Data Protection Addendum
Schedule 2: Data Protection Addendum Agreement
This Data Protection Addendum (“Addendum”) forms part of the main contract agreement terms (“Principal Agreement”) between: (i) Aptree LLC, being a Delaware Limited Liability Company (“Aptree”) acting on its own behalf and as agent for each Aptree Affiliate; and (ii) Aptree’s Customer as described in the signing section of this Addendum acting on its own behalf and as agent for each Customer Affiliate (“Customer”).
This Addendum governs the receipt, processing, and other activity as governed by Applicable Law regarding all Customer Personal Data received by Aptree as the Processor, from the Customer as the Controller.
In consideration of the mutual obligations set out in this Addendum, the parties agree that the terms and conditions set out below shall be added as an Addendum to the Principal Agreement.
1.1 In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
“Applicable Law” means (a) EU Data Protection Law to the extent that the Customer Personal Data constitutes the Personal Data of an EU Data Subject; or (b) UK Data Protection Law to the extent that the Customer Personal Data constitutes the Personal Data of a person residing in the UK who has protection under that law; or (c) any other applicable law with respect to any Customer related personal data to which Customer is subject, as notified by Customer and agreed in writing between the parties from time to time so as to form part of this Addendum, or which otherwise applies to Aptree;
“Customer” means the customer party signing this Addendum and includes each Customer Group Member who is permitted to use the Services under the terms of the Principal Agreement and uses the Services;
“Customer Group Member” means Customer or any Customer Affiliate; and “Customer Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Customer, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Customer Personal Data” means all Personal Data Processed by a Contracted Processor on behalf of a Customer entity, as supplied by a Customer entity (including its appointed users) as part of the Services and pursuant to the Principal Agreement;
“Contracted Processor” means Aptree or a Subprocessor but excluding all employees and contractor personnel of Aptree, and all Third Party Services Providers;
“EU Data Protection Law” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679 once effective on 25 May 2018, including its equivalent provisions as may exist from time to time under UK Data Protection Law to the extent that UK Data Protection Law applies;
“Services” means the services and other activities to be supplied to or carried out by or on behalf of Aptree for a Customer entity pursuant to the Principal Agreement;
“Standard Contractual Clauses” or “SCC” means Standard Contractual Clauses under EU Data Protection Law, including the EU Commission’s Implementing Decision 2021/914 dated 4 June 2021 or any update to or replacement of that, or as is applicable from time to time under UK Data Protection Law (if that is the Applicable Law);
“Subprocessor” means any person (including any third party and any Aptree Affiliate), appointed by or on behalf of Aptree or any Aptree Affiliate to Process Customer Personal Data, but excludes all Third Party Services Providers; and
“Aptree Affiliate” means an entity that owns or controls, is owned or controlled by, or is under common control or ownership with Aptree, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise;
“Third Party Services Provider” means a third party provider of products, applications, services, software, networks, systems, directories, websites, databases and information which the Customer elects to obtain from that third party via optional links provided within the Services, or which Customer may itself otherwise elect to connect to or enable in conjunction with the Services, including, without limitation, any third party services which may be integrated directly into Customer’s platform by Customer or at Customer’s direction; and
“UK Data Protection Law” means the data protection laws in force from time to time in the United Kingdom.
1.2 The terms, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, “Supervisory Authority” and any other terms used in GDPR and not expressly defined in this Addendum shall have the same meaning as in the GDPR, or UK Data Protection Law if applicable or other Applicable Law as may be applicable (or similar terms as used in such other Applicable Law), and their cognate terms shall be construed accordingly, unless otherwise required under Applicable Law.
1.3 The word “include” shall be construed to mean include without limitation, and cognate terms shall be construed accordingly. The terms used in this Addendum shall have the meanings set forth in this Addendum. Capitalised terms not otherwise defined herein shall have the meaning given to them in the Principal Agreement. Except where the context requires otherwise, references in this Addendum to the Principal Agreement are to the Principal Agreement as amended by, and including, this Addendum.
