Between: | Macabacus Inc. (the “Data Processor”). |
And: | Each individual customer (the “Data Controller”) that Macabacus Inc. acts as Data Processor for, that has not entered into a separate valid Data Processing Addendum ("DPA") with Macabacus Inc. |
1.1 This Data Processing Addendum (“Addendum”) supplements the Macabacus End-User License Agreement or other agreement governing your use of the applicable Macabacus Product(s) (“Principal Agreement”) by and between you (the "Data Controller") and Macabacus from which you are purchasing the Product(s).
1.2 This Addendum shall apply to personal data processed by Macabacus on your behalf in the course of providing the Product(s) to you (“Customer Personal Data”).
Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meanings:
"Applicable Laws" means (a) United States or European Union or Member State laws with respect to any Company Personal Data in respect of which any Company Group Member is subject to EU Data Protection Laws; and (b) any other applicable law with respect to any Company Personal Data in respect of which any Company Group Member is subject to any other Data Protection Laws;
"Addendum" means this Data Processing Addendum and all Schedules;
"Company Personal Data" means any Personal Data processed by a Contracted Processor on behalf of Data Controller pursuant to or in connection with the Principal Agreement;
"Contracted Processor" means a Subprocessor;
"Data Protection Laws" means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“Data Transfer” means: (a) a transfer of Company Personal Data from the Data Controller to a Contracted Processor; or (b) an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
"Parties" means the Data Controller and Data Processor together;
“Services” means the services the Data Processor provides;
“Subprocessor” means any person appointed by or on behalf of Data Processor to process Personal Data on behalf of the Data Controller in connection with the Addendum.
The terms, “Commission”, “Data Controller”, "Data Processor", “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
3.1 The parties acknowledge and agree that to the extent that Macabacus delivers Services, Macabacus is acting as a Data Processor on your behalf, and you are acting as a Data Controller. Macabacus will engage Subprocessors as described in the Subprocessing section below.
3.2 You shall, in your use of the Services, process Personal Data in accordance with Data Protection Laws. You shall ensure that Data Subjects are appropriately informed regarding the processing of their Personal Data, and you shall obtain their consent to such processing where required by Data Protection Laws.
3.3 Macabacus shall comply with all applicable Data Protection Laws in the processing of Company Personal Data, and not process Company Personal Data other than according to the Addendum.
3.4 The Data Controller instructs Data Processor to process Company Personal Data.
3.5 Data Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Data Protection Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
More information on the subject matter, duration, subjects, activities, and categories are in Schedule A to this Addendum.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
4.2 In assessing the appropriate level of security, Data Processor shall take into account the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1 Appointment of Subprocessors. Macabacus and its affiliates may engage third-party Subprocessors in connection with the delivery of the Services. Macabacus or its affiliate will enter into a written agreement with the Subprocessor imposing on the Subprocessor data protection obligations comparable to those imposed on Macabacus under this Addendum with respect to the protection of Company Personal Data. In the case where the Subprocessor fails to fulfill its data protection obligations under such written agreement with Macabacus, Macabacus will remain liable to you for the performance of the Subprocessor's obligations under such agreement, except as otherwise set forth in the Principal Agreement. By way of this Addendum, you provide general authorization to Macabacus to engage Subprocessors as necessary to deliver Macabacus products.
5.2 List of Current Subprocessors. Macabacus shall make available a list of Subprocessors, which can be found here. Macabacus may update this list as required to reflect additions, removals, or other changes to Macabacus' Subprocessors.
5.3 Objection Right for New Subprocessors. You may reasonably object to Macabacus' use of a new Subprocessor on legitimate grounds, subject to the termination and liability clauses of the Principal Agreement. The Data Controller acknowledges that these Subprocessors are essential to providing the Services and that objecting to the use of a Subprocessor may prevent Macabacus from offering Services to the Data Controller. In the case of a reasonable objection, the Parties shall negotiate in good faith to find an alternative solution, and if an alternative solution cannot be found and the Data Processor decides to proceed with such Subprocessor, the Data Controller may terminate the Principal Agreement with immediate effect, subject to the Macabacus refund policy. Neither of the Parties shall be considered in breach of contract in the event of such a termination.
6.1 Data Subject Requests. Macabacus will, to the extent permitted by Applicable Law or other applicable legal or regulatory requirements, inform you of any formal requests from Data Subjects exercising their rights of access, correction or erasure of their Personal Data, their right to restrict or to object to the Processing as well as their right to data portability, and will not respond to such requests, unless instructed by you in writing to do so.
6.2 Assistance by Macabacus. Data Processor shall promptly notify Data Controller if it receives a request from a Data Subject under any Data Protection Law with respect to Company Personal Data, and ensure that it does not respond to that request except on the instructions of Data Controller or as required by Data Protection Laws to which the Data Processor is subject, in which case Data Processor shall to the extent permitted by Data Protection Laws inform Data Controller of that legal requirement before the Contracted Processor responds to the request.
7.1 Data Processor shall notify Data Controller without undue delay upon Data Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Data Controller with sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
7.2 Data Processor shall cooperate with the Data Controller and take commercially reasonable steps as are directed by Data Controller to assist in the investigation, mitigation and remediation of the Personal Data Breach.
Data Processor shall provide reasonable assistance to the Data Controller, at the expense of the Data Controller, with any data protection impact assessments, and prior consultations with Supervising Authorities or other competent data privacy authorities, which Data Controller reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
Subject to this section, Data Processor shall promptly and in any event within 10 business days of the date of cessation of any Services involving the Processing of Company Personal Data (the “Cessation Date”), delete all copies of Company Personal Data.
10.1 Data Transfer Mechanism. Parties agree that Macabacus may transfer Company Personal Data processed under this Addendum outside of the EEA, the UK, or Switzerland as necessary to provide Services. If Macabacus transfers Company Personal Data protected under this DPA to a jurisdiction for which the European Commission or the UK (as applicable) has not issued an adequacy decision, Macabacus will ensure that appropriate safeguards have been implemented for the transfer of Company Personal Data in accordance with Data Protection Laws.
10.2 Privacy Shield Certification. Macabacus transfers Company Personal Data processed under this DPA to Macabacus Inc. under the Privacy Shield certification of Macabacus Inc., available at privacyshield.gov. For more information, please see Macabacus' Privacy Shield Statement.
This agreement will have the same duration as and will be subject to the termination terms of the Principal Agreement. The obligations of Macabacus to implement appropriate security measures with respect to Company Personal Data will survive the termination of this Addendum and will apply for so long as Macabacus retains Company Personal Data.
Each party's (including their respective affiliates') liability, in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the 'Limitation of Liability' section of the Principal Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Principal Agreement and all DPAs together.
13.1 Confidentiality. Each Party must keep information it receives about the other Party and its business in connection with this Addendum (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party, except to the extent that disclosure is required by law, or the relevant information is already in the public domain.
13.2 Notices. All notices and communications given under this Addendum must be in electronic form, sent by email to [email protected], or at such other email address as notified from time to time by the Parties changing address.
This DPA and any dispute or claim arising out of or in connection with this DPA or its subject matter shall be governed by, and construed in accordance with, the laws of New York.
Subject Matter: Macabacus' provision of the Services to you.
Duration: For the duration of the Principal Agreement.
Data Subjects: End-users of Macabacus' software and services.
Data Processing Activities: Delivering Macabacus desktop software and services.
Categories of Personal Data: Personal data required to deliver Services to Macabacus end-users such as: