Data Processing Addendum (February 2021)
This is an archived version of the Data Processing Addendum which is no longer in effect.
Last updated: February 3, 2021
This Data Processing Addendum (“DPA”) forms a part of the Customer Agreement or if you (“Customer”) have entered into a separate agreement with Twingate Inc. (“Twingate”), then it forms a part of such written agreement, if incorporated by reference in such agreement (in either case, the “Agreement”).
By executing an Agreement that explicitly states that this DPA is incorporated by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any of its affiliates who are authorized to use the Services.
If you are entering into this DPA on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that legal entity to this DPA. In that case, “Customer” will refer to that company or other legal entity.
This DPA regulates the Processing of Personal Data subject to European Data Protection Law for the Purposes (as defined in Appendix 1) and by the parties in the context of the Services.
This DPA only applies if European Data Protection Law applies to Customer (including via contractual obligations imposed by a Controller, if the Customer is a Processor).
1.1. Definitions. In this DPA:
“Controller” has the meaning given to that term under the GDPR.
“Data Subject” means a “data subject” (as that term is defined under the GDPR) whose Personal Data is processed in the context of this DPA.
“European Data Protection Law” means the EU General Data Protection Regulation 2016/679 (“GDPR”), the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementing legislations; the Swiss Federal Data Protection Act, and the Data Protection Acts of the countries in Europe (all as amended and replaced from time to time).
“Europe” means the European Economic Area (“EEA”), Switzerland, and the United Kingdom.
“Personal Data” means the “personal data” (as that term is defined under the GDPR) which is processed by Twingate on behalf of the Customer in connection with the Agreement.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“processing” and “process” have the meanings given to those terms under the GDPR.
“Processor” has the meaning given to that term under the GDPR.
1.2. Interpretation. Capitalized terms used but not otherwise defined in this DPA have the meanings given to them in the Agreement.
2. Roles of the Parties
2.1. Customer. The parties acknowledge that Customer is either: (a) a Controller of Personal Data; or (b) acting as a Processor on behalf of other Controllers and has been instructed by and obtained the authorization of such Controllers to agree to the processing of Personal Data by Twingate as Customer’s subprocessor as set forth in this DPA.
2.2. Twingate. Customer appoints Twingate as a Processor to process Personal Data for the Purposes (as defined in Appendix 1 of this DPA) in the context of the Services.
3. Obligations of Customer
3.1. General Compliance. Customer will:
(a) comply with European Data Protection Law when processing Personal Data and will only give lawful instructions to Twingate;
(b) implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of Personal Data is performed in accordance with European Data Protection Law; and
(c) cooperate with Twingate to fulfill their respective data protection compliance obligations in accordance with European Data Protection Law.
3.2. Controller Obligations. If Customer is a Controller, Customer confirms and warrants that, in relation to the processing of Personal Data for the Purposes in the context of the Services:
(a) it has informed Data Subjects of the uses of Personal Data as required by European Data Protection Law;
(b) it relies on a valid legal basis for the processing of Personal Data under European Data Protection Law including, if required, obtaining consent from Data Subjects;
(c) it complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing; and
(d) it complies with data accuracy, proportionality and data retention principles.
4. Obligations of Twingate
4.1. Processor Obligations. Twingate will comply with European Data Protection Law when processing Personal Data for the Purposes in connection with the Services. Twingate will:
(a) only process Personal Data on behalf of Customer in accordance with Customer’s lawful written instructions and not for any other purposes than those specified in Appendix 1 of this DPA or as otherwise agreed by both parties in writing. For the avoidance of doubt, Customer authorizes Twingate to de-identify Personal Data and use such de-identified data for Twingate’s product development, product improvement, benchmarking, security, and analytics purposes;
(b) promptly inform Customer if, in its opinion, Customer’s instructions infringe European Data Protection Law, or if Twingate is unable to comply with Customer’s instructions;
(c) notify Customer without undue delay after becoming aware of a Personal Data Breach. Twingate will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach;
(d) assist Customer in complying with data protection impact assessments, and prior consultations with supervisory authorities’ requirements under European Data Protection Law, taking into account the nature of the processing and the information available to Twingate. To the extent authorized under applicable law, Customer shall be responsible for any costs arising from Twingate’s provision of such assistance;
(e) assist Customer in complying with data breach notifications under European Data Protection Law, taking into account the nature of the processing and the information available to Twingate;
(f) taking into account the nature of the processing, assist Customer, upon Customer’s written request, by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligation to respond to Data Subjects’ requests (or, if the Customer is a Processor, to assist the applicable Controller to respond to such requests) to exercise their rights as provided under European Data Protection Law and specified in Section 4.1(d) of this DPA. To the extent authorized by applicable law, Customer shall be responsible for any costs arising from Twingate’s provision of such assistance; and
(g) upon termination of the DPA or upon a request to delete or return Personal Data, delete (including via anonymization) or return all Personal Data, and delete (including by anonymization) existing copies unless applicable law prevents it from returning or destroying all or part of the Personal Data, or requires storage of the Personal Data (in which case Twingate must keep such Personal Data confidential).
