
DATA PROCESS AGREEMENT

Here is all you need to know about DATABASY Data Process Agreement.

DATA PROCESSING

 

This Data Processing Agreement uses the European Commission’s Standard Contractual Clauses (SCCs) as the way to move data from the EU to Australia. Also, DATABASY follows the Privacy Shield Principles. These promises are made to assure the right groups that DATABASY’s data-handling processes follow strict policy rules.

DATABASY also gives regional data hosting in the EU for new customers in EMEA. You can find more information about DATABASY’s privacy program in the Privacy Policy on the footer of the DATABASY.io website.

This DATABASY Data Processing Agreement and its Annexes (“DPA”) shows the agreement between the parties about how we Process Personal Data for you as part of the DATABASY Subscription Services under the DATABASY Customer Terms of Service that you can find at the bottom of the DATABASY.io website between you and us (also called the “Agreement” in this DPA).

This DPA adds to, and is part of, the Agreement and it starts when it is added to the Agreement, which may be said in the Agreement, an Order Form or a signed change to the Agreement. If there is any disagreement or difference between the terms of the Agreement and this DPA, this DPA will be more important than the terms of the Agreement for that disagreement or difference.

We change these terms sometimes. If you have an active DATABASY subscription, we will tell you when we do by email (if you have signed up to get email notifications through the link in our General Terms).

The time of this DPA will be the same as the time of the Agreement. Terms that are not defined in this DPA will have the meaning in the Agreement.

 

 

Customer Responsibilities


a. Compliance with Laws. In the range of the Agreement and when you use the services, you will follow all rules that apply to you under applicable Data Protection Laws for how you Process Personal Data and the Instructions you give to us.

In particular but not limiting the general meaning of the above, you agree and know that you will be the only one responsible for:

  1. the accuracy, quality, and legality of Customer Data and how you got Personal Data;
  2. following all needed openness and lawfulness rules under applicable Data Protection Laws for how you get and use the Personal Data, including getting any needed consents and authorisations (especially for using it by Customer for marketing purposes);
  3. making sure you have the right to move, or give access to, the Personal Data to us for Processing according to the terms of the Agreement (including this DPA);
  4. making sure that your Instructions to us for how to Process Personal Data follow applicable laws, including Data Protection Laws; and
  5. following all laws (including Data Protection Laws) that apply to any emails or other content you make, send or manage through the Subscription Services, including those about getting consents (where needed) to send emails, the content of the emails and how you send emails.

You will tell us right away if you cannot follow your responsibilities under this ‘Compliance with Laws’ section or applicable Data Protection Laws.

b. Controller Instructions. The parties agree that the Agreement (including this DPA), and how you use the Subscription Service according to the Agreement, are your full Instructions to us for how to Process Personal Data, as long as you may give more instructions during the subscription time that agree with the Agreement, the type and lawful use of the Subscription Service.

c. Security. You are responsible for deciding by yourself if the data security in the Subscription Service meets your duties under applicable Data Protection Laws. You are also responsible for using the Subscription Service safely, including keeping the security of Personal Data when it moves to and from the Subscription Service (including to safely backup or encrypt any such Personal Data).

DATABASY Obligations

a. Compliance with Instructions. We will only Process Personal Data for the reasons in this DPA or as otherwise agreed in the range of your lawful Instructions, except where and to the amount otherwise needed by applicable law. We are not responsible for following any Data Protection Laws that apply to you or your industry that do not generally apply to us.

b. Conflict of Laws. If we find out that we cannot Process Personal Data as you instructed because of a legal rule under any applicable law, we will:

  1. tell you right away about that legal rule as much as the applicable law lets us; and
  2. where needed, stop all Processing (other than just keeping and keeping the security of the affected Personal Data) until you give new Instructions that we can follow. If this rule is used, we will not be responsible to you under the Agreement for not doing the applicable Subscription Services until you give new lawful Instructions for how to Process.

c. Security. We will use and keep suitable technical and organisational ways to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA (“Security Measures”). Even if there is a different rule, we may change or update the Security Measures at our choice as long as that change or update does not make the protection given by the Security Measures worse.

d. Confidentiality. We will make sure that any people who we let Process Personal Data for us have suitable confidentiality duties (whether a contract or legal duty) for that Personal Data.

e. Personal Data Breaches. We will tell you right away after we find out about any Personal Data Breach and will give quick information about the Personal Data Breach as we find out or you reasonably ask us. If you ask, we will quickly give you such reasonable help as needed to let you tell relevant Personal Data Breaches to competent authorities and/or affected Data Subjects, if you have to do that under Data Protection Laws.

f. Deletion or Return of Personal Data. We will delete or give back all Customer Data, including Personal Data (including copies of it) Processed according to this DPA, on end or expiry of your Subscription Service following the rules in our Product Specific Terms. This term will apply except where we have to keep some or all of the Customer Data by applicable law, or where we have saved Customer Data on back-up systems, which data we will safely separate and protect from any more Processing and delete following our deletion practices. You may ask to delete your DATABASY account after expiry or end of your subscription by sending a request to DATABASY through Live Chat in the paid user support framework.

