DATA PROCESSING AGREEMENT
WHEREAS, Grip Security shall provide the services set forth in the Agreement (collectively, the “Services”) for Client, as described in the Agreement; and
WHEREAS, in the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data (defined below) within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
1. INTERPRETATION AND DEFINITIONS
1.1. The headings contained in this DPA are for convenience only and shall not be interpreted to limit or otherwise affect the provisions of this DPA. References to clauses or sections are references to the clauses or sections of this DPA unless otherwise stated. Words used in the singular include the plural and vice versa, as the context may require. Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. Definitions:
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) “Authorized Affiliate” means any of Client’s Affiliate(s) which (a) is subject to the Data Protection Laws and Regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Client and Grip Security, but has not signed its own agreement with Grip Security and is not a “Client” as defined under the Agreement.
(c) “CCPA” means the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), the CCPA Regulations (Cal. Code Regs. tit. 11, §§ 999.300 to 999.337), and any related regulations or guidance provided by the California Attorney General.
(d) “Controller” or “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data. For the purposes of this DPA only, and except where indicated otherwise, the term “Data Controller” shall include the Organization and/or the Organization’s Authorized Affiliates.
(e) “Data Protection Laws and Regulations” means all laws and regulations of the European Union, the European Economic Area and their Member States, and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
(f) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
(g) “Grip Security” means the relevant Grip Security entity of the following Grip Security legal entities as specified in this DPA and/or in the Agreement, including: Grip Security Inc, Grip Security Inc.
(h) “Grip Security Group” means Grip Security and its Affiliates engaged in the Processing of Personal Data.
(i) “Member State” means a country that belongs to the European Union and/or the European Economic Area. “Union” means the European Union.
(j) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(k) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For the avoidance of doubt, Client's business contact information is not by itself deemed to be Personal Data subject to this DPA.
(l) “Process(ing)” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(m) “Processor” or “Data Processor” means the entity which Processes Personal Data on behalf of the Controller or any Service Provider as defined in CCPA, if applicable.
(n) “Security Documentation” means the Security Documentation applicable to the specific Services purchased by Client, as updated from time to time. Client shall send a request to firstname.lastname@example.org to receive a copy of the Security Documentation.
(o) “Sub-processor” means any Processor engaged by Grip Security and/or Grip Security Affiliate to Process Personal Data on behalf of Client.
(p) “Supervisory Authority” means an independent public authority which is established by an EU Member State pursuant to the GDPR.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties.
2.1.1. The Parties acknowledge and agree that with regard to the Processing of Personal Data under this DPA, Grip Security is the Data Processor and Grip Security or members of the Grip Security Group may engage Sub-processors pursuant to the requirements set forth in Section 5 “Sub-processors” below. For clarity, this DPA shall not apply with respect to Grip Security processing activity as a Data Controller with respect to Grip Security data as defined in the Agreement.
2.1.2. Grip Security will comply with all applicable requirements of the CCPA when collecting, using, retaining, or disclosing Personal Data. Grip Security understands and agrees that it will not sell or share Personal Data. Grip Security will not retain, use, or disclose Personal Data for any purpose other than as specified in the Agreement and DPA. Unless used for a business purpose that does not involve cross-context behavioural advertising and is permitted under the CPRA regulations, Grip Security understands and agrees that it is prohibited from combining the personal information it receives from or on behalf of Client with personal information that it: 1) receives from or on behalf of another person; or 2) collects from its own consumer interaction.
2.2. Client’s Processing of Personal Data. Client shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations and comply at all times with the obligations applicable to data controllers (including, without limitation, Article 24 of the GDPR). For the avoidance of doubt, Client’s instructions for the Processing of Personal Data shall comply with Data Protection Laws and Regulations. Client shall have sole responsibility for the means by which Client acquired Personal Data. Without limitation, Client shall comply with any and all transparency-related obligations (including, without limitation, displaying any and all relevant and required privacy notices or policies) and shall at all times have any and all required ongoing legal bases in order to collect, Process and transfer to Grip Security the Personal Data and to authorize the Processing by Grip Security of the Personal Data which is authorized in this DPA. Client shall defend, hold harmless and indemnify Grip Security, its Affiliates and subsidiaries (including without limitation their directors, officers, agents, subcontractors and/or employees) from and against any liability of any kind related to any breach, violation or infringement by Client and/or its authorized users of any Data Protection Laws and Regulations and/or this DPA and/or this Section.
2.3. Grip Security’s Processing of Personal Data.
2.3.1. Subject to the Agreement, Grip Security shall Process Personal Data that is subject to this DPA only in accordance with Client’s documented instructions as necessary for the performance of the Services and for the performance of the Agreement and this DPA, unless required to otherwise by Union or Member State law or any other applicable law to which Grip Security and its Affiliates are subject, in which case, Grip Security shall inform the Client of the legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule 1 (Details of the Processing) to this DPA.
