Upcoming Data Processing Addendum
Trackado’s updated Data Processing Addendum will be effective as of January 15, 2025.
Last Updated: January 15, 2025
This Data Processing Addendum (“DPA”) governs the rights and obligations arising when a company within the Trackado group of companies (“Trackado”, the “Supplier”, the “Processor”) provides a Software-as-a-Service or an ancillary service to the entity that has entered into a legally binding agreement (“Customer”, the “Controller”) for Trackado’s Software-as-a-Services (the “Agreement”), which involves the processing of Controller’s personal data on behalf of Controller. This DPA, the Agreement and any appendices constitute the Parties’ Agreement. This DPA applies to Agreements from January 15, 2025.
Preamble
1. Scope, duration and specification of contract processing of personal data
This DPA shall form an integral part of the Agreement and applies to all Processing activities performed by the Processor or any third party acting on behalf of the Processor (a “Sub-processor”). This DPA replaces any existing data processing agreement between the Parties. In case of any inconsistencies, this DPA will take precedence over the provisions of the Agreement. Upon the Controller’s written request, the Processor will provide the Controller with a signed version of this DPA.
Specifically, Contract Processing shall include, but not be limited to, the following Data:
Type of data | Purpose (subject matter) of Contract Processing | Categories of data subjects affected |
---|---|---|
Contact Data: Data that helps to identify and contact a data subject (e.g. name, email, phone number, company address). | Providing a contract management Software-as-a-Service solution.<br>Support to users | Customer<br>Customers’ employees, consultants, agents, etc.<br>Customer’s business partners, customers, suppliers (i.e. the content of the documents) |
Except where this DPA stipulates obligations beyond the term of the Agreement, the term of this DPA shall be the term of the Agreement.
2. Scope of application and responsibilities
- Supplier shall process Data on behalf of Customer. Such Contract Processing shall include all activities detailed in the Agreement. Within the scope of this DPA, Customer shall be solely responsible for compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Data to Supplier and the lawfulness of having Data processed on behalf of Customer. Customer shall be the »controller« in accordance with Article 4 no. 7 of the GDPR.
3. Supplier’s obligations
- Except where expressly permitted by Article 28 (3)(a) of the GDPR, Supplier shall process data subjects’ Data only within the scope of the Agreement and the Customer’s written instructions. Personal Data shall not in any way be processed for any other purposes. Where Supplier believes that an instruction would be in breach of applicable law, Supplier shall notify Customer of such belief without undue delay. The Customer understands that the Supplier is not required to provide legal advice regarding the Customer’s responsibilities. The Supplier shall be entitled to suspend performance on such instruction until Customer confirms or modifies such instruction.
- Supplier shall, within Supplier’s scope of responsibility, organize Supplier’s internal organization so it satisfies the specific requirements of data protection. Supplier shall implement technical and organizational measures to ensure the adequate protection of Customer’s Data, which measures shall fulfil the requirements of the GDPR and specifically its Article 32. Supplier shall implement technical and organizational measures and safeguards that ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services.
- Supplier shall ensure that its Affiliates and Sub-processors undertake sufficient and adequate organizational and technical safeguards to ensure adequate protection of the Customer’s Data in accordance with Data Privacy Laws and within this DPA.
- Supplier shall support Customer in fulfilling data subjects’ requests and claims, as detailed in chapter III of the GDPR and in fulfilling the obligations enumerated in Articles 33 to 36 of the GDPR. Supplier may charge additional fees for such support.
- The Supplier shall support the Customer in its contacts with supervisory authorities. The Supplier is not to disclose Personal Data or any information regarding the Processing of Personal Data when responding to such requests or inquiries in accordance with Data Protection Laws.
- Supplier shall notify Customer, without undue delay, if Supplier becomes aware of breaches of the protection of personal data within Supplier’s scope of responsibility.
- Supplier shall correct or erase Data if so instructed by Customer and where covered by the scope of the instructions permissible. Supplier may charge additional fees for such support.
- Where a data subject asserts any claims against Customer in accordance with Article 82 of the GDPR, Supplier shall support Customer in defending against such claims, where possible. Supplier may charge additional fees for such support.
