Data Processing Addendum
Last updated: 01.01.2024
This Data Processing Addendum, including its Schedules, (“DPA”) supplements and forms an integral part of the agreement as governed by the Scaleflex Standard Terms and Conditions available at https://legal.scaleflex.com/ (“Terms”) or any other agreement between Customer and the applicable Scaleflex contracting entity (“Scaleflex”) governing the use and access of the Product (“Agreement”). This DPA reflects the parties’ agreement with regard to the Processing of Personal Data by Scaleflex on behalf of the Customer in connection with the Product. Unless otherwise defined in this DPA or the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 1 of this DPA. Any other relevant terms will have the meanings given to those terms under Applicable Law.
This DPA, including any Schedules and Annexes, applies when Personal Data is processed by Scaleflex pursuant to the Agreement. Regarding the Processing of Personal Data, Customer is the Controller, Scaleflex is the Processor and Scaleflex will engage Sub-Processors pursuant to the requirements set forth in Section 6 below. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 to this DPA.
Customer shall, in its use of the Product, Process Personal Data in accordance with the requirements of Data Protection Legislation, including any applicable requirement to provide notice to Data Subjects of the use of Scaleflex as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Legislation. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. If Customer chooses to enable any AI features within the Agreement, Scaleflex’ AI Policy will apply. Customer specifically acknowledges that its use of the Product will not violate the rights of any Data Subject that has opted out from sales or other disclosures of Personal Data, to the extent applicable under the CCPA.
Scaleflex shall treat Personal Data as Confidential Information and shall Process Personal Data on behalf of and only in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); and (ii) Processing initiated by Users in their use of the Product.
3.1 Customer Affiliates. Customer represents that it is authorised to give data processing instructions to Scaleflex and to otherwise act on behalf of any Customer Affiliates under this DPA.
3.2 Documented Instructions. This DPA and the Agreement are Customer’s complete and final documented instructions at the time of signature of the Agreement with Scaleflex for the Processing of Personal Data. Any additional or alternate instructions must be agreed upon separately and in writing.
3.3 Exception. If Scaleflex is required by law to conduct additional processing, it shall inform Customer of that legal requirement before Processing, unless such notification is prohibited by law.
3.4 Instructions likely to violate Data Protection Legislation. If, in Scaleflex’ opinion, Customer’s instructions are likely to violate Data Protection Legislation, Scaleflex is entitled to refuse to follow such instructions and shall inform Customer of the reasons for its refusal. In such cases, Customer shall provide alternative instructions in a timely manner and Scaleflex may cease all Processing of the impacted Personal Data (other than secure storage thereof) until it receives acceptable instructions.
4.1 Confidentiality Obligations. Scaleflex ensures that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, and have executed written confidentiality agreements.
4.2 Limited Access. Scaleflex ensures that Scaleflex’ access to Personal Data is limited to those personnel performing services in accordance with the Agreement.
4.3 Data Protection Officer. Scaleflex has appointed a data protection officer (“DPO”). The appointed DPO may be reached at privacy@Scaleflex.com.
5.1 Measures. Scaleflex has implemented and shall maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorised, or unlawful destruction, loss, alteration, disclosure, and access (“Security Measures”), as described in Schedule 3 of this DPA, including as appropriate:
a. the pseudonymisation and encryption of Personal Data;
b. the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of Processing systems;
c. subject to the Service Level Agreement, the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; and
d. the regular testing, assessment, and evaluation of the effectiveness of the Security Measures.
5.2 Customer has made an independent determination as to whether these Security Measures meet the Customer's requirements.
5.3 Third Party Certifications. Scaleflex has obtained third party certifications as set forth in Schedule 3 of this DPA. Upon Customer’s written request, but not more than once per year, and subject to the confidentiality obligations set forth in the Agreement, Scaleflex shall make available to Customer a copy of Scaleflex’ then most recent third-party certification and audit report, as applicable.
6.1 General Authorization. Customer agrees that Scaleflex may use Sub-Processors to fulfil its contractual obligations under this DPA or to provide certain services on its behalf.
6.2 Sub-Processor Obligations. Scaleflex will enter into a written agreement with the Sub-Processor and Scaleflex will impose on Sub-Processors data protection obligations not less protective than those in this DPA.
6.3 Sub-Processor List. Scaleflex currently uses the Sub-Processors listed in Schedule 2 to this DPA. A list of Sub-Processors is also available on Scaleflex’ website at https://legal.scaleflex.com/privacy/global-privacy-policy/sub-processors (“Sub-Processors Page”). Scaleflex will update the Sub-Processors Page with any new Sub-Processor and notify Customer at least 30 calendar days before such Sub-Processor will begin to Process Personal Data.
6.4 Objection Right. Customer may object to the use of a new Sub-Processor on a reasonable and legitimate basis. In the event Customer objects to a new Sub-Processor, Customer shall provide written notice to privacy@Scaleflex.com within the 30 calendar day notice period set out in Section 6.3, outlining Customer’s specific concerns about the new Sub-Processor in order to give Scaleflex the opportunity to address such concerns. Scaleflex may, at its sole discretion, (i) not appoint the Sub-Processor and/or propose an alternate Sub-Processor; (ii) take steps to address Customer’s specific concerns and obtain Customer’s written consent to use the Sub-Processor; or (iii) make available to Customer the Scaleflex Product(s) without the particular aspect that would involve use of the objected-to Sub-Processor. If Scaleflex is unable, or determines in its reasonable judgement that it is commercially unreasonable, to do any of the options in Section 6.4 (i)-(iii), Customer may terminate the Agreement in accordance with section 19.3 of the Terms.
6.5 Liability. Scaleflex will remain responsible for the performance of a Sub-Processor to the same extent Scaleflex would be responsible if performing the services of each Sub-Processor directly under the terms of this DPA.
Scaleflex will, to the extent legally permitted, notify Customer without undue delay if Scaleflex receives a request from a Data Subject to exercise the Data Subject’s rights set forth in Data Protection Legislation, especially Chapter III of GDPR (“Data Subject Request”). Taking into account the nature of the Processing, Scaleflex will assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to Data Subject Requests under Data Protection Legislation. To the extent Customer is unable to address a Data Subject Request, Scaleflex will upon Customer’s request provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request. To the extent legally permitted, Customer will be responsible for any costs arising from Scaleflex’ provision of such assistance.
Taking into account the nature of Processing and the information available to Scaleflex, Scaleflex will provide reasonable assistance and cooperation to Customer in respect of its relevant obligations under Articles 32 to 36 GDPR. To the extent legally permitted, Customer will be responsible for any costs arising from Scaleflex’ provision of such assistance.
Scaleflex will notify Customer without undue delay, but always within 48 hours, after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise Processed by Scaleflex or its Sub-Processors (“Personal Data Breach”). Notification of Personal Data Breaches, if any, will be delivered by email to the email address specified for notices in the applicable Order Form or, if no email address is specified, to one or more of Customer’s Product administrators. Scaleflex’ obligation to notify Customer of a Personal Data Breach is not an acknowledgement by Scaleflex of any fault or liability with regard to the Personal Data Breach.
10.1 Upon Customer’s request to privacy@Scaleflex.com, Scaleflex will return or delete Personal Data in accordance with the timeframes specified in the Agreement, unless European Union law or the laws of an EU member state requires that Scaleflex retains the Personal Data. Scaleflex may delete Personal Data six months after termination or expiration of the Agreement. Scaleflex shall dispose of Personal Data in accordance with the latest method(s) of data sanitisation, as detailed in NIST 800-88 (“Guidelines for Media Sanitization”).
10.2 Notwithstanding anything to the contrary in this DPA, Scaleflex may retain Personal Data if and for as long as required by law.
10.3 Personal Data stored in Scaleflex’ auto-backup or archival systems will be deleted automatically 180 days after back-up, or otherwise as soon as technically possible. Upon written request, Scaleflex shall provide a certificate to Customer certifying that Customer Data has been destroyed.
10.4 If Customer provides Personal Data on a hard drive or other forms of removable media, such removable media must be encrypted or password protected. In collaboration with Customer, Scaleflex shall either return the removable media to Customer, or securely destroy such removable media by using a certified third party. A certificate of destruction can be made available to Customer upon request.
11.1 Summary Report of Internal Audit. In addition to Section 5.3, Scaleflex will on a regular basis audit the security of the systems that it uses to Process Personal Data. Upon Customer’s written request, Scaleflex will make available to Customer a summary of the results of this audit (“Summary Report”) to demonstrate compliance with the obligations under this DPA.
11.2 Customer Audit. If Customer substantiates that the Summary Report cannot satisfactorily demonstrate Scaleflex’ compliance and that it has a justifiable suspicion that Scaleflex is in breach of this DPA, Customer may conduct an audit on Scaleflex’ premises, not more than once per year, subject to the confidentiality obligations set forth in the Agreement and the following conditions:
a. Customer must provide at least 30 days’ prior written notice to privacy@Scaleflex.com. Such notice must indicate the reasons for the audit request, and will be effective upon Scaleflex’ confirmation of receipt;
b. Audits will be conducted within a mutually agreed scope, duration, and timing; performed by Customer, or a third party that is pre-approved by Scaleflex, such approval not to be unreasonably withheld; and conducted within Scaleflex’ normal business hours and with best efforts taken to avoid disruption of Scaleflex’ business operations;
11.3 Cost. The cost of an audit on Scaleflex’ premises will be borne by Customer, unless a Material Breach (as defined in the Agreement) of this DPA is found, in which case Scaleflex will bear the costs.
11.4 Nothing in this Section 11 varies or modifies the Standard Contractual Clauses nor affects any Supervisory Authority's or Data Subject's rights under the Standard Contractual Clauses.
12.1 Regions. Customer may specify in the Agreement the location where Customer Data, including Personal Data, will be Processed (“Region”). Except as necessary to provide the Product and services initiated by Customer, or as necessary to comply with the law, Scaleflex will not transfer Personal Data from Customer’s selected Region. A transfer to a third country shall take place only if the conditions of Chapter V GDPR are complied with.
12.2 Application of Standard Contractual Clauses. Scaleflex will enter into Standard Contractual Clauses with each affiliate and/or Sub-Processor where the Processing of Personal Data is transferred outside the EEA, either directly or via onward transfer, to any third country not recognized by the European Commission as providing an adequate level of protection for Personal Data. The Standard Contractual Clauses will not apply to Personal Data that is not transferred, either directly or via onward transfer, outside the EEA.
12.3 Revision of Standard Contractual Clauses. Parties agree that, in the event the Standard Contractual Clauses are revised or replaced by a competent authority, they shall execute any updated or replacement Standard Contractual Clauses in order to ensure continued compliance with Data Protection Legislation. It shall be the Customer's obligation to inform Scaleflex about the location of their end users to facilitate proper data processing and compliance with applicable Data Protection Legislation.
12.4 Order of precedence. If the Standard Contractual Clauses apply, nothing in this Section 12 varies or modifies the Standard Contractual Clauses.
Each party’s liability, taken together in the aggregate, arising out of or related to this DPA, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.
Except as amended by this DPA, the Agreement will remain in full force and effect. If there is a conflict between any other agreement between the parties including the Agreement and this DPA, the terms of this DPA will take precedence to the extent of such conflict.
This DPA shall enter into force at the same time as the Agreement and shall automatically terminate upon any termination or expiration of the Agreement.
Schedule 1: Details of the Processing of Personal Data
Schedule 2: Sub-Processors and Scaleflex Entities
Schedule 3: Security Measures
Schedule 4: Details of the Processing
Schedule 5: Cross Border Transfers
Schedule 6: CCPA Addendum
Annex A: Technical and Organisational Measures
AI
means Artificial Intelligence. These (opt-in only) features will be offered in conjunction with the Product and used at Customer’s sole discretion. AI features bring the capability to analyse data, make predictions, and automate tasks.
AI Policy
means Scaleflex Artificial Intelligence Privacy Policy. This AI Policy provides Customer guidelines on the use of AI features within the product, emphasising data handling and privacy considerations, accessible here.
CCPA
means the California Consumer Privacy Act Cal. Civ. Code § 1798.100 et seq., and any amendments or supplements thereto, including the final California Consumer Privacy Act Regulations. Further specified in Schedule 6 to this DPA.
Controller
means the entity which determines the purposes and means of the Processing of Personal Data.
Customer
means the legal entity that is a party to the Agreement with Scaleflex.
Data Protection Legislation
means all laws and regulations, including but not limited to national, supranational and state-level privacy law(s), applicable to the Processing of Personal Data under the Agreement.
Data Subject
means the identified or identifiable person to whom Personal Data relates.
EEA
means the European Economic Area.
GDPR
means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
Personal Data
means any information relating to an identified or identifiable natural person where such data is Processed by Scaleflex on behalf of Customer.
Processing
(and all verb tenses) means any operation or set of operations which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Processor
means the entity which Processes Personal Data on behalf of the Controller.
Sensitive Categories of Data
means personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs; trade-union membership; genetic data, biometric data processed solely to identify a human being; health-related data; data concerning a person's sex life or sexual orientation.
Sub-Processor
means a Processor engaged by Scaleflex.
Standard Contractual Clauses
means, according to the Standard Contractual Clauses set forth in Schedule 5 to this DPA, (a) where the GDPR applies, the Standard Contractual Clauses set out in the Annex of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“EU SCCs”), or (b) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses of 21 March 2022 (“UK Addendum”).
Supervisory Authority
means an independent public authority established or recognised under Data Protection Legislation.
UK GDPR
means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).