Data Processing Agreement
Last Updated: July 10, 2023
This Data Processing Agreement (the "DPA") is made by and between Select Labs Inc. ("SELECT") and the entity identified as Customer ("Customer") in the SELECT Order Form or any other agreement between Customer and SELECT for the purchase of Services (in each case, the "Agreement"). This DPA is incorporated into the Agreement between SELECT and Customer. This DPA shall be effective for so long as SELECT Processes Customer Personal Data. This DPA includes and incorporates by reference the annexes and addenda referenced at the bottom of this document. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
1.1 Adequate Country: means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner’s Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR, or (iii) the Swiss Federal Data Protection Authority under Swiss Data Protection Law.
1.2 Data Protection Laws: means: (a) in the European Union, the General Data Protection Regulation 2016/679 (the "GDPR"), (b) in the UK, the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the "UK GDPR") and the Data Protection Act 2018, or (c) Swiss Data Protection Law.
1.3 Data Subject Request: means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws.
1.4 EEA: means the European Economic Area.
1.5 EU Clauses: means the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission's Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 4.
1.6 Personal Data: means all personal data which is uploaded into the Services by Customer and accessed, stored or otherwise processed by Supplier as a processor.
1.7 Security Breach: means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Supplier’s staff or sub-processors, or any other identified or unidentified third party.
1.8 "Services": means the Services as such term is defined in the Agreement.
1.9 Supervisory Authority: means in the UK, the Information Commissioner’s Office (“ICO”) (and, where applicable, the Secretary of State or the government), and in the EEA, an independent public authority established pursuant to the GDPR.
1.10 Swiss Data Protection Law: means the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances as amended, superseded or replaced from time to time.
1.11 Swiss Addendum: means the addendum set out in Schedule 3.
1.12 UK: means the United Kingdom.
1.13 UK Approved Addendum: means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and expected to be in force on 21 March 2022.
1.14 UK Mandatory Clauses: means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner's Office.
1.15 UK GDPR: means the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018.
1.16 "controller", "data subject", "personal data" and "processor", have the meanings ascribed to them in the Data Protection Laws.
1.17 Any defined terms which are not defined in this DPA are as defined in the Agreement.
2. Roles & compliance with Data Protection Laws
2.1 Customer is the controller of Personal Data, and Supplier is the processor of Personal Data. Each party will comply (and will procure that any of its personnel comply, and use commercially reasonable efforts to procure that its sub-processors comply) with Data Protection Laws applicable to such party in the processing of Personal Data. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.
3. Description of Processing
3.1 The Subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in Schedule 1.
3.2 Processing by Supplier. As a processor, Supplier will only process Personal Data (i) in order to provide the Services to Customer or (ii) per Customer’s instructions in writing or via the Services. Supplier will notify Customer (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Customer’s instructions. Supplier will, as soon as reasonably practicable upon becoming aware, inform the Customer if, in Supplier’s opinion, any instructions provided by the Customer under this clause 3 infringe applicable Data Protection Laws. Upon termination of the Agreement and upon written request of the Customer, Supplier will return or delete the Personal Data, unless required by law to continue to store a copy of the Personal Data.
4. Technical and Organisational Security Measures
4.1 Supplier will implement appropriate technical and organizational measures of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data as set out in Schedule 5.
4.2 Supplier will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.
5. Security Breaches, Data Subject Requests & Further Assistance
5.1 Security Breaches. Supplier will notify Customer of any Security Breach without undue delay.
5.2 Data Subject Requests. To the extent legally permitted, Supplier will promptly notify Customer if it receives a Data Subject Request. Supplier will not respond to a Data Subject Request, provided that Customer agrees Supplier may at its discretion respond to confirm that such request relates to Customer. Customer acknowledges and agrees that the Services may include features which will allow Customer to manage Data Subject Requests directly through the Services without additional assistance from Supplier. If Customer does not have the ability to address a Data Subject Request, Supplier will, upon Customer’s written request, provide reasonable assistance to facilitate Customer’s response to the Data Subject Request to the extent such assistance is consistent with applicable law.
