Schedule to the Agreement
DATA PROCESSING AGREEMENT
(the "DPA")
BACKGROUND AND UNDERTAKINGS
The parties agree the following:
A. The "Customer" is a customer of Sandvik Machining Solutions AB (the "Processor") in relation to the Processor's provision of services under the TERMS OF SERVICE - CRIBWISE (the "Agreement"). Within the scope of the Agreement, the Processor will process personal data on behalf of Customer. This DPA constitutes a schedule to the Agreement and forms an integral part of the Agreement.
B. Within the scope of this DPA, Customer: (a) is the sole controller of Customer personal data which Processor processes on behalf of Customer; or (b) has been instructed by and obtained the authorization of the relevant Customer Affiliate(s) to agree to the processing of personal data by Processor as set out in this DPA. Processor will process personal data on behalf of Customer in accordance with what is set forth in Annex 1.
C. Notwithstanding any priority clauses in the Agreement, this DPA is subject to the non-conflicting terms of the Agreement. With regard to the subject matter of this DPA, in the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties' data protection obligations.
D. In its capacity as processor, Processor may provide Hosting Services and/or Support and Maintenance Services. Due to the nature of said services, the Processor's obligations herein may vary depending on which services the Processor provides under the Agreement. Such specific obligations shall be explicitly clarified in this DPA. Where no limitation to Hosting Services or Support and Maintenance Services is stated, all provisions of this DPA will apply.
1. Definitions
In this DPA, the following terms have the meanings set forth below:
"Agreement" means the underlying agreement entered into between the parties as described in recital A above;
"Applicable Data Protection Laws" means laws and regulations under EU law, including the General Data Protection Regulation "GDPR" (2016/679/EU), and relevant Member State laws that from time to time apply to the processing of personal data;
"Data Processing Agreement" means this DPA and all appendices attached hereto (as amended from time to time in accordance herewith);
"Customer Affiliate" means any entity which is controlled by Customer, which controls Customer, or which is under common control with Customer. For the purpose of this DPA, "control" of an entity means the direct or indirect ownership of more than fifty per cent (50%) of the shares or interests entitled to vote for the directors of such entity or equivalent power over the management of such entity, for so long as such entitlement or power exists;
"Hosting Services" means technology services offered to the Customer by Processor that host the physical servers running services for the Customer. Access to the service is usually provided through a direct network connection that may or may not run via the Internet;
"Processor Affiliate" means any entity which is controlled by Processor, which controls Processor, or which is under common control with Processor. For the purpose of this DPA, "control" of an entity means the direct or indirect ownership of more than fifty per cent (50%) of the shares or interests entitled to vote for the directors of such entity or equivalent power over the management of such entity, for so long as such entitlement or power exists;
"Third Country" means a country which is not a member of the European Union (EU) or the European Economic Area (EEA);
"Services" means the Hosting Services and/or the Support and Maintenance Services, including on premise services, as per the Agreement;
"Sub-Processor" means a Processor Affiliate or a third party engaged by Processor or a Processor Affiliate as a processor of personal data under this DPA; and
"Support and Maintenance Services" means support and maintenance provided by Processor under the Agreement.
For the purposes of this DPA, the terms recognized by the GDPR, such as "controller", "data subject", "processor", "processing", "personal data" and "personal data breach", shall have the meanings set forth therein.
2. General obligations of the Processor
2.1 Instructions. Customer instructs Processor to process personal data to provide the Services in accordance with the Agreement (including this DPA). Customer may provide additional, documented instructions to Processor to process personal data; however, Processor shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this DPA.
2.1.1 In the event Customer provides additional documented instructions regarding processing of personal data, which go beyond the scope of this DPA or the Agreement, or which require the Processor to take measures over and above the standard measures taken by the Processor in order to protect the personal data processed by the Processor, Processor is entitled to remuneration for any costs incurred by the Processor as a result of such additional instructions. In such case, Processor may send a quote of the additional costs to Customer.
2.1.2 If Processor notifies Customer that an additional instruction is not feasible, or Customer notifies Processor that it does not accept the quote for the additional instruction, Customer may terminate, wholly or partly (if possible), the affected Services one month after sending the Processor a written notification to terminate the affected Services. Processor will refund a prorated portion of any prepaid charges for the period after such termination date.
2.1.3 Notwithstanding what is stated in section 2.1.1 above, Processor is entitled to process the personal data to the extent it is necessary in order to comply with legal requirements under Applicable Data Protection Laws to which the Processor is subject. The Processor shall inform the Customer about such legal requirement before the processing, unless Applicable Data Protection Laws prohibit the Processor from providing the information.
2.2 Notwithstanding any provisions regarding choice of law agreed between the parties in the Agreement, Processor shall comply with Applicable Data Protection Laws applicable to processors. Customer shall comply with Applicable Data Protection Laws applicable to Customer as controller.
3. Security measures and assistance
3.1 With regard to Hosting Services, Processor shall implement appropriate technical and organizational measures as set forth in Processor's applicable security policy (available upon request) to ensure a level of security appropriate to the risk for Processor's scope of responsibility. Technical and organizational measures are subject to technical progress and further development. Accordingly, Processor reserves the right to modify such measures provided that the functionality and security of the Services are not degraded.
3.2 With regard to Support and Maintenance Services, Processor shall take appropriate technical and organizational measures to protect the personal data that is processed when the Processor is carrying out the Support and Maintenance Services, including measures to ensure that personal data is not unnecessarily copied or otherwise stored in the Processor's systems.
3.3 Processor shall, upon the Customer's request and taking into account the nature of the processing and the information available to the Processor, provide information to the Customer in order to allow the Customer to fulfil its obligations to, where applicable, carry out data protection impact assessments (DPIAs) and prior consultations with the relevant supervisory authority under Applicable Data Protection Laws in relation to the processing of personal data covered by the Services. Processor is entitled to compensation from the Customer for any costs and expenses relating to the Processor's assistance in accordance with the Customer's request pursuant to this section 3.3.
3.4 With regard to Hosting Services, Processor shall take measures to ensure that access to personal data is limited to such employees of the Processor who need access to the personal data in order for the Processor to fulfil its obligations under the Agreement and the DPA.
3.5 With regard to the Support and Maintenance Services, Processor shall take measures to ensure that access to personal data is limited to such employees of the Processor who need access in order to provide the Support and Maintenance Services. When a support or maintenance matter is closed, Customer shall restrict the Processor's employees' access to the personal data accessed within the scope of the support or maintenance matter.
3.6 Processor shall ensure that all employees authorized to access and process personal data observe confidentiality not less restrictive than the confidentiality undertaking set out in section 7 of this DPA.
4. Personal data breach
4.1 Hosting Services
4.1.1 In the event of a personal data breach involving personal data processed on behalf of Customer and subject to this DPA, Processor shall notify Customer, in writing and without undue delay, after becoming aware of the personal data breach. Processor shall notify Customer by email.
4.1.2 The notification to the Customer shall include the following information:
4.1.2.1 a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; and
4.1.2.2 a description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.1.3 Where, and insofar as, it is not possible for the Processor to provide the information set out in section 4.1.2 above at the same time, the Processor may provide the information in phases without any further undue delay.
4.2 Support and Maintenance Services
4.2.1 If Processor discovers a personal data breach within the scope of the Support and Maintenance Services and such personal data breach is attributable to the Customer's processing of personal data, the Processor shall only be responsible for notifying Customer about the personal data breach and awaiting written instructions from Customer about whether Customer wishes that Processor shall investigate the personal data breach on behalf of Customer. If Customer requires further assistance from Processor, Processor shall be entitled to reasonable remuneration for such assistance.
4.2.2 If the personal data breach is attributable to Processor, then Processor shall without undue delay notify Customer after becoming aware of the personal data breach. Processor shall notify Customer by email and provide the following information:
4.2.2.1 a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; and
4.2.2.2 a description of the measures taken or proposed to be taken by Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.2.3 Where, and insofar as, it is not possible for Processor to provide the information set out in section 4.2.2 above at the same time, the Processor may provide the information in phases without any further undue delay.
