Data Processing Appendix

Transcription

1 Company Name* Execution Date *Company name indicated must conform to the name on customer s Master Subscription Agreement executed with SugarCRM. This Data Processing Appendix on the processing of personal data on behalf of a controller in accordance with Article 28 (3) of the GDPR is an appendix to the Master Subscription Agreement (the MSA ) between SugarCRM Inc. ( SugarCRM ) and the party named above ( Company ). Preamble This Data Processing Appendix ( DPA ) details the parties obligations on the protection of personal data associated with the processing of Personal Data on behalf of Company or an Authorized Affiliate ( Contract Processing ) as described in the MSA and/or Professional Services Agreement (including any Order Forms, Statements or Work, annexes or schedules attached thereto or URLs referenced therein) entered into between the parties (as applicable, the Principal Agreement ). As used in this DPA, all capitalized terms not otherwise defined herein shall have the meanings given to such terms in the Principal Agreement. 1. Scope, duration and specification of contract processing of Personal Data The Principal Agreement defines the scope and duration of the data processing as well as the type and the purpose of the data processing. The details for the data processing are as specified in the attached Schedule A Service Specific Schedule/Data Processing Description. This DPA shall become effective on 25 th of May 2018 and remain in force for the duration of the Principal Agreement. 2. Scope of application and Responsibilities 2.1 Relationship of the parties: Company (a) is the sole Controller of Personal Data or (b) has been instructed by and obtained the authorization of the relevant Authorized Affiliate(s) to agree to the Processing of Personal Data by SugarCRM as set out in this DPA. The parties agree that SugarCRM processes Personal Data on behalf of Company and Authorized Affiliates. Company is solely responsible for entering Personal Data into the Product and any combination or interoperation with third party software or products. Company retains all ownership in the Personal Data and shall have sole responsibility for the accuracy, quality, and legality of Personal Data, the means by which Company acquired Personal Data, and compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of disclosing Personal Data to SugarCRM, the lawfulness of having Personal Data processed on behalf of Company as well as the lawfulness of any instructions it provides to SugarCRM. SugarCRM is not responsible for determining the requirements of laws applicable to Company s business or that SugarCRM s provision of the Service meet the requirements of such laws. Company will not use the Services in conjunction with Personal Data to the extent that doing so would violate applicable data protection laws. 2.2 Processing: Company grants SugarCRM the non-exclusive right to use, access and process all Personal Data for the sole purpose and to the extent necessary for SugarCRM to provide the Product or Service to Company and to perform its obligations under the Principal Agreement. 2.3 Instructions: Company s instructions on Contract Processing are as documented in the Principal Agreement ( Documented Instructions ). The Parties agree that Company may subsequently ask to amend, change or replace the Documented Instructions in writing. Those instructions must not change the material scope of the Services and shall only become binding upon execution of a written amendment to the Principal Agreement (hereinafter, a New Processing Instruction ). The Parties agree that any costs of such New Processing Instruction, to the extent they exceed the scope of the Documented Instructions or require additional effort or costs will be paid by Company to SugarCRM. 2.4 Prohibited data: Company shall not disclose (and shall not permit any data subject to disclose) to SugarCRM any special and/or prohibited categories of Data for processing that are not expressly disclosed in Schedule A. Data Processing Appendix v 1.1 Page 1 of 7

2 3. Obligations of SugarCRM 3.1 Purpose limitation: SugarCRM shall process the Personal Data as necessary to perform its obligations under this DPA and in accordance with the Principal Agreement, including the Documented Instructions and any binding New Processing Instruction (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law to which SugarCRM is subject. 3.2 Confidentiality of processing: SugarCRM shall ensure that any person that it authorises to process the Personal Data (including SugarCRM s staff, agents and subcontractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 3.3 Security: SugarCRM shall, organise SugarCRM s internal organisation so that it satisfies the specific requirements of data protection as follows: SugarCRM shall implement appropriate technical and organisational measures to protect (within SugarCRM s s scope of responsibility) the Personal Data (i) from accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the measures identified in Schedule B. Company is familiar with these technical and organizational measures, and it shall be Company s responsibility that such measures ensure a level of security appropriate to the risk. SugarCRM shall be entitled to modify the security measures identified in Schedule B, provided, however, no modification shall be permissible if it materially derogates from the level of protection contractually agreed upon. 3.4 Cooperation and data subjects' rights a. SugarCRM shall provide reasonable assistance to Company to the extent it is agreed upon by the parties, at Company s expense, to enable Company to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Laws (including its rights of access, rectification, erasure, restriction, data portability and objection, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Personal Data. This shall only apply if (a) Company does not have the technical ability to address such a request itself or migrate Personal Data to another system or service provider; and (b) SugarCRM is legally permitted to do so and has reasonable access to the relevant Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to SugarCRM and where SugarCRM is able to correlate the data subject to Company, based on the information provided by the data subject, SugarCRM shall refer such data subject to Company. SugarCRM shall not be liable in the event that Company fails to timely and/or properly respond to the data subject s request. b. At Company s expense and written request, SugarCRM shall (taking into account the nature of the Data Processing Appendix processing and the information available to SugarCRM) provide commercially reasonable assistance to Company in order for Company to fulfill its obligations enumerated in Articles 32 to 36 GDPR if Company does not otherwise have access to the relevant information, and where possible for SugarCRM. 3.5 Security incidents: Upon becoming aware of a breach of personal data within SugarCRM`s scope of responsibility ( Security Incident ), SugarCRM shall inform Company without undue delay. SugarCRM shall implement reasonable measures necessary for securing Personal Data and for mitigating potential negative consequences for the data subject, and shall keep Company informed about all material developments in connection with the Security Incident. SugarCRM will not access the contents of Personal Data in order to identify information, subject to any specific legal requirements. Company is solely responsible for complying with incident notification laws applicable to Company and fulfilling any third party notification duties. SugarCRM s notification of or response to a Security Incident under this Clause 3.6 will not be construed as an acknowledgement by SugarCRM of any fault or liability with respect to the Security Incident. 3.6 Deletion or return of Personal Data: Upon termination or expiry of the Principal Agreement and unless agreed otherwise in the Principal Agreement, SugarCRM shall at the request of Company destroy or return to Company all Personal Data (including all copies of the Personal Data) in its possession or control). This requirement shall not apply to the extent that Documented Instructions require SugarCRM to keep the Personal Data for a longer period or SugarCRM is required by any EU (or any EU Member State) law to retain some or all of the Personal Data, in which event SugarCRM shall isolate and protect the Personal Data from any further processing except to the extent required by such law. 3.7 International transfers: SugarCRM may transfer the Personal Data outside of the European Economic Area ( EEA ) provided that either it is (i) to a recipient in a country that the European Commission has decided provides adequate protection for personal data, (ii) to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, (iii) to a recipient who is certified under the EU-U.S. Privacy Shield Framework, as administered by the US Department of Commerce, or (iv) to a recipient that has executed standard contractual clauses adopted or approved by the European Commission. 3.8 Privacy Shield: SugarCRM Inc. has been certified under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, as administered by the US Department of Commerce. Data Processing Appendix v 1.1 Page 2 of 7

3 4. Obligations of the Company 4.1 Company shall notify SugarCRM, without undue delay, and comprehensively, of any defect or irregularity with regard to provisions on data protection detected by Company in the results of SugarCRM s product or work and any issues related to data protection arising out of or in connection with the Principal Agreement Where a data subject asserts any claims against SugarCRM in accordance with Article 82 of the GDPR, Company shall immediately notify SugarCRM in writing and shall support SugarCRM in defending against such claims 5. Documentation, Audits, Certifications 5.1 SugarCRM shall demonstrate to Company SugarCRM s compliance with this DPA by appropriate measures. 5.2 If Company is using SugarCRM On Demand Services the following will apply: For data centers used by SugarCRM as a hosting facility (the Hosting Facilities ), any audit requirement will be satisfied by SugarCRM making available for review the then-current SSAE 16 SOC Type II audit report for the relevant Hosting Facility (or comparable industry-standard successor report). Company may need to execute a confidentiality agreement with the hosting provider to obtain such reports. 5.3 Where, in individual cases, onsite audits and inspections by Company are mandatorily required by Applicable Data Protection Laws or a Supervisory Authority, such onsite audits and inspections will be conducted during regular business hours, and without interfering with SugarCRM s operations, upon prior written notice of not less than 30 days. SugarCRM may also determine that such audits and inspections are subject to a longer prior notice, and the execution of a confidentiality undertaking protecting the data of other customers and the confidentiality of the technical and organizational measures and safeguards implemented. SugarCRM shall be entitled to rejecting auditors which are competitors of SugarCRM. SugarCRM shall be entitled to requesting a remuneration for SugarCRM s assistance in conducting inspections and Company shall reimburse for any costs (including internal efforts) and expenses associated with any audit. SugarCRM s time and effort for such inspections shall be limited to one day per calendar year in total for all audits requested by Company and any Authorized Affiliate. 5.4 Where a data protection supervisory authority conducts an inspection, Clause 5.3 above shall apply mutatis mutandis. The execution of a confidentiality undertaking shall not be required if such supervisory authority is subject to professional or statutory confidentiality obligations the breach of which is sanctionable under the applicable criminal code. 6. Sub- processors 6.1 SugarCRM shall not subcontract any processing of the Personal Data to a third party subcontractor without the prior written consent of the Company. Company herewith consents that (a) SugarCRM Affiliates may be retained as Subprocessors in connection with the provision of the Services, and (b) SugarCRM uses the Sub-processors specified on the list available under at the following URL: ata_protection. Company herewith also consents to SugarCRM engaging additional third party subcontractors to process the Personal Data provided that: (i) SugarCRM provides at least 30 days' prior notice of the addition or removal of any Sub-processor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal at the URL specified above; (ii) SugarCRM imposes data protection terms on any subprocessor to the equivalent standards provided for by this DPA; and (iii) SugarCRM remains fully liable for any breach of this DPA that is caused by its sub-processor. 6.2 Company may object in writing the appointment of a third party processor for legitimate legal data protection reasons within 30 days after the notice was posted by SugarCRM in writing. If no such written refusal has been made, consent shall be deemed granted. If Company objects the appointment of a third party sub-processor as set forth herein, then SugarCRM shall have the option of either (a) not using that third party processor for its engagement with the Company, (b) terminate the Principal Agreement in writing by providing no less than 30 days prior written notice or (c) if the sub-processor affected is used for On Demand services, agree with Company on a migration to On Site deployment as set out in the Agreement. 7. Assistance, amendments 7.1 Company will make a written request for any assistance referred to in this DPA. SugarCRM will charge Company no more than a reasonable charge to perform such assistance or New Processing Instructions, such charges to be set forth in a quote and agreed in writing by the parties, or as set forth in an applicable change control provision of the Agreement. 7.2 No waiver, amendment or modification of this DPA and/or any of its Schedules shall be valid and binding unless made in a signed writing. 7.3 In case of any conflict, the terms of this DPA shall take precedence over the terms of the Principal Agreement. Where individual terms of this DPA are invalid or unenforceable, the validity and enforceability of the other terms of this DPA shall not be affected. Data Processing Appendix v 1.1 Page 3 of 7

4 8.1 Authorized Affiliates 8.1 Contractual Relationship. Company s execution of this DPA is on behalf of itself and each of Company s Authorized Affiliates, such that a separate DPA is deemed to be entered into between SugarCRM and each such Authorized Affiliate. Company agrees on behalf of each Authorized Affiliate that the Authorized Affiliate is bound by the obligations under this DPA. 8.2 Communication. Company shall remain responsible for coordinating all communication with SugarCRM under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates. SugarCRM shall be discharged of its obligations to inform or notify the Authorized Affiliates when SugarCRM has provided such information or notice to Company. Company is responsible for ensuring that all Instructions and decisions (e.g. regarding subcontractors) are identical for the Company and each of the Authorized Affiliates and undertakes. 8.3 Rights of Authorized Affiliates. Authorized Affiliates (as Controllers) may have certain direct rights against SugarCRM. Company undertakes to exercise all such rights on their behalf and to obtain all necessary permissions from the Authorized Affiliates and to reimburse SugarCRM on behalf of the Authorized Affiliate for any additional costs and expenses. In addition, the Company shall be required to ensure that any and all rights and remedies sought by the Company and Authorized Affiliates are collective and consistent with each other. 8.4 Termination Right. SugarCRM shall be entitled to terminate an Authorized Affiliate s participation in this DPA by providing written notice to Company in the event that (a) Principal Agreement does not expressly allow the use of the Product or Services by Authorized Affiliates, (b) such Authorized Affiliate is in breach of this DPA, or (c) Company is in default of payment of the additional costs, expenses or extra efforts caused by that Authorized Affiliate. 8.5 Company s Notification Obligation of Authorized Affiliates. Pursuant to section 10(b)(v), Company shall notify SugarCRM in writing of all Authorized Affiliates, including each such Authorized Affiliate s name and address. Notwithstanding anything to the contrary, only affiliates included in such notification(s) shall be Authorized Affiliates under this DPA and the Principal Agreement. 9. Principal Agreement Unless otherwise set forth herein, all terms and conditions of the Principal Agreement remain in full force and effect, including without limitation, indemnification, confidentiality and limitation of liability. For the avoidance of doubt, SugarCRM s total liability Data Processing Appendix for all claims from the Company and all of its Authorized Affiliates arising out of or related to the Principal Agreement and each DPA shall apply in the aggregate for all claims under both the Principal Agreement and all DPAs established under the Principal Agreement, including by Company and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Company and/or to any Authorized Affiliate that is a contractual party to any such DPA. Also for the avoidance of doubt, each reference to the DPA in this DPA means this DPA including its Schedules and Appendices. 10. Definitions (a) "Data Protection Laws" means the GDPR and any related national laws governing data protection. (b) Authorized Affiliate means any of Company's Affiliate(s) which (i) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, (ii) is authorized by the Company to use the SugarCRM Product, (iii) is permitted to use the Product and Services pursuant to the Principal Agreement between Company and SugarCRM, (iv) has not signed its own Order Form or agreement with SugarCRM and (v) Company has notified SugarCRM in writing (at legal@sugarcrm.com) that such Affiliate has been authorized to use the SugarCRM Product, including notification of the full legal name of the Affiliate and the Affiliate s address. (c) Controller means the entity which, alone or jointly with others, determines the purposes and means of the processing of personal data. (d) GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). (e) Personal Data means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws) where for each (i) or (ii), such data is Company Data or has been provided to SugarCRM in order to provide support under the Principal Agreement. (f) Processing means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making Data Processing Appendix v 1.1 Page 4 of 7

