DATA PROCESSING ADDENDUM
This Data Processing Addendum ("Addendum") is effective as of the effective date of the execution of the OutSystems Master Subscription Agreement (the "Agreement") and is entered into between Customer or Company ("Controller") and OutSystems ("Processor") (each a "Party" and together the "Parties").
1. Definitions
Capitalized terms shall have the meanings set out below. Any capitalized terms not defined below or elsewhere in this Addendum shall have the meanings ascribed to them in the Master Agreement:
"Affiliate" means in relation to a party, any entity which (directly or indirectly) controls, is controlled by and/or under common control with that party;
"Breach Event" means an event reasonably considered to be a "data breach" or otherwise involving the unauthorized and/or unlawful Processing of Personal Information, whether in electronic, hard copy or other form, including but not limited to malicious interference with information system operations by third parties; provided, however, that trivial attempts to penetrate Processor's networks or systems that occur on a daily basis, such as scans and "pings", will not be considered a Breach Event.
"Data Protection Laws" means all national, state, regional and/or local laws applicable to data privacy and the Processing of "Personal Information" (defined below), including but not limited to, as applicable, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the EU e-Privacy Directive (2002/58/EC) as may be amended by the proposed Regulation on Privacy and Electronic Communications, in each case as implemented into local laws applicable to the relevant Data Controller and/or Data Processor(s) with respect to the Personal Information (as relevant), any legislation that, in respect of a member state of the EU, converts into domestic law the GDPR, the proposed Regulation on Privacy and Electronic Communications, or any other law relating to data protection, the processing of personal data and privacy. The term Data Protection Laws shall be deemed to include any successor legislation or replacements for any of the laws referenced in this definition and includes all replacement laws and any similar laws governing the parties' activities in the European Union or any other applicable jurisdiction.
"Personal Information" means “Personal Data”, “Personally Identifiable Information” or “Personal Health Information” as that term is defined in the applicable Data Protection Laws and shall include, without limitation, any data or information (regardless of the medium in which it is contained and whether alone or in combination) which may be supplied to or Processed by or on behalf of Processor in connection with the provision of the Services, that relates to an identified or identifiable person (“Data Subject”) including, without limitation, name, postal address, email address, telephone number and information about the Data Subject’s health, opinions or beliefs (in each case, as relevant to the particular Services), more particularly referred to in Exhibit A.
"Process" has, with respect to the description of Processing stated in Exhibit A, the meaning set out in the applicable Data Protection Laws and includes any operation which is performed upon Personal Information, whether or not by automatic means, including but not limited to the access, acquisition, collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, combination, "Transfer" (defined below), blocking, return or destruction of Personal Information. "Processed" or "Processing" shall be construed accordingly.
"Remediation Efforts" means activities related to the investigation of, response to and remediation of a Breach Event including, without limitation, forensic investigations, breach notification, establishment and operation of toll-free phone support for affected individuals, provision of credit protection services and identity theft insurances for affected individuals, cooperation with regulatory authorities and management and response to litigation and other legal or regulatory actions including but not limited to engaging attorneys and the payment of fines, settlements and damages.
“Services” means the Software, including any modification, improvements, alterations, translations, localizations, innovations, or changes of any kind performed on the Software, the Software support, updates and upgrades, the non-exclusive information technology related consulting, training, implementation or customization services.
"Transfer" means: (a) the moving of Personal Information from one location or person to another, whether by physical or electronic means, (b) the granting of access to Personal Information by one location or person to another, whether by physical or electronic means, and (c) any other form of Processing of Personal Information outside of the country of origin of the relevant Data Controller. "Transferred" or "Transferring" shall be construed accordingly.
“Data Controller”, “Data Processor”, “Data Subject”, and “Personal Data” have the meanings set out in the Data Protection Laws.
2. Interpretation and Processor Obligations
a. In the event of any conflict between this Addendum and the Agreement, this Addendum shall prevail.
b. Processor and Controller hereby agree to the following obligations with respect to Processor’s performance of the Master Agreement.
c. The parties acknowledge and agree that Controller and/or (as relevant) its Affiliates is/are Data Controller(s) of the Personal Information and that Processor is Data Processor.
d. Processor shall immediately inform Controller if it believes that Controller’s instructions under this Addendum may result in a violation of applicable Data Protection Laws.
e. Processor shall immediately inform Controller upon the occurrence of any event or change in its operations that would (i) result in a violation of applicable Data Protection Laws, (ii) negatively impact the validity of its representations or warranties in this Addendum, or (iii) negatively impact its ability to satisfy its obligations under this Addendum.
3. Limitations on Processor's use of Personal Information
a. Processor shall maintain all Personal Information in strict confidence and (without prejudice to Section 2.2(b)) shall and shall procure that the Subcontractors (as defined in section 2.6(b)) shall only Process the Personal Information in compliance with applicable Data Protection Laws.
b. Processor shall and shall procure that the Subcontractors shall Process the Personal Information strictly in order to perform the Agreement and in connection with the subject matter and duration of processing, the nature and the purposes of processing, as are more particularly referred to in Exhibit A, and only in accordance with the strict documented instructions received from time to time from Controller and/or (as relevant) its Affiliates who is/are Data Controller(s) of the Personal Information, including as may be set out in the Agreement, and for no other purpose unless otherwise provided in the Agreement or authorized in advance in writing by Controller.
c. If Processor collects Personal Information directly from individual Data Subjects on behalf of Controller, in connection with the Agreement, it shall do so in compliance with all Data Protection Laws applicable to its own processing of such Personal Information and with the applicable Order or in such other form as reasonably specified in writing to Processor by Controller.
d. Processor shall not by its act or omission or those of any Subcontractor (as later defined) cause Controller and/or (as relevant) its Affiliates to be in breach of the Data Protection Laws.
e. Processor shall and shall procure that the Subcontractors shall at all times protect the confidentiality of the Personal Information with no lesser level of security and confidentiality used for its most sensitive confidential information, or to the extent greater, any level of security called for in Exhibit C.
f. Processor shall and shall procure that the Subcontractors shall immediately inform Controller if, in its opinion, an instruction infringes the Data Protection Laws.
4. Data Quality
Processor shall and shall procure that the Subcontractors (as defined in section 2.5(b)) shall preserve the accuracy and integrity of Personal Information. Processor shall update, amend, correct or delete Personal Information that is inaccurate or incomplete at the request of Controller or the Data Subject, consistent with the provisions set forth in this Addendum or under the Data Protection Laws. Processor shall at all times promptly and fully cooperate with Controller's efforts to respond to any Data Subject inquiry or breach response action requiring access to information stored or processed by Processor on behalf of Controller.
5. International Transfers
a. Unless specifically authorized in the Agreement, Processor shall not cause or permit any Transfer or other Processing, nor permit any Subcontractor (as later defined) to cause or permit any Transfer or other Processing, of Personal Information outside of the EEA without Controller's prior written consent. Notwithstanding any consent or authorization in the Agreement, Processor shall be primarily responsible for ensuring that any Processing of Personal Information across international borders undertaken by Processor (whether performed by itself or a Subcontractor) complies with all applicable Data Protection Laws, including but not limited to any cross-border data transfer restrictions, requirements or prohibitions.
b. Controller and Processor hereby agree that any processing performed on Personal Information obtained in the European Economic Area (EEA) where such Personal Information is processed electronically or otherwise outside of the EEA, shall further be governed by the terms and conditions stated in standard contractual clauses approved by the European Commission.
