DPA

Updated on: September 26, 2024

If you require a signed copy of this addendum, please email support@handoffs.com.

This Customer Data Processing Agreement, including its Annexes, (the "DPA") is supplemental to and forms part of our Terms of Service and any applicable order forms, statement of work or work orders (collectively, the "Agreement"), entered between Handoffs, Inc. ("Company") and the customer (the "Customer"). This DPA is supplemental to the Agreement and sets out the obligations that apply when Company processes Personal Data on behalf of the Customer in the course of providing the services under the Agreement.

1. Definitions

a) "Applicable Data Protection Laws" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question including, where applicable, (i) European Data Protection Laws and (ii) CCPA; in each case, as may be amended, superseded or replaced from time to time.

b) "CCPA" means the California Consumer Privacy Act, Cal. Civ. Code§ 1798.100 et seq., and its implementing regulations.

c) "Europe" means, for the purposes of this DPA, the Member States of the European Union, plus Iceland, Liechtenstein, Norway, Switzerland and the United Kingdom.

d) "European Data Protection Laws" means all data protection laws and regulations applicable to the European Union ("EU") or the European Economic Area ("EEA"), including (a) the General Data Protection Regulation 2016/679 (the "EU GDPR"); (b) the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 and the UK Data Protection Act 2018 (collectively, the "UK GDPR"); (c) the Swiss Federal Data Protection Act of 19 June 1992 and its corresponding ordinances ("Swiss DPA"); (d) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (e) applicable national implementations of (a),(b), (c), and (d).

e) "Data Subject" means any individual about whom Personal Information may be processed pursuant to the Agreement.

f)  "Personal Information" means any information that is protected as "personal data", "personal information" or "personally identifiable information" under Applicable Data Protection Laws and which is processed by Company on behalf of the Customer in connection with the Services, as more particularly described in Annex A of this DPA.

g) "Privacy Shield" means the EU-U.S. Privacy Shield program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016) 4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.

h) "Privacy Shield Principles" means the Privacy Shield Framework Principles (as supplemented by the Supplemental Principles) contained in the Annex II to the European Commission Decision of July 12, 2016.

i)  "Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Information from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Information from the United Kingdom to any other country which is not subject based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where Swiss DPA applies, a transfer of Personal Information from Switzerland to any other country which is not based on an adequacy decision recognized under Swiss data protection law.

j)  "Security Incident" means any confirmed breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Information transmitted, stored or otherwise processed by Company in the context of this Agreement. "Security Incident" shall not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

k) "Sensitive Information" means Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.

l)  "Services" means the services provided by Company to the Customer under the Agreement.

m)   "Model Clauses" or "SCCs" means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses for processors adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR ("UK SCCs") (as amended, superseded or updated from time to time.

n) "Sub-processor" means any third party processor engaged by Company to assist in fulfilling its obligations with respect to providing the Services under the Agreement and this DPA.

o) The terms "controller", "processor" and "processing" shall have the meanings given to them in the GDPR and the terms and "process", "processes" and "processed" shall be interpreted accordingly.

2. Scope and applicability of this DPA

a) Scope

This DPA applies to the extent that Company processes Personal Information that is subject to Applicable Data Protection Laws as a processor (or a sub-processor, where applicable) on behalf of and in accordance with the instructions of the Customer in the course of providing the Services and/or for the business purposes agreed with the Customer in writing in the Agreement (collectively, the "Business Purposes"), as further described in Annex A of this DPA. For the avoidance of doubt, Business Purposes shall include (i) processing in accordance with the Agreement (including this DPA); (ii) processing initiated by Customer's authorized users in their use of the Services; and (iii) processing to comply with other documented, reasonable instructions provided by Customer (e.g. via email) or where otherwise agreed upon by the parties, where such instructions are consistent with the terms of the Agreement.

b) Processing of Personal Information

The Parties acknowledge and agree that Customer is the controller of the Personal Information processed in connection with the Services or, if Customer is itself acting on behalf of a third-party controller, a processor.

Company will at all times: (i) process the Personal Information only to fulfil the Business Purposes to provide the Services to Customer in accordance with the Agreement; (ii) not process the Personal Information for a purpose other than the Business Purposes; (iii) not "sell" Personal Information (as understood within the requirements of the CCPA); (iv) not retain, use, or disclose the Personal Information except as necessary to fulfil the Business Purposes or as otherwise permitted under Applicable Data Protection Laws; and (v) not retain, use, or disclose the Personal Information outside of the direct business relationship between the person and the business except as necessary to fulfil the Business Purposes or as otherwise permitted under the Applicable Data Protection Laws. Company certifies that it understands these restrictions and will comply with them.

Customer shall comply with its obligations under Applicable Privacy Laws, and in particular under European Data Protection Laws as a controller or processor (as applicable). Where Customer is itself a processor acting on behalf of a third party controller, Customer shall ensure that any data processing undertaken pursuant to this DPA and the Agreement reflects the documented instructions issued by the ultimate controller of such data.

Company shall process Personal Data submitted to Company by the Customer within the Services as a processor (or sub-processor, as applicable) on behalf of the Customer and in accordance with Customer's instructions.

As a processor, Company shall process Personal Information only for the purposes described in the Agreement (including this DPA) and only in accordance with the Business Purposes. Company shall inform the Customer if, in its opinion, the Customer's processing instructions infringe Applicable Data Protection Laws.

The parties agree that the Agreement (including this DPA), and the Customer's use of the Services in accordance with the applicable terms of use, set out Customer's complete and final instructions to Company in relation to the processing of Personal Information. The parties further agree that any processing outside the scope of these instructions (if any) shall require a prior written agreement between the Customer and Company.

c) Aggregate or de-identified information

Notwithstanding the foregoing or anything to the contrary in the Agreement (including this DPA), the Customer acknowledges that Company shall have a right to collect and create anonymized, aggregate, and/or de-identified information as defined by Applicable Data Protection Law ("Aggregate Data") for its own legitimate business purposes, including, but not limited to, product improvement and development.

d) Customer responsibilities

The Customer is responsible for the lawfulness of Personal Information processed under or in connection with the Agreement. Notwithstanding anything contrary in the Agreement, the Customer represents and warrants that:

i.     it has provided, and will continue to provide all notice and obtained, and will continue to obtain, all consents, permissions and rights necessary under Applicable Data Protection Laws for Company to lawfully process Personal Information for the purposes contemplated by the Agreement (including this DPA);

ii.     it has complied with its obligations under Applicable Data Protection Laws in order to lawfully provide Company and its Sub-processors with the Personal Information; and

iii.     it shall ensure its processing instructions comply with applicable laws (including Applicable Data Protection Law) and that the processing of Personal Information by Company in accordance with the Customer's instructions will not cause Company to be in breach of Applicable Data Protection Laws.

e) Prohibited information

Customer further acknowledges that it shall not disclose, and shall not require any individuals to disclose, (i) Sensitive Information or (ii) Personal Information of any person under the age of 13, and Customer agrees not to provide any such information through the Services.

3. Security

The Services provide reasonable technical and organizational measures that have been designed, taking into account the nature of its Processing, to assist Company's customers in securing their Personal Information in the Services, insofar as reasonably possible. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. These measures are listed in Annex B of this DPA.

Company will require that its personnel who is granted access to Personal Information be under an appropriate obligation of confidentiality (whether a contractual or statutory duty) to protect the confidentiality of the Personal Information.

Customer agrees that, except as otherwise provided by this DPA, the Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Personal Information when in transit to and from the Service(s) and taking any appropriate steps to securely encrypt or backup any Personal Information processed in connection with the Services.

Upon written request from Customer, Company shall provide written responses (on a confidential basis) to reasonable requests for information from Customer in relation to Company's processing of Personal Information, as long as Customer does not exercise this right more than once in any 12-month rolling period. Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Company has experienced a Security Incident, or on another reasonably similar basis.

4. Data subject requests

Customer is responsible for handling any requests or complaints from Data Subjects with respect to their Personal Information processed by Company. Customer shall delete from the Services all Personal Information (except where such information has been anonymized or de-identified) for which it has received a verified request for deletion from the relevant individuals or applicable data protection authorities relating to the processing of Personal Information under the Agreement.

Company will notify Customer as soon as practicable, unless prohibited by applicable law, if Company receives any such requests or complaints. For the avoidance of doubt, Company may communicate, without restriction, with a regulatory or judicial body or a Data Subject if it is not reasonably apparent on the face of the communication to which customer of Company the request relates to.

Customer acknowledges that the Services provide the Customer with a number of controls that the Customer may use to retrieve, correct, delete or restrict Personal Information, which Customer may use to assist it in connection with its obligations under Applicable Data Protection Laws and to respond to requests from Data Subjects or applicable data protection authorities.

5. Assistance

a) Data protection impact assessments

Company will assist with conducting any legally required data protection impact assessments (including subsequent consultation with applicable data protection authorities), if so required by applicable law, taking into account the nature of processing and the information available to Company. Company may charge a reasonable fee for any such assistance, as permitted by Applicable Data Protection Laws.

b) Regulatory investigations

Upon request from the Customer, Company will assist the Customer in the event of an investigation by a competent regulator, including a data protection authority or similar authority, if and to the extent that such investigation relates to the processing of Personal Information by Company on your behalf in accordance with this Agreement. Company may charge a reasonable fee for such requested assistance, to the extent permitted by Applicable Data Protection Laws.

6. Security Incidents

Upon becoming aware of a Security Incident, Company shall notify Customer without undue delay that a Security Incident has occurred, unless otherwise prohibited by applicable law or otherwise as instructed by a supervisory authority. Following such notification, Company will take reasonable steps to mitigate the effects of the Security Incident and to minimize any damage resulting from the Security Incident. Company shall provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Client.

At the Customer's request, Company will provide reasonable assistance and cooperation with respect to any notifications that the Customer is legally required to send to affected Data Subjects and relevant authorities. Company may charge a reasonable fee for such requested assistance, to the extent permitted by Applicable Data Protection Laws.

7. Sub-Processors

Pursuant to the Agreement, Customer agrees that Company may engage Sub-processors to process personal data on the Customer's behalf and disclose Personal Information to Sub-processors, provided that Company imposes appropriate obligations on its Sub-processors regarding the security and confidentiality of Personal Information.

By signing this DPA, Customer hereby provides a general written authorization for Company to engage Sub-processors to provide the Services.

List of Sub-processors:

Name: Amazon Web Services

Address: 410 Terry Ave N, Seattle Washington 98109, USA

Description of processing: Cloud computing, Data Warehousing

Name: Salesforce

Address: Salesforce Tower 415 Mission Street, 3rd Floor San Francisco, CA 94105, USA

Description of processing: CRM

You can subscribe for email notifications of updates to our Sub-processor list be emailing this request to support@handoffs.com. Company will provide at least fifteen (15) calendar days prior written notice to Customer of the engagement of any new Sub-Processor. Customer may object in writing to the appointment of each such Sub-Processor on reasonable grounds (e.g. if making Personal Information available to the Sub-Processor may violate Applicable Privacy Law or weaken the protections for such Personal Information) by notifying Company promptly in writing within ten (10) calendar days of receipt of Company notice in accordance with this Section 7. Such notice shall explain the reasonable grounds for the objection and the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If Customer does not object to the proposed Sub-processor within ten (10) calendar days of receipt of notice, the Sub-processor is deemed to have been approved. Company may in its sole discretion, remove the Sub-Processor from the list. In the event a Sub-Processor is removed by Company, Company will be provided a reasonable amount of time to replace the Sub-processor.

8. Data Transfers

In connection with the performance of the Agreement, the parties agree that Company may transfer Personal Information to various locations, which may include locations both inside and outside of the European Economic Area ("EEA"). The parties agree that where transfer of Personal Information from Customer to Company is a Restricted Transfer, it will be subject to the transfer mechanism considerations listed below: The parties further agree that:

1.     although Company is not relying on Privacy Shield as a legal basis for transfers of personal data outside the EU in light of the judgement of the Court of Justice of the European Union in Case C-311/18, Company shall continue to process personal data (within the meaning of Applicable Data Protection Laws) in compliance with the Privacy Shield Principles as long as Company is self-certified to Privacy Shield. Company further agrees to notify Customer if it determines that it can no longer meet its obligation to provide the level of protection required by the Privacy Shield Principles.

2.     the Restricted Transfer shall be subject to the appropriate Model Clauses, which are automatically incorporated by reference and form an integral part of this DPA, as follows:

a)     In relation to Personal Information that is protected by the GDPR, the EU SCCs will apply as follows:

i.     Module Two (Transfer controller to processor) and Module Three (Transfer processor to processor) will apply, where appropriate;

ii.     in Clause 7, the optional docking clause shall apply;

iii.     in Clause 9, Option 2 will apply, and the time period for prior notice of Sub-Processor changes shall be fifteen (15) days;

iv.     in Clause 11, the optional language will not apply;

v.     in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;

vi.     in Clause 18(b), disputes shall be resolved before the courts of Ireland.

vii.     Annex I of the EU SCCs shall be deemed completed with the information set out in Annex A to this DPA;

viii.     Annex II of the EU SCCs shall be deemed completed with the information set out in this DPA

b)     In relation to data that is protected by the UK GDPR, the EU SCCs as implemented in accordance with paragraph (a) above will apply provided that:

i.     any references in the EU SCCs to "Directive 95/46/EC" or "Regulation (EU) 2016/679" shall be interpreted as references to the UK GDPR; references to specific Articles of "Regulation (EU) 2016/679" are replaced with the equivalent Article or Section of UK GDPR; references to "EU", "Union" and "Member State law" are all replaced with "UK"; Clause 13(a) and Part C of Annex II of the EU SCCs are not used; references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Information Commissioner and the courts of England and Wales; Clause 17 of the EU SCCs is replaced to state that "The Clauses are governed by the laws of England and Wales" and Clause 18 of the EU SCCs is replaced to state "Any dispute arising from these Clauses shall be resolved by the courts of England and Wales. A data subject may bring legal proceeding against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts";

ii.     to the extent and for so long as the EU SCCs as implemented in accordance with paragraph 2(A) above cannot be used to lawfully transfer Personal Information protected by the UK DPA to Supplier, the UK SCCs shall be incorporated into and form an integral part of this DPA and shall apply to such transfers; and

iii.     for the purposes of the UK SCCs (where applicable) the relevant Annexes/ Appendices of the UK SCCs shall be deemed completed using the information contained in Annex A and Annex B of this DPA.

c)     In relation to Personal Information that is protected by the Swiss DPA, the EU SCCs as implemented in accordance with paragraph (1) above will apply provided that:

i.     references in the EU SCCs to "Regulation (EU) 2016/679" or the "GDPR" shall be interpreted as references to the Swiss Federal Act on Data Protection (FADP);

ii.     references to "EU", "Union" and "Member State law" shall be interpreted as references to Switzerland and to Swiss law, as the case may be;

iii.     the term ’member state’ shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland);

iv.     the EU SCC clauses should be interpreted as protecting the data of legal entities until the entry into force of the revised FADP; and

v.     references to the "competent supervisory authority" and "competent courts" shall be interpreted as references to the Swiss Federal Data Protection and Information Commissioner (FDPIC) and competent courts in Switzerland.

d)     In the event that any provision of this Agreement or this DPA contradicts, directly or indirectly, the Model Clauses, the Model Clauses shall prevail.

ii.     to the extent Company adopts an alternative data export mechanism (including any new version of or successor to the Standard Contractual Clauses) for the transfer of personal data ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall apply instead of any transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with Applicable Data Protection Law and extends to the territories to which the personal data is transferred), and, if required, the parties agree to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect to such Alternative Transfer Mechanism; and

iii.     if and to the extent that a court of competent jurisdiction or relevant supervisory authority with binding authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer personal data in accordance with Applicable Data Protection Laws, Company may implement any additional measures or safeguards not described in this DPA to enable the lawful transfer of such personal data.

9. Return or disposal

Upon termination or expiration of the Agreement for any reason, Company will, at the Customer's request, return or destroy Personal Information in its possession or control. This requirement shall not apply to the extent that Company is required by any applicable law to retain some or all information (including Personal Information), in which event Company shall isolate and protect such data from any further processing except to the extent required by applicable law.

10. General

a) The parties agree that this DPA shall supersede and replace any existing terms the parties may have previously entered into in connection with the Services, as such terms relate to the subject matter of this DPA.

b) The obligations placed upon Company under this DPA shall survive so long as Company and/or its Sub-processors process Personal Information on the Customer's behalf.

c) This DPA may not be modified except by a subsequent written instrument signed by both parties.

d) If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected.

e) The Agreement remains unchanged and in full force and effect. In case of discrepancies between this DPA and any agreement(s) between the parties and/or their Affiliates, the provisions of the following documents (in order of precedence) shall prevail: (a) Standard Contractual Clauses (where applicable); then (b) this DPA; and then (c) the main body of the Agreement. This DPA shall not limit or restrict, but shall only be deemed to supplement the Standard Contractual Clauses.

f)  Any claims brought under or in connection with this DPA shall be subject to the terms and conditions of the Agreement.

g) This DPA will be governed by and construed in accordance with the governing law and venue provisions in the Agreement, unless required otherwise by Applicable Data Protection Laws.

ANNEX A

Data Processing & Transfer Description

ANNEX 1(A): LIST OF PARTIES

Data exporter

Name of the data exporter: The entity identified as "Customer" in the Agreement and this DPA.

Activities relevant to the data transferred: The activities specified in the DPA.

Role (Controller/Processor): Controller (for Module 2) or Processor (For Module 3).

Data importer

Name of the data importer: Handoffs, Inc.

Activities relevant to the data transferred: The activities specified in the DPA.

Role (Controller/Processor): Processor

ANNEX 1(B): DESCRIPTION OF THE PROCESSING / TRANSFER

Categories of Data Subjects whose personal information is transferred:

Customer shall be deemed to have declared that the categories of data subjects include: (i) prospects, customers, business partners and vendors of Customer (who are natural persons); (ii) employees or contact persons of Customer’s prospects, customers, business partners and vendors; (iii) employees, agents, advisors, freelancers of Customer (who are natural persons); and/or (iv) Customer’s Authorized Users.

Categories of Personal Information transferred:

Customer shall be deemed to have declared that the types of personal data may include but are not limited to the following types of personal data: (i) name, address, title, contact details; (ii) IP addresses, usage data, cookies data, location data and (iii) contents of emails.

Sensitive Information transferred (if appropriate) and applied restrictions or safeguards

In accordance with Section 2.5 of the DPA, Customer shall not disclose, and shall not require any individuals to disclose, (i) Sensitive Information or (ii) Personal Information of any person under the age of 13, and Customer agrees not to provide any such information through the Services.

Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis)

Continuous or one-off depending on the Services being provided by Company.

Nature, subject matter and duration of the Processing

Nature: Company provides a Service designed to improve the email experience by making it faster and more intelligent, as further described in the Agreement.

Subject Matter: Personal Information.

Duration: The duration of the data processing under this DPA is until the termination of the Agreement in accordance with its terms, plus the period from the expiry of the Agreement until deletion of the Personal Information by Company, in accordance with the terms of the Agreement.

Purpose(s) of the data transfer and further processing:

Company shall process Personal Information for the Business Purposes, as further defined in Section 2.1 of the DPA.

Period for which the personal information will be retained, or if that is not possible the criteria used to determinate that period, if applicable:

Company will retain Personal Information from Customer for the term of the Agreement and any period after the termination of expiry of the Agreement during which Company processes Personal Information from Customer in accordance with the Agreement.

ANNEX 1(C): COMPETENT SUPERVISORY AUTHORITY

Competent supervisory authority

The competent supervisory authority, in accordance with Clause 13 of the EU SCCs, is either:

1.     the supervisory authority applicable to the data exporter in its EEA country of establishment or,
2.     where the data exporter is not established in the EEA, the supervisory authority applicable in the EEA country where the data exporter's EU representative has been appointed pursuant to Article 27(1) of the GDPR, or
3.     where the data exporter is not obliged to appoint a representative, the supervisory authority applicable to the EEA country where the data subjects relevant to the transfer are located.

With respect to the processing of Customer Personal Data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioners Office (the "ICO").

With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

ANNEX B

Security Measures

Company's information security program includes administrative, technical, and physical safeguards to protect the Personal Information that we handle against anticipated threats or hazards to its security, confidentiality or integrity (such as unauthorized access, collection, use, copying, modification, disposal or disclosure, unauthorized, unlawful, or accidental loss, destruction, acquisition, or damage or any other unauthorized form of processing).

Experience Seamless Account Management Support with Grace - Get Started Today!