Data Processing Agreement effective starting date is October 5, 2019.
This DPA is between
The company and its Affiliates (collectively “Customer”) identified in the signature block, and Clerk, a company incorporated under the laws of Ukraine and its Affiliates (collectively “Clerk”).
Together the “Parties” and each a “Party”.
The Parties agree as follows:
1.1. This DPA applies to the Processing of Personal Data that is subject to the EU General Data Protection Regulation (“GDPR”) (EU Regulation 206/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
1.2. This DPA supplements the terms of the Terms of Services (ToS) and/or the End User License Agreement (“EULA”) (each is a “Service Agreement”), under which Clerk provides certain services (“Services”).
1.3. To the extent Clerk processes Personal Data subject to the GDPR on behalf of Customer in the course of the performance of a Service Agreement, the terms of this DPA shall apply.
2.1. The terms “Processing”, “Personal Data”, “Controller”, “Processor”, “Personal Data Breach” and “Supervisory Authority”, “Commission”, “Member State” shall have meanings given in the GDPR, and their cognate terms shall be construed accordingly.
2.2. “Affiliate” means an entity that owns or controls, is owned or controlled by or is or under common control or ownership, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
2.3. “Customer Data” means all Personal Data which is provided to Clerk (or to any sub-processor) by the Customer in connection with the Service Agreement.
3.1.1. Customer is the Data Controller. Customer will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 24). Customer will not instruct Clerk to process any Customer Data in a manner that would constitute a breach of the GDPR.
3.1.2. Customer warrants that Customer has all the necessary rights to provide the Customer Data to Clerk for the Processing to be performed in relation to the Services. To the extent required by the GDPR, Customer is responsible for ensuring that any necessary data subject consents to this Processing are obtained, and for ensuring that a record of such consents is maintained. Should a consent be revoked by the data subject, Customer is responsible for communicating the fact of such revocation to Clerk, and Clerk remains responsible for implementing any Customer instruction with respect to the further processing of that Customer Data.
3.2.1. Clerk is the Data Processor. Clerk will comply with the applicable GDPR obligations with respect to the processing of Customer Data (Art 28).
4.1. Clerk will process the Customer Data only as set forth in Customer’s written instructions as set forth in the ToS and in this DPA, or as agreed upon in writing by the parties and to the extent that the processing is appropriate for the provision of the Services, unless Clerk is required to comply with a legal obligation to which the Clerk is subject (Art 28(3)(a)). In such a case, the Clerk shall notify the Customer of that legal obligation before processing unless that legal obligation explicitly prohibits the furnishing of such information to the Customer.
4.2. The Parties have entered into a ToS in order to benefit from the expertise of the Clerk in processing the Customer Data for the purposes set out in Exhibit 2. Exhibit 2 describes the processing of Customer Data as required by GDPR, Article 28(3). Customer may make reasonable amendments to Exhibit 2 by written notice to Clerk to meet the GDPR requirements. Nothing in Exhibit 2 (included as amended pursuant to this Section) confers any right or imposes any obligation on any Party to this DPA. Clerk shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this DPA.
Without prejudice to any existing contractual arrangements between the Parties, Clerk shall treat all Customer Data confidentiality and shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Customer Data. Clerk shall ensure that all such persons or parties are under an appropriate obligation of confidentiality.
6.1. Clerk will take all measures required by Article 32 (Security of Processing) of the GDPR.
6.2. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, without prejudice to any other security standards agreed upon by the Parties, Clerk shall implement appropriate technical and organisational measures to ensure a level of security of the processing of Customer Data appropriate to the risk (Art 32(1)).
6.3. In assessing the appropriate level of security, Clerk shall take into account the particular risks that are presented by processing, for example, from accidental or unlawful destruction, loss, alteration, unauthorized or unlawful storage, processing, or access or disclosure of Customer Data (i.e. Personal Data Breach) (Art 32(2)).
7.1. Customer authorizes the engagement of Clerk’s Affiliates as subprocessors (Art 28(2)).
7.2. Customer agrees that Clerk may continue to use those subprocessors already engaged by Clerk as of the date of this DPA (Art 28(2)).
7.3. Customer generally authorizes the engagement of any other third-parties as subprocessors (Art 28(2)).
7.4. Information about subprocessors, including their functions and locations, is available per your request to email that could be found in the contact us website section.
