Need Help? We are right here!
(A) Customer acts as a Data Controller. Xecurify offers a suite of Software-as-Service (SaaS) applications, products and services provided as Xecurify-hosted or Self Hosted Services.
(B) Customer wishes to contract certain Services, which may include processing of Customer’s Personal Data to Xecurify.
(C) This Data Processing Addendum (the “DPA”) explains Xecurify’s privacy and security commitments and enables it to demonstrate compliance with applicable Privacy Laws.
(D) The parties agree to comply with the following provisions with respect to Personal Data, each acting reasonably and in good faith.
All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Customers shall, at all times Process Personal Data, and provide instructions for the Processing of Personal Data in compliance with the Data Privacy Laws. Customers shall ensure that its Instructions comply with all laws, rules and regulations applicable in relation to the Personal Data and that the Processing of Personal Data in accordance with Customer’s Instructions will not cause Xecurify to be in breach of the Data Privacy Laws. Customer is solely responsible for the accuracy, quality and legality of (i) Personal Data provided to Xecurify by or on behalf of Customer, (ii) the means by which Customer acquired any such personal Data, and (iii) the Instructions it provides to Xecurify regarding the Processing of such Personal Data. Customer shall not provide or make available to Xecurify any Personal Data in violation of the Agreement or which is otherwise inappropriate for the nature of the Service, and shall indemnify Xecurify from all claims and losses in connection therewith.
Xecurify shall Process Personal Data only (i) for purposes set forth in the Agreement, (ii) in accordance with the terms and conditions set forth in this DPA and any other documented Instructions provided by Customer, and (iii) in compliance with the Directive and the GDPR. Customer hereby instructs Xecurify to Process Personal Data in accordance with the foregoing and as part of any Processing initiated by Customer in its use of Service.
Customer may transfer Personal Data to Xecurify, the extent of which is determined in Customer’s sole discretion, and which may include Personal Data relating to: the following categories of Data Subjects: (i) the Customer's Authorized Individuals, employees, contractors or other Representatives, and (ii) Customer’s end users/customers.
The Personal Information Customer provides is used for such purposes as answering questions, improving the content of the website,customizing the content, and communicating with the Visitors about Xecurify’s Services, including releases. This information helps to categorize the question, track potential problems and trends and customize Xecurify’s support responses to better serve the Customer. Xecurify shall keep Personal Data confidential and shall only Process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (i) Processing in accordance with the Agreement and applicable Order Form(s); (ii) Processing initiated by Users in their use of the Service; and (iii) Processing to comply with other documented, reasonable instructions provided by Customer (for example, via email) where such instructions are consistent with the terms of the Agreement.
Xecurify shall not be required to comply with or observe Customer’s instructions if such instructions would violate the GDPR or other EU law or EU member state data protection provisions.
The subject-matter of the Processing of Personal Data by Xecurify is the performance of the Service pursuant to the Agreement, Identity and access management and related services pursuant to the Agreement. The duration of the Processing shall be for the Term of the Agreement. Personal Data within the Service post-termination of the Agreement will be retained and deleted in accordance with the Documentation. Sub-processors may only Process Personal Data as necessary for the performance of the Service pursuant to the Agreement and for the duration of the Agreement.
The Customer may transfer the following types of Personal Data for the purposes set out in this DPA:
To the extent legally permitted, Xecurify shall promptly notify Customer if Xecurify receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Factoring into account the nature of the Processing, Xecurify shall assist Customer by appropriate organizational and technical measures, in so far as this is possible, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Service, does not have the ability to address a Data Subject Request, Xecurify shall, upon Customer’s request, provide commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent that Xecurify is legally authorized to do so, and the response to such Data Subject Request is required under Data Protection Laws and Regulations. To the extent legally permitted, Customer shall be responsible for any costs arising from Xecurify’s provision of such assistance.
Xecurify shall use commercially reasonable measures to ensure the reliability and training of any employee, agent or contractor of any Authorized Employee or its personnel who may access the Personal Data. Xecurify shall ensure that Authorized Employees or its personnel are aware of the Confidential Information nature of the Personal Data and are bound by confidentiality agreements to Xecurify, during and after their engagement with Xecurify. Xecurify shall use commercial reasonable measures to limit access to Personal Data to only Authorized Individuals.
Customer acknowledges and agrees that (a) Xecurify’s Affiliates may be retained as Sub-processors; and (b) Xecurify and Xecurify’s Affiliates respectively may engage third-party Sub-processors in connection with the provision of the Service. Xecurify shall provide notification of a new Sub-processor(s) before authorizing any new Subprocessor(s) to process Personal Data in connection with the provision of the applicable Service.
