Data Processing Addendum
Last updated: September 27, 2021
This Data Processing Addendum (“DPA”) forms a part of the Customer Agreement or if you (“Customer”) have entered into a separate agreement with Twingate Inc. (“Twingate”), then it forms a part of such written agreement, if incorporated by reference in such agreement (in either case, the “Agreement”).
By executing an Agreement that explicitly states that this DPA is incorporated by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any of its affiliates who are authorized to use the Services.
If you are entering into this DPA on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that legal entity to this DPA. In that case, “Customer” will refer to that company or other legal entity.
This DPA regulates the Processing of Personal Data subject to European Data Protection Law for the Purposes (as defined in Annex 1) and by the parties in the context of the Services.
This DPA only applies if European Data Protection Law applies to Customer (including via contractual obligations imposed by a Controller, if the Customer is a Processor).
1.1. Definitions. In this DPA:
“Controller” has the meaning given to that term under the GDPR.
“Data Subject” means a “data subject” (as that term is defined under the GDPR) whose Personal Data is processed in the context of this DPA.
“European Data Protection Law” means: (a) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “EU GDPR”); (b) the EU e-Privacy Directive (Directive 2002/58/EC); (c) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (d) the Swiss Federal Data Protection Act of 19 June 1992 (“Swiss DPA”) and (e) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (a), (b) or (c); in each case as may be amended or superseded from time to time.
“Europe” means the European Economic Area (“EEA”), Switzerland, and the United Kingdom.
“GDPR” means: (a) the EU GDPR, where the EU GDPR applies; and (b) the UK GDPR, where the UK GDPR applies.
“Personal Data” means the “personal data” (as that term is defined under the GDPR) which is processed by Twingate on behalf of the Customer in connection with the Agreement.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
“processing” and “process” have the meanings given to those terms under the GDPR.
“Processor” has the meaning given to that term under the GDPR.
“Restricted Transfer” means: (a) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (c) where the Swiss DPA applies, a transfer of personal data from Switzerland to any other country that has not been determined to provide adequate data protection by the Federal Data Protection and Information Commissioner or other competent Swiss authority.
“Standard Contractual Clauses” means: (a) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”); and (b) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK SCCs”).
1.2. Interpretation. Capitalized terms used but not otherwise defined in this DPA have the meanings given to them in the Agreement.
2. Roles of the Parties
2.1. Customer. The parties acknowledge that Customer is either: (a) a Controller of Personal Data; or (b) acting as a Processor on behalf of other Controllers and has been instructed by and obtained the authorization of such Controllers to agree to the processing of Personal Data by Twingate as Customer’s subprocessor as set forth in this DPA.
2.2. Twingate. Customer appoints Twingate as a Processor to process Personal Data for the Purposes (as defined in Annex 1 of this DPA) in the context of the Services.
3. Obligations of Customer
3.1. General Compliance. Customer will:
(a) comply with European Data Protection Law when processing Personal Data and will only give lawful instructions to Twingate;
(b) implement appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the processing of Personal Data is performed in accordance with European Data Protection Law; and
(c) cooperate with Twingate to fulfill their respective data protection compliance obligations in accordance with European Data Protection Law.
3.2. Controller Obligations. If Customer is a Controller, Customer confirms and warrants that, in relation to the processing of Personal Data for the Purposes in the context of the Services:
(a) it has informed Data Subjects of the uses of Personal Data as required by European Data Protection Law;
(b) it relies on a valid legal basis for the processing of Personal Data under European Data Protection Law including, if required, obtaining consent from Data Subjects;
(c) it complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of processing, and objection to the processing; and
(d) it complies with data accuracy, proportionality and data retention principles.
