Last updated: 2023-10-10
This Data Processing Agreement (“DPA”) applies to the provision of services by the Processor (as defined below) to the Controller (as defined below) if the Controller or if the Processor processes (as defined below) personal data (as defined below). This DPA is subject to and made part of the End-User License Agreement and Terms of Service and other agreement for services, if applicable (together, the “Agreement”), between the parties. By accepting the Agreement or using the services, the Controller agrees to this DPA. The “Processor” means Fox and Geese LLC, a Nevada limited liability company with its principal place of business at 5160 SW Dogwood Lane, Portland, OR, 97225, USA. The “Controller” means the other party to the Agreement and its affiliates. The Processor and the Controller, intending to be legally bound, agree as follows:
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended or supplemented from time to time. “Personal data,” “data subject,” “personal data breach,” “supervisory authority” and “processing” (and variations thereof) shall have the meanings assigned to them in the GDPR.
The Processor undertakes to process personal data on behalf of the Controller in accordance with the Agreement, this DPA and the documented instructions of the Controller, including Exhibit A attached hereto. The processing will be performed exclusively within the framework of the Agreement, and for all such purposes as may be agreed to subsequently.
Except as required by applicable law, the Processor shall not use the personal data for any purpose other than as specified by the Controller. The Controller will inform the Processor of any such purposes which may be prohibited by the GDPR.
All personal data processed on behalf of the Controller shall remain the property of the Controller and/or the applicable data subjects.
The Processor represents and warrants that it shall comply with applicable Privacy Laws to the extent applicable to a processor.
Upon reasonable request, the Processor shall furnish the Controller with reasonable information regarding the measures it has adopted to comply with its obligations under this DPA.
The Processor shall provide reasonable assistance to the Controller in fulfilling the Controller’s obligations under Articles 35-36 of the GDPR.
The Processor may process the personal data in countries outside the European Union. The Processor may transfer the personal data to a country outside the European Union provided that such country guarantees an adequate level of protection and it satisfies the other obligations applicable to it pursuant to this DPA or as otherwise provided by the GDPR, such as through the use of model clauses or the EU-U.S. or Swiss-U.S. Privacy Shield Frameworks.
The Processor shall only be responsible for processing the personal data under this DPA, in accordance with the Controller’s documented instructions which are the responsibility of the Controller.
The Controller represents and warrants that (i) it shall comply with all applicable data protection and privacy laws, including the GDPR (collectively, “Privacy Laws”), (ii) it has a documented valid legal basis for the processing of all personal data processed by the Processor, and (iii) all data processed by the Processor in accordance with this DPA and the Agreement is not unlawful and does not violate any rights of a third party.
The Controller shall indemnify, defend, and hold harmless the Processor and its affiliates, and its and their respective managers, directors, officers, employees and representatives from and against all out-of-pocket costs, expenses, fines, fees (including reasonable attorneys’ fees) arising from all third-party claims, demands, or proceedings arising from or related to any actual or alleged processing of personal data by the Processor on behalf of the Controller without a valid legal basis.
The Processor may engage any of its affiliates as sub-processors, and the Processor and the Processor’s affiliates may engage third-party sub-processors, provided that the Processor or the Processor affiliate has entered into an agreement with each such third-party sub-processor containing data protection obligations no less protective than those in this DPA with respect to the protection of the Controller’s personal data to the extent applicable to the nature of the portion of the services being provided in whole or in part by such third-party sub-processor.
A list of current sub-processors is available as Exhibit B. If the Processor adds new sub-processors under the general authorization set forth in this clause then the Processor shall notify the Controller by updating Exhibit B. The Controller’s continued use of the Processor’s services after such notice shall constitute the Controller’s consent to the new sub-processors, unless the Controller objects pursuant to the paragraph below.
The Controller may reasonably object to the Processor’s use of a new sub-processor by notifying the Processor in writing within fifteen (15) days of the Processor’s notice pursuant to the paragraph above. If the Controller objects to any such new sub-processor(s), then the Processor may terminate the Agreement upon written notice to the Controller without further liability to the Controller.
The Processor shall be liable for the acts and omissions of its sub-processors to the same extent as if the Processor were performing the services of each sub-processor directly under the terms of this DPA.
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, as defined by Article 4 of the GDPR. Such notice shall include, to the extent reasonably available to the Processor, the information required for the Controller to fulfill its obligations under Articles 33 and 34 of the GDPR.
The Controller shall be responsible for complying with Articles 33 and 34 of the GDPR. However, the Processor shall provide reasonable assistance in accordance with the GDPR in notifying the relevant supervisory authorities and/or data subjects.
The Processor shall implement and maintain appropriate technical and organizational measures as required by Article 32 of the GDPR that are designed to ensure a level of security appropriate to the risk, including, as appropriate, pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of systems, the ability to restore the availability of personal data in a timely manner in the event of a physical or technical incident, and a process for regularly evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Processor does not guarantee that such technical and organizational measures are effective under all circumstances. The Processor will ensure that such technical and organizational measures are appropriate to the risk, taking into account the state of the art, the sensitivity of the personal data, and the costs and operational impact related to such technical and organizational measures.
The Controller will only make the personal data available to the Processor if it is assured that the necessary technical and organizational measures have been taken.
The Processor will provide assistance to the Controller in fulfilling the Controller’s obligations under Article 32 of the GDPR by making information reasonably available to the Controller.
If a data subject contacts the Processor with respect to the data subject rights under the GDPR, the Processor shall instruct the data subject to contact the Controller. The Controller shall be responsible for complying with such data subject’s rights requests under the GDPR. The Processor will provide assistance by making the functionality of the system available to the Controller.
The Processor shall implement and maintain technical and organizational measures designed to ensure the confidentiality of the personal data to the extent required by the Agreement or contemplated by the services provided by the Processor to the Controller. All persons authorized to process personal data by the Processor shall have committed themselves to confidentiality where applicable.
The Processor shall permit the Controller (or its appointed third-party auditors) to audit the Processor’s compliance with this DPA, and shall make available to the Controller information, systems, and staff reasonably necessary for the Controller to conduct such audit. Such audit shall be conducted at the Processor’s place of business, provided that the Controller gives the Processor a minimum of 30 (thirty) days prior written notice of its intention to perform such audit, the auditors conduct the audit during the Processor’s normal business hours, and the auditors take all reasonable measures to prevent unnecessary disruption to the Processor’s operations. The Controller may not request more than one audit in any twelve (12) calendar month period. The Controller agrees to treat all information acquired during the course of any audits and audit results as confidential information of the Processor and maintain the confidentiality of such information to the same nature and extent that the Controller maintains its own confidential information.
Additionally, a supervisory authority may conduct an audit to the extent required by the GDPR.
Audits conducted under this Agreement will be at the Controller’s expense.
The Processor shall, at the Controller’s choice, destroy or return to the Controller all personal data in the Processor’s possession after the Agreement terminates or expires for any reason, unless otherwise required by applicable law.
This DPA is entered into for the duration set out in the Agreement. This DPA shall automatically terminate upon the later of (i) the termination or expiration of the Agreement, or (ii) no personal data of the Controller is in the custody or control of the Processor.
The parties will reasonably cooperate with each other to amend this DPA as necessary to comply with applicable new privacy legislation or regulations.
This DPA shall be governed by the laws of the jurisdiction specified in the Agreement. Venue for any dispute arising between the parties in connection with this DPA shall be in the courts of the jurisdiction specified in the Agreement.
This DPA shall be construed to enable the parties to be compliant with the terms of the GDPR.