5 available, alignment or combination, restriction, erasure or destruction. (g) Processor means the entity which Processes Personal Data on behalf of the Controller. (h) Sub-processor means any Processor engaged by SugarCRM. Signed for and behalf of SugarCRM Inc. By: (Authorized Signature) Print name: Mark Liu Print title: General Counsel Signed for and behalf of Company By: (Authorized Signature) Print name: Print title: Date: Data Processing Appendix v 1.1 Page 5 of 7

6 Schedule A Service Specific Schedule / Data Processing Description This Schedule A forms part of the DPA and describes the processing that the processor will performed on behalf of the controller. Data subjects* The personal data to be processed concern the following categories of data subjects Customers Potential Customers Employees Categories of data* The personal data to be processed concern the following categories of data Customer contact data Potential customer contact data Employee contact data Special categories of data (if appropriate) The personal data to be processed concern the following special categories of data (please specify): None Processing operations The personal data will be subject to the following basic processing activities: Support Hosting (if On Demand Product has been subscribed to by Company) Professional Services (if Parties have entered into a separate Professional Services Agreement) * If other data subjects or categories of data are implicated with Company s use of SugarCRM products and services, Company shall notify SugarCRM in writing and parties shall amend this Schedule A in writing. Data Processing Appendix v 1.1 Page 6 of 7

7 Schedule B Minimum Security Measures 1. Physical Access Controls SugarCRM has measures in place to prevent unauthorized persons from gaining access to SugarCRM premises where Company data is processed. Such measures include: controlling access to entry doors and sensitive areas, securing and limiting access to server rooms, installing video cameras where appropriate, using electronic ID badges for entering SugarCRM offices, controlling badge holder access and logging, and alarm monitoring. Visitors must arrive at the main entrance and are met by the sponsoring employee. All visitors are issued visitor badges upon presentation of a government issued photo ID and are required to sign-out upon leaving the premises. SugarCRM On Demand uses data center facilities which are SOC 2 certified. 2. Logical Access Controls SugarCRM has measures in place to prevent data processing systems from being used without authorization. Such measures include locking of terminals; regulations for user authorization; obligation to comply with data confidentiality requirements; differentiated access regulations (e. g. partial blocking); controlled destruction of data media; processes for the checking and release of programs. Company Data is encrypted at rest in our On-Demand environment. 3. Intervention Control SugarCRM has implemented measures to prevent its personal data processing systems from being used by unauthorised persons by means of data transmission equipment. The measures taken include access and authorization concepts with different user ID s and passwords for access to data processing systems. 4. Transfer control Technical measures to prevent Company Data from being processed or used during electronic transmission or during transport without authorization (e.g. by means of encryption or protection by passwords); Such measures include the following: authentication of authorized personnel, controlling the removal and destruction of data media. 5. Input Control If Company Data is processed on SugarCRM systems, access to Company Data will be recorded in in log files. For any Company Data stored in the SugarCRM Product, Company is solely responsible for such data input and SugarCRM does not have any control or involvement in such data input. 6. Separation control Measure to ensure that data collected for different purposes can be processed separately include an authorization concept which takes account the separate processing of data. in the SugarCRM On Demand environment Customer s Company Data is logically separated from other customer s company data. 7. Availability controls Technical measures to ensure that personal data stored in SugarCRM s internal systems are protected against accidental destruction or loss include the use of protection programs (such as firewall, SPAM filters), rejection of unauthorized users, backup and recovery concepts. The SugarCRM On Demand instance makes use of multiple data centers, and clustering to avoid interruptions in service. Data Processing Appendix v 1.1 Page 7 of 7