4. Obligations of Twingate
4.1. Processor Obligations. Twingate will comply with European Data Protection Law when processing Personal Data for the Purposes in connection with the Services. Twingate will:
(a) only process Personal Data on behalf of Customer in accordance with Customer’s lawful written instructions and not for any other purposes than those specified in Annex 1 of this DPA or as otherwise agreed by both parties in writing. For the avoidance of doubt, Customer authorizes Twingate to de-identify Personal Data and use such de-identified data for Twingate’s product development, product improvement, benchmarking, security, and analytics purposes;
(b) promptly inform Customer if, in its opinion, Customer’s instructions infringe European Data Protection Law, or if Twingate is unable to comply with Customer’s instructions;
(c) notify Customer without undue delay after becoming aware of a Personal Data Breach. Twingate will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach;
(d) assist Customer in complying with data protection impact assessments, and prior consultations with supervisory authorities’ requirements under European Data Protection Law, taking into account the nature of the processing and the information available to Twingate. To the extent authorized under applicable law, Customer shall be responsible for any costs arising from Twingate’s provision of such assistance;
(e) assist Customer in complying with data breach notifications under European Data Protection Law, taking into account the nature of the processing and the information available to Twingate;
(f) taking into account the nature of the processing, assist Customer, upon Customer’s written request, by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligation to respond to Data Subjects’ requests (or, if the Customer is a Processor, to assist the applicable Controller to respond to such requests) to exercise their rights as provided under European Data Protection Law and specified in Section 4.1(d) of this DPA. To the extent authorized by applicable law, Customer shall be responsible for any costs arising from Twingate’s provision of such assistance; and
(g) upon termination of the DPA or upon a request to delete or return Personal Data, delete (including via anonymization) or return all Personal Data, and delete (including by anonymization) existing copies unless applicable law prevents it from returning or destroying all or part of the Personal Data, or requires storage of the Personal Data (in which case Twingate must keep such Personal Data confidential).
5. Data Transfers
5.1. Standard Contractual Clauses. To the extent that Customer undertakes a Restricted Transfer of Personal Data to Twingate, then:
(a) in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes shall be as set out in Section 6.2 of this DPA;
(iv) in Clause 11, the optional language will not apply;
(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by the laws of Ireland;
(vi) in Clause 18(b), disputes shall be resolved before the courts of Ireland;
(vii) Annex I of the EU SCCs shall be deemed completed with the information set out in Annex 1 to this DPA; and
(viii) Annex II of the EU SCCs shall be deemed completed with the information set out in Annex 2 to this DPA; and
(b) in relation to Personal Data that is protected by the UK GDPR or the Swiss DPA, the EU SCCs will apply in the form set out in Section 5.1(a) above with the following modifications:
(ii) references to specific articles of ‘Regulation (EU) 2016/679’ are replaced with the equivalent article or section of the UK GDPR or the Swiss DPA (as applicable);
(iii) references to ‘EU’, ‘Union’ and ‘Member State’ are replaced with ‘United Kingdom’ or ‘Switzerland’ (as applicable);
(iv) Clause 13(a) and Part C of Annex 2 are not used and the ‘competent supervisory authority’ is the United Kingdom Information Commissioner or Swiss Federal Data Protection Information Commissioner (as applicable);
(v) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘United Kingdom Information Commissioner’ and ‘courts of England and Wales’ or the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);
(vi) in Clause 17, the EU SCCs are governed by the laws of England and Wales or Switzerland (as applicable); and
(vii) in Clause 18(b), disputes will be resolved before the competent courts of England and Wales or Switzerland (as applicable).
If and to the extent that it is not possible to rely on the EU SCCs as set out in Section 5.1(a) above as amended pursuant to this Section 5.1(b) for transfers of Personal Data that are protected by the UK GDPR, then the UK SCCs shall instead apply as follows: (1) the UK SCCs shall be governed by and disputes shall be resolved before the courts of England and Wales, and (2) the annexes, appendices or tables of the UK SCCs shall be deemed populated with the relevant information set out in Annexes 1 and 2 to this DPA.
5.2. Application of SCCs. Where the Standard Contractual Clauses apply:
(a) As between the parties, any claims brought under the Standard Contractual Clauses shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability towards any data subject or data protection authority under the Standard Contractual Clauses.