2. Commencement and Duration
2.1 This Addendum shall be legally binding once signed by both parties, being the date noted at the start of this Addendum, and will then continue to apply unless and until the later of:
a) the Principal Agreement terminates for any reason; and
b) each Contracted Processor ceases to process any Customer Personal Data.
3. Customer Obligations (as Controller)
3.1 Each Customer entity, as a Controller:
a) Instructs Aptree and each Aptree Affiliate (and authorises Aptree and each Aptree Affiliate to instruct each Contracted Processor) to:
i. Process Customer Personal Data; and
ii. in particular, transfer Customer Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with the Principal Agreement and in compliance with the obligations of Aptree and Aptree Affiliates as set out in this Addendum.
b) Warrants and represents at all times throughout the duration of this Addendum:
i. that it is solely responsible for the accuracy of Customer Personal Data and the means by which (and associated lawfulness of) such Customer Personal Data is acquired and used as part of the Services, including as to the Processing by Aptree in accordance with this Addendum, all in accordance with the Applicable Law, particularly with respect to the security, protection and disclosure of Customer Personal Data to Aptree;
ii. that it is and will at all relevant times remain duly and effectively authorised to give the instruction set out in section 3.1(a) on behalf of each relevant Customer Affiliate;
iii. that, if GDPR forms part of the Applicable Law:
A. all Customer Personal Data will comply with GDPR Articles 5(1)(b) to (e) inclusive;
B. in respect of all Customer Personal Data, Article 6(1) of the GDPR is fulfilled by sub-Article (b) of that Article (i.e. performance of a contract), and that to the extent that sub-Article (a) of that Article 6(1) applies (i.e. consent), it has complied with Article 7 and all other consent related provisions of GDPR;
C. the nature and scope of all Customer Personal Data is such that the following Articles of GDPR will not apply to this Addendum and are outside the scope of the responsibilities of Aptree and each Aptree Affiliate unless agreed otherwise in writing between the parties: 8, 9, 10, and 11;
D. that the Customer will act in compliance with all Controller-related obligations as set out in GDPR; and
E. without limiting clause 4 below, the Customer will work closely and efficiently with Aptree and each Aptree Affiliate (as may be required) to ensure that the rights of each Data Subject (i.e. as linked to the relevant applicable Customer Personal Data) under Applicable Law are upheld and so that due compliance occurs under Applicable Law.
c) Acknowledges and accepts that, if GDPR forms part of the Applicable Law:
i. Article 35 of GDPR (Data Protection Impact Assessment) does not apply to this Addendum or to the Principal Agreement unless and until either Customer or Aptree writes to the other of them setting out reasonable grounds for the application of this Article. If Articles 35 or 36 of GDPR do apply at any time, then the parties will work together in good faith to progress compliance by each party with those Articles.
ii. Even if Aptree or any Aptree Affiliate is considered to be a joint controller under Article 26 of GDPR, as between the parties to this Addendum the relevant Customer entity shall be deemed to be solely responsible as Controller for the purposes of GDPR or other Applicable Law.
d) Shall inform its Data Subjects:
i. about its use of data processors to Process their Customer Personal Data, including Aptree; and
ii. that their Customer Personal Data may be Processed outside of the EU Member States.
e) Shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Customer Personal Data by any Customer entity as a Data Controller, and give appropriate instructions to Aptree in a timely manner.
3.2 Customer and each Customer entity undertakes to promptly inform Aptree in writing regarding any communication received from any Supervisory Authority, or any attempt by a Data Subject to enforce his or her rights under Applicable Law as regards any Customer Personal Data.
3.3 Customer acknowledges and confirms for the purposes of Article 28(3) of GDPR that the Customer Personal Data is of a standard nature and does not fall within any special category, nor does any special category of Data Subject apply. Customer acknowledges and accepts the content of Appendix 1 (Details of Customer Personal Data Processed) to this Addendum.
