1. Data Protection
1.1 FormAssembly (the data processor) is appointed by Subscriber (the data controller) to process Subscriber Personal Data on behalf of Subscriber (or a User or an Affiliate of Subscriber, as applicable) only as is necessary to provide the Services and as may subsequently be agreed by the parties in writing.
1.3 The categories of Subscriber Personal Data to be processed by FormAssembly and the processing activities to be performed under this Agreement are set out in Schedule 1. Subscriber has sole responsibility for the accuracy, quality
- it has complied with its obligations under the Data Protection Laws in respect of the collection, use, and transfer of Subscriber Personal Data and will identify and inform FormAssembly of any other data controller in respect of the Subscriber Personal Data;
- it is able to document and evidence its compliance with its obligations under the Data Protection Laws;
- no Subscriber Personal Data provided or transferred to FormAssembly constitutes a special category of Personal Data pursuant to Article 9 of the GDPR or Personal Data relating to criminal convictions and offenses pursuant to Article 10 of the GDPR;
- it is authorized to give instructions and otherwise act on behalf of its Users or Affiliates in relation to such Subscriber Personal Data and to bind its Users or Affiliates to the terms of this Exhibit; and
- the quantity of Subscriber Personal Data provided to FormAssembly is the minimum necessary for the performance of the Services pursuant to the Agreement.
1.4 FormAssembly agrees in respect of Subscriber Personal Data that it shall, in all material respects:
1.4.1 only process Subscriber Personal Data in accordance with this Exhibit and the Agreement (and not otherwise unless alternative processing instructions are agreed between the parties in writing), unless required to do otherwise by EU law or the national law of an EU member state to which FormAssembly is subject, in which event FormAssembly shall inform Subscriber of the legal requirement before processing Subscriber Personal Data other than in accordance with Subscriber's instructions, unless that applicable law prohibits FormAssembly from doing so. If FormAssembly believes that any instruction received by it from Subscriber is likely to infringe the Data Protection Laws, it shall promptly notify Subscriber and shall be entitled to cease to provide the relevant Services until the parties have agreed appropriate amended instructions such that the relevant Services are not infringing;
1.4.2 implement, maintain, and comply with the minimum security requirements set out in Schedule 2. Subscriber agrees that FormAssembly may from time to time, upon reasonable prior written notice, change the minimum security requirements set out in Schedule 2, provided that any such changes do not materially reduce the level of security and protection for Subscriber Personal Data required pursuant to clause 1.4.7;
1.4.3 not publish, disclose, or divulge Subscriber Personal Data to a third party unless Subscriber has given its prior written consent;
1.4.4 ensure that only those FormAssembly personnel who are required to assist FormAssembly in meeting its obligations under this Agreement will have access to Subscriber Personal Data, ensure that such personnel, prior to such access, meet and remain in compliance with the Privacy and Confidentiality of Information requirements of the Agreement, and take reasonable steps to ensure the reliability of such personnel;
1.4.5 at Subscriber's cost and taking into account the nature of the processing, provide reasonable cooperation to Subscriber to allow Subscriber (or an Affiliate of Subscriber) to comply with its obligations as a Data Controller;
1.4.6 at Subscriber's cost and at Subscriber's option, following the end of the provision of Services pursuant to the Agreement, either return or delete all Subscriber Personal Data in the possession or control of FormAssembly, except to the extent that any applicable law requires FormAssembly to store or retain copies of such Subscriber Personal Data. For the avoidance of doubt, this requirement to return or delete Subscriber Personal Data shall not apply to Subscriber Personal Data which is archived on FormAssembly's backup systems; and
1.4.7 provide an adequate level of security and protection for Subscriber Personal Data in accordance with the requirements of the Data Protection Laws.
