Data Processing Agreement
Elemez is a highly configurable cloud based software as a Service platform made available by B2M to End Users. End Users are responsible for configuring Elemez and in doing so will determine the extent and purposes for which Personal Data is Processed. End Users are responsible for configuring Elemez so as to comply with Data Protection Laws and Regulations as further provided in this Data Processing Agreement.
All capitalized terms used in this Exhibit will have the meanings given to them in the Contract unless otherwise defined in this Exhibit. As used in this Exhibit, the following capitalized terms have the following meanings:
means any data processing equipment or system owned or under the control of B2M and used to Process the End User Data and Device Metrics.
means the entity which determines the purposes and means of the Processing of Personal Data.
means the entity which Processes Personal Data on behalf of the Data Controller.
Data Protection Laws and Regulations
means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under the Agreement.
means the cloud based software as a service environment made available by B2M to Reseller and End Users under the Agreement.
means any information relating to (i) an identified or identifiable person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where such data forms part of End User Data or Device Metrics.
means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.
End User Data
means any data, information, content, or records (but always excluding Device Metrics) that are provided by an End User to B2M for the purposes of B2M providing Elemez to Reseller and End Users.
- Reseller and B2M acknowledge that for the purposes of Data Protection Laws and Regulations, the End User is the Data Controller and B2M is the Data Processor in respect of any Personal Data.
- Reseller warrants that it will Process Personal Data in accordance with the requirements of applicable Data Protection Laws and Regulations and that End Users’s instructions to B2M for the Processing of Personal Data shall comply with applicable Data Protection Laws and Regulations.
- Reseller agrees and acknowledges that:
- Reseller is responsible for the accuracy, quality, and legality of Personal Data and the means by which End Users acquired Personal Data;
- Reseller and/or End User is responsible for obtaining any data subject consent required or relied upon for the Processing of Personal Data;
- it has familiarised itself with the configuration and operation of Elemez;
- the technical and organisational measures implemented by B2M are as set out in the B2M Elemez Security Policy; and
- B2M is under no duty to investigate the completeness, accuracy or sufficiency of any instructions given by Reseller or End Users with regard to Personal Data.
- If Reseller purchases professional services or support services from B2M involving the configuration of Elemez, Reseller acknowledges that B2M is advising Reseller as to the functionality of Elemez as opposed to making any determination on the Reseller’s behalf as to the Processing of Personal Data, and that such decisions are made by Reseller alone.
- Reseller acknowledges that Reseller or End Users may configure Elemez in ways which do not comply with Data Protection Laws and Regulations, including but not limited to configurations that allow for the Processing of Personal Data in the absence of data subject consent or an alternative condition for Processing. Reseller therefore acknowledges that it is Reseller or the End User’s responsibility (as may be applicable) to configure Elemez so that the environment remains compliant at all times with Data Protection Laws and Regulations.
- B2M will Personal Data in accordance with the requirements of applicable Data Protection Laws and Regulations.
- B2M will Process Personal Data in accordance with End Users’s instructions and End Users shall issue complete and final instructions through the configuration of Elemez. B2M will not Process Personal Data outside the scope of such configuration without prior written agreement between B2M and Reseller, including agreement on any additional fees Reseller may be required to pay to B2M for carrying out such instructions.
- B2M will not access or use End User Data or Device Metrics, except as necessary to provide Elemez as configured by End User.
- B2M will not disclose End User Data or Device Metrics to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends B2M a demand for End User Data or Device Metrics, B2M will attempt to redirect the law enforcement agency to request that data directly from Reseller and may provide Reseller’s basic contact information to the law enforcement agency. If compelled to disclose End User Data and Device Metrics to a law enforcement agency, then B2M will give Reseller reasonable notice of the demand to allow Reseller to contact End User and to seek a protective order or other appropriate remedy unless B2M is legally prohibited from doing so.
- B2M restricts its personnel from processing End User Data and Device Metrics without authorisation by B2M as described in the B2M Elemez Security Policy. B2M shall ensure its personnel have received appropriate training and will impose reasonable contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security. B2M shall take reasonable steps to ensure the reliability of all its personnel who have access to the Personal Data.
- B2M does not require access to Personal Data contained in End User Data or Device Metrics to provide Support. Reseller shall take reasonable steps to prevent Reseller personnel providing such Personal Data in a request for or during the provision of Support. In the event any Personal Data is provided by Reseller as part of Support, B2M shall process such Personal Data solely for the purposes of providing Support, and will then delete it as soon as that purpose is complete.
TRANSFERS OF PERSONAL DATA
- B2M may transfer End User Data and Device Metrics outside the geographic region in which the data was collected. In the event of any such transfer B2M will:
- provide appropriate safeguards in relation to the transfer;
- ensure the data subject has enforceable rights and effective legal remedies; and
- B2M will comply with its obligations under the Data Protection Laws and Regulations by providing an adequate level of protection to any Personal Data that is transferred.
- Reseller acknowledges B2M may provide Support from outside the European Economic Area.
- B2M shall having regard to the state of technological development and the cost of implementing any measures, take appropriate technical and organisational measures against the unauthorised or unlawful Processing of Personal Data and against the accidental loss or destruction of, or damage to Personal Data, to ensure a level of security appropriate to: a) the harm that might result from such unauthorised or unlawful Processing or accidental loss, destruction or damage of the Personal Data; and b) the nature of the Personal Data to be protected.
- B2M is responsible for implementing and maintaining the technical and organisational measures for the B2M System as described in the B2M Elemez Security Policy.
- Reseller is responsible for reviewing the information made available by B2M relating to data security and making an independent determination as to whether such measures meet Reseller’s requirements, and for ensuring that Reseller’s personnel and consultants follow the guidelines they are provided regarding data security.
CERTIFICATIONS AND AUDIT
- On reasonable request B2M shall make available all information necessary to demonstrate B2M’s compliance with this DPA.
- B2M performs security audits to a standard that it considers reasonably appropriate for the industry from time to time. B2M shall provide Reseller with a copy the report created pursuant to its most recent security audit following the Reseller’s request.
SECURITY BREACH NOTIFICATION
- If B2M becomes aware of either (a) any unlawful access to any End User Data or Device Metrics stored on B2M’s equipment or in B2M’s facilities or in the Cloud Services; or (b) any unauthorized access to such B2M equipment or facilities, where in either case such access results in loss, disclosure, or alteration of End User Data or Device Metrics (each a “Security Incident”), B2M will promptly: (a) notify the Reseller of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
- Reseller agrees that an unsuccessful Security Incident will not be subject to this notification under this clause. An unsuccessful Security Incident is one that results in no unauthorized access to End User Data or Device Metrics or to any of B2M’s equipment or facilities storing End User Data or Device Metrics, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents.
- In the event of any Security Incident B2M will permit the Reseller on reasonable notice, in writing, during normal business hours to audit B2M’s Systems and records with regard to the Reseller’s use of Elemez, subject always to any obligations of confidentiality owed to B2M’s other customers and third parties.
- B2M may engage third parties (“Sub Processors”) to provide limited services on its behalf, such as Cloud Services and Support. B2M shall notify Reseller of the addition or replacement of such Sub Processors and the Reseller may, on reasonable grounds, object to a Sub Processor by notifying B2M in writing within 5 days of receipt of B2M notification, giving reasons for the Reseller’s objection. The parties shall work together to reach agreement on the engagement of Sub Processors.
- Where B2M engages any Sub Processor:
- B2M will restrict the Sub processor’s access to End User Data and Device Metrics only to what is necessary to provide Elemez in accordance with the Documentation and B2M will prohibit the Sub Processor from accessing End User Data and Device Metrics for any other purpose;
- B2M will impose appropriate contractual obligations in writing upon the Sub Processor that are no less protective than this DPA, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and
- B2M will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub Processor that cause B2M to breach any of B2M’s obligations under this DPA.
INDEMNITY AND LIMITATIONS OF LIABILITY
- Each party agrees to indemnify and keep indemnified and defend at its own expense the other party against all costs, claims, damages or expenses incurred by the other party or for which the other party may become liable due to any failure by the first party or its employees or agents to comply with any of its obligations under this agreement.
- Reseller acknowledges that B2M is reliant on the Reseller for direction as to the extent to which B2M is entitled to use and process the Personal Data. Consequently, B2M will not be liable for any claim brought by a third party arising from any action or omission by B2M, to the extent that such action or omission resulted directly from information provided by the Reseller or the Reseller’s instructions.