This Data Processing Agreement (“DPA”) is made and entered into as of this ____ day of ________ and forms part of our End User License Agreement (available at https://www.controlup.com/privacy-policy/controlup-eula/) (the “Agreement”). You acknowledge that you, on your own behalf as an individual and on behalf of ___________ incorporated under ____________ law, with its principal offices located at ____________________ (“Organization”) (collectively, “You”, “Your”, “Customer”, or “Data Controller”) have read and understood and agree to comply with this DPA, and are entering into a binding legal agreement with ControlUp as defined below (“ControlUp”, “Us”, “We”, “Our”, “Service Provider” or “Data Processor”) to reflect the Parties’ agreement with regard to the Processing of Personal Data (as such terms are defined below) of European individuals, including Swiss citizens. Both parties shall be referred to as the “Parties” and each, a “Party”.
WHEREAS, ControlUp shall provide services of performance monitoring, troubleshooting, analytics and management of multiple types of IT infrastructures (collectively, the “Services”) for Customer, as described in the Agreement; and
WHEREAS, in the course of providing the Services pursuant to the Agreement, we may process Personal Data on your behalf, in the capacity of a “Data Processor”; and the Parties wish to set forth the arrangements concerning the processing of Personal Data within the context of the Services and agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith.
NOW THEREFORE, in consideration of the mutual promises set forth herein and other good and valuable consideration, the receipt and sufficiency of which are hereby acknowledged by the Parties, the parties, intending to be legally bound, agree as follows:
If Data Processor receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, right to be informed, erasure (“right to be forgotten”), restriction of Processing, data portability, right to object, or its right not to be subject to automated individual decision making, including profiling (“Data Subject Request”), Data Processor shall, to the extent legally permitted, promptly forward such Data Subject Request to Customer and reasonably assist Customer.
Data Processor shall grant access to the Personal Data to persons under its authority (including, without limitation, its personnel) only on a need to know basis and ensure that such persons engaged in the Processing of Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Data Processor’s current list of Sub-processors is included in Schedule 2 (“Sub-processor List”) and is hereby approved by Data Controller. Data Controller hereby grants general authorization to Data Processor to engage new Sub-processors by notifying Data Controller of the intended change or addition thirty (30) days before the new Sub-processor will be implemented. This Section 5 shall not apply to subcontractors of ControlUp which provide ancillary services to support the performance of the DPA. This includes, for example, telecommunication services, maintenance and user service, cleaning staff, or auditors.
Customer may reasonably object to Data Processor’s use of a new Sub-processor for reasons related to the GDPR or Swiss FADP by notifying Data Processor promptly in writing within ten (10) days after receipt of Data Processor’s notice, and such written objection shall include the reasons related to the GDPR or Swiss FADP for objecting to Data Processor’s use of such new Sub-processor. Failure to object to such new Sub-processor in writing within ten (10) days following Data Processor’s notice shall be deemed acceptance of the new Sub-processor. In the event Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, Data Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Data Processor is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may, as its sole remedy, terminate the applicable Agreement and this DPA with respect only to those Services which cannot be provided by Data Processor without the use of the objected-to new Sub-processor, by providing written notice to Data Processor, provided that all amounts due under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Data Processor. Until a decision is made regarding the new Sub-processor, Data Processor may temporarily suspend the Processing of the affected Personal Data. Customer will have no further claims against Data Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
Taking into account the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Data Processor shall maintain all industry-standard technical and organizational measures required pursuant to Article 32 of the GDPR and Article 8 of Swiss FADP for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, as set forth in the Security Documentation which are hereby approved by Customer. Upon the Customer’s request, Data Processor will use commercially reasonable efforts to assist Customer, at Customer’s cost, in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR and Articles 22-24 of Swiss FADP considering the nature of the processing, the state of the art, the costs of implementation, the scope, the context, the purposes of the Processing and the information available to Data Processor.
Upon Customer’s written request at reasonable intervals, and subject to the confidentiality obligations set forth in the Agreement and this DPA, Data Processor shall make available to Customer, provided that Customer is not a competitor of Data Processor (or to Customer’s independent, third-party auditor that is not a competitor of Data Processor), a copy of Data Processor’s then most recent third-party audits or certifications, as applicable (provided, however, that such audits, certifications and the results therefrom, including the documents reflecting the outcome of the audit and/or the certifications, shall only be used by Customer to assess compliance with this DPA, and shall not be used for any other purpose or disclosed to any third party without Data Processor’s prior written approval and, upon Data Processor’s first request, Customer shall return all records or documentation in Customer’s possession or control provided by Data Processor in the context of the audit and/or the certification). At Customer’s cost and expense, Data Processor shall allow for and contribute to audits, including inspections, conducted by the controller or another auditor mandated by the controller (who is not a direct or indirect competitor of Data Processor), provided that the Parties shall agree on the scope, methodology, timing and conditions of such audits and inspections. Notwithstanding anything to the contrary, such audits and/or inspections shall not cover any information, including without limitation personal data, that does not belong to Customer.