(b) The Customer acknowledges that it shall exercise any right of audit it may have under the Standard Contractual Clauses by exercising its audit rights under Section 8 of this DPA (which shall be deemed to fulfil the Customer’s audit rights under the Standard Contractual Clauses in full).
(c) In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
6.1. Authorization. Customer gives a general authorization to Twingate to engage other Processors (“Subprocessors”) to process Personal Data in accordance with this DPA, including Twingate’s existing Subprocessors which are listed at https://www.twingate.com/privacy/subprocessors (“Subprocessor List”). Twingate will impose data protection terms on Subprocessors to protect the Personal Data to the same standard as provided for by this DPA.
6.2. New Subprocessors.
(a) Twingate may subcontract the processing of any Personal Data to additional third party Subprocessors (each a “New Subprocessor”) by updating the Subprocessor List, provided that Twingate will update the Subprocessor List at least 10 days before authorizing any New Subprocessor to process Personal Data in connection with the provision of the applicable Services. Customer will be notified of updates to the Subprocessor List if Customer subscribes to update notifications by following the relevant instructions on the Subprocessor List webpage.
(b) Within 30 days of Twingate adding a New Subprocessor to the Subprocessor List, Customer may object in writing to Twingate’s appointment of that New Subprocessor on the basis that such addition would cause Customer to violate applicable legal requirements. Customer’s written objection will include Customer’s specific reasons for its objection and any options that may be available to mitigate. If Customer provides such a written objection to Twingate, the parties will cooperate to attempt to find a feasible solution. If a solution is not found and Customer does not withdraw its objection, Twingate will notify Customer in writing within 30 days that either: (i) Twingate will not use the New Subprocessor to process the Personal Data; or (ii) Twingate is unable or unwilling to do so. If the notification in clause (ii) is given, Customer may, within 30 days of such notification, elect to terminate this DPA and the Agreement upon written notice to Twingate.
7.1. Appropriate Security Measures. Twingate will implement appropriate technical and organizational measures to ensure a level of security with respect to the processing of Personal Data that is appropriate to the risk. In assessing the appropriate level of security, Twingate will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Twingate will take steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligations.
8. Data Protection Audit
8.1. Audit Right. Upon prior written request by Customer, Twingate agrees to cooperate and, within a reasonable timeframe, provide Customer with: (a) a summary of the audit reports, if any are available, demonstrating Twingate’s compliance with its obligations under this DPA, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Twingate’s systems, or to the extent that any such vulnerability was detected, that Twingate has remediated such vulnerability.
If the above measures are not sufficient to confirm compliance with European Data Protection law or reveal some material issues, subject to confidentiality obligations, Twingate allows Customer to request an audit of Twingate’s data protection compliance program by Customer or by external independent auditors which are jointly selected by the parties. Any external independent auditor cannot be a competitor of Twingate, and the parties will agree upon the scope, timing, and duration of the audit (which must be conducted during Twingate’s regular business hours and with reasonable advance notice). Twingate will make available to Customer the result of the audit of its data protection compliance program. Customer will reimburse Twingate for all expenses and costs for such audit. The audit right hereunder may be exercised once in a calendar year during the term of this DPA and in addition where it is reasonably suspected that a Personal Data Breach has occurred. However, should the audit reveal any non-conformity, Customer shall be entitled to have its auditor perform follow-up audits to the extent necessary to protect its interests under this DPA.
9. General Terms
9.1. Liability Toward Data Subjects. Each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Customer will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law with regard to processing of Personal Data, and that Twingate will only be liable to Data Subjects for the entire damage resulting from a violation of the obligations of European Data Protection Law directed to Twingate or where it has acted outside of or contrary to Customer’s lawful instructions. Twingate will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
9.2. Applicable Law. The processing of Personal Data under this DPA is governed by the laws of the jurisdiction in which Customer is established.
