Data Processing Addendum

CANARY7 – DATA PROCESSING ADDENDUM

THIS DATA PROCESSING ADDENDUM is effective as of the date of the most recent signature in the execution section below, by and between:

Canary7 LTD, a Northern Irish company, whose registered number is NI685499 and principal place of business is at 7 Corchoney Road, Cookstown, BT80 9HU (Canary7); and

Each of Canary7 and Controller may be referred to herein as a party and together as the parties.

1. INTRODUCTION

1.1 Canary7 provides to Customer certain software as a service (the Services) pursuant to the [non-disclosure agreement OR main agreement entered into between the parties either prior to, or on or around the date of this DPA (the Agreement), on the basis of Canary7’s general terms of service or other written agreement.]

1.2 The parties have agreed to enter into this DPA in order to ensure that adequate safeguards are put in place with respect to the protection of such Personal Data as required by Data Protection

1.3 In connection with the provision of the Services, the parties anticipate that Canary7 may process specific Personal Data regarding which Customer or Customer Group, or Customer’s End-Customer or End-Customer Group, may be a data controller under applicable Local Data Protection Laws or perform similar functions under similar Data Protection Laws, including outside of the European Economic Area (EEA), Switzerland and United Kingdom (UK).

1.4 This DPA sets out the additional data processing terms that apply to any such processing of such Personal Data by Canary7 on the Customer’s behalf to give the Customer comfort that adequate safeguards are in place to protect such Personal Data required by the Data Protection Laws.

1.5 Together with the Agreement, this DPA applies to the contract between the parties to exclude any other terms that the Customer may seek to impose or incorporate, or that are implied by trade, custom, practice or course of dealing. This DPA forms an integral part of the Agreement. The provisions of the Agreement therefore apply to this DPA.

2. DEFINITIONS

2.1 This DPA uses the following definitions:

Adequate Country means a country or territory that is recognised under relevant Local Data Protection Laws as providing sufficient protection for Personal Data;

Affiliate means, concerning a party, any corporate entity that, directly or indirectly, Controls, is Controlled by, or is under Common Control with such party (but only for so long as such Control exists);

Agreement has the meaning given to it in clause 1.1 above;  

Canary7 has the meaning given to it above;

Canary7 Group means Canary7 and any of its Affiliates and includes any one or more of such Affiliates as the context requires or permits;

Customer has the meaning given to it above;

Customer Group means the Customer and any of its Affiliates and includes any one or more of such Affiliates as the context requires or permits;

Data Subject Request means a request from or on behalf of a data subject relating to access to, or rectification, erasure or data portability in respect of that person’s Personal Data or an objection from or on behalf of a data subject to the processing of its Personal Data;

DPA means this data processing addendum;

Data Protection Laws mean the Local Data Protection Laws or any other directly applicable legislation and regulatory requirements in force from time to time which applies to a party relating to the use of Personal Data (including, without limitation, the privacy of electronic communications) for the processing of Personal Data by Canary7 on the Customer’s behalf in connection with the Services;

End-Customer means an organisation to whom the Customer provides services from time to time under the Agreement and who, or a member of whose End-Customer Group, is a data controller of Personal Data under Local Data Protection Laws;

End-Customer Group means an End-Customer and any of its Affiliates established or doing business in the EEA, or the United Kingdom;

ISP means Canary7’s Information Security Policy [Note: link to ISP TBC];

Local Data Protection Laws mean all laws and regulations of the EU, the EEA, their member states, Switzerland and the UK, applicable to the processing of Personal Data under the Agreement, including (where applicable) (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (EU GDPR); and (ii) the EU GDPR as implemented in UK law by virtue of Section 3 of the UK European Union (Withdrawal) Act 2018 (UK GDPR);

Personal Data means all data which is defined as ‘personal data’ or personally identifiable information (PII) under relevant Data Protection Laws and which is provided by the Customer to Canary7 (directly or indirectly), and accessed, stored or otherwise processed by Canary7 as a data processor as part of its provision of the Service to the Customer and to which relevant Data Protection Laws apply from time to time;

processing, sub-processor, the data controller, the data subject, the supervisory authority and the data processor shall have the meanings ascribed to them in relevant Local Data Protection Laws;

Privacy Policy means Canary7’s Data Privacy Policy (https://www.canary7.com/privacy-policy/);

Services has the meaning given to it in clause 1.1 above;  

Security Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed in connection with the provisioning of the Services;

Security Measures means those technical and organisational security measures described in Canary7’s ISP in respect of Personal Data it processes on behalf of the Customer, as well as any measures it is required to implement by law; and

Standard Contractual Clauses means (i) where the EU GDPR or Swiss Data Protection Laws apply, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries adopted pursuant to or permitted under Article 46 of EU GDPR (EU SCCs); and (ii) where the UK GDPR applies, the international data transfer agreement adopted pursuant to or permitted under Article 46 of the UK GDPR (UK IDTA), provided that, in each case, same complies with the requirements of applicable Data Protection Laws from time to time.

