Global Processing Addendum

This Global Data Processing Addendum (“DPA”) is entered into between Celigo, Inc. (“Celigo”) and Customer, on behalf of itself and its Affiliates and is effective as of the date Customer signs this DPA, or if attached to a Quote, the effective date of the Agreement (the “DPA Effective Date”). Celigo and Customer are individually known as a “Party” and collectively as the “Parties.”

This DPA governs the Processing of Personal Information that Customer uploads or otherwise provides to Celigo in connection with the use of Celigo Products and/or services (collectively the “Services”) purchased or licensed by Customer under the Agreement. This DPA is incorporated into the Agreement.

Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. In the event of a conflict between the Agreement and this DPA, the provisions of this DPA shall control and govern with respect to the handling of Personal Information. This DPA may be amended and/or modified only by a writing signed by Celigo and Customer.

From the DPA Effective Date, this DPA replaces and supersedes, in entirety, any earlier data processing agreement, if any, executed by the Parties.

1. Definitions. Capitalized terms in this DPA shall have the meanings set forth below. Capitalized terms that are not defined in this DPA shall have the meanings set forth in Applicable Data Protection Laws. Any other capitalized terms shall have the meaning set forth in the Agreement.

1.1. “Affiliate” means an entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control” for purposes of this definition means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

1.2. “Adequacy Decision” means the adequacy decisions published by the relevant Authorities of the EEA, United Kingdom, Switzerland, the EU Member States or the European Commission.

1.3. “Applicable Laws” means all international, national, federal, state, and local laws, rules, regulations, rulings, judgments, declarations, decrees, directives, statutes, guidelines, court or government agency orders, mandates and resolutions of the United States, Canada, European Union, United Kingdom, and Australia.

1.4. “Audit Reports” means ISO 27001, SSAE 16 SOC II or similar audit report performed by a qualified third party auditor.

1.5. “Authority” means any court, regulatory or supervisory body, law enforcement agency, consumer protection bureau, or any other government entity with the authority to enforce Data Protection Laws.

1.6. “Business Purpose[s]” means the Services provided by Celigo to Customer under the Agreement, any purpose identified in Appendix 1 to this DPA or as otherwise agreed by the Parties in writing.

1.7. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.

1.8. “Customer Personal Data” means personal data that Customer provides or makes available to Celigo, or that Celigo otherwise processes on Customer’s behalf, in each case, in connection with the provision of or as a part of the Services pursuant to the Agreement at any time until the expiration or termination of the Agreement.

1.9. “Data Protection Laws” means Applicable Laws related to privacy, security, data protection, and/or the Processing of Personal Data to the extent applicable to Celigo’s provision of the Services including but not limited to: (i) GDPR; (ii) the ePrivacy Directive 2002/58/EC (the “Directive”) and laws of EU Member States implementing or supplementing the Directive; (iii) UK GDPR; (iv) Swiss Federal Data Protection Act (“Swiss DPA”); (v) the California Consumer Privacy Act as amended by the California Privacy Rights Act (collectively “CCPA”) and similar privacy laws enacted in Virginia, Colorado, Utah, Connecticut, Delaware, Texas, New York and other US States (collectively “State Privacy Laws”), as amended, replaced or superseded from time to time.

1.10. “Data Subject” refers to the individual or household to whom Personal Information relates.

1.11. “EEA” means, collectively, the countries of the European Union, Norway, Liechtenstein and Iceland.

1.12. “GDPR” means Regulation (EU) 2016/679 together with applicable legislation of EEA Member States implementing or supplementing the GDPR or otherwise relating to the processing of Personal Data of natural persons, each as amended and including any substantially similar legislation that replaces it.

1.13. “IDTA Addendum” means the International Data Transfer Agreement (IDTA) Addendum to the EU Commission Standard Contractual Clauses issued by the United Kingdom Information Commissioner, Version B1.0.

1.14. “Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data transmitted, stored or otherwise Processed by Celigo. “Incidents” includes a “breach of security of a system” or similar term (as defined in any Applicable Laws) as well as any other event that compromises the security, confidentiality or integrity of Personal Information; but does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

1.15. “Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly with a particular individual or household including, but not limited to, “personal information,” “personal data,” “personally identifiable information,” “Sensitive Personal Information,” and any other comparable terms defined by the Data Protection Laws.

1.16. “Process”, “Processed” or “Processing” means any operation or set of operations that is performed upon Customer Personal Data, whether or not by automatic means, such as collection, recording, securing, organizing, structuring, temporary storage, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.

1.17. “Processor” means the individual or legal entity, of public or private law, Processing Personal Information on behalf of the data Controller, or as defined in any applicable Data Protection Law.

1.18. “Quote” means an enrolment or ordering document.

1.19. “Sensitive Personal Information” refers to any Personal Information that requires an extra level of protection and a higher duty of care, or that could reasonably be expected to increase the likelihood that an individual may be harmed if it is lost or stolen. A national identifier, driver’s license number or other government issued identification number, biometric or personal health information, payment card information, and financial account information are all examples of Sensitive Personal Information.

1.20. “Services” is defined in the Agreement and additionally means services and/or products to be provided by Celigo to Customer under the Agreement as detailed in a Quote.

1.21. “SCCs” means the clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.22. “Sub-processors” means third parties, other than Celigo, engaged and authorized by Celigo to process Customer Personal Data in relation to the Services.

1.23. “UK GDPR” means the United Kingdom’s Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018.

2. Processing of Customer Personal Data.

2.1. For purposes of this DPA, Customer is a Controller or Processor and Celigo is a Processor or Sub-processor.

2.2. By entering into this DPA, Customer instructs Celigo to Process Customer Personal Data only in accordance with the Data Protection Laws and Customer’s instructions (including with regard to data transfers): (a) to provide the Services; (b) as authorized by the Agreement, including this DPA; and (c) as documented in the data flows established by the Parties, which also constitute Customer’s instructions for purposes of this DPA. Celigo may exercise its reasonable discretion in the selection and use of such means it deems necessary to comply with Customer’s instructions and this DPA when Processing Customer Personal Data. Customer shall have the right to take appropriate and reasonable steps to stop any unauthorized Processing of Customer Personal Data.

2.3. The categories of Customer Personal Data to be Processed by Celigo, the duration of the Processing, the nature and purposes of the Processing, as well as the types of Personal Data Processed and categories of Data Subjects under this DPA are further specified in Schedule I, which is incorporated by reference.

2.4. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data it provides to Celigo and the means by which Customer acquired Customer Personal Data. To the extent required by Data Protection Laws, Customer has ensured, and will continue to ensure, that a legal basis for Processing exists, including, but not limited to, obtaining all necessary Data Subject consents, and for ensuring that a record of such consents is maintained. Should a Data Subject revoke consent, Customer must immediately notify Celigo or cease the processing of such Personal Data. Customer acknowledges that Celigo is not responsible for collecting consent or authorization for the Processing of Customer Personal Data.

3. Security Measures.

Celigo and Customer shall at all times during the Term of the Agreement and this DPA have in place an appropriate written security policy with respect to the (a) provision or use of the Services, (b) Processing of Personal Data, and (c) outlining each Party’s Security Measures.

3.1. Celigo’s Security Measures.
3.1.1. Celigo shall implement and maintain a security program that includes appropriate technical and organizational measures to ensure a level of security, confidentiality and integrity appropriate to the risk of Processing the Customer Data, including the Customer Personal Data provided or Processed under the Agreement and this DPA (“Security Measures”).
3.1.2. Celigo’s Security Measures are set forth in Schedule 2, published at: and may be updated from time to time to improve security and maintain compliance with the Data Protection Laws provided that such updates and modifications do not materially decrease the overall security of the Services.
3.1.3. Celigo routinely monitors and audits its compliance with the Security Measures to assure effectiveness and evidence of continual use. Customer may exercise its rights set forth in Section 4.2 to obtain copies of documentation or other evidence of the effectiveness of the Security Measures.
3.1.4. If Celigo becomes unable to meet its obligations under applicable Data Protection Laws, Celigo will notify Customer and Customer may (a) demand Celigo discontinue Processing Customer Personal Data; (b) discontinue use of the Services and notify Celigo of such discontinuation in writing; or (c) terminate the Agreement by providing written notice to Celigo.

3.2. Customer’s Security Responsibilities.
3.2.1. Customer is solely responsible for taking appropriate risk-based measures to protect the security of Customer’s account and Customer Personal Data within Customer’s control, and during its use of the Services.
3.2.2. Customer is solely responsible for reviewing and evaluating for itself whether Celigo’s Security Measures and the Services meet Customer’s needs and any security or legal obligations under the Data Protection Laws. Customer acknowledges and agrees that (taking into account industry standards, the costs of implementation and the nature, scope, context and purposes of the processing of Customer Personal Data as well as the risks to Data Subjects) the Security Measures implemented and maintained by Celigo provide a level of security appropriate to the risk in respect of Customer Personal Data.

3.3. To the extent required by the Data Protection Laws, Celigo will provide reasonable assistance to Customer in complying with Customer’s obligations to perform a data protection impact assessment. In situations where Customer’s Processing of Customer Personal Data results in a high risk to the rights and freedoms of Data Subjects, Celigo will provide reasonable assistance to Customer as it seeks prior consultation from an Authority. In the event Customer’s request results in an undue burden on Celigo’s business operations, Celigo may charge fees for such assistance, to be agreed by the parties prior to performance of any assistance.

4. Processing Records.

4.1. Customer acknowledges that Celigo is required under the Data Protection Laws to collect and maintain records of certain information. Celigo shall collect and maintain complete, accurate, and up to date written records of all categories of information and Processing activities carried out on behalf of Customer in accordance with the Data Protection Laws including (a) the name and contact details of each Processor and/or Controller and, where applicable, of such Processor’s or Controller’s local representative and data protection officer; (b) the categories of Processing carried out on behalf of Customer; (c) a general description of the technical and organizational Security Measures referred to herein; and, where applicable, (d) details of International Transfers of Personal Data to recipients outside the EU/EEA, United Kingdom, Switzerland, or US.

5. Audits.

5.1. Once per calendar year during the Term of the Agreement and this DPA (“Period Limit”), conducted at a place and time and in a manner that will not interfere with Celigo’s standard operations, Customer may, upon no less than forty-five (45) days prior written request (“Notice Requirement”), audit Celigo’s compliance with its obligations under this DPA including its ability to meet the requirements of the Data Protection Laws (including Article 28(3)(h) of GDPR and UK GDPR). To the extent required by the Data Protection Laws, when mandated by an Authority, or in the event of an Incident, the Period Limit and Notice Requirement in this Section shall not apply. Celigo will contribute to such audits by providing Customer or the relevant Authority with the information and assistance reasonably necessary to conduct the audit, including providing access to any relevant records of Processing activities applicable to the Services.

5.2. If Customer appoints a third party to conduct the audit, Celigo may require such third party to execute a non-disclosure agreement. In addition, Celigo may object to the auditor if the auditor is, in Celigo’s reasonable opinion, not suitably qualified or independent, or is a Celigo competitor. Such objection by Celigo will require Customer to appoint another auditor or conduct the audit directly.

5.3. Customer must submit a detailed proposed audit plan to Celigo at least two weeks in advance of the proposed audit start date. The proposed audit plan must describe the scope and duration. If the requested audit scope is addressed in the Audit Reports that were completed within twelve (12) months of Customer’s request, Customer agrees to accept the Audit Reports in lieu of proceeding with the audit. If not, Celigo will review the proposed audit plan and provide Customer with concerns or questions (for example, any request for information that could compromise Celigo security, privacy, employment, or other relevant policies). Celigo will work cooperatively with Customer to finalize a mutually acceptable audit plan.

5.4. Customer will promptly notify Celigo of any alleged non-compliance discovered during the course of an audit and provide Celigo with any reports generated in connection with any audit under this Section, unless prohibited by Data Protection Laws or otherwise instructed by an Authority. Customer may use such reports only for the purpose of meeting Customer’s audit obligations under Data Protection Laws and/or confirming compliance with the requirements of this DPA and for no other purpose. The audit reports are Confidential Information of the Parties under the terms of the Agreement.

5.5. Celigo will promptly resolve, at its own cost and expense, any confirmed non-compliance with Data Protection Laws or this DPA.

5.6. All audits are at Customer’s expense, and subject to mutual agreement prior to any audit; provided Celigo shall cover its own costs for audits resulting from an Incident. Customer shall reimburse Celigo for any time expended by Celigo or its Sub-processors in connection with any audits under this Section at Celigo’s then-current professional services rates. Customer will pay all fees charged by any third-party auditor appointed by Customer to execute any such audit. Audits resulting from an Incident will be at Celigo’s expense, subject to Section 15 (Limitations of Liability) in the Agreement.

5.7. The Parties agree that this Section of the DPA shall satisfy Celigo’s obligations under the audit requirements of the applicable Data Protection Laws.

6. Cross-Border Data Transfers.

6.1. Customer Personal Data may be transferred from the EU Member States, the EEA, the United Kingdom and Switzerland to countries that offer an adequate level of data protection pursuant to an Adequacy Decision, without any further safeguards being necessary.

6.2. If the Processing of Personal Data includes transfers from the EU Member States or the EEA to countries which are not subject to an Adequacy Decision, the Parties are deemed to have signed the SCCs which form part of this DPA and will be deemed completed as follows:
6.2.1. Module 2 of the SCCs applies to transfers of Customer Personal Data from Customer to Celigo where Customer is the controller and data exporter and Celigo is the processor and data importer. Module 3 of the SCCs applies to transfers of Customer Personal Data from Customer to Celigo where Customer is a processor and data exporter and Celigo is a sub-processor and data importer;
6.2.2. Clause 7 (the optional docking clause) is not included;
6.2.3. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (general written authorization);
6.2.4. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body is not included;
6.2.5. Under Clause 13, the following option is selected: The supervisory authority of one of the Member States in which the Data Subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, as indicated in Annex I.C (Schedule 1.C herein), shall act as competent supervisory authority.

Notwithstanding the above, where a Customer is not established in a Member State, the supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

6.2.6. Under Clause 17 of Module 2 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-party beneficiary rights) and select the law of the Netherlands.
6.2.7. Under Clause 17 of Module 3 (Governing law), the Parties select the law of the Netherlands;
6.2.8. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Amsterdam;
6.2.9. The Annexes are completed in the Schedules to this DPA as follows: Annex I(A)-(C) in Schedule I; Annex II (Technical and organizational measures) in Schedule 2 of this DPA; and Annex III (List of Sub-processors) in Schedule 3 of this DPA.

6.3. If the Processing of Personal Data includes transfers from the United Kingdom to countries which are not subject to an Adequacy Decision, the Parties are deemed to have signed the SCCs, which form part of this DPA and will be deemed completed as set forth in section 6.2 of this DPA. The Parties are further deemed to have signed the IDTA Addendum which shall amend the SCCs as set forth therein. The Tables of the IDTA Addendum shall be completed as follows: (i) Table 1 is completed as set forth in Schedule 1; (ii) Table 2 is completed as set forth in Sections 6.2.1 through 6.2.8; (iii) Table 3 is completed as set forth in Sections 6.2.9 through 6.2.11; and (iv) Table 4 is completed with the selection of “neither Party.” To the extent Customer intends to provide Celigo with Personal Data of United Kingdom residents, ADDENDUM – SCHEDULE 4: Transfer Risk Assessment (TRA) applies.

6.4. If the Processing of Personal Data includes transfers from Switzerland to countries which are not subject to an Adequacy Decision, the Parties are deemed to have signed the SCCs, but with the following differences to the extent required by Swiss Privacy Laws:
6.4.1. References to the GDPR in the SCCs are to be understood as references to the Swiss Privacy Laws insofar as the data transfers are subject exclusively to Swiss Privacy Laws and not to the GDPR.
6.4.2. The term “member state” in the SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the SCCs. Swiss courts are an alternative place of jurisdiction for Data Subjects habitually resident in Switzerland.
6.4.3. To the extent Transfers are subject to the Federal Act on Data Protection (“FADP”) references to “Regulation (EU) 2016/679” will be deemed to be references to the FADP.
6.4.4. References to Personal Data in the SCCs also refer to data about identifiable legal entities until the entry into force of revisions to Swiss Privacy Laws that eliminate this broader scope.
6.4.5. Under Annex I(C) (Schedule 1.C herein) of the SCCs (competent supervisory authority): (a) where the transfer is subject exclusively to Swiss Privacy Laws and not the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and (b) where the transfer is subject to both Swiss Privacy Laws and the GDPR, the supervisory authority is the Swiss Federal Data Protection and Information Commissioner insofar as the transfer is governed by Swiss Privacy Laws and the supervisory authority is as set forth in Section 6.2 of this DPA insofar as the transfer is governed by the GDPR.

6.5. Celigo shall notify the Customer of any inability to comply with the SCCs, in which case the Customer may suspend the transfer of all data, reduce the scope of the Services to eliminate the transfer of data from the EEA, Switzerland, or UK to countries without an Adequacy Decision, and/or terminate the Agreement.

6.6. If the transfer of Customer Personal Data under the SCCs or IDTA Addendum ceases to be lawful or the additional safeguards are no longer effective, Customer and Celigo will promptly, and without insisting on conditions that are not legally required, cooperate to facilitate use of an alternative lawful data transfer mechanism and/or alternative additional safeguards for the transfer of Customer Personal Data from the EEA, Switzerland, or United Kingdom to a country without an Adequacy Decision. Customer may also require Celigo to cease transfers of the Customer Personal Data until such alternate mechanism is in place.

6.7. In addition to the terms set forth herein, the additional jurisdiction terms included in Schedule 4 shall amend and/or supplement this Section for the specific jurisdiction or as otherwise required under the Data Protection Laws.

6.8. If a valid international data transfer mechanism (“Mandatory Transfer Mechanism”) is required to lawfully transfer Customer Personal Data, the terms specified in the applicable portions of this Section 6 and Schedule 4, and as otherwise set forth in Schedule 5 to this DPA, apply.

7. Data Storage and Processing Facilities. Celigo may store and Process Customer Personal Data anywhere Celigo or its Sub-processors maintain facilities, including in the United States and Germany, subject to the Customer’s selection of a regional data center. Celigo also has employees or contractors who may access Customer Personal Data from third countries, namely India, the Philippines, and Sri Lanka. Customer is solely responsible for selecting the operational regional data center to use for Processing upon signing up for the Services and executing this DPA. For clarity, Customer understands and agrees that all Customer Personal Data remains hosted in the region of the data center used for the duration of Processing.

8. Information Obligations and Incident Management

8.1. If Celigo becomes aware of an Incident, Celigo will: (a) notify Customer of the Incident without undue delay, but no later than seventy-two (72) hours after becoming aware of the Incident; and (b) take reasonable steps to identify the cause of such Incident, minimize harm, and prevent a recurrence. Notifications made pursuant to this Section must, to the extent then known: (i) describe the nature of the Incident including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Customer Personal Data records concerned; (ii) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; (iii) describe the likely consequences of the Incident; (iv) describe the measures taken or proposed to be taken by Celigo to address the Incident, including, where appropriate, measures to mitigate its possible adverse effects; (v) provide other information required by an Authority under Data Protection Laws.

8.2. Except to the extent required by applicable Data Protection Laws, Celigo shall not make any notification of an Incident to any third-parties or Authorities without Customer’s prior written consent, other than to (i) law enforcement; (ii) Celigo’s affected Sub-processors, insurance adjusters, legal counsel, and Incident response service providers; and (iii) any other third-parties whose data was also involved in the Incident.

8.3. Customer is solely responsible for complying with Incident notification laws applicable to Customer and fulfilling third-party notification obligations related to an Incident, including all notifications of impacted Data Subjects and Authorities.

8.4. Celigo’s notification of, or response to, an Incident under this Section 8 will not be construed as an acknowledgement by Celigo of any fault or liability with respect to the Incident.

9. Sub-Processors.

9.1. Customer specifically authorizes the engagement of Celigo Affiliates as Sub-processors. To the extent consent is required under this DPA, the SCCs or IDTA Addendum, Customer consents to the subcontracting by Celigo of the Processing of Customer Personal Data by Celigo’s current Sub-processors described in Schedule 3.

9.2. Celigo may disclose Customer Personal Data to an approved Sub-processor, provided that the Sub-processor will comply with applicable Data Protection Laws, and pursuant to a contract requiring that such Sub-processor implements appropriate administrative, technical, and physical measures to ensure Customer Personal Data is Processed in compliance with applicable Data Protection Laws, the Agreement and this DPA. Celigo shall be liable for all obligations subcontracted to, and all acts and omissions of, Celigo’s Sub-processors.

9.3. When a new Sub-processor is engaged during the Term, Celigo will notify Customer of the engagement (including the name and location of the new Sub-processor and the activities it will perform) at least ten (10) days prior to permitting the new Sub-processor to commence Services, provided that Customer has opted in to receive email notifications in accordance with the form available through Schedule 3. If the SCCs or IDTA Addendum apply, Celigo may redact all confidential business or legal terms in its agreements with Sub-processors prior to responding to Customer’s request for a copy of a Sub-processor agreement pursuant to the SCCs.

9.4. Customer may object to a new Sub-processor by providing written notice to Celigo within ten (10) business days of the date on the Celigo notice. In the event Customer objects to a new Sub-processor, Customer and Celigo will work together in good faith to find a mutually acceptable resolution to address such objection. If the Parties are unable to reach a mutually acceptable resolution within a reasonable timeframe, Customer may, as its sole and exclusive remedy, terminate the use of the affected Services, terminate that portion of the Agreement related to the affected Services, or terminate the Agreement by providing written notice to Celigo.

10. Return or Destruction of Personal Data. Celigo shall only retain Customer Personal Data for as long as it is reasonably necessary to provide the Services or as otherwise permitted or required by applicable Data Protection Laws. Within 30 days of the effective date of expiration or termination of the Agreement, Celigo shall delete Customer Personal Data from Celigo’s systems in accordance with applicable Data Protection Laws as soon as reasonably practicable, unless any Applicable Laws, including applicable Data Protection Laws require or allow Celigo to retain copies of Customer Personal Data. Alternatively, Customer may manually delete data using a deletion option provided by Celigo as part of the Services.

11. Data Subject Rights.

11.1. During the Term, if Celigo receives any request from a Data Subject in relation to Customer Personal Data, to the extent permitted by applicable Data Protection Laws, Celigo will advise the Data Subject to submit the request to Customer, notify the Customer of the request, and Customer will be responsible for responding to any such request, in each case, unless Celigo does not know that Customer is the Controller or Processor for the Data Subject.

11.2. Taking into account the nature of the Processing of Customer Personal Data by Celigo, and subject to Section 3.3, Celigo will provide Customer with reasonable assistance as necessary for Customer to fulfil its obligation under Data Protection Laws to respond to Data Subject requests.

12. Request for Disclosure of Personal Data.

12.1. If Celigo receives a request for disclosure of Customer Personal Data Processed by Celigo (“Disclosure Request”) from an Authority, Celigo will, without undue delay, notify Customer of the Disclosure Request to give Customer an opportunity to object to or challenge the Disclosure Request, unless Applicable Laws prohibit such notice. Celigo will also assess on a case-by-case basis whether the Disclosure Request is legally valid and binding on Celigo and will resist any Disclosure Request that is not valid and binding in accordance with Applicable Laws.

12.2. If providing Customer with notice of a Disclosure Request to Celigo is prohibited, Celigo will request that the Authority waive this prohibition, and Celigo will document that it has made such request.

13. Notices. Notices required or permitted to be given by a Party may be given (a) in accordance with the notice provisions of the Agreement; (b) to a Party’s primary points of contact with the other Party; and/or (c) to any email provided by Customer for the purpose of providing it with Service-related communications or alerts. Customer is solely responsible for ensuring that the emails provided for notices are current and valid. Customer must also email a copy of all notices to: [email protected].

14. Amendments. If an amendment to the Agreement or this DPA is necessary in order to execute Customer’s instruction to Celigo to improve Security Measures as may be required by changes in Data Protection Laws, the Parties shall negotiate an amendment to the Agreement or this DPA, as applicable, in good faith and without undue delay.

Governing Law. This DPA shall be governed by the law of the same jurisdiction as the Agreement, except where and to the extent the Data Protection Laws require this DPA be governed by the law of another jurisdiction.

Customer:
By:
Print Name:
Title:
Date:

Celigo, Inc.
By:
Print Name: Jessica Mifflin
Title: Data Privacy Officer
Date:

SCHEDULE 1: PARTIES AND PROCESSING DETAILS [TO BE COMPLETED BY CUSTOMER]
A. LIST OF PARTIES
Data exporter:
Company: _____________________________________
Address: _______________________________________________
Contact person’s name, position and contact details:
________________________________________________________

Role: [Select Controller or Processor]
Data Importer:
Company: CELIGO, INC.
Address: 3 Lagoon Drive, Suite 130, Redwood City, CA 94065
Contact person’s name, position and contact details:
Jessica Mifflin, Sr. Director, Security and Compliance: [email protected]
Role: Processor

B. DESCRIPTION OF TRANSFER

1. Categories of Data Subjects whose personal data is transferred.
Employees, contractors, customers, and partners of Customer
2. Categories of personal data transferred.
Categories necessary for Customer’s intended use of the Platform
3. Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
4. The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis)
Continuous, or as necessary for performance under the Agreement
5. Nature of the processing
The Processing will comprise the Processing necessary to provide the Services pursuant to the Agreement.
6. Purpose(s) of the data transfer and further processing
To provide the Services pursuant to the Agreement: [provide additional details]
7. The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
In accordance with paragraph 10 of the DPA.
8. For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
The subject matter of the Processing of the Customer Personal Data are set out in the Agreement and this DPA. The duration of the Processing activities shall be for the term set forth in the Agreement. The purpose of the Processing of Customer Personal Data by Celigo is the performance of the Services pursuant to the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY
The Parties shall follow the rules for identifying such competent supervisory authority under Clause 13 of the SCCs and paragraph 6 of the Agreement.
__________________________________________________________ _____________

SCHEDULE 2: TECHNICAL AND ORGANISATIONAL MEASURES

1. Applicable Standards

1.1. Celigo will implement administrative, physical and technical safeguards designed to protect Customer Data consistent with generally-accepted industry standards and practices for information security, including the controls and Trust Service Principles of SOC 2 Type 2 (covering security and availability). Celigo will ensure that all such safeguards, including the manner in which Celigo processes, uses, disposes of and discloses Customer Data comply with laws applicable to Celigo’s delivery of the services as stated in the Agreement, including without limitation all applicable Data Protection Legislation.

1.2. Celigo will not make any changes that materially reduce or weaken Celigo’s security controls to Celigo’s systems or environments that transmit, process, or store Customer Data.

2. Data Security

2.1. Celigo will encrypt all electronic Customer Data that is required to be encrypted under applicable laws, regulations, or standards, whether stored at rest or transmitted in transit, in accordance with industry-accepted encryption standards (e.g., AES-256, TLS 1.2 or higher). Celigo will use security technologies (including intrusion prevention systems, security monitoring and alerting, encryption, multi-factor authentication, and firewall protection) in providing the Products.

2.2. Where applicable, Celigo will use a security-conscious software development lifecycle for software engineering that incorporates risk assessment and vulnerability testing designed to ensure that none of the OWASP Web Application Top 10 Security Risks are present. Celigo will additionally ensure Customer Data is not replicated or used in non-production environments. Celigo will implement change management processes and procedures to ensure that only authorized changes are implemented in the production environment.

2.3. Celigo will maintain a security training program for all Celigo personnel (incl. temporary workers) who have access to, or are likely to have access to Customer Data in written or electronic form.

3. Access Controls. Celigo will grant user access rights and privileges to information resources containing Customer Data solely on a need-to-know basis consistent with role-based authorization. Immediately upon separation or role transfer that eliminates the valid business need for continued access to Customer Data by a Celigo Representative, Celigo will remove such Celigo Representative’s access. Celigo will also employ appropriate personnel security and integrity procedures and practices, including, but not limited to, conducting background checks of employees that will have access to Customer Data consistent with industry standards and applicable law.

4. Audit Logs. Celigo will maintain audit logs for access to systems and networks transmitting, processing, or storing Customer Data. Audit logs will, at a minimum, identify the user accessing the system/data, actions taken by the user, and a date/time stamp. Audit logs will be protected against unauthorized modification and deletion.

5. Business Continuity and Disaster Recovery. Celigo will maintain business continuity and disaster recovery plans designed to ensure that critical services can be restored and provided in a manner consistent with Celigo’s service level agreements agreed to with the Customer.

6. Physical Security. Celigo will use reasonable efforts to ensure that its facilities and those of Celigo subprocessors are physically secured. Celigo will implement physical entry controls for all areas where Customer Data is processed. Such controls will include restricting access to these areas and the use of individually identifiable entry methods (e.g., key cards). Celigo will contractually require its subprocessors to maintain comparable controls. Celigo and subprocessors will maintain surveillance systems for secure areas to monitor, detect, and respond to suspected security incidents on a 24/7 basis.

7. Subcontractors. Celigo will ensure that any Celigo personnel who processes Customer Data on behalf of Celigo is bound by a written contract that imposes the same restrictions and conditions that apply to Celigo with respect to such data. Celigo will provide Customer with at least ten (10) days’ notice prior to the date on which it engages any new or replacement Celigo Representative to process Customer Data.

8. Permitted Uses. Celigo may maintain, transmit, access, use or disclose Customer Data solely for the benefit of Customer and to perform functions, activities, or services as specified in the Agreement.

9. Breach Notification.

9.1. Celigo will notify Customer of a Security Incident (as defined in the Terms of Service or Data Processing Agreement) by emailing Customer at the address specified in the Agreement as soon as practicable, but no later than seventy-two (72) hours after Celigo becomes aware of or has reason to believe that a Security Incident has occurred. Notification of a Security Incident is not an acknowledgement by Celigo of its fault or liability.

9.2. Taking into account the nature of the Security Incident and the information available to Celigo, Celigo agrees to support Customer’s investigation of the Security Incident by providing Customer with a report of the Security Incident and access to relevant records, logs, and other information as required by applicable laws.

9.3. Celigo will exercise reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Celigo’s reasonable control.

9.4. Celigo agrees that Customer will have the sole right to determine: (i) whether notice of the Security Incident is to be provided to any individuals impacted by any unauthorized disclosure of Customer Data and (ii) the contents of such notice. Notwithstanding the foregoing, Celigo may notify consumer reporting agencies or others as required by Applicable Laws.

9.5. Celigo agrees to reasonably cooperate with Customer in any litigation or other formal action deemed necessary by Customer to protect its rights relating to the use, disclosure, protection and maintenance of Customer Data. Celigo may seek reimbursement of its expenses for such cooperation, to be agreed by the parties in advance of any such participation.

10. Termination.

10.1. Customer will have the right to terminate the Agreement for Celigo’s material breach of these Security Requirements as set forth in the termination section of the Agreement.

11. Celigo will provide Customer, on request, with the results of any security assessment or audit report performed on behalf of Celigo to assess the effectiveness of Celigo’s information security program as relevant to the security and confidentiality of Customer Data.

In the event an audit conducted by Celigo shows deficiencies, Celigo will use reasonable efforts to promptly remediate and correct all such deficiencies in line with industry standard remediation timeframes.

12. Precedence. In the event of a conflict between these Security Requirements and any terms set forth in the Agreement with respect to the subject matter described herein, these Security Requirements will control unless Customer and Celigo explicitly agree in writing that this Section 12 will not apply with respect to the conflicting terms.

SCHEDULE 3: LIST OF SUB-PROCESSORS

All third-parties listed at the following web address as of the DPA Effective Date: https://www.celigo.com/subprocessors#collapse-11908

SCHEDULE 4: JURISDICTION SPECIFIC TERMS

1. ADDITIONAL PROVISIONS FOR EUROPEAN PERSONAL DATA

1.1 Scope. This ‘Additional Provisions for European Personal Data’ section will apply only with respect to European Personal Data that Celigo Processes on Customer’s behalf under the Agreement and this DPA.

1.2 Role of Parties. When Processing European Data in accordance with Customer’s instructions, the Parties acknowledge and agree that Customer is acting as the Controller, or as a Processor on behalf of another Controller, and Celigo is the Processor under the Agreement and this DPA.

1.3 Instructions. If Celigo believes that Customer’s instructions infringe European Data Protection Laws (where applicable), Celigo will inform Customer without delay.

1.4 Data Protection Impact Assessments and Consultation with the Authorities. To the extent that the required information is reasonably available to Celigo, and Customer does not otherwise have access to the required information, Celigo will provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with the Authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI), or other competent Authorities) to the extent required by European Data Protection Laws.

1.5 Data Transfers. Celigo will not transfer European Personal Data to any country or recipient not recognized as covered by an Adequacy Decision for Customer Personal Data (within the meaning of applicable European Data Protection Laws), unless it first takes all such measures as are necessary to ensure the transfer is in compliance with applicable European Data Protection Laws. Such measures may include (without limitation) (i) transferring such data to a recipient that is covered by a suitable framework or other legally adequate transfer mechanism recognized by the relevant authorities or courts as providing an adequate level of protection for Customer Personal Data, including the Data Privacy Framework; (ii) to a recipient that has achieved binding corporate rules authorization in accordance with European Data Protection Laws; or (iii) to a recipient that has executed the Standard Contractual Clauses in each case as adopted or approved in accordance with applicable European Data Protection Laws.

2. Switzerland

2.1 When Celigo engages a Sub-processor, it will:

2.1.1 Require the Sub-processor to comply with those Security Measures set forth in Section 2 and Schedule 2 of this DPA that are appropriate to the nature of processing by the Sub-processor, including but not limited to all technical and organizational measures required by Article 28 of the GDPR; and

2.1.2 Require the Sub-processor to agree in writing to only process Customer Personal Data (a) in Switzerland, (b) in the EU/EEA, (c) in another country for which the European Commission has issued an Adequacy Decision, or (d) on terms set forth in Section 6.4 or in Schedule 5 regarding International Transfers of Customer Personal Data.

3. United Kingdom

3.1 References to “GDPR” will be deemed to be references to the corresponding laws and regulations of the United Kingdom, including, without limitation the UK GDPR and UK Data Protection Act of 2018.

3.2 When Company engages a Sub-processor, it will:

3.2.1 Require the Sub-processor to comply with those Security Measures set forth in Section 2 and Schedule 2 of this DPA that are appropriate to the nature of Processing by the Sub-processor, including but not limited to all technical and organizational measures required by Article 28 of the UK GDPR; and

3.2.2 Require the Sub-processor to agree in writing to only process Customer Personal Data in (a) the UK, (b) the EU/EEA, (c) another country for which the United Kingdom has issued an Adequacy Decision, or (d) on terms set forth in Schedule 5 regarding International Transfers of Customer Personal Data.

4. Additional Provisions for the United States, including California

4.1 Scope. This ‘Additional Provisions for the United States, including California’ section of the DPA will apply only with respect to Customer Personal Data that Celigo Processes on Customer’s behalf under the Agreement and this DPA.

4.2 Role of Parties. When processing Customer Personal Data in accordance with Customer’s instructions, the Parties acknowledge and agree that Customer is a Business and Celigo is a Service Provider for the purposes of the CCPA.

4.3 Responsibilities. Celigo certifies that it will Process Customer Personal Data as a Service Provider strictly for the purpose of performing the Services under the Agreement (the “Business Purpose”) or as otherwise permitted by the CCPA or Data Protection Laws. Further, Celigo certifies that it will not (i) sell or share Customer Personal Data; (ii) Process Customer Personal Data outside the direct Business Purpose or as otherwise agreed between the Parties, unless required by Applicable Law; (iii) combine Customer Personal Data included in Customer data with Personal Data that Celigo collects or receives from another source (other than information Celigo receives from another source on behalf of Customer in connection with Celigo’s obligations as a Service Provider under the Agreement); (iv) retain, use, or disclose Customer Personal Data for any purpose other than the Business Purpose specified in the Agreement; or (v) retain, use, or disclose any Customer Personal Data outside of the direct business relationship between Celigo and Customer.

4.4 Compliance. Celigo will (i) comply with the obligations applicable to Celigo as a Service Provider under the CCPA; (ii) provide the same level of protection for Customer Personal Data as is required by the CCPA; and (iii) notify Customer if Celigo makes a determination that Celigo can no longer meet its obligations as a Service Provider under the CCPA.

4.5 CCPA Audits. Customer will have the right to take reasonable and appropriate steps to help ensure that Celigo uses Customer Personal Data in a manner consistent with Customer’s obligations under the CCPA. Upon notice, Customer will have the right to take reasonable and appropriate steps in accordance with the Agreement to stop and remediate unauthorized use of Customer Personal Data.

4.6 Not a Sale. The Parties acknowledge and agree that the disclosure of Customer Personal Data by Customer to Celigo does not form part of any monetary or other valuable consideration exchanged between the Parties.

SCHEDULE 5: INTERNATIONAL MANDATORY CROSS-BORDER TRANSFER MECHANISMS

1. Definitions for this Schedule 5 only:

1.1 The “Data Privacy Framework (‘DPF’)” means the EU-US, Swiss-US, or UK-US Data Privacy Framework certification programs operated by the U.S. Department of Commerce (https://www.dataprivacyframework.gov).

1.2 The “UK-US Data Bridge” means the UK Extension to the EU-US Data Privacy Framework.

1.3 The “EU Standard Contractual Clauses” mean the standard contractual clauses approved by the European Commission and attached in the annex to decision 2021/914 of June 2021.

1.4 The UK International Data Transfer Agreement (“IDTA Addendum”) issued by the UK Information Commissioner, Version B1.0, is deemed to be executed by the Parties as of the DPA Effective Date, and the EU Standard Contractual Clauses are deemed amended as specified by the IDTA Addendum in relation to data transfers from the UK.

2. Order of Precedence

2.1 No Mandatory Transfer Mechanism is used if a transfer is made to a country that has been deemed to offer an adequate level of data protection by the Data Protection Laws of the country from which such Customer Personal Data is transferred.

2.2 If a Transfer is required and such Transfer is covered by more than one Mandatory Transfer Mechanism, the Transfer will be subject to a single Mandatory Transfer Mechanism in accordance with the following order of precedence: (a) the applicable EU or Swiss DPF; (b) the UK-US Data Bridge; (c) the EU Standard Contractual Clauses; (d) the IDTA Addendum; or (e) any other applicable Mandatory Transfer Mechanism permitted under the applicable Data Protection Law.

2.3 If a Mandatory Transfer Mechanism is deemed invalid after execution of this Agreement, all future Transfers will be deemed made by the next applicable valid Mandatory Transfer Mechanism.

3. Data Privacy Framework

3.1 Self-Certification.

3.1.1 Celigo represents that it is self-certified under the DPF. Celigo agrees (a) to provide at least the same level of protection to any Customer Personal Data as required under the DPF’s Data Privacy Principles; (b) to notify Customer in writing without undue delay, if Celigo’s certification to the DPF is withdrawn, terminated, revoked, or otherwise invalidated; and (c) upon written notice from Customer, take reasonable and appropriate steps to stop and remediate any unauthorized processing of Customer Personal Data.

3.1.2 Company’s Certification. To the extent Customer is certified under the DPF, Customer agrees (a) to provide at least the same level of protection to any Personal Data as required under the DPF’s Data Privacy Principles; (b) to notify Celigo in writing without undue delay, if Customer’s certification to the DPF is withdrawn, terminated, revoked, or otherwise invalidated; and (c) upon written notice to Celigo, take reasonable and appropriate steps to stop and remediate any unauthorized processing of Customer Personal Data.

3.2 Status

3.2.1 EU-US DPF. The EU-US DPF has been deemed to provide an adequate level of data protection by the European Commission pursuant to a 10 July 2023 adequacy decision and is in effect as of 10 October 2023.

3.2.2 UK-US Data Bridge. The UK-US Data Bridge has been deemed to provide an adequate level of data protection by the UK Secretary of State for Science, Innovation, and Technology who has laid adequacy regulations in Parliament as of 21 September 2023. The UK-US Data Bridge regulations went into effect on 12 October 2023.

3.2.3 Swiss-US DPF. The Swiss-US DPF has been approved by the Swiss Federal Council and is in effect as of 15 September 2024.

4. The EU Standard Contractual Clauses

4.1 For Personal Data Transfers from the EU/EEA and Switzerland that are subject to the EU Standard Contractual Clauses deemed executed by the Parties, the signed EU Standard Contractual Clauses which form a part of this DPA are completed in accordance with Sections 6.2 and 6.4 of this DPA.

5. United Kingdom International Data Transfer Agreement

5.1 The IDTA Addendum applies to Transfers of Customer Personal Data transferred from the United Kingdom to any country outside the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or government body as providing an adequate level of Personal Data protection.

5.2 For Personal Data Transfers from the United Kingdom that are subject to the IDTA Addendum deemed executed by the Parties, the signed IDTA Tables which form a part of this DPA are completed in accordance with Section 6.3.