Data Processing Addendum

Data Processing Addendum

1. DEFINITIONS 

Capitalized terms used but not defined below or in Attachment 1 to this DPA will have the meanings set forth in the Master Agreement.

2. DATA PROCESSING AND PROTECTION

Limitations on Use. Coalesce will Process Personal Data only:

1. in a manner consistent with documented instructions from Customer, which will include Processing (i) as authorized or permitted under the Master Agreement, , and (ii) consistent with other reasonable instructions of Customer; and
2. as required by Data Protection Law, provided that Coalesce will inform Customer (unless prohibited by such Data Protection Law) of the applicable legal requirement before Processing pursuant to such Data Protection Law.

Confidentiality. Coalesce will ensure that persons authorized by Coalesce to Process any Personal Data are subject to appropriate confidentiality obligations.

Customer Obligations. Customer will not instruct Coalesce to perform any Processing of Personal Data that violates any Data Protection Law.

Security. Coalesce will protect Personal Data in accordance with requirements under Data Protection Law, including Articles 28(1) and 32 of the GDPR. Coalesce will use appropriate technical and organizational measures to protect Personal Data and the rights of Data Subjects, including the safeguards described in Section 3.5(b) of the Master Agreement. The measures will be appropriate to the nature of the Personal Data and will meet or exceed prevailing industry standards.

Return or Disposal. At the choice of Customer, Coalesce will delete or return (or will enable Customer via the Coalesce Services to delete or retrieve) all Personal Data after the end of the provision of Coalesce Services (unless Data Protection Law requires the storage of such Personal Data by Coalesce).

3. DATA PROCESSING ASSISTANCE

Data Subject’s Rights Assistance. Where required of Coalesce by applicable Data Protection Law, and taking into account the nature of the Processing of Personal Data by Coalesce under the Master Agreement, Coalesce will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, to assist Customer in its fulfillment of its obligations to respond to requests for exercising a Data Subject’s rights under Chapter III of the GDPR.

Further Assistance. Taking into account the nature of Processing and the information available to Coalesce, Coalesce will assist in Customer’s efforts to ensure Coalesce’s compliance with Articles 32 to 36 of the GDPR by facilitating Customer’s exercise of audits pursuant to Section 4 of this DPA.

Personal Data Breach Notice and Assistance. Where required of Coalesce by applicable Data Protection Law, Coalesce will notify Customer without undue delay after becoming aware of a Personal Data Breach. Coalesce will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any notification obligations imposed under Data Protection Law in connection with any Personal Data Breach, including by providing notice to Customer regarding: (a) the nature of the Personal Data Breach, including where possible the categories and approximate numbers of affected Data Subjects and Personal Data records concerned; (b) the likely consequences of the Personal Data Breach; (c) any measures taken or proposed to be taken to address the Personal Data Breach. Customer is solely responsible for complying with any Personal Data Breach notification requirements applicable to Customer under Data Protection Law and fulfilling any third-party notification obligations related to any Personal Data Breach.

4. AUDITS

Where required of Coalesce by applicable Data Protection Law, Coalesce will allow for and contribute to audits conducted by Customer, or another auditor mandated by Customer that is reasonably acceptable to Coalesce, in accordance with the terms of this Section 4. Any such audit will be limited to what is reasonably necessary to verify Coalesce’s compliance with this DPA, and must occur during Coalesce’s normal business hours. Customer will only have the right to audit Coalesce once per 12-month period. In connection with any such audit, the auditor will: (a) observe reasonable on-site access and other restrictions reasonably imposed by Coalesce; (b) comply with reasonable and applicable on-site policies and procedures provided by Coalesce; and (c) not unreasonably interfere with Coalesce’s business activities. Customer will provide written communication of any audit findings to Coalesce, and the results of the audit will be the confidential information of Coalesce. Customer will provide no less than thirty (30) days’ advance notice of its request for any such audit, and will cooperate in good faith with Coalesce to schedule any such audit on a mutually agreed upon date and time (such agreement not to be unreasonably withheld by either party). Customer will be responsible for any fees charged by any auditor appointed by Customer to execute any such audit.

5. SUBPROCESSORS

Customer hereby grants Coalesce general written authorization to engage subprocessors to carry out specific Processing activities on behalf of Customer.  Coalesce will provide Customer with notice of any intended changes concerning the addition or replacement of its subprocessors, and, where required of Coalesce by applicable Data Protection Law, provide Customer with the opportunity to object to such changes. If Customer objects to such changes, Coalesce may terminate the Agreement immediately upon notice to Customer.

6. DATA TRANSFERS 

With respect to the transfer of Personal Data from the European Economic Area, the United Kingdom or Switzerland to a country not deemed to provide an adequate level of protection, the Parties will conduct such data transfer pursuant to the Standard Contractual Clauses (which will be deemed executed by the Parties as of the effective date of the Master Agreement), and the following terms will apply: (a) Customer will be referred to as the “Data Exporter” and Coalesce will be referred to as the “Data Importer” in such clauses with relevant name and address details from the Master Agreement being used accordingly; (b) details in the Master Agreement and  this DPA will be used to complete Appendix 1 of those clauses; (c) details in Section 2 of this DPA will be used to complete Appendix 2 of those clauses; and (d) if there is any conflict between this DPA or the Master Agreement and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.  “Standard Contractual Clauses” means Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal information to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593) (the text of which is available at: https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087).

7. MISCELLANEOUS

The terms of this DPA will control to the extent there is any conflict between terms of this DPA and the terms of the Master Agreement. Except as specifically amended and modified by this DPA, the terms and provisions of the Master Agreement remain unchanged and in full force and effect. Without limiting the foregoing, the governing law clause and forum selection clause of the Master Agreement will apply to any disputes arising out this DPA. This DPA may be executed in several counterparts (including delivery via facsimile or electronic mail), each of which will be deemed to be an original but all of which together will constitute one and the same instrument.