Data Protection Agreement

Part of Terms of Service or Master Agreement, effective from the same date and governing data handling between Procys and the Customer.

This Data Processing Agreement ("DPA") forms part of, and is subject to, Procys Terms of Service or other written or electronic master agreement (“Agreement”) between Procys B.V. (as defined below) and the Customer that references this DPA and is effective as of the same date of the Agreement.

This DPA applies where, and to the extent that, Procys processes Personal Data on behalf of the Customer when providing Services under the Agreement. The parties agree that this DPA shall replace any existing DPA or other data protection provisions the parties may have previously entered into in connection with the Services (as defined in the Agreement). Any capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

1. Definitions

1.1. "Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. For purposes of this definition, "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question.

1.2. “California Personal Information” means Personal Data that is subject to the protection of the CCPA (as defined below) and any later amendments thereto, including but not limited to the California Privacy Rights Act of 2020.

1.3. "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018) and any later amendments thereto, including but not limited to the California Privacy Rights Act of 2020 (“CPRA”).

1.4. "Customer Data" means any Personal Data that is uploaded for storage or hosting that Procys processes on behalf of the Customer in the course of providing the Services.

1.5. "Data Controller" means an entity that determines the purposes and means of the processing of Personal Data.

1.6. "Data Processor" means an entity that processes Personal Data on behalf of a Data Controller.

1.7. "Data Protection Laws" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement.

1.8. "EEA" means the European Economic Area.

1.9. "EU Data Protection Laws" means all current data protection and privacy laws applicable to the processing of Personal Data under the Agreement including but not limited to (i) prior to 25 May 2018, Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data ("Directive"); (ii) on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("EU GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); (iv) the Swiss Federal Data Protection Act; and (v) any national data protection laws made under or pursuant to (i) and (ii).

1.10. “Procys” means Procys B.V. or its Affiliate that is a party to the Agreement.

1.11. "Personal Data" means any information relating to an identified or identifiable natural person.

1.12. "Processing" has the meaning set forth under the GDPR and also includes any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process,” “Processes” and “Processed” will be construed accordingly.

1.13. "Security Incident" means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data.

1.14. “Sell” or “Sale” means selling, renting, releasing, disclosing, disseminating, making available, transferring or otherwise communicating orally, in writing or by electronic or other means, Customer Data to a third party for monetary or valuable consideration.

1.15. "Services" has the meaning set forth in the Agreement.

1.16. "Standard Contractual Clauses" means, as applicable:

(a) in respect of data relating to Data Subjects based in the European Union, the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries as set out in the Annex to Commission Implementing Decision 2021/91 which (i) in instances where the Customer acts as Data Controller and Procys acts as Data Processor, and (ii) in instances where the Customer acts as Data Processor and Procys also acts as Data Processor, or any successor clauses as may be approved by the EU Commission from time to time; or

(b) in respect of data relating to Data Subjects based in the United Kingdom, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B1.0 or any subsequent version) issued by the UK Information Commissioner’s Office or such successor clauses as may be approved by UK law from time to time.

1.17. "Subprocessor" has the meaning that is set forth under the GDPR and includes any Data Processor engaged by Procys or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties or Affiliates of Procys.

1.18. “UK Data Protection Laws” means all current data protection and privacy laws applicable to the processing of Personal Data under the Agreement in the UK including without limitation the UK GDPR, the UK Data Protection Act 2018 and regulations made thereunder.

1.19. “UK GDPR” has the meaning given to it in section 310 (as supplemented by section 205(4)) of the UK Data Protection Act 2018.

2. Roles and Scope of Processing

2.1. Role of the Parties. As between Procys and the Customer, the Customer is the Data Controller of Customer Data and Procys will process Customer Data only as a Data Processor, except when the Customer is the Data Processor of Customer Data and Procys is a Subprocessor, acting on behalf of Customer.

2.2. Customer Processing of Customer Data. The Customer agrees that (i) it will comply with its obligations under Data Protection Laws in respect to its processing of Customer Data and any processing instructions it issues to Procys; and (ii) it has provided notice, obtained or will obtain all consents and has established the required legal basis necessary for Procys to process Customer Data pursuant to the Agreement and this DPA.

2.3. Procys Processing of Customer Data. Procys will process Customer Data only (i) for the purpose of providing the Services and in accordance with the Customer’s documented lawful instructions as set forth in the Agreement and this DPA; (ii) as part of the direct business relationship between the Customer and Procys; (iii) on behalf of the Customer, to the extent necessary to detect data security incidents or protect against fraudulent or illegal activity; or (iv) as required by law, provided Procys will inform the Customer of such legal requirement prior to commencing such processing unless prohibited by law. The parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the processing are set out in this DPA, which can be amended from time to time, by an addendum to this DPA signed between the parties.

3. Subprocessing


3.1. Authorized Subprocessors. The Customer approves the grant of third party access for all current Procys Subprocessors as of the last date of execution of this DPA. Procys may, in respect of Personal Data that is provided under this Agreement, only authorize a new Subprocessor to process such Personal Data if the Customer is provided with the opportunity to object to the appointment of each Subprocessor to process such Personal Data within 7 working days after Procys supplies the Customer with full details in writing regarding such Subprocessor.

3.2. Subprocessor Obligations. Where Procys authorizes any Subprocessor:

(a) Procys will restrict the Subprocessor’s access to Customer Data solely to what is necessary to assist Procys in providing or maintaining the Services and will prohibit the Subprocessor from accessing Customer Data for any other purpose;

(b) Procys will enter or has already entered into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Data to the standard required by applicable Data Protection Laws; and

(c) Procys will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Procys to breach any of its obligations under this DPA.

