DATA PROCESSING
This Data Processing Addendum (“DPA”) forms an integral part of the EverHelp Terms of Service, available at link (including any Order Forms, exhibits, appendices, annexes, or policies referenced therein) (“Agreement”), entered into by and between the Customer (“Data Controller”) and EverHelp (“Data Processor”) that governs Customer’s use and EverHelp’s provision of EverHelp’s Services. Customer and EverHelp are hereinafter jointly referred to as the “Parties” and individually as the “Party”. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement.
1. DEFINITIONS
1.1 “Applicable Privacy Law” means all laws, statutes, regulations, ordinances, codes, rules, guidance, orders or any other legal entitlement issued by any governmental body governing the collection, use, transfer, and disclosure of Personal Data.
1.3 “Affiliated Companies” means any legal entities controlling, controlled by or under common control with Data Controller.
1.4 “Data Controller” means the party that has authority over the processing of Personal Data, determining the purpose for its use and the manner that it is processed.
1.5 “Data Processor” means the party that processes Personal Data on behalf of, and under the instruction of, the Data Controller.
1.6 “Data Protection Authority” means the official body that ensures compliance with the Applicable Privacy Law within its applicable jurisdiction.
1.7 “Data Subject” means the directly or indirectly identified or identifiable person to whom the Personal Data relates.
1.8 “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
1.9 “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
1.10 “Personal Data” means any information regulated by Applicable Privacy Law provided by the Data Controller, including information concerning an identified or identifiable individual, such as name, address, age, gender, email address, etc.
1.11 “Processing”, “processes” and “process” mean either any activity that involves the use of Personal Data or as the Applicable Privacy Law may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction. Processing also includes transferring Personal Data to third parties.
1.12 “Standard Contractual Clauses” (“SCC”) means contractual clauses established by the European Commission concerning the international transfer of Personal Data, as set out in the Annex to Commission Decision 2010/87/EU.
“Sub-processor” means a third-party data processor engaged by the Data Processor, who has or potentially will have access to, or processes, Personal Data.
1.13 “Service Data” means electronic data, text, messages, communications or other materials processed within the scope of the Services, including without limitation, Personal Data.
2. PROCESSING OF PERSONAL DATA
2.1 The subject matter, duration, nature and purpose(s) of the processing of Personal Data, as well as type of Personal Data and categories of Data Subjects are specified in Schedule A.
2.2 The Data Processor shall refrain from processing Personal Data that is beyond the scope set forth in Schedule A.
2.3 In case the Data Processor receives additional information that is not needed to fulfil the Agreement, it must inform the Data Controller immediately and stop the processing of the additional Personal Data.
2.4 All Service Data Processed under the terms of this DPA and the Service Agreement shall remain the property of Controller. Under no circumstances will Processor act, or be deemed to act, as a “controller” (or equivalent concept) of the Service Data Processed within the Services under any Applicable Data Protection Law.
3. INSTRUCTIONS
3.1 The Data Processor shall process the Personal Data only on documented instructions from the Data Controller and for no other purpose than the purpose(s) defined in Schedule A.
3.2 The Data Processor shall inform the Data Controller if, in its opinion, an instruction infringes the GDPR or the Applicable Privacy Law. The processing of the Personal Data required in said instruction shall be delayed.
3.3 If the Data Processor is required to transfer Personal Data to a law enforcement agency, it shall inform the Data Controller of that legal requirement before processing the Personal Data, unless that law prohibits such information on important grounds of public interest.
4. SECURITY
4.1 The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Technical and organizational security measures are listed in Schedule B.
4.2 In assessing the appropriate level of security, the Data Processor shall take into account the risks that are presented by Processing Personal Data, in particular risks arising from a Data Breach.
5. DATA PROCESSOR’S EMPLOYEES
5.1 The Data Processor shall ensure that all employees and contractors with access to the Personal Data, are legally bound by confidentiality obligations during and after the termination of the DPA, including after the termination of their employment.