1.5 FormAssembly may appoint third parties to process Subscriber Personal Data (“Subprocessors”) subject to FormAssembly:
- providing reasonable prior notice to Subscriber of the identity and location of the Subprocessor and a description of the intended processing to be carried out by the Subprocessor reasonably sufficient to enable Subscriber to evaluate any material risks to Subscriber Personal Data; and
- imposing legally binding contract terms on the Subprocessor which are the same as those contained in this Exhibit including the referenced Schedules.
1.6 Within 30 days of being informed of the appointment of the new Subprocessor, Subscriber may object to the appointment in writing to FormAssembly. If Subscriber objects, FormAssembly shall use its reasonable endeavors to resolve Subscriber’s objection. If Subscriber’s objection cannot be reasonably accommodated, either party may terminate the Agreement upon 30 days’ prior written notice. This is Subscriber’s sole and exclusive remedy.
1.7 Subscriber authorizes the appointment of the Subprocessors listed below:
- Amazon Web Services
- IBM Cloud
1.8 FormAssembly acknowledges and agrees that it shall remain liable to Subscriber for a breach of the terms of this Agreement by a Subprocessor appointed by it.
1.9 FormAssembly shall, in accordance with the Data Protection Laws, make available to Subscriber upon reasonable request such information that is in FormAssembly's possession or control as is necessary to demonstrate FormAssembly's compliance with this Exhibit (including the referenced Schedules) and to demonstrate compliance with the obligations imposed on each party by Article 28 of the GDPR (and by any provision of other Data Protection Laws equivalent to that Article 28).
1.10 Subject to a maximum of [one] audit request in any 12 month period, FormAssembly shall, upon reasonable prior notice, allow for and contribute to audits conducted by Subscriber (or another auditor mandated by Subscriber) for the purpose set out in Section 1.9, provided Subscriber (or such other auditor mandated by Subscriber) is bound by appropriate obligations of confidentiality. For the purpose set out in Section 1.9, Subscriber may perform an on-site audit, at its own expense, if and only if (a) FormAssembly notifies Subscriber of a Security Breach, (b) Subscriber reasonably believes FormAssembly is not in compliance with its data security obligations under this Exhibit including the referenced Schedules, or (c) an on-site audit is required by the Data Protection Laws. To the extent permissible under the Data Protection Laws, FormAssembly may satisfy an audit request by providing Subscriber with a copy of an independent audit report (which may be redacted as reasonably necessary to ensure confidentiality).
2. Security Breaches
FormAssembly shall notify Subscriber without undue delay after becoming aware of any confirmed accidental, unauthorized, or unlawful destruction, loss, alteration, or disclosure of, or access to, Subscriber Personal Data ("Security Breach").
At Subscriber's cost, FormAssembly agrees to provide such assistance as is reasonably required by Subscriber to enable Subscriber to respond to any request, complaint, or binding instruction that is received from: (a) any living individual whose Personal Data is processed by FormAssembly on Subscriber's behalf; (b) any regulator or data protection authority; or (c) any independent recourse mechanism that Subscriber elects to adopt under the Privacy Shield or any arbitration panel set up under the Privacy Shield Framework.
4. Data Transfers
4.1 FormAssembly shall not process Subscriber Personal Data outside the EEA (including by way of remote access) without the prior written consent of Subscriber.
4.2 Subscriber hereby consents to Subscriber Personal Data being processed outside the EEA, subject to FormAssembly’s compliance with Section 4.3 and Section 4.4 below throughout the duration of the Agreement.
4.3 To the extent that Subscriber Personal Data is processed outside the EEA and/or Switzerland,
- the transfer shall be governed by and is within the scope of FormAssembly’s certification to the Privacy Shield. FormAssembly shall at all times for the purposes of this Exhibit: (a) maintain a “current” Privacy Shield certification status with the U.S. Department of Commerce related to its processing of Subscriber Personal Data and remain at all times in compliance with the requirements of the Privacy Shield and the Privacy Shield Principles; and (b) provide Subscriber with ninety (90) days written notice prior to any date on which FormAssembly’s “current” certification status with the U.S. Department of Commerce ends and, in such case, FormAssembly shall promptly execute any supplemental privacy and security terms with Subscriber or its Affiliates as Subscriber may direct in its sole judgment, including but not limited to European Commission standard contractual clauses.
