Data Processing Addendum
This Data Processing Addendum (DPA) shall form part of the agreement made between Mibex Software GmbH, Albisriederstrasse 253, 8047 Zürich ("Service Provider") and the Licensee ("Controller"), as defined in the End User License Agreement ("Main Contract"), if the Licensee uses SaaS-Services (see below) from the Service Provider.
It is possible that by using SaaS-Services, the Controller processes Personal Data and that therefore, the Service Provider processes that Personal Data on behalf of the Controller. In this case, this Data Processing Addendum applies, complementary to the Main Contract.
I. DEFINITIONS
In this Addendum, the following defined terms are used. The terms "Personal Data", "Processing", "Processor", "Sub-Processor", "Controller" and "Data Subjects" shall have the meanings ascribed to them in the Swiss DPA and, where applicable, the GDPR. Terms not otherwise defined in this Addendum shall have the meanings assigned to them in the Main Contract.
"Affiliate" means any legal entity, which is directly or indirectly controlled by a Party, which directly or indirectly controls a Party, or which is directly or indirectly under the control of the same legal entity as a Party.
"Country with an Adequate Level of Data Protection" means a country or territory whose legislation ensures an adequate level of data protection according to both an adequacy decision by the European Commission and a corresponding assessment by the FDPIC or the Federal Council (as the case may be).
"EEA" means the European Economic Area.
"FDPIC" means the Federal Data Protection and Information Commissioner.
"GDPR" means the Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
"SaaS Services" shall mean the Software-as-a-Service services provided by the Service Provider to the Controller under the Main Contract.
"Software-as-a-Service" is a software as a service licensing and delivery model in which software is licensed on a subscription basis and is centrally hosted on the server of a cloud service provider. In the Main Contract it is also called "cloud-based applications".
"Swiss DPA" means the Swiss Federal Act on Data Protection, as amended from time to time, including its ordinances.
II. PROCESSING
A. Scope and Characteristics of the Processing
This Addendum governs the Processing of Personal Data by the Service Provider as a Processor or Sub-Processor of the Controller acting as a Controller or Processor in the performance of the Main Contract.
Where the Controller itself acts as a Processor (e.g., for a customer), it alone shall be responsible for communicating with the Controller and the Service Provider may consider its instructions as those of the Controller and assume that it is always acting on its authorization.
All Personal Data received by the Service Provider from the Controller, an Affiliate of the Controller, or a third party, or created by the Service Provider itself in the course of Processing, shall be included.
The subject matter, duration, nature and purpose of the Processing, as well as the types of Personal Data Processed and the categories of Data Subjects, are specified in Annex A of this Addendum.
B. Obligations of the Controller
The Controller undertakes and guarantees vis-à-vis the Service Provider that:
a) the processing by, the engagement of and instructions to the Service Provider are in compliance with the Swiss DPA and, where applicable, the GDPR and any other applicable data protection legislation and otherwise remain lawful during the term of the Addendum;
b) the technical and organizational measures in accordance with Annex B (Technical and Organizational Measures) are appropriate for processing and the associated risks and will remain appropriate during the term of the Addendum;
c) it has made or obtained all notifications, registrations, regulatory approvals, and consents from Data Subjects that are necessary for the lawful Processing of Personal Data by the Service Provider as a Processor according to the Swiss DPA and, where applicable, the GDPR and other applicable data protection law; and
d) it shall respond in a lawful and appropriate manner to all requests from Data Subjects exercising their rights under applicable data protection laws, as well as from supervisory authorities and other third parties.
C. Processing of Personal Data by the Service Provider
1. Obligations of the Service Provider
The Service Provider undertakes to the Controller:
a) to Process Personal Data, unless otherwise agreed, only for the purposes of the Controller and in each case only for the purpose of fulfilling the Main Contract and in accordance with the documented instructions of the Controller; the Main Contract, including this Addendum, as well as the services agreed upon by the Parties and the configurations and options chosen by the Controller and the instructions provided for in the Main Contract are the final and binding instructions of the Controller, unless otherwise agreed. If the Controller wishes to adapt these provisions, it shall propose this to the Service Provider; if the Main Contract provides for no special process for contract amendments, the Service Provider shall examine the request for adaptation in good faith; if the Parties cannot agree on an adaptation within thirty (30) days, the Controller may extraordinarily terminate the Processing and the performance of the Main Contract affected thereby, insofar as it shows that the requested contract amendment is necessary under data protection law;
b) not to disclose or transfer any Personal Data abroad, except:
i. to the Controller itself, its Affiliates or to third parties in fulfillment of an instruction of the Controller or as provided in the Main Contract (this does not apply to transfers to Sub-Processors of the Service Provider or other third parties engaged by the Service Provider);
ii. to a recipient in a Country with an Adequate Level of Data Protection, unless a stricter provision is agreed in the Main Contract;
iii. to a recipient not located in a Country with an Adequate Level of Data Protection, provided that the conditions required under the Swiss DPA and, where applicable, the GDPR for a lawful disclosure or transfer of Personal Data have been met, unless a stricter provision is agreed in the Main Contract; or
iv. if this is agreed with the Controller in the Main Contract or otherwise;
c) to implement and maintain the technical and organizational measures provided in Annex B (Technical and Organizational Measures) to ensure the confidentiality, integrity, and availability of Personal Data at all times and to protect Personal Data against unauthorized Processing, unauthorized access or unauthorized disclosure, as well as against accidental or unlawful falsification, destruction or loss; the Service Provider may adapt these measures if necessary, provided that the overall level of protection is substantially maintained; in such cases, it shall adapt Annex B (Technical and Organizational Measures) and notify the Controller in an appropriate manner;
d) to entrust the Processing of Personal Data only to employees and other auxiliary persons (including all third parties working on the instructions of the Service Provider and falling under Article 29 GDPR) who are contractually or legally bound to confidentiality when Processing Personal Data;
e) to delegate the Processing of Personal Data to third parties (other than employees and other auxiliary persons who meet the requirements of Section II.C.1.d) above) only with the prior written consent of the Controller and only to a Sub-Processor that has undertaken to Process the Personal Data in accordance with the requirements of the Swiss DPA and, where applicable, in accordance with Article 28(3) of the GDPR. Consent shall be deemed to have been granted in general for all Sub-Processors on the list of Sub-Processors in Annex C or in the Main Contract; if the Service Provider wishes to extend or adjust the list to include further Sub-Processors, it shall notify the Controller in text form in an appropriate manner at least sixty (60) days in advance (e.g. by means of an e-mail or notification function in case of adjustments to the list, insofar as it is made available on the Internet). The Controller may object in writing within fifteen (15) days to an extension or adjustment of the list; it shall do so only for justified reasons under data protection law; if the Parties cannot reach agreement within fifteen (15) days, the Controller may extraordinarily terminate the Processing and the service of the Main Contract affected thereby, provided it shows that the objection is necessary under data protection law; stricter provisions regarding the involvement of Sub-Processors for the benefit of the Controller in the Main Contract remain reserved;
f) to notify the Controller promptly at the email address provided by the Controller of any data breach (as defined in the GDPR), with the information pursuant to Article 33(3) GDPR and the corresponding provisions of the Swiss DPA as is reasonably available to the Service Provider;
g) to assist the Controller, upon its request, in complying with the GDPR, the Swiss DPA and other applicable data protection laws, taking into account the nature of the Processing and the information available to the Service Provider, in particular in complying with its obligations (i) towards Data Subjects exercising their rights under applicable data protection laws (including Chapter III of the GDPR and the corresponding provisions of the Swiss DPA and other applicable data protection laws), and (ii) pursuant to Articles 32 to 36 of the GDPR and the corresponding provisions of the Swiss DPA and other applicable data protection laws;
h) to inform the Controller promptly if, in its opinion, an instruction from the Controller violates applicable data protection laws or other applicable laws;
i) to provide the Controller with all information necessary to demonstrate the Service Provider's compliance with this Section II.C.1. and to permit and assist in audits and inspections by the Controller or by audit firms commissioned by the Controller for this purpose; the Controller agrees that it shall exercise this audit right, to the extent possible, only by relying on the review of any certifications and audit reports of independent audit firms provided by the Service Provider; and
j) to return all or certain Personal Data to the Controller, at the Controller's choice, subject to any applicable legal retention obligations, or to delete such Personal Data without retaining a copy upon termination of the Main Contract or upon request of the Controller.
2. Special expenses, indemnification
Unless otherwise agreed in the individual case, the Controller shall reimburse the Service Provider for the costs and expenses incurred by the Service Provider in providing the Controller with support services pursuant to Section II.C.1. or in otherwise assisting the Controller in complying with the Swiss DPA, the GDPR, if applicable, and other applicable data protection laws, in each case to the extent that the Controller cannot prove that these expenses were caused by the Service Provider itself or are not to be borne by the Controller pursuant to an express provision in the Main Contract.
The Controller shall indemnify and hold the Service Provider harmless from and against any and all claims of third parties based on a breach of this Addendum or applicable data protection laws. Such indemnification shall apply in particular to any damages, costs, administrative sanctions, claims or expenses incurred by the Service Provider as a result of such violations. This indemnification, as well as any potential claims for damages by the Service Provider and its Affiliates, shall not be subject to any limitation or exclusion of liability agreed in the Main Contract, unless expressly agreed otherwise with respect to this Section.
III. OTHER PROVISIONS
Furthermore, the Parties agree as follows:
a) Each Party shall bear its own costs for implementing this Addendum, unless expressly agreed otherwise in connection with or in this Addendum.
b) Each Party shall fulfill its obligations in accordance with the data protection provisions applicable to it, in particular the provisions of the Swiss DPA and, to the extent applicable, the GDPR. This shall apply in particular if the Service Provider Processes Personal Data received from the Controller or otherwise obtained in connection with the Main Contract as the controller. In this respect, the Controller allows the Service Provider to Process Personal Data and other data for (i) the purposes of the Main Contract and the rights and obligations arising therefrom (e.g. for the provision of the services and invoicing), (ii) the improvement of the Service Provider's products and services, (iii) non-personal purposes (e.g. statistical evaluations), provided that no personal data is published or disclosed to third parties who are not obliged to maintain confidentiality, and (iv) compliance with statutory and self-regulatory obligations. Upon request, the Controller shall inform the Data Subjects of the Service Provider's privacy notice, insofar as the Service Provider does not do so itself. Insofar as the Controller provides the Service Provider with Personal Data for Processing as the controller (e.g. information on service recipients), the Controller warrants that it may do so and that the Service Provider may Process this Personal Data in accordance with the Parties' agreements.
c) The Service Provider may unilaterally modify or amend this Addendum at any time. The Service Provider shall notify the Controller in text form in an appropriate manner at least sixty (60) days before the changes take effect (e.g. by means of an e-mail). The Controller may object in writing within fifteen (15) days; it shall do so only for justified reasons under data protection law; if the Parties cannot reach agreement within fifteen (15) days, the Controller may extraordinarily terminate the Processing and the service of the Main Contract affected thereby.
d) All prior agreements between the Parties regarding Processing of Personal Data are deemed superseded by this Addendum as of the date of this Addendum.
e) In the event of a conflict between the provisions of this Addendum and the provisions of the Main Contract, the provisions of this Addendum shall prevail if and to the extent that they relate to the Processing of Personal Data by the Service Provider under the Main Contract.
f) The provisions of this Addendum shall survive the termination of the Main Contract and shall remain in effect as long as the Service Provider is in possession of or has access to the Personal Data covered by this Addendum.
g) The provisions of this Addendum shall be governed by and construed in accordance with the substantive laws of Switzerland. All disputes arising out of or in connection with this Addendum shall be submitted to the jurisdiction of Zürich.
ANNEX A: DESCRIPTION OF THE PROCESSING
Subject matter/purpose of the Processing: Processing of any Personal Data entered by the Controller and/or its End Users for the use of the SaaS-Services.
Categories of data subjects:
Categories of personal data: Any data that the Controller or its End Users enter into the SaaS-Services (may contain special categories of personal data).
Nature of the Processing: Hosting, transmitting and backup of personal data.
Duration of the Processing: Processing of personal data for as long as the Controller uses the SaaS-Services. Deletion of personal data upon request.
ANNEX B: TECHNICAL AND ORGANIZATIONAL MEASURES
Physical security and access control
☒ Access controls (key, badge)
☒ Keys/badges are assigned to individuals

User and access control (identity and access management)
☒ All access requires authentication
☒ Rules for password complexity and renewal
☒ Role-based identity and access management
☒ Tools are locked when not in use
☒ Multi-factor authentication for external access
☒ Least privilege principle
☒ Privileged Access Management (PAM)
☒ Access logging
☒ Use of admin accounts only when necessary
☒ Authorization concept (need-to-know principle)

Confidentiality, integrity, availability and traceability
☒ Encryption of data "at rest"
☒ Backup concept
☒ Encryption of end devices
☒ BCM concept, emergency plan
☒ Encryption of data "in transit"
☒ Regular review of the backup
☒ State-of-the-art encryption
☒ Inventory of hardware and software
☒ Penetration tests, external security audits
☒ Hardware and software continuously checked/updated
☒ Staff signs non-disclosure agreement (clause in the employment contract)
☒ Technical redundancy (e.g. RAID, two systems)
☒ Logged changes of data/systems
☒ Logical separation of the data processed as a processor from other data

Measures to comply with data protection principles and data subject rights
☒ Privacy Policy for all applications
☒ Responsibility for data subject rights established
☒ Separation of productive data/test data
☒ List of processing activities
☒ Responsibility for edits defined

Organisation, monitoring and certifications
☒ TOMs are regularly checked/adjusted
☒ Internal or external data protection representative

Instructions and training
☒ Information security training
☒ Training on data protection
☒ Awareness measures on data protection
ANNEX C: APPROVED SUB-PROCESSORS
The Parties agree to the commissioning of the following Sub-Processors:
| Company | Service Provided | Corporate Location | Address | Contact Point | Further Details (including own Sub-Processors) |
|---|---|---|---|---|---|
| Atlassian Pty Ltd | Hosting (Forge Apps) | Australia | Level 6, 341 George Street, Sydney NSW 2000 | eudatarep@atlassian.com | The provider is using further sub-processors as per the following list: https://www.atlassian.com/legal/sub-processors. Technical and organizational measures can be found here: https://developer.atlassian.com/platform/forge/resources/Forge-Data-Processing-Addendum.pdf |
| SFDC Ireland Limited | Hosting (Heroku) | Ireland | Salesforce Tower Dublin, Dublin 1 | +353 14403500, legal@salesforce.com | The provider is using further sub-processors as per the following list: https://www.salesforce.com/company/legal/trust-and-compliance-documentation/. Technical and organizational measures can be found here: https://www.salesforce.com/company/legal/trust-and-compliance-documentation/ |
| Alpine Shark, LLC | Static IP Service (used for the opt-in feature of Include Bitbucket for Confluence Cloud) | USA | 2831 St. Rose Pkwy., Unit 221, Henderson NV 89052 | | |