Nothing in this DPA will require Data Processor either to disclose to Customer (and/or its authorized auditors), or provide access to: (i) any data of any other customer of Data Processor; (ii) Data Processor’s internal accounting or financial information; (iii) any trade secret of Data Processor; or (iv) any information that, in Data Processor’s sole reasonable discretion, could compromise the security of any of Data Processor’s systems or premises or cause Data Processor to breach obligations under any applicable law or its obligations to any third party.
Data Processor shall notify Customer without undue delay after becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data Controller’s Personal Data (a “Personal Data Incident”). Where, and in so far as, it is not possible to provide all information about the Personal Data Incident at the same time, the information may be provided in phases without undue further delay. Data Processor shall make reasonable efforts to identify the cause of such Personal Data Incident and take those steps that Data Processor deems necessary and reasonable in order to remediate the cause of such Personal Data Incident, to the extent the remediation is within Data Processor’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users. In any event, Customer will be the party responsible for notifying supervisory authorities and/or concerned data subjects (where required by Data Protection Laws and Regulations).
Subject to the Agreement, Data Processor shall, at the choice of Customer, delete or return the Personal Data to Customer after the end of the provision of the Services relating to processing, and shall delete existing copies unless applicable law requires storage of the Personal Data. In any event, to the extent required or allowed by applicable law, Data Processor may retain one copy of the Personal Data for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or to comply with applicable laws and regulations. If the Customer requests the Personal Data to be returned, the Personal Data shall be returned in the format generally available for Data Processor’s clients.
The Parties acknowledge and agree that, by executing the DPA, the Customer enters into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, thereby establishing a separate DPA between each Authorized Affiliate and Data Processor. Each Authorized Affiliate agrees to be bound by the obligations under this DPA. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA, and any violation of the terms and conditions therein by an Authorized Affiliate shall be deemed a violation by Customer.
The Customer shall remain responsible for coordinating all communication with Data Processor under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
Personal Data may be transferred from the EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) and the United Kingdom (collectively, “EEA”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission, the UK supervisory authority or under the Swiss FADP (“Adequacy Decisions”) without any further safeguard being necessary.
If the Processing of Personal Data includes transfers from the EEA (and Switzerland), or the UK, to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision (“Other Countries”), the Parties shall comply with Chapter V of the GDPR or the Swiss FADP, including, if necessary, executing the Standard Contractual Clauses adopted by the relevant data protection authorities of the EEA, the Union, the Member States or the European Commission, or comply with any of the other mechanisms provided for in the GDPR or the Swiss FADP for transferring Personal Data to such Other Countries, and the below shall apply:
This DPA shall automatically terminate upon the termination or expiration of the Agreement under which the Services are provided. Sections 2.2, 2.3.3, 8, 11 and 14 shall survive the termination or expiration of this DPA for any reason. This DPA cannot, in principle, be terminated separately to the Agreement, except where the Processing ends before the termination of the Agreement, in which case, this DPA shall automatically terminate.
To the extent that the Personal Data is subject to the CCPA, ControlUp shall not sell or share Customer’s Personal Data. ControlUp acknowledges that when processing Personal Data in the context of the provision of the Services, Customer is not selling or sharing Personal Data to ControlUp. ControlUp agrees not to retain, use or disclose Customer Personal Data: (i) for any purpose other than the Business Purpose (as defined below); (ii) for any other commercial purpose; or (iii) outside the direct business relationship between ControlUp and Customer. Notwithstanding the foregoing, ControlUp may use, disclose, or retain Customer Personal Data: (i) to transfer the Personal Data to other ControlUp entities (including, without limitation, affiliates and subsidiaries), service providers, third parties and vendors, in order to provide the Services to Customer; (ii) to comply with, or as allowed by, applicable laws; (iii) to defend legal claims or comply with a law enforcement investigation; (iv) for internal use by ControlUp to build or improve the quality of its services and/or for any other purpose permitted under the CCPA; (v) to detect data security incidents, or to protect against fraudulent or illegal activity; and (vi) to collect and analyze anonymous information. ControlUp shall use commercially reasonable efforts to comply with its obligations under the CCPA. If ControlUp becomes aware of any material requirement under the CCPA applicable to ControlUp as a service provider that ControlUp cannot comply with, ControlUp shall use commercially reasonable efforts to notify Customer. Upon Customer’s written notice, ControlUp shall take commercially reasonable and appropriate steps to stop and remediate ControlUp’s alleged unauthorized use of Personal Data; provided that Customer must explain and demonstrate in the written notice which processing activity of Personal Data it considers to be unauthorized and the applicable reasons.
