This Data Processing Addendum (“DPA”) supplements the Onehub Terms of Service (available at https://www.onehub.com/terms-of-service, as updated from time to time by Onehub) (the “Agreement”) governing Customer’s use of Onehub’s services and product offerings (the “Services”). This DPA is an agreement between Onehub Inc. having its principal place of business at 1109 1st Avenue, Suite 406, Seattle, WA 98101 (“Company” or “Processor”), and the customer entity agreeing to the Onehub Terms of Service (“Customer” or “Controller”). This DPA is incorporated into and forms part of the Agreement, and except as expressly amended by the terms of this DPA, the terms and conditions of the Agreement remain unchanged and will continue in full force and effect.
Each party shall comply with the legal requirements under Data Protection Laws. “Data Protection Laws” means all applicable laws, rules, regulations, or implementing legislation that relate to the data privacy or security of personal data of individuals, including, as applicable: (A) the General Data Protection Regulation 2016/679 (“GDPR”), as well as any other applicable national rule and legislation on the protection of personal data in the European Union or any Member State that is already in force or that will come into force during the term of this DPA; (B) the United Kingdom Data Protection Act of 2018 and the GDPR as it forms part of UK domestic law under the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”); and (C) the California Consumer Privacy Act (“CCPA”), and any other data protection laws substantially amending, replacing, or superseding the CCPA. The terms “personal data,” “processing,” “personal data breach,” and “data subject”, or similar terms, have the meaning given in the Data Protection Laws.
Controller hereby instructs Processor to process personal data for providing the Services described in the Agreement and Annex 1 to this DPA.
Processor will process personal data only on behalf of Customer to deliver Services in accordance with the Agreement or Customer’s other documented instructions. Specifically, Processor shall only process personal data for the purpose of Processor providing the agreed upon Services under the Agreement. Processor shall not retain, use, or disclose Customer’s personal data: (a) for any purpose (including, but not limited to, any commercial purpose) other than to perform the Agreement or any related exhibits, schedules or statements of work; or (b) outside of the direct business relationship between Customer and Processor. Processor further warrants and represents that Processor will not: (i) sell (as defined in the CCPA) any personal data; (ii) retain, use, or disclose any personal data for any purpose other than for the specific purpose of providing the Services and as otherwise permitted by the CCPA, including not retaining, using, or disclosing personal data for a commercial purpose (as defined in the CCPA) other than provision of the Services; or (iii) retain, use, or disclose the personal data outside of the direct business relationship between Customer and Processor. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Processor’s access to personal data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
Processor certifies that it understands the restrictions set forth under this Section 1 and will at all times comply with them.
Processor undertakes to take the technical, organizational and structural measures necessary to ensure the security, integrity and confidentiality of the personal data it processes in connection with this DPA as described in Annex 2 to the DPA and this Section 2. In particular, Processor will take security measures to prevent any personal data breach, including with respect to:
- destruction, alteration, misuse or loss of the personal data made accidentally or without authorization of the Controller;
- disclosure of or access to the personal data in an accidental or non-authorized manner; or
- any form or purpose of processing of the personal data which would be unlawful, unauthorized or not provided for in this DPA.
- premises where personal data is processed are secured;
- authentication/identification mechanisms to access personal data on information systems are in place;
- a password policy is implemented and enforced;
- the network and the information systems are protected against intrusions and other attacks;
- backups of personal data are regularly performed; and
- the personnel and the staff of the third party processors processing personal data are properly trained on confidentiality, integrity, and availability measures.
Controller agrees that Processor may use subprocessors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. Annex 3 to the DPA lists sub-processors that are currently engaged by Processor to carry out processing activities with respect to Customer’s personal data. Controller generally authorizes Processor to engage subprocessors, provided that Processor:
- provides 10 days’ prior advance notice to Controller and gives Controller an opportunity to object to the addition or replacement of subprocessors (provided that Controller will not object except with reasonable cause);
- executes a written contract with each subprocessor with similar or more protective obligations and data protection measures than those contained in this DPA and Annex 2 to this DPA, and provides a copy of such contracts to Controller upon Controller’s written request; and
- remains fully responsible and liable for any actions and omissions of subprocessors.
Processor will comply with all requirements of this DPA and Data Protection Laws with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:
- ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required to protect Customer’s personal data, including, without limitation, implementing and maintaining reasonable safeguards appropriate to protect Customer’s personal data;
- process Customer’s personal data only on documented instructions from Customer, unless required to do so by law to which Vendor is subject; in such a case, the Vendor will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Laws; and
- assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
Processor will without undue delay, and within the period specified by applicable law, inform the Controller of any personal data breach. Processor will, at a minimum, provide the following details:
- the nature of the personal data breach; and
- an estimation of the number of data subjects involved, and, where possible, their names.
Upon termination of the Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:
- destroy all personal data processed and any copies thereof and certify to Controller on request that Processor has done so; or
- in accordance with Controller’s instructions, return all personal data processed and the copies thereof to Controller or other recipient identified by Controller.
- Processor may monitor and audit (either through self-audit or third-party audit) its own compliance with its obligations under Data Protection Laws and this DPA (“Company Audit”) and will provide Controller with such Company Audit (if one is performed) upon Controller’s written request (except that Processor will provide such Company Audit no more than once per calendar year).
- Upon Controller’s request, Processor shall, no more than once per calendar year make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the processing of Controller’s personal data. To the extent required by Data Protection Laws and if Controller requires information in addition to such reports, Processor shall make available to Controller on request all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Controller or an auditor mandated by Controller, not being competitors of Processor (“Mandated Auditor”) of any premises where the processing of Customer’s personal data takes place in order to assess compliance with this DPA (a “Customer Audit”). Processor shall provide reasonable cooperation to Controller with respect to a Customer Audit. Controller agrees that: (a) a Customer Audit may only occur during normal business hours, and where possible only after reasonable notice to Processor (not less than 20 days’ advance written notice); (b) a Customer Audit will be conducted in a manner that does not have any adverse impact on Processor’s normal business operations; (c) Controller and any Mandated Auditor will comply with Processor’s standard safety, confidentiality, and security procedures in conducting any Customer Audit; (d) any records, data, or information accessed by Controller or any Mandated Auditor in the performance of any Customer Audit will be deemed to be the Confidential Information of Processor; and (e) a Customer Audit shall be at the Customer’s sole cost and expense. If the controls or measures to be assessed in a request for a Customer Audit are addressed in a Company Audit, Controller agrees to accept such Company Audit in lieu of requesting a Customer Audit.
- Processor will assist Controller, to the extent reasonably possible, to comply with applicable law in a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller with any data protection impact assessment and consultation procedures, if any, that relate to the Services provided by Processor to Controller and the personal data that Processor handles for Controller.
- Processor will assist Controller with any data subject access, portability, correction, erasure or blocking requests and objections. If Processor receives any request from data subjects, data protection authorities, or others relating to its data processing, Processor will immediately inform Controller and assist Controller with developing a response (but Processor will not itself respond, except per instructions from Controller). Processor will also assist Controller with the resolution of any request or inquiries that Controller receives from data protection authorities relating to Processor and, if and to the extent requested by Controller, cooperate with any authorities’ requests.
Processor will notify Controller without undue delay:
- about any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and
- about any complaints and requests received directly from data subjects (e.g., regarding access, rectification, erasure, data portability, objection to processing of data, automated decision-making), and assist Controller with a response and resolution of the request, but not respond until Controller provides instructions.
