GDPR: Data Processing Addendum
Last updated: 28 August 2018
The customer agreeing to this addendum (the “Customer”) and AccelGrid Technologies, Inc. (“AccelGrid”), a company incorporated and registered in the USA (each a “Party”, together the “Parties”), have entered into an agreement which permits the Customer to use the AccelGrid business management software service (the “Service”), on the terms and subject to the conditions of the AccelGrid Terms and Conditions as amended from time to time, which can be found on the AccelGrid website at https://www.accelgrid.com/terms-of-service (the “Terms and Conditions”).
This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Terms and Conditions. All processing of Customer Personal Data (as defined below) by AccelGrid on behalf of the Customer will be carried out in accordance with this DPA. The Customer’s continued usage of the Service after the Effective Date (as defined below) constitutes acceptance of this DPA.
1. Effect of the Data Processing Addendum
1.1 This DPA is an addendum to and forms part of the Terms and Conditions.
1.2 This DPA contains all relevant terms relating to how AccelGrid handles the personal data (data that can be used to identify, locate or contact a natural person) provided to it by the Customer about other natural persons—for example, the Customer’s users or employees (the “Customer Personal Data”). It does not cover how AccelGrid processes personal data about the Customer themselves.
1.3 Save as set out explicitly in this DPA, the Terms and Conditions will remain unchanged.
2. Term and termination
2.1 This DPA will take effect on the last modified date or on the first day of the Customer’s subscription to the Service, whichever is later (the “Effective Date”).
2.2 This DPA will survive the end of the Customer’s subscription period or the termination of the Terms and Conditions. It will terminate when all the Customer Personal Data has been deleted as described in this DPA.
3. Applicability of data protection legislation
The European Union Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) applies to the processing of Customer Personal Data by AccelGrid if these processing activities relate to:
3.1 an establishment of the Customer in the European Union (“EU”), European Economic Area (“EEA”), Switzerland or the United Kingdom;
3.2 offering goods or services to data subjects in the EU, EEA, Switzerland or the United Kingdom; and/or
3.3 monitoring the behavior of data subjects in the EU, EEA, Switzerland or the United Kingdom as far as the behavior takes place within these areas,
3.4 (together the “GDPR Activities”).
4. Data processing
4.1 For the purposes of the PDPA and this DPA, AccelGrid is a data intermediary.
4.2 In respect of any GDPR Activities, AccelGrid is a data processor of the Customer Personal Data, while the Customer may be either a data controller or data processor.
4.3 If any other data protection or privacy law applies to any processing of Customer Personal Data, each Party will comply with their obligations under such law.
4.4 In respect of any GDPR Activities, if the Customer is a data processor, the Customer warrants to AccelGrid that they have all necessary instructions and authorizations from the data controller to appoint AccelGrid as a data sub-processor of the Customer Personal Data.
4.5 AccelGrid will only process Customer Personal Data on the instructions of the Customer unless required by law to act without such instructions.
4.6 The Customer, by entering into this DPA, instructs AccelGrid to process Customer Personal Data as follows:
4.6.1 to provide the Service to the Customer;
4.6.2 as further instructed by the Customer by its use of the Service, including by instructions given on the AccelGrid user interface, by the uploading of CSV files to the AccelGrid Service, or importing data from other services;
4.6.3 as set out in the Terms and Conditions and this DPA; and
4.6.4 as otherwise instructed in writing by the Customer which AccelGrid acknowledges to be instructions for the purposes of this DPA.
4.7 AccelGrid will process Customer Personal Data in accordance with the Customer’s instructions and in accordance with the following precise scope:
4.7.1 Subject matter: Providing the Service to the Customer pursuant to the Terms and Conditions, and as further instructed by the Customer in its use of the Service.
4.7.2 Duration: The length of the Customer’s subscription to the Service, and for a limited period afterward in accordance with the terms of this DPA, until this DPA is terminated after all Customer Personal Data has been deleted.
4.7.3 Nature and purpose: As necessary to provide the Service to the Customer, and as further instructed by the Customer in its use of the Service.
4.7.4 Types of personal data: The Customer may submit Customer Personal Data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) the following types of personal data:
b) contact information;
c) position and organization, and
d) ID data.
4.7.5 Categories of data subjects: The Customer may submit Customer Personal Data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) personal data on the following categories of data subjects, who are in all cases natural persons:
a) the Customer’s end-users, customers, suppliers, and business partners;
b) employees and points of contact of the Customer’s end-users, customers, suppliers, and business partners;
c) the Customer’s employees, agents, advisors, and contractors; and
d) the Customer’s authorized users of the Service.