An entity exercises Control over another entity if it: (a) holds a majority of the voting rights in it; (b) is a member or shareholder of it and has the right to remove a majority of its board of directors or equivalent managing body; (c) is a member or shareholder of it and controls alone or according to an agreement with other shareholders or members, a majority of the voting rights in it; or (d) has the right to exercise a dominant influence over it according to its constitutional documents or according to a contract; and two entities are treated as being in Common Control if either controls the other (directly or indirectly) or both are controlled (directly or indirectly) by the same entity.

3. STATUS OF THE PARTIES

3.1 The type of Personal Data that the parties expect to be processed under this DPA and the subject matter, duration, nature and purpose of the processing, and the categories of data subjects are determined by the Customer but indicatively described in the Privacy Policy, and shall, including for the purposes of the Standard Contractual Clauses, change if the Privacy Policy is updated. The Personal Data should not include any special category data or criminal records data and Customer is expressly prohibited from uploading such Personal Data using the Services pursuant to the terms of the Agreement.

3.2 Each party warrants concerning Personal Data that it will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply) with the obligations imposed upon them respectively under Data Protection Laws. However, Canary7 is not responsible for determining the requirements of or compliance with any Data Protection Laws or other laws applicable to Customer, Customer Group or their industry that are not generally applicable to Canary7 as a service provider and processor of personal data made available to it via the Services.

3.3 As between the parties, the Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and how the Customer or its End-Customer(s) acquired Personal Data, and, without limitation, will ensure or procure that the data controller (if different from the Customer) has ensured that it has all necessary appropriate consents and notices in place to enable lawful transfer of any Personal Data provided to Canary7, for the duration and purposes of the Agreement, including where applicable that the relevant third parties have been informed of, and have given their consent to, such use, processing, and transfer as required by the Data Protection Laws.

3.4 Regarding the parties’ rights and obligations under this DPA regarding the Personal Data, the parties hereby acknowledge and agree that the Customer or the relevant End-Customer(s) is/are the data controller, and Canary7 is the data processor. Accordingly, Canary7 agrees that it shall process all Personal Data per its obligations under this DPA and as per the Customer’s lawful written instructions set out in this DPA or the Agreement and the Customer’s use and configuration of features of the Services. Customer hereby gives Canary7 permission to use, transfer and Process such personal data as set forth in this DPA.

3.5 Nothing in this DPA shall apply to the Personal Data comprised in the Customer employees’ names, contact numbers and email addresses with whom Canary7 is transacting or is required to transact, or who have contacted Canary7, which Canary7 may process as an independent data controller acting in its legitimate interests in compliance with the Data Protection Laws as contemplated under the Agreement and the Privacy Policy, including, for example, data relating to the Customer’s, Customer’s Group or End Customer or End Customer’s Group employees who have subscribed for marketing communications from Canary7 (as more particularly outlined in the Privacy Policy).