5.2 The Data Processor shall provide access to Personal Data to its employees and contractors on a need-to-know basis only and shall make sure that the employees and contractors are aware and compliant with the Agreement, the DPA, Data Controller’s written instructions and the Applicable Privacy Law.
5.3 The Data Processor shall train its employees and contractors involved in the processing of the Personal Data to comply with the Applicable Privacy Law and with the requirements established in this DPA.
6. SUB-PROCESSORS
6.1 Data Controller authorizes Data Processor to appoint (and permit each Sub-processor appointed in accordance with this Clause 6 to appoint) Sub-processors in accordance with this Clause 6 and any restrictions in the Agreement.
6.2 The Data Controller hereby grants general written authorization to the Data Processor to engage additional or replace existing Sub-processors for the processing of the Personal Data under the Agreement. Upon request of the Data Controller, the Data Processor will provide a list of such Sub-processors. The Data Controller has the right to object to any Sub-processor. The objection shall be made by written communication within 10 business days after receipt of the requested list of Sub-processors. The Data Processor shall use reasonable efforts to replace the Sub-processor.
6.3 Where the Data Processor engages a Sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on the Sub-processor by way of a written contract. The Sub-processor in particular shall provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the Applicable Privacy Law.
6.4 The Data Processor shall provide to the Data Controller for review copies of the Processors’ contracts with Sub-processors (which may be edited to remove confidential commercial information not relevant to the requirements of this DPA) as the Data Controller may request from time to time.
6.5 Where a Sub-processor fails to fulfil its data protection obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of Sub-processor’s obligations.
7. RIGHTS OF DATA SUBJECTS
7.1 The Data Processor shall assist the Data Controller in fulfilling its obligations concerning the requests to exercise Data Subject rights under the GDPR and the Applicable Privacy Law.
7.2 Under the Service Agreement, the Data Processor shall fulfill Data Subjects’ requests and, if the Data Processor cannot fulfill a request by its own efforts, it shall promptly transfer to the Data Controller any request received from the Data Subjects.
8. NOTIFIABLE DATA BREACHES
8.1 The Data Processor shall notify the Data Controller of a Data Breach without undue delay (as soon as possible, but no later than within 24 hours of becoming aware of the incident). The notification shall include:
8.1.1 Description of the Data Breach, including, if possible, the categories of data and records concerned, the category and number of Data Subjects affected;
8.1.2 Likely consequences of the Data Breach;
8.1.3 Measures taken or proposed to address and/or mitigate the effects of the Data Breach.
8.2 The Data Processor shall, without undue delay, take all urgent measures as are agreed by the Parties or necessary under the Applicable Privacy Law, to investigate, mitigate and remedy the Data Breach and to protect the Personal Data.
8.3 Parties need the prior approval of the other Party to include and identify them in the breach notifications. Parties should not delay or withhold the approval without a reasonable cause.
8.4 If the Data Breach resulted from the Data Processor’s failure to comply with the DPA or the Applicable Privacy Law, the Data Processor shall reimburse the Data Controller for all the expenses incurred as a result of the Data Breach (e.g. breach notifications, litigation costs, forensic investigations, etc.).
9. COOPERATION
9.1 Upon request, the Data Processor shall assist the Data Controller to comply with its obligations under the Applicable Privacy Law when related to the processing of the Personal Data, including but not limited to:
9.1.1 Data Breaches;
9.1.2 Data Protection Impact Assessments;
9.1.3 Consultations with the Data Protection Authority;
9.1.4 Enquiries, complaints, audits, or claims from any court, government official, Data Protection Authority, third parties or individuals (including but not limited to the Data Subjects).
9.2 The Data Processor shall make available to the Data Controller all information necessary to comply with its obligations under the DPA and the Applicable Privacy Law.
9.3 The Data Processor shall notify the Data Controller of any requirements from an official authority as soon as possible, but no later than within twenty-four (24) hours of receiving said enquiry.