4. Aptree Obligations (as Processor)
4.1 Aptree and each Aptree Affiliate shall at all times throughout the duration of this Addendum:
a) act in compliance with all Processor related obligations as set out in the Applicable Law, in particular, if GDPR forms part of the Applicable Law, in compliance with those provisions set out in Article 28(3) of GDPR from 25 May 2018 onwards, including so as to ensure that all Contracted Processors abide by the same obligations as Aptree under this sub-clause at all times as required (and with Aptree and each Aptree Affiliate remaining liable to Customer at all times in terms of this Addendum);
b) not Process Customer Personal Data other than on the relevant Customer entity’s documented instructions as set out in the Principal Agreement, including as expressly permitted by this Addendum or as otherwise necessary to provide the Service, unless Processing is required by the Applicable Law to which the relevant Contracted Processor is subject, in which case Aptree or the relevant Aptree Affiliate shall to the extent permitted by the Applicable Law inform the relevant Customer entity of that legal requirement before the relevant Processing of that Customer Personal Data;
c) without limiting clause 3 above, work closely and efficiently with each Customer entity (as may be required) to ensure that the rights of each Data Subject (i.e. as linked to the relevant applicable Customer Personal Data) under Applicable Law are upheld and so that due compliance occurs under Applicable Law; and
d) ensure that all persons authorised by Aptree and each Aptree Affiliate to process any Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality regarding that data, which comply with the Applicable Law.
4.2 Aptree shall not transfer Customer Personal Data from inside of any of the EU Member States or the United Kingdom to outside any of those jurisdictions (or permit that to occur) unless: i) Aptree has first obtained the Customer’s prior written permission to do so; or ii) Aptree takes such measures as are necessary to ensure the transfer is in compliance with the Applicable Law. Such measures may include (without limitation) transferring the Customer Personal Data to a recipient in a Country which has been formally declared under the Applicable Law as having adequate protection measures in place for Personal Data, or to a recipient that has achieved binding corporate rules in compliance with the Applicable Law, or to a recipient that has executed Standard Contractual Clauses adopted, approved or otherwise effective under the Applicable Law.
4.3 Aptree warrants its compliance with the content of Appendix 2 (Technical and Organisational Security Measures) to this Addendum as at the date of this Addendum.
4.4 Aptree shall immediately inform the Customer if, in Aptree’s opinion, the Customer entity’s Processing instructions infringe, or could infringe, any law or regulation. In such event, Aptree is entitled to refuse Processing of Customer Personal Data that it believes to be in violation of any law or regulation.
5.1 Each Customer entity authorises Aptree and each Aptree Affiliate to appoint (and permit each Contracted Processor appointed in accordance with this section 5 to appoint) Contracted Processor(s) in accordance with this section 5 and any permissions or restrictions contained in the Principal Agreement or in this Addendum.
5.2 Aptree and each Aptree Affiliate may continue to use those Subprocessors already engaged by Aptree or any Aptree Affiliate as at the date of this Addendum, on the basis that Aptree confirms that such existing Subprocessors currently meet the obligations set out in this Addendum in respect of all Subprocessors, including those set out in clause 4.2 above.
5.3 Aptree shall maintain an up-to-date list of the names and locations of all Contracted Processors used for the Processing of Customer Personal Data at Aptree’s Subprocessor list (the “Subprocessor List”), also available on request to [email protected]. Aptree shall update the Subprocessor List, on its website, to include any Contracted Processor to be appointed, at least 30 days prior to the date on which the Contracted Processor shall commence processing Customer Personal Data. Customer confirms that clauses 5.2 and 5.3 constitute general written authorisation for the purpose of Article 28(2) of GDPR if applicable, and for the purpose of clause 4.2(i) above.
