In connection with the Services provided pursuant to the service agreement (“Service Agreement”) by the service provider as data processor, being Imprima or the relevant Affiliate which is party to the Service Agreement (the relevant party referred to as the “Service Provider”) to the Client as data controller (“Client”), the parties have agreed that these data processing terms (“Terms”) shall apply in order to address the compliance obligations imposed upon Client under Data Protection Law. These Terms shall be incorporated in the Service Agreement by reference.
BY CONTINUING TO PROVIDE OR RECEIVE THE SERVICES, AS APPLICABLE, THE PARTIES AGREE TO BE BOUND BY THESE TERMS.
NOW IT IS HEREBY AGREED as follows:
1. DEFINITIONS
1.1 In these Terms, capitalised words shall have the meaning as defined in the Service Agreement, unless these Terms expressly state otherwise below or elsewhere in these Terms:
1.1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with, a party from time to time during the Term;
1.1.2 “Data Protection Law” means the data privacy laws applicable to the processing in connection with the Services, including, where applicable, Regulation (EU) 2016/679, as amended or replaced by any subsequent Regulation, Directive or other legal instrument of the European Union, including the General Data Protection Regulation or similar law, or the applicable data privacy laws of any other relevant jurisdiction;
1.1.3 “End User” shall have the meaning as defined in the Service Agreement;
1.1.4 “Services” means the services as described in the Service Agreement and in clause 4 below;
1.1.5 “Contractual Clauses” means the standard contractual clauses of the European Commission for the transfer of personal data across borders, as amended or replaced from time to time, or any equivalent set of contractual clauses approved for use under Data Protection Law; and
1.1.6 “Client Personal Data” means the personal data processed by Service Provider in connection with the Services, as further described in clause 4 below. In accordance with clause 2.2, this may include the personal data of a Client Affiliate.
1.2 The words “data subject”, “personal data”, “processing” (and variations), “controller” and “processor” shall have the meaning attributed to them in Data Protection Law.
2. APPOINTMENT
2.1 The Client is designated by its Affiliates and End Users to provide and manage various services, including the Services, on their behalf. Accordingly, Client Personal Data may contain personal data in relation to which Client Affiliates and End Users are controllers. The Client confirms that it is authorised to communicate to Service Provider any instructions or other requirements on behalf of Client Affiliates and End Users in respect of the processing of Client Personal Data by Service Provider in connection with the Services.
2.2 Service Provider is appointed by the Client to process Client Personal Data on behalf of the Client and/or Client Affiliates and/or End Users, as the case may be, as is necessary to provide the Services or as otherwise agreed by the parties in writing.
3. DURATION
3.1 These Terms shall commence on the earlier of: (i) the date of their execution, or (ii) the effective date of the Service Agreement (the “Effective Date”) and shall continue in full force and effect until the termination or expiry of the Service Agreement (the “Term”).
4. SERVICES
4.1 The Service Provider may carry out processing of Client Personal Data as described below:
- Description of Services: Cloud-based virtual data room (VDR) services.
- Subject-matter of processing: Processing activities in connection with the provision of the Services.
- Duration of processing: For the duration of the Service Agreement.
- Nature and purpose of processing: Hosting personal data in the Data Room and allowing End Users to access and process Client Personal Data as part of the Services.
- Type of personal data: Employment data, shareholder data, customer data, business data, sales data, financial data, etc.
- Categories of data subjects: Personnel, advisors, shareholders, customers and other individuals.
5. DATA PROTECTION COMPLIANCE
5.1 In relation to its processing of Client Personal Data during the Term, save as otherwise provided by law, Service Provider agrees to:
5.1.1 comply with Data Protection Law in relation to its processing of Client Personal Data;
5.1.2 process Client Personal Data only as required in connection with the Services, in accordance with the Client’s documented lawful instructions reasonably given in the context of the Services from time to time, and for internal business analytics. The Client warrants and represents on a continuous basis that its instructions will not put Service Provider in breach of the law;
5.1.3 inform the Client if, in its opinion, an instruction infringes Data Protection Law;
5.1.4 ensure that all personnel authorised by Service Provider to process Client Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
5.1.5 implement appropriate technical and organisational measures to safeguard Client Personal Data, having regard to the nature of the Client Personal Data to be protected and the risk of harm which might result from any Security Breach (as defined in clause 8.1), as set out in the Service Agreement or appropriate alternative measures, and as a minimum the measures set out in the Appendix;
5.1.6 inform the Client without undue delay of any data subject requests under Data Protection Law, or regulatory or law enforcement requests, relating to Client Personal Data. Service Provider may acknowledge each data subject access request. Where agreed, Service Provider may, at Client’s expense, respond to the subject access request on Client’s behalf;
5.1.7 at Client’s expense, provide such assistance as the Client may reasonably require in order to ensure the Client’s compliance with Data Protection Law in relation to data security, data breach notifications, data protection impact assessments and prior consultations with competent supervisory authorities with responsibility for privacy and data protection matters;
5.1.8 at the choice and expense of the Client, delete or return all Client Personal Data to the Client after the end of the provision of the Services, and delete existing copies of all Client Personal Data, save for Client Personal Data archived for business continuity and disaster recovery purposes, where applicable, and anonymised Client Personal Data retained for legitimate business purposes. Service Provider may delete or destroy any Client Personal Data that are no longer needed in order to comply with these Terms; and
5.1.9 at Client’s expense, make available to Client information reasonably necessary to demonstrate Service Provider’s compliance with these Terms and allow for audits carried out by an independent third party, as the parties may agree.
5.2 Client shall promptly provide such assistance as Service Provider may reasonably require in order to comply with its data privacy and security obligations under these Terms.