10. AUDIT RIGHTS
10.1 Upon prior notice and no more than once a year, the Data Controller has the right to conduct an audit to verify the Data Processor’s compliance with the DPA.
10.2 The Data Processor shall make available to the Data Controller documentation necessary to demonstrate compliance with this DPA and Applicable Privacy Law, in particular, to provide information about appropriate technical and organizational measures that have been implemented. Such documentation can be a current attestation, reports or expert reports from independent bodies (auditors, DPO, accountant), certifications from an IT security or data protection audit, or a certification approved by the Data Protection Authority.
10.2.1 The Data Controller can do more than one yearly audit in case of a Data Breach or a security incident.
10.2.2 The Data Controller shall schedule the audit with the Data Processor at least 2 weeks in advance.
10.2.3 Both Parties shall agree upon the scope, the timing, and the duration of the audit.
10.3 The audit might be carried out by the Data Controller directly or by a third-party auditor appointed by the Data Controller.
10.4 The Data Processor has the right to object to the use of a particular third-party auditor, if it could be considered a competitor of the Data Processor.
11. RECORDS KEEPING
11.1 The Data Processor shall maintain a record of all categories of processing activities carried out on behalf of the Data Controller. The records shall be in writing, including in electronic form.
12. RETURN AND DELETION OF THE PERSONAL DATA
12.1 The Data Processor shall promptly and in any event within ninety (90) days of the date of this DPA termination, return or irrevocably delete or remove the Personal Data, unless storage of the Personal Data is required by law.
12.2 The Data Processor may retain Personal Data to the extent required by Applicable Law and only to the extent and for such period as required by Applicable Privacy Law and always provided that Data Processor shall ensure the confidentiality of such Personal Data and shall ensure that such Personal Data is only processed as necessary for the purpose(s) specified in the Applicable Privacy Law requiring its storage and for no other purpose.
12.3 The Data Processor shall provide evidence of the deletion, removal or return of the Personal Data. Return of Personal Data shall be made in a generally acceptable, structured data format by electronic means.
13. CROSS-BORDER TRANSFER OF PERSONAL DATA
13.1 The Data Controller acknowledges that in connection with the performance of the Agreement the Personal Data will be transferred to the Data Processor in Gibraltar. The parties acknowledge and agree the following:
(a) to abide by module 2 (Transfer controller to processor) of the Standard Contractual Clauses (SCC) that shall be deemed incorporated by reference as Schedule D hereto;
(b) the Data Controller is the data exporter, the Data Processor is the data importer;
(c) the option under clause 7 (docking clause) shall not apply;
(d) option 1 under clause 9 (use of sub-processors) shall apply and the “time period” shall be 3 business days;
(e) the option under clause 11 (redress) shall not apply;
(f) the governing law for the purposes of clause 17 (governing law) shall be the law of Ireland;
(g) the courts under clause 18 (choice of forum and jurisdiction) shall be the courts of Ireland;
(h) the Appendices to SCC shall be completed as follows:
I. the contents of Schedule A to this DPA shall form Annex I.B; no special categories of data will be transferred; transfer is performed on a continuous basis; processing operations will be processing activities necessary for provision of services described in the Agreement;
II. the competent supervisory authority of the Data Controller shall form Annex I.C;
III. the contents of Schedule B to this DPA shall form Annex II;
IV. the contents of Schedule C to this DPA shall form Annex III.
13.2 The Data Processor may not onward transfer Personal Data outside the European Economic Area (“EEA”) without obtaining the Data Controller’s prior written consent.
13.3 The Data Processor may only onward transfer Personal Data outside the EEA under the following conditions:
13.3.1 the Data Processor is processing Personal Data in a territory in relation to which the European Commission has made an adequacy decision; or
13.3.2 the Parties have executed Standard Contractual Clauses.
