This Data Processing Agreement (the “DPA”) is entered into by and between:
WHEREAS:
1. Definitions
1.1 For the purposes of this DPA, the following terms have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Main Agreement (as defined below) or in applicable Data Protection Laws:
2. Scope and Roles of the Parties
2.1 Controller and Processor Roles: The Parties acknowledge that, with regard to Customer Data, the Customer is the Controller and Allasso is the Processor for the purposes of Applicable Data Protection Laws. The Customer retains control and responsibility for the Personal Data it entrusts to Allasso under this DPA. Allasso will process Customer Personal Data solely on behalf of and under the documented instructions of the Customer, as set out in the Main Agreement and this DPA (see Section 3.1 below), except where otherwise required by applicable law.
2.2 Purpose of Processing: Allasso shall process Customer Personal Data only for the purpose of providing the Services and as further instructed by the Customer in the Main Agreement or as otherwise agreed in writing. The subject-matter, nature and purpose of the processing, the types of Personal Data, and categories of Data Subjects are those necessary to provide the analytics, risk management and market insight Services subscribed by Customer.
2.3 Duration: This DPA shall enter into force on the effective date of the Main Agreement or the date Customer first provided Personal Data to Allasso for processing (whichever is earlier) and shall continue until the Main Agreement expires or is terminated, or until Allasso no longer processes any Customer Personal Data, whichever is sooner.
2.5 Special Categories of Data: The Parties do not anticipate that Customer will disclose any special categories of personal data (as defined in GDPR Article 9 or “sensitive personal data” under FADP) to Allasso in connection with the Services. The Customer shall not transmit or expose Allasso to any sensitive or special category data unless strictly necessary for the Services and agreed in advance. In the event the Customer needs to include such data, Customer must ensure it has a lawful basis and any required consents for processing such data, and shall inform Allasso in writing so that appropriate safeguards can be applied. Allasso reserves the right to refuse processing of any special category data not agreed to, or to require additional protections before processing.
2.6 Customer’s Obligations: The Customer shall, in its use of the Services, comply with all obligations applicable to it under Data Protection Laws as a Controller. The Customer is responsible for ensuring that any personal data it provides to Allasso has been collected and is provided in compliance with Applicable Laws.
3. Obligations of the Processor
Allasso, as the Processor of Customer Personal Data, agrees to the following obligations, in accordance with Article 28 GDPR and equivalent provisions of UK GDPR and FADP:
3.1 Processing on Instructions: Allasso shall process Customer Personal Data only on the documented instructions of the Customer and for no other purposes except as authorized by the Customer or required by law. This DPA, together with the Main Agreement, constitutes the Customer’s complete and final instructions to Allasso for the processing of Personal Data. If Allasso is required by applicable law to process Customer Personal Data in a manner that is not expressly provided by Customer’s instructions, Allasso will inform the Customer of that legal requirement before processing (unless the law prohibits such notice). Allasso will immediately inform Customer if, in Allasso’s opinion, an instruction from Customer appears to violate applicable Data Protection Laws, in which case Allasso is entitled to suspend such processing until the issue is resolved.
3.2 Compliance and Data Protection: Allasso shall comply with all applicable Data Protection Laws in its processing of Customer Personal Data, and will assist Customer in ensuring compliance with its own obligations to the extent required under those laws.
3.3 Confidentiality: Allasso shall treat all Customer Personal Data as confidential information. Allasso will ensure that any persons it authorizes to process the Personal Data (including its employees, agents or contractors) are subject to strict duties of confidentiality, whether by contract or statutory obligation.
3.4 Security Measures: Allasso shall implement and maintain appropriate technical and organizational security measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to such data. In determining the appropriate measures, Allasso will take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of processing, and the risks of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk, including (as appropriate and without limitation) measures such as: pseudonymization and encryption of personal data; measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems; measures to restore availability and access to data in a timely manner following an incident; and a process for regularly testing and assessing the effectiveness of security measures (consistent with GDPR Article 32(1)).
3.5 Use of Subprocessors: The Customer hereby provides a general written authorization for Allasso to engage Subprocessors as necessary to provide the Services (e.g. cloud hosting providers, analytics or support services). A current list of Allasso’s Subprocessors can be made available to Customer upon request. Allasso shall ensure that any new or replacement Subprocessor is similarly qualified and bound by data protection obligations no less protective than those in this DPA. Allasso remains fully liable to the Customer for the performance of any Subprocessor’s obligations or any acts/omissions of its Subprocessors that cause Allasso to breach any of its obligations under this DPA. Allasso will provide prior notice to the Customer of any intended addition or replacement of its Subprocessors, by updating the Subprocessor list.
3.6 Data Subject Rights: Taking into account the nature of the processing and to the extent required under applicable law, Allasso shall assist the Customer in responding to requests from Data Subjects to exercise their rights under Data Protection Laws (such as rights of access, rectification, erasure, restriction, portability, or objection).
3.7 Personal Data Breach Notification: In the event Allasso becomes aware of a Personal Data Breach affecting Customer Personal Data, Allasso shall notify the Customer without undue delay (and in any event promptly) after becoming aware of the breach. Such notice will include, to the extent reasonably available at the time, relevant information about the breach including: a description of the nature of the breach, the categories and approximate volume of data and Data Subjects affected, the likely consequences of the breach, and any measures Allasso has taken or proposes to take to address the breach (including, where appropriate, measures to mitigate its possible adverse effects). Where it is not feasible to provide full details at once, Allasso may provide the information in phases without undue further delay as details become available. Allasso will investigate the Personal Data Breach and take necessary steps to mitigate harm and prevent further incidents. Allasso shall cooperate with Customer and follow Customer’s reasonable instructions to assist in the Customer’s compliance with any breach notification obligations under Data Protection Laws.
3.8 Data Security Assessments and Audits:
a. Audit Rights: Allasso shall make available to the Customer all information necessary to demonstrate compliance with the obligations set forth in this DPA and in Article 28 of GDPR (and equivalent provisions of UK GDPR and FADP). In particular, Allasso will maintain records of its processing activities and security practices as required by law, and upon reasonable request will provide summaries of relevant certifications, audit reports, or other documentation evidencing Allasso’s controls (e.g. ISO 27001).
b. Customer Audits: The Customer (or its mandated independent auditor that is not a competitor of Allasso) is entitled to perform audits or inspections of Allasso’s operations to verify Allasso’s compliance with this DPA, subject to the following conditions: (i) The Customer must provide at least 30 days’ written notice of its intention to audit, and will conduct such audit during normal business hours, in a manner that does not unreasonably interfere with Allasso’s business operations. (ii) Audits shall be limited to once per year, except additional audits may be conducted if required by a Supervisory Authority or if a material Personal Data Breach has occurred. (iii) The scope of the audit must be agreed in advance, and due to security and confidentiality obligations, Allasso may limit access to certain sensitive information (such as data of other customers, or Allasso’s own confidential information not relevant to the Customer’s Personal Data). (iv) Allasso may require the auditor to sign a customary non-disclosure agreement. The Customer shall be responsible for its own costs in conducting an audit. If Customer requests an on-site audit, Allasso will charge a reasonable fee (to be agreed in advance) to cover Allasso’s audit support time, except where such audit was required due to Allasso’s breach of this DPA.
3.9 Assistance with Data Protection Impact Assessments: If the Customer is required under Data Protection Laws to conduct a Data Protection Impact Assessment (“DPIA”) or consult with a Supervisory Authority prior to processing (e.g. under GDPR Articles 35 and 36), Allasso shall provide reasonable cooperation and assistance to the Customer in fulfilling these obligations.
4. Return or Deletion of Data
Upon termination or expiration of the Main Agreement (or at such earlier time that processing of Personal Data is no longer required for the Services), Allasso shall, at the Customer’s choice, either return to the Customer all the Customer Personal Data (and any copies thereof) or securely delete all Customer Personal Data in its possession or control. This requirement will not apply to any Personal Data that Allasso has a separate legal basis to retain as a Controller (such as its business contact records), or to data that has been aggregated or anonymized in a manner no longer identifying any individual.
5. Cross-Border Data Transfers
To the extent that Allasso processes any Customer Personal Data that is subject to the GDPR (EU), UK GDPR, or Swiss FADP in a country outside the European Economic Area (EEA), the UK, or Switzerland that has not been recognized as providing an adequate level of data protection by the European Commission, UK government, or Swiss authorities (as applicable), then the Parties shall take all necessary measures to ensure the transfer is in compliance with applicable transfer restrictions. Allasso will not transfer Customer Personal Data from the EU, UK or Switzerland to any third country unless it has ensured appropriate safeguards as required by the respective Data Protection Laws.
6. Final Provisions
Each Party’s liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the Main Agreement.
7. Order of Precedence
This DPA is an integral part of the agreement between the Parties. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Main Agreement (and any previous data processing terms included therein), the terms of this DPA shall prevail with regard to the processing of Personal Data and data protection matters.
8. Governing Law and Jurisdiction
Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Switzerland, unless otherwise agreed by the Parties or required by applicable law.