ControlUp shall use commercially reasonable efforts to enable Customer to comply with consumer requests made pursuant to the CCPA. Notwithstanding anything to the contrary, Customer shall be fully and solely responsible for complying with its own requirements under the CCPA. “Business Purpose” means the Processing activities that ControlUp will perform to provide the Services (as described in the Agreement), this DPA and any other instruction from Customer, as otherwise permitted by applicable law, including the CCPA and the applicable regulations, or as otherwise necessary to provide the Services to Customer.
In the event of any conflict between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement. Notwithstanding anything to the contrary in the Agreement, this DPA and/or any other agreement between the Parties, and to the maximum extent permitted by applicable law: (A) Our and Our Affiliates’ entire, total and aggregate liability related to personal data or information, privacy, or for breach of this DPA and/or Data Protection Laws and Regulations, including, without limitation, any indemnification obligation under the Agreement or applicable law regarding data protection or privacy, shall be limited to the amounts paid to Us under the Agreement within the twelve (12) months preceding the event that gave rise to the claim. This limitation of liability is cumulative and not per incident; (B) in no event will We and/or Our Affiliates or their third-party providers be liable under, or otherwise in connection with, this DPA for: (i) any indirect, exemplary, special, consequential, incidental or punitive damages; (ii) any loss of profits, business, or anticipated savings; (iii) any loss of, or damage to, data, reputation, revenue or goodwill; and/or (iv) the cost of procuring any substitute goods or services; and (C) the foregoing exclusions and limitations on liability set forth in this Section shall apply: (i) even if We, Our Affiliates or third-party providers have been advised, or should have been aware, of the possibility of such losses or damages; (ii) even if any remedy in this DPA fails of its essential purpose; and (iii) regardless of the form, theory or basis of liability (such as, but not limited to, breach of contract or tort).
This DPA may be amended at any time by a written instrument duly signed by each of the Parties.
This DPA shall only become legally binding between Customer and Data Processor when the formal steps set out in the Section “INSTRUCTIONS ON HOW TO EXECUTE THIS DPA” below have been fully completed. Data Processor may assign this DPA or its rights or obligations hereunder to any Affiliate thereof, or to a successor or any Affiliate thereof, in connection with a merger, consolidation or acquisition of all or substantially all of its shares, assets or business relating to this DPA or the Agreement. Any Data Processor obligation hereunder may be performed (in whole or in part), and any Data Processor right (including invoice and payment rights) or remedy may be exercised (in whole or in part), by an Affiliate of Data Processor.
The Parties represent and warrant that they each have the power to enter into, execute, perform and be bound by this DPA.
You, as the signing person on behalf of Customer, represent and warrant that you have, or you were granted, full authority to bind the Organization and, as applicable, its Authorized Affiliates to this DPA. If you cannot, or do not have authority to, bind the Organization and/or its Authorized Affiliates, you shall not supply or provide Personal Data to ControlUp.
By signing this DPA, Customer enters into this DPA on behalf of itself and, to the extent required or permitted under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorized Affiliates, if and to the extent that ControlUp processes Personal Data for which such Authorized Affiliates qualify as the/a “data controller”.
This DPA has been pre-signed on behalf of ControlUp.
Instructions on how to execute this DPA:
The Parties’ authorized signatories have duly executed this Agreement:

Signed for and on behalf of [Customer’s name]
Name:
Title:
Date:
Signature:

Signed for and on behalf of ControlUp
Name:
Title:
Date:
Signature:
SCHEDULE 1 – DETAILS OF THE PROCESSING
Nature of Processing
Collection, recording, organization, structuring, storage, erasure by automated and manual means.
Purpose of Processing
The Data Importer shall only be allowed to Process Personal Data on behalf of Customer for the following purposes: setting up user account(s) for Controller personnel; setting up profile(s) for users authorized by Controller; providing support and technical maintenance; and displaying and alerting on statistical IT performance metrics and data in the context of Personal Data (for example, session latency for a specific session name).
Duration of Processing
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Data Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
Categories of Data Subjects
Categories of Personal Data
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to the following categories of Personal Data:
For the avoidance of doubt, the information subject to the ControlUp’s privacy policy (e.g., log-in details) available here: https://www.controlup.com/privacy-policy/controlup-privacy-policy/ shall not be subject to the terms of this DPA.
The frequency of the transfer: Continuous basis.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As described in this DPA and/or the Agreement.
For transfers to (sub-)processors, also specify subject matter, nature and duration of the processing: As detailed in Schedule 2.
SCHEDULE 2 – SUB-PROCESSOR LIST
Sub-processor | Data Storage Locations | Product | Nature of Processing | Scope of Processing
--- | --- | --- | --- | ---
Amazon Web Services | US East (Virginia); AWS Europe (Frankfurt); AWS Europe (Ireland) | ControlUp Real-Time DX, ControlUp Solve, ControlUp Insights | Hosting of customer data and the Services | US East (Virginia): for our current customers outside the EEA. AWS Europe (Frankfurt): dedicated to our current EEA customers.