4.4 If, for whatever reason, the transfer of Subscriber Personal Data under Section 4.3 above ceases to be lawful, the parties shall use reasonable endeavors to promptly implement an alternative lawful transfer mechanism.
5.1 Each party’s liability for one or more breaches of this Exhibit shall be subject to the limitations and exclusions of liability set out in the Agreement. In no event shall either party’s liability for a breach of this Exhibit exceed the liability cap set out in the Agreement.
5.2 Neither party limits or excludes any liability that cannot be limited or excluded under applicable law.
6. General Terms
6.1 Nothing in this Exhibit reduces FormAssembly’s obligations under the Agreement in relation to the protection of Subscriber Personal Data or permits FormAssembly to process (or permit the processing of) Subscriber Personal Data in a manner which is prohibited by the Agreement.
6.2 Subject to Section 6.1, with regard to the subject matter of this Exhibit, in the event of inconsistencies between the provisions of this Exhibit and any other agreements between the parties, including the Agreement and including (except where explicitly agreed otherwise in writing, signed on behalf of the parties) agreements entered into or purported to be entered into after the date of this Exhibit, the provisions of this Exhibit shall prevail.
6.3 Either party may by at least 30 calendar days’ written notice to the other from time to time propose any variations to this Exhibit which that party reasonably considers to be necessary to address the requirements of the Data Protection Laws. If such notice is given, the parties shall promptly discuss the proposed variations and negotiate in good faith with a view to agreeing and implementing those or alternative variations designed to address the requirements identified in the notice as soon as reasonably practicable.
7.1 "Affiliate" means any entity in which the party owns, either directly or indirectly, more than 50% of the equity interest or voting stock, or equivalent, in such entity, or which controls, is controlled by or is under common control with such party, whether such entity is now existing or subsequently created or acquired during the term of the Agreement.
7.2 The terms “Data Controller”, “Data Processor”, “Personal Data”, “data subject”, “supervisory authority”, “process” and “processing” have the meanings given to them under all applicable Data Protection Laws from time to time.
7.3 “Data Protection Laws” means any applicable law relating to the processing, privacy and use of Personal Data, as applicable to either party or the Services, including:
- the EU Data Protection Directive (95/46/EC) and/or the EU General Data Protection Regulation (2016/679) (“GDPR”) and/or the UK Data Protection Act 1998;
- any laws which implement any such laws in each applicable jurisdiction; and
- any laws that replace, extend, re-enact, consolidate or amend any of the foregoing.
7.4 “Subscriber Personal Data” means any Personal Data processed by FormAssembly (and its Subprocessors (if applicable)) on behalf of the Subscriber or its Affiliates pursuant to or in connection with the Agreement.
7.5 “Privacy Shield” means the EU-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of July 12, 2016.
7.6 “Privacy Shield Principles” means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of July 12, 2016 (as may be amended, superseded, or replaced).
Schedule 1: Description of Personal Data Processing
The data processing activities carried out by FormAssembly under this Agreement may be described as follows:
1. Subject Matter
1.1 [Provide a brief description of the subject matter of the processing, i.e. the subject matter of the Service Agreement as it involves personal data (e.g. the provision of IT support, hosting services, payroll)]
2. Duration
2.1 [Insert duration of the processing]
3. Nature and Purpose
3.1 [Describe the type of processing and its purpose(s), e.g. hosting, analysis for the purposes of tailored content, disaster recovery. There will be some overlap with the "Subject Matter", but more detail should be included here]
4. Data Categories
4.1 [Insert the categories of personal data which are subject to the processing, e.g. cell phone numbers, IP addresses, photographs, communications data]
[The Personal Data transferred concern the following categories of data:]
5. Data Subjects
5.1 [Insert the categories of data subjects who are subject to the processing, e.g. users, employees]