THIS DATA PROCESSING ADDENDUM (this “DPA”) is incorporated into the Master Services Agreement (the “Agreement”) between Customer and Latitude.sh Ltda (“Service Provider” or “Processor”) (each a “party” and collectively the “parties”). Capitalized but undefined terms used in this DPA will have the meanings assigned to those terms in the Agreement.
In the course of providing the Services to Customer pursuant to the Agreement, Service Provider may Process Personal Data on behalf of Customer. Service Provider agrees to comply with the following provisions, including the Standard Contractual Clauses (processors) attached as Exhibit A and its related Appendices and incorporated into the DPA (the “Clauses”), to the extent applicable as provided in Section 2.8 below, with respect to its Processing of any Personal Data submitted by or for Customer to Service Provider in connection with Customer’s use of the Services.
“Controller” means the entity that determines the purposes and means of the Processing of Personal Data.
“Customer Data” means any data, information or material originated by Customer that Customer submits, collects or provides in the course of using the Services, including any Customer Personal Data.
“Customer Personal Data” means Personal Data submitted by or for Customer to Service Provider in connection with Customer’s use of the Services.
“Data Protection Laws” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, applicable to the Processing of Customer Personal Data by Service Provider under the Agreement.
“Data Subject” means an identified or identifiable natural person. For purposes of this DPA, “Data Subjects” include individuals from one or more of the following categories: (a) Customer’s users, (b) individuals collaborating and communicating with Customer’s users, and (c) individuals whose Personal Data is possessed by Customer and stored within Customer Data.
“GDPR” means the EU General Data Protection Regulation 2016/679.
“Personal Data” has the same meaning as “personal data” as defined in the GDPR.
“Personal Data Breach” has the same meaning as “personal data breach” as defined in the GDPR.
“Process/Processing” has the same meaning as “processing” as defined in the GDPR.
“Processor” means the entity that Processes Personal Data on behalf of the Controller.
“Security, Privacy and Architecture Documentation” means the Security, Privacy and Architecture Documentation applicable to the Services purchased by Customer, as described in summaries of the then-current SSAE 16 SOC Type II audit reports (or comparable industry-standard successor report) that Service Provider generally makes available to its Customers as updated from time to time, or otherwise made reasonably available by Service Provider.
“Sub-processor” means any entity that Service Provider engages to Process Customer’s Personal Data on behalf of Service Provider.
2.1 Roles of the Parties; Purpose. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is a Processor of personal data on behalf of its customers who are Controllers of such personal data and that Service Provider as a sub-processor may engage other Sub-processors pursuant to the requirements set forth in this Agreement. The purpose of Processing of Customer Personal Data by Service Provider is the performance of the Services for Customer and the exercise of Customer’s rights pursuant to the Agreement.
2.2 Service Provider’s Processing of Personal Data. Service Provider will only Process Customer Personal Data on behalf of and in accordance with Customer’s instructions. For the purposes of this DPA and Clause 5(a) of the Clauses, Customer will instruct Service Provider to Process Customer Personal Data for the following purposes: (i) to store data as described more fully in the Agreement and applicable Service Order Form(s); and (ii) to comply with other reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement and this DPA. This DPA and the Agreement are Customer’s complete and final instructions to Service Provider for the Processing of Customer Personal Data. Any additional instructions that are inconsistent with the terms of the Agreement or this DPA must be agreed upon separately in writing signed by authorized representatives of both parties.
2.3 Customer’s Processing of Personal Data. In its use of the Services, Service Provider will Process Customer Personal Data in accordance with the requirements of Data Protection Laws. Customer’s instructions for the Processing of Personal Data by Service Provider will comply with all Data Protection Laws. Customer will have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer acquired such Customer Personal Data.
2.4 Security of Processing. Service Provider will secure Customer Personal Data by implementing appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required under the applicable Data Protection Laws. Such measures include those set forth in the Security, Privacy and Architecture Documentation. Service Provider will not materially decrease the overall security of the Services during the term of the Agreement.
2.5 Personal Data Breach Notification. Service Provider will notify Customer without undue delay after becoming aware of a Personal Data Breach. To the extent such Personal Data Breach is caused by a violation of the requirements of this DPA by Service Provider, Service Provider will make reasonable efforts to identify and remediate the cause of such Personal Data Breach.
2.6 Assistance. Service Provider agrees to provide Customer with reasonable assistance in ensuring compliance with its obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Service Provider’s Processing and the information available to Service Provider. Service Provider will, to the extent legally permitted, promptly notify Customer if Service Provider receives a request from a Data Subject for access to, correction, amendment or deletion of such Data Subject’s Customer Personal Data. Upon request from Customer, Service Provider will provide commercially reasonable assistance to Customer by appropriate technical and organizational measures, insofar as this is possible, in relation to handling of a Data Subject’s request for exercising Data Subject’s rights set forth in Chapter III of the GDPR, taking into account the nature of Service Provider’s Processing of Customer Personal Data and solely to the extent Customer is unable to fulfill such requests through the Services. Customer will be responsible for any costs arising from Service Provider’s provision of such assistance.
2.7 Deletion of Customer Personal Data. Service Provider will delete all Customer Personal Data and copies thereof (i) upon request of Customer, (ii) upon termination or expiration of the Agreement and (iii) on a rolling basis every twenty-eight (28) days during the Term of the Agreement, unless otherwise required by the applicable Data Protection Laws. The parties agree that the certification of the deletion of Customer Personal Data that is described in Clause 12(1) will be provided by Service Provider to Customer only upon Customer’s written request.
2.8 Data Transfers. With respect to Customer Personal Data transferred from the European Economic Area (“EEA”) to outside the EEA in conjunction with Customer’s use of the Services, either directly or via onward transfer, Service Provider will provide at least the same level of protection for such Customer Personal Data as is required by the relevant principles in accordance with Article 46 of the GDPR. If Service Provider determines that it can no longer provide this level of protection, Service Provider will promptly notify Customer of that determination, and Customer will have the right to terminate the Agreement without penalty upon notice to Service Provider. The Clauses apply only to Customer Personal Data that is transferred from the EEA to outside the EEA, either directly or via onward transfer, to any country or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for Personal Data, and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for Personal Data. For the purpose of the Clauses and this DPA, Customer and all Affiliates of Customer established within the EEA that have purchased Services on the basis of a Service Order Form will be deemed “Data Exporters” and will be collectively included in the term “Customer.”
2.9 Audits. Service Provider will make available to Customer all information necessary to demonstrate compliance with its obligations under the GDPR. Service Provider has obtained the third-party certifications and audits set forth in the Security, Privacy and Architecture Documentation. Upon Customer’s written request at reasonable intervals, Service Provider will provide a copy of Service Provider’s then most recent summaries of third-party audits or certifications, as applicable, that Service Provider generally makes available to its Customers at the time of such request. Service Provider will also provide, upon Customer’s written request, reports containing the full results of such third-party audits or certifications, provided that such reports may be redacted to remove testing details or other information that is not necessary for Customer to understand the specific vulnerabilities that might put Customer Personal Data at risk, in Service Provider’s sole reasonable discretion. The parties agree that the audit rights described in Article 28 of the GDPR and Clauses 5(f) and 12(2) of the Clauses will be satisfied by Service Provider’s provision of such summaries and/or reports.
3.1 Confidentiality. Service Provider will ensure that its personnel engaged in the Processing of Customer Personal Data are informed of the confidential nature of Customer Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements or are under an appropriate statutory obligation of confidentiality. Service Provider will ensure that such confidentiality obligations survive the termination of the personnel engagement.
3.2 Limitation of Access. Service Provider will ensure that Service Provider’s access to Customer Personal Data is limited to those personnel who require such access to perform under the Agreement.
3.3 Data Protection Officer. Certain of Customer’s parent employees have been appointed as data protection officers where such appointment is required by Data Protection Laws.
4.1 General Authorization. Customer authorizes Service Provider to subcontract Processing of Customer Personal Data under this DPA to Sub-processors, provided that Service Provider: (a) provides Customer with information about the Sub-processor(s) as may be reasonably requested by Customer from time to time; (b) flows down its obligations under this DPA to such Sub-processor, such that the Processing requirements of such Sub-processor with respect to Customer Personal Data are no less onerous than the Processing requirements of Service Provider as set forth in this DPA; and (c) will be fully liable to Customer for the performance of the Sub-processor’s obligations under this DPA if such Sub-processor fails to fulfill its data protection obligations.
4.2 New Sub-Processors. Service Provider will inform Customer of any intended changes concerning the addition or replacement of Sub-processors. If Customer has a reasonable basis to object to Service Provider’s use of a new Sub-processor, Customer will notify Service Provider promptly in writing within ten (10) days after Service Provider informs Customer of such change. If such objection is not unreasonable, Service Provider will use reasonable efforts to make available to Customer a change in the affected Services or recommend a commercially reasonable change to Customer’s configuration or use of the affected Services to avoid Processing of Customer Personal Data by such new Sub-processor. If Service Provider is unable to make available such change within a reasonable period of time, which will not exceed sixty (60) days, Customer may terminate the applicable Service Order Form(s) in respect only to those Services which cannot be provided by Service Provider without the use of the objected-to new Sub-processor, by providing written notice to Processor. Customer will receive a refund of any prepaid fees for the period following the effective date of termination in respect of such terminated Services.
4.3 Sub-Processor Agreements. The parties agree that if copies of the Sub-processor agreements must be sent by Service Provider to Customer pursuant to applicable Data Protection Laws, such copies may have all commercial information and clauses unrelated to this DPA redacted by Service Provider beforehand, and that such copies will be provided by Service Provider only upon reasonable request by Customer.
5.1 Conflicting Terms. This DPA applies only to Customer and Service Provider and does not confer any rights to any third party. This DPA does not replace any additional rights related to privacy or data security set forth in the Agreement.
5.2 Term and Termination. This DPA will become effective as of the date Customer has both: (i) executed a valid Agreement; and (ii) executed this DPA. This DPA will terminate simultaneously and automatically upon the termination of the Agreement. Service Provider may terminate this DPA at any time upon notice to Customer if Service Provider offers alternative means to Customer that comply with all applicable Data Protection Laws. Customer may terminate this DPA at Customer’s discretion upon Service Provider’s receipt of Customer’s written notice of termination.
5.3 Remedies. Service Provider’s remedies, including those of its Affiliates, arising from any breach by Customer of the terms of this DPA will be limited to two times the amounts paid or payable in the past 12 months under the Agreement.
5.4 Governing Law. To the extent required by the applicable Data Protection Laws, this DPA will be governed by the laws of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction stated in the Agreement.