5.3 Further Assistance. Taking into account the nature of processing and the information available to Supplier, Supplier will provide such assistance as Customer reasonably requests in relation to Customer’s obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customer in response to a Security Breach, or (iii) Customer’s compliance with its obligations under the GDPR or UK GDPR (as applicable) with respect to the security of processing.
6. Sub-processing
6.1 Customer grants a general authorisation to Supplier to appoint its Affiliates or third parties as sub-processors to support the performance of the Services, including data centre operators, cloud-based software providers, and other outsourced support and service providers. Supplier will maintain a list of sub-processors and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. If Customer has a reasonable objection to any new or replacement sub-processor based on the replacement sub-processor’s compliance with the security and privacy protections of applicable Data Protection Law, it shall notify Supplier of such objections in writing within 15 days of the notification and the parties will seek to resolve the matter in good faith. If Customer is not reasonably satisfied that the sub-processor meets the security and privacy protections of applicable Data Protection Law then Customer as its sole remedy may, within such 15-day period, terminate the Agreement. Supplier may use a new or replacement sub-processor whilst the objection procedure in this clause 6.1 is in process.
6.2 Supplier will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Supplier in this DPA (the "Relevant Terms"). Supplier shall be liable to Customer for any breach by such sub-processor of any of the Relevant Terms to the extent required under Data Protection Law.
6.3 Schedule 6 contains the details of any sub-processors that may receive Personal Data from Supplier and which are not based in the UK or the EEA.
7. International Transfers
7.1 Customer agrees that its use of the Services will involve the transfer of Personal Data to, and processing of Personal Data in, locations outside of the UK and/or EEA from time to time, such as for purposes of providing support to Customer, including processing in the United States.
7.2 UK transfers:
7.2.1 To the extent Personal Data is transferred to Supplier and processed by or on behalf of Supplier outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by UK GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this DPA.
7.2.2 Schedule 2 references the information required by Tables 1 to 4 inclusive of the UK Approved Addendum.
7.3 EU transfers:
7.3.1 To the extent Personal Data is transferred to Supplier and processed by or on behalf of Supplier outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 4.
7.3.2 Schedule 4 contains the information required by the EU Clauses.
7.4 Swiss transfers:
7.4.1 To the extent Personal Data is transferred to Supplier and processed by or on behalf of Supplier outside Switzerland (except if in an Adequate Country) in circumstances where such transfer would be prohibited by Swiss Data Protection Laws in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the Swiss Addendum will apply in respect of that processing. The Swiss Addendum is incorporated into this DPA in Schedule 3.
7.4.2 Schedule 4 contains the information required by the EU Clauses, including for the purposes of transfers to which this clause 7.4 applies.
7.5 Supplier may (i) replace the EU Clauses, the Swiss Addendum and/or the UK Approved Addendum generally or in respect of the EEA, Switzerland and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time and (ii) make reasonably necessary changes to this DPA by notifying Customer of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.
8. Audit and Records
8.1 Supplier will, subject to the confidentiality terms in the Agreement, provide Customer such information in Supplier's possession or control as may be necessary to demonstrate compliance with its obligations under this DPA or in order to respond to requests from an applicable Supervisory Authority. Customer agrees to thoroughly review and provide due consideration to such third-party certifications, audits or reports (such as SOC II or ISO 27001) as Supplier may provide in order to demonstrate its compliance with its obligations under this DPA before making any request for additional information or inspection hereunder.
8.2 Where Customer, acting reasonably, can demonstrate an actual or reasonably suspected material breach by Supplier of this DPA in relation to the Personal Data or that a competent supervisory authority requires it, Customer may itself through appropriately qualified security personnel conduct, or commission a third party auditor to conduct, a data security audit on the terms set out below. Supplier will fully cooperate with such audit requests by providing access to relevant knowledgeable personnel and documentation.