5. Data Transfers
5.1. Data Exports. Customer agrees that Personal Data may be transferred from Europe to or through jurisdictions outside of Europe to Twingate’s global team in order to help provide the Services, and provide technical and customer support, account management, billing and other ancillary functions. Twingate will not transfer such Personal Data in such a situation unless it has taken such measures as are necessary to ensure that the transfer is in compliance with European Data Protection Law, such as, for example, by use of the European Commission’s 2010 standard contractual clauses for controller to processor transfers (as may be amended or superseded from time to time) (“Standard Contractual Clauses”) where appropriate.
5.2. Standard Contractual Clauses. If Twingate or a Twingate affiliate will process Personal Data in a jurisdiction outside of Europe then, for any such transfers of Personal Data from Europe, if no other measure recognized by the GDPR (or equivalent national legislation) for permitting such transfers is available (for example, transfer to a recipient in a jurisdiction that the European Commission has decided provides adequate protection for Personal Data, or transfer to a recipient that has achieved binding corporate rules authorization in accordance with applicable European Data Protection Law), the parties agree that, in relation only to the Personal Data that is the subject of any such transfers where no other measure is available (“SCC Data”), the Standard Contractual Clauses shall be incorporated into this DPA by reference on the following basis, if Customer is the Controller with respect to the SCC Data:
(a) references to the “data exporter” in the Standard Contractual Clauses shall mean, with respect to the SCC Data, Customer;
(b) references to the “data importer” in the Standard Contractual Clauses shall mean Twingate and any relevant Twingate affiliate;
(c) the governing law specified in clause 9 of the Standard Contractual Clauses shall be the law of the country in which Customer is established;
(d) Appendix 1 to the Standard Contractual Clauses shall be deemed completed with the information that is provided in Appendix 1 to this DPA in relation to the SCC Data; and
(e) Appendix 2 to the Standard Contractual Clauses shall be deemed completed with the information that is provided in Appendix 2 to this DPA.
If Customer is a Processor with respect to the SCC Data, then, either: (i) Customer is entering into the Standard Contractual Clauses on behalf of each Controller of the SCC Data, if Customer is authorized to do so (such as for a Customer affiliate), in which case each reference to “Customer” in paragraphs (a)-(e) above shall instead refer to the Controller, where applicable; or (ii) Customer is entering into the Standard Contractual Clauses as “back-to-back” Standard Contractual Clauses in accordance with Clause 11 of the Standard Contractual Clauses, provided that Customer has entered into separate Standard Contractual Clauses with each Controller of the SCC Data.
6.1. Authorization. Customer gives a general authorization to Twingate to engage other Processors (“Subprocessors”) to process Personal Data in accordance with this DPA, including Twingate’s existing Subprocessors which are listed at https://www.twingate.com/privacy/subprocessors (“Subprocessor List”). Twingate will impose data protection terms on Subprocessors to protect the Personal Data to the same standard as provided for by this DPA.
6.2. New Subprocessors.
(a) Twingate may subcontract the processing of any Personal Data to additional third party Subprocessors (each a “New Subprocessor”) by updating the Subprocessor List, provided that Twingate will update the Subprocessor List before authorizing any New Subprocessor to process Personal Data in connection with the provision of the applicable Services. Customer will be notified of updates to the Subprocessor List if Customer subscribes to update notifications by following the relevant instructions on the Subprocessor List webpage.
(b) Within 30 days of Twingate adding a New Subprocessor to the Subprocessor List, Customer may object in writing to Twingate’s appointment of that New Subprocessor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer’s written objection will include Customer’s specific reasons for its objection and any options that may be available to mitigate. If Customer provides such a written objection to Twingate, the parties will cooperate to attempt to find a feasible solution. If a solution is not found and Customer does not withdraw its objection, Twingate will notify Customer in writing within 30 days that either: (i) Twingate will not use the New Subprocessor to process the Personal Data; or (ii) Twingate is unable or unwilling to do so. If the notification in clause (ii) is given, Customer may, within 30 days of such notification, elect to terminate this DPA and the Agreement upon written notice to Twingate.
