Definitions. Capitalized terms used but not defined in this DPA have the meanings given in the Agreement. In this DPA, unless stated otherwise:
“Affiliate” means any entity controlling, controlled by, or under common control with a Party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or © the power to exercise a controlling influence over the management or policies of the entity.
“Agreement” means the Services Agreement entered into between the Supplier and the Customer for the provision of Services by the Supplier to Customer.
“Agreed Liability Cap” means the maximum monetary or payment-based amount at which a Party’s liability is capped under the Agreement, either per annual period or event giving rise to liability, as applicable.
“Customer Data” means data submitted, stored, sent or received via the Services by Customer, its Affiliates or End Users. Customer Data may also include Personal Data sent or otherwise made available by Customer to Supplier and/or Supplier’s Affiliates where Customer uses Supplier Affiliates Solutions. “Customer Personal Data” means Personal Data contained within the Customer Data, as described in Appendix 1.
“Data Incident” means a breach of Supplier’s security measures leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data on systems managed by or otherwise controlled by Supplier. “Data Incidents” will not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
“Effective Date” means the date on which Customer and Supplier agreed to this DPA, and is the Agreement Effective Date.
“EEA” means the European Economic Area.
“End User” means natural persons authorized by Customer to access or use the Services, including Customer and Customer’s Affiliate personnel, employee, agent or contractor.
“Data Protection Legislation” means, as applicable: (a) the GDPR; and/or (b) the Federal Data Protection Act of 19 June 1992 (Switzerland) as well as any data protection laws substantially amending, replacing or superseding the GDPR, the Federal Data Protection Act of Switzerland and/or other applicable European Union Member state domestic data protection or national/federal or state/provincial privacy legislation in force, including where applicable, statutes, decisions, guidelines, guidance notes, codes of practice, codes of conduct and data protection certification mechanisms issued from time to time by competent court or Supervisory Authority, relating to the Processing of personal data and privacy.
“GDPR” means Regulation (EU) 2016⁄679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
“Model Contract Clauses” or “MCCs” means the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as approved by the European Commission in Decision 2010/87/EU, as amended, replaced or superseded by any set of clauses approved by the European Commission.
“Non-European Data Protection Legislation” means any national/federal or state/provincial/emirate data protection or privacy legislation, other than the Data Protection Legislation.
“Notification Email Address(es)” means the email address(es) designated by Customer to receive certain notifications from Supplier.
“Supplier’s Systems” means the computing and storage infrastructure contracted by Supplier to run the Services and to store the Customer Data. For the avoidance of doubt, Supplier’s Systems do not include Third-Party Service Provider Solution used by Customer and contracted by Customer, nor any of the Third Party Offerings.
“Restricted Transfer” means (a) a transfer of Customer Personal Data from Customer to Supplier or Subprocessor, or (b) an onward transfer of Customer Personal Data from Supplier or Subprocessor to (or between two establishments of) Supplier or Subprocessor, in each case, being a transfer to a country outside the EEA, where such transfer would be prohibited by European Data Protection Legislation in the absence of Model Contract Clauses or other legal instruments required by European Data Protection Legislation.
“Subprocessor(s)” means third parties authorized by Processor under this DPA to have logical access to and process Customer Data on behalf of Customer in order to provide parts of the Services and related technical support, including Supplier’s Affiliates.
“Security Measures” has the meaning given in Section 13 (Supplier Security Measures).
“Services” means the services that have been purchased by the Customer pursuant to the Agreement and any applicable Order Form, including any update or replacement thereof and technical support provided by Supplier to Customer from time to time. The Services do not include (i) Supplier Affiliates Solution that may have been separately licensed by Customer, (ii) any Third Party Offerings that may have been separately licensed by Customer, nor (iii) the Third-Party Service Provider Solution used by Customer.
“Supplier Affiliates Solution” means any solution of software provided by one or more Supplier’s Affiliates, which supplements and/or are necessary to provide the Services performed by Supplier, that have either been (i) licensed by Customer from a Supplier’s Affiliate or (ii) licensed by Customer from Supplier.
The terms “Personal Data”, “Data Subject”, “Processing”, “Data Controller”, “Data Processor” and “Supervisory Authority” as used in this DPA have the meanings given to them in the GDPR, and the terms “Data Importer” and “Data Exporter” have the meanings given to them in the Model Contract Clauses, in each case irrespective of whether the European Data Protection Legislation or Non-European Data Protection Legislation applies.
“Term” means the period from the Agreement Effective Date until the end of Supplier’s provision of the Services to Customer under the Agreement, including, if applicable, any period during which provision of the Services may be suspended and any post-termination period during which Supplier may continue providing the Services to Customer for transitional purposes.
“Third-Party Service Provider Solution” means any solution or software on which all or part of the Services are performed by the Supplier, that have been separately licensed by Customer, as the case may be, from an unaffiliated Third-Party Service Provider. Third Party Service Providers Solutions may notably includeGoogle, Microsoft and/or Facebook solutions or software.
“Terms Effective Date” means the date on which Customer accepted, or the parties otherwise agreed to, these Terms.
Appendix 1 - Customer Personal Data Processing Details
|**Subject Matter**||Supplier’s provision of the Services and related technical support to Customer.|
|**Categories of Data Subjects** Categories of Data Subjects whose Personal Data will be Processed by Service Provider||Data Subjects whose Personal Data is provided to Supplier via the Services, by (or at the direction of) Customer or by End Users, including (a) End Users (including Data Controller’s employees and contractors); (b) Data Controller’s own customers, suppliers and subcontractors (and each of their personnel); (c) persons whose Personal Data is collected (including government officials, contractors, external experts, healthcare professionals, collaborators and research subjects); and (d) any other person whose data is processed via services, including third party services to which Customer grants access to Supplier, and including individuals collaborating and communicating with End Users.|
|**Categories of data** Personal Data that will be Processed by Supplier||Personal Data that will be Processed by Supplier includes data submitted, stored, sent or received by Customer, its Affiliates or End Users via services, including third party services to which Customer grants access to Supplier, and may include the following categories of data: user IDs, first and last names, work contact details, location data, gender or title, age or date of birth, event attendance, emails, textual information used in document and document titles, description and other metadata, text and images to be displayed by such services, audit log information, system log information.|
|**Location of Processing Operations** Locations where the personal data will be Processed by Supplier||Personal Data submitted, stored, sent or received by Customer, its Affiliates or End Users via the Services may be processed at Supplier’s locations situated at: * 6 rue Beaubourg, 75004 Paris, France * 650 California Street, San Francisco, CA 94108, USA * 3280 Peachtree Road NE, 7th Floor Atlanta, GA 30305, USA * Via Giosue’ Carducci 125/A, 20099 Sesto San Giovanni, Milan, Italy|
|**Purposes** Purposes for which the Personal Data will be Processed by Supplier||Supplier will process Customer Personal Data identified above for the purposes of providing the Services and related technical support to Customer in accordance with this DPA.|
|**Duration of processing** The length of time for which Processing activities will be carried out Supplier||The applicable Term plus the period from expiry of such Term until deletion of all Customer Personal Data by Supplier in accordance with this DPA.|
Appendix 2 - Security Measures
Appendix 3 - Subprocessors
Supplier uses the following Subprocessors for the performance of the Services:
|**Entity name**||**Corporate location**|