DATA PROCESSING AGREEMENT
By executing the OutSystems Master Subscription Agreement (the “Agreement”), Customer enters into this Data Processing Addendum ("Addendum"), on behalf of itself and, to the extent required under applicable Data Protection Laws, in the name and on behalf of its Authorized Affiliates, if and to the extent OutSystems Processes Personal Data for which such Authorized Affiliates qualify as the Controller. For the purposes of this Addendum only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorized Affiliates. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
1. DEFINITIONS
Capitalized terms shall have the meanings set out below. Any capitalized terms not defined below or elsewhere in this Addendum shall have the meanings ascribed to them in the Master Subscription Agreement:
“Adequate Country” means a country or territory outside the EU/EEA that is recognized for the purposes of Data Protection Laws by virtue of a decision of the European Commission as providing an adequate level of protection for Personal Data.
“Anonymized Data” means any Personal Data which has been anonymized such that the Data Subject to whom it relates cannot be identified, directly or indirectly, by OutSystems or any other party reasonably likely to receive or access that Personal Data.
“Authorized Affiliate” means any of Customer's Affiliate(s) which (a) is subject to the data protection laws and regulations of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom, and (b) is permitted to use the Services pursuant to the Agreement between Customer and OutSystems but has not signed its own Order with OutSystems and is not a "Customer" as defined under the Agreement.
"Breach Event" means an event reasonably considered to be a “data breach” or otherwise involving the unauthorized and/or unlawful Processing of Personal Data whether in electronic, hard copy or other form including but not limited to malicious interference with information system operations by third parties; provided, however that trivial attempts to penetrate Processor’s networks or systems that occur on a daily basis, such as scans, and “pings,” will not be considered a Breach Event.
“Controller” means Customer and/or Authorized Affiliates.
“Data Subject” means the individual to whom the Personal Data belongs according to the Data Protection Laws.
"Data Protection Laws" means all national, state, regional and/or local laws applicable to data privacy and the Processing of “Personal Data” (defined below) including but not limited to, as applicable, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) and the EU e-Privacy Directive (2002/58/EC) as may be amended by the proposed Regulation on Privacy and Electronic Communications, in each case as implemented into local laws applicable to the relevant Data Controller and/or Data Processor(s) with respect to the Personal Data (as relevant), any legislation that, in respect of a member state of EU, converts into domestic law the GDPR, the proposed Regulation on Privacy and Electronic Communications, or any other law relating to data protection, the processing of personal data and privacy. The term Data Protection Laws shall be deemed to include any successor legislation or replacements for any of the laws referenced in this definition and includes all replacement laws and any similar laws governing the parties’ activities in the European Union or any other applicable jurisdiction.
“EU/EEA” means the European Union and the European Economic Area.
“GDPR” means the EU General Data Protection Regulation 2016/679 and to the extent the GDPR is no longer applicable in the United Kingdom, any implementing legislation or legislation having equivalent effect in the United Kingdom. References to “Articles” or “Chapters” of the GDPR shall be construed accordingly.
“Personal Data” means “Personally Identifiable Information” as that term is defined in the applicable Data Protection Laws and shall include, without limitation, any data or information (regardless of the medium in which it is contained and whether alone or in combination) which may be supplied to or Processed by or on behalf of Processor in connection with the provision of the Services, that relates to an identified or identifiable person (“Data Subject”) including, without limitation, name, postal address, email address, telephone number and information about the Data Subject’s opinions (in each case, as relevant to the particular Services), as more particularly referred to in Exhibit A.
“Personnel” means employees, consultants and/or contractors.
"Process" means, with respect to the description of Processing stated in Exhibit A, the meaning set out in the applicable Data Protection Laws and includes any operation which is performed upon Personal Data, whether or not by automatic means, including but not limited to the access, acquisition, collection, recording, organization, storage, alteration, retrieval, consultation, use, disclosure, combination, “Transfer” (defined below), blocking, return or destruction of Personal Data. "Processed” or "Processing" shall be construed accordingly.
“Processor” means OutSystems.
“Services” means the Software provided on cloud (platform as a service) and the Support and Updates jointly provided through a Subscription and/or the Professional Services provided by OutSystems.
“Standard Contractual Clauses” means the European Commission’s Standard Contractual Clauses available at https://eur-lex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.
“Sub-Processors” means an entity engaged by Processor for the processing activities to be carried out as part of the Services.
“Third Country” means a country or territory outside the EU/EEA that is not an Adequate Country.
“Transfer” means the transfer of Personal Data to a Third Country. "Transferred” or "Transferring" shall be construed accordingly.
“User” means an individual authorized by Customer to use the Services.
2. PROCESSING OF PERSONAL DATA
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller, OutSystems is the Processor and that OutSystems and its Affiliates will engage Sub-Processors pursuant to the requirements set forth in Section 6 “Sub-Processors” below.
2.2 Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Data Protection Laws. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3 OutSystems’ Processing of Personal Data. OutSystems shall treat Personal Data as Confidential Information and shall only Process Personal Data on behalf of and in accordance with the Data Protection Laws and with Customer’s documented instructions for the following purposes, as are more particularly referred to in Exhibit A: (i) Processing in accordance with the Agreement and applicable Order(s); (ii) Processing initiated by Users in their use of the Services; (iii) Processing in order to provide the Services; and (iv) Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject-matter of Processing of Personal Data by OutSystems is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this Addendum are further specified in Exhibit A to this Addendum.
2.5 Confidentiality. Personal Data is considered Confidential Information under the Agreement. OutSystems shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities.
3. SECURITY
OutSystems uses appropriate technical, organizational and administrative security measures to protect the Personal Data supplied and controlled by Customer against loss, misuse, unauthorized access, disclosure, alteration, and destruction. OutSystems’ security measures are continually improved in line with technological developments. OutSystems has been certified and attested to confirm compliance with ISO 27001, ISO 22301 and SOC 2 Type II standards, by independent auditors, as available at https://www.outsystems.com/trust/.
4. OUTSYSTEMS PERSONNEL
OutSystems shall take reasonable steps to ensure the reliability of any OutSystems’ Personnel who may Process Personal Data, ensuring:
(a) that access is strictly limited to those individuals who need to know or access the relevant Customer’s Personal Data for the purposes described in this Addendum; and
(b) that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
5.1 Cooperation with Customer. OutSystems shall cooperate fully with, and assist, Customer in relation to any notifications or prior approvals that Customer may be required to effect or obtain from a regulator, in connection with the Personal Data, including without limitation the preparation of supporting documentation to be submitted to the relevant regulator and provision of supporting documentation sufficient to evidence that Customer is legally bound by the terms of this Addendum. In addition, OutSystems will provide Customer with all assistance and cooperation in the event of the need for remediation efforts, including prior consultation with Customer regarding any public notification or government mandated breach notification in connection with a Breach Event. OutSystems shall, and shall procure that the Sub-Processors shall, promptly provide to Customer on request all information in its possession or control in relation to the Processing of the Personal Data under this Addendum and all assistance and cooperation as may reasonably be required in order for Customer to assess whether its Processing of the Personal Data is in accordance with this Addendum.
5.2 Data Subject Requests. OutSystems shall, to the extent legally permitted, promptly notify Customer if OutSystems receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, right to object to the Processing, or right not to be subject to automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, OutSystems shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, OutSystems shall upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent OutSystems is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
5.3 Authority Requests. OutSystems shall, and shall procure that the Sub-Processors shall, promptly and in any event without undue delay notify Customer, including by providing copies, if it should receive any communication, correspondence or request for information (whether written or oral) from any regulatory authority relating directly or indirectly to the Personal Data, including in connection with any enforcement action or investigation under the Data Protection Laws (“Authority Request”).
5.4 Data Quality. OutSystems shall, and shall procure that the Sub-Processors shall, preserve the accuracy and integrity of Personal Data. OutSystems shall update, amend, correct or delete Personal Data that is inaccurate or incomplete at the request of Customer, consistent with the provisions set forth in this Addendum or under the Data Protection Laws. OutSystems shall at all times promptly and fully cooperate with Customer’s efforts to respond to any Data Subject inquiry or breach response action requiring access to information stored or processed by OutSystems on behalf of Customer.
5.5 Deletion, Destruction or Return of Personal Data. To the extent not otherwise prohibited by applicable Data Protection Laws, the Agreement or this Addendum, and notwithstanding any failure of Customer to provide written instructions, OutSystems shall, and shall procure that the Sub-Processors shall, delete or destroy upon termination of the Agreement all Personal Data stored, collected or processed on behalf of Customer. Following expiry or termination of the Agreement, and at any other time upon Customer's request, OutSystems shall, and shall procure that all Sub-Processors shall, immediately and permanently delete all electronic copies of the Personal Data from its/their computer systems (including without limitation servers, hardware and mobile devices) and from digital media in its/their possession or control; and in respect of hard copies of the Personal Data, securely destroy all originals and copies of Personal Data in its, or its Sub-Processors’, possession, custody, or control. Upon request, OutSystems shall provide a certification confirming that all Personal Data Processed under the Agreement has been securely destroyed.
5.6 Breach Notification. OutSystems shall promptly and without undue delay notify Customer of any actual or suspected Breach Event, including the nature of the Breach Event, the categories and approximate number of Data Subjects and Personal Data records concerned and any measure proposed to be taken to address the Breach Event and to mitigate its possible adverse effects, and shall promptly provide Customer with all other information in its possession or control concerning the Breach Event and with all assistance and cooperation as may be required in order for Customer and/or (as relevant) its Authorized Affiliates who is/are Controller(s) of the Personal Data to seek to mitigate the effects of the Breach Event, comply with the Data Protection Laws and adhere to guidance issued by the relevant data privacy regulator with regard to security breach management and reporting; where and in so far as it is not possible to provide all the relevant information at the same time, the information may be provided in phases without undue delay. Further, OutSystems shall fully and promptly cooperate with Customer in satisfying its obligations with respect to a Breach Event, as determined by Customer in its sole discretion, under any applicable Data Protection Laws.
5.7 Data Protection Officer. OutSystems has appointed a Data Protection Officer who may be reached at firstname.lastname@example.org.
6. SUB-PROCESSORS
6.1 Consent. OutSystems shall be entitled to engage Sub-Processors to fulfil OutSystems’ obligations defined in the Agreement only with Customer’s consent. For these purposes, Customer consents to the engagement as Sub-Processors of OutSystems’ Affiliates mentioned in the list referenced in Section 12 below, as well as the third parties listed in Exhibit B. For the avoidance of doubt, the above authorization constitutes Customer’s prior written consent to the sub-Processing by OutSystems for purposes of Article 28(2) of the GDPR and Clause 11 of the Standard Contractual Clauses.
6.2 Engagement of Sub-Processors. With respect to each Sub-Processor, OutSystems shall: a) before the Sub-Processor first Processes Customer’s Personal Data, carry out adequate due diligence to ensure that the Sub-Processor is capable of providing the level of protection for Customer’s Personal Data required by this Addendum and Data Protection Laws; and b) ensure that the arrangement between OutSystems and any prospective Sub-Processor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum, and that such terms meet the requirements of Article 28(3) of the GDPR. If OutSystems intends to instruct Sub-Processors other than the companies listed in Exhibit B, OutSystems will notify the Customer thereof in writing (email to the email address(es) on record in OutSystems’s account information for Customer is sufficient) and will give the Customer the opportunity to object to the engagement of the new Sub-Processors within 30 days after being notified. If OutSystems and Customer are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party. Where the Sub-Processor fails to fulfil its data protection obligations, OutSystems will remain liable to the Customer for the performance of such Sub-Processor’s obligations.
7. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
OutSystems shall provide reasonable assistance to Customer, at Customer’s cost, with any data protection impact assessments, and prior consultations with supervisory authorities, which Customer reasonably considers to be required of Customer by Article 35 or 36 of the GDPR, in each case solely in relation to the Processing of Customer Personal Data by OutSystems and taking into account the nature of the Processing and the information available to OutSystems.
8. AUDIT RIGHTS
8.1 OutSystems shall make available to Customer on request information reasonably necessary to demonstrate compliance with this Addendum.
8.2 Subject to Paragraphs 8.3 and 8.4, in the event that Customer (acting reasonably) is able to provide documentary evidence that the information made available by OutSystems pursuant to Section 8.1 is insufficient to demonstrate OutSystems’s compliance with this Addendum, OutSystems shall allow for and contribute to audits, including on-premise inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer’s Personal Data by OutSystems.
8.3 Customer shall give OutSystems reasonable notice of any audit or inspection to be conducted under Section 8.2 (which shall in no event be less than thirty (30) days’ notice unless required by a supervisory authority pursuant to Section 8.4(f)(ii)) and shall use its best efforts (and ensure that each of its mandated auditors uses its best efforts) to avoid causing, and hereby indemnifies OutSystems in respect of, any damage, injury or disruption to OutSystems’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of OutSystems’s other customers or the availability of OutSystems’s Services to such other customers) while its Personnel and/or its auditor’s Personnel (if applicable) are on those premises in the course of any on-premise inspection.
8.4 OutSystems need not give access to its premises for the purposes of such an audit or inspection:
(a) to any individual unless he or she produces reasonable evidence of identity and authority;
(b) to any auditor whom OutSystems has not given its prior written approval (not to be unreasonably withheld);
(c) unless the auditor enters into a non-disclosure agreement with OutSystems on terms acceptable to OutSystems;
(d) where, and to the extent that, OutSystems considers, acting reasonably, that to do so would result in interference with the confidentiality or security of the data of OutSystems’s other customers or the availability of OutSystems’s services to such other customers;
(e) outside normal business hours at those premises; or
(f) on more than one (1) occasion in each period of twelve (12) months during the Subscription Term (or where the term of the Subscription Term is less than (12) months, on more than one (1) occasion during such shorter term), except for any additional audits or inspections which:
(i) Customer reasonably considers necessary because of a Breach Event; or
(ii) Customer is required to carry out by Data Protection Law or a supervisory authority, where Customer has identified the Breach Event or the relevant requirement in its notice to OutSystems of the audit or inspection.
8.5 The Parties shall discuss and agree the costs of any inspection or audit to be carried out by or on behalf of Customer pursuant to this Section 8 in advance of such inspection or audit and, unless otherwise agreed in writing between the Parties, Customer shall bear any third party costs in connection with such inspection or audit and reimburse OutSystems for all costs incurred by OutSystems and time spent by OutSystems (at OutSystems’s applicable professional services rates) in connection with any such inspection or audit.
9. RESTRICTED TRANSFERS
OutSystems agrees that no Customer’s Personal Data shall be Processed by any Sub-Processor outside the EU/EEA in a Third Country otherwise than in accordance with Chapter V of the GDPR and OutSystems shall ensure that a legal mechanism to achieve adequacy in respect of that Processing is in place, such as Sub-Processors’ EU-U.S. and Swiss-U.S. Privacy Shield Framework certifications (if any) or Standard Contractual Clauses. Without limiting the other mechanisms available to achieve adequacy that may be available to OutSystems under Chapter V of the GDPR in respect of Transfers to Sub-Processors located in a Third Country, Customer hereby confers a specific mandate to OutSystems to enter into and undersign the Standard Contractual Clauses as agent for Customer, as the ‘data exporter’ with such Sub-Processors as the ‘data importer’.
10. ANONYMOUS DATA
Customer acknowledges and agrees that OutSystems shall be freely able to use and disclose Anonymized Data for OutSystems’ own business purposes, including, but not limited to, the improvement of the Services.
11. LIMITATION OF LIABILITY
OutSystems’ and all its Affiliates’ liability, taken together in the aggregate, arising out of or related to the infringement of the Data Protection Laws or the non-compliance with their obligations regarding the Processing of Personal Data in relation to this Addendum, whether in contract, tort or under any other theory of liability, is limited to proven direct damages caused by OutSystems and/or any of its Affiliates in an amount not to exceed €500.000,00 (five hundred thousand Euros). The provisions of this section allocate risks under this Addendum between the parties hereunder. For the avoidance of doubt, OutSystems’ and its Affiliates’ total liability for all claims from the Customer and all of its Authorized Affiliates arising out of or related to the infringement of the Data Protection Laws or the non-compliance with their obligations regarding the Processing of Personal Data in relation to this Addendum shall apply in the aggregate for all claims under both the Agreement and all Addenda established under this Agreement, including by Customer and all Authorized Affiliates, and, in particular, shall not be understood to apply individually and severally to Customer and/or to any Authorized Affiliate that is a contractual party to any such Addendum.
12. GOVERNING LAW AND JURISDICTION
Except where the Processing of the Personal Data is governed by specific Data Protection Laws (in which case such laws shall apply), this Addendum shall be governed by, and construed and enforced in accordance with, the laws defined at www.outsystems.com/legal/governing-law-jurisdiction, excluding its rules regarding the conflict of laws.
13. HOW THIS ADDENDUM APPLIES
The parties acknowledge and agree that, by executing the Agreement, OutSystems enters into this Addendum on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate Addendum between OutSystems and each such Authorized Affiliate subject to the provisions of the Agreement and this Section. Each Authorized Affiliate agrees to be bound by the obligations under this Addendum and, to the extent applicable, the Agreement.
If the Customer entity signing this Addendum is a party to the Agreement, this Addendum is an addendum to and forms part of the Agreement. In such case, the OutSystems entity that is party to the Agreement is party to this Addendum.
If the Customer entity signing this Addendum has executed an Order with OutSystems or its Affiliate pursuant to the Agreement, but is not itself a party to the Agreement, this Addendum is an addendum to that Order and the OutSystems entity that is party to such Order is party to this Addendum.
If the Customer entity signing the Addendum is not a party to an Order nor to a Master Subscription Agreement directly with OutSystems, but is instead a customer indirectly via an authorized reseller Partner of OutSystems, this Addendum is not valid and is not legally binding. Such entity should contact the authorized reseller Partner to discuss whether any amendment to its agreement with that reseller may be required.
EXHIBIT A
Description of Processing Activities
Except upon written instructions of Controller amending these instructions, Processing shall only be conducted with respect to the following:
Nature and Purpose of Processing
Processor will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the applicable Order, and as further instructed by Controller in its use of the Services.
Duration of Processing
Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Controller may submit Personal Data related to the Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of data subjects:
● Customers, business partners and vendors of Controller (who are natural persons).
● Employees or contact persons of Controller’s customers, business partners and vendors.
● Employees, agents, advisors, contractors of Controller (who are natural persons).
● Controller’s Users authorized by Controller to use the Services.
Type of Personal Data
Controller may submit Personal Data to the Services, the extent of which is determined and controlled by Controller in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
● First and last name
● Title
● Position
● Employer
● Contact information (company, email, phone, physical business address)
● ID data
● Professional life data
● Personal life data
● Connection data
● Localisation data
EXHIBIT B
PERMITTED THIRD PARTY SUB-PROCESSORS