This Data Processing Addendum ("DPA") between Angad Corp. d/b/a WorkSpan ("WorkSpan") and Customer is incorporated into and made part of the WorkSpan User Agreement ("Agreement") between Customer and WorkSpan ("Customer" may refer to "User" or "You" as defined in theAgreement). The Parties agree that this DPA sets forth their obligations with respect to the Processing of Personal Data in connection with Customer’s use of Services. This DPA will remain in effect until, and automatically expire upon, the date on which WorkSpan ceases to process Personal Data. Capitalized terms used, but not defined in this DPA have the meanings given to them in the Agreement.
Capitalized terms not defined herein shall have the meaning ascribed tothem in the applicable Agreement.
1.1. "Authorized Partner" means any of Customer's authorized partner(s) or affiliate(s) are permitted to use the services.
pursuant to the Agreement and Order Form(s) between Customer customer and WorkSpan.
1.2. "Business" has the meaning set forth in Section1798.140(c) of the CCPA.
1.3. "Business Purpose" as the meaning set forth in Section1798.140(d) of the CCPA.
1.4. "CCPA" means the California Consumer Privacy Act, Cal.Civ. Code § 1798.100 et seq., and its implementing regulations.
1.5. "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
1.6. "Customer Personal Data" means Personal Data Processed by WorkSpan on behalf of Customer in its performance of Services under the Agreement.
1.7. "Data Protection Laws and Regulations" means all laws and regulations, including applicable to the Processing of Customer Personal Data under the Agreement, including the CCPA and the GDPR.
1.8. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
1.9. "GDPR" means: (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament; and (ii) the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR");
1.10. "Personal Data" shall have the meaning assigned to the terms "personal data" or "personal information" under applicable Data Protection Laws and Regulations.
1.11. "Processing" means any operation or set of operations is performed on Personal Data or on sets of personal data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure or destruction.
1.12. "Processor" means the entity which Processes Personal Data on behalf of the Controller.
1.13. "Sell" has the meaning set forth in Section 1798.140(t) of the CCPA.
1.14. "Service Provider" has the meaning set forth in Section 1798.140(v) of the CCPA.
1.15. "Standard Contractual Clauses" or "SCCs" means: (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European
Parliament and of the Council; and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR.
1.16. "Sub-processor" means any third party that Processes Personal Data on behalf of WorkSpan, in accordance with Section 5 (Sub-processors) of this DPA.
1.17. "Supervisory Authority" means an independent publica uthority which is established by an EU Member State pursuant to the GDPR.
1.18. "WorkSpan" means WorkSpan and its affiliates.
2. PROCESSING OF CUSTOMER PERSONAL DATA; CUSTOMER’S AUTHORIZED PARTNERS
2.1 Roles of the Parties. (A) Where Customer shares Personal Data relating to Data Subjects, WorkSpan shall be serving as the Processor of such Personal Data. (B) Where WorkSpan directly receives Personal Data from third party sources or Data Subjects, WorkSpan shall be considered a Controller with respect to such data. (C) Any Processing of that Personal Data by each party must be in accordance with DataProtection Laws and Regulations.
2.2 Customer’s Processing of Customer Personal Data. Customer acknowledges that it has sole control over: (i) the DPA version 20220830 1 process of obtaining Personal Data from Data Subjects and all necessary consents for such Personal Data; (ii) the categories of Data Subjects and Personal Data to be Processed; and (iii) the accuracy, quality, and legality of the Personal Data and the means by which it was acquired. Customer customer expressly acknowledges that its use of the Services will not violate the rights of any Data Subject that has opted-out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA. Customer is solely responsible for how it decides to utilize WorkSpan’s Services and Processing of Personal Data.
2.3 WorkSpan’s Processing of Customer Personal Data. WorkSpan shall only Process Customer Personal Data for: (i) Processing in accordance with the Agreement and applicable Order Form;(ii) Processing initiated by Customer in its use of the Services; and (iii) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and this DPA.
2.4 Details of the Processing. The duration of the processing, the nature and purpose of the Processing, the types of
Customer Personal Data and categories of Data Subjects Processed underthis DPA are further specified in Schedule 2 (Details of the Processing) to this DPA.
2.5 Authorized Partners.The parties acknowledge and agree that, by executing the Agreement, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Partners, thereby establishing a separate DPA between WorkSpan and each such Authorized Partner subject to the provisions of the Agreement and this DPA. Each Authorized Partner agrees to be bound by the obligations set forth inthis DPA and, to the extent applicable, the Agreement. For the avoidance of doubt, an Authorized Partner is not and does not become a party to the Agreement and is only a party to the DPA. All access to and use of the Services by Authorized Partners must comply with the terms and conditions of the Agreement and any violation of the terms and conditions of the Agreement by an Authorized Partner shall be deemed a violation by Customer. The Customer that is the contracting party to the Agreement shall remain responsible for coordinating all communication with WorkSpan under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Partners. Where an Authorized Partner becomes a party to the DPA with WorkSpan, it shall, to the extent required under applicable Data Protection Laws and Regulations be entitled to exercise the rights and seek remedies under this DPA, subject to the following:
(i) Except where applicable Data Protection Laws and Regulations require the Authorized Partner to exercise a right or seek any remedy under this DPA against WorkSpan directly by itself, the parties agree that (i) solely The Customer that is the contracting party to the Agreement shall exercise any such right or seek any such remedy on behalf of the Authorized Partner, and (ii) the Customer that is the contracting party to the Agreement shall exercise any such rights under this DPA not separately for each Authorized Partner individually but in a combined manner for all of its Authorized Partners together.
(ii) The parties agree that the Customer that is the contracting party to the Agreement shall, when carrying out an on-site audit of the procedures relevant to the protection of Customer Personal Data, take all reasonable measures to limit any impact on WorkSpan by combining, to the extent reasonably possible, several audit requests carried out on behalf of different Authorized Partners in one single audit.
3. RIGHTS OF DATA SUBJECTS
3.1 Data Subject Request. WorkSpan shall, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject to exercise their rights in Customer Personal Data under Data Protection Laws and Regulations ("Data Subject Request"). WorkSpan shall not respond to a Data Subject Request without Customer’s prior written consent except to confirm that such request relates to the customer. Taking into account the nature of the Processing, WorkSpan shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, WorkSpan shall upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent WorkSpan is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs and expenses arising from WorkSpan’s provision of such assistance.
4. WORKSPAN PERSONNEL WorkSpan shall thoroughly inform all WorkSpan personnel of their obligations of confidentiality under the Agreement, this DPA, and Data Protection Laws and Regulations. WorkSpan shall provide detailed training to all WorkSpan personnel on the confidential nature of Customer Personal Data. Such trainings shall include explanation of their duties and responsibilities. WorkSpan shall be responsible for entering into written non-disclosure agreements with WorkSpan personnel who have obligations of confidentiality intended to survive the termination of employment of WorkSpan personnel. Access to Customer Personal Data, if any, is limited to WorkSpan’s personnel who require such access for the purpose of Processing Customer Personal Data on behalf of the customer.
Customer expressly authorizes WorkSpan to utilize Sub-processors to enable WorkSpan to perform its obligations under the Agreement. WorkSpan shall enter into separate written agreements with each Sub-processor that are consistent with those set forth in this DPA. WorkSpan shall be responsible for each Sub-processor’s compliance with this DPA. A current list of WorkSpan’s Sub-processors is available at https://www.workspan.com/gdpr-subprocessors. CUSTOMER’S EXECUTION OF THE AGREEMENT OR THIS DPA CONSTITUTES CUSTOMER’SWRITTEN CONSENT AND AUTHORIZATION FOR WORKSPAN TO ENGAGE THE SUB-PROCESSORSNAMED ON THE SUB-PROCESSOR LIST. WorkSpan may update the Sub-processor list from time to time. Customer may object to the use of a new Sub-processor in writing within ten (10) days of such an update on the website on reasonable grounds relating to the protection of Personal Data. IF CUSTOMER DOES NOT OBJECT IN WRITING TO A NOTICE OF NEW SUB-PROCESSOR PRIOR TO THE EXPIRATION OF THE APPLICABLE OBJECTIONPERIOD, THEN CUSTOMER WILL BE DEEMED TO HAVE AUTHORIZED WORKSPAN’S ENGAGEMENT OF THE NEW SUB-PROCESSOR AS SET FORTH IN SUCH NOTICE OF NEW SUB-PROCESSOR. WorkSpanshall work with Customer in good faith to make available a commercially reasonable change to Customer’s use of the Products that avoids the use of that proposed Sub-processor. Where such a change cannot be implemented within thirty (30) days from WorkSpan’s receipt of Customer’s objection ("Reassessment Period"), Customer may terminate the Agreement by providing written notice of termination. This termination right isCustomer’s sole and exclusive remedy to Customer’s objection to WorkSpan’s engagement of a new Sub-processor.
