Applicability and scope
This DPA applies only to the extent that we process, on your behalf, Customer Data to which Applicable Data Protection Legislation applies. Applicable Data Protection Legislation is:
We undertake to comply with Data Protection Legislation in our provision of Products and Services to you.
You undertake to ensure that your instructions comply with Applicable Data Protection Legislation. You acknowledge that we are neither responsible for determining which laws are applicable to you nor whether our Products and Services meet or will meet the requirements of such laws. You undertake to ensure that our processing of Customer Data, when done in accordance with your instructions, will not cause us to violate any applicable law, including Applicable Data Protection Legislation. We undertake to inform you if we become aware, or reasonably believe, that your instructions violate applicable law, including Applicable Data Protection Legislation.
Processing customer data
You appoint us as a processor to process Customer Data on your behalf, and in accordance with your instructions (a) as set forth in your Customer Agreement, this DPA, and as otherwise necessary to provide the Services to Customer (which may include investigating security incidents, and detecting and preventing exploits or abuse); (b) as necessary to comply with applicable law, including Applicable Data Protection Legislation; and (c) as otherwise agreed in writing between the parties (“Permitted Purposes”).
You undertake to ensure that: a) all notices have been given, and all such authorizations have been obtained, as required under Applicable Data Protection Legislation, for us (and any sub-processors) to process Customer Data as contemplated by our Customer Agreement and this DPA; b) you have complied, and will continue to comply, with all applicable laws relating to privacy and data protection, including Applicable Data Protection Legislation; and c) you have, and will continue to have, the right to transfer, or provide access to, Customer Data to us for processing in accordance with the terms of your Customer Agreement and this DPA.
Where the Customer is based in the EEA or Switzerland they will be appointed as the representative of Family Zone for the purposes of acting as a point of contact for supervisory authorities and data subjects, on all issues related to processing for the purposes of complying with Data Protection Laws. Any queries, requests or complaints addressed to the Customer in their capacity as a representative must be notified and forwarded to Family Zone without undue delay, and in any event within 48 hours. Family Zone will remain liable for any instances of non-compliance with Data Protection Law.
Where the Customer, acting as a representative, fails to notify and forward a query, request or complaint to Family Zone, in line with this agreement, the Customer shall indemnify, hold harmless, and defend Family Zone against any and all claims, costs, and expenses (including without limitation lawyer’s fees) relating to or arising out of the Customer’s failure to comply with its obligations.
A “sub-processor” means (a) any third-party data processor engaged by us to assist us to fulfill our obligations under your Customer Agreement and which processes Customer Data. Sub-processors may include third parties or our affiliates.
You agree that (a) we may engage sub-processors (as listed on our website) which may change from time to time; and (b) such sub-processors respectively may engage third party processors to process Customer Data on our behalf.
You provide a general authorization for us to engage onward sub-processors subject to these conditions: a) we will restrict the onward sub-processor’s access to Customer Data only to what is strictly necessary to provide the Services, and we will prohibit the sub-processor from processing the Customer Data for any other purpose; b) we agree to impose contractual data protection obligations, including appropriate technical and organizational measures to protect Customer Data, on any sub-processor we appoint that require such sub-processor to protect Customer Data to the standard required by Applicable Data Protection Legislation; and c) we will remain liable and accountable for any breach of this DPA that is caused by an act or omission of its sub-processors.
We may, by giving reasonable notice to you, add or remove sub-processors. Where we do so we undertake to update the schedule of processors (as listed on our website) at least 10 days prior to any change. If you object on reasonable grounds (in our opinion) to such a change then we agree to work with you on a good faith basis to find an alternative solution. In the event that the parties are unable to find such a solution, you may terminate the Agreement at no additional cost.
Audits and assistance
We shall, to the extent required by Applicable Data Protection Legislation, provide you with reasonable assistance (at your cost) with data protection impact assessments or prior consultations with data protection authorities that you are required to carry out under such legislation.
We acknowledge that, because we act as a data processor on your behalf, you must be able to assess our compliance with our obligations under Applicable Data Protection Legislation and this DPA. We agree to make available to you all information reasonably necessary to demonstrate compliance with this DPA required by Applicable Data Protection Legislation.
We agree to permit you (or your appointed third party auditors) to carry out an audit at your cost (including without limitation our costs) following a security breach suffered by us, or upon the instruction of a data protection authority acting pursuant to Applicable Data Protection Legislation. You agree to provide us with reasonable prior notice of such a requirement, conduct an audit during normal business hours, and take all reasonable measures to prevent unnecessary disruption to our operations. Any such audit shall be subject to our security and confidentiality terms and guidelines and may only be performed a maximum of once annually. If we decline to follow any reasonable instruction from you regarding such an audit, then you are entitled to terminate your Customer Agreement.
In the event that either party receives (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Legislation or (b) any Third Party Request relating to the processing of Account Data or Customer Data conducted by the other party, such party will promptly inform the other party in writing. The parties agree to cooperate, in good faith, as necessary to respond to any Third Party Request and fulfill their respective obligations under Applicable Data Protection Legislation.
You acknowledge that we and our sub-processors may transfer and process your Customer Data outside of your jurisdiction, including in the United States of America. We undertake to ensure that such transfers are made in compliance with Applicable Data Protection Legislation and this DPA.
Applicable Data Protection Legislation may impose restrictions on or require Standard Contractual Clauses (“SCCs”) with respect to transborder data transfers. Where SCCs apply (as amended or superseded) these are incorporated into this DPA and your Customer Agreement. The parties acknowledge that to the extent the SCCs conflict with any provision of your Customer Agreement (including this DPA) then the SCCs prevail to the extent of the conflict.
We have in place and maintain appropriate measures designed to protect your Customer Data. We undertake to ensure these measures comply with applicable law. We undertake to ensure our employees and contractors are appropriately trained in security and privacy and are subject to a duty of confidentiality.
Should we become aware of a security breach we undertake to comply with local laws and notify you without undue delay and provide you such information as you may reasonably require, including to enable you to fulfil your reporting obligations under Applicable Data Protection Legislation. You acknowledge that notification of or response to a security breach is not an acknowledgement by us of any fault or liability.
You are solely responsible for use of our Products and Services, including (a) ensuring your End-Users are properly trained in security and data protection.
End of contract