Data Processing Addendum
Part 1
-
Capitalized terms used in this Part 1 of the Data Processing Addendum (“DPA”) but not defined in the DPA or in the Agreement have the meaning ascribed to them in Regulation (EU) 2016/679 (GDPR).
-
This Part 1 applies only where Blix Inc. ("Blix") acts as a Data Processor in Processing Your Content which is Personal Data, on behalf of the User (or Customer) and under their instructions, where the User (or Customer) is a Data Controller subject to the GDPR with respect to that Personal Data.
-
Blix will Process the Personal Data only on the User’s or Customer’s behalf and for as long as they instruct Blix to do so. Blix shall not Process the Personal Data for any purpose other than the purpose set forth in the next section.
-
The subject matter and purposes of the Processing activities are the provision of the Service, a messaging platform that integrates best-of-breed email, calendar, contacts, and later board for improved team-driven productivity. The Personal Data Processed may include, without limitation: emails, later board, contacts and calendar events.
-
The Data Subjects about whom Personal Data is Processed are the User and those whose Personal Data is found in Your Content.
-
The User and Blix are each responsible for complying with the GDPR as applicable to them in their roles as Data Controller and Data Processor, respectively.
-
Blix will Process the Personal Data only on documented instructions from the User, unless Blix is otherwise required to do so by law to which it is subject (and in such a case, Blix shall inform the User (or Customer), of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Blix shall immediately inform the User if, in Blix's opinion, an instruction is in violation the GDPR.
-
The User may only use the Service to process personal data pursuant to a recognized and applicable lawful basis under the GDPR, such as (by way of example only) legitimate basis. The User is solely responsible for determining the lawfulness of the data processing instructions it provides to Blix and shall provide Blix only instructions that are lawful under the GDPR.
-
Considering the nature of Blix’s Processing activities, it will assist the User to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Blix will pass on to User requests that it receives from Data Subjects regarding their Personal Data Processed by Blix.
-
Blix will make available to the User (or Customer), all information in its disposal necessary to demonstrate compliance with the obligations under the GDPR.
-
The User acknowledges and agrees that Blix uses Amazon Web Services Inc., Google LLC and Digital Ocean LLC to Process the Personal Data.
-
The User authorizes Blix to engage other sub-processors for carrying out specific processing activities of the Product, provided that Blix informs User at least 10 days in advance of any new or substitute sub-processor, by email message to the email address that the User provided to Blix when it enrolled to use the Service. The User shall have the right to object, on reasoned grounds, to that new or replaced sub-processor within that advance notice period. If User objects, Blix may not engage that new or substitute sub-processor for the purpose of Processing Personal Data in the provision of the User and may terminate the Terms with the User.
-
Blix and its sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors (e.g., Privacy Shield) recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under the GDPR’s provisions governing cross-border data transfers (e.g., Model Clauses).
-
Blix’s Processing activities involve the transfer of the Personal Data to the United States, which is a country outside of the EEA for which the EU Commission has not made an 'adequacy' decision for the purposes of cross-border data transfers pursuant to Article 45 of the GDPR, then the User (or the Customer), as the "data exporter", hereby enters with Blix into the standard contractual clauses for the transfer of personal data to processors established in third countries (“Controller to Processor EU Model Clauses”), pursuant to (EU Commission Decision 2010/87/EU), which are incorporated hereto by reference. For the purpose of the Controller to Processor EU Model Clauses:
-
The User (or the Customer) is a data exporter
-
Blix is the data importer
-
The Data Subjects are as set out in Section 5 above
-
The applicable law for the Controller to Processor EU Model Clauses shall be the Republic of Ireland
-
The categories of Personal Data are as set out in Section 4 above
-
The processing operations include collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination or otherwise making available, alignment or combination, pseudonymization, erasure
Technical and organizational security measures implemented by the data importer are as set out in Exhibit 1.
-
The User hereby authorizes Blix to enter on its behalf into the Controller to Processor EU Model Clauses with Blix’s sub-processors whose Processing activities involve the transfer of the Personal Data to countries outside of the EEA for which the EU Commission has not made an 'adequacy' decision for the purposes of cross-border data transfers pursuant to Article 45 of the GDPR.
-
Blix will procure that the sub-processors Process the Personal Data in a manner consistent with Blix’s obligations under this Addendum and the GDPR, particularly Article 28 of the GDPR, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.
-
In Processing Personal Data, Blix will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access. Blix will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
-
Not more than once per annum (unless otherwise required by a data protection authority or the GDPR), Blix shall allow for and contribute to audits, including carrying out inspections conducted by the User (or Customer) or another auditor mandated by the User (or Customer) during normal business hours and subject to a prior notice to Blix of at least 30 days as well as appropriate confidentiality undertakings by the User (or Customer) covering such inspections in order to establish Blix's compliance with this Addendum and the provisions of the GDPR as regards the Personal Data that Blix processes on behalf of the User (or Customer). If such audits entail material costs or expenses to Blix, the parties shall first come to agreement on the User (or Customer) reimbursing Blix for such costs and expenses.
