DATA PROTECTION AGREEMENT

Effective Date: March 14th, 2021
Last Updated on: August 16th, 2023
This Data Protection Agreement ("Addendum") forms part of the Terms of Service ("Terms") between (i) Visdum Tech Inc. ("Visdum Tech") and (ii) You, each being a “Party” and together the “Parties”.

The Parties hereby agree that the terms and conditions set out below shall be added as an Addendum to the Terms and references in this Addendum to the Terms are to the Terms as amended by, and including, this Addendum.

1. Definitions

1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

"Addendum Effective Date" has the meaning given to it in section 2;  
"Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with either Client or Visdum Tech (as the context allows), where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;  
"Client Personal Data" means any Personal Data Processed by Visdum Tech (i) on behalf of Client (including for the sake of clarity, any Client Affiliate), or (ii) otherwise Processed by Visdum Tech, in each case pursuant to or in connection with instructions given by Client in writing, consistent with the Terms;  
"Controller to Processors" means the Standard Contractual Clauses (processors) for the purposes of Article 26(2) of Directive 95/46/EC set out in Decision 2010/87/EC as the same are revised or updated from time to time by the European Commission;  
"Data Protection Laws" means (i) Directive 95/46/EC and, from May 25, 2018, Regulation (EU) 2016/679 ("GDPR") together with applicable legislation implementing or supplementing the same or otherwise relating to the processing of Personal Data of natural persons, and (ii) to the extent not included in sub-clause (i), the Data Protection Act 1998 of the United Kingdom, as amended from time to time, and including any substantially similar legislation that replaces the DPA 1998;  
"Privacy Shield" means the EU-US Privacy Shield Framework; and  
"Services" means the services to be supplied by Visdum Tech to Client or Client Affiliates pursuant to the Terms.

1.2 The terms "Controller", "Data Subject", "Personal Data", "Personal Data Breach", "Process", "Processor" and “Supervisory Authority” have the same meanings as described in applicable Data Protection Laws, and cognate terms shall be construed accordingly.

1.3 Capitalized terms not otherwise defined in this Addendum shall have the meanings ascribed to them in the Terms.

2. Formation of this Addendum

This Addendum is deemed agreed by the Parties and comes into effect on the “Addendum Effective Date”, being the later of (i) the date that this Addendum is accepted by Client; and (ii) Visdum Tech.

3. Roles of the Parties

The Parties acknowledge and agree that with regard to the Processing of Client Personal Data, and as more fully described in Annex 1 hereto, Client acts as a Controller and Visdum Tech acts as a Processor (as defined in section 5.2.4 below).

The Parties expressly agree that Client shall be solely responsible for ensuring timely communications to Client’s Affiliates or the relevant Controller(s) who receive the Services, insofar as such communications may be required or useful in light of applicable Data Protection Laws to enable Client’s Affiliates or the relevant Controller(s) to comply with such Laws.

4. Description of Personal Data Processing

In Annex 1 to this Addendum, the Parties have mutually set out their understanding of the details of the Processing of the Client Personal Data to be Processed by Visdum Tech pursuant to this Addendum, as required by Article 28(3) of the GDPR. Either Party may make reasonable amendments to Annex 1 by written notice to the other Party and as reasonably necessary to meet those requirements. Annex 1 does not create any obligation or rights for any Party.

5. Data Processing Terms

5.1

Client shall comply with all applicable Data Protection Laws in connection with the performance of this Addendum. As between the Parties, Client shall be solely responsible for compliance with applicable Data Protection Laws regarding the collection of and transfer to Visdum Tech of Client Personal Data. Client agrees not to provide Visdum Tech with any data concerning a natural person’s health, religion, or any special categories of data as defined in Article 9 of the GDPR.

5.2

Visdum Tech shall comply with all applicable Data Protection Laws in the Processing of Client Personal Data and Visdum Tech shall:

5.2.1

process the Client Personal Data relating to the categories of Data Subjects for the purposes of the Terms and for the specific purposes in each case as set out in Annex 1 to this Addendum and otherwise solely on the documented instructions of Client, for the purposes of providing the Services and as otherwise necessary to perform its obligations under the Terms including with regard to transfers of Client Personal Data to a third country outside to an international organization; Visdum Tech shall immediately inform Client if, in Visdum Tech’s opinion, an instruction infringes applicable Data Protection Laws;

5.2.2

ensure that persons authorized to process the Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

5.2.3

implement and maintain the technical and organizational measures set out in the Terms and, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement any further appropriate technical and organizational measures necessary to ensure a level of security appropriate to the risk of the Processing of Client Personal Data as per following:
(a) pseudonymization and encryption of Client Personal Data;
(b) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services that process Client Personal Data;
(c) restoring availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
(d) regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing of the Client Personal Data.
Any amendment to such agreed measures that is necessitated by Client shall be dealt with via an agreed change control process between Visdum Tech and Client;

5.2.4

Client (on behalf of the relevant Controller(s), as applicable), hereby expressly and specifically authorizes Visdum Tech to engage another Processor to Process the Client Personal Data ("Other Processor"), and specifically the Other Processors listed in Annex 2 hereto, subject to Visdum Tech's:
(a) notifying Client of any intended changes to its use of Other Processors listed in Annex 2 by emailing notice of the intended change to Client;
(b) including data protection obligations in its contract with each Other Processor that are materially the same as those set out in this Addendum; and
(c) remaining liable to the Client for any failure by each Other Processor to fulfill its obligations in relation to the Processing of the Client Personal Data.
In relation to any notice received under section 5.2.4 a., the Client shall have a period of 30 (thirty) days from the date of the notice to inform Visdum Tech in writing of any reasonable objection to the use of that Other Processor. The parties will then, for a period of no more than 30 (thirty) days from the date of the Client's objection, work together in good faith to attempt to find a commercially reasonable solution for the Client which avoids the use of the objected-to Other Processor. Where no such solution can be found, either Party may (notwithstanding anything to the contrary in the Terms) terminate the relevant Services immediately on written notice to the other Party, without damages, penalty, or indemnification whatsoever;

5.2.5

to the extent legally permissible, promptly notify Client of any communication from a Data Subject regarding the Processing of Client Personal Data, or any other communication (including from a Supervisory Authority) relating to any obligation under the applicable Data Protection Laws in respect of the Client Personal Data and, taking into account the nature of the Processing, assist Client (or the relevant Controller) by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Client’s, Client’s Affiliates’ or the relevant Controller(s)’ obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR; Client agrees to pay Visdum Tech for time and for out of pocket expenses incurred by Visdum Tech in connection with the performance of its obligations under this Section 5.2.5;

5.2.6

upon Visdum Tech’s becoming aware of a Personal Data Breach involving Client Personal Data, notify Client without undue delay, of any Personal Data Breach involving Client Personal Data, such notice to include all information reasonably required by Client (or the relevant Controller) to comply with its obligations under the applicable Data Protection Laws;

5.2.7

to the extent required by the applicable Data Protection Laws, provide reasonable assistance to Client, Client’s Affiliates’ or the relevant Controller(s)’ with its obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the Processing and information available to Visdum Tech; Client agrees to pay Visdum Tech for time and for out of pocket expenses incurred by Visdum Tech in connection with any assistance provided in connection with Articles 35 and 36 of the GDPR;

5.2.8

cease Processing the Client Personal Data upon the termination or expiry of the Terms, and at option of Client, Client’s Affiliates or the relevant Controller(s) either return or delete (including by ensuring such data is in non-readable format) all copies of the Client Personal Data Processed by Visdum Tech, unless (and solely to the extent and for such period as) Country law requires storage of the Personal Data. Notwithstanding the foregoing or anything to the contrary contained herein, Visdum Tech may retain Personal Data and shall have no obligation to return Personal Data to the extent required by applicable laws or regulations obligations. Any such Personal Data retained shall remain subject to the obligations of confidentiality set forth in the Terms, and

5.2.9

make available to Client all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, by Client, or an auditor mandated by Client. For the purposes of demonstrating compliance with this Addendum under section 5.2.9, the Parties agree that once per year during the term of the Terms, Visdum Tech will provide to Client, on reasonable notice, responses to cybersecurity and other assessments. Client agrees to pay Visdum Tech for time and for out-of-pocket expenses incurred by Visdum Tech in connection with assistance provided in connection with such audits, responses to cybersecurity, and other assessments.

6. Transfers

Visdum Tech is certified by Information Security Management as per ISO 27001:2013. Visdum Tech shall notify Client in writing without undue delay if it can no longer comply with its obligations under the Privacy compliance, and, in such a case, Visdum Tech will have the option of (i) promptly taking reasonable steps to remediate any non-compliance with applicable obligations under this Addendum, or (ii) engaging in a good faith dialogue with Client to determine a new data transfer mechanism to carry out the purposes of the Terms. Visdum Tech acts as a Processor with respect to Personal Data received pursuant to a data transfer.

In the event the Privacy Compliance is invalidated, Client and each Client Affiliate (on behalf of the relevant Controller(s), as the case may be), if applicable (as "data exporter") and Visdum Tech (as "data importer"), with effect from the commencement of the relevant transfer, shall enter into the Controller to Processor SCCs (mutatis mutandis, as the case may be) in respect of any transfer (or onward transfer) from Client or Client Affiliate to Visdum Tech, where such transfer would otherwise be prohibited by applicable Data Protection Laws or by the terms of data transfer agreements put in place to address applicable Data Protection Laws. Appendix 1 to the Controller to Processor SCCs shall be deemed to be prepopulated with the relevant sections of Annex 1 to this Addendum and the processing operations are deemed to be those described in the Terms. Appendix 2 to the Controller to Processor SCCs shall be deemed to be prepopulated with the following "Taking into account state of the art, the costs of implementation and the nature, scope, context, and purposes of processing as well as the risk of the varying likelihood for the rights and freedoms of natural persons, Visdum Tech shall implement appropriate technical and organizational measures as set forth in the Addendum."

7. Precedence

The provisions of this Addendum are supplemental to the provisions of the Terms. In the event of any inconsistency between the provisions of this Addendum and the provisions of the Terms, the provisions of this Addendum shall prevail.

8. Indemnity

To the extent permissible by law, Client shall indemnify and hold harmless Visdum Tech against all (i) losses, (ii) third-party claims, (iii) administrative fines, and (iv) costs and expenses (including without limitation, reasonable legal, investigatory and consultancy fees and expenses) reasonably incurred in relation to (i), (ii) or (iii), suffered by Visdum Tech and that arise from any breach by Client of this Addendum or of its obligations under applicable Data Protection Laws.

9. Severability

The Parties agree that, if any section or sub-section of this Addendum is held by any court or competent authority to be unlawful or unenforceable, it shall not invalidate or render unenforceable any other section of this Addendum.

9. Others

The organization ensures that the contract to process PII addresses the organization’s role in providing assistance with the customer's obligations. The Agreement considers the following and follows

a. Privacy by Design and default
b. Achieving Security of Processing
c. Notification of breaches involving PII to a Supervisory authority
d. Notification of breaches involving PII to Customers and PII Principals,
e. Conducting Privacy Impact Assessment
f. Assurance of Assistance by the PII Processors if prior consultations with relevant PII Protection authorities are needed.
g. Visdum Tech shall inform the customer if, in its opinion, a processing instruction infringes applicable legislation or regulation.
h. The organization does not use PII processed under a contract for the purposes of Marketing and Advertising
i. Coordinate with Clients to help Audit the systems. The organization provides the customer with the appropriate information so that it can demonstrate compliance with its obligations
j. Visdum Tech shall use AWS and PIPL as subprocessors with Security and Privacy requirements fulfilled.
k. The organization shall comply with all statutory and regulatory requirements, ISO 27001:2013, ISO 27701:2019, and EU GDPR requirements.
l. The Data shall be deleted, or de-identified after the processing is complete (This is after the retention period selected is complete).
m. Visdum Tech shall inform 24 hours in advance to clients in case of any legally binding requests for disclosure of PII.
n. Access, Correction, and/or Erasure of the PII of Data subjects can be done by contacting the Data Protection Officer (DPO) below. Concerns and/or complaints related to PII can also be raised by contacting the Data Protection Officer below:

Name: Sameer Sinha
Email ID: sameer@visdum.com
Contact Number: +1 312586 8696 

Annex 1: Description of Processing of Client Personal Data

This Annex includes certain details of the Processing of Client Personal Data as required by Article 28(3) GDPR and, as applicable, Controller to Processor SCC.

Subject matter and duration of the Processing of the Personal Data: The subject matter and duration of the Processing of the Client's Personal Data are set out in Section 2 of the Terms.

The nature and purpose of the Processing of Personal Data: Due diligence and Background Verification of Organizations and Individuals.

The categories of Data Subject to whom the Client's Personal Data relates: Employees and Contractors of Clients.

The types of Client Personal Data to be Processed: Name, Address, Date of Birth, Age, Education, Email, Gender, Image, Job, Language, Phone, Related person, Related URL, User ID, and Username

Special categories of data: None

The obligations and rights of Client: The obligations and rights of Client are set out in the Terms and this Addendum.

Data exporter (as applicable): The data exporter is: Client of Visdum Tech that uses the Services

Data importer (as applicable): The data importer is: PIPL, a company that provides services to the client, which requires receiving the Client’s query data

Processing operations (as applicable): The personal data transferred will be subject to the following basic processing activities: The provision of Visdum Tech Limited to Client for Due Diligence and Background Verification as per Client requirements.

Annex 2: Authorized Other Processors

1.
Name of Other Processor: Amazon Web Services
Description of Processing: Hosting the Production Environment
Location of Other Processor: USA

2.
Name of Other Processor: Google Workspace
Description of Processing: Email, File Repository
Location of Other Processor: USA

3.
Name of Other Processor: Slack
Description of Processing: Messaging
Location of Other Processor: USA

4.
Name of Other Processor: Atlassian
Description of Processing: Issue Management (Jira), Code Repository (BitBucket)
Location of Other Processor: USA