- Supplier shall notify the Customer prior to engaging a new Sub-processor and give the Customer a possibility to object to such engagement. The Supplier shall also enter into Sub-process Agreements and equate the initial obligations under the DPA onto the Sub-processors.
- The Supplier shall provide the Controller and its independent auditors with necessary access to information and premises to verify compliance with the DPA, limited to once a year, unless a material breach is reasonably suspected. The Controller must provide at least 30 days’ notice unless otherwise required by law. Each party bears its own audit costs, with the Controller covering third-party costs. If no material breach is found, the Controller covers all audit costs. The Supplier may review and comment on the audit report before finalization and must promptly address any identified non-compliance.
4. Customer’s obligations
- Customer shall notify Supplier, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Customer in the results of Supplier’s work.
- The Customer is responsible for ensuring that the Processing is compliant with the GDPR (see article 34 GDPR), the applicable Data Protection Laws as well as this DPA. The Customer is responsible for ensuring that the Processing which the Supplier is instructed to conduct has a valid purpose and a valid legal basis.
- The Customer has the right and is obligated to make the decisions regarding the purposes and means of the processing of Personal Data.
- Section 3 para. 8 above shall apply, mutatis mutandis, to claims asserted by data subjects against Supplier in accordance with Article 82 of the GDPR.
- Customer shall notify the Supplier of the point of contact for any issues related to data protection arising out of or in connection with the Agreement.
5. Enquiries by data subjects
- Where a data subject asserts claims for rectification, erasure or access against Supplier, and where Supplier is able to correlate the data subject to Customer, based on the information provided by the data subject, Supplier shall refer such data subject to Customer. Supplier shall forward the data subject’s claim to Customer without undue delay. Supplier shall support Customer, where possible, and based upon Customer’s instruction insofar as agreed upon. Supplier shall not be liable in cases where Customer fails to respond to the data subject’s request in total, correctly, or in a timely manner, provided that it was not due to any action or inaction by the Supplier.
6. Sub-Processors
- Use of Sub-Processors. The Supplier may engage Sub-Processors for the Processing of Personal Data. The Supplier is responsible for ensuring that all Processing of Personal Data performed by a Sub-Processor is governed by a written agreement with the Sub-Processor that corresponds to the requirements of this Data Processor Agreement. The Supplier is fully liable for the performance of any Sub-Processor’s Processing of Personal Data.
- Change of Sub-Processor. The Supplier has the right to change a Sub-Processor or engage other appropriate and reliable Sub-Processors, provided that the rules in this Section are applied. Before engaging a new Sub-Processor, the Supplier shall notify the Controller in writing of the new Sub-Processor, and upon receipt of the notice, the Controller has a right to object to the new Sub-Processor in writing within ten (10) days from receipt of the Supplier’s notice. Such objections shall not be deemed valid unless the Controller can prove a reasonable cause.
- Resolution of objections. If the Controller has objected to a Sub-Processor, the Parties shall discuss various activities to resolve the reason for the Controller’s objection together. If the Parties cannot agree on any solution within a reasonable period of time, which shall not exceed thirty (30) days, the Controller may terminate the agreement by notifying the Supplier in writing. During the termination period, the Supplier is not allowed to transfer any Personal Data to the Sub-Processor.
- List of Sub-Processors. Upon the Controller’s acceptance of this DPA, the Controller has pre-approved the existing sub-processors as listed below in section (5). During the term of the Agreement, the Supplier shall maintain an updated list of all Sub-Processors who process Personal Data in connection with the Agreement and shall send a copy of the list to the Controller upon the Controller’s request.
- Supplier will conduct the performance agreed upon, or the parts of the performance identified below, using the subcontractors enumerated below:
Name and address of the subcontractor | Description of the affected parts of the performance | Data Location and basis for data transfer in accordance with paragraph 7. |
---|---|---|
Emit Knowledge, Bulevar Jane Sandanski, 76-19 Skopje – Aerodrom, North Macedonia | Software application operation, maintenance and support. | North Macedonia<br>EU Standard Contractual Clauses |
Intercom R&D Unlimited Customer, 18-21 St. Stephen’s Green, Dublin 2, Ireland | Customer support and messaging | USA<br>Certification under the EU-US Data Privacy Framework, the Swiss-US Data Privacy Framework and the UK-US Data Privacy Framework (together, the “DPF”) operated by the U.S. Department of Commerce. To the extent that the DPF is invalidated or ceases to be an appropriate safeguard under Article 46 GDPR for transfers to the United States, then, such transfer shall be subject to the appropriate Standard Contractual Clauses.<br>More details can be found in Intercom’s Data Processing Addendum. |
Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Hosting / Cloud services | EU |
SignRequest B.V., Singel 542, 1017AZ Amsterdam, The Netherlands | E-Signing services | EU |
Twilio Ireland Limited, 25-28 North Wall Quay, Dublin 1, Ireland (EEA headquarters). | Email sending and processing (via their product “Sendgrid”), Text messaging for two-factor-authentication | USA<br>The Data Privacy Framework (Twilio Inc. is self-certified under the Data Privacy Framework), Twilio BCRs, the EU Standard Contractual Clauses, the UK International Data Transfer Agreement and, if neither of the above is applicable, then other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.<br>More details can be found in Twilio’s Data Processing Addendum. |
- Where Supplier commissions subcontractors, Supplier shall be responsible for ensuring that Supplier’s obligations on data protection resulting from the Agreement and this DPA are valid and binding upon subcontractor.
7. International Data Transfers outside of the EU/EEA
- In the event that the Supplier transfers Personal Data to a country outside the EU/EEA without an adequacy decision, the Supplier shall execute a supplementary agreement incorporating the current Standard Contractual Clauses (SCC) from the European Commission, provided the SCC remains a valid transfer mechanism. Upon the Customer’s request, the Supplier will provide a signed copy of the SCC agreement. Should there be any conflict between this DPA and the SCC, the provisions of the SCC shall take precedence.
- In response to Government Access Requests, the Supplier shall comply with the new SCCs, thoroughly assess any legal implications, and implement appropriate data minimization measures along with additional safeguards.
- Both Parties agree to remain vigilant regarding regulatory updates and judicial decisions, and, if required, make necessary adjustments to the Processing of Personal Data and this DPA to ensure compliance with legal data transfer requirements to third countries.
- If the Supplier receives a legally binding request from a public authority via its Sub-processors for disclosure of Personal Data under the SCCs, it shall forward such requests to the Customer. The Supplier and its Sub-processors must, wherever possible, challenge any requests that do not have legally binding authority and avoid granting access to the Customer’s data. Furthermore, the Supplier shall share as much relevant information as possible regarding the requests it receives from Sub-processors with the Customer.
8. Obligations to inform, mandatory written form, choice of law
- Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Supplier’s control, Supplier shall notify Customer of such action without undue delay. Supplier shall, without undue delay, notify all pertinent parties in such action, that any data affected thereby is in Customer’s sole property and area of responsibility, that data is at Customer’s sole disposition, and that Customer is the responsible body in the sense of the GDPR.
- In case of any conflict, the data protection regulations of this DPA shall take precedence over the regulations of the Agreement. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other regulations of this DPA shall not be affected.
- This DPA is subject to the laws of Sweden.
9. Liability and damages
- Any claims, costs, fines or similar imposed upon either party for breaches of statutory laws or regulations are exempt from the limitation of liability above and shall be apportioned according to each party’s responsibility, as decided by judgment or settlement.
10. Security
- The Supplier shall implement appropriate technical and organizational security measures in order to protect Personal Data according to Data Protection Laws. Supplier shall also observe industry best practices, code of conduct, and guidelines issued or approved by supervisory authorities where necessary.
- The Supplier shall notify the Customer without undue delay upon awareness of any accidental or unlawful alteration, destruction, loss, unauthorized disclosure of, or access to, the Customer’s Personal Data.
- The Supplier is responsible for ensuring that Supplier’s and Sub-processors’ personnel who process the Customer’s Personal Data shall maintain secrecy, receive suitable training and are bound by Non-Disclosure Agreements. Confidentiality shall remain in force after this DPA has otherwise ceased.
- The Supplier is responsible for ensuring that only personnel (Supplier and Sub-processor) who need the Personal Data to fulfil the Supplier’s commitment to the Customer under the Agreement, shall have access to the Personal Data.