This Data Processing Agreement (the "DPA") is made by and between Select Labs Inc. ("SELECT") and the entity identified as Customer ("Customer") in the SELECT Order Form or any other agreement between Customer and SELECT for the purchase of Services (in each case, the "Agreement"). This DPA is incorporated into the Agreement between SELECT and Customer. This DPA shall be effective for so long as SELECT Processes Customer Personal Data. This DPA includes and incorporates by reference the annexes and addenda referenced at the bottom of this document. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1.1 Adequate Country: means a country or territory recognised as providing an adequate level of protection for Personal Data under an adequacy decision made, from time to time, by (as applicable) (i) the Information Commissioner’s Office and/or under applicable UK law (including the UK GDPR), or (ii) the European Commission under the EU GDPR, or (iii) the Swiss Federal Data Protection Authority under Swiss Data Protection Law.
1.2 Data Protection Laws: means: (a) in the European Union, the General Data Protection Regulation 2016/679 (the “GDPR”), (b) in the UK, the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the “UK GDPR”) and the Data Protection Act 2018, or (c) Swiss Data Protection Law.
1.3 Data Subject Request: means a request from or on behalf of a data subject to exercise any rights in relation to their Personal Data under Data Protection Laws.
1.4 EEA: means the European Economic Area.
1.5 EU Clauses: means the standard contractual clauses for international transfers of personal data to third countries set out in the European Commission's Decision 2021/914 of 4 June 2021 (at http://data.europa.eu/eli/dec_impl/2021/914/oj) incorporating Module Two for Controller to Processor transfers and which form part of this DPA in accordance with Schedule 4.
1.6 Personal Data: means all personal data which is uploaded into the Services by Customer and accessed, stored or otherwise processed by Supplier as a processor.
1.7 Security Breach: means any breach of security or other action or inaction leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data by any of Supplier’s staff or sub-processors, or any other identified or unidentified third party.
1.8 "Services": means the Services as such term is defined in the Agreement.
1.9 Supervisory Authority: means in the UK, the Information Commissioner’s Office (“ICO”) (and, where applicable, the Secretary of State or the government), and in the EEA, an independent public authority established pursuant to the GDPR.
1.10 Swiss Data Protection Law: means the Swiss Federal Data Protection Act of 19 June 1992 and, when in force, the Swiss Federal Data Protection Act of 25 September 2020 and its corresponding ordinances as amended, superseded or replaced from time to time.
1.11 Swiss Addendum: means the addendum set out in Schedule 3.
1.12 UK: means the United Kingdom.
1.13 UK Approved Addendum: means the template Addendum B.1.0 issued by the UK's Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 of the UK on 2 February 2022, and expected to be in force on 21 March 2022.
1.14 UK Mandatory Clauses: means the Mandatory Clauses of the UK Approved Addendum, as updated from time to time and/or replaced by any final version published by the Information Commissioner's Office.
1.15 UK GDPR: means the EU GDPR as implemented into the law of the United Kingdom by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 and the Data Protection Act 2018.
1.16 "controller", "data subject", "personal data" and "processor", have the meanings ascribed to them in the Data Protection Laws.
1.17 Any defined terms which are not defined in this DPA are as defined in the Agreement.
2.1 Customer is the controller of Personal Data, and Supplier is the processor of Personal Data. Each party will comply (and will procure that any of its personnel comply and use commercially reasonable efforts to procure that its sub-processors comply), with Data Protection Laws applicable to such party in the processing of Personal Data. As between the parties, Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which the Personal Data was acquired.
3.1 The Subject matter, nature and purposes of the processing, duration, types of Personal Data and categories of Data Subject are as set out in Schedule 1.
3.2 Processing by Supplier. As a processor, Supplier will only process Personal Data (i) in order to provide the Services to Customer or (ii) per Customer’s instructions in writing or via the Services. Supplier will notify Customer (unless prohibited by applicable law) if it is required under applicable law to process Personal Data other than pursuant to Customer’s instructions. Supplier will, as soon as reasonably practicable upon becoming aware, inform the Customer if, in Supplier’s opinion, any instructions provided by the Customer under clause 3 infringe applicable Data Protection Laws. Upon termination of the Agreement and upon written request of the Customer, Supplier will return or delete the Personal Data, unless required by law to continue to store a copy of the Personal Data.
4.1 Supplier will implement appropriate technical and organizational measures of security appropriate to the risks that are presented by the processing of Personal Data, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data as set out in Schedule 5.
4.2 Supplier will take reasonable steps to ensure that only authorised personnel have access to Personal Data and that any persons whom it authorizes to access the Personal Data are under obligations of confidentiality.
