This Data Processing Addendum (“DPA”) forms part of the Agreement between the party identified in the Agreement (“Customer”) and Dataclay, LLC (“Dataclay”) and applies to the extent that (i) Dataclay processes Personal Data on behalf of Customer in the course of providing Services and (ii) the Agreement expressly incorporates this DPA by reference. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
1. DEFINITIONS.
- “Agreement” means the QUE Terms of Service or other written or electronic agreement between Customer and Dataclay for the provision of the Services to Customer.
- “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and its implementing regulations.
- “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
- “Data Protection Law” means GDPR, CCPA, and any other data protection laws and regulations of the European Union, the European Economic Area (“EEA”) and their member states, Switzerland, the United Kingdom and the United States and its states, applicable to the processing of Personal Data under the Agreement.
- “GDPR” means the General Data Protection Regulation ((EU) 2016/679) and any national implementing laws, regulations and secondary legislation, as amended, updated or replaced from time to time, in the European Union, Switzerland and/or the United Kingdom.
- “Personal Data” means any information relating to an identified or identifiable natural person contained within Customer Data as defined in the Agreement.
- “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Processor” means an entity that processes Personal Data on behalf of a Controller.
- “Security, Privacy and Architecture Documentation” means security and privacy information applicable to the specific Services purchased by Customer, as updated from time to time, and made reasonably available by Dataclay.
- “Services” means any cloud service offering or customer support services provided by Dataclay to Customer pursuant to the Agreement.
- “Standard Contractual Clauses” means either (i) UK Standard Contractual Clauses, and/or (ii) 2021 Standard Contractual Clauses, as the context and circumstances require. (a) “UK Standard Contractual Clauses” means the Standard Contractual Clauses for data controller to data processor transfers approved by the European Commission in decision 2010/87/EU. (b) “2021 Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
- “Sub-processor” means any Processor engaged by Dataclay that processes Personal Data pursuant to the Agreement.
- “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR or, for the United Kingdom, the Information Commissioner’s Office (“ICO”).
2. PROCESSING.
- Role of the Parties. As between Dataclay and Customer, Dataclay will process Personal Data under the Agreement only as a Processor acting on behalf of the Customer. Customer may act either as a Controller or as a Processor with respect to Personal Data.
- Customer Processing of Personal Data. Customer will, in its use of the Services, comply with its obligations under Data Protection Law in respect of its processing of Personal Data and any processing instructions it issues to Dataclay. Customer represents that it has all rights and authorizations necessary for Dataclay to process Personal Data pursuant to the Agreement.
- Dataclay Processing of Personal Data.
- Dataclay will comply with Data Protection Law applicable to its provision of the Services and will process Personal Data in accordance with Customer’s documented instructions. Customer agrees that the Agreement is its complete and final instructions to Dataclay in relation to the processing of Personal Data. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Dataclay and Customer by way of written amendment to the Agreement and will include any additional fees that may be payable by Customer to Dataclay for carrying out such instructions. Upon notice in writing, Customer may terminate the Agreement if Dataclay declines to follow Customer’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in the Agreement, to the extent such instructions are necessary to enable Customer to comply with Data Protection Laws.
- To the extent the CCPA applies to any Personal Data, such Personal Data will be disclosed by Customer to Dataclay for a ‘business purpose’ and Dataclay will act as Customer’s ‘service provider’, as such terms are defined under CCPA. Dataclay will not retain, use or disclose Personal Data for a commercial or any other purpose other than for the specific purpose of providing the Services, as further described in the Agreement, or as otherwise permitted by the CCPA.
- Processing of Personal Data Details.
- Subject matter. The subject matter of the processing under the Agreement is the Personal Data.
- Duration. The duration of the processing under the Agreement is determined by Customer and as set forth in the Agreement.
- Purpose. The purpose of the processing under the Agreement is the provision of the Services by Dataclay to Customer as specified in the Agreement.
- Nature of the processing. Dataclay and/or its Sub-processors are providing Services or fulfilling contractual obligations to Customer as described in the Agreement. These Services may include the processing of Personal Data by Dataclay and/or its Sub-processors on systems that may contain Personal Data.
- Categories of data subjects. Customer determines the data subjects which may include Customer’s end users, employees, contractors, suppliers, and other third parties.
- Categories of data. Data consists of the Personal Data that Customer submits to the Services.
3. SUBPROCESSING.
- Use of Sub-Processors. Dataclay engages Sub-processors to provide certain services on its behalf. Customer consents to Dataclay engaging Sub-processors to process Personal Data under the Agreement. Dataclay will be responsible for any acts, errors, or omissions of its Sub-processors that cause Dataclay to breach any of Dataclay’s obligations under this DPA.
- Obligations. Dataclay will enter into an agreement with each Sub-processor that obligates the Sub-processor to process the Personal Data in a manner substantially similar to the standards set forth in the DPA, and at a minimum, at the level of data protection required by Data Protection Law (to the extent applicable to the services provided by the Sub-processor).
- List of Sub-Processors. A current list of Sub-processors that Dataclay engages to process Personal Data is included in the Security, Privacy and Architecture Documentation.
- Changes to Sub-processors. Dataclay will provide notification of any new Sub-processor(s) before authorizing any new Sub-processor(s) to Process Personal Data in connection with the provision of the applicable Services. Customer may object in good faith, stating the reasons therefor, to Dataclay’s use of a new Sub-processor by notifying Dataclay in writing on or before thirty (30) days after receipt of Dataclay’s notice. In the event Customer objects in good faith to a new Sub-processor, as permitted in the preceding sentence, Dataclay will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Dataclay is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order with respect only to those Services which cannot be provided by Dataclay without the use of the objected-to new Sub-processor by providing written notice to Dataclay. Dataclay will refund Customer any prepaid fees covering the remainder of the term of such Order following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
4. SECURITY MEASURES.
- Security Measures by Dataclay. Dataclay will implement and maintain appropriate technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed by Dataclay on behalf of Customer in the provision of the Services in accordance with the Security, Privacy and Architecture Documentation (“Security Measures”). The Security Measures are subject to technical progress and development. Dataclay may update or modify the Security Measures from time to time provided that any updates and modifications do not result in material degradation of the overall security of the Services purchased by the Customer.
- Third-Party Certifications and Audits. Dataclay (or third parties engaged by Dataclay) audits its compliance against data protection and information security standards on a regular basis. The specific audits, and the data protection and information security certifications Dataclay has achieved, will necessarily vary depending upon the nature of the Services in question. Upon Customer’s written request at reasonable intervals, and subject to obligations of confidentiality, Dataclay will make available to Customer (or Customer’s independent, third-party auditor that is not a competitor of Dataclay) a summary of its most recent relevant audit report and/or other documentation reasonably required by Customer which Dataclay makes generally available to its customers, so that Customer can verify Dataclay’s compliance with this DPA.
- Data Protection Impact Assessment. Upon Customer’s request, Dataclay shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Dataclay. To the extent required under the GDPR, Dataclay shall provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to Section 6.3 of this DPA.
- Security Measures by Customer. Customer is responsible for using and configuring the Services in a manner that enables Customer to comply with Data Protection Laws, including implementing appropriate technical and organizational measures.
- Personnel. Dataclay restricts its personnel from processing Personal Data without authorization (unless required to do so by applicable law) and only those personnel performing Services which require access to Personal Data will be authorized access to Personal Data. Dataclay will ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Dataclay shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- Prohibited Data. Customer acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as an individual’s financial or health information) to the Services. Customer must not submit to the Services any Personal Data which is regulated by the United States Health Insurance Portability and Accountability Act unless Customer has entered into a business associate agreement with Dataclay.
5. PERSONAL DATA BREACH RESPONSE.
Upon becoming aware of a Personal Data Breach, Dataclay will notify Customer without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Customer. Dataclay will use reasonable endeavors to assist Customer in mitigating, where possible, the adverse effects of any Personal Data Breach.
6. DATA TRANSFERS AND EXPORTS.
- Data Transfers. Dataclay may transfer and process Personal Data to and in other locations around the world where Dataclay or its Sub-processors maintain data processing operations as necessary to provide the Services as set forth in the Agreement.
- European Specific Data Transfer Provisions. Where the transfer of Personal Data is from the EEA, Switzerland or the United Kingdom to a territory which has not been recognized by the European Commission as providing an adequate level of protection for personal data on the basis of Article 45 GDPR (or in the case of transfers from the United Kingdom, by the United Kingdom Government), Dataclay shall process that Personal Data in compliance with the provisions set out in Schedule 1 below, which forms an integral part of this DPA.
- Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to Dataclay for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Personal Data: (i) processing in accordance with the Agreement and applicable Order; (ii) processing initiated by Users in their use of the Services and (iii) processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
- Audits and Certifications. The parties agree that the audits described in the Standard Contractual Clauses shall be carried out as follows: Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, Dataclay shall make available to Customer (or Customer’s independent, third-party auditor) information regarding Dataclay’s compliance with the security obligations set forth in this DPA in the form of the third-party certifications and audits set forth in the Security, Privacy and Architecture Documentation. If that information is not sufficient to demonstrate Dataclay’s compliance with such security obligations, Customer may contact Dataclay in accordance with the “Notices” Section of the Agreement to request an on-site audit of the procedures relevant to the protection of Personal Data, but only to the extent required under applicable Data Protection Law. Customer shall reimburse Dataclay for its reasonable costs associated with any such on-site audit including any time expended for any such on-site audit at Dataclay’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Dataclay shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the resources expended by Dataclay. Customer shall promptly notify Dataclay with information regarding any noncompliance discovered during the course of an audit. Customer will promptly notify Dataclay with information regarding any non-compliance discovered during the course of an audit, and Dataclay will use commercially reasonable efforts to address any confirmed non-compliance.
- Certification of Deletion. The parties agree that the certification of deletion of Personal Data that is described in the Standard Contractual Clauses shall be provided by Dataclay to Customer only upon Customer’s request.
7. DELETION OF DATA.
Following expiration or termination of the Agreement, Dataclay will delete or return to Customer all Personal Data in Dataclay’s possession as set forth in the Agreement except to the extent Dataclay is required by applicable law to retain some or all of the Personal Data (in which case Dataclay will archive the data and implement reasonable measures to prevent the Personal Data from any further processing). The terms of this DPA will continue to apply to that retained Personal Data.
8. COOPERATION.
- Data Protection Requests. If Dataclay receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Law, Dataclay will promptly redirect the request to the Customer. Dataclay will not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Dataclay is required to respond to such a request, Dataclay will promptly notify Customer and provide Customer with a copy of the request, unless legally prohibited from doing so.
- Customer Requests. Dataclay will reasonably cooperate with Customer, at Customer’s expense, to permit Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement to the extent that Customer is unable to access the relevant Personal Data in their use of the Services.
- DPIAs and Prior Consultations. To the extent required by Data Protection Law, Dataclay will, upon reasonable notice and at Customer’s expense, provide reasonably requested information regarding the Services to enable Customer to carry out data protection impact assessments (“DPIAs”) and/or prior consultations with data protection authorities.
- Legal Disclosure Requests. If Dataclay receives a legally binding request for the disclosure of Personal Data which is subject to this DPA, such request will be dealt with in accordance with the Agreement.
9. GENERAL.
- Relationship with Agreement. Any claims brought under this DPA against Dataclay, LLC, will be subject to the terms and conditions of the Agreement.
- Conflicts. In the event of any conflict between this DPA and any privacy-related provisions in the Agreement, the terms of this DPA will prevail.
- Modification and Supplementation. Dataclay may modify the terms of this DPA as provided in the Agreement, in circumstances such as (i) if required to do so by a Supervisory Authority or other government or regulatory entity, (ii) if necessary to comply with Data Protection Law, or (iii) to implement or adhere to the Standard Contractual Clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Law. Supplemental terms may be added as an Appendix to this DPA where such terms only apply to the processing of Personal Data under the Data Protection Law of specific countries or jurisdictions. Dataclay will provide notice of such changes to Customer, and the modified DPA will become effective, in accordance with the terms of the Agreement or as otherwise provided on Dataclay’s website if not specified in the Agreement.
SCHEDULE 1 – STANDARD CONTRACTUAL CLAUSES
- UK Standard Contractual Clauses. For transfers of Personal Data out of the United Kingdom that are subject to this DPA, the UK Standard Contractual Clauses will apply and are incorporated into the DPA by reference, provided that the illustrative indemnification clause within Appendix 2 of the UK Standard Contractual Clauses will not apply. Annex I to this Schedule 1 will serve as Appendix 1 of the UK Standard Contractual Clauses. Annex II to this Schedule 1 will serve as Appendix 2 of the UK Standard Contractual Clauses.
- The 2021 Standard Contractual Clauses. For transfers of Personal Data out of the EEA or Switzerland that are subject to this DPA, the 2021 Standard Contractual Clauses are incorporated into the DPA by reference, and will apply in the following manner:
- Module Two (Controller to Processor) will apply where Customer is a controller of Personal Data and Dataclay is a processor of Personal Data.
- Module Three (Processor to Processor) will apply where Customer is a processor of Personal Data and Dataclay is a sub-processor of Personal Data.
- For each Module:
- Clause 7 will not apply;
- in Clause 9(a), Option 2 will apply, and the time period for prior notice of Sub-processor changes will be as set forth in Section 3.4 of the DPA;
- in Clause 11(a), the optional language will not apply;
- in Clause 17, Option 2 will apply, and the Standard Contractual Clauses will be governed by the law of the Republic of Ireland;
- in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
- In Annex I, Part A:
- Data exporter: Customer
- Contact details: Customer’s account owner email address, or to the email address(es) for which Customer elects to receive legal communications
- Data exporter role: Data exporter’s role is outlined in Section 2 of the DPA
- Signature and date: The parties agree that execution of the Agreement shall constitute execution of these Standard Contractual Clauses by both parties
- Data importer: Dataclay, LLC
- Contact details: 6425 Living Place, Suite 200, Pittsburgh, PA 15206; Tel.: +1-833-328-4336; fax: +1-833-328-4336; e-mail: legal@dataclay.com
- Data importer role: Data importer’s role is outlined in Section 2 of the DPA
- Signature and date: The parties agree that execution of the Agreement shall constitute execution of these Standard Contractual Clauses by both parties
- In Annex I, Part B:
- The categories of data subjects whose personal data is transferred are:
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Prospects, customers, business partners and vendors of data exporter (who are natural persons)
- Employees or contact persons of data exporter’s prospects, customers, business partners and vendors
- Employees, agents, advisors, freelancers of data exporter (who are natural persons)
- Data exporter’s Users authorized by data exporter to use the Services
- The categories of Personal Data transferred are:
Data exporter may submit Personal Data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Title
- Position
- Employer
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data
- Localisation data
- Sensitive data transferred (if applicable):
Data exporter may submit sensitive categories of personal data to the Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which is for the sake of clarity Personal Data with information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.
- The frequency of the transfer is on a continuous basis for the duration of the Agreement.
- The nature of the processing is described in Section 2.4.4 of the DPA.
- The purpose of the processing is described in Section 2.4.3 of the DPA.
- The period of retention of Personal Data in relation to the processing will end upon termination of the Agreement.
- For transfers to Sub-processors, the subject matter and nature of the processing is described in Section 3 of the DPA. The duration of processing by Sub-processors is the same as by data importer;
- In Annex I, Part C: The Irish Data Protection Commission will be the competent supervisory authority; and
- Annex II: Data importer will maintain administrative, physical, and technical safeguards for protection of the security, confidentiality and integrity of Personal Data uploaded to the Services, as described in the Security, Privacy and Architecture Documentation applicable to the specific Services purchased by data exporter, and made reasonably available by data importer. Data importer will not materially decrease the overall security of the Services during a subscription term.
- Additional Clauses. Each of the following forms part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses:
- Clause 8.9 of the 2021 Standard Contractual Clauses and Clause 5(f) of the UK Standard Contractual Clauses: Audit. Data exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 or Clause 5(f), as applicable, by instructing data importer to comply with the audit measures described in Section 6.4 (Audits and Certifications) of the DPA.
- Clause 12 of the 2021 Standard Contractual Clauses and Clause 6 of the UK Standard Contractual Clauses: Liability. To the greatest extent permitted under Data Protection Law, any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.
- Clause 11 of the UK Standard Contractual Clauses: Onward sub-processing. The parties acknowledge that Article 28 of the United Kingdom GDPR allows for the general written authorisation of a sub-processor subject to notice of and the opportunity to object to the sub-processor. Accordingly, data exporter provides a general consent to Dataclay, pursuant to Clause 11 of the UK Standard Contractual Clauses, to engage onward sub-processors. That consent is conditional on Dataclay’s compliance with the requirements set out in Section 3 (Subprocessing) of the DPA.