This Data Processing Addendum (“DPA”) amends and forms part of the written agreement between ScreenSteps, Inc. (“Company”) and the customer (“Customer”) titled Master Services Agreement or Terms of Service (the “Agreement”). This DPA prevails over any conflicting term of the Agreement to the extent necessary to resolve the conflict.
-
Definitions. In this DPA:
- “Controller”, “Data Subject”, “Joint Controller” “Personal Data”, “Personal Data Breach”, “Processor”, “Processing”, and “Supervisory Authority” have the meaning given to them in Data Protection Law.
- “Customer Personal Data” means any Personal Data subject to Data Protection Law that is Processed by Company in the context of the Agreement.
- "Data Protection Law” means all applicable data protection and privacy legislation in force in the US, Switzerland, the UK, and the EEA at the time of signing the agreement, as well as any successor legislation, and all other relevant legislation and regulatory requirements that apply to a party concerning the use of personal data, including, without limitation, the Data Protection Act 2018 (UK GDPR), Regulation (EU) 2016/679 (EU GDPR), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (UK PECR), and the EU Directive 2002/58/EC (EU e-Privacy), as well as all other data protection laws, regulations, and regulatory guidance of Europe, as may be amended or replaced from time to time."
- “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner's Office under S119(A) of the UK Data Protection Act 2018, as may be amended, superseded, or replaced from time to time.
- “Europe” means Switzerland, the United Kingdom, the European Union and the European Economic Area.
- “Subprocessor” means a third party engaged by Company to further Process the Customer Personal Data.
- Scope. This DPA applies to Processing of Customer Personal Data by Company. The subject matter, duration, nature and purpose of the Processing, the types of Customer Personal Data and categories of Data Subjects are set out in the Agreement and this DPA, and Appendix 1.
- Roles. Customer is a Controller and appoints Company as a Processor on behalf of Customer. Customer must comply with the requirements of Protection Law applicable to Controllers. To the extent that Company is a Processor on behalf of other Controller(s), or a Joint Controller, then Customer: is the single point of contact for Company; must obtain all necessary authorizations from such other Controller(s); undertakes to issue all instructions and exercise all rights on behalf of such other Controller(s); and must comply with the requirements of Data Protection Law applicable to Processors.
- Instructions. Except if, and to the extent that, Company is acting as a Joint Controller, Company will only Process Customer Personal Data on documented instructions of Customer and is prohibited from Processing Customer Personal Data for any other purpose except to the extent required by Data Protection Law, and in such a case Company shall inform Customer of that legal requirement before processing unless prohibited to do so by Data Protection Law on important grounds of public interest. Customer’s instructions are documented in this DPA, the Agreement, and any relevant product or service documentation. Customer may reasonably issue additional written instructions. Company may charge a reasonable fee to comply with any additional instructions.
- Subprocessing. Company shall not engage Subprocessors without prior specific or general written authorization of Customer. Customer hereby provides general authorization for Company to engage the Subprocessors listed at https://trust.screensteps.com/subprocessors, provided that Company shall notify Customer of any intended changes concerning the addition or replacement of Subprocessors in order to allow Customer to object to such changes. The Customer agrees to subscribe to such notifications through the ScreenSteps Trust Center located at https://trust.screensteps.com/subprocessors. If Customer notifies Company of its objection to the intended change based on reasonable grounds relating to a potential or actual violation of Data Protection Law by providing written notice detailing the grounds of such objection within fifteen (15) days of receiving notice of the intended change, Customer and Company will work together in good faith to address the objection. If Company chooses to engage the Subprocessor objected to by Customer, Customer may terminate the Agreement within fifteen (15) days. Company must impose the same obligations, by way of a written agreement, on any Subprocessors as this DPA imposes on Company. If any Subprocessor fails to fulfill its obligations under Data Protection Law, this DPA, or the Agreement, Company will be fully liable to Customer for the performance of such obligations.
- International Data Transfers. Company must obtain Customer’s specific prior written authorization to transfer Customer Personal Data outside of Europe. Customer hereby authorizes Company to transfer Customer Personal Data outside of Europe in accordance with Data Protection Law, including on the basis of an adequacy decision, or appropriate safeguards in accordance with Data Protection Law. If Company’s compliance with Data Protection Law applicable to such transfers is affected by circumstances outside of Company’s control, including if a legal instrument for such transfers is invalidated, amended, or replaced, then Customer and Company will work together in good faith to reasonably resolve such non-compliance.
- Standard Contractual Clauses. By signing this DPA, Customer and Company conclude the European Commission’s standard contractual clauses for the transfer of Customer Personal Data to processors established in third countries annexed to European Commission Decision 2010/87/EU of 5 February 2010 (OJ L 39, 12.2.2010, p. 5-18), (hereinafter referred to as “SCC”), which are hereby incorporated into this DPA by reference and completed as follows: the “data exporter” is Customer; the “data importer” is Company; the governing law in SCC Clause 9 and Clause 11.3 is the law of the descriptions referred to in SCC Appendix 1 and 2 to the clauses are included in Appendix 1 and 2 to this DPA, respectively; and the optional SCC indemnification clause is struck. If the European Commission amends or replaces the incorporated standard contractual clauses, then Customer or Company may unilaterally replace the incorporated clauses with the European Commission’s new clauses upon thirty (30) days written notice to the other party.
- UK Addendum. This UK Addendum applies to the processing of personal data of data subjects located in the United Kingdom (UK). If personal data of UK data subjects is transferred from the UK to a recipient outside the UK, such transfers will be governed by the Standard Contractual Clauses (SCCs) as adopted by the European Commission, supplemented by this UK Addendum. The UK Addendum is deemed incorporated into this Data Processing Agreement (DPA) and will be considered an appropriate safeguard for ensuring compliance with UK data protection laws. Both parties agree to adhere to the provisions of the UK Addendum and to ensure that all transfers of UK personal data comply with applicable UK data protection regulations.
- Security. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Company must implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing, including, at a minimum, the measures required by Data Protection Law. Company shall also implement the security measures listed in Appendix 2. Customer acknowledges that the security measures in Appendix 2 are appropriate in relation to the risks associated with Customer’s intended Processing and will notify Company prior to any intended Processing for which Company’s security measures may not be appropriate.
- Personal Data Breach. Company will notify Customer without undue delay after becoming aware of a Personal Data Breach involving Customer Personal Data. Company will immediately investigate and identify the causes and effects of the Personal Data Breach and take measures to prevent and mitigate further effects. Company will take any other action necessary to remedy the Personal Data Breach.
- Confidentiality. Company must keep all Customer Personal Data, and all information relating to the Processing thereof, in strict confidence. Company must ensure that all personnel authorized to Process Customer Personal Data are subject to a contractual or statutory obligation of confidentiality.
- Assistance. Taking into account the nature of the Processing, and the information available to Company, Company shall assist Customer, including by implementing appropriate technical and organizational measures, with the fulfillment of Customer’s own obligations under Data Protection Law. Company must immediately inform Customer of any request, complaint, or other inquiry regarding the Customer Personal Data or the Processing thereof. Company may charge a reasonable fee for assistance under this Section. If Company is at fault, then Company and Customer shall each bear their own costs related to assistance.
- Accountability. Company will comply with this DPA and Data Protection Law and will demonstrate such compliance to Customer upon request. Company must immediately inform Customer if: (1) Company is unable to comply with this DPA or Data Protection Law; or (2) Company believes that an instruction of Customer violates Data Protection Law.
- Audit. Upon Customer’s written request at reasonable intervals, and no more than once per calendar year, Company will make available to Customer, consistent with the Agreement, a copy of all third-party certifications and/or audits, in their then-most-current form and reasonably redacted to remove commercially sensitive information, that relate to Company’s compliance with data protection, privacy, or information security standards or requirements. If, under a reasonable interpretation, the documentation provided by Company clearly fails to demonstrate Company’s compliance with applicable data protection law, Customer may make a written request for additional information from Company relating to Company’s compliance with those provisions and/or aspects of applicable data protection law that Customer expressly identifies as the object of its concern. If further information provided by Company does not reasonably address Customer’s concern(s), Customer may request an audit of Company’s procedures related to the protection of Customer Personal Data, provided that any such audit is preceded by at least thirty (30) days’ notice, is conducted during Company’s business hours, and is conducted without disruption to Company’s operations. Company agrees to permit and reasonably contribute to such audit, while complying with its confidentiality obligations. Customer agrees to bear all the costs associated with such audit and to reimburse Company at commercially reasonable rates for any time expended by Company, its Processors or Subprocessors providing assistance in connection with the audit. Company will inform Customer if Company believes that Customer's instruction under this Section infringes Data Protection Law. Company may suspend the audit or inspection or withhold requested information until Customer has modified or confirmed the lawfulness of the instructions in writing.
- Liability. To the extent permitted by applicable law, where Company has paid damages or fines, Company is entitled to claim back from Customer that part of the compensation, damages or fines, corresponding to Customer’s part of responsibility for the damages or fines.
- Notifications. Company must make all notifications, including security-related notifications, required under this DPA at least to the email address of Admin users registered with the Customer’s account within the Company web application. Customer must make all notifications required under this DPA to privacy@screensteps.com.
- Term and duration of Processing. The Processing will last no longer than the term of the Agreement. Upon termination of the Processing, Company must, at Customer’s choice, delete or return all Customer Personal Data and must delete all remaining copies within one hundred and eighty (180) days after confirmation of Customer’s choice. Company may charge a reasonable fee to return data.
- Modifications. This DPA may only be modified by a written amendment signed by both Customer and Company, with the exception of changes to the Appendices, which may be amended by unsigned written agreement.
- Invalidity and severability. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.
APPENDIX 1 - Description of the Processing
This Appendix forms part of the Clauses
1. Data exporter
Name: The Customer, as defined in the Master Services Agreement or in the owner of the account that Customer has created with Company.
Address: The Customer's address, as set out in the Master Services Agreement or in the billing address associated with the account that Customer has created with Company.
Contact person’s name, position and contact details: The Customer's contact details, as defined in the Master Services Agreement or in the owner of the account that Customer has created with Company.
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the ScreenSteps Subscription Services under the ScreenSteps Customer Terms of Service
Role (controller/processor): Controller (either as the Controller; or acting in the capacity of a Controller, as a Processor, on behalf of another Controller)
2. Data importer
Name: ScreenSteps, Inc.
Address: PO Box 801, McLean, Virginia 22101, US
Contact person’s name, position and contact details: Privacy Team (privacy@screensteps.com).
Activities relevant to the data transferred under these Clauses: Processing of Personal Data in connection with Customer's use of the ScreenSteps Subscription Services under the ScreenSteps Customer Terms of Service
Role (controller/processor): Processor
3. Data Subjects
The Personal Data Processed concern the following categories of Data Subjects: contractors, agents, consultants, vendors, customers, customer employees.
4. Categories of Personal Data
The Personal Data Processed concern the following categories of data: name, email, job title, username, IP address.
5. Sensitive Data
The Personal Data Processed concern the following special categories of data: None.
6. Processing operations
The Personal Data will be subject to the following basic Processing activities: Personal Data contained in Company Account Data, Company Usage Data, Personal Data provided by Customer (including any Personal Data Customer collects from its end users and processes through its use of the Services).
APPENDIX 2 - Security Measures
Data Importer will, at a minimum, implement the following types of security measures:
See SOC 2 Report