6. NOTICE
6.1 Service Provider will, upon Client request and at Client’s expense, provide to each data subject such standard Client privacy notice as the Client may reasonably request from time to time in accordance with the Service Agreement.
7. SUBPROCESSORS
7.1 Service Provider will engage any subcontractors involved in the processing of Client Personal Data (each a “Subprocessor”) only with Client’s consent, which is, subject to clause 7.2, hereby given.
7.2 When engaging a Subprocessor, Service Provider will:
7.2.1 carry out reasonable due diligence;
7.2.2 enter into a contract on terms, as far as practicable, the same as those in these Terms, which may include Contractual Clauses to provide adequate safeguards with respect to the processing of Client Personal Data; and
7.2.3 inform the Client of any intended changes concerning the addition or replacement of a Subprocessor from time to time. If the Client objects to any such change on reasonable grounds, then, acting in good faith, the parties will work together to resolve such objection.
8. SECURITY INCIDENTS
8.1 “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed.
8.2 Service Provider will notify the Client without delay if it becomes aware of any Security Breach. Where practicable, Service Provider will provide phased notifications.
8.3 Service Provider will investigate the Security Breach and take reasonable action to identify, prevent and mitigate the effects of any Security Breach caused by Service Provider. At the Client’s expense, Service Provider will take such further action as the Client may reasonably request in order to comply with Data Protection Law.
8.4 The Client may not release or publish any filing, communication, notice, press release or report concerning any Security Breach without Service Provider’s prior written approval; such approval shall not be unreasonably withheld.
9. INTERNATIONAL DATA TRANSFERS
9.1 Service Provider will ensure that no Client Personal Data are transferred out of either of the territories in clauses 9.1.1 or 9.1.2 without the express prior written consent of Client, which is hereby given, subject to clause 9.2:
9.1.1 the European Economic Area; or
9.1.2 any other territory in which restrictions are imposed on the transfer of Client Personal Data across borders under Data Protection Law.
9.2 At the Client’s expense, Service Provider will provide such assistance as the Client may reasonably require in order to ensure that Contractual Clauses or another applicable transfer mechanism, such as the EU-US Privacy Shield Framework in relation to EU-US transfers, is in place to ensure an adequate level of data protection.
10. MISCELLANEOUS
10.1 Clause and other headings in these Terms are for convenience of reference only and shall not constitute a part of, or otherwise affect the meaning or interpretation of, these Terms.
10.2 Subject to clause 3, either party’s liability under these Terms shall be subject to the exclusions and limitations of liability under the Service Agreement.
10.3 Nothing in these Terms will exclude or limit the liability of either party which cannot be limited or excluded by applicable law. Subject to the foregoing sentence, (i) these Terms and the Service Agreement constitute the entire agreement between the parties pertaining to the processing of Client Personal Data as part of the Services and supersede all prior agreements, understandings, negotiations and discussions of the parties relating to its subject matter; and (ii) in entering into these Terms neither party has relied on, and neither party will have any right or remedy based on, any statement, representation or warranty, whether made negligently or innocently, except those expressly set out in these Terms.
10.4 The Client shall pay to Service Provider, within 15 days of the invoice date, any costs and expenses, including without limitation reasonable attorney fees and the cost of preparing and sending correspondence, incurred by Service Provider and/or its Affiliates in connection with carrying out duties at the Client’s expense under these Terms.
10.5 Where a request by the Client means that the Services can no longer be provided under the Service Agreement as envisaged by the Service Provider, including a request to suspend or cease, in whole or in part, any contract with a Subprocessor, to suspend or cease any transfer of Client Personal Data, to destroy or return to the Client all Client Personal Data, to suspend or cease access to Client Personal Data, or any similar request, the Service Provider shall have the right to terminate the Service Agreement without liability at any time, with immediate or delayed effect, by written notice to the Client. Upon termination of the Service Agreement by the Service Provider or the Client for reasons relating to these Terms or compliance with Data Protection Law, all Service fees, expenses and other payments under the Service Agreement shall become immediately payable by the Client to Service Provider, calculated as if the Service Agreement had been lawfully terminated for convenience by the Client pursuant to its terms.
10.6 All notices of termination or breach must be in English, in writing and addressed to the other party’s primary contact person or legal department. Notice will be treated as given on receipt, as verified by a valid receipt or electronic log. Postal notices will be deemed received 48 hours from the date of posting by recorded delivery or registered post.
10.7 The provisions of these Terms are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only that phrase, clause or provision, and the rest of these Terms shall remain in full force and effect.
10.8 Either party may transfer its rights and/or obligations under these Terms to its successor as a result of a merger, acquisition, sale, reorganisation or liquidation.
10.9 These Terms are governed by English law and the parties submit to the exclusive jurisdiction of the English courts in relation to any dispute (contractual or non-contractual) concerning these Terms, save that either party may apply to any court for an injunction or other relief to protect its property, intellectual property rights or confidential information.
APPENDIX – Security Measures
Service Provider shall put in place the following minimum measures, as applicable:
- maintain ISO 27001:2013 certification
- latest-generation firewalls
- least-privilege user access control, with user IDs and passwords with a limited lifetime where appropriate
- restricted remote access, with multi-factor authentication for remote access
- real-time protection anti-virus, anti-malware and anti-spyware software
- compliance with hardware and software manufacturer instructions
- data separation according to client and purpose, where appropriate
- regular software updates
- secure data removal from decommissioned devices
- 256-bit encryption of portable data storage devices and encryption of personal data in transit
- intrusion detection and prevention systems
- data backup with regular testing
- business continuity and disaster recovery procedures
- personnel vetting
- least-privilege physical access control
- non-disclosure agreements for personnel
- training of personnel on confidentiality