8.3 Audits will: (a) be on no less than fourteen days’ prior written notice to Supplier unless otherwise agreed; (b) be conducted during normal business hours; (c) not unreasonably interfere with Supplier's business activities; (d) not take place more than once in any year except where required at law or as agreed between the parties; (e) be subject to Supplier's reasonable security restrictions (e.g., sign-in requirements, badge requirements, escort requirements); (f) not compromise the security of (or grant access to) any data that is not Personal Data; and (g) be at Customer's sole cost and expense.
8.4 The appointment of Customer's auditor(s) and any third party auditor will be subject to Supplier's prior written consent (not to be unreasonably withheld) and, where a third party is appointed, the agreement of non-disclosure terms between Supplier and such third party.
9. General
9.1 Conflicts. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms (including definitions) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
9.2 Limitation of Liability. Supplier’s maximum aggregate liability to Customer under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Supplier to the Customer as set out in the Agreement.
9.3 Governing Law; Venue. Without prejudice to the provisions of the EU Clauses, Swiss Addendum and the UK Approved Addendum addressing the law which governs them, this DPA shall be governed by and construed in accordance with the laws which govern the Agreement and the venue(s) for disputes and claims under the Agreement shall also apply to disputes and claims under this DPA.
SCHEDULE 1 - Data Processing Details
For the purposes of clause 3 of the DPA and Schedules 2 and 3, the parties set out below a description of the Personal Data being processed under the Agreement and further details required pursuant to the Data Protection Laws.
| Processing Detail | Description |
| --- | --- |
| Subject Matter of the Processing | Supplier's provision of access to the Services to Customer. |
| Nature and Purpose of Processing | Personal Data that Customer in its discretion uploads into the Services, typically including: |
| Sensitive Personal Data and Applied Restrictions | None. |
| Categories of Data Subject | Authorised end users and employees about whom Personal Data is provided to Supplier via the Services by, or at the direction of, Customer. |
| Duration of Processing | For the duration of the Agreement, or until the processing is no longer necessary for the purposes. |
SCHEDULE 2 - UK transfers
For the purposes of the UK Approved Addendum,
- the information required for Table 1 is contained in Schedule 1 of this DPA and the start date shall be deemed dated the same date as the EU Clauses;
- in relation to Table 2, the version of the EU Clauses to which the UK Approved Addendum applies is Module Two for Controller to Processor and, where Customer acts as processor, Module Three for Processor to Processor transfers;
- in relation to Table 3, the list of parties and description of the transfer are as set out in Annex 1 of Schedule 4 of this DPA, Supplier's technical and organisational measures are set in Annex II of Schedule 4 of this DPA, and the list of Supplier's sub-processors shall be provided pursuant to section 6.1 of this DPA; and
- in relation to Table 4, neither party will be entitled to terminate the UK Approved Addendum in accordance with clause 19 of the UK Mandatory Clauses.
SCHEDULE 3 - Swiss Addendum
In respect of transfers of Personal Data otherwise prohibited by Swiss Data Protection Law:
- The FDPIC will be the competent supervisory authority;
- Data subjects in Switzerland may enforce their rights in Switzerland under Clause 18(c) of the EU SCCs; and
- References in the EU SCCs to the EU GDPR should be understood as references to Swiss Data Protection Law insofar as the data transfers are subject to Swiss Data Protection Law.
SCHEDULE 4 - EU Clauses
For the purposes of this Schedule 4, the EU Clauses (Modules Two and Three), available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN, shall be incorporated by reference to this Schedule and the DPA and shall be considered an integral part thereof, and the Parties’ signatures in the DPA shall be construed as the Parties’ signature to the EU Clauses. In the event of an inconsistency between the DPA and the EU Clauses, the latter will prevail.
For the purposes of the EU Clauses, the following shall apply:
- Customer shall be the data exporter and Supplier shall be the data importer. Each Party agrees to be bound by and comply with its obligations in its role as exporter and importer respectively as set out in the EU Clauses.
- Clause 7 (Docking clause) shall be deemed as included.
- Clause 9 (Use of sub-processors): OPTION 2 – GENERAL WRITTEN AUTHORISATION shall apply. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors as set out in clause 6 of the DPA.
