Data Processing Addendum
This Data Processing Addendum forms part of the Agreement between IXUP and Customer and applies to the Processing of Personal Data by IXUP and its Sub-processors in connection with the Service. The obligations of the parties in this DPA with respect to the Processing of Personal Data are in addition to those set out in the Agreement.
Capitalised terms used, but not defined, in this DPA have the meanings given to them in the Agreement.
CCPA refers to the California Civil Code sections 1798.100 – 1798.199 (2020), the California Consumer Privacy Act.
Controller means the entity which determines the purposes and means of the Processing of Personal Data.
Customer Personal Data means the Personal Data specified in Schedule 1 (Details of Processing).
Data Subject has the meaning given to such term (or analogous term) in the applicable Privacy Laws.
DPA means this Data Processing Addendum.
Model Clauses means, as relevant, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in the Commission Decision of 5 February 2010, or any equivalent clauses issued by the relevant competent authority of the United Kingdom (UK) in respect of transfers of Personal Data from the UK, in each case as amended, updated or replaced from time to time.
Personal Data has the meaning given to such term (or analogous term) in the applicable Privacy Laws.
Privacy Laws means (a) the General Data Protection Regulation 2016/679 (the GDPR); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (UK DPA), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, and the Privacy and Electronic Communications Regulations 2003; (d) the CCPA; and (e) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of Personal Data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time.
Process, Processed or Processing has the meaning given to such term (or analogous term) in the applicable Privacy Laws.
Processor means the entity which Processes Personal Data on behalf of the Controller.
Processor to Processor Clauses means, as relevant, the standard contractual clauses for the transfer of Personal Data to data processors established in third countries set out in any Commission Decision that supersedes the Commission Decision of 5 February 2010, or any equivalent clauses issued by the relevant competent authority of the UK in respect of transfers of Personal Data from the UK, in each case as in force and as amended, updated or replaced from time to time.
Sub-processor means any third party engaged by IXUP or its Affiliates to Process any Customer Personal Data under the Agreement, including this DPA.
Third Country means (i) in relation to Personal Data transfers from the European Economic Area (EEA), any country outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers from the UK, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
- Customer is the Controller, and IXUP the Processor, of the Customer Personal Data.
- For the purposes of this section 2, “service provider,” “commercial purpose,” “collects,” and “sell” shall have the meanings given to them in the CCPA, and any reference to the “business purpose” shall mean the Service performed under the Agreement.
- IXUP shall act as a service provider for Customer, pursuant to which the parties agree that all Customer Personal Data is disclosed to IXUP for the business purpose and its use or sharing by Customer with IXUP is necessary to perform such business purpose.
- Customer and IXUP agree that the use or sharing of Customer Personal Data by Customer with IXUP is not intended to constitute “selling” of Personal Data.
3.1 Details of processing
- IXUP must Process the Customer Personal Data only as:
- Contemplated by the Agreement;
- Instructed by Customer or End Users provided that such instructions are documented and consistent with the Agreement and applicable Privacy Laws; or
- Required by applicable Privacy Laws.
- Schedule 1 sets out further detail on IXUP’s Processing of the Customer Personal Data.
3.2 Customer instruction
Customer hereby instructs IXUP to Process the Customer Personal Data in accordance with the Agreement, including this DPA.
- The confidentiality obligations in the Agreement apply to the Customer Personal Data.
- IXUP must ensure that its Sub-processors and Personnel who Process the Customer Personal Data are subject to contractual, professional or statutory obligations of confidence.
4.1 Existing Sub-processors
Customer hereby grants IXUP general written authorisation to engage the Sub-processors set out at ixup.com/legal/sub-processor-list to Process the Customer Personal Data on IXUP’s behalf.
4.2 New Sub-processors
- IXUP must update the list of Sub-processors at ixup.com/legal/sub-processor-list at least 30 days prior to the engagement of any new Sub-processor, during which the Customer can object against the appointment or replacement. If Customer does not object, IXUP may proceed with the appointment or replacement.
- If Customer notifies IXUP in writing that Customer objects to the engagement of the new Sub-processor within 30 days of IXUP’s updating the list of Sub-processors under section 4.2(a), then:
- IXUP must use reasonable endeavours to address Customer’s concern; and
- If IXUP is unable to address Customer’s concern within 30 days following the date of Customer’s written objection, Customer may terminate the Agreement (including this DPA) with immediate effect by giving IXUP written notice.
4.3 Sub-processor terms
IXUP must ensure that each Sub-processor:
- Is capable of Processing the Customer Personal Data in accordance with this DPA;
- Only accesses and uses the Customer Personal Data as necessary to perform IXUP’s obligations under the Agreement; and
- Is bound by a written agreement which is no less protective of the Customer Personal Data than the terms of this DPA (including the Model Clauses where applicable).
4.4 Liability for Sub-processors
IXUP remains liable for each act and omission of its Sub-processors in Processing the Customer Personal Data as though it were an act or omission of IXUP.
5 Security of Processing
- IXUP must implement and maintain appropriate technical and organisational security measures to protect the Customer Personal Data as required by the Privacy Laws, as set out in Schedule 2.
- Customer agrees that the measures set out in Schedule 2 are sufficient to meet the technical and organisational security measures required by applicable Privacy Laws.
6 Personal Data transfers
- IXUP hosts the Services from, may transfer the Customer Personal Data to and Process the Customer Personal Data from, servers, infrastructure and premises located in Australia, the United States of America and the United Kingdom (Regions).
- IXUP will not transfer the Customer Personal Data from these Regions except:
- On the documented instructions of Customer; or
- As required by applicable Law, in which case IXUP will to the extent permitted by applicable Law, inform Customer of that legal requirement before transferring the Customer Personal Data.
6.2 Model Clauses
- The Model Clauses apply to Customer Personal Data that is transferred from the EEA, Switzerland or UK to a Third Country, either directly or via onward transfer. For the purposes of the Model Clauses:
- Customer is the “data exporter”;
- IXUP is the “data importer”; and
- Schedules 1 and 2 of this DPA apply for the purposes of Appendices 1 and 2 respectively of the Model Clauses.
- Customer acknowledges and agrees that IXUP may appoint an Affiliate or Sub-processor to Process the Customer Personal Data in a Third Country, in which case either:
- Subject to section 6.2(b)(ii), Customer grants IXUP a mandate to execute the Model Clauses (with the processing details set out in Schedule 1 (Details of processing) and the technical and organisational security measures set out in Schedule 2 (Technical and organisation Security measures) with any relevant subcontractor (including Affiliates) it appoints; or
- To the extent in force from time to time, the IXUP shall execute the Processor to Processor Clauses with any relevant subcontractor (including Affiliates) it appoints on behalf of the Customer, and such Processor to Processor Clauses shall replace any Model Clauses executed between the relevant subcontractor and the Customer pursuant to section 6.2(b)(i) .
- To avoid any doubt, the Model Clauses will not apply to transfers of Customer Personal Data originating from Australia, the USA or any other location outside the EEA, UK and Switzerland.
7 Data Breaches and Data Subject requests
7.1 Data Breaches
In the event of a Data Breach affecting the Customer Personal Data, IXUP must:
- Notify Customer without undue delay of the Data Breach; and
- Otherwise comply with its obligations under clause 6.2 (Data Breaches) of the Agreement to assist Customer to investigate, assess, mitigate, remedy and notify the Data Breach as required by applicable Privacy Laws.
7.2 Data Subject requests
- If IXUP or its Sub-processors receive a request from a Data Subject in respect of the Customer Personal Data under Privacy Laws (including the exercise of Data Subject rights), IXUP must
- Promptly forward the request to Customer; and
- Not, and use best endeavours to procure Sub-processors do not, respond to that request except:
- On the documented instructions of Customer; or
- As required by applicable Law, in which case IXUP will to the extent permitted by applicable Laws, inform Customer of that legal requirement before responding to the request.
- IXUP must (at Customer’s cost) provide information, cooperation and assistance reasonably required by the Customer to enable Customer to comply with obligations which arise as a result of a Data Subject request.
8 Customer obligations
- Customer warrants that:
- Laws applicable to Customer do not prevent IXUP from fulfilling the instructions received from Customer and performing IXUP’s obligations under the Agreement and this DPA; and
- Customer has complied and continues to comply with applicable Privacy Laws, in particular that it has obtained any necessary consents, undertaken all necessary assessments, and given any necessary notices, and otherwise has a legitimate ground to disclose the Customer Personal Data to IXUP and enable the Processing of the Customer Personal Data by IXUP as contemplated by the Agreement and this DPA.
- Customer agrees that it will jointly and severally together with any other Controller of any Customer Personal Data, indemnify and hold harmless IXUP on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by IXUP arising directly or indirectly from a breach of this section 8 or applicable Privacy Laws by Customer.
9 Certifications and Audits
- On Customer’s written request, IXUP must provide such documents and information as may be reasonably necessary to demonstrate its compliance with this DPA, which may include:
- Security certification documents;
- Third party security audit reports,
of IXUP. All such documents and information are the Confidential Information of IXUP for the purposes of clause 7 (Confidentiality) of the Agreement.
- On Customer’s written request and at Customer’s cost, IXUP must provide reasonable information, cooperation and assistance reasonably requested by Customer to carry out mandatory privacy impact assessments under applicable Privacy Laws.
9.2 Customer audits
- Customer must exercise any right it has to conduct an audit of the Processing of the Customer Personal Data (including under the Model Clauses) by instructing IXUP to provide the documents and information referred to in section 9.1.
- If Customer wishes to change the instruction referred to in section 9.1, Customer must notify IXUP in writing. If IXUP declines to follow any instruction requested by Customer regarding an audit, Customer may terminate the Agreement (including the DPA) with immediate effect by providing notice in writing to IXUP.
10 Return and deletion of Customer Personal Data
Upon Customer’s written request or termination of the Agreement, IXUP must destroy or permit Customer to retrieve for a period of up to 30 days all Customer Personal Data that remains in the possession of IXUP or its Sub-processors, subject to section 10.2.
10.2 Retention required by Law
IXUP may retain and continue to Process the Customer Personal Data following Customer’s request or termination of the Agreement or this DPA, only to the extent and for such period as is required by applicable Laws.
11 Changes in Privacy Laws
Customer and IXUP shall negotiate in good faith modifications to this DPA if changes are required for IXUP to continue to Process the Customer Personal Data in compliance with the Privacy Laws or to address the legal interpretation of the Privacy Laws, including (i) to comply with the GDPR or any national legislation implementing it, or the UK General Data Protection Regulation or the UK DPA, and any guidance on the interpretation of any of their respective provisions; (ii) the Processor to Processor Clauses or any other mechanisms or findings of adequacy are invalidated or amended, or (iii) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.
To avoid any doubt, this DPA forms part of the Agreement and clause 11 (Miscellaneous) of the Agreement applies to this DPA accordingly.
In the event of any conflict between the terms of this DPA and the Model Clauses, the terms of the Model Clauses shall prevail to the extent of such inconsistency.
Schedule 1 – Details of Processing
This Schedule 1 includes certain details of the Processing of Customer Personal Data:
1 Subject matter and duration of Processing
For the purpose of performing the Service for Customer for the duration of the Subscription Term.
2 Nature and purpose of the Processing
Collecting, storing, copying, using, otherwise Processing the Personal Data for the purposes set out in section 3:
- Account management;
- Support and maintenance;
- Information and database administration;
- Marketing, market research and Customer engagement;
- Creation of analyses, data science and analytics;
- Risk management and quality control; and
3. Types of Personal Data
Data relevant to the client relationship with an individual:
- Full name and salutation (first, last and middle name, where applicable);
- Personal contact information (for example, phone number, email address, mailing address;
- Business contact information (for example, phone number, email address, fax number, mailing address);
- Technical ID data (such as IP addresses);
- Usage data;
- Photo and avatar; and
4. Data Subjects
Customer, its End Users and other individuals:
- Personnel of Customer;
- Personnel of End Users;
- Individuals who are the subject of Customer Data uploaded to the Service by Customer or End Users; and
- Other individuals who access and use the Service through Customer’s account.
Schedule 2 – Technical and organisational security measures
1 Information Security Program
- All IXUP Services are hosted on Microsoft Azure infrastructure in the Regions (Azure). This allows IXUP to leverage Microsoft’s expertise and investment in physical, network and logical security practices of the leading cloud platform.
- IXUP is designed so that cloud-hosted services are not available to the public internet unless there is a requirement to do so, minimising the ability for malicious third-parties to access those services.
- Separate Azure environments are used for development, test and production systems.
- Access to the Azure environments is strictly limited to personnel of IXUP and its Sub-Processors who must have access and all access to protected by Multi-Factor Authentication (MFA). Direct access to systems is not possible by other than super-users.
- IXUP conducts reviews with Azure Solution Architects to validate any significant architectural change to ensure we are meeting best practice for, in particular, security, scalability and performance of the IXUP applications on the Azure platform.
2 Physical Security
Access to all IXUP premises requires an individually coded electronic identification device to enter. These premises are protected by an alarm system as well as an additional external security door that is locked afterhours.
3 Logical Security
- IXUP follows secure application development practices aligned with industry standards including the OWASP Top 10 and use static code analysis tools such as HP Fortify to track adherence.
- All data transfers between the Customer and IXUP are encrypted and data is encrypted at-rest in the database.