This Data Processing Addendum ("DPA") is part of the Service Agreement concluded by customers based on an agreement found on the homepage of acalby.com or other written or electronic agreements between an acalby.com entity and the customer, resulting in the provision of a licensed access service to acalby.com or other services (hereafter referred to as "services" or as otherwise defined in the relevant agreement), to reflect the agreement between the parties concerning the processing of personal data.
By signing the Agreement, the customer enters into this DPA in their own name and on behalf of the current acalby.com entity with which the original acalby.com agreement was signed, and where required by relevant data protection laws and regulations, on behalf of their authorized affiliated companies, to the extent that acalby.com processes personal data for which such authorized affiliated companies qualify as data controllers. For the purposes of this DPA, the term "customer" is used to refer only to the customer and the authorized affiliated companies. All capitalized terms not defined herein have the meaning ascribed to them in the Agreement.
In providing services to the customer under the Agreement, acalby.com may process personal data on behalf of the customer, and both parties agree to abide by the following provisions regarding any personal data, with each acting reasonably and in good faith.
HOW TO EXECUTE THIS DPA:
Upon receiving the properly completed DPA from acalby.com via the DPA form, this DPA becomes legally binding.
HOW THIS DPA APPLIES: If the customer entity that signs this DPA is a party to the Agreement, this DPA serves as an addendum to the Agreement and is part of the Agreement. In that case, the acalby.com entity that is party to the Agreement is also party to this DPA. If the customer entity that signs this DPA has signed an order form with acalby.com or its affiliated company under the Agreement but is not itself a party to the Agreement, this DPA is an addendum to that order form and any applicable renewal order forms, and the acalby.com entity that is party to that order form is also party to this DPA.
If the customer entity that signs this DPA is not a party to the order form or the Agreement, this DPA is not valid and is not legally binding. Such an entity should ask the customer entity that is a party to the Agreement to sign this DPA.
If the customer entity that signs this DPA is not directly a party to the Agreement with acalby.com but is indirectly a customer through an authorized reseller of acalby.com services, this DPA is not valid and is not legally binding. Such an entity should contact the authorized reseller to agree on whether any changes to their agreement with that reseller are necessary.
This DPA supersedes any comparable or additional rights regarding the processing of customer data contained in the customer's agreement (including any existing data processing addendum to the agreement).
This DPA text (Data Processing Addendum) sets out the terms and obligations related to the processing of personal data between acalby.com and the customer. It includes what both parties agree to do in connection with the processing of acalby.com customer's personal data and how compliance with applicable data protection laws is ensured. It also sets out procedures for data security audits, incident management, data subject rights, and other critical aspects of personal data processing.
It is a document typically appended to a contract or agreement between acalby.com and the customer to ensure both parties adhere to certain standards and practices regarding personal data protection.
DATA PROCESSING TERMS
"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control" in this context means direct or indirect ownership or control of more than 50% of the voting rights of the entity.
"Data Controller" means an entity that determines the purposes and means of processing personal data.
"Customer Data" refers to what is defined in the agreement as "Customer Data" or "Your Data."
"Authorized Affiliate" refers to any affiliated companies in the customer's group (a) subject to the relevant data protection laws of the European Union, the European Economic Area, and/or their member states, Switzerland, and/or the United Kingdom, and (b) that are permitted to use the services according to the agreement between the customer and acalby.com, but have not created their own order forms and are not "customers" as defined in the agreement, (c) as long as acalby.com processes personal data for which such affiliated companies qualify as data controllers.
"Data Protection Laws and Regulations" means all laws and regulations, including laws and binding regulations of the European Union, the European Economic Area, and their member states, Switzerland, and the United Kingdom, applicable to the processing of personal data under the agreement.
"Data subject" refers to an identified or identifiable person to whom personal data relates.
"GDPR" refers to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation).
"Personal data" refers to any information relating to an identified or identifiable natural person, provided such information is protected as personal data under applicable data protection laws and is submitted as customer data.
"Processing" means any operation or set of operations performed with personal data, whether automated or not, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing, or destroying.
"Processor" refers to an entity that processes personal data on behalf of a controller.
"Security Policies" refers to acalby.com’s Security Policies, as updated from time to time and accessible on the acalby.com homepage (https://app.acalby.com/legacy/security).
"acalby.com Group" refers to acalby.com and its affiliates involved in the processing of personal data, as listed on the acalby.com homepage (https://app.acalby.com/legacy/sub-processors).
"Sub-processor" refers to any entity engaged by acalby.com or a member of the acalby.com Group to process personal data in connection with the services.
"Supervisory Authority" refers to an independent public authority established by an EU Member State under the GDPR.
PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with respect to the processing of personal data, the customer is the controller, acalby.com is the processor, and acalby.com or members of the acalby.com Group will engage sub-processors in accordance with the requirements set forth in Section 5 "Sub-Processors" below.
2.2 Processing of Customer Personal Data. The customer agrees to process personal data in accordance with the requirements of data protection laws and regulations when using the services. To clarify, the customer’s instructions for processing personal data must comply with data protection laws. The customer is responsible for the accuracy, quality, and legality of personal data and how it was obtained.
2.3 Processing of acalby.com Customer Personal Data. As a processor of customer personal data, acalby.com treats personal data as confidential information and will process personal data only based on and in accordance with the customer's written instructions for the following purposes: (i) processing according to the agreement and the applicable order form; (ii) processing initiated by authorized users in their use of the services; and (iii) processing to fulfill other documented reasonable instructions provided by the customer (for example, via email or a customer support request), provided that such instructions comply with the terms of the agreement (individually and collectively, the "Purpose"). acalby.com acts on behalf of and under the customer's instructions in fulfilling the Purpose.
2.4 Details of Processing. The subject of acalby.com’s processing of personal data is the provision of services under the agreement. The duration, nature, and purpose of processing, the types of personal data, and the categories of data subjects processed in accordance with this DPA are further specified in Schedule A (Description of Processing Activities) of this DPA.
3.1 Data Subject Request. acalby.com will not process any request submitted by a data subject to process their personal data or if the data subject does not consent to the processing of such data ("Data Subject Request"). acalby.com will not respond to the Data Subject Request nor forward it to the customer. The customer, to the extent that they can process the Data Subject Request within their use of the services, is responsible for handling such Data Subject Requests and notifying the data subject that the processing is carried out by the customer. Given the nature of the processing, acalby.com has the right to decide, based on a written request from the customer, whether to provide or withhold assistance in processing Data Subject Requests. Such requests from the customer will only be processed if legally permitted and provided that the Data Subject Request is in compliance with data protection laws. The customer will be responsible for any costs incurred in providing such assistance from acalby.com.
4.1 Confidentiality. acalby.com commits to ensuring that its personnel involved in processing personal data are informed of the confidential nature of personal data, receive adequate training on their obligations, and sign written confidentiality agreements. acalby.com ensures that these confidentiality obligations continue even after personnel are no longer engaged.
4.2 Responsibility. acalby.com will take reasonable steps to ensure the reliability of any acalby.com personnel involved in processing personal data.
4.3 Restricted Access. acalby.com ensures that access to personal data is limited to personnel carrying out services in accordance with the agreement.
5.1 Designation of Sub-Processors. The customer acknowledges and agrees that (a) acalby.com and its affiliates may be designated as sub-processors, and (b) acalby.com and its affiliates may engage third parties as sub-processors in connection with the provision of services. acalby.com or an acalby.com affiliate has entered into a written agreement with each sub-processor that contains data protection obligations that are at least as protective as those in this agreement regarding customer data protection to the extent applicable to the nature of services provided by such sub-processor.
5.2 List of Current Sub-Processors and Notice of New Sub-Processors. The current list of sub-processors for services, including the identity of these sub-processors and their country of origin, is available on the acalby.com homepage. acalby.com will notify the customer of new sub-processors through notifications in its software prior to allowing such new sub-processors to process personal data in connection with the provision of relevant services.
5.3 Right to Object to New Sub-Processors. The customer may object to the use of a new sub-processor by providing written notice to acalby.com within ten (10) business days of receiving notice from acalby.com in accordance with the mechanism set forth in Section 5.2. Such notice must explain reasonable reasons for the objection. In the event that the customer objects to a new sub-processor, as permitted in the previous sentence, acalby.com will make reasonable efforts to provide the customer with a change in services or suggest a commercially reasonable change in configuration or use of services to avoid the processing of personal data subject to objection by such new sub-processor.
6.1 Customer Data Protection Measures. acalby.com will maintain appropriate technical and organizational measures to protect the security (including protection against unauthorized or unlawful processing, against accidental or unlawful loss or alteration or damage, unauthorized leakage, or access to customer data), confidentiality, and integrity of customer data, as outlined in the Data Security Measures Addendum. acalby.com will regularly monitor compliance with these measures.
6.2 Updates to Security Measures. The customer is responsible for reviewing the information provided by acalby.com regarding data security and making an independent decision on whether the services meet the customer's requirements and legal obligations according to data protection laws. The customer acknowledges that the security measures defined in the Data Security Measures Addendum are subject to technical advancements and developments, and that acalby.com may update or modify the security measures from time to time, provided that such updates and modifications do not lead to a degradation of the overall security of the services purchased by the customer.