6. Subcontractors and Other Third Parties
a. Except as permitted under Sections 2.5(a) to (e) inclusive, Processor shall not cause or permit the Personal Information to be disclosed to any third parties.
b. Processor shall not engage any third party companies (whether inside or outside of Processor's group) or non-employee individuals ("Subcontractors") to Process Personal Information, or otherwise cause or permit any Subcontractors to Process Personal Information, unless Controller has expressly granted approval in writing, or in cases where a prior general approval is set out and contemplated in the Agreement and Processor has subjected such Subcontractor to obligations in a written contract to protect and process the Personal Information which are the same as those set out in this Addendum.
c. In the event that approval from Controller is obtained in accordance with section 2.2(b), the Processor shall, prior to causing or permitting any Subcontractors to Process Personal Information, enter into a written agreement with the Subcontractors containing the same obligations as those set out in this Addendum. Processor shall, promptly upon request, provide to Controller for inspection the relevant agreements between Processor and Subcontractor(s) to ensure compliance with this section.
d. Processor warrants that it shall at all times remain responsible for the processing of Personal Data by the Subcontractors and it hereby acknowledges and agrees that it shall be liable under this Addendum for the acts and omissions of the Subcontractors.
e. The Processor has engaged, or will engage, the Subcontractor(s) listed on Exhibit B with names, addresses and a description of the subprocessing activities, to Process Personal Information. As of the effective date of this Addendum, subject to the requirements under this section 2.6 for the use by Processor of Subcontractors, Controller consents to the use of such Subcontractor(s). Processor represents and warrants that no Subcontractor shall Process any Personal Information on behalf of Controller unless and until a valid written agreement is executed between the Processor and the Subcontractor(s) containing the same obligations as those set out in this Addendum.
7. General Cooperation
a. Processor shall cooperate fully with, and assist, Controller and the Controller Affiliates in relation to any notifications or prior approvals that Controller or the Controller Affiliates may be required to effect or obtain from a regulator in connection with the Personal Information, including without limitation the preparation of supporting documentation to be submitted to the relevant regulator and provision of supporting documentation sufficient to evidence that Processor is legally bound by the terms of this Addendum. In addition, Processor will provide Controller with all assistance and cooperation in the event of the need for Remediation Efforts, including prior consultation with Controller regarding any public notification or government mandated breach notification in connection with a Breach Event.
b. Processor shall and shall procure that the Subcontractors shall promptly provide to Controller on request all information in its possession or control in relation to the Processing of the Personal Information under this Addendum and with all assistance and cooperation as may reasonably be required in order for Controller and the Controller Affiliates to assess whether its Processing of the Personal Information is in accordance with this Addendum.
c. Processor shall and shall procure that the Subcontractors shall promptly, and in any event without undue delay, notify Controller, including by providing copies, if it should receive any:
i. communication, correspondence or request for information (whether written or oral) from any regulatory authority relating directly or indirectly to the Personal Information, including in connection with any enforcement action or investigation under the Data Protection Laws (“Authority Request”); and/or
ii. communication, correspondence, complaint, request or enquiry (whether written or oral) from any Data Subject relating directly or indirectly to the Personal Information, including any subject access request or any other request by a Data Subject in connection with the exercise of his rights pursuant to the Data Protection Laws (“Data Subject Request”);
and the Processor will and will procure that the Subcontractors shall promptly cooperate with and assist Controller and the Controller Affiliates (as relevant) in connection with its/their response(s) to the Authority Request or Data Subject Request, including within the timescales set out in the Data Protection Laws, the Authority Request and/or the Data Subject Request (as relevant), and the Processor shall not respond to any Authority Request or Data Subject Request except in cases where it has the prior written consent of Controller to do so and in any event strictly in accordance with the documented instructions of Controller and the Controller Affiliates (as relevant) in respect of the same.
d. Processor will execute all such documents and do all such things as Controller may reasonably request from time to time in order to ensure that Controller and the Controller Affiliates (as relevant) comply/ies with the Data Protection Laws.
8. Deletion, Destruction or Return of Personal Information
a. To the extent not otherwise prohibited by applicable Data Protection Laws, the Agreement or this Addendum, notwithstanding any failure of Controller to provide written instructions, Processor shall and shall procure that the Subcontractors shall delete or destroy upon termination of Agreement, all Personal Information stored, collected or processed on behalf of Controller.
b. Following expiry or termination of the Agreement, and at any other time upon Controller's request, Processor shall and shall procure that all Subcontractors shall immediately and permanently delete all electronic copies of the Personal Information from its/their computer systems (including without limitation servers, hardware and mobile devices) and from digital media in its/their possession or control; and in respect of hard copies of the Personal Information, return to Controller or securely destroy all originals and copies of Personal Information in its, or its Subcontractor's, possession, custody, or control. Upon request, Processor shall provide a certification confirming that all Personal Information Processed under the Agreement has been returned or securely destroyed.
9. Security Standards and Security Breach Notification
a. Processor shall and shall procure that the Subcontractors shall put in place and maintain at all times appropriate technical, physical and organizational measures, commensurate with the sensitivity of the Personal Information to be processed by Processor hereunder, against unauthorized or unlawful Processing, acquisition, access, and to protect against the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Information transmitted, stored or otherwise Processed (including without limitation the minimum security measures set out in Exhibit C to this Addendum).
b. Processor shall promptly and without undue delay notify Controller of any actual or suspected incident of unauthorized or unlawful Processing, acquisition, access, accidental loss, destruction, alteration, or damage to the Personal Information, or unauthorized or accidental disclosure of the Personal Information, or other breach of Section 2.9(a) ("Security Incident"), including the nature of the Security Incident, the categories and approximate number of Data Subjects and Personal Information records concerned and any measure proposed to be taken to address the Security Incident and to mitigate its possible adverse effects, and shall promptly provide Controller with all other information in its possession or control concerning the Security Incident and with all assistance and cooperation as may be required in order for Controller and/or (as relevant) its Affiliates who is/are Data Controller(s) of the Personal Information to seek to mitigate the effects of the Security Incident, comply with the Data Protection Laws and adhere to guidance issued by the relevant data privacy regulator with regard to security breach management and reporting. Where and in so far as it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue further delay, but the Processor may not delay notification under this section 2.9(c) on the basis that an investigation is incomplete or ongoing.
c. Processor shall and shall procure that the Subcontractors shall fully and promptly cooperate with Controller in satisfying its obligations with respect to a Security Incident, as determined by Controller in its sole discretion, under any applicable Data Protection Laws.
10. Governing Law
Except where the Processing of the Personal Information is governed by specific Data Protection Laws (in which case such laws shall apply), this Addendum shall be governed by, and construed and enforced in accordance with, the laws defined at www.outsystems.com/legal/governing-law-jurisdiction, excluding its rules regarding the conflict of laws.
Description of Processing Activities
Except upon written instructions of Controller amending these instructions, Processing shall only be conducted with respect to the following:
Nature and Purpose of Processing
Processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the applicable Order, and as further instructed by Customer in its use of the Services.
Duration of Processing
Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Customer may submit Personal Data related to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
- Customers, business partners and vendors of Customer (who are natural persons)
- Employees or contact persons of Customer’s customers, business partners and vendors
- Employees, agents, advisors, contractors of Customer (who are natural persons)
- Customer’s Users authorized by Customer to use the Services
Type of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
- First and last name
- Contact information (company, email, phone, physical business address)
- ID data
- Professional life data
- Personal life data
- Connection data
- Localisation data
Subcontractors
- Amazon Web Services
- Microsoft Azure
- Any other wholly-owned OutSystems Affiliates
Processor uses appropriate technical, organizational and administrative security measures to protect the data supplied by Processor and managed by Processor against loss, misuse, unauthorized access, disclosure, alteration, and destruction.
Processor's security measures are continually improved in line with technological developments. Processor has been certified and attested by independent auditors as compliant with the ISO 27001, ISO 22301 and SOC 2 Type II standards, as available at https://www.outsystems.com/trust/