Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Master Subscription Agreement or other written or electronic agreement (“MSA”) between Panaya and Customer for the purchase of the Panaya Services (as defined in the MSA and hereinafter defined as “Services”) to reflect the parties’ agreement with regard to the Processing of Personal Data.

All capitalized terms not defined herein shall have the meaning set forth in the MSA.

  1. Definitions:

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data.

“Customer Data” means as defined in the MSA.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Processor” means the entity which Processes Personal Data on behalf of the Controller.

  2. In the course of providing the Services to Customer pursuant to the MSA, Panaya may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
  3. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, Panaya is the Processor.
  4. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of the Applicable Data Protection Legislation. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with the Applicable Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
  5. Panaya shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with Customer’s instructions for the following purposes: (i) to anonymously aggregate, publish or otherwise make known performance benchmarks or other data metrics about the use of the Services, all in accordance with the MSA; and (ii) as reasonably required for proper performance by Panaya of its obligations.
  6. Where Personal Data is Processed by Panaya, its agents, sub-contractors or employees under or in connection with the MSA, Panaya shall take reasonable steps to ensure that all of its employees, agents and sub-contractors who may have access to the Personal Data:

6.1. Are informed of the confidential nature of the Personal Data; and

6.2. Are subject to confidentiality undertakings or professional or statutory obligations of confidentiality that apply with respect to the Processing of such Personal Data.

  7. Co‑operate as reasonably requested by the Customer, to the extent necessary to enable the Customer to comply with any exercise of rights by a Data Subject under the Data Protection Legislation in respect of Personal Data Processed by Panaya under the MSA or comply with any assessment, enquiry, notice or investigation under the Data Protection Legislation, including by any regulator, subject to reasonable advance notice and without prejudice to Panaya’s right to charge the Customer any reasonable costs for such assistance.

Panaya shall, to the extent legally permitted, promptly notify Customer if Panaya receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Panaya shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under the Applicable Data Protection Legislation. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Panaya shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Panaya is legally permitted to do so and the response to such Data Subject Request is required under the Applicable Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Panaya’s provision of such assistance.

  8. Panaya shall only authorize sub-contractors to Process the Personal Data (“Sub-Processor”), subject to:
  • informing the Customer of the identity of the proposed Sub-Processor beforehand; and
  • including terms in the contract between Panaya and the Sub-Processor which are substantially the same as those set out in this DPA to the extent applicable to the nature of the Services provided by the Sub-Processor; and
  • Panaya remaining fully liable to the Customer, in accordance with the terms of the MSA relating to liability, for any failure by a Sub-Processor to fulfil its obligations in relation to the Processing of any Personal Data to the same extent Panaya would be liable if performing the services of the Sub-Processor directly under the terms of this DPA.

Notwithstanding the above, Customer hereby acknowledges and agrees that: (a) Panaya’s affiliates may be retained as Sub-Processors; and (b) Panaya stores and processes the Customer Data, including the Personal Data, within a third-party hosting service (which is currently the AWS cloud).

  9. Panaya shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth in the MSA, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures include protection such as encryption for communication and user authentication to prevent unauthorized user access or other malicious activities. In addition, Panaya limits access to its databases, keeping a clear separation between the off-line servers where Your Customer Data is analyzed, and the on-line, on-demand servers where processed impact analysis results are stored. While such tools and procedures reduce the risk of security breaches, they do not provide absolute security, and Panaya cannot guarantee that the Services will be immune from any unlawful interceptions or unauthorized access.
  10. Panaya will notify the Customer without undue delay upon becoming aware of a Personal Data Breach, and otherwise assist the Customer, taking into account the nature of Processing and the information available to Panaya in meeting its obligations regarding the notification, investigation, mitigation and remediation of a Personal Data Breach under the Data Protection Legislation, without prejudice to Panaya’s right to charge the Customer any reasonable costs for such assistance. The obligations herein shall not apply where statutory guidance indicates that a Personal Data Breach is not required to be notified by a Processor to a Controller and to incidents that are caused by Customer or Customer’s users.
  11. Panaya shall cease Processing the Personal Data upon the termination or expiry of the MSA or, if sooner, the Service to which it relates and, at the Customer’s option, either return or delete the Personal Data and any copies of it or of the information it contains, without prejudice to any EU legal obligations for Panaya to store or archive such Personal Data.
  12. Upon request, Panaya shall make available to the Customer all information necessary to demonstrate compliance with its obligations under this DPA and allow for audits conducted by the Customer.
  13. Each party’s, taken together in the aggregate, arising out of or related to this DPA, is subject to the ‘Limitation of Liability’ section of the MSA. For the avoidance of doubt, Panaya’s total liability for all claims from the Customer arising out of or related to the MSA and this DPA shall apply in the aggregate for all claims under both the MSA and this DPAs established under the MSA, and, in particular, shall not be understood to apply individually and severally.
  14. If there is new guidance or a change in the Data Protection Legislation or case law that renders all or part of the Services illegal, Panaya may terminate the MSA