4. CANARY7 OBLIGATIONS

4.1 Concerning all Personal Data, Canary7 shall:

  • only process Personal Data to provide the Service, and shall act only per (i) this DPA, (ii) the Privacy Policy or Security Policy; and (iii) the Customer’s reasonable written instructions (assuming they do not conflict with the DPA, Notice or Local Data Protection Laws);
  • as soon as reasonably practicable upon becoming aware, inform the Customer if, in Canary7’s opinion, any instructions provided by the Customer under clause 3.14.1 infringe the Local Data Protection Laws;
  • implement appropriate technical and organisational measures to ensure a security level appropriate to the risks presented by Personal Data processing, as required by the Local Data Protection Laws. Such efforts include, without limitation, the security measures set out in the ISP from time to time (which shall apply for the purposes of the Standard Contractual Clauses, where applicable). Canary7 may adapt such measures from time to time, for example, as a result of the development of regulations, technology and other industry considerations;
  • take reasonable steps, insofar as they are within its reasonable control, to ensure that only authorised personnel within Canary7 have direct access to any confidential Personal Data (bearing in mind that Canary7 cannot control such access on the part of its sub-processors) and that any persons whom it permits to have access to the Personal Data are subject to appropriate obligations of confidentiality, subject to any caveats or exclusions in the Agreement or Notice;
  • as soon as reasonably practicable upon becoming aware of same, notify the Customer of any actual or alleged incident of unauthorised or accidental disclosure of or access to any Personal Data by any of Canary7’s staff, sub-processors, or any other identified or unidentified third party (a Security Breach);
  • provide the Customer with reasonable cooperation and assistance in respect of a Security Breach and all practical information in Canary7’s possession concerning such Security Breach insofar as it reasonably affects the Customer or any End-Customer or member of an End-Customer Group, in each case as soon as reasonably practicable and per the Local Data Protection Laws, including the following to the extent then known: (i) the possible cause of the Security Breach; (ii) the categories and approximate number of Personal Data records involved; (iii) the categories and approximate number of data subjects concerned; (iv) a summary of the possible consequences for the relevant data subjects; (v) an overview of the unauthorised recipients of the Personal Data; and (vi) the measures taken by Canary7 to mitigate any damage;
  • not make any announcement about a Security Breach (a Breach Notice) referencing the Customer, its Personal Data, or its End-Customers without (i) the prior written consent of the Customer (not to be unreasonably withheld or delayed); and (ii) prior written approval by the Customer of the content, media and timing of the Breach Notice insofar as it relates to the Customer, its End-Customers or its Personal Data; unless required to make a disclosure or announcement by applicable law; this shall not include generic notices about Security Breaches impacting all or a portion of the personal data processed by Canary7, to the extent that no reference is made to the Customer, its Personal Data or its End-Customers. For clarity, a party’s obligation to report or respond to a Security Breach is not and will not be construed as an acknowledgement by that party of any fault or liability with respect to the Security Breach;
  • promptly (and in any event within three working days of receipt) notify the Customer if it receives a Data Subject Request. Canary7 shall not respond to a Data Subject Request without the Customer’s prior written consent except, where applicable, to confirm that such request relates to the Customer, to which disclosure the Customer agrees. Upon the Customer’s request, Canary7 shall at no extra charge to the Customer provide reasonable assistance to the Customer or the relevant End-Customer (as the Customer’s request shall specify) to facilitate a Data Subject Request;
  • per the provisions of the Agreement and Notice, Canary7 will delete all Personal Data (including copies thereof) processed according to this DPA following termination or expiry of the Agreement. Canary7 is not responsible for compliance with Customer’s, End-Customer’s or their respective Affiliates’ statutory or legal data retention requirements, but it is responsible for the integrity, security, maintenance and retention of the Personal Data stored on its platform as set out in the Agreement and herein; and
  • [where Customer or Customer’s relevant End-Customer, or their respective Affiliates (as the Customer’s request may specify) requires reasonable assistance concerning their obligations under Data Protection Laws in respect of (i) undertaking a data protection impact assessment; (ii) notifications to the supervisory authority under Local Data Protection Laws or communications to data subjects by the Customer or the End-Customer in response to any Security Breach; and (iii) the Customer’s or its End-Customer(s)’ compliance with their respective obligations under the Local Data Protection Laws concerning the security of processing, Canary7 shall provide reasonable cooperation and assistance, insofar as it is within its reasonable control and competence, to that person to comply with their obligations (including any obligation to consult with competent data protection authorities). Canary7 shall be entitled to invoice Customer on a time and material basis at Canary7’s then-current rates for any time expended for any such assistance.

4.2 Where Personal Data is not made available through self-Service access to Customer or Customer’s Authorised Users, Canary7 will, without undue delay and in accordance with any time period specified under the applicable Data Protection Laws either: (a) provide Customer, in its role of controller, with the direct ability through Canary7’s platform to access, correct, delete or otherwise fulfil requests from data subjects to exercise their rights under Data Protection Laws in respect of their personal data; or (b) otherwise provide assistance to Customer to access, correct, delete or otherwise fulfil requests from Data Subjects to exercise their rights under Data Protection Laws in respect of their Personal Data in accordance with the instructions of Customer and insofar as this is possible. The Customer acknowledges and agrees that in the event such cooperation and assistance require additional resources on the part of Canary7, such effort will be chargeable at a fee as mutually agreed to by the Parties acting reasonably. Where Customer requests that Canary7 block, delete and/or return Personal Data, Customer understands, acknowledges, and agrees that it can affect Canary7’s ability to perform the Services as a result of Canary7 complying with such request. As such, Canary7 shall not have any liability for breach of performance or any losses incurred by Customer arising from or in connection with Canary7’s inability to perform the Services in accordance with the Agreement as a consequence of Canary7 fulfilling Customer’s request.