5.4 In the event the Customer objects to the Processing of its Customer Personal Data by any newly appointed Contracted Processor as described in section 5.3, it shall inform Aptree within fourteen (14) calendar days of notice being given on reasonable grounds relating to the protection of Customer Personal Data. In such event, Aptree shall have the right to cure the objection (if required) through one of the following options (to be selected at Aptree’s sole discretion):
a) instruct the Contracted Processor to cease any further processing of the Customer’s Personal Data in which event this Addendum shall continue unaffected, or
b) take such corrective steps as may be required to address the Customer’s objection and to proceed to use the Contracted Processor with regard to Customer Personal Data so as to ensure compliance with this Addendum, or
c) Aptree may cease to provide (or Customer may agree not to use, but subject to (b) above), temporarily or permanently, the particular aspect of the Service that would involve the use of the relevant Contracted Processor with regard to Customer Personal Data, subject to a mutual agreement of the parties to adjust the remuneration of the Service considering the reduced scope of the Services.
Any Customer objection to a Contracted Processor shall be submitted to Aptree by following the directions set forth in the Subprocessor List.
If none of the above options are reasonably available and the objection has not been resolved to the mutual satisfaction of all parties (acting reasonably) within 30 days after Aptree’s receipt of Customer’s objection, then either party may terminate this Addendum (and the Principal Agreement) immediately, by written notice to the other party, and Customer will be entitled to a pro-rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Customer as of the effective date of termination.
5.5 In addition, where the Services provide links to integrations with Third Party Service Providers, and the Customer elects to enable, access or use such third party services, then the Customer entity’s access to and use of such third party services will be governed solely by the terms and conditions and privacy policies of such Third Party Service Provider(s), and Aptree does not endorse, and is not responsible or liable for, and makes no representations as to any aspect of such Third Party Service Providers, including, without limitation, their content or the manner in which the Third Party Service Provider handles Customer Personal Data or any interaction between the Customer (or its Data Subject) and the Third Party Service Provider. Aptree is not liable for any damage or loss caused or alleged to be caused by or in connection with the Customer entity’s enablement, access or use of any such Third Party Service Providers, or the Customer’s reliance on the privacy practices, data security processes or other policies of such Third Party Service Providers. Customer shall indemnify Aptree and all Aptree Affiliates and hold them harmless against all loss suffered by any of them arising from the excluded scope of Aptree’s liability as described in this clause, and which arises in connection with Customer Personal Data.
5.6 Aptree and each Aptree Affiliate shall ensure that each Contracted Processor agrees to protect the Customer Personal Data to a standard consistent with the requirements of this Addendum, as applicable to Processing of Customer Personal Data carried out by that Contracted Processor.
5.7 Aptree may replace a Contracted Processor if the reason for the change is beyond Aptree’s reasonable control. In such instance, Aptree shall notify Customer of the replacement as soon as reasonably practicable, and Customer shall retain the right to object to the replacement Contracted Processor pursuant to Section 5.4 above. Any replacement Contracted Processor must be such that Aptree fulfills its obligations as set out in this Addendum.
6.1 Aptree warrants and represents that, before any Aptree Affiliate Processes any Customer Personal Data on behalf of any Customer entity, Aptree’s entry into this Addendum as agent for and on behalf of that Aptree Affiliate will have been duly and effectively authorised (or subsequently ratified) by that Aptree Affiliate.
6.2 Customer warrants and represents that, before any Customer Personal Data is transferred to Aptree or any Aptree Affiliate by any Customer entity, Customer’s entry into this Addendum as agent for and on behalf of that Customer entity will have been duly and effectively authorised (or subsequently ratified) by that Customer entity.
7. Data Subjects & any Customer Personal Data Breach
7.1 Each party shall:
a) promptly notify the other party if it (or any party affiliated to it) receives a complaint or request from a Data Subject under any Applicable Law in respect of Customer Personal Data processed by a Contracted Processor relating to this Addendum; and
b) ensure that it does not respond to that request except on the documented instructions of Customer or the relevant Customer Affiliate (to be reasonably agreed between the parties) or as required by the Applicable Law, in which case Aptree shall, to the extent permitted by the Applicable Law, inform Customer of that legal requirement before Aptree or the Contracted Processor responds to the request.
7.2 Each party shall notify the other in writing without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, providing sufficient information to allow each Customer entity or any other party to meet any obligations to report or inform Data Subjects, or any Supervisory Authority, of the Personal Data Breach under the Applicable Law.