- Clause 11 (Redress): optional clause (optional redress mechanism before an independent dispute resolution body) shall be deemed as not included.
- Clause 17 (Governing law): These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Ireland.
- Clause 18 (b) (Choice of forum and jurisdiction): The Parties agree that any dispute between them arising from the EU Clauses shall be resolved by the courts of Ireland.
Any provision in the EU Clauses relating to liability of the parties with respect to each other shall be subject to the limitations and exclusions of the Supplier Agreement.
Any provision in the EU Clauses relating to the right to audit shall be interpreted in accordance with Clause 5 of the DPA and the Supplier Agreement.
ANNEX I to Schedule 4 to the DPA
A. LIST OF PARTIES
Data exporter(s):
Name: Customer as set out in the Agreement
Address: As set out in the Agreement
Contact person’s name, position and contact details: As set out in the Order Form
Activities relevant to the data transferred under these Clauses: Data exporter will transfer Personal Data to the data importer as required for the provision of Services by the data importer under the Supplier Agreement and as set out in the DPA.
Signature and date: Please refer to signature and date in the DPA.
Role (controller/processor):
☒ Controller ☐ Processor
Data importer(s):
Name: Select Labs Inc.
Address: 2967 Dundas St W #609D, Toronto Ontario M6P1Z2, Canada
Contact person’s name, position and contact details:
- Ian Whitestone
- Co-founder & CEO
- [email protected]
Activities relevant to the data transferred under these Clauses: Data importer will process personal data as required for the provision of Services under the Agreement and as set out in the DPA.
Signature and date: Signature and date in the DPA.
Role (controller/processor):
☐ Controller ☒ Processor
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
See Schedule 1 to the DPA
Categories of personal data transferred
See Schedule 1 to the DPA
Sensitive data transferred (if applicable) and applied restrictions or safeguards
See Schedule 1 to the DPA
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfers will occur from time to time as required during the course of the performance of the Services under the Agreement.
Nature of the processing
See Schedule 1 to the DPA
Purpose(s) of the data transfer and further processing
See Schedule 1 to the DPA
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule 1 to the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Schedule 6 to the DPA
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
Republic of Ireland
ANNEX II - TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See Schedule 5 to the DPA
ANNEX III - LIST OF SUB-PROCESSORS
See Schedule 6 to the DPA
SCHEDULE 5 - Security Measures
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
All policies mentioned below that cover technical and organizational measures including technical and organizational measures to ensure the security of the data can be shared upon request to [email protected].
- Acceptable use policy: measures of security awareness training, background checks, anti-virus, hard drive encryption
- Asset management policy: measures of asset inventory, ownership, hardening standards, media management and transfer
- Backup policy: measures of ensuring event logging
- Business continuity plan: measures of ongoing confidentiality, integrity, availability and resilience of processing systems and services, internal IT and IT security governance and management
- Data classification policy: measures of data minimisation, quality, portability
- Data deletion policy: measures of protection of data and data portability
- Data protection policy: measures of pseudonymisation and encryption of personal data, data during transmission and storage
- Disaster recovery plan: measures of ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- Encryption policy: measures of pseudonymisation and encryption of personal data, outlining minimum encryption of AES-256 with a minimum key size of 256-bit
- Incident response plans: measures of ensuring accountability
- Information security policy: measures of ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services, internal IT and IT security governance and management
- Password policy: measures of internal IT and IT security governance and management
- Physical security policy: measures of physical security of locations at which personal data are processed
- Responsible disclosure policy: measures of ensuring accountability
- Risk assessment policy: measures of internal IT and IT security governance and management
- Software development lifecycle policy: measures of ensuring system configuration, including default configuration
- Supplier code of ethics: measures of internal IT and IT security governance and management
- Systems access control policy: measures of identification and authorisation
- Vendor management policy: measures of ensuring accountability
- Vulnerability management policy: measures of ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
SCHEDULE 6 - Sub-processors
Please reference the sub-processors webpage for a list of sub-processors: https://www.select.dev/subprocessors