5.1 Security Breaches. Supplier will notify Customer of any Security Breach without undue delay.
5.2 Data Subject Requests. To the extent legally permitted, Supplier will promptly notify Customer if it receives a Data Subject Request. Supplier will not respond to a Data Subject Request, provided that Customer agrees Supplier may at its discretion respond to confirm that such request relates to Customer. Customer acknowledges and agrees that the Services may include features which will allow Customer to manage Data Subject Requests directly through the Services without additional assistance from Supplier. If Customer does not have the ability to address a Data Subject Request, Supplier will, upon Customer’s written request, provide reasonable assistance to facilitate Customer’s response to the Data Subject Request to the extent such assistance is consistent with applicable law.
5.3 Further Assistance. Taking into account the nature of processing and the information available to Supplier, Supplier will provide such assistance as Customer reasonably requests in relation to Customer’s obligations under Data Protection Laws with respect to (i) data protection impact assessments, (ii) notifications to the Supervisory Authority under Data Protection Laws and/or communications to data subjects by the Customer in response to a Security Breach, or (iii) Customer’s compliance with its obligations under the GDPR or UK GDPR (as applicable) with respect to the security of processing.
6.1 Customer grants a general authorisation to Supplier to appoint its Affiliates or third parties as sub-processors to support the performance of the Services, including data centre operators, cloud-based software providers, and other outsourced support and service providers. Supplier will maintain a list of sub-processors and will add the names of new and replacement sub-processors to the list prior to them starting sub-processing of Personal Data. If Customer has a reasonable objection to any new or replacement sub-processor based on the replacement sub-processor’s compliance with the security and privacy protections of applicable Data Protection Law, it shall notify Supplier of such objections in writing within 15 days of the notification and the parties will seek to resolve the matter in good faith. If Customer is not reasonably satisfied that the sub-processor meets the security and privacy protections of applicable Data Protection Law then Customer as its sole remedy may, within such 15-day period, terminate the Agreement. Supplier may use a new or replacement sub-processor whilst the objection procedure in this clause 6.1 is in process.
6.2 Supplier will enter into a written contract with each sub-processor which imposes on such sub-processor terms no less protective of Personal Data than those imposed on Supplier in this DPA (the “Relevant Terms”). Supplier shall be liable to Customer for any breach by such sub-processor of any of the Relevant Terms to the extent required under Data Protection Law.
6.3 Schedule 6 contains the details of any sub-processors that may receive Personal Data from Supplier and which are not based in the UK or the EEA.
7.1 Customer agrees that its use of the Services will involve the transfer of Personal Data to, and processing of Personal Data in, locations outside of the UK and/or EEA from time to time, such as for purposes of providing support to Customer, including processing in the United States.
7.2 UK transfers:
7.2.1 To the extent Personal Data is transferred to Supplier and processed by or on behalf of Supplier outside the UK (except if in an Adequate Country) in circumstances where such transfer would be prohibited by UK GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the UK Approved Addendum will apply. The UK Approved Addendum is incorporated into this DPA.
7.2.2 Schedule 2 references the information required by Tables 1 to 4 inclusive of the UK Approved Addendum.
7.3 EU transfers:
7.3.1 To the extent Personal Data is transferred to Supplier and processed by or on behalf of Supplier outside the EEA (except if in an Adequate Country) in circumstances where such transfer would be prohibited by EU GDPR in the absence of a transfer mechanism, the parties agree that the EU Clauses will apply in respect of that processing and are incorporated into this DPA in accordance with Schedule 4.
7.3.2 Schedule 4 contains the information required by the EU Clauses.
7.4 Swiss transfers:
7.4.1 To the extent Personal Data is transferred to Supplier and processed by or on behalf of Supplier outside Switzerland (except if in an Adequate Country) in circumstances where such transfer would be prohibited by Swiss Data Protection Laws in the absence of a transfer mechanism, the parties agree that the EU Clauses subject to the Swiss Addendum will apply in respect of that processing. The Swiss Addendum is incorporated into this DPA in Schedule 3.
7.4.2 Schedule 4 contains the information required by the EU Clauses, including for the purposes of transfers to which this clause 7.4 applies.
7.5 Supplier may (i) replace the EU Clauses, the Swiss Addendum and/or the UK Approved Addendum generally or in respect of the EEA, Switzerland and/or the UK (as appropriate) with any alternative or replacement transfer mechanism in compliance with applicable Data Protection Laws, including any further or alternative standard contractual clauses approved from time to time and (ii) make reasonably necessary changes to this DPA by notifying Customer of the new transfer mechanism or content of the new standard contractual clauses (provided their content is in compliance with the relevant decision or approval), as applicable.
8.1 Supplier will, subject to the confidentiality terms in the Agreement, provide Customer such information in Supplier's possession or control as may be necessary to demonstrate compliance with its obligations under this DPA or in order to respond to requests from an applicable Supervisory Authority. Customer agrees to thoroughly review and provide due consideration to such third-party certifications, audits or reports (such as SOC II or ISO 27001) as Supplier may provide in order to demonstrate its compliance with its obligations under this DPA before making any request for additional information or inspection hereunder.