5. CUSTOMER RESPONSIBILITIES

5.1 Customer shall comply with Data Protection Laws as well as any other Laws applicable to Customer or Customer’s industry. If compliance with any such specific laws requires any actions with regard to data protection on the part of Canary7 in addition to the obligations set forth in this DPA, such actions will only be taken upon mutual agreement between the Parties. For the avoidance of doubt, where agreed by the Parties, Canary7 will use commercially reasonable efforts to accommodate additional requirements. In any event, Customer will provide reasonable advance notice of the required actions, cooperate fully with Canary7 in respect thereof and compensate Canary7 for any such efforts that require additional services or investment or modifications in the Services, as agreed in advance by the Parties.

5.2 Customer warrants that, where it provides any personal data to Canary7 for Processing by Canary7:

  • it has duly informed the relevant data subjects of their rights and obligations, and in particular has informed them of the possibility of Canary7 processing their personal data on Customer’s behalf and in accordance with its instructions;
  • it has complied with all applicable Data Protection Laws in the collection and provision to Canary7 of such personal data and has taken all necessary steps to ensure that Canary7 can Process such personal data, including by obtaining the data subjects’ consent, if required; and
  • the Processing of such personal data in accordance with the instructions of the relevant controller is lawful.

5.3 Customer shall take reasonable steps to keep personal data up to date to ensure the data are not inaccurate or incomplete with regard to the purposes for which they are collected.

5.4 If a data subject contacts Canary7 directly in order to exercise his or her individual rights such as requesting a copy, correction or deletion of his or her data or wanting to restrict or object to the Processing activities, Canary7 will promptly (and in any event within five working days of receipt) direct such data subject to Customer. In support of the above, Canary7 may provide Customer’s basic contact information to the requestor (but shall not otherwise reply to same), and, to the extent disclosed by the data subject, data subject’s basic contact information and a summary of the request to Customer. Customer shall inform data subjects that they may exercise these rights solely vis-à-vis Customer. Customer agrees to answer to and comply with any such request of a data subject in accordance with applicable Data Protection Laws.

5.5 With regard to components that Customer provides or controls, including but not limited to workstations connecting to Canary7 Services, data transfer mechanisms used, and credentials issued to Customer Authorised Users, Customer shall implement and maintain the required technical and organisational measures for data protection.

5.6 Customer must notify Canary7 promptly about any possible misuse of its accounts or authentication credentials or any security issue related to its use of the Services.

6. SUB-PROCESSING

6.1 The Customer grants a general authorisation to Canary7 to appoint other Canary7 Group members, third-party hosting services providers and the different categories of service providers named in the Privacy Policy and ISP (as amended from time to time) as sub-processors (or authorised receivers for the purposes of the UK IDTA).

6.2 Canary7 confirms that it has entered or (as the case may be) will join with the third-party processor into a written agreement substantially on that third party’s standard terms of business, which shall include an obligation to keep all personal data confidential and process it only in accordance with the purposes for which Canary7 has instructed them to deliver services, and applicable Local Data Protection Laws.

6.3 As between the Customer and Canary7, Canary7 shall remain fully liable for all acts or omissions of any third-party processor appointed by it according to this clause.

 

7. NOTIFICATIONS

7.1 Unless legally prohibited from doing so, Canary7 shall promptly notify Customer if it or any of its sub-processors, with regard to Customer’s Personal Data:

  • receives an inquiry, a subpoena or a request for inspection or audit from a competent public authority relating to the processing by Canary7; or
  • intends to disclose Personal Data to any competent public authority outside the scope of the Services of the Agreement. At the request of Customer, Canary7 shall provide a copy of the documents delivered to the competent authority to Customer.

7.2 Any notification under this DPA, including a Security Breach notification, will be delivered to one or more of Customer’s contact persons via e-mail. Upon request of Customer, Canary7 shall provide Customer with an overview of the contact information of the registered Customer’s contact persons. It is Customer’s sole responsibility to timely report any changes in contact information (including “Key Contact” and “Importer Data Subject Contact” as described below) and to ensure Customer’s contact persons maintain accurate contact information.

7.3 If either party is subject to an inquiry by a data protection authority, regulator or agency, the scope of which includes operations or information within the other party’s control, each party agrees to provide reasonable cooperation to the other party.