7.1. Appropriate Security Measures. Twingate will implement appropriate technical and organizational measures to ensure a level of security with respect to the processing of Personal Data that is appropriate to the risk. In assessing the appropriate level of security, Twingate will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Twingate will take steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligations.
8. Data Protection Audit
8.1. Audit Right. Upon prior written request by Customer, Twingate agrees to cooperate and, within a reasonable timeframe, provide Customer with: (a) a summary of the audit reports, if any are available, demonstrating Twingate’s compliance with its obligations under this DPA, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Twingate’s systems, or to the extent that any such vulnerability was detected, that Twingate has remediated such vulnerability.
If the above measures are not sufficient to confirm compliance with European Data Protection Law or reveal some material issues, subject to confidentiality obligations, Twingate allows Customer to request an audit of Twingate’s data protection compliance program by Customer or by external independent auditors which are jointly selected by the parties. Any external independent auditor cannot be a competitor of Twingate, and the parties will agree upon the scope, timing, and duration of the audit (which must be conducted during Twingate’s regular business hours and with reasonable advance notice). Twingate will make available to Customer the result of the audit of its data protection compliance program. Customer will reimburse Twingate for all expenses and costs for such audit. The audit right hereunder may be exercised once in a calendar year during the term of this DPA and in addition where it is reasonably suspected that a Personal Data Breach has occurred. However, should the audit reveal any non-conformity, Customer shall be entitled to have its auditor perform follow-up audits to the extent necessary to protect its interests under this DPA.
9. General Terms
9.1. Liability Toward Data Subjects. Each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Customer will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law with regard to processing of Personal Data, and that Twingate will only be liable to Data Subjects for the entire damage resulting from a violation of the obligations of European Data Protection Law directed to Twingate or where it has acted outside of or contrary to Customer’s lawful instructions. Twingate will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
9.2. Applicable Law. The processing of Personal Data under this DPA is governed by the laws of the jurisdiction in which Customer is established.
9.3. Modification. This DPA may only be modified by a written amendment signed by each of the parties.
9.4. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
9.5. Term. This DPA continues until the earlier of: (a) the expiry of Customer’s entitlement to use and receive the Services, as set forth in the Agreement, and (b) the termination of the Agreement.
9.6. Liability. In no event shall Twingate’s liability to Customer in connection with any issue arising out of, or in connection with, this DPA exceed Twingate’s limitations on liability set out in the Agreement. Twingate’s limitations on liability as set out in the Agreement shall apply in aggregate across both the Agreement and this DPA, such that a single limitation on liability regime shall apply across both the Agreement and this DPA.
* * *
Appendix 1: Description of the processing
This Appendix 1 describes the Processing that Processor will perform on behalf of Controller.
Subject matter, nature and purpose of the processing operations
The Personal Data will be subject to the following basic processing activities (please specify):
Processor will process personal data as necessary to: (a) perform the Services described under the Agreement, in accordance with the Agreement, and (b) provide account management and customer technical support services.
Processor provides Services under the Agreement that are designed to manage, secure, and monitor access to systems, networks, devices, files, and other data operated and made available by Controller. The content of any information held or transmitted by these systems, networks, devices, files, and other data is determined solely by Controller and not Processor.
Duration of the processing operations
The duration of the processing is (please specify):
Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
The personal data concern the following categories of data subjects (please specify):
Controller may submit personal data to the Services, the extent of which is determined and controlled by Controller and may include, without limitation, personal data relating to the following categories of data subjects:
- Employees, agents, advisors, contractors of Controller who are natural persons
- Employees or contact persons of Controller’s business partners and vendors
- Controller’s end users who are authorized by Controller to use the Services
Categories of data
The personal data concern the following categories of data (please specify):
Controller may submit personal data to the Services, the extent of which is determined and controlled by the Controller and may include, without limitation, the following categories of personal data: name, email address, professional life data, and localization data.
Special categories of data (if appropriate)
The personal data concern the following special categories of data (please specify):
* * *
Appendix 2: Technical and Organizational Measures
Refer to the security measures described at https://docs.twingate.com/docs/twingate-security.