2.3.2. To the extent that Grip Security or its Affiliates cannot comply with a request (including, without limitation, any instruction, direction, code of conduct, certification, or change of any kind) from Client and/or its authorized users relating to Processing of Personal Data or where Grip Security considers such a request to be unlawful, Grip Security (i) shall inform Client, providing relevant details of the problem (but not legal advice), (ii) Grip Security may, without any kind of liability towards Client, temporarily cease all Processing of the affected Personal Data (other than securely storing those data), and (iii) if the Parties do not agree on a resolution to the issue in question and the costs thereof, each Party may, as its sole remedy, terminate the Agreement and this DPA with respect to the affected Processing, and Client shall pay to Grip Security all the amounts owed to Grip Security or due before the date of termination. Client will have no further claims against Grip Security (including, without limitation, requesting refunds for Services) due to the termination of the Agreement and/or the DPA in the situation described in this paragraph (excluding the obligations relating to the termination of this DPA set forth below).
2.3.3. Grip Security will not be liable in the event of any claim brought by a third party, including, without limitation, a Data Subject, arising from any act or omission of Grip Security, to the extent that such is a result of Client’s instructions.
3. RIGHTS OF DATA SUBJECTS. If Grip Security receives a request from a Data Subject to exercise its rights as laid down in Chapter III of the GDPR or in the CCPA (“Data Subject Request”), Grip Security shall, to the extent legally permitted, promptly notify and forward such Data Subject Request to Client. Taking into account the nature of the Processing, Grip Security shall use commercially reasonable efforts to assist Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Client’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. To the extent legally permitted, Client shall be responsible for any costs arising from Grip Security’s provision of such assistance. Grip Security certifies that it understands the Agreement’s and the CCPA's restrictions and prohibitions on selling personal information and retaining, using, or disclosing personal information outside of the parties' direct business relationship, and it will comply with them, if applicable. Grip Security has no reason to believe any CCPA requirements or restrictions prevent it from providing any of the contracted business purposes or otherwise performing under the Agreement. Grip Security will make reasonable efforts to notify Client of any changes to the CCPA's requirements that may adversely affect its performance under the Agreement.
4. GRIP SECURITY PERSONNEL
4.1. Confidentiality. Grip Security shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need-to-know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.2. Grip Security may disclose and Process the Personal Data (a) as permitted hereunder, (b) to the extent required by a court of competent jurisdiction or other Supervisory Authority and/or otherwise as required by applicable laws or applicable Data Protection Laws and Regulations (in such a case, Grip Security shall inform the Client of the legal requirement before the disclosure, unless that law prohibits such information on important grounds of public interest), or (c) on a “need-to-know” basis under an obligation of confidentiality to legal counsel(s), data protection advisor(s), accountant(s), investors or potential acquirers.
5. AUTHORIZATION REGARDING SUB-PROCESSORS
5.1. Grip Security’s current list of Sub-processors is included in Schedule 2 (“Sub-processor List”) and is hereby approved by Data Controller.
5.2. Grip Security shall provide notification of any new Sub-processor(s) before authorizing such new Sub-processor(s) to Process Personal Data in connection with the provision of the Services.
5.3. Grip Security confirms that prior to supplying any Sub-processor with Personal Data, Grip Security will enter into a written agreement with it incorporating terms that are substantially similar to this DPA. As between Client and Grip Security, Grip Security shall remain liable, subject to the Agreement, for acts or omissions of any Sub-processor appointed by Grip Security pursuant to this section.
5.4. Objection Right for Sub-processors. Client may reasonably object to Grip Security’s use of a Sub-processor for reasons related to the GDPR by notifying Grip Security promptly in writing within ten (10) business days after receipt of Grip Security’s notice in accordance with the mechanism set out in Section 5.1.2 and such written objection shall include the reasons related to the GDPR for objecting to Grip Security’s use of such Sub-processor. Failure to object to such Sub-processor in writing within such ten-day period shall be deemed as acceptance of the Sub-Processor. In the event Client reasonably objects to a Sub-processor, as permitted in the preceding sentences, Grip Security will use reasonable efforts to make available to Client a change in the Services or recommend a commercially reasonable change to Client’s use of the Services to avoid Processing of Personal Data by the objected-to Sub-processor without unreasonably burdening the Client. If Grip Security is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Client may, as a sole remedy, terminate the applicable Agreement and this DPA by providing written notice to Grip Security provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Grip Security. Until a decision is made regarding the Sub-processor, Grip Security may temporarily suspend the Processing of the affected Personal Data. Client will have no further claims against Grip Security due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
6.1. Controls for the Protection of Personal Data. Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Grip Security shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Client. Upon the Client’s request, Grip Security will use commercially reasonable efforts to assist Client, at Client’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of the processing, the state of the art, and the information available to Grip Security.
6.2. Third-Party Certifications and Audits. Upon Client’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Grip Security shall make available to Client that is not a competitor of Grip Security (or Client’s independent, third-party auditor that is not a competitor of Grip Security) a copy or a summary of Grip Security’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Client to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Grip Security’s prior written approval and, upon Grip Security’s first request, Client shall return all records or documentation in Client’s possession or control provided by Grip Security in the context of the audit and/or the certification). At Client’s cost and expense, Grip Security shall allow for and contribute to audits, including inspections of Grip Security’s, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Grip Security) provided that the parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not contain any information, including without limitation, personal data that does not belong to Client.
