top of page

Data Processing Addendum
Last Modified: November 16, 2023

This Data Processing Addendum (“Addendum”) is an addendum to and forms part of the Master Services Agreement (or other such titled written or electronic agreement addressing the same subject matter) (“Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Information.  

 

In the course of providing the Services to Customer pursuant to the Agreement, Service Provider may Process Personal Information on behalf of Customer and the parties agree to comply with the following provisions with respect to any Personal Information, each acting reasonably and in good faith. 

 

In the event of any conflict between the Agreement and this Addendum, the terms and conditions of this Addendum shall control. Except to the extent expressly superseded or modified in this Addendum, the terms and conditions of the Agreement will apply to this Addendum and remain in full force and effect.

  1. Definitions

 

  1. “CCPA” means the California Consumer Privacy Act, as amended, and its related regulations;

  2. “Privacy Impact Assessment” means an assessment of the impact of the envisaged Processing operations on the protection of Personal Information as required by applicable Privacy Laws;

  3. “Data Subject” means an identified or identifiable natural person.  

  4. “Personal Information” means any information relating to an identified or identifiable individual, and any other information that constitutes “personal information,” “personal data,” or the like under applicable Privacy Laws.

  5. “PIPEDA” means the Personal Information Protection and Electronic Documents Act, SC 2000, c.5.

  6. “Privacy Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, theft, or unauthorized access to or disclosure of Personal Information.

  7. “Privacy Laws” means any law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) governing the Processing or protection of Personal Information.

  8. “Processing”, “Processed” or “Process” means any operation or set of operations which is performed on Personal Information or on sets of Personal Information, whether or not by automated means, such as but not limited to collection, use, modification, retrieval, disclosure, retention, storage, deletion, and/or management of Personal Information.

  9. “Regulatory Authority” means an independent public authority tasked with the regulation and enforcement of applicable Privacy Laws.

  10. “Data Processing Particulars” means

    1. Nature, purpose, and subject matter: Provision of the AI cloud, VMaaS and/or BMaaS services to the extent reflected in Customer’s Sales Order;

    2. Duration: ongoing until termination of the Agreement. 

  11. Unless otherwise provided:

    1. a capitalised term that is not defined in this Addendum shall have the meaning given to it in the Agreement; and

    2. the words and expressions in, and the rules of interpretation of, the Agreement shall have the same meaning in this Addendum.

 

2. Data Processing and Security Responsibilities 

 

  1. Customer and Service Provider shall each comply with all Privacy Laws that apply to it in relation to any Personal Information Processed in connection with this Addendum.

  2. Customer agrees that it has:

    1. made and shall maintain all necessary registrations and notifications as required in order to permit Service Provider to perform its obligations and exercise its rights under this Addendum;

    2. obtained and shall continue to obtain all consents necessary, and provided all necessary notices and otherwise has and continues to have all necessary authority to permit Service Provider to perform its obligations and exercise its rights under this Addendum, and shall inform Service Provider immediately if any such consents are withdrawn or can no longer be relied upon;

    3. ensured and shall continue to ensure that all Personal Information Processed by Service Provider is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Service Provider to perform its obligations and exercise its rights under this Addendum; 

    4. ensured and shall continue to ensure that there are valid legal bases to enable Service Provider to Process Customer's Personal Information in the matter and for the purposes contemplated under the Agreement and this Addendum; and

  3. Processed and will continue to Process the Personal Information in accordance with all applicable Privacy Laws.

    1. In the course of Processing Personal Information on behalf of Customer, Service Provider shall:

    2. except as otherwise permitted herein, only use, disclose, transfer, retain, and otherwise Process Personal Information as reasonably necessary for the purposes of rendering the Services (which, for ease of reference only, and without enlarging or reducing either party’s rights or obligations, is summarized in the Data Processing Particulars) and as otherwise instructed by Customer in writing from time to time or as required by applicable Privacy Law, and not Process any Personal Information in any other manner without the express prior written authorization of Customer unless required to do so by applicable law;

    3. not retain, use, or disclose California Personal Information outside of the direct business relationship between Service Provider and Customer in violation of the CCPA;

    4. comply with any applicable restrictions under the CCPA on combining the Personal Information that Service Provider receives from, or on behalf of, Customer with Personal Information that Service Provider receives from, or on behalf of, another person or persons, or that Service Provider collects from any interaction between it and a Data Subject;

    5. otherwise comply with applicable provisions of the CCPA, provide the Personal Information subject to such law with the level of protection required by such law, and promptly notify Customer if Service Provider determines it no longer can meet such obligations;

    6. immediately inform the Customer if, in Service Provider’s opinion, any instruction received from the Customer infringes Privacy Law; 

    7. not “sell” or “share” the Personal Information within the meaning of the CCPA;

    8. not otherwise disclose (and not allow any of its employees, or permitted agents or representatives to disclose) any Personal Information to any third party without the prior written authorization of Customer (under this Addendum or otherwise) unless required to do so under applicable law (in which case clause h) below shall apply);

    9. where any disclosure, transfer or other Processing of Personal Information is required by applicable law, promptly notify Customer in writing before complying with any such requirement (unless prohibited by applicable law, such as on important grounds of public interest); 

    10. promptly notify Customer in writing of any (i) enquiry received from individuals relating to the individual’s rights under Privacy Laws, and provide prompt reasonable assistance to Customer with respect to any obligations Customer has to respond to such requests, such as by an obligation to provide access to Personal Information, or to correct, rectify, or restrict the processing of Personal Information; (ii) complaint or correspondence received by Service Provider either from an individual or a Regulatory Authority relating to the Processing of Personal Information, and (iii) order, demand, warrant or any other document purporting to compel the production of any Personal Information, and provide reasonable assistance at Customer’s cost to facilitate Customer’s compliance with Customer’s obligations under Privacy Laws; 

    11. implement reasonable and appropriate physical, technical and organizational security procedures and practices appropriate to the sensitivity of the Personal Information that are designed to protect the Personal Information against loss, theft, destruction, damage, alteration and unauthorized or unlawful access, use, disclosure or other risks incurred by Processing in pursuit of the Services, as would allow Service Provider to reasonably support the ongoing confidentiality, integrity, availability and resilience of Processing systems and services (the “Security Measures”). Service Provider shall carry out regular reviews of the Security Measures to ensure their continuing appropriateness and shall not materially lower the standard of the Security Measures without the prior approval of Customer; 

    12. provide access to Personal Information to employees and authorized agents of Service Provider only if they need to have access to the Personal Information for the purposes set out in the Agreement and this Addendum; 

    13. cause each of Service Provider’s employees involved in rendering the Services to agree in writing to protect the confidentiality and security of the Personal Information in accordance with the terms of this Addendum, and otherwise properly advise and train each of its employees in Privacy Law compliance as applicable to this Addendum; 

    14. ensure that each employee of Service Provider involved in rendering the Services is appropriately screened to confirm the suitability of the performance of their duties in connection with the Services, including the access to and Processing of Personal Information; 

    15. at Customer’s cost and request, and taking into account the nature of the Processing and the Personal Information available to it, provide reasonable assistance to Customer as necessary for Customer to meet its obligations under Privacy Laws in connection with:

      1. obligations relating to ensuring the security and integrity of Personal Information;

      2. obligations relating to notifications and communication of Privacy Breaches as required by Privacy Laws to the Regulatory Authority and/or any affected individuals; and

      3. undertaking any Privacy Impact Assessments that are required by Privacy Laws and, where necessary, consulting with the relevant Regulatory Authority in respect of any such Privacy Impact Assessments;

    16. taking into consideration Service Provider’s role in the Processing of Personal Information, provide the level of protection for the relevant Personal Information required by applicable Privacy Laws; and

    17. notify Customer if Service Provider determines it can no longer meet its obligations under this Addendum.

  4. Service Provider hereby certifies that it understands its obligations under this Addendum (including, without limitation, the restrictions under this Section 2) and that it will comply with them. 

 

3. Audit Rights

 

Customer has the right to (i) take reasonable and appropriate steps to ensure that Service Provider uses the Personal Information in a manner consistent with the business’s obligations under Privacy Laws and (ii) upon notice, take reasonable and appropriate steps to stop and remediate the unauthorized use of Personal Information.  Service Provider shall provide, and Customer agrees to accept, Service Provider’s most current third-party certifications as may be relevant and available in respect of the Services. Service Provider shall provide Customer (or its representatives) with access to information necessary to demonstrate Service Provider’s compliance with this Addendum.

 

4. Sub-processing 

 

Subject to Clause 6, Customer acknowledges and agrees that Service Provider shall use sub-processors (including Service Provider affiliates) to provide the Services. Service Provider shall enter into a written contract with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Service Provider under this Addendum (provided that obligations imposed on Service Provider that are legally required only under a future Privacy Law need not be imposed on a sub-processor prior to the effective date of such Privacy Law).  Service Provider shall only retain sub-processors that Service Provider can reasonably expect to appropriately protect the privacy, confidentiality and security of the Personal Information. To the extent required under applicable Privacy Law, Service Provider shall provide advance notification to Customer before providing a sub-processor with access to Personal Information and allow Customer at least 10 days’ time to lodge an objection by detailing in writing to Service Provider why Customer believes that the sub-processor cannot comply with such obligations.  If Service Provider’s engagement of the subprocessor would breach this Addendum, and Service Provider does not provide a reasonable alternative to such engagement within 20 days of Customer’s notice, Customer may terminate the Agreement and receive a refund of unused prepaid fees.

 

5. Privacy Breach Notification

 

Service Provider shall notify Customer in writing without undue delay upon Service Provider becoming aware of a Privacy Breach. Service Provider shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Privacy Breach to the extent within Service Provider’s control and shall keep Customer informed of material developments in connection with the Privacy Breach.

 

6. Data Transfers

 

Customer acknowledges and agrees that in the course of providing the Services to Customer, Service Provider may transfer Personal Information outside of North America (Canada/US).

 

7. Termination

 

  1. This Addendum shall come into force on the Effective Date of the Agreement and shall remain in force until the termination or expiry of the Agreement.

  2. Upon the termination of the Agreement or at such other times as instructed by Customer in writing, Service Provider shall either anonymize or securely dispose of (or, at Customer’s request, return) the Personal Information and all existing copies, subject to Service Provider’s requirements to retain certain Personal Information in order to comply with its legal and regulatory obligations and applicable law or as otherwise necessary in the context of any disputes or litigation. In the event applicable law does not permit Service Provider to comply with the delivery or destruction of the Personal Information, Service Provider warrants that it shall protect the confidentiality of the Personal Information in accordance with applicable law.

 

8. Updates to this Addendum

 

In the event of changes to applicable Privacy Laws, including, but not limited to, the amendment, revision or introduction of new laws, regulations, or other legally binding requirements to which either party is subject, the parties agree to revisit the terms of this Addendum, and negotiate any appropriate or necessary updates in good faith, including the addition, amendment, or replacement of any schedules.  

 

9. Governing Law and Jurisdiction of Addendum 

 

9.1. This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed in accordance with the jurisdiction set out under the Agreement. 

bottom of page