This Data Processing Addendum (“DPA”) is incorporated into the Master Services Agreement (“Agreement”) between Customer and Swivl. All defined terms in the Agreement are incorporated by reference. This DPA reflects the parties’ agreement with respect to the Processing of Personal Data (as defined below) in connection with the requirements of Data Protection Laws. This DPA will control with respect to the subject matter herein in the event of any conflict with the Agreement. This DPA includes the Standard Contractual Clauses, attached hereto as EXHIBIT 1.
In addition to the definitions in the Agreement and set forth in other sections of this DPA:
Customer controls the categories of Data Subjects and Personal Data Processed under this Agreement. Swivl has no knowledge of, or control over, the Personal Data that Customer provides for Processing. Customer is solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which it acquired the Customer Data. Customer is solely responsible to ensure that its submission of Personal Data to Swivl and instructions for the Processing of Personal Data will comply with Data Protection Laws. Swivl will inform Customer without delay if, in Swivl’ opinion, Customer’s instructions violate Data Protection Laws.
Swivl will Process Personal Data on behalf of and in accordance with Customer’s document instructions (i) in accordance with the Agreement (including all documents incorporated into the Agreement) and (ii) to comply with Customer’s other reasonable instructions (including those received via email) to the extent those instructions are consistent with the Agreement. Swivl will not otherwise disclose Personal Data to third parties unless required to do so by applicable law, in which case Swivl will inform Customer in advance unless it is prohibited from doing so. Swivl will not Process Personal Data for any other purpose unless Customer instructs it to do so.
Swivl will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to access, correct, amend, or delete that person’s Personal Data or if the Data Subject objects to the Processing thereof (“Data Subject Request”). Swivl will not respond to a Data Subject Request without Customer’s prior written consent, except to confirm that the request relates to Customer. To the extent Customer does not have the ability to address a Data Subject Request, Swivl shall upon Customer’s request provide commercially reasonable assistance to facilitate such Data Subject Request to the extent Swivl is legally permitted to do so and provided that such Data Subject Request is exercised in accordance with Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Swivl’ providing such assistance.
With effect from May 25, 2018, the following language shall replace the foregoing. Data Subject Requests. Swivl shall, to the extent legally permitted, promptly notify Customer if Swivl receives a request from a data Subject to exercise the Data Subject’s right of access, right of rectification, restriction of Processing, right of erasure (“right to be forgotten”) data portability, objection to Processing, or its right not to be Subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Swivl shall assist Customer by appropriate technical and organization measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer does not have the ability to address a Data Subject Request, Swivl shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Requests, to the extent Swivl is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws. To the extent legally permitted, Customer shall be responsible for any costs arising from Swivl’ providing such assistance.
Swivl shall ensure its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements that will survive the termination of their relationship with Swivl. Swivl shall ensure that access to Personal Data is limited to those personnel who require access to perform services or Process Personal Data in accordance with the Agreement. Customer expressly authorizes Swivl to use Sub-processors to perform specific services on Swivl’ behalf to enable it to perform its obligations under the Agreement. Swivl has entered into written agreements with its Sub-processors that contain obligations substantially similar to Swivl’ obligations under this DPA. Swivl will notify Customer of changes to its Sub-processors upon written request.
Swivl shall maintain appropriate technical and organizational safeguards to protect the confidentiality, integrity, and security of Customer Data, including protection from unauthorized or unlawful Processing, accidental or unlawful destruction, unauthorized disclosure or aces, accidental loss or alteration, or damage. Swivl shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized access, or unauthorized disclosure of Customer Data, including Personal Data, transmitted, stored, or otherwise Processed by Swivl or its Sub-processor of which Swivl becomes aware (“Customer Data Incident”). Swivl shall make reasonable efforts to identify the cause of such Customer Data Incidents and take steps it deems necessary and reasonable to remediate the cause of such incidents to the extent dong so is within Swivl’ control. These obligations do not apply to incidents that are caused by Customer, its affiliates, or users.
When the General Data Protection Regulation (“GDPR”) becomes effective on May 25, 2018, Swivl will Process Personal Data in accordance with the GDPR’s requirements that are directly applicable to the Services Swivl provides. With effect from May 25, 2018, upon Customer’s request, Swivl shall provide Customer with reasonable cooperation and assistance needed for Customer to fulfill its obligation under the GDPR to conduct a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not have access to certain relevant information and such information is available to Swivl. To the extent required by the GDPR, in connection with the tasks in this section, Swivl will provide reasonable assistance to Customer in cooperation, or prior to consultation, with any Supervisory Authority.
These Standard Contractual Clauses (“Clauses”) are entered into by and between the Customer and Swivl as an attachment to the Master Services Agreement (“Agreement”) governing Customer’s purchase of and access to Services. All capitalized words that are not defined in these Clauses have the meaning set forth in the Agreement.
For the purposes of the Clauses:
The details of the transfer and in particular the special categories of Personal Data where applicable are specified in Appendix 1 which forms an integral part of the Clauses.
Customer, as the Data Exporter, agrees and warrants:
Swivl, as the Data Importer, agrees and warrants:
The Clauses shall be governed by the law of the Member State in which the Customer is located.
The Parties undertake not to vary or modify the Clauses. This does not preclude the Parties from adding Clauses on business related issues where required as long as they do not contradict the Clauses.
This Appendix forms part of the Standard Contractual Clauses and must be completed and signed by the Parties. Submission of an Order shall be considered signature by Customer, and invoicing for such Order shall be considered signature by Swivl.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix
Description of the Technical and Organizational Security Measures implemented by Swivl in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
A. Data exporter
The data exporter is the Customer, as defined in the Master Services Agreement.
B. Data importer
The data importer is Swivl, Inc.
C. Data subjects
The personal data transferred concern the Data Exporter’s end users including employees, contractors and the personnel of customers, suppliers, collaborators, and subcontractors. Data Subjects also includes individuals attempting to communicate with or transfer personal information to the Data Exporter’s end users.
D. Categories of data
The personal data transferred concern personal data, entity data, navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Services.
E. Special categories of data (if appropriate)
The parties do not anticipate the transfer of special categories of data.
F. Processing operations
The personal data transferred will be subject to the following basic processing activities:
Scope of Processing
Personal data may be processed for the following purposes: (a) to provide the Service (which may include the detection, prevention and resolution of security and technical issues); (b) to respond to customer support requests; and (c) otherwise to fulfill the obligations under the Swivl Master Services Agreement.
The Data Exporter instructs the Data Importer to process personal data in countries in which the Data Importer or its subprocessors maintain facilities as necessary for it to provide the Service.
Term of Data Processing
Data processing will be for the term specified in the Swivl Master Services Agreement. For the term of the Swivl Master Services Agreement, and for a reasonable period of time after the expiry or termination of the Swivl Master Services Agreement, the Data Importer will provide the Data Exporter with access to, and the ability to export, the Data Exporter’s personal data processed pursuant to the Swivl Master Services Agreement.
For the term of the Swivl Master Services Agreement, the Data Importer will provide the Data Exporter with the ability to delete data as detailed in the Swivl Master Services Agreement.
Access to Data
For the term of the Swivl Master Services Agreement, the Data Importer will provide the Data Exporter with the ability to correct, block, export and delete the Data Exporter’s personal data from the Service in accordance with the Swivl Master Services Agreement.
The Data Importer may engage subprocessors to provide parts of the Service. The Data Importer will ensure subprocessors only access and use the Data Exporter’s personal data to provide the Data Importer’s products and services and not for any other purpose.
See the link of subprocessors here