4.8 All processing of Customer Personal Data will be carried out by trusted employees, staff, agents, contractors, service providers, and sub-processors who will be subject to a duty of confidence.
5. Data retention and deletion
Deletion by the customer
5.1 The Customer may delete Customer Personal Data in a manner consistent with the functionality of the Service during the term of service. If the Customer uses the Service to delete any Customer Personal Data such that it cannot be recovered by the Customer, this will constitute an instruction to AccelGrid to delete the relevant Customer Personal Data from its systems in accordance with applicable law. AccelGrid will comply with this instruction as soon as reasonably practicable unless required by law to retain the data.
5.2 If the Customer wishes to delete Customer Personal Data that cannot be deleted via the Service, the Customer should send a deletion request to [email protected]. AccelGrid will strive to respond to all such requests as soon as reasonably practicable.
Deletion on termination
5.3 If the Customer ceases to subscribe to and use the Service, the Customer’s account will be suspended until such time that:
5.3.1 the Customer resumes their subscription to the Service;
5.3.2 the Customer otherwise informs AccelGrid that they wish to permanently terminate their relationship with AccelGrid; or
5.3.3 AccelGrid, at its sole discretion, permanently discontinues access to the Customer’s account in accordance with the Terms and Conditions.
5.4 If the Customer informs AccelGrid that they wish to permanently terminate their relationship with AccelGrid pursuant to clause 5.3.2, they will be taken to have instructed AccelGrid to delete or anonymize all Customer Personal Data (including existing copies) from AccelGrid’s systems in accordance with applicable law. AccelGrid will comply with this instruction as soon as reasonably practicable unless required by the applicable law to retain the data.
5.5 If AccelGrid permanently discontinues access to the Customer’s account, all Customer Personal Data will be deleted or anonymized unless AccelGrid is required by the applicable law to retain the data.
6. Data security
6.1 AccelGrid will take reasonable steps to ensure that Customer Personal Data is treated securely and to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks, and to meet its obligations as set out in Article 32 of the GDPR.
6.2 AccelGrid cannot guarantee that unauthorized parties will not gain access to Customer Personal Data. To the extent permitted by applicable law, AccelGrid expressly excludes any liability arising from any unauthorized access to Customer Personal Data.
Review of security documentation
6.3 In respect of any GDPR Activities only, AccelGrid will provide the Customer with available information on its security processes as necessary to ensure that both Parties are meeting their obligations under this DPA and as set out in Article 28 of the GDPR.
Security audits and inspections
6.4 In respect of any GDPR Activities only, AccelGrid will permit the Customer or an independent auditor appointed by the Customer, who must be approved by AccelGrid in accordance with clause 10, to conduct reasonable audits and inspections to verify compliance with its obligations under this DPA and as set out in Article 28 of the GDPR.
Data Protection Impact Assessments (“DPIA”)
6.5 The Customer agrees and acknowledges that AccelGrid will assist the Customer in conducting any DPIAs by providing them with this DPA and available information on security processes in accordance with clause 6.3 for review.
7. Incidents and notification
7.1 AccelGrid will inform the Customer as soon as reasonably practicable if it is asked to engage in any activity that may infringe the PDPA, GDPR or other applicable law.
7.2 If AccelGrid becomes aware of any data breaches or security incidents that impact Customer Personal Data, except for data breaches or security incidents caused by the Customer’s own actions, it will notify the Customer as soon as reasonably practicable and without undue delay. AccelGrid will take reasonable steps to mitigate the consequences of any data breaches or security incidents so as to minimize the impact to Customer Personal Data.
7.3 Notice of any data breaches or security incidents pursuant to this clause 7 does not constitute an admission of responsibility by AccelGrid.
8. Rights of data subjects
8.1 AccelGrid will pass on to the Customer any requests it receives from data subjects and the Customer’s end users to exercise any data rights. The Customer accepts and acknowledges that it is the Customer’s responsibility to respond to any data rights requests with the data subjects and end-users directly, or to instruct the relevant data controller to respond to these requests, as the case may be.
8.2 AccelGrid will, taking into account the nature of the processing activity, assist the Customer in responding to such data rights requests by building appropriate functionality into the Service—such as the ability to delete and amend Customer Personal Data. The Customer agrees to exhaust all possible means of responding to a data subject’s data rights request using the Service’s functionality before contacting AccelGrid for help to respond to such requests by email at [email protected]. AccelGrid reserves the right to refuse assistance if, in its sole discretion, the Customer is able to respond to the data rights request using the Service’s functionality. AccelGrid reserves the right to reimbursement from the Customer of reasonable costs incurred by AccelGrid in providing assistance to the Customer under this clause 8.2.