9.3. Modification. This DPA may only be modified by a written amendment signed by each of the parties.
9.4. Invalidity and Severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
9.5. Term. This DPA continues until the earlier of: (a) the expiry of Customer’s entitlement to use and receive the Services, as set forth in the Agreement, and (b) the termination of the Agreement.
9.6. Liability. In no event shall Twingate’s liability to Customer in connection with any issue arising out of, or in connection with, this DPA exceed Twingate’s limitations on liability set out in the Agreement. Twingate’s limitations on liability as set out in the Agreement shall apply in aggregate across both the Agreement and this DPA, such that a single limitation on liability regime shall apply across both the Agreement and this DPA.
* * *
Annex 1: Description of the processing
This Annex 1 describes the Processing that Twingate will perform on behalf of Customer.
A. LIST OF PARTIES
Contact details: The email address under which any of Customer’s Admin Accounts is registered.
Activities relevant to the data transferred under these clauses: The receipt of the Services provided by Twingate pursuant to the Agreement.
Signature and date: These Standard Contractual Clauses shall be deemed executed by Customer upon execution or acceptance of the Agreement.
Role (controller/processor): The data exporter’s role is set forth in Section 2 of this DPA.
Name: Twingate Inc.
Contact details: Twingate Privacy Team, email@example.com, 541 Jefferson Ave, Suite 100, Redwood City, CA 94063, USA.
Activities relevant to the data transferred under these clauses: The provision of the Services by Twingate pursuant to the Agreement. In general, Twingate provides services that are designed to enable Customer to manage, secure, and monitor access to systems, networks, devices, files, and other assets operated and made available by Customer.
Signature and date: These Standard Contractual Clauses shall be deemed executed by Twingate upon execution or acceptance of the Agreement.
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred: Customer may submit personal data to the Services, the extent of which is determined and controlled by Customer and may include, without limitation, personal data relating to the following categories of data subjects:
- Employees, agents, advisors, contractors of Customer (and applicable Controllers, if Customer is a Processor) who are natural persons;
- Employees or contact persons of Customer’s (and applicable Controllers’, if Customer is a Processor) business partners and vendors;
- Customer’s end users who are authorized by Customer to use the Services.
Categories of personal data transferred: Customer may submit personal data to the Services, the extent of which is determined and controlled by the Customer and may include, without limitation, the following categories of personal data: name, email address, professional life data, and localization data.
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures: None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous throughout the duration of the Agreement.
Nature of the processing: The provision of the Services by Twingate to Customer pursuant to the Agreement.
Purpose(s) of the data transfer and further processing: Customer will transfer personal data to Twingate for Twingate to provide the Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: Twingate will process personal data for the duration of the Agreement, unless otherwise agreed upon in writing.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: As described above and in the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the Standard Contractual Clauses): The competent supervisory authority shall be determined in accordance with Clause 13 of the Standard Contractual Clauses.
* * *
Annex 2: Technical and Organizational Measures
Description of the technical and organizational measures implemented by the Processor(s)/data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
Twingate’s technical and organizational security measures are described at https://docs.twingate.com/docs/twingate-security and shall be deemed incorporated into these Standard Contractual Clauses. Twingate shall not modify these measures in a way that may adversely reduce the security of personal data it processes.
For transfers to Subprocessors, also describe the specific technical and organizational measures to be taken by the Subprocessor to be able to provide assistance to the controller (and, for transfers from a Processor to a Subprocessor, to the data exporter).
When Twingate engages a subprocessor pursuant to this DPA, Twingate and the subprocessor enter into an agreement with data protection obligations substantially similar to those contained in this DPA. Each subprocessor agreement must ensure that Twingate is able to meet its obligations to Customer. In addition to implementing technical and organizational measures to protect personal data, subprocessors must: (a) notify Twingate in the event of a Personal Data Breach so Twingate may notify Customer; (b) delete personal data when instructed by Twingate in accordance with Customer’s instructions to Twingate; (c) not engage additional subprocessors without Twingate’s authorization; and (d) not process personal data in a manner which conflicts with Customer’s instructions to Twingate.
* * *