8.2 Where Customer, acting reasonably, can demonstrate an actual or reasonably suspected material breach by Supplier of this DPA in relation to the Personal Data or that a competent supervisory authority requires it, Customer may itself through appropriately qualified security personnel conduct, or commission a third party auditor to conduct, a data security audit on the terms set out below. Supplier will fully cooperate with such audit requests by providing access to relevant knowledgeable personnel and documentation.
8.3 Audits will: (a) be on no less than fourteen days’ prior written notice to Supplier unless otherwise agreed; (b) be conducted during normal business hours; (c) not unreasonably interfere with Supplier's business activities; (d) not take place more than once in any year except where required at law or as agreed between the parties; (e) be subject to Supplier's reasonable security restrictions (e.g., sign-in requirements, badge requirements, escort requirements); (f) not compromise the security of (or grant access to) any data that is not Personal Data; and (g) be at Customer's sole cost and expense.
8.4 The appointment of Customer's auditor(s) and any third party auditor will be subject to Supplier's prior written consent (not to be unreasonably withheld) and, where a third party is appointed, the agreement of non-disclosure terms between Supplier and such third party.
9.1 Conflicts. This DPA is without prejudice to the rights and obligations of the parties under the Agreement which shall continue to have full force and effect. In the event of any conflict between the terms of this DPA and the terms of the Agreement, the terms (including definitions) of this DPA shall prevail so far as the subject matter concerns the processing of Personal Data. This DPA sets out all of the terms that have been agreed between the parties in relation to the subjects covered by it. Other than in respect of statements made fraudulently, no other representations or terms shall apply or form part of this DPA.
9.2 Limitation of Liability. Supplier’s maximum aggregate liability to Customer under or in connection with this DPA shall not under any circumstances exceed the maximum aggregate liability of Supplier to the Customer as set out in the Agreement.
9.3 Governing Law; Venue. Without prejudice to the provisions of the EU Clauses, Swiss Addendum and the UK Approved Addendum addressing the law which governs them, this DPA shall be governed by and construed in accordance with the laws which govern the Agreement and the venue(s) for disputes and claims under the Agreement shall also apply to disputes and claims under this DPA.
For the purposes of clause 3 of the DPA and Schedules 2 and 3, the parties set out below a description of the Personal Data being processed under the Agreement and further details required pursuant to the Data Protection Laws.
Subject Matter of the Processing | Supplier's provision of access to the Services to Customer. |
Nature and Purpose of Processing | Personal Data that Customer in its discretion uploads into the Services, typically including: |
Sensitive Personal Data and Applied Restrictions | None. |
Categories of Data Subject | Authorised end users and employees about whom Personal Data is provided to Supplier via the Services by, or at the direction of, Customer. |
Duration of Processing | For the duration of the Agreement, or until the processing is no longer necessary for the purposes. |
For the purposes of the UK Approved Addendum,
In respect of transfers otherwise prohibited by Swiss Personal Data:
Data exporter(s):
Name: Customer as set out in the Agreement
Address: As set out in the Agreement
Contact person’s name, position and contact details: As set out in the Order Form
Activities relevant to the data transferred under these Clauses: Data exporter will transfer Personal Data to the data importer as required for the provision of Services by the data importer under the Supplier Agreement and as set out in the DPA.
Signature and date: Please refer to signature and date in the DPA.
Role (controller/processor):
☒ Controller ☐ Processor
Data importer(s):
Name: Select Labs Inc.
Address: 2967 Dundas St W #609D, Toronto Ontario M6P1Z2, Canada
Contact person’s name, position and contact details:
Activities relevant to the data transferred under these Clauses: Data importer will process personal data as required for the provision of Services under the Agreement and as set out in the DPA.
Signature and date: Signature and date in the DPA.
Role (controller/processor):
☐ Controller ☒ Processor
Categories of data subjects whose personal data is transferred
See Schedule I to the DPA
Categories of personal data transferred
See Schedule I to the DPA
Sensitive data transferred (if applicable) and applied restrictions or safeguards
See Schedule I to the DPA
Frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Transfers will occur from time to time as required during the course of the performance of the Services under the Agreement.
Nature of the processing
See Schedule 1 to the DPA
Purpose(s) of the data transfer and further processing
See Schedule 1 to the DPA
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
See Schedule 1 to the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
See Schedule 6 to the DPA
Identify the competent supervisory authority/ies in accordance with Clause 13:
Republic of Ireland
ANNEX I – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
See Schedule 5 to the DPA
ANNEX II – LIST OF SUB-PROCESSORS
See Schedule 6 to the DPA
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
All policies mentioned below that cover technical and organizational measures including technical and organizational measures to ensure the security of the data can be shared upon request to [email protected].
Please reference the subprocessors webpage for a list of subprocessors: https://www.select.dev/subprocessors