9. International data transfers
9.1 AccelGrid Technologies, Inc. is a company incorporated and registered in the USA. Most Customer Personal Data is stored in the United States of America; however, some data sub-processors might have data centers and storage facilities in other jurisdictions.
9.2 If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EU, EEA, Switzerland, and/or the United Kingdom, AccelGrid will, if requested to do so by the Customer, ensure that AccelGrid Technologies, Inc. as the data importer of the transferred Customer Personal Data enters into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) with the Customer as the data exporter of such personal data, and that the transfers are made in accordance with such model contract clauses.
9.3 The Customer agrees that if the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EU, EEA, Switzerland, and/or the United Kingdom and if under the GDPR AccelGrid reasonably requires the Customer to enter into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) in respect of such transfers, the Customer will do so, failing which AccelGrid reserves the right to terminate the Customer’s subscription.
10.1 If the Customer wishes to carry out an audit and/or inspection in accordance with clause 6.4, it must notify AccelGrid by sending an audit and/or inspection request to firstname.lastname@example.org.
10.2 On receipt by AccelGrid of a request under clause 10.1, AccelGrid and the Customer will discuss and agree in advance on:
10.2.1 the identities of the auditors and/or inspectors, be they the Customer’s own personnel or parties appointed by the Customer;
10.2.2 a reasonable date and time to carry out the audit and/or inspection;
10.2.3 the scope and duration of the audit and/or inspection;
10.2.4 confidentiality obligations of the Customer that are a pre-condition for carrying out any audit and/or inspection; and
10.2.5 the amount of any reasonable fees and charges to be borne by the Customer to cover AccelGrid’s costs of the audit and/or inspection.
10.3 The Customer is responsible for all of their own costs in relation to any audit and/or inspection, including the cost of any third-party auditor appointed by the Customer.
10.4 AccelGrid may object to the appointment of any auditor appointed by the Customer if the auditor is, in AccelGrid’s reasonable opinion, not suitably qualified or independent, a competitor of AccelGrid, or otherwise unsuitable.
11.1 The Customer acknowledges and accepts that some processing of Customer Personal Data may be carried out by trusted sub-processors.
11.2 The Customer specifically authorizes AccelGrid to engage the following sub-processors:
11.2.1 all AccelGrid entities, including entities directly or indirectly controlled by, or under common control with AccelGrid Technologies, Inc.; and
11.2.2 the sub-processors listed below as at the Effective Date.
11.3 AccelGrid will engage new sub-processors from time to time. When it does, AccelGrid will ensure that it enters into written contracts with these sub-processors. The written contract will stipulate, among other things, that:
11.3.1 the sub-processor only has access to Customer Personal Data necessary to perform its obligations under their agreement with AccelGrid;
11.3.3 in respect of any GDPR Activities only, that the data protection obligations set out in Article 28(3) of the GDPR are imposed on the sub-processor.
11.4 AccelGrid will notify all Customers when it engages a new sub-processor at least 14 days before any Customer Personal Data is handed to the sub-processor for processing. If the Customer wishes to object to the engagement of any sub-processor, the Customer must terminate their subscription and stop using the Service permanently. The Customer acknowledges and accepts that this is their sole and exclusive remedy to object to AccelGrid’s engagement of any new sub-processor. If this remedy is exercised, AccelGrid’s provision of the service to the Customer will terminate on the eve of the date where the sub-processor begins to process Customer Personal Data or the last date of the Customer’s existing commitment period, whichever is earlier. The Customer remains responsible for payment of all subscription charges up to the last day of Service, to be calculated pro-rata.
12. Limitation of liability
12.1 AccelGrid and all AccelGrid entities’ aggregate liability to the Customer, arising out of or related to this DPA, shall be subject to the “Limitation of Liability” section of the Terms and Conditions. Any reference in such section of the Terms and Conditions to the liability of AccelGrid means the aggregate liability of AccelGrid and all AccelGrid entities under the Terms and Conditions and this DPA.
13.1 The term “data intermediary” as used in this DPA has the meaning given in the PDPA.
13.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this DPA have the meanings given in the GDPR.
13.3 This DPA, and this clause, is governed by the laws of Delaware, USA. The Parties agree to submit to the exclusive jurisdiction of the courts of Delaware, USA.
List of Subprocessors
Last updated: 20 August 2020
- DigitalOcean, LLC. (Cloud Service Provider)
- Mailgun Technologies, Inc. (Email Delivery Service)
- Stripe, Inc (Payment Gateway)