Data Processing Addendum
Need a signature? You can sign our DPA electronically using PandaDoc!
This Data Processing Addendum (“DPA”) forms part of the terms and conditions of service found at https://www.knowledgeowl.com/home/terms-and-conditions unless the Customer has entered into a superseding agreement with KnowledgeOwl, in which case it forms part of that agreement (in either case, the “Agreement”).
KnowledgeOwl agrees to comply with the following provisions with respect to any Personal Data Processed by KnowledgeOwl in connection with its provision of the Services. References to the Agreement will be construed as including this DPA and, except as modified below, the terms of the Agreement shall remain in full force and effect.
For the purpose of this DPA, Customer is the Data Controller and KnowledgeOwl is the Data Processor. Any capitalized terms not defined herein shall have the respective meanings given to them in the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA will prevail.
“Data Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, applicable to the Processing of Personal Data under the Agreement.
“Data Subject” means the individual to whom Personal Data relates.
“Personal Data” means any information relating to an identified or identifiable person.
“Privacy Shield” means the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce.
“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction (“Process”, “Processes” and “Processed” shall have the same meaning).
“Security Breach” has the meaning set forth in Section 7 of this DPA.
“Sub-processor” means any Data Processor engaged by KnowledgeOwl.
2. PROCESSING OF PERSONAL DATA
2.1 The parties agree that with regard to the Processing of Personal Data, the Customer is the Data Controller and KnowledgeOwl is the Data Processor.
2.2 KnowledgeOwl shall process Personal Data in accordance with the requirements of the Data Protection Laws and Customer will ensure that its instructions for the Processing of Personal Data shall comply with the Data Protection Laws. If KnowledgeOwl believes or becomes aware that any of Customer’s instructions conflict with any Data Protection Laws, KnowledgeOwl shall inform Customer.
2.3 During the Term of the Agreement, KnowledgeOwl shall only Process Personal Data on behalf of and in accordance with Customer’s written instructions and shall treat Personal Data as confidential information. Customer instructs KnowledgeOwl to Process Personal Data for the following purposes: (i) Processing in accordance with the Agreement and any applicable orders; and (ii) Processing to comply with other reasonable written instructions provided by Customer where such instructions are consistent with the terms of the Agreement. KnowledgeOwl may Process Personal Data other than on the written instructions of Customer if it is required under applicable law to which KnowledgeOwl is subject. In this situation, KnowledgeOwl shall inform Customer of such requirement before KnowledgeOwl Processes the Personal Data unless prohibited by applicable law. The objective of Processing of Personal Data by KnowledgeOwl is the provision of the Services pursuant to the Agreement.
2.4 Customer acknowledges and agrees that KnowledgeOwl may engage Sub-processors to provide the Services set forth in the Agreement. KnowledgeOwl agrees that any agreement with an approved Sub-processor shall include data protection obligations no less protective than those set out in this DPA. KnowledgeOwl will notify the Customer of any intended change to Sub-processors, giving the Customer at least 10 business days to object in writing. KnowledgeOwl shall remain responsible for any approved Sub-processor’s compliance with the obligations of this DPA.
3. RIGHTS OF DATA SUBJECTS
3.1 To the extent Customer, in its use or receipt of the Services, does not have the ability to correct, amend, restrict, block or delete Personal Data, as required by Data Protection Laws, KnowledgeOwl shall promptly comply with reasonable requests by Customer to facilitate such actions to the extent KnowledgeOwl is legally permitted and able to do so.
3.2 KnowledgeOwl shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the processing of that person’s Personal Data. KnowledgeOwl shall not respond to any such Data Subject request without Customer’s prior written consent except to confirm that the request relates to Customer. To the extent that Customer responds to any such Data Subject request, KnowledgeOwl shall provide Customer with commercially reasonable cooperation and assistance, including by implementing appropriate technical and organizational measures, in relation to the handling of a Data Subject’s request, to the extent legally permitted.
4. KNOWLEDGEOWL PERSONNEL
4.1 KnowledgeOwl shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and are subject to obligations of confidentiality and such obligations shall survive the termination of that individual’s engagement with KnowledgeOwl.
4.2 KnowledgeOwl shall ensure that access to Personal Data is limited to personnel who require such access to fulfill KnowledgeOwl’s obligations under the Agreement.
5. SECURITY; AUDIT RIGHTS; PRIVACY IMPACT ASSESSMENTS
5.1 Pursuant to Article 28, Section 3(c) of the General Data Protection Regulation (“GDPR”), KnowledgeOwl shall take all measures required pursuant to Article 32 of the GDPR.
5.2 KnowledgeOwl will make available to Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by Customer or another auditor mandated by Customer.
5.3 KnowledgeOwl will reasonably cooperate with Customer to assist Customer in ensuring compliance with Articles 32 to 36 of the GDPR.
6. SECURITY BREACH MANAGEMENT AND NOTIFICATION
If KnowledgeOwl becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to any Personal Data transmitted, stored or otherwise Processed on KnowledgeOwl’s equipment or in KnowledgeOwl’s facilities (“Security Breach”), KnowledgeOwl will promptly: (i) notify Customer of the Security Breach in accordance with Section 7.2 below; (ii) investigate the Security Breach and provide Customer with all relevant information about the Security Breach; and (iii) take all steps to mitigate the effects and to minimize any damage resulting from the Security Breach.
7. RETURN AND DELETION OF PERSONAL DATA
Upon Customer’s request, KnowledgeOwl shall delete or return Personal Data to Customer and shall delete existing copies unless applicable European Union or Member State law requires storage of such data.
8. PRIVACY SHIELD
KnowledgeOwl agrees to apply the Privacy Shield Framework Principles issued by the U.S. Department of Commerce, located at https://privacyshield.gov/ (“Privacy Shield Principles”) to all Personal Data that Customer transfers to KnowledgeOwl that originates from the European Economic Area or Switzerland (“EEA Data”). For clarity, KnowledgeOwl agrees to (a) use EEA Data only for purposes specified by Customer; (b) notify Customer upon KnowledgeOwl’s determination that it can no longer apply the Privacy Shield Principles to EEA Data; and (c) upon such determination, cease use of EEA Data or take other reasonable and appropriate steps to apply the Privacy Shield Principles to EEA Data.
9. PARTIES TO THIS DPA
Nothing in this DPA shall confer any benefits or rights on any person or entity other than the parties to this DPA.
10. LEGAL AUTHORITY
Each of KnowledgeOwl and Customer mutually represents and warrants that (i) the person executing this DPA on its respective behalf has the legal authority to bind such party, and (ii) it has the right, power, and authority to (a) enter into this DPA, (b) make the representations and warranties contained herein, and (c) commit to and perform the respective duties, obligations and covenants set forth hereunder.