4. Technical and Organizational Measures and Security Incident Response

Technical and Organizational Measures. Procys has implemented and will maintain appropriate technical and organizational security measures designed to protect Customer Data from Security Incidents and to preserve the security and confidentiality of Customer Data ("Technical and Organizational Measures").

4.1. Updates to the Technical and Organizational Measures. The Customer acknowledges that the Technical and Organizational Measures are subject to technical progress and development and that Procys may update or modify the Technical and Organizational Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

4.2. Personnel. Procys restricts its personnel from processing Customer Data without authorization by Procys as set forth in the Technical and Organizational Measures and shall ensure that any individual who is authorized by Procys to process Customer Data is bound under appropriate obligations of confidentiality and non-use.

4.3. Customer Responsibilities. The Customer agrees that, except as provided by this DPA, the Customer is responsible for its secure use of the Services. The Customer may elect to implement technical or organizational measures in relation to Customer Data, which may include (i) protecting account authentication credentials; (ii) protecting the security of Customer Data when in transit to and from the Services; (iii) implementing measures to allow the Customer to backup and archive appropriately in order to restore availability and access to Customer Data in a timely manner in the event of a physical or technical incident; and (iv) taking any appropriate steps to securely encrypt or pseudonymise any Customer Data uploaded to the Services.

4.4. Security Incident Response. Upon becoming aware of a Security Incident, Procys will notify the Customer without undue delay and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by the Customer. Procys will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident.

5. Customer Audits

5.1. Reports. Upon request, Procys will supply a summary copy of security audit report(s) ("Report") to the Customer in accordance with the Technical and Organizational Measures, which reports shall be subject to the confidentiality provisions of the Agreement. Procys will also respond to any reasonable written audit questions submitted to it by the Customer to review Procys’s compliance with Data Protection Laws, provided that the Customer shall not exercise this right more than once per year.

5.2. Customer Audits. Procys will permit the Customer and its third-party representatives to audit Procys's compliance with its Agreement obligations, on at least 60 days' notice, during the term of the Agreement. Procys will give the Customer and its third-party representatives all necessary assistance to conduct such audits. Such audits shall be limited to once per year.

6. International Transfers

6.1. Data Center Locations. Procys may transfer and process Customer Data anywhere in the world where Procys, its Affiliates or its Subprocessors maintain data processing operations. Procys will at all times provide an appropriate level of protection for the Customer Data processed, in accordance with the requirements of Data Protection Laws.

6.2. Transfers outside the EEA and/or UK. Procys may only process, or permit the processing, of Personal Data outside the EEA and/or United Kingdom under the following conditions:

(a) Procys is processing Personal Data, or permitting the processing of Personal Data in a territory which is subject to adequacy regulations under the EU Data Protection Laws and/or UK Data Protection Laws (as applicable) that the territory provides adequate protection for the privacy rights of individuals; or

(b) Procys, its Affiliates and/or its Subprocessors (as applicable) enter into applicable Standard Contractual Clauses so that appropriate safeguards are in place to ensure an adequate level of protection with respect to the privacy rights of individuals as required by Article 46 of the UK GDPR and EU GDPR.

If any Personal Data transfer between the Customer and Procys requires execution of Standard Contractual Clauses in order to comply with the EU Data Protection Laws and/or UK Data Protection Laws (where the Customer is the entity exporting Personal Data relating to EU and/or UK based individuals to Procys outside the EEA and/or UK), the Standard Contractual Clauses are incorporated by reference and form part of this DPA. To the extent there is any ambiguity between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail unless this DPA offers a Data Subject a greater level of protection, in which case, and only in respect of the greater protection that is offered, this DPA shall prevail.

6.3. Alternative Data Export Solutions. Notwithstanding the foregoing, the parties agree that in the event Procys adopts another alternative data export solution (as recognized under EU Data Protection Laws and/or UK Data Protection Laws (as applicable)), then the alternative data export solution shall apply instead of the Standard Contractual Clauses. In the event that the alternative data export solution is later determined to not constitute an adequate level of data protection under EU Data Protection Laws, the Standard Contractual Clauses shall apply as the data export solution; similarly, should such alternative data export solution later be determined not to constitute an adequate level of data protection under UK Data Protection Laws, the Standard Contractual Clauses (or any equivalent recognized by Data Protection Laws) shall apply.

7. Return or Deletion of Data

7.1. General. Upon termination or expiration of the Agreement, Procys will, at the Customer's election, delete or return to the Customer all Customer Data in its possession or control within one month of the expiry or termination of the Agreement, as applicable. If the Customer requires storage for a longer period, Procys may provide such storage at an additional cost, without assuming any liability.

7.2. Exception. This requirement will not apply (i) to the extent Procys is required by applicable law to retain some or all of the Customer Data; (ii) to the Customer Data it has archived on back-up systems, which Customer Data Procys will securely isolate and protect from any further processing, except to the extent required by law; or (iii) to financial transaction history that might be required for regulatory audits.

8. Cooperation

Access to Customer Data. To the extent that the Customer is unable to independently access the relevant Customer Data within the Services and provided that the Customer has configured the Services in accordance with Procys’s recommendations, Procys will, at the Customer's expense, provide reasonable cooperation to assist the Customer to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement when the Customer is required to respond to such requests under applicable Data Protection Laws. In the event that any such request is made directly to Procys.