Data Processing Agreement
This document was last updated on April 1, 2021.
This Data Processing Agreement (“DPA”) entered into by and between Customer and SITASYS AG, a Swiss société anonyme, with its principal place of business at Industriestrasse 6 4513 Langendorf SO (“Sitasys”) supplements the agreement between Customer and Sitasys governing Customer’s use of the Services (the “Agreement”) when the GDPR applies to Customer’s processing of Customer Data using/via the Services. This DPA is integrated by reference in the Agreement.
The parties agree that all terms that begins with a capital letter have the meaning ascribed to them in the Agreement or in this DPA.
1. Roles of The Parties
Customer may process Customer Data as a Controller or as a Processor. Sitasys will process Customer Data as a Processor to Customer when Customer acts as a Controller and Sitasys will process Customer Data as a sub-processor to Controller when Customer acts as a Processor.
Sitasys processes Customer Data as a Controller for the training and support Services. Thus, the DPA does not apply to the processing of Customer Data for the training and support Services.
Each party will comply with all laws and regulations applicable to it and binding on it in the performance of this DPA, including the GDPR. Sitasys does not determine whether Customer Data includes Special Category of Personal Data or information subject to any specific law or regulation. Customer is responsible for determining whether the Services are appropriate for storage and processing of Special Category of Personal Data or information subject to any specific law or regulation and for using the Services in a manner consistent with Customer’s legal and regulatory obligations.
2. Customer’s Documented Instructions
2.1. Sitasys will process Customer Data only on documented instructions from Customer.
Customer agrees that this DPA, the Agreement and the provision of instructions via the EVALINK Account, use of the Services, configuration tools and APIs made available by Sitasys constitute Customer’s documented instructions regarding Sitasys’ processing of Customer Data (“Documented Instructions”).
2.2. When Customer acts as a Processor, Customer warrants to Sitasys that Customer's Documented Instructions, including appointment of Sitasys as a sub-processor, have been authorized by the relevant Controller.
2.3. Customer may request a change to the Documented Instructions or new additional instructions. Requested change or addition to the Documented Instruction require the parties to agree in writing to such change or addition and to the associated additional fees payable by Customer to Sitasys for implementing agreed change or addition. If Sitasys does not agree to a change or addition to the Documented Instructions requested by Customer or if the parties do not agree on the associated fees, then Customer is entitled to terminate this DPA and the Agreement in accordance with Section Termination of the Agreement.
3. Processing Details
The Parties acknowledge and agree that:
- The subject-matter of the processing is limited to Customer Data;
- The duration of the processing is determined by the Customer via its EVALINK Account and will not exceed the duration of the Agreement (except as may be required by applicable law);
- The purpose of the processing is to provide the Services pursuant to the Agreement;
- The types of Personal Data processed by Sitasys while providing the Services are the types of Personal Data that the Customer elects to include in Customer Data.
- The categories of data subjects may include Customer and End-Users such as Customer’s or End User’s employees, contractors, suppliers, and customers.
4. Confidentiality of Customer Data
4.1. Sitasys will only process, or disclose to a third party, Customer Data, as necessary to (i) provide or maintain the Services, or (ii) comply with the law or a valid and binding order of a governmental body.
4.2. Sitasys will disclose Customer Data only to the extent compelled by law or a governmental body to do so. Sitasys will provide Customer a prior Notice of the compelled disclosure (to the extent legally permitted) and commercially reasonable assistance, at Customer's cost, if Customer wishes to contest the disclosure request.
4.3. Sitasys imposes appropriate contractual confidentiality obligations upon its personnel authorised to process Customer Data.
5. Data Subject Requests
In a manner consistent with the nature, functionality of the Services, Sitasys will make available to Customer, features, functionalities to assist Customer to the fulfilment of Customer’s obligation to respond to data subject requests to exercise their rights under the GDPR. If a data subject contacts Sitasys to exercise its rights under chapiter III of the GDPR, Sitasys will forward such requests to Customer, or redirect the data subject to the Customer.
6.1. Sitasys may engage sub-processor(s) for carrying out processing activities on Customer Data on behalf of Customer (“Sub-processor(s)”). Sitasys provides a list of the Sub-processors on the EVALINK Site (“Sub-processors List”). Customer authorizes Sitasys to subcontract the processing of Customer Data to the Sub-processors in accordance with this DPA.
6.2. From time to time, Sitasys may engage new Sub-processors, Sitasys will update the Sub-processors List and Notify Customer of that update at least ninety (90) days before Sitasys provides new Sub-processors with access to Customer Data. If Customer objects to a new Sub-processor, then Customer may terminate the Agreement in accordance with Section Termination of the Agreement.
6.3. Sitasys will restrict Sub-processors’ access to Customer Data only to what is necessary to provide or maintain the Services to Customer in accordance with the Agreement and Sitasys will prohibit Sub-processors from accessing Customer Data for any other purpose. Sitasys will enter into a written agreement with Sub-processors and will impose on the Sub-processors at least the level of Customer Data protection required of Sitasys by the DPA.
6.4. Sitasys will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors that cause Sitasys to breach any of Sitasys’ obligations under this DPA.
7. Data Security
Sitasys will implement technical and organisational measures against accidental or unlawful loss, access, or disclosure of Customer Data, as described in the Security Policy to the Agreement and Section Security of the Agreement.
Customer will only provide Customer Data to Sitasys when Customer determines that the technical and organizational measures implemented by Sitasys provide a level of security appropriate to the risk with respect to Customer Data.
8. Auditing Compliance
8.1. Upon request, Sitasys will make available to Customer information to demonstrate Sitasys’ compliance with the obligations set forth in this Agreement.
8.2. Should the Customer deem reasonably in good faith that the information provided by Sitasys are not sufficient to verify compliance with this Agreement, Customer or another auditor mandated by Customer and accepted by Sitasys, may conduct an audit, including inspections, with reasonable advance Notice, within the limit of one audit per contractual year and to the extent the audit is not legally or contractually prohibited. Sitasys will commercially reasonably contribute to such audits. Such audit is strictly limited to verify compliance of Sitasys with the obligations set forth in this DPA and does not entail access to (i) other customers’ content, data and (ii) documents or systems unrelated to the performance of the Services registered by Customer.
8.3. Before the commencement of that audit, taking into account the nature, scope, context and purposes of the Services, and the risk for the data subjects, Sitasys and Customer will discuss, and agree, reasonably and in good faith, to the scope, modalities, procedure, timing, duration, commencement date, control and evidence requirements, and fees of the audit. Sitasys will not unreasonably retain its consent to delay or limit Customer’s audit. The audit shall not disrupt the Services or be a threat to the security of the (i) Services and (ii) customers’ content on the Services. Customer will impose confidentiality obligations on its internal or external auditors at least of the level of required of Sitasys under the Agreement and ensure, verify, and guarantee that the auditor possesses the necessary skills to conduct such audit. Customer is responsible for all costs and fees related to such audit, including all reasonable costs and fees for the time Sitasys spends on the audit and on providing to Customer information demonstrating its compliance pursuant to section 8.1 of this DPA, in addition to the rates for services performed by Sitasys. If the audit report generated by Customer’s audit includes any finding of material non-compliance, Customer will share such audit report with Sitasys.
9. Security Incident Notification
9.1. If Sitasys becomes aware of a Security Incident, Sitasys will (i) notify without undue delay the Controller of the Security Incident, (ii) investigate the Security Incident, (iii) assist Customer in gathering the information listed in article 33 of the GDPR by making available to Customer relevant listed information taking into consideration the nature and security of the Services, the information reasonably available to Sitasys and Sitasys’ confidentiality obligations, (iv) take commercially reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
9.2. Notification(s) of Security Incidents will be delivered to Customer by any means Sitasys selects, including via email. It is Customer' sole responsibility to ensure contact information in its EVALINK Account is and remains, at all times, accurate.
9.3. Sitasys’ obligation to report or respond to a Security Incident under this section is not and shall not be construed as an acknowledgement by Sitasys of any fault or liability with respect to the Security Incident.
10. Data Transfers and Localization
Customer Data will be processed within the European Union or countries recognized by a European Commission decision as ensuring an adequate level of data protection. Customer Data will be transferred to, and processed in, the countries in which the Sub-processors operate (“Sub-processors Countries”). Some of the Sub-processors Countries may not be recognized by a European Commission decision as ensuring an adequate level of data protection. Sub-processors Countries will be listed in the Sub-processors List.
All transfers of Customer Data to countries not recognized by a European Commission decision as ensuring an adequate level of data protection will be subject to appropriate safeguards as described in Article 46 of the GDPR.
11. Assistance in Complying with Customer’s Obligations
Customer will comply with its obligations pursuant to Articles 32 to 36 of the GDPR.
Sitasys will assist Customer in complying with Customer’s obligations pursuant to Articles 32 to 36 of GDPR as provided in this DPA.
12. Data Restitution and Deletion
During the term of the Agreement, Sitasys makes available to Customer functionalities and features that enable Customer to access, extract and delete Customer Data processed on the Services.
All Customer Content, including Customer Data, will be deleted upon effective termination of the Agreement unless Sitasys is required by applicable law to retain such data.
Unless otherwise defined in the Agreement, all capitalised terms used in this DPA will have the meanings given to them below:
“Controller” has the meaning given to it in the GDPR.
“Customer” means you or the entity you represent.
“Customer Data” means the Personal Data that Customer provides to Sitasys through the use of the Services under Customer’s EVALINK Account.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” has the meaning given to it in the GDPR.
“processing” (without capitalised terms) has the meaning given to it in the GDPR and “process”, “processes” and “processed” (without capitalised terms) will be interpreted accordingly.
“Processor” has the meaning given to it in the GDPR.
“Security Incident” means a breach of Sitasys’ security that resulted in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data.
“Special Category of Personal Data” has the meaning given to it in article 9 of the GDPR.
“Sub-processor(s)” has the meaning given to it in Section Sub-processing of this DPA.
“Sub-processors List” has the meaning given to it in Section Sub-processing of this DPA.