8. DATA TRANSFERS

8.1 The Customer acknowledges and agrees that Personal Data may be transferred or stored outside the EU, EEA, UK or the country where the relevant data subjects are located for Canary7 and its authorised sub-processors to provide the Services and fulfil Canary7’s other obligations under the Agreement. Any transfer from one territorial jurisdiction to another territorial jurisdiction (the EU constituting one single jurisdiction for the purpose of this Article) will only be undertaken in compliance with the applicable Data Protection Laws, such as the execution of an additional data transfer addendum, as required.

8.2 To the extent any processing of Personal Data relating to EU, EEA or UK data subjects by Canary7 takes place in any country outside the EEA (except if in an Adequate Country), the parties agree that the Standard Contractual Clauses will apply in respect of that processing. Canary7 will comply with the obligations of the ‘data importer’ or ‘Importer’ in the relevant Standard Contractual Clauses. The Customer will comply with the duties of the ‘data exporter’ or ‘Exporter’.

8.3 If, in the performance of this DPA or the Agreement, Canary7 transfers any Personal Data to a sub-processor located, or permits processing of any Personal Data by a sub-processor outside of the UK, EU or EEA except if in an Adequate Country (without prejudice to clause 4), Canary7 shall in advance of any such transfer ensure that a legal mechanism to achieve adequacy in respect of that processing is in place, such as the Standard Contractual Clauses (where applicable). Where the transfer would be a restricted transfer but for the Standard Contractual Clauses being put in place, then the Standard Contractual Clauses shall, if they provide a lawful mechanism for such transfer, be deemed incorporated into the Agreement and will apply to such transfer.

8.4 Where the Standard Contractual Clauses are deemed to have been put in place, the following terms shall apply to same (as applicable), in addition to the terms set out elsewhere in this DPA: (i) Canary7 may appoint sub-processors as set out and subject to the requirements of clauses 4 and 6.3 of this DPA; (ii) where the EU SCCs apply, they and any connected actions under this DPA or the Agreement shall be governed by the laws of the Republic of Ireland and subject to the exclusive jurisdiction of the courts of the Republic of Ireland; (iii) where the UK IDTA applies, it and any connected actions under this DPA or the Agreement shall be governed by the laws of Northern Ireland and subject to the exclusive jurisdiction of the courts of Northern Ireland; (iv) where the UK IDTA applies, Canary7’s key contact shall be the Data Privacy Officer as noted in clause 2 above and the Customer’s “key contact” and “Importer Data Subject Contact” shall be the person and email address specified in the Customer’s sign up form when subscribing for the Services as part of the Agreement via the Canary7 website, unless otherwise specified herein; (v) the Standard Contractual Clauses may only be terminated if there is a breach of their terms or the Agreement, following the principles set out in the Agreement, or the parties agree in writing; (vi) where the EU SCCs apply, the relevant parts of the Privacy Notice shall apply as Appendix 1 of the EU SCCs and the relevant parts of the ISP shall apply as Appendix 2 of the Standard Contractual Clauses, and where the UK IDTA applies, the relevant parts of the Privacy Policy and ISP shall populate Tables 1 – 4 of Part 1 of the IDTA (to the extent not already provided for elsewhere in this DPA).

9. GENERAL

9.1 This DPA is without prejudice to the parties’ rights and obligations under the Agreement, which shall continue to have full force and effect. Collectively, this DPA (including the Standard Contractual Clauses) and the Agreement constitute the complete agreement and merge all prior discussions and agreements between the parties regarding the Services. In the event of any conflict between the terms of this DPA and the terms of the Agreement, this DPA shall prevail so far as the subject matter concerns the processing of Personal Data, but the terms of the Agreement shall otherwise prevail.

9.2 This DPA contains references to the ISP, Notice and Standard Contractual Clauses, and in the event of any conflict or inconsistency between these various documents, the following order of precedence shall apply: (i) the Standard Contractual Clauses; (ii) this DPA; (iii) the Privacy Policy; and (iv) the ISP.

9.3 This DPA comes into effect on the Effective Date and remains in force until processing of Personal Data by Canary7 is no longer required (a) in the framework of or pursuant to the Agreement or (b) for a period after termination of the Agreement or the relevant Services for any reason whatsoever, in accordance with Customer’s explicit instructions or other legally permissible basis.

9.4 Subject to the provisions of clause 4(ii) above, this DPA and any action related to it shall be governed by and construed per the laws of Northern Ireland, without giving effect to any conflicts of laws principles, and any disputes in respect of same subject to the exclusive jurisdiction of, and venue in, the courts of Northern Ireland for such purposes.