6.1 Controls for the Protection of Customer Personal Data. Customermaintains ownership of and control over all Customer Personal Data. Customer grants limited rights to Process Customer Personal Data within the Customer account but Customer maintains full control and authority of all Processed Customer Personal Data. WorkSpan shall maintain technical and organizational measures appropriate to the risk associated with the Processing designed to protect Customer Personal Data (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Personal Data) within WorkSpan’s reasonable control.
6.2 Third-Party Certifications and Audits. Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement, WorkSpan shall make available to Customer that is not a competitor of WorkSpan (or Customer’s independent, third-party auditor that is not a competitor of WorkSpan) a copy of WorkSpan’s then most recent third-party audits or certifications, as applicable.
7. SECURITY INCIDENT MANAGEMENT AND NOTIFICATION
WorkSpan shall, unless instructed otherwise by law enforcement, notify the customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Customer Personal Data, transmitted, stored or otherwise processed by WorkSpan or its Sub-processors of which WorkSpan becomes aware (a "Security Incident"). The parties shall cooperate in good faith to help limit the effects of such Security Incident and prevent a recurrence. WorkSpan's notification of or response to a Security Incident will not be construed as an acknowledgement by WorkSpan of any fault or liability with respect to the Security Incident. WorkSpan shall make reasonable efforts to identify the cause of such Security Incident and take those steps as WorkSpan deems necessary and reasonable in order to remediate the cause of such a Security Incident to the extent the remediation is within WorkSpan’s reasonable control. The obligations herein shall not apply to Security Incidents that are attributable to Customer or Customer’s users.
8. RETURN OR DELETION OF CUSTOMER PERSONAL DATA
Upon request following termination or expiration of the Agreement, and at the choice of Customer, WorkSpan shall (i) return any Customer Personal Data in its possession or control to Customer; or (ii) to the extent allowed by applicable law, delete Customer Personal Data and existing copies of Customer Personal Data in its possession or control. If WorkSpan is required to copies of Customer Personal Data under applicable laws, WorkSpan will isolate, keep confidential, and protect that Customer Personal Data from any further Processing except to the extent required by applicable laws. Analytics. Customer acknowledges and agrees that WorkSpan may create and derive anonymized and/or aggregated data from Processing related to the Services that does not identify Customer or any Data Subject, and use, publicize, or share with third parties such data to improve the Services and for its legitimate business purposes.
9. LIMITATION OF LIABILITY
Each party’s and all of its affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its affiliates under the Agreement. For the avoidance of doubt, WorkSpan's total liability for all claims from the Customer and all of its Authorized Partners arising out of or related to the Agreement and each DPA shall apply in the aggregate for all claims under both the Agreement and all DPAs established under this Agreement, including by the Customer and all Authorized Partners, and, in particular, shall not be understood to apply individually and severally to the Customer and/or to any Authorized Partner that is a contractual party to any such DPA. Each reference to the DPA in this DPA means this DPA including its Schedules and Appendices.
