This agreement was last updated on June 8, 2023.
Data Processing Addendum
between Controller and Processor
This is an addendum to, is incorporated into, and forms part of the End User License Agreement between the customer and its affiliates (“Controller”) and Presago (“Processor”) (together, the “Parties”) entering into the “Main Agreement”.
Background
The Parties wish to amend the Main Agreement on the agreed terms set out below in order to specify the data protection obligations of the Parties arising from the data processing that is part of the Main Agreement. It applies to all activities related to the Main Agreement in which employees or agents of the Processor process the personal data of the Controller.
Where Controller is subject to EU data protection laws, this Data Processor Addendum shall apply to the extent that Processor processes personal data on Controller’s behalf.
1. Definitions
1.1 The terms “process/processing”, “data subject”, “data processor”, “data controller”, “personal data”, “personal data breach”, and “data protection impact assessment” shall have the same meaning ascribed to them in Data Protection Laws;
...
1.12 Except as set out in this Addendum, all other provisions of the Main Agreement remain in full force and effect.
2. Processing of the Personal Data
2.1 The subject matter, duration, scope and type of data processing and confidentiality arise from the Main Agreement. The purpose of the data processing is to enable the provision of the Services in accordance with the Main Agreement.
...
2.4 The processing and use of the personal data shall take place in the territory of Italy, in a member state of the European Union or in the EEA. Any relocation to a third country is governed by the provisions of this DPA as well as the statutory provisions.
3. Rights and Obligations of the Controller
3.1 The Controller is the responsible person within the meaning of Article 4 No. 7 GDPR. The assessment of the permissibility of the data processing is the sole responsibility of the Controller. According to section 4.6, the Processor shall be entitled to inform the Controller of any data processing operations that are illegal in its opinion.
...
3.6 The Controller warrants that it has all the necessary rights to provide the Personal Data to the Processor for the processing to be performed in relation to the services. The Controller is also responsible for ensuring that any necessary data subject consent to this processing is obtained, and for ensuring that a record of such consents is maintained. Should consent be revoked by the data subject, the Controller is responsible for communicating the fact of such revocation to the Processor, and the Processor remains responsible for implementing any Controller instruction with respect to the further processing of that Personal Data in accordance with this Addendum and the Main Agreement.
4. General Obligations of the Processor
4.1 The Processor processes personal data exclusively within the scope of the Main Agreement made and in compliance with documented instructions issued by the Controller. The purpose, type and scope of data processing shall be governed exclusively by this Addendum, the Main Agreement and/or documented instructions of the Processor. The Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, subject to the requirements of this Addendum.
...
4.6 The Processor shall comply with all applicable Data Protection Laws in the Processing of Company Personal Data and not Process Company Personal Data other than on the relevant Company’s documented instructions.
5. Processor Personnel
5.1 The Processor shall treat all Personal Data as strictly confidential and shall inform all its employees, agents, and/or Authorized Sub-processors engaged in processing the Personal Data of the confidential nature of such Personal Data.
...
5.4 The Contractor warrants that it will familiarise its employees processing the Controller’s Personal Data with the Data Protection Laws.
6. Sub-Processing
6.1 As at the date of the conclusion of this Addendum, the companies listed in Annex 3 are acting as subcontractors for partial services for the Processor and, in this context, may also have access to the Personal Data. The Controller hereby authorizes the Processor to engage these subcontractors.
...
6.4 Controller agrees that when the Processor engages a Subprocessor for the provision of Services and those involve a transfer of personal data within the meaning of Chapter V of the GDPR, the Processor and the Subprocessor can ensure compliance with Chapter V of the GDPR e.g. by using the SCCs.
7. Data Subject rights
7.1 If and to the extent the Controller is obliged to provide a data subject with information on the collection, processing or use of its personal data pursuant to Data Protection Laws, the Processor shall support the Controller in providing this information. This presupposes a written request by the Controller, and if additional costs are incurred by the Processor, the Customer shall reimburse the Contractor for the costs incurred by this support.
7.2 If a data subject turns to the Processor with claims for information, correction, deletion or blocking of its personal data, the Processor shall refer the data subject to the Controller.
8. Deletion or return of Controller Personal Data
8.1 The Processor corrects, deletes or blocks the Personal Data if the Controller so instructs. The destruction of data carriers and other materials in accordance with Data Protection Laws shall be undertaken by the Processor on the basis of an individual order by the Controller unless already agreed in the Main Agreement.
...
8.3 Irrespective of other provisions on deletion, the Personal Data in the backup systems and files will be deleted in accordance with the regular deletion cycle of these backups.
9. Audit rights
9.1 The Processor shall make available to the Controller on request all information necessary to demonstrate compliance with this Addendum and Data Protection Laws.
...
9.7 Other contractual or statutory control rights of the Controller shall remain unaffected.
10. International transfers of Personal Data
10.1 The Controller agrees that the Processor may transfer Personal Data processed under this DPA outside the European Economic Area (EEA) as necessary to provide the Services. As at the date of this Addendum, the Controller hereby authorizes the Processor to engage those sub-processors set out in Annex 3.
...
10.3 If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the European Economic Area, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.
11. Liability
The Processor shall be liable in accordance with the statutory provisions of Art. 82 GDPR.
12. Costs
Each party bears its own costs in meeting the Controller’s requests made under this addendum.
13. Term and termination
13.1 The term and periods of notice correspond to the Main Agreement.
...
13.3 Upon termination of this Addendum in accordance with this section 8, the Processor’s activities on behalf of the Controller shall end.
14. Data breaches
14.1 The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR, including:
- ensuring adequate protection standards through technical and organizational measures, taking into account the type, circumstances, and purposes of the processing, the likelihood of data breaches and the severity of the risk to natural persons possibly resulting thereof
- ensuring immediate detection of infringements
- reporting data breaches without undue delay to the Controller
- assisting the Controller in answering data subjects' requests or the exercise of their rights
15. Miscellaneous
15.1 With regard to the subject matter of this Addendum, in the event of any conflict or inconsistency between any provision of the Main Agreement and any provision of this Addendum, the provision of this Addendum shall prevail.
...
Annex 1 – Types of Personal Data and categories of data subjects
The types of Personal Data to be processed:
...
Customers
Interested Parties
Employees
Suppliers
Agents
Annex 2 – Technical and organizational measures
The Processor shall implement appropriate technical and organizational measures to protect against the unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. These measures are to be maintained and reviewed regularly by the Processor as necessary to keep such measures up-to-date, efficient, and appropriate with respect to the sensitivity of the Personal Data of all customers.
The technical procedures adopted by the Processor can be found on the Security Statement page. The Processor is committed to continuously updating the Security Statement according to the technical measures adopted in order to maintain or increase the data protection standards.
Annex 3 – Authorized Sub-processors
Sub-processor | Privacy Policy |
---|---|
Cloudflare, Inc. | |
Atlassian Pty Ltd | https://www.atlassian.com/legal/privacy-policy |
Microsoft Corporation | |
Twilio Inc. | |
HubSpot, Inc. | |
Google LLC | |
Hetzner Online GmbH | |
MailerLite | |
Slack | |