Data Processing Agreement
1. Scope, Order of Precedence, and Term
1.1 This Data Processing Agreement ("DPA") is an addendum to the Customer Terms of Service ("Agreement") between North Commerce and Distribution SRO ("apire.io") and the Customer. apire.io and Customer are individually a "party" and, collectively, the "parties."
1.2 This DPA applies where and only to the extent that apire.io processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.
1.3 The duration of the Processing covered by this DPA shall be in accordance with the duration of the Agreement.
2. Definitions
2.1 The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
2.2 The following terms have the definitions given to them in the CCPA: "Business," "Sell," "Service Provider," and "Third Party."
2.3 "Controller" means the entity that determines the purposes and means of the Processing of Personal Data. "Controller" includes equivalent terms in other Data Protection Laws, such as the CCPA-defined term "Business" or "Third Party," as the context requires.
2.4 "Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement as it relates to the Customer, including Regulation 2016/679 (General Data Protection Regulation) ("GDPR"), and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) ("CCPA").
2.5 "Data Subject" means an identified or identifiable natural person.
2.6 "De-identified Data" means a data set that does not contain any Personal Data. Aggregated data is De-identified Data. To "De-identify" means to create De-identified Data from Personal Data.
2.7 "EEA" means the European Economic Area.
2.8 "Standard Contractual Clauses" means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
2.9 "Personal Data" means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. "Personal Data" includes equivalent terms in other Data Protection Law, such as the CCPA-defined term "Personal Information," as context requires.
2.10 "Personal Data Breach" means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
2.11 "Process" or "Processing" means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
2.12 "Processor" means an entity that processes Personal Data on behalf of another entity. "Processor" includes equivalent terms in other Data Protection Law, such as the CCPA-defined term "Service Provider," as context requires.
2.13 "Sensitive Data" means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health, including protected health information governed by the Health Insurance Portability and Accountability Act; data concerning a natural person's sex life or sexual orientation; government identification numbers (e.g., SSNs, driver's license); payment card information; nonpublic personal information governed by the Gramm Leach Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject's account; and precise geolocation.
2.14 "Subprocessor" means a Processor engaged by a party who is acting as a Processor.
3. Description of the Parties' Personal Data Processing Activities and Statuses of Parties
3.1 Schedules 1-3 attached hereto describe the purposes of the parties' Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.
3.2 Schedules 1-3 list the parties' statuses under relevant Data Protection Law.
4. International Data Transfer
4.1 With respect to Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom that Customer transfers to apire.io or permits apire.io to access, the parties agree that by executing this DPA, they also execute the Standard Contractual Clauses, which will be incorporated by reference and form an integral part of this DPA. The parties agree that with respect to the elements of the Standard Contractual Clauses that require the parties' input, Schedules 1-3 contain all the relevant information.
5. Data Protection Generally
5.1 Compliance. The parties will comply with their respective obligations under the Data Protection Law and their privacy notices.
5.2 Customer Processing of Personal Data. Customer represents and warrants that it has the consent or other lawful basis necessary to collect Personal Data in connection with the Services.
5.3 Cooperation.
5.3.1 Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to Data Subjects' requests to exercise rights that those Data Subjects may be entitled to under the Data Protection Law.
5.3.2 Governmental and Investigatory Requests. The Customer will promptly notify apire.io if the Customer receives a complaint or inquiry from a regulatory authority indicating that apire.io has or is violating Data Protection Law.
5.3.3 Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations (if any) to conduct data protection impact assessments or prior consultations with data protection authorities.
5.4 Confidentiality. The parties will ensure that their employees, independent contractors, agents, and representatives are subject to an obligation to keep Personal Data confidential and have received training on data privacy and security that is commensurate with their responsibilities and the nature of the Personal Data.
5.5 De-identified, Anonymized, or Aggregated Data. The parties may create De-identified Data from Personal Data and Process the De-identified Data for any purpose.
6. Data Security
6.1 Security Controls. Each party will maintain a written information security policy that defines security controls that are based on the party's assessment of risk to Personal Data that the party Processes and the party's information systems. Apire.io security controls are described in Schedule 2.3 and Schedule 3.4.
7. apire.io Obligations as a Processor, Subprocess or, or Service Provider
7.1 apire.io will have the obligations set forth in this Section 7 if it P
processes Personal Data in its capacity as the Customer's Processor or Service Provider; for clarity, these obligations do not apply to apire.io in its capacity as a Controller, Business, or Third party.
7.2 Scope of Processing.
7.2.1 apire.io will process personal data to provide services to Customers under the Agreement and comply with applicable law. apire.io will notify the Customer if the law changes and those changes cause apire.io not to be able to comply with the Agreement.
7.3 Data Subjects' Requests to Exercise Rights. apire.io will promptly inform Customer if apire.io receives a request from a Data Subject to exercise their rights with respect to their Personal Data under applicable Data Protection Law. The Customer will be responsible for responding to such requests. apire.io will not respond to such Data Subjects except to acknowledge their requests. apire.io will provide Customer with commercially reasonable assistance, upon request, to help Customer respond to a Data Subject's request.
7.4 apire.io Subprocesses.
7.4.1 Existing Subprocesses. The Customer agrees that apire.io may use the Subprocesses listed in Schedule 3.
7.4.2 Use of Subprocesses. Customer grants apire.io general authorization to engage Subprocesses if apire.io and a Subprocess or enter into an agreement that requires the Subprocess or to meet obligations that are no less protective than this DPA.
7.4.3 Notification of Additions or Changes to Subprocesses. apire.io will notify the Customer of any additions to or replacements of its Subprocesses via email or other contact methods and make that list available at the Customer's request. apire.io will provide the Customer with at least 30 days to object to the addition or replacement of Subprocesses in connection with apire.io performance under the Agreement, calculated from the date when the Customer is provided notice. If Customer reasonably objects to the addition or replacement of apire.io' Subprocess or, apire.io will immediately cease using that Subprocess or in connection with apire.io Services under the Agreement, and the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Customer's reasonable objection (which deadline the parties may extend by written Agreement), Customer may terminate the Agreement and/or any statement of work, purchase order, or other written agreements. The parties agree that apire.io has sole discretion to determine whether Customer's objection is reasonable; however, the parties agree that Customer's objection is presumptively reasonable if the Subprocess or is a competitor of Customer and Customer has a reason to believe that competitor could obtain a competitive advantage from the Personal Data apire.io discloses to it, or Customer anticipates that apire.io use of the Subprocess or would be contrary to law applicable to Customer.
7.4.4 Liability for Subprocesses. apire.io will be liable for the acts or omissions of its Subprocesses to the same extent as apire.io would be liable if performing the services of the Subprocess or directly under the DPA, except as otherwise set forth in the Agreement.
7.5 Personal Data Breach. apire.io will notify Customer without undue delay of a Personal Data Breach affecting Personal Data apire.io Processes in connection with the Services. Upon request, apire.io will provide information to Customer about the Personal Data Breach to the extent necessary for Customer to fulfill any obligations it has to investigate or notify authorities, except that apire.io reserves the right to redact information that is confidential or competitively sensitive. Notifications will be delivered to the email address the Customer provides in the Customer's account. The Customer agrees that email notification of a Personal Data Breach is sufficient. apire.io agrees that it will notify the Customer if it changes its contact information. Customer agrees that apire.io may not notify Customer of security-related events that do not result in a Personal Data Breach.
7.6 Deletion and Return of Personal Data. Upon deactivation of the Services, all Personal Data shall be deleted, save that this requirement shall not apply to the extent apire.io is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on backup systems, which such Personal Data apire.io shall securely isolate and protect from any further processing, except to the extent required by applicable law.
7.7 Audits.
7.7.1 apire.io shall maintain records of its security standards. Upon Customer's written request, apire.io shall provide (on a confidential basis) copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by Customer to verify apire.io compliance with this DPA. apire.io shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires that Customer (acting reasonably) considers necessary to confirm apire.io compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
7.7.2 To the extent the Standard Contractual Clauses apply and the Customer reasonably argues and establishes that the above documentation and/or other third-party audit reports are not sufficient to demonstrate compliance with the obligations laid down in this DPA, the Customer may execute an audit as outlined under Clause 8.9 of the Standard Contractual Clauses accordingly, provided that in such an event, the parties agree: (a) Customer is responsible for all costs and fees relating to such audit (including for time, cost and materials expended by apire.io); (b) a third party auditor must be mutually agreed upon between the parties to follow industry standard and appropriate audit procedures; (c) such audit must not unreasonably interfere with apire.io business activities and must be reasonable in time and scope; and (d) the parties must agree to a specific audit plan prior to any such audit, which must be negotiated in good faith between the parties. For the avoidance of doubt, nothing in this Section 7.7.2 modifies or varies the Standard Contractual Clauses, and to the extent a competent authority finds otherwise, or any portion of Section 7.7.2 is otherwise prohibited, unenforceable or inappropriate in view of the Standard Contractual Clauses, the relevant portion shall be severed, and the remaining provisions hereof shall not be affected.
