Effective September 20, 2017
This Data Processing Addendum (“DPA”) applies whenever it is incorporated by reference into the Master Services Agreement (“Agreement”) between you and Code42. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
1. Purpose and scope
In the course of providing the Offerings to you under the Agreement, Code42 will Process Customer Data on your behalf. Customer Data may include Personal Data. This DPA reflects the parties’ agreement relating to the Processing of Customer Data in accordance with the requirements of Data Protection Laws and Regulations. This DPA will control in the event of any conflict with the Agreement.
2.1 “Data Controller” means the entity that determines the purposes and means of Processing of Personal Data.
2.2 “Data Processor” means the entity that Processes Personal Data on behalf of the Data Controller.
2.3 “Data Protection Laws and Regulations” means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, and Switzerland.
2.4 “Data Subject” means the individual to whom Personal Data relates.
2.5 “Personal Data” means any information relating to an identifiable or identified individual.
2.6 “Processing”, “Processes” or “Process” means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
2.7 “Sub-processor” means Code42’s Affiliates or other third-party service providers that Process Customer Data for Code42.
3. Processing of customer data
3.1 Data Processing Roles. As between you and Code42, you are the Data Controller of Customer Data and Code42 is the Data Processor. You control the categories of Data Subjects and Personal Data Processed under the Agreement. Code42 has no knowledge of, or control over, the Personal Data that you provide for Processing. You are solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which you acquired the Customer Data.
3.2 Data Processing Instructions. This DPA and the Agreement are your complete and final instructions to Code42 for the Processing of Customer Data. You and Code42 must agree on any additional or alternate instructions. Code42 will inform you if, in Code42's opinion, your instructions violate Data Protection Laws and Regulations. Code42 will process Customer Data: (1) in accordance with the Agreement (including all documents incorporated in the Agreement), and (2) to comply with other reasonable instructions you provide to Code42 (including by email) where your instructions are consistent with the Agreement. Code42 will not otherwise disclose Customer Data to third parties unless required to do so by applicable law, in which case Code42 will inform you in advance unless Code42 is prohibited from doing so. Code42 will not Process Customer Data for any other purpose unless you instruct Code42.
4. Rights of data subjects
4.1 Correction, Blocking and Deletion. If you do not have the ability to amend, block, or delete Customer Data as required by Data Protections Laws and Regulations, you can provide written instructions to Code42 to act on your behalf. Code42 will follow your instructions to the extent they are technically feasible and legally permissible. You will pay Code42’s costs of providing this assistance.
4.2 Data Subject Requests. If permitted, Code42 will promptly notify you of any request from a Data Subject for access to, correction, amendment, or deletion of that Data Subject’s Personal Data. Code42 will not respond to any Data Subject request without your prior written consent, except to confirm that the request relates to you.
4.3 Cooperation and Assistance. Code42 will assist you to address any request, complaint, notice, or communication you receive relating to Code42’s Processing of Customer Data received from (A) a Data Subject whose Personal Data is contained within the Customer Data, or (B) any applicable data protection authority. Code42 will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay Code42’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.
5. Code42 personnel
5.1 Confidentiality. Code42 informs its personnel engaged in the Processing of Customer Data about the confidential nature of such Customer Data. These personnel receive appropriate training on their responsibilities and are subject to written agreements with confidentiality obligations that survive the termination of their relationship with Code42.
5.2 Limitation of Access. Code42 ensures that access to Customer Data is limited to those personnel who require access to Process Customer Data under the Agreement.
6.1 Authorization. You expressly authorize Code42 to use Sub-processors to perform specific services on Code42’s behalf to enable Code42 to perform its obligations under the Agreement. Code42 has written agreements with its Sub-processors that contain obligations substantially similar Code42’s obligations under this DPA. Code42 is responsible to you for Code42’s Sub-processor’s compliance with the terms of the Agreement.
6.2 Notice and Objection. Code42 will notify you of changes to its Sub-processors upon written request. You have a right to reasonably object to Code42’s use of a new Sub-processor by notifying Code42 in writing within 10 business days after receipt of Code42’s notice. If you do so, Code42 will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Sub-processor. If Code42 is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that Code42 cannot provide without using the new Sub-processor. You must provide written notice of termination to Code42 in accordance with the Agreement. Code42 will promptly refund you the fees applicable to the unused portion of the Subscription Term for the terminated Software and Cloud Services offering.
7.1 Controls for the Protection of Customer Data. Code42 maintains appropriate administrative, technical and organizational safeguards to protect Customer Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage. Code42’s obligations are described in the Information Security Addendum available at https://support.code42.com/Terms_and_conditions.
7.2 Third-Party Certifications. Code42’s third party certifications and independent audit reports are described in the Information Security Addendum. Code42 will provide you with a copy of the SOC2 independent auditor report upon request.
7.3 Incident Management and Breach Notification. Code42’s obligations relating to incident response and breach notification are described in the Information Security Addendum.
8. Return and deletion of customer data
Under the Agreement, Code42 will provide you an opportunity to retrieve Customer Data at the end of a Subscription Term and will then delete the Customer Data in accordance with the Documentation.
9. Privacy Shield terms for EU and Swiss customer data
Code42 self-certifies and complies with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks as set forth by the Department of Commerce regarding the collection, use, and retention of Personal Data from European Union member countries and Switzerland. Code42 certifies that it adheres to the privacy shield principles and agrees to comply with the frameworks or maintain another valid mechanism to legally transfer data as prescribed by the European Commission. If Code42 determines it can no longer meet these obligations, Code42 will promptly notify you and will cease Processing your Personal Data or take reasonable and appropriate steps to remediate.