DATA PROCESSING AGREEMENT
Last Updated: June 4, 2024
THIS AGREEMENT, effective as of ___________ (“Effective Date”), is made by and between
- _________________________________, (Controller hereinafter referred to as “Client”).
- Xappex LLC of 8928 Echo Ridge Drive, Las Vegas, NV 89117, USA (Processor hereinafter referred to as “Xappex”).
1. PURPOSE
The Client wishes to outsource certain services which require the processing of personal data. Xappex is the chosen service provider and does so under the current data protection legal framework. Consequently, the parties seek to implement a supplementary data processing agreement, expressly incorporated into the service agreement, that complies with the obligations set out in the General Data Protection Regulation 2016/679 (“GDPR”).
2. DEFINITIONS
2.1. In this Agreement, capitalized words shall have the meaning as set out below or, as the case may be, elsewhere in this Agreement:
2.1.1. “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party from time to time during the Term;
2.1.2. “Data Protection Law” means the data privacy laws applicable to the processing in connection with the Services, including, where applicable, the GDPR;
2.1.3. “Contractual Clauses” means the Standard Contractual Clauses of the European Commission for the transfer of personal data across borders, as amended or replaced from time to time, or any equivalent set of contractual clauses approved for use under Data Protection Law; and
2.1.4. “Personal Data” means the personal data processed by Xappex in connection with the Services on behalf of Client during the Term and as defined in Art. 4 (1) of the GDPR. The processing may include activities auxiliary to our services, such as administrative and other services. This will include names and other information about data subjects included in Client materials.
2.1.5. The words “data subject”, “processing” and variations, “controller” and “processor” shall have the meaning attributed to them in the GDPR.
3. APPOINTMENT
3.1. Xappex is designated by its Clients, Client Affiliates and Business Affiliates (collectively “Instructing Parties”) to provide and manage various services, including the Services on their behalf. Accordingly, Personal Data may contain personal data in relation to which Client and its Instructing Parties are controllers. Xappex confirms that it is authorised to communicate to Client any instructions or other requirements on behalf of Client in respect of processing of Personal Data in connection with the Services.
3.2. Xappex is appointed by Client to process Personal Data on behalf of Client and/or the Instructing Parties, as the case may be, as is necessary to provide the Services or as otherwise agreed by the parties in writing.
4. DURATION
The Terms shall commence on the Effective Date and shall continue in full force and effect until such time as all Services have ceased and all Personal Data in Xappex’s possession or within its reasonable control has been returned or destroyed (the “Term”).
5. DATA PROTECTION COMPLIANCE
5.1. In relation to its processing of Personal Data, save as otherwise required by law, Xappex agrees to:
5.1.1. process Personal Data only as required in connection with the Services and in accordance with Client’s and its Instructing Parties’ documented lawful instructions from time to time;
5.1.2. inform Client and its Instructing Parties if, in Xappex’s opinion, an instruction infringes Data Protection Law;
5.1.3. ensure that all the personnel authorized by Xappex to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.1.4. implement appropriate technical and organizational measures to appropriately safeguard Personal Data having regard to the nature of the personal data which is to be protected and the risk of harm which might result from any Security Breach (as defined below), at a minimum the measures set out in the Schedule;
5.1.5. promptly inform Client and its Instructing Parties of any data subject requests under Data Protection Law or regulatory or law enforcement requests relating to Personal Data. Xappex shall not acknowledge or otherwise respond to the subject access request except with Client’s and its Instructing Parties’ prior written approval, which shall not be unreasonably withheld;
5.1.6. provide such assistance as Client and its Instructing Parties may reasonably require in order to ensure Xappex’s compliance with Data Protection Law in relation to data security, data breach notifications, data protection impact assessments and prior consultations with a competent authority;
5.1.7. at Client’s and its Instructing Parties’ choice, without delay delete or return all Personal Data to Client and its Instructing Parties, and delete existing copies of all Personal Data in Xappex’s possession or within its reasonable control (including those held by a Subprocessor); and
5.1.8. make available to Client and its Instructing Parties any information reasonably necessary to demonstrate Xappex’s compliance with these Terms and allow for, and contribute to, audits and inspections carried out by Client and its Instructing Parties.
6. SUBPROCESSORS
6.1. Xappex will sub-contract, outsource, assign, novate or otherwise transfer obligations under these Terms or engage any subcontractors involved in the processing of Personal Data (each a “Subprocessor”) only with Client’s prior written consent.
