Data Processing Agreement
This Data Processing Agreement (“DPA”) is incorporated by reference in your Broadview Partner Agreement: Terms of Service (the “Agreement”). Capitalized terms used in this DPA shall have the meaning given in the Agreement. Direct all inquiries concerning this DPA to firstname.lastname@example.org.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. Control, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
- “Customer” means either Partner or Partner’s customer(s).
- “Customer Data” means what is defined in the Agreement as Partner Data or Customer Data.
- “Personal Data” means any information relating to (i) an identified or identifiable person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where such data is Customer Data.
- “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, blocking, erasure or destruction.
- “Data Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
- “Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
- “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and Sweden, applicable to the Processing of Personal Data under the Agreement.
- “Data Subject” means the individual to whom Personal Data relates.
2. Processing of Personal Data
2.1 Scope of Processing. Customer use Services to transmit, store or process data which may include Personal Data. Broadview will not review, share, distribute nor reference any such Customer Data except as required by law or as provided in the Agreement and/or Addendum in place with Partner. Customer is responsible for maintaining the security and confidentiality regarding accounts and access to Services as well as encrypting Personal Data that may be stored on or transmitted to/from the Services.
2.3 Customers Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws and Regulations. For the avoidance of doubt, Customer’s instructions to Broadview for the Processing of Personal Data shall comply with Data Protection Laws and Regulations at all times. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. If Broadview becomes aware of any non-compliance with Data Protection Laws and Regulations, Broadview shall immediately inform the Partner.
2.4 Broadviews Processing of Personal Data. Broadview shall only Process Personal Data on behalf of and in accordance with Customers instructions and shall treat Personal Data as Confidential Information. Customer guarantees that all instructions to Broadview is in accordance with Data Protection Laws and Regulations.
2.5 Details of the Processing. In the Customer Agreement, if required by law, details of the Processing will be specified, e.g. the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects.
3. Rights of Data Subjects
3.1 Correction, Blocking and Deletion. To the extent Customer, in its use of the Services, does not have the ability to correct, amend, block or delete Personal Data, as required by Data Protection Laws and Regulations, Partner shall comply with any commercially reasonable request by Customer to facilitate such actions. Should Partner not have the ability to perform any of above mentioned actions, broadview shall comply with any commercially reasonable request by Partner to facilitate such actions to the extent Broadview is legally permitted to do so. If legally permitted, Partner shall be responsible for any costs arising from broadview’s provision of such assistance.
3.2 Data Subject Requests. Broadview shall, to the extent legally permitted, promptly notify Partner if it receives a request from a Data Subject for access to, correction, amendment or deletion of that person’s Personal Data. Broadview shall not respond to any such Data Subject request without Partner’s prior written consent except to confirm that the request relates to Partner to which Partner hereby agrees. Broadview shall provide Partner with commercially reasonable cooperation and assistance in relation to handling of a Data Subject’s request for access to that person’s Personal Data, to the extent legally permitted and to the extent Partner does not have access to such Personal Data through its use of the Services. If legally permitted, Partner shall be responsible for any costs arising from Broadview’s provision of such assistance.
4. Broadview Personnel and Visitors
4.1 Confidentiality. Broadview shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Broadview shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
4.2 Reliability. Broadview shall take commercially reasonable steps to ensure the reliability of any Broadview personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. Broadview shall ensure that Broadviews access to Personal Data is limited to those personnel performing services in accordance with an agreement with the Customer.
4.4 Visitors. The Customers personnel visiting the Broadview premises shall always be escorted by Broadview personnel or shall wear identity cards with photo to ensure visual identification. Customer shall ensure that such visiting personnel are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Customer shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
5.1 Appointment of Sub-processors. Customer acknowledges and agrees that (a) Broadviews Affiliates may be retained as Sub-processors; and (b) Broadview and Broadviews Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Services.
5.2 Objection Right for New Sub-processors. In order to exercise its right to object to Broadviews use of a new Sub-processor, Customer shall notify Broadview promptly in writing within ten (10) business days after receipt of Broadviews notice in accordance with the mechanism set out in Section 5.2. In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Broadview will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customers configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Broadview is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Services with respect only to those Services which cannot be provided by Broadview without the use of the objected-to new Sub-processor by providing written notice to Broadview. Broadview will refund Customer any prepaid fees covering the remainder of the term of such Services following the effective date of termination with respect to such terminated Services.
5.3 Liability. Broadview shall be liable for the acts and omissions of its Sub-processors to the same extent Broadview would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
6.1 Controls for the Protection of Personal Data. Broadview shall maintain administrative, physical and technical safeguards for protection of the security (including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage), confidentiality and integrity of Customer Data, including Personal Data.
6.2 Audits. Upon Customers request, and subject to confidentiality obligations set forth in the agreement between the parties, Broadview shall make available to Customer that is not a competitor of Broadview (or Customers independent, third-party auditor that is not a competitor of Broadview) information regarding the Broadviews compliance with the obligations set forth in this Agreement. Customer may request an on-site audit of the architecture, systems and procedures relevant to the protection of Personal Data at locations where Personal Data is stored. Customer shall reimburse Broadview for any time expended by Broadview or its third-party Sub-processors for any such onsite audit at the Broadviews then-current professional services rates, which shall be made available to Customer upon request. Before the commencement of any such on-site audit, Customer and Broadview shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, taking into account the sources expended by Broadview, or its third-party Sub-processors. Customer shall promptly notify Broadview with information regarding any non-compliance discovered during the course of an audit.
7. Security Breach Management and Notification
Broadview maintains security incident management policies and procedures and shall, to the extent permitted by law, promptly notify Customer of any actual or reasonably suspected unauthorized disclosure of Customer Data, including Personal Data, by Broadview or its Sub-processors of which Broadview becomes aware (a Security Breach). To the extent such Security Breach is caused by a violation of the requirements of this Agreement by Broadview, Broadview shall make reasonable efforts to identify and remediate the cause of such Security Breach.
8. Deletion of Customer Data
8.1 Customer Data in Services. Customer may at it’s sole discretion delete Services via the Control Panel. After such deletion Broadview may retain Customer Data in limbo for a period of time, which shall not exceed thirty (30) days before permanently deleting the Customer Data. To the extend Customer is not able to delete certain Services via the Control Panel, Broadview shall, after request and within reasonable time, assist Customer to delete the Services and the Customer Data.
8.2 Customer Data in Backups. Backup data are only kept for a limited and specified time, which may vary from for different Services, and if the Customer Data is part of such backup Broadview is allowed to wait with deletion up to the standard deletion of such backup. This deletion cycle may never exceed ninety (90) days unless specifically agreed upon in writing between the parties.
9. Additional Terms
9.1 Change in Data Protection Laws and Regulations. The Parties agree that any changes in the Data Protection Laws and Regulations that have an effect on the services under this Agreement shall immediately after coming into force be implemented into and part of this Agreement and Broadview is responsible for informing the Customer about such changes and distribute the amended wording of this Agreement.
9.2 General co-operation. The parties shall assist each other in ensuring compliance with the obligations in the Data Protection Laws and Regulations of the respective parties.
9.3 Terms of Service. The Broadview Terms of Service will apply for all other aspects of the relation between Broadview and Customer, than the specific regulation of Data processing in this Agreement.
10. Indemnity and Limitation of Liability
10.1 Indemnity. The Customer and Broadview, shall indemnify each other for any third party claim caused by the other partys breach of this Agreement.
10.2 Limitation of liability. Neither party shall in any event be liable to the other party under this Agreement for loss of production, loss of use, loss of business, loss of data or revenue or for any special, indirect, incidental or consequential damages, whether or not the possibility of such damages could have been reasonably foreseen.