Data Processing Addendum
Last updated: September 1, 2020
This Data Processing Addendum (“DPA”) forms a part of the Customer Agreement or if you (“Customer”) have entered into a separate agreement with Twingate Inc. (“Twingate”), then it forms a part of such written agreement, if incorporated by reference in such agreement (in either case, the “Agreement”).
By executing an Agreement that explicitly states that this DPA is incorporated by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Applicable Data Protection Laws, in the name and on behalf of any of its affiliates who are authorized to use the Services.
If you are entering into this DPA on behalf of a company or other legal entity, you represent and warrant that you have the authority to bind that legal entity to this DPA. In that case, “Customer” will refer to that company or other legal entity.
This DPA regulates the Processing of Personal Data subject to European Data Protection Law for the Purposes (as defined in Appendix 1) by the parties in the context of the Services. Capitalized terms not otherwise defined in this DPA have the meanings given to them in the Agreement.
In this DPA:
“Controller” has the meaning given to that term under the GDPR.
“Data Subject” means a “data subject” (as that term is defined under the GDPR) whose whose Personal Data is processed in the context of this DPA.
“European Data Protection Law” means the EU General Data Protection Regulation 2016/679 (“GDPR”), the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementing legislations; the Swiss Federal Data Protection Act, and the Data Protection Acts of the countries in Europe (all as amended and replaced from time to time).
“Europe” means the European Economic Area (“EEA”), Switzerland, and the United Kingdom.
“Personal Data” means the “personal data” (as that term is defined under the GPDR) which is Processed by Processor from or on behalf of the Customer in connection with the Agreement.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Processor” has the meaning given to that term under the GDPR.
“Processing” and “process” have the meanings given to those terms under the GDPR.
“Subprocessor” means the entity engaged by Processor or any further sub-contractor to Process Personal Data on behalf of and under the instructions of Controller.
2. Roles of the Parties.
For the purposes of this DPA, the parties acknowledge and confirm that Customer is a Controller and Twingate is a Processor for the Processing of Personal Data for the Purposes (as defined in Appendix 1) in the context of the Services.
3. Obligations of Controller.
Controller confirms and warrants that, in relation to the Processing of Personal Data for the Purposes in the context of the Services, it acts as a Controller and that: (a) it complies with European Data Protection Law when Processing Personal Data, and only gives lawful instructions to Processor; (b) Data Subjects have been informed of the uses of Personal Data as required by European Data Protection Law; (c) it relies on a valid legal basis for the processing of Personal Data under European Data Protection Law including, if required, obtaining consent from Data Subjects; (d) it complies with Data Subject requests to exercise their rights of access, rectification, erasure, data portability, restriction of Processing, and objection to the Processing; (e) it complies with data accuracy, proportionality and data retention principles; (f) it implements appropriate technical and organizational measures to ensure, and to be able to demonstrate, that the Processing of Personal Data is performed in accordance with European Data Protection Law; and (g) it will cooperate with Processor to fulfill their respective data protection compliance obligations in accordance with European Data Protection Law.
4. Obligations of Processor.
Processor will comply with European Data Protection Law when Processing Personal Data for the Purposes in connection with the Services. Processor will:
(a) only Processes Personal Data on behalf of Controller in accordance with Controller’s lawful written instructions and not for any other purposes than those specified in Appendix 1 or as otherwise agreed by both parties in writing. For the avoidance of doubt, Controller authorizes Processor to de-identify Personal Data and use such de-identified data for Processor’s product development, product improvement, benchmarking, security, and analytics purposes;
(b) promptly inform Controller if, in its opinion, Controller’s instructions infringe European Data Protection Law, or if Processor is unable to comply with Controller’s instructions;
(c) notify Controller without undue delay after becoming aware of a Personal Data Breach. Processor will take reasonable steps to mitigate the effects and to minimize any damage resulting from the Personal Data Breach;
(d) assist Controller in complying with data security, data breach notifications, data protection impact assessments, and prior consultations with supervisory authorities’ requirements under European Data Protection Law, taking into account the nature of the Processing and the information available to Processor. To the extent authorized under applicable law, Controller shall be responsible for any costs arising from Processor's provision of such assistance;
(e) taking into account the nature of the Processing, assist Controller, upon Controller’s written request, by appropriate technical and organizational measures, insofar as this is possible, to fulfill Controller’s obligation to respond to Data Subjects’ requests to exercise their rights as provided under European Data Protection Law and specified in Section 4(d). To the extent authorized by applicable law, Controller shall be responsible for any costs arising from Processor's provision of such assistance; and
(f) upon termination of the DPA or upon a request to delete or return Personal Data, delete or anonymize all Personal Data, and delete or anonymize existing copies unless applicable law prevents it from returning or destroying all or part of the Personal Data or requires storage of the Personal Data (in which case Processor must keep such Personal Data confidential).