6.3 Customer Responsibilities. Notwithstanding the foregoing, the customer agrees that, except as specified in this Agreement, they are responsible for the secure use of the services, including securing account authentication details, protecting the security of customer data during transmission to and from the services, and taking all reasonable steps to ensure secure encryption or backup of any customer data uploaded to the services.
9.1 Contractual Relationship. The parties acknowledge and agree that by signing the agreement, the customer enters into the agreement on their behalf and, where necessary, on behalf of and in the name of their authorized affiliated companies, thereby creating a separate DPA between acalby.com and each such authorized affiliated company as per the provisions of the agreement and this section 9 and section 10. Each authorized sub-processor agrees to be bound by the obligations under this Agreement and, where necessary, the agreement. The exact delineation of authorized sub-processors under this section is subject to the relevant provisions of the agreement. All access to and use of the services and content by authorized sub-processors must comply with the terms of the agreement, and any violation of the terms by an authorized sub-processor is considered a violation by the customer.
9.2 Communication. The customer, who is a party to the agreement, will be responsible for coordinating all communication with acalby.com within the scope of this DPA and will have the right to conduct and receive any communications related to this DPA on behalf of their authorized affiliated companies.
9.3 Rights of Authorized Sub-Processors. Where an authorized sub-processor becomes a party to the DPA with acalby.com, the authorized sub-processor will be entitled, to the extent required by applicable data protection laws, to exercise rights and seek remedies under this DPA, except for the following:
9.3.1 If non-applicable data protection laws require that an authorized sub-processor exercise a right or seek any remedy under this DPA directly from acalby.com, the parties agree that (i) only the customer, who is a party to the agreement, will exercise such right or seek such remedy on behalf of the authorized sub-processor, and (ii) the customer, who is a party to the agreement, exercises such rights under this DPA not separately for each authorized sub-processor individually, but collectively for all its authorized affiliated companies (as explained, for example, in section 9.3.2, below).
9.3.2 The parties agree that the customer, who is a party to the agreement, will take all reasonable steps to limit any impact on acalby.com and its sub-processors by combining, wherever possible, multiple audits conducted on behalf of different authorized sub-processors into a single audit.
The liability of each party and all its affiliated companies, in aggregate, arising from or related to this DPA and all DPAs among authorized sub-processors and acalby.com, whether contractual, statutory, or under any other liability, is governed by the section "Limitation of Liability" of the agreement, and any references in such a section to the liability of a party mean the total liability of that party and all its affiliated companies under the agreement and all DPAs together.
Based on the above, the total liability of acalby.com and its affiliated companies for all claims from the customer and all its authorized affiliated companies arising from or related to the agreement and each applicable DPA within the agreement is applicable in aggregate to all claims under the agreement and all DPAs established according to the agreement, including from the customer and all authorized affiliated companies, and is not considered individually and separately for the customer and/or any authorized affiliated company that is a party to any such DPAs.
11.1 GDPR. From May 25, 2018, acalby.com will process personal data in accordance with the GDPR requirements directly applicable to the provision of its services.
11.2 Data Protection Impact Assessment. From May 25, 2018, acalby.com, upon the customer's request, will provide the customer with reasonable cooperation and assistance needed to meet the customer’s obligations under the GDPR to conduct a data protection impact assessment related to the customer's use of the services, provided the customer otherwise lacks access to relevant information, and provided such information is available to acalby.com. acalby.com will provide the customer with reasonable assistance in cooperating or conducting prior consultation with the supervisory authority in accordance with the GDPR.
The section "HOW THIS DPA APPLIES" defines how acalby.com is a party to this DPA.
This DPA becomes legally binding between the customer and acalby.com only after the formal steps outlined in the "HOW TO EXECUTE THIS DPA" section above have been fully completed.
DESCRIPTION OF DATA PROCESSING
Individuals
The customer may provide personal data to the services, the scope of which is determined and controlled by the customer, and may include but is not limited to personal data relating to the following categories of individuals:
Categories of Data
The personal data being transferred relates to the following categories of data:
Special Categories of Data
The customer may provide acalby.com with personal data through the services, the scope of which is determined and controlled by the customer in accordance with applicable data protection laws. The customer must not provide acalby.com with personal data through the services that could include the following special categories of data:
Processing Operations
The personal data being transferred will be processed in accordance with the agreement and any purchase orders and may be subject to the following processing operations: