DATA PROCESSING AGREEMENT
Version: March 9, 2023
This Data Processing Agreement (“DPA”) sets forth ScaleWith’s commitments for the protection of User Data and is made part of the Agreement as set forth here.
Designated Data Center Location: United States
1. Definitions. Unless otherwise defined below, all capitalized terms have the meaning given to them in the Agreement.
“Additional Products” means products, services, and applications (whether made available by ScaleWith or a third party) that are not part of the Service.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“EU Data Protection Laws” means: (i) up to 25 May 2018, the Data Protection Directive 95/46/EC; and (ii) from 25 May 2018 onwards, the General Data Protection Regulation (EU) 2016/679 (“GDPR”).
“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this DPA, including local, state, national and/or foreign laws, treaties, and/or regulations, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law.
“Data Subject” means the person to whom the Personal Data relates.
“EEA” means the European Economic Area.
“Personal Data” means any User Data that relates to (i) an identified or identifiable natural person or (ii) an identified or identifiable legal entity, where such information is protected similarly as personal data under applicable Data Protection Laws.
“Personal Data Breach” means (i) a ‘personal data breach’ as defined in the GDPR affecting Personal Data, and (ii) any Security Breach affecting Personal Data.
“Processing or Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
“Subprocessor” means a ScaleWith affiliate or third-party entity engaged by ScaleWith or a ScaleWith affiliate as a Data Processor under this DPA.
“Valid Transfer Mechanism” means a data transfer mechanism permitted by EU Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside the EEA.
2. Processing Personal Data
2.1 Scope and Role of the Parties. This DPA applies to the Processing of Personal Data by ScaleWith in the course of providing the Service. For the purposes of this DPA, User and its affiliates are the Data Controller(s) and ScaleWith is the Data Processor, Processing Personal Data on User’s behalf.
2.2 Instructions for Processing. ScaleWith shall Process Personal Data in accordance with User’s documented instructions. User instructs ScaleWith to Process Personal Data to provide the Service in accordance with the Agreement (including this DPA). User may provide additional instructions to ScaleWith to Process Personal Data; however, ScaleWith shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this DPA.
2.3 Compliance with Laws. ScaleWith shall comply with all Data Protection Laws applicable to ScaleWith in its role as a Data Processor Processing Personal Data. For the avoidance of doubt, ScaleWith is not responsible for complying with Data Protection Laws applicable to User or User’s industry such as those not generally applicable to online service providers. User shall comply with all Data Protection Laws applicable to User as a Data Controller.
3.1 Use of Subprocessors. User agrees that ScaleWith and ScaleWith affiliates may engage Subprocessors to Process Personal Data. ScaleWith or the relevant ScaleWith affiliate shall ensure that such Subprocessor has entered into a written agreement requiring the Subprocessor to abide by terms no less protective than those provided in this DPA. Upon User’s request, ScaleWith will make available to User a summary of the data processing terms. For the avoidance of doubt, the data processing terms that apply to ScaleWith affiliates when Processing Personal Data as a Subprocessor are those set out in this DPA. ScaleWith shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts or omissions were performed by ScaleWith.
3.2 Notification of New Subprocessors. ScaleWith shall make available to User a list of Subprocessors authorized to Process Personal Data (“Subprocessor List”) and provide User with a mechanism to obtain notice of any updates to the Subprocessor List. At least thirty (30) days prior to authorizing any new Subprocessor to Process Personal Data, ScaleWith shall provide notice to User by updating the Subprocessor List.
3.3 Subprocessor Objection Right. This Section 3.3 shall apply only where and to the extent that User is established within the EEA or Switzerland or where otherwise required by Data Protection Laws applicable to User. In such event, if User objects on reasonable grounds relating to data protection to ScaleWith’s use of a new Subprocessor then User shall promptly, and within fourteen (14) days following ScaleWith’s notification pursuant to Section 3.2 above, provide written notice of such objection to ScaleWith. Should ScaleWith choose to retain the objected-to Subprocessor, ScaleWith will notify the User at least fourteen (14) days before authorizing the Subprocessor to Process Personal Data and the User may immediately discontinue using the relevant portion(s) of the Service and may terminate the relevant portion(s) of the Service within thirty (30) days.
4. Data Center Location and Data Transfers
4.1 Storage of Personal Data. Personal Data will be housed in data centers located in the Designated Data Center Location set forth herein unless the parties otherwise expressly agree in writing.
4.2 Access to Personal Data. Notwithstanding Section 4.1, in order to provide the Service, ScaleWith and its Subprocessors will only access Personal Data from (i) countries in the EEA, (ii) countries or territories formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”) and (iii) the United States provided, in this case, that ScaleWith makes available to User a Valid Transfer Mechanism. When ScaleWith or its Subprocessors access Personal Data from outside the Designated Data Center Location for the purposes set forth above, User agrees that Personal Data may be temporarily stored in that country.
5. Rights of Data Subjects
5.1 Correction, Deletion or Restriction. ScaleWith will, at its election and as necessary to enable User to meet its obligations under applicable Data Protection Laws, either (i) provide User the ability within the Service to correct or delete Personal Data or restrict its Processing; or (ii) make such corrections, deletions, or restrictions on User’s behalf if such functionality is not available within the Service.
5.2 Access to Personal Data. To the extent a Data Subject’s Personal Data is not accessible to User through the Service, ScaleWith will, as necessary to enable User to meet its obligations under applicable Data Protection Laws, provide reasonable assistance to make such Personal Data available to User.
5.3 Handling of Data Subject Requests. For the avoidance of doubt, User is responsible for responding to Data Subject requests for access, correction, deletion or restriction of that person’s Personal Data (“Data Subject Request”). If ScaleWith receives a Data Subject Request, ScaleWith shall promptly redirect the Data Subject to User.
5.4 Data Portability. During the term of the Agreement, User may extract Personal Data from the Service in accordance with the Documentation and the relevant provisions of the Agreement, including so that User can provide the Personal Data to an individual who makes a data portability request under EU Data Protection Laws.
6. Government Access Requests. Unless prohibited by applicable law or a legally-binding request of law enforcement, ScaleWith shall promptly notify User of any request by a government agency or law enforcement authority for access to or seizure of Personal Data.
7. ScaleWith Personnel. ScaleWith shall take reasonable steps to require screening of its personnel who may have access to Personal Data, and shall require such personnel (i) to receive appropriate training on their responsibilities regarding the handling and safeguarding of Personal Data; and (ii) to agree to comply with confidentiality obligations which shall survive the termination of employment.
8. Personal Data Breach. In the event ScaleWith becomes aware of a Personal Data Breach it shall without undue delay notify User in accordance with the Security Exhibit for Services. To the extent User requires additional information from ScaleWith to meet its Personal Data Breach notification obligations under applicable Data Protection Laws, ScaleWith shall provide reasonable assistance to provide such information to User taking into account the nature of Processing and the information available to ScaleWith.
9. Security Program. ScaleWith shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data as set forth in the Security Exhibit for Services.
10. Audit. User agrees that ScaleWith’s then-current SOC 2 audit reports (or comparable industry-standard successor reports) and/or ScaleWith’s other certifications will be used to satisfy any audit or inspection requests by or on behalf of User, and ScaleWith shall make such reports available to User. In the event that User, a regulator, or supervisory authority requires additional information, including information necessary to demonstrate compliance with this DPA, or an audit related to the Service, such information and/or audit shall be made available in accordance with ScaleWith’s internal policies and procedures.
11. Return and Deletion of Personal Data. Upon termination of the Service, ScaleWith shall return or delete Personal Data in accordance with the relevant provisions of the Agreement.
12. Additional Products. User acknowledges that if it installs, uses, or enables Additional Products that interoperate with the Service but are not part of the Service itself, then by such actions User is instructing ScaleWith to cause the Service to allow such Additional Products to access Personal Data as required for the interoperation of those Additional Products with the Service. Such separate Additional Products are not required to use the Service and may be restricted for use as determined by User’s system administrator. This DPA does not apply to the Processing of Personal Data by Additional Products which are not part of the Service.
13. Additional European Terms
13.1 Subject-Matter, Nature, Purpose and Duration of Data Processing. ScaleWith will Process Personal Data to provide the Service (operation and maintenance of a software-as-a-service application). The duration of Processing Personal Data shall be for the term of the Agreement.
13.2 Data Protection Impact Assessments and Prior Consultations. User agrees that ScaleWith’s then-current SOC 2 audit reports (or comparable industry-standard successor reports) and/or ScaleWith’s other certifications will be used to carry out User’s data protection impact assessments and prior consultations, and ScaleWith shall make such reports available to User. To the extent User requires additional assistance to meet its obligations under Articles 35 and 36 of the GDPR to carry out a data protection impact assessment and prior consultation with the competent supervisory authority related to User’s use of the Service, ScaleWith will, taking into account the nature of Processing and the information available to ScaleWith, provide reasonable assistance to User through the User Audit Program.
14. General Provisions
14.1 User Affiliates. User is responsible for coordinating all communication with ScaleWith on behalf of its affiliates with regard to this DPA. User represents that it is authorized to issue instructions as well as make and receive any communications or notifications in relation to this DPA on behalf of its affiliates.
14.2 Termination. The term of this DPA will end simultaneously and automatically at the later of (i) the termination of the Agreement or (ii) when all Personal Data is deleted from ScaleWith’s systems.
14.3 Conflict. This DPA is subject to the non-conflicting terms of the Agreement. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations.
14.4 Remedies. User’s remedies with respect to any breach by ScaleWith or its affiliates of the terms of this DPA, and the overall aggregate liability of ScaleWith and its affiliates arising out of, or in connection with the Agreement (including this DPA) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Liability Cap”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of ScaleWith and its affiliates arising out of, or in connection with the Agreement (including this DPA) shall in no event exceed the Liability Cap.
14.5 Miscellaneous. The section headings contained in this DPA are for reference purposes only and shall not in any way affect the meaning or interpretation of this DPA.