Data Processing Agreement
Last updated August 23, 2021
This Data Processing Agreement (“DPA”) supplements the Order Form and Platform Access and Services Agreement (“Terms”) (the DPA, along with the Terms, is collectively referred to as the “Agreement”) entered into between Aumni, Inc. (“Aumni”) and the Customer (collectively with its affiliates and subsidiaries worldwide, “Customer”); the terms of this DPA are incorporated by reference therein. This DPA shall apply to all Processing of Customer Personal Data by Aumni to provide the Product as agreed to in the Order Form.
If there is any conflict between this DPA and the Terms, this DPA shall prevail solely to the extent of such conflict.
In this DPA, the following terms shall have the meanings set out below and their cognate terms shall be construed accordingly:
- Customer Data has the meaning given to it in the Terms.
- Customer Personal Data means any Customer Data that is Personal Data.
- Data Breach means any unauthorized interference with the availability of, or any unauthorized, unlawful or accidental loss, misuse, destruction, alteration, acquisition of, access to, disclosure of, or damage to Customer Data or Confidential Information, or any other unauthorized Processing of Personal Data that may adversely affect the privacy or security of individuals or the Customer. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Data or Confidential Information, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other similar incidents.
- Data Protection Laws means all applicable laws relating to privacy, security, or protection of Personal Data, as may be defined in such laws, including, the EEA Law, the California Consumer Protection Act (“CCPA”), and any subsequent supplements, amendments, or replacements to the same.
- EEA means the European Economic Area and the European Union, Switzerland, and the UK.
- EEA Law means EU General Data Protection Regulation (Regulation 2016/679) (“GDPR”), any successor or amendments thereto, and any other law relating to the data protection, security, or privacy of individuals that applies in the EEA.
- Personal Data means any information processed by Aumni in connection with the performance of the Product, including information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular individual or household or with a particular individual’s or household’s device; or any inferences drawn therefrom. Personal Data includes, but is not limited to, name, alias, postal address, identification number, phone number, physical address, email address, details of orders and fulfilments, location data, online identifiers such as internet protocol addresses, cookie or other unique identifiers or as otherwise defined (including under similar terms such as “personal information,” “personal health information,” “personally identifiable information,” and “sensitive personal information”) under Data Protection Laws.
- Process, processed, or processing means the collection, receipt, recording, organization, structuring, alteration, use, transmission, access, sharing, provision, disclosure, distribution, copying, transfer, storage, management, retention, deletion, combination, restriction, summarizing, aggregation, correlation, inferring, derivation, analysis, adaptation, retrieval, consultation, destruction, disposal, or other handling of Personal Data.
- Services means services provided by Aumni as agreed to in the Order Form.
- Standard Contractual Clauses means the standard contractual clauses for the transfer of EEA Personal Data to third countries as adopted by the European Commission, or any successor clauses thereto.
- The terms Controller, Data Processor, Subprocessor, Data Subjects, Sell, and Service Provider shall have the same meaning as in the applicable Data Protection Laws, and their cognate terms shall be construed accordingly.
GENERAL DATA PROCESSING OBLIGATIONS
- Role of Parties. The parties acknowledge and agree that with respect to processing of Customer Personal Data, Aumni is a Data Processor and a Service Provider and Customer is a Controller, except that if Customer is a Data Processor, Aumni is a Subprocessor. If Customer is a Processor of Customer Personal Data, Customer represents and warrants that Customer’s instructions and Processing of Customer Personal Data, including its appointment of Aumni as a Subprocessor, have been authorized by the respective Controller. Notwithstanding the foregoing, Aumni will be an independent Controller with respect to any Personal Data of Customer employees and other personnel using the Services or acting as administrative or business representatives with respect to the Services. Customer also represents and warrants that the Customer is responsible for the security and integrity of Customer Data in the Customer’s environment.
- Compliance with Data Protection Laws. Each party will comply with obligations under applicable Data Protection Laws in connection with Processing of Customer Personal Data.
- Purpose of Processing. The purpose of Processing under this DPA is the provision of the Services pursuant to the Agreement. Exhibit 1 (Scope of Processing) describes the subject matter and details of the Processing of Customer Personal Data.
- Customer Instructions and Restrictions on Processing.
- Aumni shall use, retain, and disclose Customer Personal Data only on behalf of the Customer and for the specific business purpose of providing the Services and in accordance with Customer’s instructions, including as described in the Agreement. Aumni shall not Sell Customer Personal Data, nor use, retain, or disclose Customer Personal Data outside of its business relationship with the Customer or for any other purpose except as required by law. Aumni will inform Customer if, in Aumni’s reasonable opinion, any of Customer’s instructions infringes any Data Protection Laws.
- Aumni shall have rights to use Customer Personal Data solely (i) to the extent necessary to (a) perform its obligations under this Agreement; (b) operate, manage, test, maintain and enhance the Service, including as part of its business operations; (c) disclose aggregate statistics about the Service in a manner that prevents individual identification of the Customer, Customer Data, any individual device, or individual person; and/or (d) protect the Service from a threat to the Service or Customer Personal Data; (ii) if required by court order of a court or authorized governmental agency, provided that prior notice first be given to the Customer; or (iii) as otherwise expressly authorized by the Customer.