5. Data Transfers.
Controller acknowledges and agrees that Personal Data may be exported through or to other jurisdictions (inside and outside of the EEA) to Processor’s global team in order to help provide the Services, provide technical and customer support, account management, billing and other ancillary functions. Processor will not transfer Personal Data (nor permit Processing in or from) a country outside of Europe unless it takes such measures as are necessary to ensure the transfer is in compliance with applicable Data Protection Laws, including, for example but without limitation, by use of the EU standard contractual clauses for controller to processor transfers.
If Processor or a Processor affiliate will Process Personal Data in a country outside of Europe then, for any such transfers of Personal Data, if no other measure recognized by GDPR for permitting such transfers is available (such as, without limitation, transfer to a recipient in a country that the European Commission has decided provides adequate protection for Personal Data, or transfer to a recipient that has achieved binding corporate rules authorization in accordance with applicable European Data Protection Law), the parties agree that, in relation only to the Personal Data that is the subject of any such transfers where no other measure is available ("SCC Data"), the European Commission’s 2010 standard contractual clauses for controller to processor transfers (as may be amended or superseded from time to time) ("SCCs") shall be incorporated into this DPA by reference on the following basis:
(a) references to the "data exporter" in the SCCs shall mean Controller;
(b) references to the "data importer" in the SCCs shall mean Processor and/or the relevant Processor affiliate;
(c) the governing law specified in Clause 9 of the SCCs shall be the law of the country in which the Controller is established;
(d) Appendix 1 to the SCCs shall be deemed completed with the information that is provided in Appendix 1 to this DPA in relation to the SCC Data; and
(e) Appendix 2 to the SCCs shall be deemed completed with the information that is provided in Appendix 2 to this DPA.
Controller gives a general authorization to Processor to engage Processor’s existing subprocessors which are listed at https://www.twingate.com/privacy/subprocessors (“Subprocessor List”). Processor may subcontract the processing of any Personal Data to any additional third party subprocessors (each a “New Subprocessor”) by updating the Subprocessor List. Controller may object in writing to Processor’s appointment of a New Subprocessor (on reasonable grounds relating to the protection of Personal Data) within 30 days of Processor adding that New Subprocessor to the Subprocessor List. If Controller provides such a written objection to Processor, Processor will notify Controller in writing within 30 days that either: (a) Processor will not use the New Subprocessor to process the Personal Data; or (b) Processor is unable or unwilling to do so. If the notification in paragraph (b) is given, Controller may, within 30 days of such notification, elect to terminate this DPA and the Agreement upon written notice to Processor. Such termination will not entitle Processor to a pro rata refund of any prepaid fees.
Processor will impose data protection terms on New Subprocessors to protect the Personal Data to the same standard as provided for by this DPA and Processor will be responsible for any breach of this DPA that is caused by any such subprocessor.
7. Security of Processing & Confidentiality.
Processor will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. In assessing the appropriate level of security, Processor will take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects and the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed. Processor will take steps to ensure that any person acting under its authority who has access to Personal Data is bound by enforceable contractual or statutory confidentiality obligations.