Schedule 1: Description of the Processing and Subprocesses
Processing Activity
Status of the Parties
Categories of Personal Data Processed
Categories of Sensitive Data Processed
Frequency of Transfer
Applicable SCCs Module
Customer discloses Personal Data to apire.io to provide, operate, and maintain apire.io Services.
-
The Customer is a Controller.
-
apire.io is a Controller.
Account registration, payment information, user content, communications, cookies, and other tracking technologies, usage of Services, and third-party accounts.
None
Continuous
Module 1
The Customer discloses personal data to improve, analyze, and personalize apire.io Services.
The Customer is a Controller.
apire.io is a Controller.
Account registration, payment information, user content, communications, cookies, and other tracking technologies, usage of Services, and third party accounts.
None
Continuous
Module 1
Customer contacts apire.io for support.
Customer is a Controller.
apire.io is a Controller.
Account registration, payment information, user content, communications, usage of Services, and third party accounts.
None
Continuous
Module 1
The customer stores end-user data on apire.io Services.
apire.io is a Processor.
The customer is a Controller or processor to a controller.
As determined by Customer.
As determined by Customer.
As determined by Customer.
Module 2
or Module 3 (if Customer is a processor to another controller)
Schedule 2: Controller-to-Controller Information for International Data Transfers
1. Retention Periods
apire.io retains Personal Data it collects as a Controller for as long as apire.io has a business purpose for it or for the longest time allowable by applicable law.
2. Information for International Transfers
For the purposes of the Standard Contractual Clauses:
Clause 11(a), Module 1: The parties do not select the independent dispute resolution option.
Clause 17, Module 1: The parties select Option 1. The Member State is the Netherlands.
Clause 18(b), Module 1: The Parties agree that those shall be the courts of the Netherlands.
Annex I(A): The data exporter is the Customer. The data importer is apire.io. Contact details for Customer are the email address(s) designated by Customer in Customer's apire.io account. Contact detail for apire.io https://www.apire.io/privacy-policy
Annex I(B): The parties agree that Schedule 1 describes the transfer.
Annex I(C): The competent supervisory authority is the supervisory authority of The Dutch Data Protection Authority (Authorities Persona ge evens)
Annex II: The parties agree that Schedule 2.3 describes the technical and organizational measures applicable to the transfer.
For definitions of these terms, please review our Privacy Policy (Section 1)
3. Technical and Organizational Measures
Technical and Organizational Security Measure
Evidence of Technical and Organizational Security Measure
Measures of pseudonymization and encryption of personal data
apire.io databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer's software application and apire.io using TLS v1.2.
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
apire.io uses a variety of tools and mechanisms to achieve high availability and resiliency. apire.io infrastructure spans multiple fault-independent availability zones in geographic regions physically separated from one another. apire.io infrastructure is able to detect and route around issues experienced by hosts or even whole data centers in real-time and employ orchestration tooling that has the ability to regenerate hosts, building them from the latest backup. apire.io also leverages specialized tools that monitor server performance, data, and traffic load capacity within each availability zone and colocation data center. If suboptimal server performance or overloaded capacity is detected on a server within an availability zone or colocation data center, these tools increase the capacity or shift traffic to relieve any suboptimal server performance or capacity overload. apire.io is also immediately notified in the event of any suboptimal server performance or overloaded capacity.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
apire.io has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers' systems. The Customer Data Use Policy governs the requirements for the use of customer data in accordance with several industry standards.
apire.io conducts a variety of regular internal and external audits that are inclusive of security operations. For more information, please visit:
https://www.apire.io .io/trust/certification-reports/
Measures for User Identification and Authorization
Access control policies require that access to apire.io assets be granted based on business justification, with the asset owner's authorization and limits based on "need to know" and "least-privilege" principles. In addition, the policy also addresses requirements for the access management lifecycle, including access provisioning, authentication, access authorization, removal of access rights, and periodic access reviews. Documentation of these requirements is recorded and provided to external auditors for security certification testing.
Measures for the Protection of Data During Transmission
Measures for the protection of data during storage
Apire.io databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data stored by apire.io is encrypted in transit between the Customer's software application and apire.io using TLS v1.2.
Measures for ensuring the physical security of locations at which personal data are processed
apire.io data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with restricted access through badge-controlled gates.
CCTV is used to monitor physical access to data centers and information systems. Cameras are positioned to monitor perimeter doors, facility entrances, and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots and other areas of the facilities.
Measures for Ensuring Events Logging
Logging of service, user, and security events (web server logs, FTP server logs, etc.) is enabled and retained centrally. apire.io restricts access to audit logs to authorized personnel based on job responsibilities.