- Aumni certifies that it understands these restrictions and will comply with them.
CUSTOMER’S OBLIGATIONS
- Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Personal Data. Customer will not provide or cause to provide any data or information that is not necessary for Aumni to provide Customer the Services identified in the Order Form. Customer is responsible for the security and integrity of any Customer’s systems from where Customer Data is provided to Aumni.
- Customer shall, in its use of the Services, Process Personal Data in compliance with the requirements of Data Protection Laws, including any applicable industry standards and self-regulatory programs that are binding on Customer. Customer shall be responsible for complying with any notice and consent obligations under such Data Protection Laws.
- Customer understands and agrees that Customer is solely responsible for its own actions and activity in connection with the Customer Account and that Customer will keep its account passwords and login information confidential.
CONFIDENTIALITY OBLIGATIONS
- Each party agrees, both during and after termination of this Agreement, to hold the Confidential Information in the strictest confidence and comply with the applicable confidentiality obligations in the Terms.
AUMNI OBLIGATIONS
- Data Protection Compliance Assistance.
- Where Aumni is acting as a Processor, Aumni will reasonably assist Customer in complying with its obligations under the applicable Data Protection Laws, including without limitation, conducting data protection impact assessments, and any consultations with the supervisory or regulatory authority.
- Aumni shall not perform its obligations under this Agreement in such a way as to cause Customer to breach any of its obligations under applicable Data Protection Laws.
- Data Subject Rights.
- Where Aumni is acting as a Processor, Aumni will promptly notify Customer in writing, and in any case without undue delay, if Aumni receives (i) any requests from a Data Subject, with respect to Customer Personal Data, including individual opt-out requests, requests for access and/or deletion and all similar individual rights requests; or (ii) any complaint or inquiry relating to the Processing of Customer Personal Data, including allegations that the Processing infringes on any individual’s or third party’s rights. Aumni will not respond to any such request or complaint unless expressly authorized to do so by Customer or required to respond under applicable Data Protection Laws.
- To the extent Customer, in its use of the Services, does not have the ability to respond to a request under this Section 5, Aumni shall upon Customer’s written request provide reasonable assistance to the Customer in responding to such request.
- Aumni shall comply with any instructions given by the Customer regarding responding to requests under this Section 5.
- The Customer hereby consents to the use of the Subprocessors by Aumni for the purposes of providing the Services pursuant to the Agreement. The Subprocessors that are currently authorized to Process Customer Personal Data will be provided to Customer upon request. To the extent required by Data Protection Laws, if Aumni appoints a new Subprocessor or intends to make any changes concerning the addition or replacement of the Subprocessors, it shall provide Customer prior written notice, during which Customer can object against the appointment or replacement on reasonable grounds. If Customer does not object within a reasonable period following such notice, Aumni may proceed with the appointment or replacement of Subprocessor.
- Aumni must ensure that it has a written agreement in place with all Subprocessors which contains obligations on the Subprocessors which are no less onerous on the relevant Subprocessor than the obligations on Aumni under this DPA.
- Aumni shall be liable for the acts and omissions of its Subprocessors to the same extent Aumni would be liable if providing the Product and related services of each Subprocessor directly under the terms of this DPA.
- Staff Confidentiality. Aumni shall ensure that all employees, agents, officers, consultants, Subprocessors and any third party authorized to Process the Customer Personal Data or Confidential Information are subject to written confidentiality agreements or are under an appropriate statutory obligation of confidentiality.
- Aumni will implement and maintain commercially reasonable administrative, technical and physical safeguards, including procedures and practices commensurate with the level of sensitivity of the Customer Personal Data and Confidential Information and the nature of its activities under the Agreement, to protect the security, confidentiality and integrity of such information Processed by Aumni or in its possession and control including such safeguards (a) designed to ensure the security of systems upon which such information is Processed; and (b) designed to prevent a Data Breach.
- Data Breach.
- In the event Aumni discovers or learns of a Data Breach affecting Customer Data, Aumni shall take appropriate and prompt steps to: (a) investigate, mitigate, and remedy the Data Breach and prevent further Data Breaches, (b) notify Customer of such Data Breach without unreasonable delay; (c) furnish to Customer necessary and relevant details of the Data Breach as may be available; (d) assist Customer, as needed, in its investigation, mitigation, and remedying of the Data Breach; (e) provide information and reasonably assist Customer, as needed, in meeting Customer’s legal obligations, including any applicable obligations to notify individuals affected by the Data Breach; and (f) cooperate with Customer in any other reasonable action, step, or proceeding as may be deemed necessary by Customer in connection with the Data Breach and any dispute, inquiry or claim concerning the Data Breach.
- Unless prohibited by an applicable statute or court order, Aumni shall notify Customer of any third-party legal process relating to any Data Breach, including, but not limited to, any legal process initiated by any governmental entity.
- Aumni will comply with any reasonable instructions given by the Customer regarding any requests in connection with a Data Breach.