14. LIABILITY AND INDEMNITY
14.1 The Data Processor is liable for and shall indemnify, keep indemnified and hold the Data Controller, its affiliates, their officers, agents, employees and customers harmless against all liability, losses, costs, claims (including fines and penalties of the Data Protection Authority), expenses (including legal expenses) and demands which the Data Controller may incur, howsoever directly or indirectly arising from any failure by the Data Processor and/or its Sub-processors to comply with the DPA and/or the Applicable Privacy Law.
14.2 Any failure of a Sub-processor shall be deemed as own failure of the Data Processor and therefore entitle the Data Controller and its Affiliated Companies to the foregoing indemnity.
14.3 Damages which an Affiliated Company of Data Controller incurs as a result of a breach of this DPA by the Data Processor or any of its Sub-processors shall be deemed own damages of the Data Controller.
15. CALIFORNIA CONSUMERS PRIVACY RIGHTS
15.1 This Clause 15 is applicable to processing of Personal Information of Consumers. The terms “Personal Information” and “Consumer” shall have the meanings stipulated in the California Consumer Privacy Act of 2018, as amended from time to time (“CCPA”).
15.2 The Data Processor shall not retain, use, or disclose Personal Information for any purpose other than for the specific purpose of performing the services specified in the Agreement.
15.3 The Data Processor shall not retain, use, or disclose Personal Information for a commercial purpose other than providing the services specified in the Agreement.
15.4 The Data Processor shall not retain, use, or disclose Personal Information outside of the direct business relationship between the Data Processor and the Data Controller.
15.5 The Data Processor shall refrain from selling Personal Information, as the term “sell” is defined in the CCPA.
15.6 The Data Processor certifies that it understands the restrictions in Clauses 15.2 – 15.5 hereof and will comply with them.
16. TERMINATION AND TERM
16.1 This DPA shall be effective as of the effective date of the Agreement.
16.2 This DPA will remain in force and effect so long as the Agreement remains in effect. Termination of this DPA shall not affect Parties’ accrued rights and obligations at the date of termination and the provisions of Clause 12 (Return and Deletion of Personal Data), 14 (Liability and Indemnity) hereof.
16.3 The Data Processor’s failure to comply with the obligations of this DPA is a material breach of the Agreement. In such event the Data Controller has the right to terminate the Agreement effective immediately on written notice to the Data Processor without further liability or obligation.
17. NOTICES
17.1 Any notice between the Parties shall be in writing to the respective Party’s address or email.
18. SEVERABILITY
18.1 Should any provision of this DPA be or become, either in whole or in part, void, ineffective or unenforceable, then the validity, effectiveness and enforceability of the other provisions of this DPA shall remain unaffected thereby.
18.2 Any such invalid, ineffective or unenforceable provision shall, to the extent permitted by law, be deemed replaced by such valid, effective and enforceable provision as most closely reflects the economic intent and purpose of the invalid, ineffective or unenforceable provision regarding its subject-matter, scale, time, place and scope of application.
18.3 The aforesaid rule shall apply mutatis mutandis to fill any gap that may be found to exist in this DPA.
19. ENTIRE AGREEMENT
19.1 Parties explicitly declare that this DPA and the documents referred to herein constitute the entire agreement between Parties and supersede any prior draft, agreements, undertakings, understandings, conditions and arrangements, notwithstanding any conflicting order of precedence, of any nature between the Parties, whether or not in writing, in relation to the subject-matter of this DPA.
20. GOVERNING LAW AND JURISDICTION
20.1 The DPA shall be governed by law as stipulated in the Agreement.
20.2 The Parties hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims howsoever arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity.
21. MISCELLANEOUS
21.1 In the case of conflict or ambiguity between:
21.1.1 any provision of the DPA and any provision of the Agreement, the provisions of the DPA shall prevail;
21.1.2 any provision contained in the body of this Agreement and any provision contained in the Schedules, the provisions in the body of this Agreement shall prevail;
21.1.3 any provision of this Agreement and any executed SCC, the provisions of the executed SCC shall prevail.