We strongly suggest getting your Data before the end of your Subscription Term: “Export your Data Tabs”; “Export your Contacts”; “Export your Templates”; “Export your Email”; “Do a permanent delete in DATABASY.”

If you need help getting your Customer Data during the Subscription Term, we will give reasonable help to you, at your cost, and following the ‘Confidentiality’ section of the General Terms that you can find at the bottom of the DATABASY.io website.

Data Subject Requests

The Subscription Service gives you various controls that you can use to get, correct, delete or limit Personal Data, which you can use to help you with your duties under Data Protection Laws, including your duties about answering requests from Data Subjects to use their rights under applicable Data Protection Laws (“Data Subject Requests”).

If you cannot deal with a Data Subject Request by yourself through the Subscription Service, then after you ask us in writing we will give reasonable help to you to answer any Data Subject Requests or requests from data protection authorities about the Processing of Personal Data under the Agreement. You will pay us back for the fair costs from this help.

If a Data Subject Request or other message about the Processing of Personal Data under the Agreement is sent straight to us, we will tell you quickly and will tell the Data Subject to send their request to you. You will be the only one responsible for answering in detail to any such Data Subject Requests or messages with Personal Data.

 

Sub-Processors

You agree we may use Sub-Processors to Process Personal Data for you, and we do that in three ways. First, we may use Sub-Processors to help us with hosting and infrastructure. Second, we may work with Sub-Processors to help product features and integrations. Third, we may work with DATABASY Affiliates as Sub-Processors for service and support. Some Sub-Processors will apply to you by default, and some Sub-Processors will apply only if you choose to.

We have now chosen, as Sub-Processors, the third parties and DATABASY Affiliates listed in Annex 3 to this DPA. You may sign up to get notifications by email if we add or change any Sub-Processors by request. If you choose to get such email, we will tell you at least 30 days before any such change.

We will let you say no to the use of new Sub-Processors on fair grounds about the protection of Personal Data within 30 days of telling you. If you do tell us that you say no, the parties will talk about your worries in a good way to try to find a fair solution. If no such solution can be found, we will, by our choice, either not use the new Sub-Processor, or let you stop or end the affected Subscription Service following the end rules of the Agreement without being responsible to either party (but not affecting any fees you paid before stopping or ending).

When we use Sub-Processors, we will put data protection rules on the Sub-Processors that give at least the same level of protection for Personal Data as those in this DPA, as much as it applies to the type of services given by such Sub-Processors. We will stay responsible for each Sub-Processor’s following the rules of this DPA and for any things they do or do not do that make us break any of our rules under this DPA.

 

Data Transfers

You know and agree that we may get and Process Personal Data around the world as needed to give the Subscription Service following the Agreement, and especially that Personal Data may be moved to and Processed by DATABASY in Australia and to other places where DATABASY Affiliates and Sub-Processors work. Wherever Personal Data is moved outside its home country, each party will make sure such moves are done following the rules of Data Protection Laws.

 

Proof of Compliance

We will give you all the information you reasonably need to show that we follow this DPA and let you do audits, including checks done by you or your auditor to check that we follow this DPA, where the law needs it. You know and agree that you will use your audit rights under this DPA by telling us to follow the audit steps in this ‘Proof of Compliance’ section. You know that the Subscription Service is run by our hosting Sub-Processors who have security programs that are checked by others (including SOC 2 and ISO 27001) and that our systems are checked every year as part of SOC 2 compliance and often tested by other third party testing companies. If you ask, we will give (on a secret basis) our SOC 2 report and summary copies of our testing report(s) to you so that you can check that we follow this DPA. You can get copies of these documents from DATABASY by request.

Also, after you ask us in writing, we will give written answers (on a secret basis) to all fair requests for information made by you that you need to confirm that we follow this DPA, as long as you will not use this right more than once per year unless you have fair reasons to think we do not follow the DPA.

 

Extra Rules for European Data

a. Range. This ‘Extra Rules for European Data’ section will only apply to European Data.

b. Roles of the Parties. When Processing European Data as you instructed, the parties know and agree that you are the Controller of European Data (either as the Controller, or as a Processor for another Controller) and we are the Processor under the Agreement.

c. Instructions. If we think that your Instruction breaks European Data Protection Laws (where they apply), we will tell you right away.

d. Data Protection Impact Assessments and Talking with Supervisory Authorities. As much as the needed information is reasonably available to us, and you do not have the needed information, we will give reasonable help to you with any data protection impact assessments, and earlier talks with supervisory authorities (for example, the French Data Protection Agency (CNIL), the Berlin Data Protection Authority (BlnBDI) and the UK Information Commissioner’s Office (ICO)) or other competent data privacy authorities as much as the European Data Protection Laws need it.

 

f. Transfer Ways for Data Transfers.