6.2. When engaging a Subprocessor, Xappex will:
6.2.1. carry out reasonable due diligence;
6.2.2. enter into a contract on terms the same as those in these Terms, and which may include Contractual Clauses to provide adequate safeguards with respect to the processing of Personal Data; and
6.2.3. inform Client of any intended changes concerning the addition or replacement of a Subprocessor from time to time. If Client objects to any such change on reasonable grounds, then acting in good faith the parties will work together to resolve such objection.
7. SECURITY INCIDENTS
7.1. “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
7.2. Xappex will notify Client without undue delay, and in any event within 24 hours of discovering such Breach, if Xappex becomes aware of any Security Breach, and provide Client with:
7.2.1. a detailed description of the Security Incident;
7.2.2. the type of data that was the subject of the Security Incident;
7.2.3. the identity of each affected person; and
7.2.4. the steps Xappex takes in order to mitigate and remediate such Security Incident, in each case as soon as such information can be collected or otherwise becomes available.
7.3. Xappex shall use its best efforts to immediately mitigate and remedy any Security Incident and prevent any further Security Incident(s) at its sole expense.
7.4. Xappex agrees that Client shall have the sole right to determine (i) whether notice of the Security Incident is to be provided to any individuals, regulators, law enforcement agencies, consumer reporting agencies or others as required by law or regulation, or otherwise in Client’s discretion, (ii) the contents of such notice, and (iii) whether any type of remediation may be offered to affected persons, as well as the nature and extent of any such remediation.
7.5. In the event of a Security Incident involving Personal Data in Xappex’s possession or otherwise caused by or related to Xappex’s acts or omissions, and without limiting Client’s other rights and remedies, Xappex will pay all costs and expenses of (i) any disclosures and notification required by applicable law or as otherwise determined as appropriate in Client’s reasonable discretion, (ii) monitoring and reporting on the impacted individuals’ or entities’ credit records if determined in Client’s reasonable discretion as reasonable to protect such individuals, and (iii) all other costs incurred by Client in responding to, remediating and mitigating damages caused by such Security Incident.
7.6. Xappex will investigate the Security Breach and take reasonable action to identify, prevent and mitigate the effects of the Security Breach. Xappex will take such further action as Client may reasonably request in order to comply with Data Protection Law.
7.7. Xappex may not release or publish any filing, communication, notice, press release, or report concerning any Security Breach (“Notices”) without Client’s prior written approval; such approval shall not be unreasonably withheld.
8. AUDIT
Client (or its designated representatives) may, on an annual basis or more frequently as reasonably requested by Client, at Client’s expense, conduct an audit to verify that Xappex is operating in accordance with this DPA. Such audit(s) may include a review of all aspects of Xappex’s performance, including, but not limited to, Xappex’s general controls and security practices and procedures. Xappex will cooperate with Client in conducting any such audit, and will allow Client reasonable access, during normal business hours and upon reasonable notice, to all pertinent records, documentation, computer systems, data, personnel and areas used to Process the Client Data, as Client reasonably requests to complete such audit. Client will take reasonable steps to prevent the audit from materially impacting Xappex’s operations. Xappex shall correct any deviations from Security Best Practices that are identified in any security audit as soon as practicable, but in no event more than five days after receiving notice from Client outlining any deviations (provided, however, that if five days is not a practicable cure period, then Xappex may instead present a remediation plan to Client within such five day period that sets forth an achievable and reasonable timeframe, and Xappex must thereafter diligently proceed to correct any deviations in accordance with such plan).
9. INTERNATIONAL DATA TRANSFERS
9.1. Xappex will ensure that no Personal Data are transferred out of either:
9.1.1. the data environment approved by the Client; or
9.1.2. any territory in which restrictions are imposed on the transfer of Personal Data across borders under Data Protection Laws,
9.1.3. without the prior written consent of Client.
9.2. Xappex will ensure that Contractual Clauses or other applicable transfer mechanisms are in place to ensure an adequate level of data protection.
10. INDEMNITY
Notwithstanding any provisions of the relevant Services agreement to the contrary, Xappex shall and hereby agrees to indemnify Client and Instructing Parties and their officers, employees, agents and subcontractors (each an “Indemnified Party”) from and against any claims, losses, demands, actions, liabilities, fines, penalties, reasonable expenses, damages and settlement amounts (including reasonable legal fees and costs) incurred by any Indemnified Party as a result of any gross negligence or willful breach by Xappex of these Terms.
11. MISCELLANEOUS
11.1. Clause and other headings in these Terms are for convenience only and shall not affect the meaning or interpretation of these Terms.
11.2. To the extent of any conflict, these Terms shall prevail over any Services agreement or other agreement.
11.3. Nothing in these Terms will exclude or limit the liability of either party which cannot be limited or excluded by applicable law. Subject to the foregoing sentence, (i) these Terms, including any appendices, constitute the entire agreement between the parties pertaining to the subject matter hereof and supersede all prior agreements, understandings, negotiations and discussions of the parties relating to its subject matter; and (ii) in relation to the subject matter of these Terms neither party has relied on, and neither party will have any right or remedy based on, any statement, representation or warranty, whether made negligently or innocently, except those expressly set out in these Terms.
11.4. Client shall agree to any amendment to these Terms that may be required from time to time for Xappex and Instructing Parties to comply with any amended Data Protection Laws.
11.5. All notices of termination or breach must be in English, in writing and addressed to the other party’s primary contact person or legal department. Notice will be treated as given on receipt, as verified by a valid receipt or electronic log. Postal notices will be deemed received 48 hours from the date of posting by recorded delivery or registered post.
11.6. The provisions of these Terms are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of these Terms shall remain in full force and effect.
11.7. These Terms are governed by the law of the United States and the parties submit to the exclusive jurisdiction of the Nevada courts in relation to any dispute (contractual or noncontractual) concerning these Terms, save that either party may apply to any court for an injunction or other relief to protect its property or confidential information. The foregoing shall not apply where Client’s Business is located within the European Union, and in such circumstances the parties agree to submit to the exclusive jurisdiction of the courts of the place where Client’s Business is located.
This Agreement has been duly executed the day and year first above written.
SIGNED by ____________________ SIGNED by ____________________
[Elena Vesselova, Director of Operations] [_____________________________]
for and on behalf of Xappex for and on behalf of [_______________]
ANNEX I
DETAILS OF PROCESSING
This Annex includes certain details of the Processing of Personal Data as required under the Data Protection Laws.
Categories of Data Subjects:
Customer employees, Customer’s customers, and any data subjects whose data are uploaded to the Service by Customer.
Categories of Personal Data processed:
Contact information.
Special Categories of Personal Data:
None.
Nature of the processing:
Collection, storage, organization, communication, transfer, hosting and other uses in performance of the Services as set out in the Agreement.
Purpose(s) of Processing:
To provide the Service.
Retention Period:
For as long as is necessary to provide the Service by Xappex; provided there is no legal obligation to retain the Personal Data post termination or unless otherwise requested by the Customer.
Process Frequency:
Continuous basis
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES
Please review Xappex’s security policy to learn more regarding the technical and organizational measures implemented by it in order to ensure an appropriate level of security for its Processing of Customer Data.
Additional Safeguards, not derogating from the Data Privacy Framework to the extent it applies:
Measures and assurances regarding U.S. government surveillance have been implemented by Xappex, and Xappex agrees and hereby represents it maintains the following additional safeguards:
- Xappex maintains industry standard measures to protect the Customer Data from interception (including in transit from Customer to Xappex and between different systems and services). This includes maintaining encryption in transit and at rest. In addition, the fragment key enabling the decryption of Customer Data is held independently by Customer, locally within Customer’s environment, and is the only feasible way to decrypt Customer Data.
- As of the “Last Updated” date stated above, Xappex has not received any national security orders.
- No court has found Xappex to be: (i) the type of entity eligible to receive process issued under section 702 of the United States Foreign Intelligence Surveillance Act (“FISA”); (ii) an “electronic communication service provider” within the meaning of 50 U.S.C. § 1881(b)(4) or a member of any of the categories of entities described within that definition.
- In the event that FISA applies to Xappex, Xappex will make reasonable efforts to resist, subject to applicable laws, any request for bulk surveillance relating to the Customer Data, including (if applicable) under Section 702 of the FISA.
- If Xappex becomes aware of any law enforcement agency or other governmental authority (“Authority”) attempt or demand to gain access to or receive a copy of the Customer Data (or part thereof), whether on a voluntary or a mandatory basis, then, unless legally prohibited or under a mandatory legal compulsion that requires otherwise, Xappex shall: (i) inform the relevant Authority that Xappex is a Processor of the Customer Data and that Customer, as the Controller, has not authorized Xappex to disclose the Customer Data to the Authority; (ii) inform the relevant Authority that any and all requests or demands for access to Customer Data should be directed to or served upon Customer in writing; and (iii) use reasonable legal mechanisms to challenge any such demand for access to Customer Data.
- Notwithstanding the above, if, taking into account the nature, scope, context and purposes of the related Authority’s intended access to Customer Data, Xappex has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual or entity, these subsections shall not apply. In such event, Xappex shall notify Customer, as soon as possible, following the access by the Authority, and provide Customer with relevant details, unless and to the extent legally prohibited to do so.
- Xappex will inform Customer, upon written request (and not more than once a year), of the types of binding legal demands for Customer Data Xappex has received and complied with, including demands under national security orders and directives, specifically including any process under Section 702 of FISA.
ANNEX III
LIST OF SUB-PROCESSORS
As of the effective date above, Xappex uses the following sub-processors:
- Amazon Web Services, Inc. – cloud infrastructure provider for XL-Connector 365 and Xappex’s customer portal.
- SendGrid, Inc. – SMTP for sending emails to our customers. Mail servers are provided by SendGrid to deliver emails from all our products.
- Google Cloud – cloud infrastructure provider for G-Connector for Salesforce, G-Connector for Zoho CRM, and G-Connector for Google Data Studio Connector.
- Chargebee.com – billing management system.
- Braintreepayments.com – payments gateway.
- Freshworks Inc. (Freshdesk) – online cloud-based customer service software providing helpdesk support.
- HubSpot, Inc. – CRM platform for inbound marketing, sales, and customer service.
ANNEX IV
EU INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to transfer of Customer Data from the EEA to other countries that are not deemed as Adequate Countries.
- Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the transfer is effectuated by Customer as the Controller of the Customer Data and Xappex is the Processor of the Customer Data.
- The parties agree that for the purpose of transfer of Customer Data between Customer (as Data Exporter) and Xappex (as Data Importer), the following shall apply:
- Clause 7 of the Standard Contractual Clauses shall not be applicable.
- In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Sub-Processor changes shall be as set forth in the Sub-Processor Section of the DPA.
- In Clause 11, the optional language will not apply, and Data Subjects shall not be able to lodge a complaint with an independent dispute resolution body.
- In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the EU Member State in which the Customer is established (where applicable).
- In Clause 18(b) the parties choose the courts of Nevada, as their choice of forum and jurisdiction.
- Annex I.A of the Standard Contractual Clauses shall be completed as follows:
- “Data Importer”: Xappex
- “Data Exporter”: Customer
- Roles: (A) With respect to Module Two: (i) Data Exporter is a Controller and (ii) the Data Importer is a Processor.
- Data Exporter and Data Importer Contact details: As detailed in the Agreement.
- Signature and Date: By entering into the Agreement and DPA, Data Exporter and Data Importer are deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
- Annex I.B of the Standard Contractual Clauses shall be completed as follows:
- The purpose of the Processing, nature of the Processing, categories of Data Subjects, categories of Personal Data and the parties’ intention with respect to the transfer of special categories are as described in Annex I (Details of Processing) of this DPA.
- The frequency of the transfer and the retention period of the Personal Data is as described in Annex I (Details of Processing) of this DPA.
- The Sub-Processors which Personal Data is transferred to are listed in Annex III.
- Annex I.C of the Standard Contractual Clauses shall be completed as follows: the competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 3 above.
- Annex II of this DPA (Technical and Organizational Measures) serves as Annex II of the Standard Contractual Clauses.
- Annex III of this DPA (List of Sub-Processors) serves as Annex III of the Standard Contractual Clauses.
- Transfers to the US: Measures and assurances regarding US government surveillance (“Additional Safeguards”) are further detailed in Annex II.
ANNEX V
UK INTERNATIONAL TRANSFERS AND SCC
- The parties agree that the terms of the Standard Contractual Clauses as amended by the UK Standard Contractual Clauses, and as amended in this Annex V, are hereby incorporated by reference and shall apply to transfer of Customer Data from the UK to other countries that are not deemed as Adequate Countries.
- This Annex V is intended to provide appropriate safeguards for the purposes of transfers of Customer Data to a third country in reliance on Article 46 of the UK GDPR and with respect to data transfers from Controller to Processor or from a Processor to its Sub-Processors.
- Terms used in this Annex V that are defined in the Standard Contractual Clauses, shall have the same meaning as in the Standard Contractual Clauses.
- This Annex V shall (i) be read and interpreted in the light of the provisions of UK Data Protection Laws, and so that it fulfills the intention for it to provide the appropriate safeguards as required by Article 46 of the UK GDPR, and (ii) not be interpreted in a way that conflicts with rights and obligations provided for in UK Data Protection Laws.
- Amendments to the UK Standard Contractual Clauses:
- Part 1: Tables
- Table 1 Parties: shall be completed as set forth in Section 4 within Annex IV above.
- Table 2 Selected SCCs, Modules and Selected Clauses: shall be completed as set forth in Section 2 and 3 within Annex IV above.