5. Access to information and audit
5.1 Upon request, Processor shall provide Customer documentation reasonably necessary to demonstrate compliance with Applicable Data Protection Laws applicable to Processor.
5.2 Customer may conduct an on-site inspection of the technical and organizational measures that Processor has implemented to fulfil its obligations under this DPA provided that: (i) the documentary audit under section 5.1 above cannot reasonably demonstrate compliance with Applicable Data Protection Laws applicable to Processor; or (ii) a Supervisory Authority in the EEA requires inspection of the Processor. Customer shall notify Processor thirty (30) days prior to conducting such inspection.
5.3 For the avoidance of doubt, an inspection carried out in accordance with section 5.2 above shall only comprise such information that is strictly necessary in order for Customer to determine whether Processor takes appropriate technical and organizational measures to fulfil its obligations under this DPA and shall under no circumstances comprise any other information, e.g. regarding the Processor's business operations, other customers of Processor or intellectual property, which is not relevant to the Processor's processing of personal data on behalf of the Customer under this DPA.
5.4 The Parties acknowledge and agree that an on-site inspection must be conducted by a third party auditor jointly appointed by both Parties. The Customer shall ensure that such third party undertakes confidentiality in relation to any information that the third party receives within the scope of the inspection, such confidentiality undertaking being not less restrictive than the confidentiality undertaking in section 7 below. Further, the inspection must occur during normal business hours and only in a manner that causes minimal disruption to Processor's business. Customer shall be liable for any breach of such confidentiality undertaking by the third party. Any and all costs and expenses related to the inspection shall be borne by the Customer, including any potential costs and expenses incurred by the Processor due to the Processor's participation in such inspection.
6. Use of Sub-Processors
6.1 Customer hereby agrees that Processor or a Processor Affiliate may engage Sub-Processors to process personal data on behalf of Customer. Sub-Processors that are Processor Affiliates have entered into an Intra Group Data Transfer Agreement whereby Processor and Processor Affiliates have signed the Standard Contractual Clauses ensuring the legal transfer of personal data as controller and processor within Processor's group of companies. Processor or the relevant Processor Affiliate, as applicable, shall ensure the Sub-Processor has entered into a data processing agreement with obligations no less restrictive than those set out in this DPA.
6.2 Processor provides a list of its Sub-Processors in Annex 3 or directly on the Sub-Processor web page at https://app.cribwise.com/public/policies/sub_processors.html, stating the:
6.2.1 identity of the Sub-Processor (including full legal name and address);
6.2.2 type(s) of service(s) provided by the Sub-Processor; and
6.2.3 geographical location where the Sub-Processor will process personal data on behalf of Customer.
6.3 Processor shall provide Customer with a mechanism to obtain notice of any updates to such list.
6.4 Customer may object to a Sub-Processor processing Customer's personal data provided that such objection is reasonable and based on data protection grounds. If Processor is unable to accommodate Customer's objection, Customer may terminate, wholly or partly (if possible), the affected Services by providing Processor with a written notice within one month of Processor's notice. Processor will refund a prorated portion of any pre-paid charges for the period after such termination date.
6.5 Processor shall be liable for the acts and omissions of any Sub-Processors to the same extent as if the acts or omissions were performed by Processor.
7. Confidentiality
Without prejudice to any confidentiality undertakings in the Agreement, the Processor shall keep and maintain all personal data strictly confidential and not disclose personal data to any third party, unless otherwise authorized in advance in writing by the Customer or otherwise required by applicable laws or for the performance of this DPA and/or the Agreement.
8. Liability
8.1 The parties are liable jointly and severally in relation to claims from data subjects. The party compensating the data subject shall have a right to recourse in accordance with the provisions under Art. 82 of the GDPR.
8.2 The parties acknowledge and agree that neither party shall have an obligation to indemnify the other Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data Protection Laws.
8.3 For the purposes of section 8.2 above, both parties shall, to a reasonable extent, provide information to the other party which may be useful within the scope of a supervisory matter or a court proceeding.
8.4 For the purposes of section 8.1 above, each party's total liability shall be limited to an amount equal to the lowest of: (i) the total amount paid by Controller for the Services under the Agreement during the 12 months immediately preceding the date on which the claim arose; or (ii) any limitation cap provided for under the Agreement.
9. Rights of the data subject
9.1 If a data subject directs a request to Processor to exercise its rights under Applicable Data Protection Laws (Data Subject Rights), Processor shall refer the data subject to Customer. To the extent a data subject's personal data is not accessible to Customer through the Services, Processor will, as necessary to enable Customer to meet its obligations under Applicable Data Protection Laws, provide reasonable assistance to make such personal data available to Customer.
10. Return of personal data
10.1 Upon termination of the Agreement, and for any Customer personal data in Processor's or a Sub-Processor's possession, Processor shall delete or anonymize such personal data or, upon Customer's written request, return such personal data to Customer, unless Processor is obligated under applicable law to continue to store the personal data.
11. Transfer to and processing of personal data in a third country
11.1 Processor is entitled to transfer personal data under this DPA to a Third Country, provided that:
11.1.1 the Third Country, according to a decision issued by the EU Commission, provides an adequate level of protection for personal data;
11.1.2 Processor ensures that there are appropriate safeguards in place for the transfer in accordance with Applicable Data Protection Laws, such as the standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws; or
11.1.3 Processor is able to apply other legal mechanisms under Applicable Data Protection Laws for the transfer of the personal data.
11.2 For the purposes of section 11.1.2 above, the Customer hereby grants, to the extent permissible by applicable law, a power of attorney to Processor to execute any standard data protection clauses adopted by the EU Commission with any Sub-Processor that will process personal data on behalf of Customer, to the extent such processing will entail a transfer of personal data to a Third Country.
12. Term and termination
This DPA shall enter into force when the Agreement has been agreed by both parties and shall continue to apply during the term of the Agreement or the longer period during which Processor or a Sub-Processor processes personal data on behalf of Customer.
13. Miscellaneous
13.1 Assignment
Neither the rights nor the obligations of either Party under this DPA may be assigned in whole or in part without the prior written consent of the other Party. The Processor may however assign its rights and obligations under this DPA to a company within the Processor's group of companies, provided that such company can provide sufficient guarantees that the company will be able to comply with the provisions of this DPA.
13.2 Amendments
Additions and amendments to this DPA shall be in writing and duly signed by both Parties to be valid.
13.3 Entire agreement
Without prejudice to the Agreement, this DPA constitutes the entire agreement between the Parties on all issues to which the DPA relates. The contents of this DPA and its appendices supersede all previous written or oral commitments and undertakings between the Parties on the issues to which this DPA relates.
13.4 Headings
The division of this DPA into separate sections and the insertion of headings are for convenience only and shall not affect the interpretation of this DPA.
14. Applicable law and dispute resolution
14.1 This DPA shall be governed by and construed in accordance with Swedish law, without regard to any provisions regarding conflict of laws.
14.2 Any dispute arising out of or in connection with this DPA shall be finally settled in accordance with the dispute resolution provisions set forth in the Agreement, unless the Parties agree otherwise.
__________________
__________________
Annex 2
Security measures
How does CRIBWISE protect customer data? CRIBWISE is built for the cloud using industry-standard components, but can also be deployed on the customer's own servers.
A cloud provider's full-time job is to keep systems available, secure and updated with the latest software patches. Most in-house IT departments do not have the resources to ensure the same level of reliability and security.
Reliability – protecting your data from getting lost or corrupted
CRIBWISE uses Microsoft Azure Services, one of the most well-known cloud providers.
CRIBWISE has a backup/disaster recovery scheme in place.
Security – protecting your intellectual property from theft and leakage
All customer data is encrypted at rest and in transit, that is, both when stored and when being transferred.
Identity management is handled by the leading IAM provider Microsoft Azure.
The system is regularly scanned for security vulnerabilities.
The system is designed to not let data leak between customer accounts.
Privacy and GDPR compliance
CRIBWISE is fully GDPR compliant. All personally identifiable information is managed separately from production data and will be deleted according to the retention rules of CRIBWISE.
__________________
Annex 3
List of sub-processors