Data Processing Agreement
This Data Processing Agreement forms part of, and is subject to the provisions of, the DoEnd Terms of Service. Capitalized terms that are not defined in this Data Processing Agreement have the meanings set forth in the Terms of Service.
The following definitions apply solely to this Data Processing Agreement:
- the terms “controller”, “data subject”, “personal data”, “process,” “processing” and “processor” have the meanings given to these terms in EU Data Protection Law.
- “EU Data Protection Law” means any data protection or data privacy law or regulation of Switzerland or any European Economic Area (“EEA”) country applicable to Your Controlled Data, including, as applicable, the GDPR and the e-Privacy Directive 2002/58/EC.
- “GDPR” means the EU General Data Protection Regulation 2016/679.
- “Sub-Processor” means an entity engaged by DoEnd to process Your Controlled Data.
- “Your Controlled Data” means the personal data in the Content DoEnd processes on your behalf and instructions as part of the Service, but only to the extent that you are subject to EU Data Protection Law in respect of such personal data. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to our Service) with respect to your End Users’ interactions with the Service through their browser and technologies like cookies.
This Data Processing Agreement only applies to you if you are data subjects located within the EEA or Switzerland and only applies in respect of Your Controlled Data. You agree that DoEnd is not responsible for personal data that you have elected to process through Third Party Services or outside of the Service, including the systems of any other third-party cloud services, offline or on-premises storage.
Details of Data Processing
- Subject Matter. The subject matter of the data processing under this Data Processing Agreement is Your Controlled Data.
- Duration. As between you and us, the duration of the data processing under this Data Processing Agreement is determined by you.
- Purpose. The purpose of the data processing under this Data Processing Agreement is the provision of the Service initiated by you from time to time.
- Nature of the Processing. The Service as described in the Agreement and initiated by you from time to time.
- Type of Personal Data. Your Controlled Data relating to you, your End Users or other individuals whose personal data is included in Content which is processed as part of the Service in accordance with instructions given through your Account.
- Categories of Data Subjects. You, Your End Users and any other individuals whose personal data is included in Content.
Processing Roles and Activities
- DoEnd as Processor and You as Controller. You are the controller and DoEnd is the processor of Your Controlled Data.
- Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the Service, as may be used, configured or modified from within your Account (the “Purpose”).
- Compliance with Laws. You will ensure that your instructions comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules or regulations (including EU Data Protection Law). You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Agreement. DoEnd will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
- How We Process. We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your Account. You agree that the Agreement and the instructions given through your Account are your complete and final documented instructions to us in relation to Your Controlled Data. Additional instructions outside the scope of this Data Processing Agreement require prior written agreement between you and us, including agreement on any additional fees payable by you to us for carrying out such instructions. We will promptly inform you if, in our opinion, your instructions infringe applicable EU Data Protection Law, or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
- Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an End User, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf and instructions.
- Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so through the Service, your Account or otherwise, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of the Service and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
- Questions. Upon your reasonable requests to us for information regarding our compliance with the obligations set forth in this Data Processing Agreement, we shall, where such information is not otherwise available to you, provide you with written responses, provided that you agree not to exercise this right more than one (1) time per calendar year (unless it is necessary for you to do so to comply with EU Data Protection Law). The information to be made available by DoEnd is limited to solely that information necessary, taking into account the nature of the Service and the information available to DoEnd, to assist you in complying with your obligations under the GDPR in respect of data protection impact assessments and prior consultation. You agree that you may be required to agree to a non-disclosure agreement with DoEnd before we share any such information with you.
- Requests. You can delete or access a copy of some of Your Controlled Data through your Account. For any of Your Controlled Data which may not be deleted or accessed through your Account, upon your written request, we will, with respect to any of Your Controlled Data in our or our Sub-Processor’s possession that we can associate with a data subject, subject to the limitations described in the Agreement and unless prohibited by applicable law or the order of a governmental, law enforcement or regulatory body: (a) return such data and copies of such data to you provided that you make such request within no more than ninety (90) days after the cancellation of the applicable Paid Services; or (b) delete, and request that our Sub-Processors delete, such data (excluding in the case of (a) or (b) any of such data which is archived on back-up systems, which we shall securely isolate and protect from any further processing, except to the extent required by applicable law). Otherwise, we will delete Your Controlled Data in accordance with our data retention policy. This Section does not apply to personal data held by Third Party Services.
- Authorized Sub-Processors. You agree that DoEnd may engage Sub-Processors to Process Your Controlled Data on your behalf. A list of our current Sub-Processors is available upon request by sending an email to email@example.com.
- Sub-Processor Obligations. Where DoEnd engages Sub-Processors, DoEnd will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Your Controlled Data as those in this Data Processing Agreement, to the extent applicable to the nature of the services provided by such Sub-Processors. DoEnd will remain responsible for each Sub-Processor’s compliance with the obligations of this Data Processing Agreement and for any acts or omissions of such Sub-Processor that cause DoEnd to breach any of its obligations under this Data Processing Agreement, solely to the extent that DoEnd would be liable under the Agreement if the act or omission was DoEnd’s own.
- Objection to Sub-Processors. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to firstname.lastname@example.org. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate your account.
- Security Measures. DoEnd shall implement and maintain appropriate technical and organizational security measures to protect Your Controlled Data from Security Incidents and to preserve the security and confidentiality of Your Controlled Data.
- Confidentiality of Processing. DoEnd shall ensure that any person who is authorized by DoEnd to process Your Controlled Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
- Security Incident Response. Upon becoming aware of a Security Incident, DoEnd shall notify you without undue delay and shall provide timely information relating to the Security Incident as it becomes known.
- Updates to Security Measures. You acknowledge that the Security Measures are subject to technical progress and development and that DoEnd may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Service.
Upon written request, DoEnd shall make available (on a confidential basis) to you all information reasonably required to verify DoEnd's compliance with this Data Processing Agreement, provided that you shall not exercise this right more than once per year. You agree that you may be required to agree to a non-disclosure agreement with DoEnd before we share any such report or outcome from such audit with you and that we may redact any such reports as we consider appropriate.
You authorize us to transfer Your Controlled Data away from the country in which such data was originally collected. In particular, you authorize us to transfer Your Controlled Data to the US. We will transfer Your Controlled Data to outside the EEA using the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks or another lawful data transfer mechanism that is recognized under EU Data Protection Law as providing an adequate level of protection for such data transfers.
The liability of each party under this Data Processing Agreement is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by DoEnd in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Agreement or EU Data Protection Law shall reduce DoEnd’s maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.
- Governing Law. This Data Processing Agreement shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
- Conflict. In the event of a conflict between this Data Processing Agreement and the Terms of Service, this Data Processing Agreement will control.
- Costs. You are responsible for any costs and expenses arising from DoEnd’s compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Agreement) which fall outside the standard functionality made available by DoEnd generally through the Services.