- Table 3 Appendix Information:
- Annex 1A: List of Parties: shall be completed as set forth in Section 2 within Annex IV above.
- Annex 1B: Description of Transfer: shall be completed as set forth in Annex I above.
- Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: shall be completed as set forth in Annex II above.
- Annex III: List of Sub Processors: shall be completed as set forth in Annex III above.
- Table 4 Ending this Addendum when the Approved Addendum Changes: shall be completed as “neither party”.
ANNEX VI
SUPPLEMENTARY TERMS FOR SWISS DATA PROTECTION LAW TRANSFERS ONLY
The following terms supplement the Clauses only if and to the extent the Clauses apply with respect to data transfers subject to Swiss Data Protection Law, and specifically the FDPA:
- The term “Member State” will be interpreted in such a way as to allow Data Subjects in Switzerland to exercise their rights under the Clauses in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Clauses.
- The clauses in the DPA protect the Customer Data of legal entities until the entry into force of the upcoming revised FDPA.
- All references in this DPA to the GDPR should be understood as references to the FDPA insofar as the data transfers are subject to the FDPA.
- References to the “competent supervisory authority”, “competent courts” and “governing law” shall be interpreted as Swiss Data Protection Laws and Swiss Information Commissioner, the competent courts in Switzerland, and the laws of Switzerland (for Restricted Transfers from Switzerland).
- In respect of data transfers governed by Swiss Data Protection Laws, the EU SCCs will also apply to the transfer of information relating to an identified or identifiable legal entity where such information is protected similarly as Personal Data under Swiss Data Protection Laws until such laws are amended to no longer apply to a legal entity.
- The competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
ANNEX VII
US DATA PROTECTION LAWS ADDENDUM
This US Privacy Law Addendum (“US Addendum”) adds specifications applicable to US Data Protection Laws. All terms used but not defined in this US Data Protection Laws Addendum shall have the meaning set forth in the DPA.
- CCPA Specifications:
- For the purpose of the CCPA, Customer is the Business and Xappex is the Service Provider.
- Xappex shall Process Customer Data on behalf of the Customer as a Service Provider under the CCPA and shall not: (i) Sell or Share the Customer Data; (ii) retain, use or disclose the Customer Data for any purpose other than for a Business Purpose specified in the Agreement; or (iii) combine the Customer Data with other Personal Data that it receives from, or on behalf of, another customer, or collects from its own interaction with California residents, except as otherwise permitted by the CCPA.
- If, and to the extent applicable, Xappex shall assist Customer in respect of a Consumer request to limit the use of its Sensitive Personal Information (“SPI”) by Xappex.
- Xappex certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from Selling any Customer Data.
- US Applicable States Specifications:
- For the purpose of this US Addendum, “Applicable States” shall mean Virginia, California, Colorado, Connecticut and Utah.
- Xappex agrees to notify the Customer if Xappex makes a determination that it can no longer meet its obligations under this US Addendum or US Data Protection Law.
- Xappex shall provide information necessary to enable Customer to conduct and document any data protection assessments required by US Data Protection Laws. Notwithstanding the above, Xappex is responsible for only the measures allocated to it.
- Xappex shall provide assistance, and shall procure that its subcontractors provide assistance, as Customer may reasonably request, where and to the extent applicable, in connection with any obligation by Customer to respond to Consumers’ requests for exercising their rights under the US Data Protection Laws, including without limitation by taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s respective obligation. Xappex acknowledges and confirms that it does not receive any monetary goods, payments or discounts in exchange for Processing the Customer Data.
- Each party shall, taking into account the context of Processing, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. The parties are hereby establishing a clear allocation of the responsibilities between them to implement these measures. Xappex technical measures are detailed in the DPA and Annexes above.
- The Processing instructions, including the nature of Processing, purpose of Processing, the duration of Processing, the type of Personal Data and categories of Data Subjects, are set forth in Annex I above.
- In addition to the Audit rights under Section 8 of the DPA, under US Data Protection Laws and subject to Customer’s consent, Xappex may alternatively, in response to Customer’s on-premise audit request, engage a third-party auditor to verify Xappex’s compliance with its obligations under US Data Protection Laws. During such audit, Xappex will make available to the third-party auditor all information necessary to demonstrate such compliance.
- Each party will comply with the requirements set forth under US Data Protection Laws with regards to processing of de-identified data, as such term is defined under the applicable US Data Protection Law.
- When Processing Customer Data or Usage Data (as defined in the Agreement) for the permitted purposes under US Data Protection Laws, Xappex shall ensure it complies with applicable laws and shall be liable for such Processing activities.