
Data Processing Agreement

Last Updated: April 22, 2024

This Data Processing Agreement (DPA) is entered into by the Client and Haystack Team, Inc. ("Data Processor"), as referenced in the Order Form and associated Master Sales Agreement. The effectiveness of this Agreement and its term are as specified in the Order Form and the associated Master Sales Agreement. This DPA specifies the Parties’ data protection obligations, which arise from the Data Processor’s processing of personal data on behalf of the Data Controller under the quote, service agreement, or other agreement between the Parties. The DPA is adopted as an appendix to the main agreement. 

Purpose, Scope & Responsibilities

This Data Processing Agreement forms part of the Contract for Services between the “Client” and the “Data Processor”, collectively referred to as the “Parties”. Whereas the Client acts as a Data Controller and wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor, the Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). The Parties wish to lay down their rights and obligations.

Definitions & Interpretation

Unless otherwise defined, capitalized terms and expressions used in this Agreement shall have the meanings assigned to them here. For example, “Agreement” refers to this Data Processing Agreement and all its Schedules. “Client Personal Data” is any Personal Data Processed by a Contracted Processor on behalf of Client pursuant to or in connection with the Principal Agreement, with “Contracted Processor” meaning a Subprocessor. Definitions also include terms for Data Protection Laws, the European Economic Area (EEA), EU Data Protection Laws including GDPR, Data Transfer, Services, and Subprocessor. Terms such as “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

Processing of Client Personal Data

The Processor is obliged to comply with all applicable Data Protection Laws in the Processing of Client Personal Data and not Process Client Personal Data other than on the Client’s documented instructions.

Processor Personnel

The Processor must take reasonable steps to ensure the reliability of any of its employees, agents, or contractors who may have access to the Client Personal Data, with access strictly limited to those individuals who need to know/access the relevant Client Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties.

Security

Considering the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk to the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including measures referred to in the GDPR.

Subprocessing & Data Subject Rights

The Processor shall not appoint any Subprocessor unless required or authorized by the Client. Additionally, the Processor shall assist the Client by implementing appropriate technical and organizational measures, insofar as possible, for the fulfillment of the Client's obligations to respond to Data Subject rights under the Data Protection Laws. The Processor must promptly notify the Client if it receives a request from a Data Subject in respect of Client Personal Data and shall not respond to that request without the Client's documented instructions.

Personal Data Breach

The Processor shall notify the Client without undue delay upon becoming aware of a Personal Data Breach affecting Client Personal Data, cooperating with the Client and taking reasonable steps as directed by the Client to assist in the investigation, mitigation, and remediation of each such Personal Data Breach.

Data Protection Impact Assessment & Prior Consultation

The Processor shall provide reasonable assistance to the Client with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, solely in relation to Processing of Client Personal Data by the Contracted Processors.

Deletion or Return of Client Personal Data

Upon the cessation of any Services involving the Processing of Client Personal Data, the Processor shall promptly delete and procure the deletion of all copies of those Client Personal Data.

Audit Rights

The Processor shall make available to the Client all information necessary to demonstrate compliance with this Agreement and shall allow for and contribute to audits, including inspections, by the Client or an auditor mandated by the Client in relation to the Processing of the Client Personal Data.

Data Transfer

The Processor may not transfer or authorize the transfer of Data to countries outside the EU and/or the EEA without the prior written consent of the Client.

General Terms

Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except as required by law or if the information is already in the public domain.

Notices. All notices and communications must be in writing and delivered personally, sent by post, or sent by email to the address or email address set out in the heading of this Agreement.

Governing Law and Jurisdiction. The Agreement is governed by the laws of a specified jurisdiction, and any disputes will be submitted to the exclusive jurisdiction of the courts of a specified location.

Mailing Address: 1645 Abbot Kinney Suite 202, Venice, CA 90291
Privacy Contact: privacy@haystackteam.com
General Inquiries: hello@haystackteam.com
Legal Contact: legal@haystackteam.com
Copyright Haystack Team, Inc. 2025