22 Apps Data Processing Addendum
Last updated September 28, 2020
The purpose of this Addendum is to set out your and 22 Apps’ obligations in relation to any processing of personal data carried out as part of the Agreement. To the extent that there is any conflict between this Addendum and the Agreement, the terms of this Addendum will take precedence with respect to the parties’ obligations in relation to processing of personal data.
a) In this Addendum:
i) “Data Protection Regulations” means all laws applicable to any personal data processed under or in connection with the Agreement, including: (a) the Privacy and Electronic Communications Directive 2002/58/EC; (b) the GDPR; (c) the Data Protection Act 2018 and all other national legislation implementing or supplementing any of the foregoing; and (d) all associated codes of practice and other binding guidance issued by any competent regulator; all as amended, re-enacted or replaced and in force from time to time;
ii) “GDPR” means the General Data Protection Regulation 2016/679; and
iii) “Services” means any services to be provided under the Agreement.
b) When used in this Addendum, the following terms will have the same meaning as in the Data Protection Regulations: (i) personal data; (ii) data controller; (iii) data processor; (iv) processing; and (v) supervisory authority.
a) Under the Agreement, 22 Apps may provide you with Services in relation to any one or more of (i) online visual drag-and-drop app builder; (ii) online educational resources and training materials; and (iii) support and maintenance.
b) This may involve the processing of personal data by 22 Apps on your behalf as part of the provision of the relevant Services, including personal data relating to your customers, users or subscribers or other individuals with whom you deal in the course of your business.
3) Description of Processing
The processing to be carried out by 22 Apps is as follows: (i) the nature and subject matter of the processing are as described in 2(a) and the duration of the processing will be throughout the period within which 22 Apps performs the relevant Services under the Agreement; (ii) the purpose of the processing is to enable 22 Apps to perform the relevant Services under the Agreement; (iii) the personal data to be processed will be any personal data you provide in order to enable or facilitate the provision of the Services by 22 Apps under the Agreement as described in Section 2(a), and the categories of data subjects are as described in Section 2(b); and (iv) the obligations and rights of the data controller in relation to the processing are set out below.
4) Compliance with the Data Protection Regulations
The parties will comply (and will ensure that their personnel and subcontractors comply) with the Data Protection Regulations.
5) Relationship and Roles of the Parties
a) In relation to the processing of personal data under the Agreement, the parties acknowledge and agree that (i) you are the data controller and (ii) 22 Apps is the data processor.
b) 22 Apps agrees that it will process the personal data in accordance with the terms of the Agreement, including this Addendum.
6) Responsible Individuals and Enquiries
Each party will notify the other of the individual within its organization authorised to respond from time to time to enquiries regarding the personal data and the processing which is the subject of the Agreement. Each party will deal promptly and reasonably with all such enquiries.
7) Processing of Personal Data by 22 Apps
a) In relation to the processing of personal data under the Agreement, 22 Apps will:
i) process the personal data only to the extent necessary in order to provide the Services and then only in accordance with (i) the terms of the Agreement and (ii) your written instructions from time to time as provided in accordance with Section 7(c), unless otherwise required by law. Where 22 Apps is required by law to process the personal data otherwise than as provided by the Agreement, it will notify you before carrying out the processing concerned (unless the law also prevents 22 Apps from doing so);
ii) implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed under the Agreement;
iii) take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the personal data will respect and maintain all due confidentiality in relation to the personal data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law);
iv) not engage any sub-processors in the performance of the Services without your prior written consent and otherwise in accordance with Section 8 at all times;
v) not do, or omit to do, anything which would cause you to be in breach of your obligations under the Data Protection Regulations; and
vi) promptly notify you if, in 22 Apps’s opinion, any instruction given to 22 Apps infringes the Data Protection Regulations.
b) Where applicable in respect of any personal data processed under the Agreement, 22 Apps will co-operate with and assist you in ensuring compliance with:
i) your obligations to respond to requests from any data subject(s) seeking to exercise their rights under Chapter III of the GDPR, including by notifying you of any written subject access requests 22 Apps receives relating to your obligations under the Data Protection Regulations; and
ii) your obligations under Articles 32 – 36 of the GDPR to: (a) ensure the security of the processing; (b) notify the relevant supervisory authority, and any data subject(s), where relevant, of any breaches relating to personal data; (c) carry out any data protection impact assessments of the impact of the processing on the protection of personal data; and (d) consult the relevant supervisory authority prior to any processing where any data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by you to mitigate the risk.
c) You hereby instruct 22 Apps to process personal data to provide the Services in accordance with the Agreement (including this Addendum). You may provide additional instructions to 22 Apps to process personal data in writing; however, 22 Apps will be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this Addendum.
a) You hereby agree and provide a general prior authorisation that 22 Apps and its affiliates may engage sub-processors.
b) 22 Apps will ensure that any sub-processor it engages to provide any services on its behalf in connection with the Agreement does so only on the basis of a written agreement that is no less protective than this DPA. 22 Apps will be liable for any act or omission of the sub-processor to the same extent as if the act or omission were performed by 22 Apps.
c) A list of 22 Apps’s main sub-processors is available via email at support [at] 22apps [dot] com. Where you have given a general authorisation to 22 Apps to engage sub-processors, then prior to engaging a new sub-processor under the general authorisation 22 Apps will notify you of any changes that are made and, subject to Section 8.4, give you an opportunity to object to them.
d) This Section 8(d) will apply only where and to the extent that you are established within the European Economic Area, the United Kingdom or Switzerland or where otherwise required by Data Protection Regulations applicable to you. In such event, if you object on reasonable grounds relating to data protection to 22 Apps’s use of a new sub-processor you will promptly, and within 15 days following 22 Apps’s notification pursuant to Section 8(c), provide written notice of such objection to 22 Apps. Should 22 Apps choose to retain the objected-to sub-processor, 22 Apps will notify you at least 15 days before authorising the sub-processor to process personal data and you may terminate the relevant portion(s) of the Services within 30 days. Upon any termination by you pursuant to this Section 8(c), 22 Apps will refund to you any prepaid fees for the terminated portion(s) of the Service that were to be provided after the effective date of termination.
9) Monitoring of 22 Apps’s Performance
You are, at your expense, entitled to monitor and audit 22 Apps’s compliance with the Data Protection Regulations and its obligations in relation to data processing under the Agreement at any time during normal business hours not more than once per year. 22 Apps agrees to provide you promptly with all access, assistance and information that is reasonably necessary to enable the monitoring and audits concerned. If you believe that an on-site audit is necessary, 22 Apps agrees to give you, on reasonable notice, reasonable access to its premises (subject to any reasonable confidentiality and security measures), and to any stored personal data and data processing programs it has onsite. You are entitled to have the audit carried out by a third party.
10) Completion of Services
Upon completion of the Services, 22 Apps will return or delete all personal data processed under the Agreement in accordance with the applicable provisions of the Agreement, except to the extent that 22 Apps is required by law to retain any copies of the personal data.
Your remedies with respect to any breach by 22 Apps of the terms of this Addendum and the overall aggregate liability of 22 Apps arising out of, or in connection with the Agreement (including this Addendum) will be subject to any aggregate limitation of liability that has been agreed between the parties under the Agreement (the “Limit of Liability”). For the avoidance of doubt, the parties intend and agree that the overall aggregate liability of 22 Apps and its affiliates arising out of, or in connection with the Agreement (including this Addendum) will in no event exceed the Limit of Liability.