- Aumni’s cooperation or obligation to report or respond to Data Breaches under this DPA is not and will not be interpreted as an acknowledgment by Aumni of any fault or liability of Aumni with respect to a Data Breach.
- Upon written request from the Customer, Aumni shall make available to the Customer once a year such information as is reasonably required by the Customer to demonstrate Aumni’s compliance with its obligations under this DPA.
- If the Customer in its reasonable opinion determines that the information provided under Section 5.7.1 is not sufficient, Aumni will assist with Customer’s request for additional information through completing a reasonable questionnaire or request for information provided by Customer (“Questionnaire”), or a third party acting on Customer’s behalf, regarding Aumni’s compliance with this Addendum.
- If the Customer in its reasonable opinion determines that the information provided under Section 5.7.2 is not sufficient, Aumni will allow the Customer or a third party acting on behalf of the Customer to conduct audits solely as necessary to fulfill Customer’s obligations under Data Protection Laws no more than once annually.
- Any such audit under this Section 5.7 will occur only after Customer has provided Aumni with at least 60 days’ prior written notice and during a mutually agreed upon date, time, and location. Audits must not unreasonably interfere with Aumni’s business or operations and the scope of such audit will be subject to Aumni’s reasonable pre-approval. Individuals responsible for conducting such audit shall be subject to a contract of confidentiality with Aumni. The work required by Aumni to participate in any audit may result in additional fees (at a mutually agreed upon hourly rate) to be paid by the Customer, unless otherwise agreed in writing prior to the commencement of such audit. If the audit reveals any vulnerability or inadequacy, Aumni shall correct any such vulnerability or inadequacy at its sole cost and expense and shall certify the same in writing to Customer.
- To ensure that Aumni complies with applicable Data Protection Laws and its contractual obligations regarding data privacy and security, the Customer agrees that Aumni is not required to provide the Customer with access to the Aumni’s systems or information in a manner that may compromise the security, privacy, or confidentiality of Aumni’s other Customers’ confidential or proprietary information. Any information disclosed pursuant to this Section 5.7 will be deemed Aumni’s Confidential Information.
DATA TRANSFERS
- As of the date this DPA was last updated, all Customer Personal Data is Processed in the United States. In its role as a Processor, Aumni will not Process any Customer Personal Data subject to EEA Law outside of the United States or a country recognized as “adequate” by the E.U. Commission without Customer’s written authorization.
- Aumni may Process Customer Personal Data in various jurisdictions in which it operates provided Aumni reasonably cooperates with the Customer to comply with applicable data transfer restrictions and obligations required by this DPA and applicable Data Protection Laws.
- To the extent Customer Personal Data that is subject to EEA Law is processed, the parties will execute appropriate data processing terms (including any transfer terms) in connection with such processing and transfer.
- To the extent Data Protection Laws require any further steps to be taken in order to permit the transfer of Customer Personal Data to Aumni (including in relation to data export restrictions under applicable Data Protection Laws outside the EEA), Aumni will work with Customer in good faith (including, where reasonably necessary, by entering into contractual clauses with Customer) to ensure that the transfer of Customer Personal Data meets the requirements of Data Protection Laws. To the extent Customer Personal Data is subject to EEA Laws, the parties will execute appropriate data processing and transfer terms for such processing and transfer.
RETURN OR DESTRUCTION OF CUSTOMER PERSONAL DATA
- Either upon request or direction by Customer or termination or expiration of this Agreement, Aumni will (a) provide a copy of all Customer Personal Data in Aumni’s possession to the Customer and upon written verification from Customer of Customer’s receipt of such Customer Personal Data, destroy such information in accordance with this Section 7; (b) subject to Section 7.1 (a), promptly and securely destroy all such Customer Personal Data in accordance with applicable Data Protection Laws; and (c) certify in writing that it has complied with this Section 7, except to the extent that Aumni is required by applicable law to keep a copy of the Customer Personal Data and notifies Customer of the same.
- Aumni agrees to comply with the terms of this DPA to the extent any Customer Personal Data remains in its possession or control in accordance with this Section 7.1.
Exhibit 1 to Data Protection Agreement
DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Exhibit 1 includes details of the Processing of Customer Personal Data by Aumni.
Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are set out in the Agreement, this DPA, and in the applicable Order Form and Platform Access and Services Agreement.
The nature and purpose of the Processing of Customer Personal Data
Customer Personal Data may be processed as described in the Agreement, this DPA and in the applicable Order Form and Platform Access and Services Agreement.
The types of Customer Personal Data to be Processed
The types of data to be processed shall be determined by the Customer and as may be described in the applicable Order Form and Platform Access and Services Agreement and may include all types of Personal Data.
The types of Sensitive Personal Data to be Processed
The categories of Data Subject to whom the Customer Personal Data relates
The categories of Data Subject shall be determined by the Customer and as may be described in the applicable Order Form and Platform Access and Services Agreement and may include all categories of Data Subjects.
The obligations and rights of Customer
The obligations and rights of Customer and its Affiliates are set out in the Agreement and this DPA.
Customer Personal Data is disclosed to the following categories of Recipients:
- Customer Operations
- Customer Success
- Database Engineers
Contact points for data protection enquiries