importer” and Customer the “data exporter” under the Standard Contractual Clauses, and the parties will comply with their respective obligations under the Standard Contractual Clauses. Customer grants Prolio a mandate to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processor (including Prolio Affiliates). Unless Prolio notifies Customer to the contrary, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C shall apply to the use of the Standard Contractual Clauses.
IV. Transfers from USA by Customer to Prolio.
To the extent that Prolio processes under this Addendum any personal data that originates from the US in a country that has not been designated by the US Government as providing an adequate level of protection for personal data, and where the parties have implemented a valid mechanism for such transfers, the parties agree that such mechanism shall continue to apply to such transfers. The Annexes to this Addendum supersede the Annexes of any previous data processing agreements signed between Customer and Prolio, except where such would represent a conflict with this section.
V. Alternative Data Export Solution.
The parties agree that the data export solution identified here in will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation) from the EEA, UK or United State, in which event, Customer shall reasonably cooperate with Prolio to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which personal data is transferred under this Addendum).
Prolio shall comply with all applicable requirements for cross-border transfers of personal data under Data Protection Legislation.
II. Transfers from the EEA or United State from Customer to Prolio - Standard Contractual Clauses.
To the extent that Prolio processes any personal data under this Addendum that originates from the European Economic Area (“EEA”) or USA or in a country that has not been designated by the European Commission (as applicable) as providing an adequate level of protection for personal data, the parties agree to enter into the Standard Contractual Clauses for the transfer of personal data to third countries as set out in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021 (“Standard Contractual Clauses”) which are hereby incorporated into and form part of this Addendum.
III. Annexes.
The parties hereby agree that data processing details set out in Annex A of this Addendum shall apply for the purposes of Annex 1 of the Standard Contractual Clauses and the technical and organizational security measures set out in Annex B of this Addendum shall apply for the purpose of Annex 2 to the Standard Contractual Clauses. Prolio shall be deemed the “data importer” and Customer the “data exporter” under the Standard Contractual Clauses, and the parties will comply with their respective obligations under the Standard Contractual Clauses. Customer grants Prolio a mandate to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processor (including Prolio Affiliates). Unless Prolio notifies Customer to the contrary, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, such amended terms will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C shall apply to the use of the Standard Contractual Clauses.
IV. Transfers from USA by Customer to Prolio.
To the extent that Prolio processes under this Addendum any personal data that originates from the US in a country that has not been designated by the US Government as providing an adequate level of protection for personal data, and where the parties have implemented a valid mechanism for such transfers, the parties agree that such mechanism shall continue to apply to such transfers. The Annexes to this Addendum supersede the Annexes of any previous data processing agreements signed between Customer and Prolio, except where such would represent a conflict with this section.
V. Alternative Data Export Solution.
The parties agree that the data export solution identified here in will not apply if and to the extent that Customer adopts an alternative data export solution for the lawful transfer of personal data (as recognized under the Data Protection Legislation) from the EEA, UK or United State, in which event, Customer shall reasonably cooperate with Prolio to implement such solution and such alternative data export solution will apply instead (but solely to the extent such alternative data export solution extends to the territories to which personal data is transferred under this Addendum).
9. Miscellaneous.
I. Interpretation.
Any words following the terms “including” and similar expressions shall not limit the sense of the words preceding those terms.
II. Entire Agreement.
This Addendum shall replace and supersede any existing data processing addendum (including any privacy addendums), attachment or exhibit (including any standard contractual clauses) between the parties, except as provided for in this DPA, if applicable. Any addenda, attachments, or exhibits related to security shall remain in place and supplement any security measures set out in Annex B. In the event of a conflict between Annex B and any other agreement that Customer has entered into with Prolio governing information security, including administrative, physical, or technical safeguards regarding the protection of data, the provisions more protective of the data shall prevail.
Any words following the terms “including” and similar expressions shall not limit the sense of the words preceding those terms.
II. Entire Agreement.
This Addendum shall replace and supersede any existing data processing addendum (including any privacy addendums), attachment or exhibit (including any standard contractual clauses) between the parties, except as provided for in this DPA, if applicable. Any addenda, attachments, or exhibits related to security shall remain in place and supplement any security measures set out in Annex B. In the event of a conflict between Annex B and any other agreement that Customer has entered into with Prolio governing information security, including administrative, physical, or technical safeguards regarding the protection of data, the provisions more protective of the data shall prevail.
10. Liability.
Notwithstanding anything to the contrary in the Agreement or this Addendum, the liability of each party and each party’s Affiliates under this Addendum shall be subject to the exclusions and limitations of liability set out in the Agreement or, in the absence of such a provision in the Agreement, the following will apply: (a) in no event will either party’s maximum aggregate liability arising out of or related to the Agreement or this Addendum exceed the total amount paid or payable to Prolio under the Agreement during the twelve (12) month period preceding the date of initial claim, and (b) neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the Agreement or this Addendum.
11. Governing Law and Jurisdiction.
This Addendum will be governed by and construed in accordance with United State of America laws and jurisdiction provisions in the terms of service, unless required otherwise by applicable Data Protection Legislation.
12. Termination of Addendum.
This Addendum will terminate simultaneously and automatically with the termination or expiry of the Agreement.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect as of the Addendum Effective Date.
IN WITNESS WHEREOF, this Addendum is entered into and becomes a binding part of the Agreement with effect as of the Addendum Effective Date.
Annex A
Personal Data Processing Purposes and Details
A. List of Parties
Legal entity (ies) and date of signature: See Front sheet of the Agreement
Address: See Front sheet of the Agreement
Role (controller/processor): Controller
Contact person for data protection matters position and contact details of the data protection officer and/or representative in the United State or European Union: data exporter shall provide these details by email to info@parsage.com upon signature of the Agreement.
Activities relevant to the data transferred under these SCCs: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.
Address: See Front sheet of the Agreement
Role (controller/processor): Controller
Contact person for data protection matters position and contact details of the data protection officer and/or representative in the United State or European Union: data exporter shall provide these details by email to info@parsage.com upon signature of the Agreement.
Activities relevant to the data transferred under these SCCs: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.
Legal entity (ies) and date of signature: See Front sheet of the Agreement
Address: See Front sheet of the Agreement
Contact details for data protection matters: info@parsage.com
Role (controller/processor): Processor
Activities relevant to the data transferred: The data importer will provide services to the data exporter involving the transfer of personal data as detailed under the Agreement.
B. Description of Transfer
Customer may submit personal data to Prolio to enable Prolio to perform the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to personal data relating to the following categories of data subjects:
- Customers, business partners, and (who are natural persons)
- Employees or contact persons (both of whom are natural persons) of Customer, business partners, and vendors
- Customer’s end users (i.e., customers, respondents, visitors).
- Employees, agents, advisors, contractors, or any user authorized by Customer to use the Services (who are natural persons)
Customer may submit personal data to Prolio to enable Prolio to perform the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include (depending on the nature of the Services):
- First and last name and title;
- Employer and position;
- Contact information (email, username, cell / mobile phone number, physical business address);
- Work flow information
- Project Data
- Device identification data (Device ID);
- Electronic identification data (IP address; MAC address);
- Technical data (operating system information; software logs; crash reports);
- Username and password to Prolio Services; and
- In relation to certain Prolio Services, including the Prolio Identity services, the geo-location of the device using such Services.
- Customers: Identification and contact data (name, address, title, contact details, username); financial information (account details, payment information); employment details (employer, job title, geographic location, area of responsibility).
- Contacts: Identification and contact data (name, gender, general, occupation or other demographic information, address, title, contact details, including email address, phone, profile photo); personal interests or preferences; IT information (IP addresses, usage data, cookies data, online navigation data, location data, browser data).
- Project content: Content submitted by all customer via the Service in form of texts, images, video and audio files, or other data files. The extent is typically determined by the project type (segmentation, consumer habits and opinions, user preferences, market segmentation, and other data).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
Sensitive data may be transferred by Customer to Prolio solely where Customer needs to transfer such data to Prolio for the provision of the Services as described pursuant to the Agreement.
The safeguards applying to the processing of such data are as described under Annex B.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous.
Sensitive data may be transferred by Customer to Prolio solely where Customer needs to transfer such data to Prolio for the provision of the Services as described pursuant to the Agreement.
The safeguards applying to the processing of such data are as described under Annex B.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis). Continuous.
Prolio will process personal data as necessary to perform the Services pursuant to the Agreement, as further instructed by Customer (as expressly set forth in this Addendum) in its use of the Services.
Prolio will process personal data for the purposes necessary to perform the Services pursuant to the Agreement, as further instructed by Customer (as expressly set forth in this Addendum) in its use of the Services.
The personal data will be retained as long as needed for the provision of Services by Prolio under the Agreement.
Matter and nature of the processing, as set out at collabito.com/sub-processors, for the duration required for the data importer to provide the Services to the data exporter.
Identify the competent supervisory authority/ies in accordance with Clause 13 of the Standard ContractualClauses
Data exporter shall provide this information by email to info@parsage.com and signature of the Agreement.
Data exporter shall provide this information by email to info@parsage.com and signature of the Agreement.
Annex B
Technical and Organisational Measures
This Annex II sets forth the security measures that Prolio shall maintain in connection with the personal data submitted by Customer to Prolio to enable it to provide the services under the Agreement.
Prolio encrypts Customer personal data it processes while in transit over corporate networks and from and to Prolio’s Applications.
Prolio maintains documented business continuity and disaster recovery plans that are designed to ensure that business functions can respond quickly and continue with minimum disruption in case of an unexpected interruption that may materially impact Customer personal data or Prolio’s ability to provide products and services under the Agreement.
Prolio performs ongoing data replication and backup as necessary, designed to prevent data loss and to facilitate service recovery for the Customer.
Prolio utilizes various tools to continuously track and monitor security vulnerabilities to identify, report, and remediate network vulnerabilities. As part of the ongoing information security activities, the security vulnerabilities are prioritized and assigned an appropriate remediation process according to the type of vulnerability, its severity and its potential impact.
Prolio also frequently performs penetration testing to its networks, infrastructure and products, including to identify security vulnerabilities. Prolio further leverages automated penetration testing tools for a wide and comprehensive view over existing vulnerabilities and attack vectors to mitigate the risk of cyber attacks
Prolio also frequently performs penetration testing to its networks, infrastructure and products, including to identify security vulnerabilities. Prolio further leverages automated penetration testing tools for a wide and comprehensive view over existing vulnerabilities and attack vectors to mitigate the risk of cyber attacks
Prolio controls, monitors and protects the credentials and secrets related to users’ access by utilizing industry standard tools, including its own security products. Prolio also secures physical access to its equipment used to store Customer personal data by using industry standard processes to limit access to authorized personnel.
Prolio’s policies governing internal access to Customer personal data are designed on a least privilege and need-to-know basis, based on individual roles and responsibilities. Prolio maintains methods and procedures designed to prevent unauthorized access to the Customer personal data and the systems that host it. Appropriate authentication methods are used to control access to the network applications and systems thatContain Customer personal data (which may include Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) and more).
Prolio’s policies governing internal access to Customer personal data are designed on a least privilege and need-to-know basis, based on individual roles and responsibilities. Prolio maintains methods and procedures designed to prevent unauthorized access to the Customer personal data and the systems that host it. Appropriate authentication methods are used to control access to the network applications and systems thatContain Customer personal data (which may include Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) and more).
Prolio encrypts all Customer personal data it processes while in transit over corporate networks and from and to Prolio’s Applications.
Where possible in light of the services being provided to Customer, Prolio encrypts Customer personal data it processes while at rest.
Prolio applies security measures to its offices and facilities that host servers that contain sensitive or critical information, including Customer personal data, (“Facilities”) and limits access to these Facilities only to authorized personnel. These measures include:
- 24/7 monitoring and access control of these Facilities;
- CCTV cameras;
- Procedure to promptly disable any (1) lost access cards and; (2) identifiable badges no longer needed in case of employee termination.
- Policies and training of employees to secure workstations and prevent unauthorized disclosure of Customer personal data (e.g. screen locks and least privilege access).
We have put in place processes and policies to ensure that incidents are dealt with and logged in accordance with the following process:
- Identification,
- Classification,
- Reported to appropriate internal (and where required external) stakeholders,
- Mitigated and remediated throughout incident response stages including post-incident assessments.
Prolio develops, documents, and maintains under configuration control, a current baseline configuration for systems, and reviews these configurations at least annually. Default configurations of technical controls are removed prior of operational use.
Prolio has implemented policies and processes to ensure that roles and responsibilities regarding the management and monitoring of Prolio’s security requirements and procedures, are clearly determined. For example, Prolio’s organizational roles and responsibilities include the following roles:
- Chief Information Technology Officer;
- Director of Information Security;
- Product security managers and production services security managers.
Prolio currently adopts industry practices to develop its products and services such as (but not limited to), Open Web Application Security Project (OWASP), Application Security Verification Standard (ASVS) and CSA Consensus Assessments Initiative Questionnaire (CAIQ).
In addition, Prolio undergoes security audits on an annual basis and adheres to industry recognized security practices, such as ISO 27001:2013 and SOC 2 Type II as applicable, or other certificates or standards in line with industry practice.
In addition, Prolio undergoes security audits on an annual basis and adheres to industry recognized security practices, such as ISO 27001:2013 and SOC 2 Type II as applicable, or other certificates or standards in line with industry practice.
All of Prolio’s personnel are required to undergo onboarding and refresher training courses on information security and GDPR compliance. This includes specific modules about data minimization.
Prolio’s Internal Privacy Policy & Handbook also contains practical guidance for employees designed to ensure that the data they process is limited in scope and time to the extent which is necessary for the purpose of that processing.
Prolio handles the data which Customers provide to us. The extent of the processed data is determined and controlled by Customer in its sole discretion.
Prolio’s Internal Privacy Policy & Handbook also contains practical guidance for employees designed to ensure that the data they process is limited in scope and time to the extent which is necessary for the purpose of that processing.
Prolio handles the data which Customers provide to us. The extent of the processed data is determined and controlled by Customer in its sole discretion.
Prolio handles the data which Customers provide to us. Prolio isn’t responsible for the accuracy and quality of the data provided by Customers.
The quality of the data generated by Prolio’s products is ensured by the implementation of secure development practices. When introducing or modifying code, this includes:
The quality of the data generated by Prolio’s products is ensured by the implementation of secure development practices. When introducing or modifying code, this includes:
- Peer-reviews of changes/new code;
- Examination by static code analysis;
- Regression testing, prior to code being introduced into production, designed to identify any potential security vulnerabilities.
- Tracking in a source control system;
- Deployment into production environments by different personnel than the ones who developed such code;
- Logical or physical separation of environments for development, testing, and production.
Prolio retains Customer Information only for as long as specified within the Agreement or Documentation, except to the extent that a longer retention period is required by applicable law or regulations.
Prolio securely disposes of Customer personal data in accordance with applicable law and the Agreement, in a manner that Customer personal data cannot be read or reconstructed.
Prolio securely disposes of Customer personal data in accordance with applicable law and the Agreement, in a manner that Customer personal data cannot be read or reconstructed.
Prolio’s information security framework includes practices and procedures such as asset management, access management, physical security, people security, network security, third-party security, product security, and vulnerability management, security monitoring and incident response. Information security policies and standards are approved by management and available to all Prolio employees.
Upon request, Prolio may provide APIs for the purpose of data retrieval by Customers for our Applications. For certain of our products, Customer may also be able to directly retrieve and export Customer data via the product interface.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
Prior to engaging with a new third party that may have access to Customer personal data, Prolio evaluates such third party’s data security standards using a qualification risk assessment and, if necessary at Prolio’s reasonable determination, maintains ongoing oversight of such third party in order to meet its information security standards. This includes measures replicating Prolio’s own assistance obligations towards Customer as indicated under the Data Processing Addendum.
For transfers to (sub-) processors, also describe the specific technical and organizational measures to be taken by the (sub-) processor to be able to provide assistance to the controller and, for transfers from a processor to a sub-processor, to the data exporter.
Prior to engaging with a new third party that may have access to Customer personal data, Prolio evaluates such third party’s data security standards using a qualification risk assessment and, if necessary at Prolio’s reasonable determination, maintains ongoing oversight of such third party in order to meet its information security standards. This includes measures replicating Prolio’s own assistance obligations towards Customer as indicated under the Data Processing Addendum.
Annex C
Standard Contractual Clauses
- This Annex is supplemental to, and should be read in conjunction with, the Standard Contractual Clauses. Any references to the ‘Clauses’ in this Annex should be read as references to the Standard Contractual Clauses.
- The data subject can enforce, as third-party beneficiary, this Paragraph 2 and Paragraph 4 of this Annex against the data importer in accordance with Clause 3 of the Clauses.
- The data importer shall reasonably assist the data exporter with the data exporter’s continuing assessment of the adequacy of the protection of the personal data in accordance with the requirements of the applicable data protection law.
- Upon receipt of any legally binding order or request for disclosure of the personal data by a law enforcement authority or other competent government authority, the data importer will, in accordance with and supplementing Clause 15 of the Clauses:
- use reasonable efforts to re-direct the relevant authority to request or obtain the personal data directly from the data exporter;
- in addition to promptly notifying the data exporter of the request or order pursuant to Clause 15.1(a) of the Clauses, use reasonable efforts to assist the data exporter in its efforts to oppose the request or order, if applicable; and
- In the event it is prohibited by applicable laws from notifying the data exporter of the request or order, use reasonable efforts to challenge such request or order.