7.3 Each party shall co-operate with the other party (and each Customer entity or each Contracted Processor or Aptree Affiliate as is relevant) and take such commercial steps as are reasonably required to assist the other party in the investigation, mitigation and remediation of each such Personal Data Breach.
8. Audit rights
8.1 To the extent that the Applicable Law allows any Customer entity to conduct any audit of any Contracted Processor, the following provisions will apply:
a) Reasonable advance written notice of not less than twenty working days (for the Contracted Processor) must be given, which must also state the reasons, the scope, and the specific Applicable Law supporting the request;
b) The parties must then, in good faith and acting reasonably, discuss and agree how and when the audit will take place, and will be subject to any Contracted Processor’s legal rights in the context of such audit request;
c) The audit must be conducted by appropriately qualified and experienced third party personnel of reputable standing, and who are reasonably acceptable to both parties (including Customer and Aptree);
d) The audit must minimise disruption to the relevant Contracted Processor(s);
e) The audit will be conducted at the sole cost of the Customer or the applicable Customer entity (and not Aptree or the Contracted Processor or any Aptree Affiliate), unless the reasonable written conclusions of any audit are that any Contracted Processor is in material breach of this Addendum.
9. Return and destruction of Customer Personal Data
9.1 Upon the termination of Customer access to and use of the Service, Aptree will, up to thirty (30) days following such termination, permit Customer to export their Customer Personal Data, at their expense, in accordance with the capabilities of the Service. Following such period, Aptree shall have the right to delete all Customer Personal Data stored or Processed by Aptree on behalf of Customer in accordance with Aptree’s deletion policies and procedures, save to the extent that Aptree is required by any Applicable Law to retain some or all of the Customer Personal Data. In such event Aptree shall extend the protections of this Addendum to such Customer Personal Data and limit any further processing of such Customer Personal Data to only those limited purposes that require the retention for so long as Aptree maintains the Customer Personal Data.
10.1 The liability provisions contained in the Principal Agreement will apply also to this Addendum other than to the extent that any Applicable Law requires otherwise and does not permit the parties to contract out of that requirement.
10.2 If and to the extent that any Customer entity or any Contracted Processor or any Aptree Affiliate becomes liable (by Court, Tribunal, Arbitration or other similar order from a competent authority with valid jurisdiction) to any Data Subject or other third party in respect of any breach of any Applicable Law then the obligations of each party stated in this Addendum shall be used to fairly and reasonably apportion the proportional bearing of that liability as between the relevant parties. If the parties are unable to reach agreement in this regard, apportionment shall be determined in accordance with the dispute resolution provisions of the Principal Agreement or if none, then as contained in this Addendum.
11. General Terms
11.1 The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Principal Agreement with respect to any disputes or claims howsoever arising under this Addendum, including disputes regarding its existence, validity or termination or the consequences of its nullity.
11.2 This Addendum and all non-contractual or other obligations arising out of or in connection with it are governed by the laws of the country or territory stipulated for this purpose in the Principal Agreement, subject always to the correct application of the Applicable Law as required by this Addendum.
11.3 In the event of any conflict between a provision of this Addendum and any provision contained in the Principal Agreement regarding the protection of Customer Personal Data, then the provision of this Addendum shall prevail.
11.4 Either party may by at least 30 (thirty) calendar days’ written notice to the other party from time to time:
a) suggest any variations to this Addendum in order to comply with any change to Applicable Law, including as a result of the decision of a competent authority under that Applicable Law; or
b) propose any other variations to this Addendum which either party reasonably considers to be necessary to address the requirements of any Applicable Law.
11.5 If notice is given under section 11.4, then each party shall promptly co-operate to ensure that equivalent variations are openly discussed and that all reasonable and necessary changes are made to this Addendum as a result.
11.6 Neither Customer nor Aptree shall require the consent or approval of any Customer Affiliate or Aptree Affiliate to amend this Addendum pursuant to clause 11.5 or otherwise.
11.7 Should any provision of this Addendum be deemed by a competent Court or other tribunal to be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.