Xecurify’s Subprocessor : Amazon Web Service(AWS)
In order to exercise its right to object to Xecurify’s use of a new Sub-processor, Customer shall notify Xecurify promptly in writing within ten (10) business days after receipt of Xecurify’s notice in accordance with the mechanism set out above. In the event Customer objects to a new Sub-processor, and that objection is not unreasonable, Xecurify will use reasonable efforts to make available to Customer a change in the Service or recommend a commercially-reasonable change to Customer’s configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor without unreasonably burdening the Customer. If Xecurify is unable to make available such change within a reasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those aspects of the Service which cannot be provided by Xecurify without the use of the objected-to new Sub-processor by providing written notice to Xecurify. Xecurify will refund Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Service.
Customer acknowledges and agrees that Xecurify may engage Sub-processors as described in this Section for the fulfillment of Xecurify’s obligations under Clause 9(a) of the Standard Contractual Clauses. The parties agree that the copies of the Sub-processor agreements that must be provided by Xecurify to Customer pursuant to Clause 9(c) of the Standard Contractual Clauses may have all commercial information, or clauses unrelated to the Standard Contractual Clauses or their equivalent, removed by Xecurify beforehand to protect business secrets or other confidential information; and, that such copies will be provided by Xecurify, in a manner to be determined in its discretion, only upon request by Customer.
Xecurify shall be liable for the acts and omissions of its Sub-processors to the same extent Xecurify would be liable if performing the services of each Sub-processor directly under the terms of this DPA, except as otherwise set forth in the Agreement.
Xecurify shall maintain appropriate organizational and technical measures for protection of the security (including protection against unauthorized or unlawful Processing, and against unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Customer Data), confidentiality, and integrity of Customer Data. Xecurify regularly monitors compliance with these measures. Xecurify will not materially decrease the overall security of the Service during a subscription term.
Xecurify has in place reasonable and appropriate security incident management policies and procedures, and shall notify Customer without undue delay after becoming aware of the unlawful or accidental destruction, alteration or damage or loss, unauthorized disclosure of, or access to, Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Xecurify or its Sub-processors of which Xecurify becomes aware (hereinafter, a “Customer Data Incident”). Xecurify shall make reasonable efforts to identify the cause of such Customer Data Incident, and take those steps as Xecurify deems necessary and reasonable in order to remediate the cause of such a Customer Data Incident, to the extent that the remediation is within Xecurify’s reasonable control. The obligations set forth herein shall not apply to incidents that are caused by either Customer or Customer’s Users.
Xecurify shall return Customer Data to Customer and, to the extent allowed by applicable law, delete Customer Data, unless the retention of the data is requested from Xecurify according to mandatory statutory laws.
The parties agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliate(s), thereby establishing a separate DPA between Xecurify and each such Authorized Affiliate, subject to the provisions of the Agreement. Each Authorized Affiliate agrees to be bound by the obligations under this DPA and, to the extent applicable, the Agreement. An Authorized Affiliate is not and does not become a party to the Agreement, and is only a party to the DPA. All access to and use of the Service by Authorized Affiliate(s) must comply with the terms and conditions of the Agreement and any violation thereof by an Authorized Affiliate shall be deemed a violation by Customer.
The Customer that is the contracting party shall be responsible for coordinating all communication with Xecurify under this DPA, and shall be entitled to transmit and receive any communication in relation to this DPA on behalf of its Authorized Affiliate(s).
Xecurify takes reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who may come into contact with, or otherwise have access to and Process, Personal Data; ensure persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; and ensure that such personnel are aware of their responsibilities under this Data Protection Addendum and any Data Protection Laws (or Company’s own written binding policies are at least as restrictive as this Data Protection Addendum).
The Standard Contractual Clauses apply to: (i) the legal entity that has executed the Standard Contractual Clauses as a data exporter and its Authorized Affiliates and, (ii) all Affiliates of Customer established within the European Economic Area, Switzerland and the United Kingdom, which have signed Order Forms for the Service. For the purpose of the Standard Contractual Clauses the aforementioned entities shall be deemed “data exporters.” If necessary to fulfill its legal obligations, Customer may share a copy of the attached Standard Contractual Clauses with Data Subjects.
Subject to the confidentiality obligations set forth in the Agreement, Xecurify performs internal security audits periodically, and upon the request from the customer, can make available the audit reports to the customer.. Customers can perform third party security audits through independent Third Party Auditors of their choice, charges and expenses for such audits shall be borne by the customer. Before the commencement of any such audit, Customer and Xecurify shall mutually agree upon the scope, timing, and duration of the audit.
The total liability of each of Customer and Xecurify (and their respective employees, directors, officers, affiliates, successors, and assigns), arising out of or related to this Agreement, whether in contract, tort, or other theory of liability, shall not, when taken together in the aggregate, exceed the limitation of liability set forth in the Agreement.
Claims from one party due to the other party’s non-compliance with this DPA shall be subject to the same limitations as in the Customer Use Agreement. In assessing whether the limitation is reached, claims under this Agreement and the Customer Use Agreement shall be viewed in conjunction, and the limitation in the Customer Use Agreement shall be viewed as a total limitation.