With respect to any transfers of personal data originating from the European Economic Area or Switzerland to Processor in a country whose laws have not been deemed by the European Commission to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws, the parties agree to comply with the relevant terms of the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Transfer controller to processor) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this DPA by reference (the “EU SCCs”). The parties hereby agree that details in Annex 1 to this DPA will be used to complete Annex I of the EU SCCs, and details in Annex 2 to this DPA will be used to complete Annex II of the EU SCCs. In accordance with Clause 2 of the EU SCCs, the parties wish to supplement the EU SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to contradict the EU SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the EU SCCs, including without limitation the following:
- The instructions described in Clause 8.1(a) are as set forth in Sections 1 and 4(c) of this DPA.
- In the event a data subject requests a copy of the EU SCCs or this DPA in accordance with Clause 8.3 of the EU SCCs, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
- Certification of deletion of personal data under Clause 8.5 and Clause 16(d) of the EU SCCs shall be provided upon the written request of data exporter.
- Data importer shall be deemed in compliance with Clause 8.8 of the EU SCCs to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- Any information requests or audits provided for in Clause 8.9 of the EU SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.
- Pursuant to Clause 9(a) Option 2 of the EU SCCs, data exporter agrees that data importer may engage new subprocessors as described in Section 3 of this DPA. With respect to Clause 9 of the EU SCCs, the parties select the time period set forth in Section 3 of this DPA.
- The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the EU SCCs.
- The parties agree that, for purposes of Clause 13 of the EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
- Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clause 14(f) or Clause 16 of the EU SCCs.
- With respect to Clause 17 of the EU SCCs, the parties select the law of Ireland.
- With respect to Clause 18 of the EU SCCs, the parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.
- With respect to transfers of personal data originating from Switzerland: (i) the term “member state” as used in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; (ii) the EU SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Act of Data Protection (FADP) on or about 1 January 2023; (iii) references to the GDPR or other governing law contained in the EU SCCs shall also be interpreted to include the FADP; and (iv) the parties agree that the supervisory authority as indicated in Clause 13 and Annex I.C of the EU SCCs shall be the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.
With respect to any transfers of personal data originating from the United Kingdom to Processor in a country whose laws have not been deemed by the government of the United Kingdom to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws, the parties agree to comply with the relevant terms of the United Kingdom’s standard contractual clauses for international transfers from controllers to processors (available at: https://ico.org.uk/media/for-organisations/documents/2620100/uk-sccs-c-p-202107.docx), which are incorporated into this DPA by reference (the “UK SCCs”). The parties hereby agree that details in Annex 1 to this DPA will be used to complete Appendix 1 of the UK SCCs, and details in Annex 2 to this DPA will be used to complete Appendix 2 of the UK SCCs. In accordance with Clause 10 of the UK SCCs, the parties wish to supplement the UK SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to overlap or contradict the UK SCCs (whether directly or indirectly), reduce the level of protection that the data importer is required to provide for personal data, or to reduce the rights of data subjects or make it more difficult for them to exercise their rights. Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the UK SCCs, including without limitation the following:
- In the event a data subject requests a copy of the UK SCCs or this DPA in accordance with Clause 4(h) of the UK SCCs, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
- The instructions described in Clause 5(a) are as set forth in Section 1 of this DPA.
- Any information requests or audits provided for in Clauses 5(f) and 12(2) of the UK SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.
- Pursuant to Clause 5(h) of the UK SCCs, data exporter acknowledges and expressly agrees that data importer may engage new subprocessors as described in Section 3 of this DPA.
- Copies of any subprocessor agreements required to be sent to data exporter under Clause 5(j) of the UK SCCs shall only be sent upon data exporter’s written request. The parties agree that data importer may remove or redact all commercial information unrelated to the UK SCCs or their equivalent beforehand.
- Certification of deletion of personal data as described in Clause 12(1) of the UK SCCs shall be provided upon the written request of data exporter.
- Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clauses 5(a) and 5(b) of the UK SCCs.
- The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 6(2) of the UK SCCs.
- All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.
- In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this DPA, this DPA, and then the Agreement.
- This DPA shall not restrict the Data Protection Laws. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
- This DPA shall commence on the date that the Onehub Terms of Service are deemed agreed to by the Customer.