Amazon Web Services | US East (Virginia); AWS Europe (Frankfurt) | ControlUp Scoutbees | Hosting of customer data and the Services | EUC, Internet and web application performance metrics.
Microsoft Azure | East US (Virginia); Central US (Iowa); Canada Central (Toronto); Germany North (Berlin); West Europe (Amsterdam); Sweden Central (Gävle); France Central (Paris); Switzerland North (Zurich); UAE North (Dubai); Central India (Pune) | ControlUp Edge DX | Hosting of customer data and the Services | Physical endpoint device statistics and performance metrics. Data is processed within the customer’s tenant.
Microsoft Azure | West Europe (Amsterdam); East US (Virginia); Canada (Toronto); Australia (New South Wales) | ControlUp DEX | Hosting of customer data and the Services | Starting October 2023, new customers’ data will be hosted solely in Azure.
SCHEDULE 3 – STANDARD CONTRACTUAL CLAUSES
EU SCCs. If the Processing of Personal Data includes transfers from the EU to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Chapter V of the GDPR. The Parties hereby agree to execute the Standard Contractual Clauses as follows:
a) The Standard Contractual Clauses (Controller-to-Processor and Processor to Processor) as applicable, will apply, with respect to restricted transfers between Customer and ControlUp that are subject to the GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and ControlUp (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) in Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall not be applicable; (iv) in Clause 13, the relevant option applicable to the Customer, as informed by Customer to ControlUp; (v) in Clause 17, option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of _____________; and (vi) in Clause 18(b) the Parties choose the courts of _____________ as their choice of forum and jurisdiction.
c) Annex I.A: With respect to Module Two: (i) Data Exporter is Customer as a data controller and (ii) the Data Importer is ControlUp as a data processor. With respect to Module Three: (i) Data Exporter is Customer as a data processor and (ii) the Data Importer is ControlUp as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the _____________ supervisory authority.
f) Annex II of the Standard Contractual Clauses shall be completed as described in the Security Documentation.
g) Annex III of the Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.
UK SCCs. If the Processing of Personal Data includes transfers from the UK to countries which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, the Parties shall comply with Article 45(1) of the UK GDPR and Section 17A of the Data Protection Act 2018. The Parties hereby agree to execute the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses as follows:
a) The UK Standard Contractual Clauses (Controller-to-Processor and Processor-to-Processor), as applicable, will apply with respect to restricted transfers between Customer and ControlUp that are subject to the UK GDPR.
b) The Parties agree that for the purpose of transfer of Personal Data between Customer (as Data Exporter) and ControlUp (as Data Importer), the following shall apply: (i) Clause 7 of the Standard Contractual Clauses shall be applicable; (ii) in Clause 9, option 2 shall apply and the method described in Section 5 of the DPA (Authorization Regarding Sub-Processors) shall apply; (iii) Clause 11 of the Standard Contractual Clauses shall be applicable; (iv) in Clause 17, option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of England and Wales; and (v) in Clause 18(b) the Parties choose the courts of England and Wales. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of any country in the UK. The Parties agree to submit themselves to the jurisdiction of such courts, as their choice of forum and jurisdiction. The Parties that may end this Addendum as set out in Section 19 of the Addendum: Importer and/or Exporter, in accordance with the agreed terms of the DPA.
c) Annex I.A: With respect to Module Two: Data Exporter is Customer as a data controller and the Data Importer is ControlUp as a data processor. With respect to Module Three: Data Exporter is Customer as a data processor and the Data Importer is ControlUp as a data processor (sub-processor). Data Exporter and Data Importer Contact details: As detailed in the Agreement. Signature and Date: By entering into the Agreement and this DPA, each Party is deemed to have signed these UK Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the DPA.
d) Annex I.B of the UK Standard Contractual Clauses shall be completed as described in Schedule 1 (Details of the Processing) of this DPA.
e) Annex I.C of the UK Standard Contractual Clauses shall be completed as follows: The competent supervisory authority is the Information Commissioner’s Office (ICO).
f) Annex II of the UK Standard Contractual Clauses shall be completed as described in the Security Documentation.
g) Annex III of the UK Standard Contractual Clauses shall be completed with the authorized sub-processors detailed in Schedule 2 (Sub-processor list) of this DPA.
Swiss SCCs. If the Processing of Personal Data includes transfers from Switzerland to countries outside the EEA which do not offer an adequate level of data protection or which have not been subject to an Adequacy Decision, and the FADP applies to such Swiss transfers, the Parties hereby agree to execute the Swiss Standard Contractual Clauses as follows: