Data Processing Addendum

Effective Date: Dec 15, 2022

This Addendum comprises a variation of, and is supplemental to, the End User License Agreement (the “EULA”) for the provision of Software as set out in the EULA (the “Services”). In the event of any conflict between the EULA and this Addendum, the terms and conditions of this Addendum shall control. Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the EULA will apply to this Addendum and remain in full force and effect.

​

This Addendum shall come into force on the Effective Date and shall remain in force until the termination or expiry of the EULA.

​

1 Definitions

​

1.1 “Applicable EU Law” means any applicable law of the European Union (or the law of one or more of the Member States of the European Union).

 

1.2 “California Privacy Law” means, as applicable, the California Consumer Privacy Act and related regulations and, when effective, the California Privacy Rights Act and related regulations.

 

1.3 “CPA” means, when effective, the Colorado Privacy Act and related regulations.

 

1.4 “Data Processing Particulars” means in relation to any Processing under this Addendum:

a) the subject matter and duration of the Processing;

b) the nature and purpose of the Processing;

c) the type of the Personal Information being Processed; and

d) the categories of Data Subjects.

 

1.5 “PIPEDA” means the Personal Information Protection and Electronic Documents Act, SC 2000, c.5.

 

1.6 “Privacy Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Information.

 

1.7 “Privacy Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation or other binding restriction (as amended, consolidated or re-enacted from time to time) governing the Processing or protection of Personal Information, including for example, and without limitation, EU GDPR and Directive 2002/58/EC, UK GDPR, PIPEDA, California Privacy Law, the VCDPA, and the CPA.

 

1.8 “Processing”, “Processed” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion and/or management of Personal Information.

 

1.9 “Supervisory Authority” means an independent public authority that is established by an EU Member State to monitor the application of the EU GDPR or by the United Kingdom to monitor the application of the UK GDPR.

 

1.10 “UK GDPR” means the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)) and the UK Data Protection Act 2018 (as amended).

 

1.11 “VCDPA” means, when effective, the Virginia Consumer Data Protection Act.

 

1.12 Unless otherwise provided, a capitalised term that is not defined in this Addendum shall have the meaning given to it in the EULA, and the words and expressions in, and the rules of interpretation of, the EULA shall have the same meaning in this Addendum.

 

2 Data Processing and Security Responsibilities

 

2.1 Customer and Service Provider shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum.

​

2.2 Customer agrees that it has:

​

a) made and shall maintain all necessary registrations and notifications as required in order to permit Service Provider to perform its obligations and exercise its rights under this Addendum;

 

b) obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Service Provider to perform its obligations and exercise its rights under this Addendum, and shall inform Service Provider immediately if any such consents are withdrawn;

 

c) ensured and shall continue to ensure that all Personal Information Processed by Service Provider is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Service Provider to perform its obligations and exercise its rights under this Addendum;

 

d) ensured and shall continue to ensure that there are valid legal bases to enable Service Provider to Process Customer’s Personal Information;

 

e) Processed and will continue to Process the Personal Information in accordance with all applicable Privacy Laws.

 

2.3 In the course of Processing Personal Information on behalf of Customer, Service Provider shall:

 

a) except as otherwise permitted herein, only use, disclose, transfer, retain, and otherwise Process Personal Information as reasonably necessary for the purposes of rendering the Services and as otherwise instructed by Customer in writing from time to time or as otherwise required or permitted by applicable Privacy Law, and not Process any Personal Information in any other manner without the express prior authorization of Customer unless required to do so by applicable law;

 

b) as soon as reasonably practicable, inform the Customer if, in Service Provider’s opinion, any instruction received from the Customer infringes Applicable EU Law;

 

c) not disclose any Personal Information to any third party without the prior authorization of Customer (under this Addendum or otherwise) unless required to do so under applicable law (in which case clause e) below shall apply);

 

d) not “sell” the Personal Information within the meaning of California Privacy Law, the VCDPA, or the CPA, and not “share” the Personal Information within the meaning of the California Consumer Rights Act;

 

e) where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest); 

 

f) promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under Privacy Laws, and redirect the individual to make its request directly to Customer; (ii) provide reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, erase or restrict the processing of Personal Information; (iii) complaint received by Service Provider either from an individual or a Supervisory Authority relating to the Processing of Personal Information, and (iv) order, demand or warrant purporting to compel the production of any Personal Information;

​

g) implement reasonable and appropriate physical, technical, administrative and organizational security procedures and practices appropriate to the sensitivity of the Personal Information, to protect the Personal Information against loss, theft, destruction, alteration and unauthorized or unlawful access, use or disclosure, as would allow Service Provider to ensure the ongoing confidentiality, integrity and availability of Processing systems and services;

​

h) limit access to Personal Information only to those employees and authorized agents of Service Provider who need to have access to the Personal Information and solely for the purposes set out in this Addendum;

​

i) ensure or cause each of the employees and permitted contractors of Service Provider to agree to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum;

​

j) provide reasonable assistance, at Customer’s cost and request, to Customer in connection with Customer’s obligations under Privacy Laws, including:

     (i) obligations relating to ensuring the security and integrity of Personal Information;

     (ii) obligations relating to notifications and communication of Privacy Breaches as required by Privacy Laws to the Supervisory Authority and/or any affected individuals; and

     (iii) undertaking any Data Protection Impact Assessments that are required by Privacy Laws and, where necessary, consulting with the relevant Supervisory Authority in respect of any such Data Protection Impact Assessments;

​

k) otherwise comply with Privacy Laws applicable to the Processing by Service Provider; and

​

l) notify Customer if Service Provider determines it can no longer meet its obligations under applicable Privacy Laws.

 

3 Sub-processing

 

Customer hereby consents to SheetWhiz’s engagement of Subprocessors in connection with the processing of the Personal Data. SheetWhiz will enter into written agreements with each Subprocessor containing reasonable provisions relating to the implementation of technical and organizational measures. Upon written request, SheetWhiz will make the list of applicable Subprocessors available to Customer. Customer may reasonably object to any new Subprocessor, in which case SheetWhiz will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Subprocessor. If SheetWhiz is unable to provide an alternative, then Customer may terminate the Services impacted by the Subprocessor.

 

4 Security Breach Notification

 

4.1 Service Provider will do as follows:

​

(i) notify Customer without undue delay upon Service Provider becoming aware of a Privacy Breach;

​

(ii) Provider may investigate the Privacy Breach and provide Customer with detailed information about the Privacy Breach;

 

(iii) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident; and

 

(iv) comply with laws applicable to a Privacy Breach.

 

4.2 Customer is solely responsible for complying with its obligations under incident notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Privacy Breach. SheetWhiz shall reasonably assist Customer in fulfilling Customer’s obligation under applicable law or regulation to notify the relevant Supervisory Authority and data subjects about such Privacy Breach.

 

4.3 SheetWhiz’s notification of or response to a Privacy Breach under this section is not an acknowledgement by SheetWhiz of any fault or liability with respect to the Privacy Breach.

 

5 Data Transfers

Customer acknowledges and agrees that in the course of providing the Services to Customer, Service Provider may transfer Personal Information that is subject to Applicable EU Law to sub-processors in countries outside of the European Economic Area (“EEA”). 

​

6 Governing Law and Jurisdiction of Addendum

 

6.1 This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the laws specified in the Terms of Service.

 

6.2 The Customer and Service Provider agree that the courts specified in the Terms of Service shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Addendum or its subject matter or formation (including non-contractual disputes or claims).