-
Blix shall without undue delay notify the User of any Personal Data Breach that it becomes aware of regarding Personal Data of Data Subjects that Blix Processes. Blix will use commercial efforts to mitigate the breach and prevent its recurrence. The User and Blix will cooperate in good-faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.
-
Blix will assist the User (or the Customer) with the preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Blix, the parties shall first come to agreement on the User (or the Customer) reimbursing Blix for such costs and expenses.
-
Blix will provide the User prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on User’s behalf, so that the User may contest or attempt to limit the scope of production or disclosure request.
-
Blix will delete the Personal Data it has Processed on User’s behalf under this Addendum from its own and its sub-processor’s systems, upon the termination of the Terms, and will furnish written confirmation that the Personal Data has been deleted pursuant to this section.
-
The duration of Processing that Blix performs on the Personal Data is for the duration of the Terms. This Addendum shall prevail in the event of inconsistencies between it and the Agreement between the parties or subsequent agreements entered into or purported to be entered into by the parties after the date of this Addendum – except where explicitly agreed otherwise in writing.
Exhibit 1 to Part 1
(a) deny unauthorized persons access to processing equipment used for processing (‘equipment access control’);
(b) prevent the unauthorized reading, copying, modification or removal of data media (‘data media control’);
(c) prevent the unauthorized input of personal data and the unauthorized inspection, modification or deletion of stored personal data (‘storage control’);
(d) prevent the use of automated processing systems by unauthorized persons using data communication equipment (‘user control’);
(e) ensure that persons unauthorized to use an automated processing system have access only to the personal data covered by their access authorization (‘data access control’);
(f) ensure that it is possible to verify and establish the bodies to which personal data have been or may be transmitted or made available using data communication equipment (‘communication control’);
(g) ensure that it is subsequently possible to verify and establish which personal data have been input into automated processing systems and when and by whom the personal data were input (‘input control’);
(h) prevent the unauthorized reading, copying, modification or deletion of personal data during transfers of personal data or during transportation of data media (‘transport control’);
(i) ensure that installed systems may, in the case of interruption, be restored (‘recovery’);
(j) ensure that the functions of the system perform, that the appearance of faults in the functions is reported (‘reliability’) and that stored personal data cannot be corrupted by means of a malfunctioning of the system (‘integrity’).
(k) implement a process for regularly testing, assessing, evaluating and enhancing the effectiveness of technical and organizational measures for ensuring the security of the Processing (‘assessments’)
Part 2
-
Capitalized terms used in this Part 2 of the Data Processing Addendum (“DPA”) but not defined in the DPA or in the Agreement have the meaning ascribed to them in the California Consumer Privacy Act of 2018 (CCPA), Cal. Civ. Code §1798.140.
-
This Part 2 applies only where Blix is processing Personal Information as a Service Provider on behalf of the User (or Customer) where the User (or Customer) in a Business subject to the CCPA.
-
The Parties acknowledge and agree that Blix is a Service Provider. To that end, and unless otherwise requires by law:
-
3.1 Blix is prohibited from retaining, using or disclosing User’s (or Customer’s) Personal Information for: (a) any purpose other than the purpose of properly performing, or for any commercial purpose other than as reasonably necessary to provide, the technical support for the Product or as otherwise permitted under 11 CCR §999.314(c); (b) Selling the User’s (or Customer’s) Personal Information; and (c) retaining, using or disclosing the User’s (or Customer’s) Personal Information outside of the direct business relationship between the Parties, except as permitted under 11 CCR §999.314(c). Blix certifies that it understands the restriction specified in this subsection and will comply with it.
-
3.2 If Blix receives a request from a California Consumer of the User (or Customer), about his or her Personal Information, Blix shall not comply with the request itself, but shall inform the Consumer that Blix’s basis for denying the request is that the Blix is merely a service provider that follows User’s (or Customer’s) instruction, and inform the Consumer that they should submit the request directly to the User (or Customer) and provide the Consumer with the User’s (or Customer’s), contact information.
-
Blix will delete the Personal Information it has Processed on User’s behalf under this Addendum from its own and its sub-processor’s systems, upon the termination of the Terms, and will furnish written confirmation that the Personal Information has been deleted pursuant to this section.
-
Blix shall assist the User (or Customer), by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the User’s (or Customer’s) obligation to respond to requests for exercising Consumer rights under the California Consumer Privacy Act of 2018.
-
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Blix’s processing of Personal Information of the User (or Customer), as well as the nature of personal information processed for User (or Customer), Blix shall implement and maintain reasonable security procedures and practices appropriate to the nature of the Personal Information, to protect the Personal Information from unauthorized access, destruction, use, modification, or disclosure (including data breaches).