Data Processing Agreement
Between the Customer and Pickit
Last updated August 12, 2021
This Data Processing Agreement (the “DPA”) is entered into between:
(1) Customer (“Controller”); and
(2) PicHit.me Inc (“Processor”), a Delaware Corporation
Each of Controller and Processor is referred to as a “Party” and jointly as the “Parties”.
1. Background
1.1 The Parties have entered into an enterprise agreement (the “Agreement”), under which Controller has contracted Processor in order to use the Pickit Business Service in its business operations, which forms the subject matter of the processing of personal data under this Agreement.
1.2 Pickit’s service is a SaaS solution providing content (images) in MS Office 365 through an Add-in (the “Pickit Business Service”), rendering Controller the data controller, whilst Pickit qualifies as data processor under the applicable data protection laws. In light of the above, Processor and Controller have agreed on the following terms and conditions set out in this DPA (including the Schedules) concerning the processing of personal data under this DPA.
1.3 This DPA shall supersede any prior agreements, arrangements and understandings between the parties and constitutes the entire agreement between the parties relating to the subject matter hereof. In case of conflict between the Agreement and the DPA including the Schedules, this DPA shall take precedence.
2. Processor’s obligations
2.1 Processor shall to the extent any personal data is processed by Processor on behalf of Controller under the Agreement:
(i) only process personal data in accordance with Controller’s documented instructions specified in Schedule 1 of this DPA, unless required to do so under applicable law to which the Processor is subject. Processor shall in such case inform Controller of such legal obligation unless prohibited by law. Processor shall immediately inform Controller if the Controller’s documented instructions, in the Processor’s opinion, infringe applicable laws, rules and regulations. Such information shall not be considered as legal advice provided by Processor;
(ii) ensure that the employees, agents, sub-contractors or other third parties that are authorized to process personal data are subject to an obligation of confidentiality with regard to the personal data. Processor is only allowed to disclose personal data to third parties if Controller has given its written consent or if it is required by applicable law;
(iii) hereby be given a general authorization to engage other processors (“Sub-processors”) for the processing of personal data on behalf of Controller. Where Processor engages a Sub-processor under this clause, Processor undertakes to ensure that the contract entered into between Processor and any Sub-processor shall impose, as a minimum, data protection obligations not less stringent than those set out in this DPA. Processor shall notify Controller of any intended changes concerning the addition or replacement of Sub-processors, to which the Controller may object. If Controller has made no such objection within ten (10) days from the date of receipt of the notification, Controller is assumed to have made no objection;
(v) have the right to cure an objection from Controller as described in (iii) above, upon mutual agreement. If no corrective option is reasonably available and the objection has not been cured within thirty (30) days after receiving the objection, either Party may terminate the affected Pickit Business Service or the Agreement with reasonable written notice;
(vi)
(viii) on termination or expiration of the Agreement or on instruction from Controller, upon written request and at Controller’s choice, return or delete all personal data processed under the Agreement at Controller’s cost, unless Processor is required to retain the personal data by applicable laws, rules and regulations. Controller must make such written request within thirty (30) days from the Agreement’s termination or expiration; and
(ix) upon Controller’s request and at the cost of Controller, make available all information necessary to demonstrate Processor’s compliance with the obligations in this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller and accepted by Processor. Processor shall not unreasonably withhold its acceptance. The audit shall be carried out at most once (1) per calendar year, and a written notice shall be sent to the Processor with a notice period of at least sixty (60) days before the audit commences. The audit shall be conducted during Processor’s normal working hours without disturbance to the normal operations of Processor.
3. Limitation of liability and Indemnification
3.1 The Processor’s aggregate liability for breach of personal data obligations set forth in the Agreement, DPA or applicable data protection law shall be governed by the limitation of liability in the Agreement. This includes, for example, claims from data subjects and administrative penalties or fines imposed on the Processor by relevant courts or data protection authorities.
3.2 Notwithstanding what is stated in the Agreement, DPA or applicable data protection law, the Controller shall hold harmless the Processor from all liability, if such liability arises as a result of the Controller’s breach of the Agreement, DPA or applicable data protection law or if the Controller’s instructions are in breach of the Agreement, DPA or applicable data protection law.
4. Governing Law and Disputes
4.1 This DPA shall be governed in accordance with the laws of the state of California, with the exclusion of its conflict of laws rules.
4.2 Any dispute, controversy or claim arising out of or in connection with this Agreement, or the breach, termination or invalidity thereof, shall be governed by the laws of the State of California.
Schedule 1 – Controller’s instructions
The following are instructions from the Controller to the Processor for the processing of personal data covered by this DPA.
Processing activities: Collecting, registering and storing
Categories of personal data: • username • password • email address • company postal & invoicing address • invoicing e-mail • postal code • country
Categories of data subjects: Image Bank Owner; Image Bank Admin; Image Bank Users
Retention periods:
Data Protection Officer: The data privacy officer can be reached at privacy@pickit.com
Schedule 2 – Sub-processors
Sub-processor | Third country | Security measures
Sendgrid | USA | SCC
Hubspot | USA | SCC
Application Insights (a Microsoft service used to support the health of the Service) | Ireland | GDPR
Schedule 3 – Technical and organizational measures
Physical security
The premises used by Processor shall be protected with adequate physical security measures, such as alarms for fire, water damage, burglary, etc. In addition, there should be procedures and equipment, for example in the form of alarms, barriers, locks, etc., which control access to the premises. Processor shall introduce necessary safety routines, such as (i) lock devices on computers and other equipment; (ii) an entry control system; (iii) protection against power outages as well as smoke and water damage; (iv) fire extinguishers; (v) safety locks; and (vi) marking of equipment, etc.
Organizational security measures
Processor should possess an up-to-date and implemented security policy which states, for example, the manner in which the personal data shall be processed, to whom Processor’s personnel shall turn in the event of a burglary or other incident, which personnel are authorized for which type of information, back-up procedures, contingency plans, etc.
Technical security measures
Processor should create a secure IT environment, which includes, but is not limited to, (i) necessary safety routines for avoiding virus attacks or other threats that could be harmful to the IT environment; (ii) an encryption system and/or other security measures with the purpose of preventing the interception or disclosure of signals; (iii) necessary security routines for IT equipment; (iv) an access control system based on user authorization, which enables identification of user identity (through the use of passwords or similar) and prevents unauthorized use of or access to the processed personal data; (v) storage of processing history (log data), which shall be deleted in accordance with Controller’s instructions; (vi) automatic back-up routines, including storage of back-up copies, which shall be deleted in accordance with Controller’s instructions; as well as (vii) destruction or other means of eradication of all media that has contained personal data and is no longer used.