7. PERSONAL DATA INCIDENT MANAGEMENT AND NOTIFICATION. To the extent required under applicable Data Protection Laws and Regulations, Grip Security shall notify Client without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data, including Personal Data, transmitted, stored or otherwise Processed by Grip Security or its Sub-processors of which Grip Security becomes aware (a “Personal Data Incident”). Grip Security shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps as Grip Security deems necessary, possible and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within Grip Security’s reasonable control. The obligations herein shall not apply to incidents that are caused by Client or Client’s users or are otherwise unrelated to the provision of the Services. In any event, Client will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations), and Grip Security will provide assistance to Client as needed to meet these obligations under Data Protection Laws and Regulations.
8. RETURN AND DELETION OF PERSONAL DATA. Subject to the Agreement, Grip Security shall, at the choice of Client, delete or return the Personal Data to Client after the end of the provision of the Services relating to Processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Grip Security may retain one copy of specific Personal Data that is identified as needed for evidence purposes in a legal or regulatory action and/or for the establishment, exercise or defence of legal claims and/or to comply with applicable laws and regulations. If the Client requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Grip Security’s Clients.
9. AUTHORIZED AFFILIATES
9.1. Contractual Relationship. The Parties acknowledge and agree that, by executing the DPA, the Client enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between Grip Security. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Client.
9.2. Communication. The Client shall remain responsible for coordinating all communication with Grip Security under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
10. TRANSFERS OF DATA
10.1. Transfers to countries that offer an adequate level of data protection. Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”) and the United Kingdom to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission (“Adequacy Decisions”), without any further safeguard being necessary.
10.2. Transfers to other countries. If the Processing of Personal Data includes transfers from the EEA to countries outside the EEA which are not subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Chapter V of the GDPR, including, if necessary, executing the standard data protection clauses adopted by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission or comply with any of the other mechanisms provided for in the GDPR for transferring Personal Data to such Other Countries. To the maximum extent permitted by law, to the extent that Client and Grip Security will use the Standard Contractual Clauses as a mechanism to transfer Client Personal Data, the rights and obligations of the parties shall be performed in accordance with, and subject to, this DPA.
11. TERMINATION. This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.3.3, 8 and 12 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
12. RELATIONSHIP WITH AGREEMENT. In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Notwithstanding anything to the contrary, the Parties' liability under this DPA shall be limited as provided in Section 11 of the Agreement.
13. AMENDMENTS. This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
14. LEGAL EFFECT. Grip Security may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Grip Security obligation hereunder may be performed (in whole or in part), and any Grip Security right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Grip Security.
15. SIGNATURE. The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA. You, as the signing person on behalf of Client, represent and warrant that you have, or you were granted, full authority to bind the Organization and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Organization and/or its Authorized Affiliates, you shall not supply or provide Personal Data to Grip Security. By signing this DPA, Client enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that Grip Security processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
List of Schedules
- SCHEDULE 1 - DETAILS OF THE PROCESSING
- SCHEDULE 2 - SUB-PROCESSOR LIST
The parties’ authorized signatories have duly executed this Agreement:
GRIP SECURITY Inc
Print Name: Lior Yaari
SCHEDULE 1 - DETAILS OF THE PROCESSING
Subject matter. Grip Security will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further instructed by Client in its use of the Services.
Nature and Purpose of Processing
- Performing the Agreement, this DPA and/or other contracts executed by the Parties, including, providing the Service(s) to Client and providing support and technical maintenance, if agreed in the Agreement
- For Grip Security to comply with documented reasonable instructions provided by Client where such instructions are consistent with the terms of the Agreement.
Duration of Processing. Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Grip Security will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Type of Personal Data. Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- Full name
- Email address
- IP address
- Any other Personal Data or information that the Client decides to provide to Grip Security or the Services.
The Client and the Data Subjects shall provide the Personal Data to Grip Security by supplying the Personal Data to Grip Security’s Service.
Notwithstanding anything to the contrary, Client acknowledges that the same personal information or Personal Data provided by Client or processed on behalf of Client may have already been (or will be) provided by other customers or clients to Grip Security, or may have already been (or will be) collected by Grip Security independently or from other customers or clients, or may be available on public sources. For avoidance of doubt, this data and information may be collected, used and processed by Grip Security and/or disclosed by Grip Security to third parties and other customers or clients without this being deemed a breach of this DPA and/or the Agreement.
Categories of Data Subjects
Client may submit Personal Data to the Services, the extent of which is determined and controlled by Client in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Client’s customers and/or clients
- Employees, agents, advisors, freelancers of Client (who are natural persons)
- Prospects, Clients, business partners and vendors of Client (who are natural persons)
- Employees or contact persons of Client’s prospects, Clients, business partners and vendors
SCHEDULE 2 – SUB-PROCESSOR LIST