This Data Processing Addendum (“Addendum”) forms part of the underlying written agreement between POSH Virtual Receptionists, LLC (“POSH”) and our customer (“Customer”) under which POSH provides services to Customer (“Agreement”). POSH and Customer are referred to herein as “Parties” and individually as “Party”.
Unless otherwise defined below, all capitalized terms have the same meaning given to them in the Agreement and/or exhibits thereto.
“Data Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Processor” means the entity which Processes Personal Data on behalf of the Data Controller.
“EU Data Protection Laws” means the EU General Data Protection Regulation (EU) 2016/679.
“Data Protection Laws” means all data protection laws applicable to the Processing of Personal Data under this Addendum, including local, state, national and/or foreign laws, treaties, and/or regulations, the Data Protection Law of 2018, the United Kingdom General Data Protection Regulation, EU Data Protection Laws, and implementations of EU Data Protection Laws into national law.
“Data Subject” means the person to whom the Personal Data relates.
“EEA” means the European Economic Area.
“Personal Data” means any Customer data that relates to (i) an identified or identifiable natural person or, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data under applicable Data Protection Laws).
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
“Processing or Process” means any operation or set of operations performed on Personal Data or sets of Personal Data, such as collecting, recording, organizing, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing by transmission, disseminating or otherwise making available, aligning or combining, restricting, erasing or destroying.
“Services” are those products, services, and other deliverables provided under the Agreement.
“Standard Contractual Clauses” means the Standard Contractual Clauses for the transfer of personal data to processors established in third countries pursuant to Commission Decision (2016/679/EU), or the UK Standard Contractual Clauses published by the Information Commissioner’s Office, once available.
“Subprocessor” means a third-party entity engaged by POSH as a Data Processor under this Addendum.
“Valid Transfer Mechanism” means a data transfer mechanism permitted by Data Protection Laws as a lawful basis for transferring Personal Data to a recipient outside the EEA or the United Kingdom.
2. Processing Personal Data
2.1. Scope and Role of the Parties. This Addendum applies to the Processing of Personal Data by POSH in the course of providing Services under the Agreement. For the purposes of this Addendum: (i) Customer is the Data Controller; and (ii) POSH is the Data Processor Processing such Personal Data on Customer’s behalf.
2.2. Instructions for Processing. POSH shall Process Personal Data in accordance with Customer’s instructions. Customer instructs POSH to Process Personal Data to provide Services in accordance with the Agreement and this Addendum. Customer may provide additional instructions to Process Personal Data; however, POSH shall be obligated to perform such additional instructions only if they are consistent with the terms and scope of the Agreement and this Addendum. If POSH believes that any instruction provided by Customer violates applicable Data Protection Laws, it shall inform Customer accordingly. POSH will not retain, use, disclose, or sell the Personal Data for any purpose other than for the specific purpose of performing Services specified under the Agreement (including retaining, using, disclosing, or selling Personal Data for POSH’s own commercial purpose) or as otherwise permitted by law.
2.3. Compliance with Laws. POSH shall comply with Data Protection Laws applicable to POSH in its role as a Data Processor Processing Personal Data. Customer shall comply with Data Protection Laws applicable to Customer as a Data Controller. For the avoidance of doubt, POSH is not responsible for complying with Data Protection Laws applicable to Customer as a Data Controller.
3.1. Use of Subprocessors. Customer hereby gives POSH general authorization to engage Subprocessors to Process Personal Data in accordance with this Section 3. POSH shall ensure that any such Subprocessor has entered into a written agreement requiring the Subprocessor to abide by terms no less protective than those provided in this Addendum. POSH shall be liable for the acts and omissions of any Subprocessors to the same extent as if the acts and omissions were performed by POSH. As of the effective date of the Agreement, the Customer consents to POSH’s use of the Subprocessors identified in Attachment A.
3.2. Notification of New Subprocessors. POSH shall provide notice to Customer of any new Subprocessors POSH seeks to appoint to Process Personal Data, and afford Customer the ability to object to such appointment in writing within fourteen (14) calendar days of receiving such notice.
4. Data Center Location and Data Transfers
4.1. Storage of Personal Data. Personal Data will be hosted in data centers located in the United Kingdom unless the Parties otherwise expressly agree in writing.
4.2. Access to and Transfer of Personal Data. Notwithstanding Section 4.1, in order to provide the Services, POSH and its Subprocessors will only access Personal Data from (i) countries in the EEA; (ii) countries formally recognized by the European Commission as providing an adequate level of data protection (“Adequate Countries”); and (iii) the United States and other non-Adequate Countries, provided that the transfers of the Personal Data are pursuant to a Valid Transfer Mechanism. To the extent required under applicable Data Protection Laws and where Customer transfers to and where POSH receives Customer Personal Data in a non-Adequate Country, the Parties agree to enter into a Valid Transfer Mechanism, including as appropriate, the Controller-Processor Standard Contractual Clauses. When POSH or its Subprocessors access Personal Data from outside the location identified in Section 4.1, Customer agrees that Personal Data may be temporarily stored in that country.
5. Assistance to Customer
5.1. Assistance with Handling of Data Subject Requests. Customer is responsible for responding to Data Subject requests for access, correction, deletion, restriction, or other privacy right under applicable Data Protection Law of that person’s Personal Data (“Data Subject Request”). If POSH receives a Data Subject Request, POSH shall promptly redirect the Data Subject to Customer. POSH will reasonably assist Customer in handling Data Subject Requests by complying with Customer’s instructions with respect to a Data Subject’s Personal Data.
5.2. Assistance with Data Portability. For the avoidance of doubt, Customer is responsible for responding to Data Subject’s data portability requests. To the extent a Data Subject’s Personal Data is not accessible to Customer, POSH will, as necessary to enable Customer to meet their obligations under applicable Data Protection Laws, provide such Personal Data extract in a structured, commonly used and machine-readable format.
5.3. Assistance with Other Obligations. Customer is responsible for complying with all its obligations as Controller under applicable Data Protection Laws, including without limitation, obligations related to data protection impact assessments or prior consultations with relevant supervisory authorities. POSH shall reasonably assist Customer with Customer’s efforts to comply with its own obligations under applicable Data Protection Laws related to conducting data protection impact assessments, including where necessary, prior consultation with the relevant supervisory authority.
6. Government Access Requests
Unless prohibited by applicable law or a legally-binding request of law enforcement, POSH shall promptly notify Customer of any request by a government agency or law enforcement authority for access to or seizure of Personal Data.
7. POSH Personnel
POSH shall take reasonable steps to train its personnel on their responsibilities regarding the handling and safeguarding of Personal Data and require such personnel to sign confidentiality agreements with POSH. Such confidentiality obligations shall survive termination of employment.
8.1. Security Program. POSH shall implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized access or disclosure or accidental or unlawful destruction, loss, or alteration. Such measures shall be appropriate to (i) the size, scope, and type of POSH’s business; (ii) the type of information that POSH will Process; and (iii) the need for security and confidentiality of such information.
8.2. Breach Notification. POSH shall promptly (and in any case not more than seventy-two (72) hours of becoming aware of a Personal Data Breach) notify Customer of any Personal Data Breach affecting the Personal Data that POSH maintains on Customer’s behalf. POSH shall provide sufficient information to allow Customer to meet its obligations under Data Protection Laws.
Customer may, no more than once per calendar year, audit POSH’s compliance with its obligations under this Addendum with respect to the Processing of Personal Data under the Agreement. For such audits, POSH shall make available, upon reasonable request, information and documentation necessary and provide responses to Customer’s reasonable written questionnaires relevant to demonstrate compliance with this Addendum. Customer shall bear all costs and expenses related to any audits performed under this section.
10. Return and Deletion of Personal Data
No later than fourteen (14) days after termination of the Services, POSH shall, at Customer’s option, delete or return all Personal Data to Customer and delete existing copies unless applicable law requires storage of the Personal Data. In such case, POSH shall continue to ensure the confidentiality of all such Personal Data. Notwithstanding the foregoing, POSH may retain Personal Data on any automatic backup disaster recovery system or server provided that non-deleted data will be held securely and securely deleted in accordance with POSH’s backup retention policies.
11. General Provisions
11.1. Termination. The term of this Addendum will end simultaneously and automatically with the termination of the Agreement.
11.2. Conflict. In the event of a conflict between the provisions of this Addendum and the Agreement, the provisions of the Addendum will prevail with regard to the Parties’ data protection obligations.
11.3. Indemnification; Limitations on Liability; Remedies. Customer’s indemnities, limitations on liability, and remedies with respect to any breach by POSH of the terms of this Addendum, and the overall aggregate liability of POSH arising out of, or in connection with the Agreement (including this Addendum), will be subject to any aggregate limitation of liability as specified in the Agreement (“Liability Cap”). For the avoidance of doubt, the Parties intend and agree that the overall aggregate liability of POSH arising out of, or in connection with the Agreement (including this Addendum) shall in no event exceed the Liability Cap.
11.4. Section Headings. The section headings contained in this Addendum are for reference purposes only and shall not in any way affect the meaning or interpretation of this Addendum.