Audit logging procedures are reviewed as part of external audits for security standards.
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
apire.io has developed and implemented a security control environment designed to protect the confidentiality, integrity, and availability of customers' systems. apire.io performs an annual internal review of all security management policies and procedures. External auditors perform an annual review of these policies and procedures.
apire.io conducts a variety of regular internal and external audits that are inclusive of security operations. For more information, please visit https://www.apire.io .io/trust/certification-reports/.
Measures for ensuring data minimization
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Measures for allowing data portability and ensuring erasure
More information about how apire.io processes personal data is set forth in the Privacy Policy available at: https://www.apire.io .io/legal/privacy-policy/.
Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.
When apire.io engages a Subprocess or, apire.io and the Subprocess or, enter into an agreement with data protection obligations substantially similar to those contained in this Schedule. Each Subprocess or agreement must ensure that apire.io is able to meet its obligations to the Customer. In addition to implementing technical and organizational measures to protect personal data, sub-processors must (a) notify apire.io in the event of a Security Incident so apire.io may notify the Customer; (b) delete personal data when instructed by apire.io in accordance with Customer's instructions to apire.io; (c) not engage additional sub-processors without apire.io authorization; (d) not change the location where personal data is processed; or (e) process personal data in a manner which conflicts with Customer's instructions to apire.io.
Schedule 3: Controller-to-Processor and/or Processor-to-Processor Information for International Data Transfers
1. Subprocesses
apire.io uses Subprocesses when it acts as a Processor. The Customer authorizes Digital Ocean to use these Subprocesses consistent with Section 7.4. Subprocesses are available upon request at [email protected] .io.
2. Retention Periods
apire.io retains Personal Data it collects or receives from Customer as a Processor for the duration of the Agreement and consistent with its obligations in this DPA.
3. Information for International Transfers
For the purposes of the Standard Contractual Clauses:
Clause 9, Module 2(a): The parties select Option 2. The time period is five days.
Clause 11(a): The parties do not select the independent dispute resolution option.
Clause 17, Module 2: The parties select Option 2. The Member State of the data exporter is EU Member State the Customer is located in.
Clause 18(b), Module 2: The Parties agree that those shall be the courts of the EU Member State Customer is located in.
Annex I(A): The data exporter is the Customer. The data importer is apire.io. Contact details for Customer are the email address(s) designated by Customer in Customer's apire.io account. The contact details for apire.io are [email protected] .io.
Annex I(B): The parties agree that Schedule 1 describes the transfer.
Annex I(C): The competent supervisory authority is the supervisory authority of the Customer, who acts as a data exporter.
Annex II: The parties agree that Schedule 3.4 describes the technical and organizational measures applicable to the transfer.
4. Technical and Organizational Measures
Technical and Organizational Security Measure Evidence of Technical and Organizational Security Measure
Measures of pseudonymization and encryption of personal data
Measures for ensuring ongoing confidentiality, integrity, availability, and resilience of processing systems and services
Customer responsibility. Please see apire.io Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.apire.io .io/trust/faq/.
Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
Customer responsibility: It is the Customer's responsibility to backup and utilize redundancy mechanisms to protect their content data.
Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Measures for user identification and authorization
Measures for the protection of data during transmission
Measures for the protection of data during storage
Customer responsibility. Please see apire.io Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.nscpect.io/trust/faq/.
Measures for ensuring the physical security of locations at which personal data are processed
apire.io data centers are located in nondescript buildings that are physically constructed, managed, and monitored 24 hours a day to protect data and services from unauthorized access as well as environmental threats. All data centers are surrounded by a fence with restricted access through badge-controlled gates.
CCTV is used to monitor physical access to data centers and information systems. Cameras are positioned to monitor perimeter doors, facility entrances, and exits, interior aisles, caged areas, high-security areas, shipping and receiving, facility external areas such as parking lots, and other areas of the facilities.
Measures for ensuring event logging
Measures for internal IT and IT security governance and management
Measures for certification/assurance of processes and products
Measures for ensuring data minimization
Measures for ensuring data quality
Measures for ensuring limited data retention
Measures for ensuring accountability
Customer responsibility. Please see apire.io Trust Platform FAQ for more information on the Separation of Responsibilities: https://www.apire.io .io/trust/faq/.
Measures for allowing data portability and ensuring erasure
The Customer is able to export or delete Customer Content using the self-service features of the Services as set forth in the applicable documentation for the Services available at https://www.apire.io .io/trust/data-portability/
Technical and organizational measures to be taken by the [sub]-processor to provide assistance to the controller and, for transfers from a processor to a [sub]-processor, to the Customer.