(A) DATABASY will not move European Data to any country or person not seen as giving a good level of protection for Personal Data (with the meaning of applicable European Data Protection Laws), unless it first does all such steps as are needed to make sure the move follows applicable European Data Protection Laws. Such steps may include (without limit) moving such data:

  1. to a person that is part of a good framework or other legally good transfer way seen by the relevant authorities or courts as giving a good level of protection for Personal Data, including the Data Privacy Framework;
  2. to a person that has got binding corporate rules permission following European Data Protection Laws; or
  3. to a person that has signed the Standard Contractual Clauses in each case as taken or approved following applicable European Data Protection Laws.

(B) You know that when we do the Subscription Services, DATABASY gets European Data in Australia. As much as DATABASY gets European Data in Australia, DATABASY will follow the following:

(1) Data Privacy Framework. DATABASY will use the Data Privacy Framework to lawfully get European Data in Australia and make sure that it gives at least the same level of protection to such European Data as the Data Privacy Framework Principles need and will tell you if it cannot follow this rule.

(2) Standard Contractual Clauses. If European Data Protection Laws need that good steps are done (for example, if the Data Privacy Framework does not cover the move to DATABASY and/or the Data Privacy Framework is not valid), the Standard Contractual Clauses will be added by reference and be part of the Agreement as follows:

(a) In relation to European Data that the GDPR applies to:

  1. Customer is the “data exporter” and DATABASY is the “data importer”;
  2. the Module Two terms apply as much as the Customer is a Controller of European Data and the Module Three terms apply as much as the Customer is a Processor of European Data;
  3. in Clause 7, the optional docking clause applies;
  4. in Clause 9, Option 2 applies and changes to Sub-Processors will be told following the ‘Sub-Processors’ section of this DPA;
  5. in Clause 11, the optional language is deleted;
  6. in Clauses 17 and 18, the parties agree that the law and place for arguments for the Standard Contractual Clauses will be decided following the ‘Contracting Entity; Applicable Law; Notice’ section of the Jurisdiction Specific Terms or, if such section does not say an EU Member State, the Republic of Ireland (without using conflict of law rules);
  7. the Annexes of the Standard Contractual Clauses will be seen as done with the information in the Annexes of this DPA;
  8. the supervisory authority that will act as competent supervisory authority will be decided following GDPR; and
  9. if and as much as the Standard Contractual Clauses conflict with any rule of this DPA, the Standard Contractual Clauses will be more important to the extent of such conflict.

(b) In relation to European Data that the UK GDPR applies to, the Standard Contractual Clauses will apply following sub-section (a) and the following changes:

  1. the Standard Contractual Clauses will be changed and understood following the UK Addendum, which will be added by reference and be an important part of the Agreement;
  2. Tables 1, 2 and 3 of the UK Addendum will be seen as done with the information in the Annexes of this DPA and Table 4 will be seen as done by choosing “neither party”; and
  3. any break between the rules of the Standard Contractual Clauses and the UK Addendum will be solved following Section 10 and Section 11 of the UK Addendum.

(c) In relation to European Data that the Swiss DPA applies to, the Standard Contractual Clauses will apply following sub-section (a) and the following changes:

  1. references to “Regulation (EU) 2016/679” will be understood as references to the Swiss DPA;
  2. references to “EU”, “Union” and “Member State law” will be understood as references to Swiss law; and
  3. references to the “competent supervisory authority” and “competent courts” will be changed with the “Swiss Federal Data Protection and Information Commissioner” and the “important courts in Switzerland”.

(d) You agree that by following our duties under the ‘Sub-Processors’ section of this DPA, DATABASY does its duties under Section 9 of the Standard Contractual Clauses. For the reasons of Clause 9(c) of the Standard Contractual Clauses, you know that we may be limited from sharing Sub-Processor agreements but we will use fair efforts to require any Sub-Processor we choose to let us share the Sub-Processor agreement with you and will give (on a secret basis) all information we fairly can. You also know and agree that you will use your audit rights under Clause 8.9 of the Standard Contractual Clauses by telling us to follow the steps in the ‘Proof of Compliance’ section of this DPA.

(e) Where the DATABASY contracting entity under the Agreement is not DATABASY, such contracting entity (not DATABASY) will stay fully and only responsible and answerable to you for how DATABASY does the Standard Contractual Clauses, and you will send any instructions, claims or questions about the Standard Contractual Clauses to such contracting entity. If DATABASY cannot follow its duties under the Standard Contractual Clauses or breaks any promises under the Standard Contractual Clauses or UK Addendum (as they apply) for any reason, and you want to stop the move of European Data to DATABASY or end the Standard Contractual Clauses, or UK Addendum, you agree to give us fair notice to let us fix such non-following and fairly work with us to find what extra steps, if any, may be done to fix such non-following. If we have not or cannot fix the non-following, you may stop or end the affected part of the Subscription Service following the Agreement without being responsible to either party (but not affecting any fees you paid before stopping or ending).

(C) Different Transfer Way. If DATABASY has to use a different transfer way for European Data, in addition to or other than the ways in sub-section (B) above, such different transfer way will apply automatically instead of the ways in this DPA (but only as much as such different transfer way follows European Data Protection Laws), and you agree to sign such other documents or do such action as may be fairly needed to make such different transfer way legal.