8. Data Protection Audit.
Upon prior written request by Controller, Processor agrees to cooperate and, within a reasonable timeframe, provide Controller with: (a) a summary of the audit reports, if any are available, demonstrating Processor’s compliance with its obligations under this DPA, after redacting any confidential and commercially sensitive information; and (b) confirmation that the audit has not revealed any material vulnerability in Processor’s systems, or to the extent that any such vulnerability was detected, that Processor has fully remediated such vulnerability. If the above measures are not sufficient to confirm compliance with European Data Protection law or reveal some material issues, subject to the strictest confidentiality obligations, Processor allows Controller to request an audit of Processor’s data protection compliance program by external independent auditors, which are jointly selected by the parties. The external independent auditor cannot be a competitor of Processor, and the parties will mutually agree upon the scope, timing, and duration of the audit (which must be conducted during Processor’s regular business hours and with reasonable advance notice). Processor will make available to Controller the result of the audit of its data protection compliance program. Controller will reimburse Processor for all expenses and costs for such audit. The audit right hereunder may be exercised once in a calendar year during the term of this DPA and in addition where it is reasonably suspected that a Personal Data Breach has occurred. However, should the audit reveal any non-conformity, Controller shall be entitled to have its auditor perform follow-up audits to the extent necessary to protect its interests under this DPA.
9. Liability Towards Data Subjects.
Each party agrees that it will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law. If one party paid full compensation for the damage suffered, it is entitled to claim back from the other party that part of the compensation corresponding to the other party’s part of responsibility for the damage. For that purpose, both parties agree that Controller will be liable to Data Subjects for the entire damage resulting from a violation of European Data Protection Law with regard to Processing of Personal Data for which it is a Controller, and that Processor will only be liable to Data Subjects for the entire damage resulting from a violation of the obligations of European Data Protection Law directed to Processor or where it has acted outside of or contrary to Controller’s lawful instructions. Processor will be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
10. Applicable Law.
The Processing of Personal Data under this DPA is governed by the laws of the jurisdiction in which Controller is established.
This DPA may only be modified by a written amendment signed by each of the parties.
12. Invalidity and Severability.
If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, the invalidity or unenforceability of such provision shall not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
This DPA continues until the earlier of: (a) the expiry of Controller’s entitlement to use and receive the Services, as set forth in the Agreement, and (b) the termination of the Agreement.
In no event shall Processor’s liability to Controller in connection with any issue arising out of, or in connection with, this DPA exceed Processor’s limitations on liability set out in the Agreement. Processor’s limitations on liability as set out in the Agreement shall apply in aggregate across both the Agreement and this DPA, such that a single limitation on liability regime shall apply across both the Agreement and this DPA.
* * *
Appendix 1: Description of the processing
This Appendix 1 describes the Processing that Processor will perform on behalf of Controller.
Subject matter, nature and purpose of the processing operations
The Personal Data will be subject to the following basic processing activities (please specify):
Processor will process personal data as necessary to: (a) perform the Services described under the Agreement, in accordance with the Agreement, and (b) provide account management and customer technical support services.
Processor provides Services under the Agreement that are designed to manage, secure, and monitor access to systems, networks, devices, files, and other data operated and made available by Controller. The content of any information held or transmitted by these systems, networks, devices, files, and other data is determined solely by Controller and not Processor.
Duration of the processing operations
The duration of the processing is (please specify):
Processor will process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
The personal data concern the following categories of data subjects (please specify):
Controller may submit personal data to the Services, the extent of which is determined and controlled by Controller and may include, without limitation, personal data relating to the following categories of data subjects:
- Employees, agents, advisors, contractors of Controller who are natural persons
- Employees or contact persons of Controller’s business partners and vendors
- Controller’s end users who are authorized by Controller to use the Services
Categories of data
The personal data concern the following categories of data (please specify):
Controller may submit personal data to the Services, the extent of which is determined and controlled by the Controller and may include, without limitation, the following categories of personal data: name, email address, professional life data, and localization data.
Special categories of data (if appropriate)
The personal data concern the following special categories of data (please specify):
* * *
Appendix 2: Technical and Organizational Measures
Refer to the security measures described at https://docs.twingate.com/docs/twingate-security.