10. CALIFORNIA PROVISIONS
10.1 CCPA. This Section applies to WorkSpan Processing of Customer Personal Data that is subject to the CCPA.
10.2 Permitted Use. WorkSpan shall not retain, use or disclose Customer Personal Data for any purpose other than for the specific purpose of performing the Services specified in the Agreement,or as otherwise permitted by the CCPA, including retaining, using, or disclosing the Customer Personal Data fora commercial purpose other than providing the Services specified in the Agreement. WorkSpan may retain, use, or disclose Personal Data obtained in the course of providing the Services: (1) to retain and employ another Service Provider as a subcontractor, where the subcontractor meets the requirements for a Service Provider under theCCPA; (2) for internal use by WorkSpan to build or improve the quality of its services, (3) to detect data security incidents, or protect against fraudulent or illegal activity; (4) to comply with federal, state, or local laws; (5) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (6) to cooperate with law enforcement agencies concerning conduct or activity that WorkSpan reasonably and in good faith believes may violate federal, state, or local law; or (7) to exercise or defend legal claims.
10.3 Selling Prohibited. WorkSpan shall not sell Customer Personal Dataas the term "sell" as defined by the CCPA.
11. EUROPEAN PROVISIONS
11.1 GDPR. This Section applies to WorkSpan Processing of Customer Personal Data that is subject to the GDPR.
11.2 Data Privacy Impact Assessment. Upon Customer’s request, WorkSpan shall provide Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data privacy impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to WorkSpan. WorkSpan shall provide reasonable assistance to Customer in cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section of this DPA, to the extent required under the GDPR.
11.3 Transfer mechanisms for data transfers. Subject to the additional terms in Schedule 1, for any transfers of Customer Personal Data under this DPA from the European Union, the EuropeanEconomic Area and/or their member states and the United Kingdom to countries which do not ensure an adequate level ofdata protection within the meaning of Data Protection Laws and Regulations of the foregoing territories, to the extent such transfers are subject to such Data Protection Laws and Regulations, the SCC’s apply to the Services listed in Appendix 1 to the Standard Contractual Clauses, subject to the additional terms in Schedule 1. To the extent applicable, the SCC’s are hereby incorporated by reference provided that Appendices 1 and 2 of the Standard Contractual Clauses are set forth below and attached to this Addendum.
12. LEGAL EFFECT
This DPA will become legally binding upon the effective date of the Agreement or upon the date that the parties sign this
DPA if it is completed after the effective date of the Agreement.
List of Schedules and Appendices
Schedule 1: Transfer Mechanisms for European Data Transfers
Schedule 2: Details of the Processing
Appendix 1 to the Standard Contractual Clauses
Appendix 2 to the Standard Contractual Clauses
SCHEDULE 1 - TRANSFER MECHANISMS FOR EUROPEAN DATA TRANSFERS
1. ADDITIONAL TERMS FOR STANDARD CONTRACTUAL CLAUSES
1.1. Entities covered by the Standard Contractual Clauses. The Standard Contractual Clauses and the additional terms specified in this this Schedule apply to (i) the legal entity that is party the Standard Contractual Clauses as a data exporter and its Authorized Partners and, (ii) all Authorized Partners of Customer established within the European Economic Area and/or the United Kingdom,which use the Services to Process Customer Personal Data. For the purpose of the Standard Contractual Clauses and this Schedule, the aforementioned entities shall be deemed "data exporters.".
1.2. Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement to WorkSpan for the Processing of Customer Personal Data. Any additional or alternate instructions must be agreed upon separately. For the purposes of Clause 5(a) of the Standard Contractual Clauses, the following is deemed an instruction by the Customer to process Customer Personal Data: (a) Processing in accordance with the Agreement and applicable Order Form(s); (b) Processing initiated byCustomer in its use of the Services; and (c) Processing to comply with other reasonable documented instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the agreement. 1.3. Appointment of new Sub-processors and List of current Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that (a) WorkSpan’s affiliates may be retained as Subprocessors; and (b) WorkSpan and WorkSpan’s affiliates, respectively, may engage third-party Sub-processors in connection with the provision of the Services. WorkSpan shall make available to Customer the current list of Sub-processors in accordance with the DPA.
1.4. Notification of New Sub-processors and Objection Right for New Sub-processors. Pursuant to Clause 5(h) of the Standard Contractual Clauses, Customer acknowledges and expressly agrees that WorkSpan may engage new Subprocessors as described in the DPA.
1.5. Copies of Sub-processor Agreements. The parties agree that the copies of the Sub-processor agreements that must be provided by WorkSpan to Customer pursuant to Clause 5(j) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by WorkSpan beforehand; and, that such copies will be provided by WorkSpan,in a manner to be determined in its discretion, only upon reasonable request by Customer.
1.6. Audits and Certifications. The parties agree that the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be carried out in accordance with the following specifications:
Upon Customer’s request, and subject to the confidentiality obligations set forth in the Agreement, WorkSpan shall make available to Customer that is not a competitor of WorkSpan (or Customer’s independent, third-party auditor that is not a competitor of WorkSpan) information regarding the WorkSpan’s compliance with the obligations set forth in this DPA in the form of the third-party certifications and audits to the extent WorkSpan makes them generally available to its customers. Customer may contact WorkSpan in accordance with the "Notices" Section of the Agreement to request an on-site audit of the policies and procedures relevant to the protection Customer Personal Data. Any audit must be conducted: (i) during WorkSpan’ regular business hours; (ii) with reasonable advance notice to WorkSpan; (iii) in a manner that prevents unnecessary disruption to WorkSpan’ operations; and (iv) subject to reasonable confidentiality procedures. In addition, audits shall be limited to once per year, unless an audit is carried out at the direction of a Supervisory authority.Customer shall reimburse WorkSpan for any time expended for any such on-site audit at the WorkSpan’s then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and WorkSpan shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. Customer shall promptly notify WorkSpan with information regarding any non-compliance discovered during the course of an audit.
1.7. Certification of Deletion. The parties agree that the certification of deletion of Customer Personal Data that is described in Clause 12(1) of the Standard Contractual Clauses shall be provided by WorkSpan to Customer only upon Customer’s request.
SCHEDULE 2 - DETAILS OF THE PROCESSING
1. Nature and Purpose of Processing - WorkSpan will Process Customer Personal Data as necessary to perform theServices pursuant to the Agreement, and as further instructed by Customer in its use of the Services.
2. Duration of Processing - WorkSpan will Process Customer Personal Data for the duration of theAgreement, unless otherwise agreed upon in writing.
3. Categories of Data Subjects - For usage of the Services, the Customer will provide Customer PersonalData pertaining to its employees and any other users authorized by Customer to access the Services. Customer shall be theController (or "data exporter") of the Personal Data for the Data Subjects listed below, except for those data types set forthunder Section 4 below. WorkSpan shall be the Processor (or "data importer") of the Personal Data.
Customer may submit Personal Data to the Services, the extent of whichis determined and controlled by Customer in its sole discretion, and which may include, but is not limited toPersonal Data relating to the following categories of data subjects:
Prospects, customers, business partners and vendors of Customer (who arenatural persons)
Employees or contact persons of Customer’s prospects, customers,business partners and vendors
Customer’s Users authorized by Customer to use the Services
4. Type of Personal Data - For usage of the Services, the Customer will provide the followingCustomer Personal Data elements: Information received directly from users of WorkSpan, including withoutlimitation the following:
- First and last name
- Email address
- Telephone number
- Profile picture
- IP Address
WorkSpan shall be the Controller (or “data exporter”) of the Personal Data listed above.
The personal data transferred concern the following special categories of data: None. Processing operations The personal data transferred will be subject to the following basic processing activities: The objective of Processing of Customer Personal Data by data importer is the performance of the Services pursuant to the Agreement, which includes the collection, organization, structuring, storage, retrieval, consultation, use, disclosure by transmissions, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the Personal Data.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses and must be completed and signed by the parties
Description of the technical and organizational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
WorkSpan has an information security program aligned with security industry accepted good practices, frameworks, and standards for the protection of data, including Personal Data, and has implemented and maintains physical, technical and organizational measures and safeguards to help protect the security andconfidentiality of data against unauthorized or accidental access to, or processing, disclosure, destruction, damage or loss. The performance of the security program is measured and continuous monitoring is performed for conformance to the requirements outlined in the information security policies. Testing and assessments are periodically performed to measurethe effectiveness of security controls, and identify areas of improvement. Sensitive data including Personal Data isencrypted and access is restricted based upon a reasonable required business need and monitored. Changes are assessed for security impact and must be approved prior to implementation. Without limiting the foregoing, such measures aresufficient to satisfy Article 32 of GDPR.