7.5. Requirements for subprocessor engagement (Art 28(4)) With respect to each subprocessor, Clerk shall:
7.5.1. Before the subprocessor first processes any Personal Data, carry out adequate due diligence to ensure that the subprocessor is capable of providing the level of protection for Personal Data required by the Service Agreement;
7.5.2. Ensure that the arrangement is governed by a written contract including terms that offer at least the same level of protection for Personal Data as those set out in this DPA and meet the requirements of GDPR Article 28(3);
7.5.3. Remain fully liable for all obligations subcontracted to, and all acts and omissions of the subprocessor.
8.1. Customer instructs Clerk to transfer Customer Data to any country or territory as is reasonably necessary for the provision of the Services.
8.2. Customer agrees that Clerk and its subprocessors may store and process Customer Data in a country outside of the European Economic Area provided that the European Commission has determined that the country provides an adequate level of protection, or the Commission has determined that a regulatory framework provides an adequate level of protection.
8.3. To the extent that a Party relies on a basis for international data transfers that is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Parties agree to cooperate in good faith to terminate promptly the transfer and to pursue an alternate mechanism that can lawfully support the transfer.
9.1 Clerk shall use reasonable endeavours to assist the Customer in responding to their Data Subject requests. Clerk shall have at least 20 days, from the time the Customer asks for assistance, to respond to the Customer’s request. The performance and cost of such requests shall be in accordance to the ToS and Clerk’s price list at any giving time.
9.2 Clerk must not disclose the Personal Data to any Data Subject or to a third party and responsibility for responding to requests from Data Subjects shall remain with the Customer.
10.1 If requested, Clerk will provide reasonable assistance to the Customer to comply with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to Clerk.
10.2 Clerk shall make available to Customer upon request any reasonable information to demonstrate compliance with Clerk’s obligations under this DPA. Clerk shall reply to any requests for information under this Section within 60 days of receiving the request.
10.3 Clerk will perform audits of its Personal Data Processing practices and the information technology and information security controls for its facilities and systems used in complying with its obligations under this Agreement.
11.1. Clerk shall notify Customer without undue delay upon Clerk (or any subprocessor) becoming aware of a Personal Data Breach affecting Customer Data, and provide Customer with sufficient information to allow each it to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the GDPR.
11.2. Clerk shall co-operate with Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
11.3. Any notifications made to the Customer pursuant to this Section shall be addressed to the employee of the Customer whose contact details are provided in Exhibit 1 of this DPA, and shall contain:
11.3.1. a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned;
11.3.2. the name and contact details of the Clerk’s data protection officer or another contact point where more information can be obtained;
11.3.3. a description of the likely consequences of the incident; and
11.3.4. a description of the measures taken or proposed to be taken by the Clerk to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
12.1. Upon termination of this DPA, upon Customer’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, Clerk shall, at the discretion of Customer and within reasonable business efforts, either delete, or destroy Customer’s data.
12.2. Clerk shall notify all subprocessors of the termination of the Data Processing Agreement and shall notify that all such subprocessors either delete or destroy the Personal Data, at the discretion of Customer.
12.3. Clerk and its subprocessors may retain Customer Personal Data to the extent required by a legal obligation and only to the extent and for such period as required by the legal obligation.
Clerk’s liability to Customer for any kind of loss or damage arising out of or in connection with breach of this DPA (including breach of contract, tort, misrepresentation or restitution) will: (a) be subject to the exclusions of liability applicable to Clerk in the Service Agreement; and (b) be subject to, and will in no event exceed, the limitation on Clerk’s liability in the Service Agreement. Any liability incurred under this DPA, such as regulatory fines, will be included in the calculation of Clerk’s liability in the Service Agreement.
This DPA will remain in effect until the later of: (a) the termination or expiry of the Service Agreement, and (b) Clerk ceasing to process the Customer Data.
15.1. The terms of the Service Agreement shall apply to this DPA.
15.2. Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Service Agreement, the DPA shall prevail.
We share certain information with service providers that may be considered our “sub-processors” under GDPR, Article 28. If you wish to receive the current list please send a request via our Clerk Customer Support (“Contact” section).
Please refer to helloclerk.io contact us section for actual contact information. Feel free to reach us in case you have any question or comment.
Clerk’s provision of Services to Customer, and related technical support
The personal data will be processed in connection with the Services for the duration of the Service Agreement, or such shorter period where the processing is no longer authorised, and in respect of any post-termination processing activities permitted by the Customer.
Clerk will process Customer Data submitted to, stored on, or sent via the Service for the purpose of providing the Service and related technical support.
Employees, contractors, and agents of Customer
Amount of money to be charged
Team roles and team schemes