Data Processing Agreement
1. Definitions and Interpretation
1.1 Definitions. Capitalized terms set forth in this Data Processing Agreement have the meaning ascribed thereto hereunder and cognate terms shall be construed accordingly:
Alternate Transfer Mechanism has the meaning ascribed thereto in Section 9.7.
Change Notice means a notice served to Client regarding an update of the Subprocessors List.
Client Personal Data means any Personal Data Processed by a Processor or Subprocessor on behalf of Client pursuant to or in connection with the Agreement.
Controller means the entity that determines the purposes and means of Processing Personal Data.
Data Processing Form means the written form entered into by beqom and Client specifying the Data Center Region, the categories of Data Subjects and the categories of Client Personal Data, the respective data protection officers or representatives and the details relating to cross-border processing of Personal Data.
Data Protection Laws means data protection or privacy laws and regulations directly applicable to a Party’s Processing of Client Personal Data under the Agreement, including European Data Protection Laws.
Data Subject means the identified or identifiable natural person to whom Personal Data relate.
Data Subject Request means a request from a Data Subject exercising his or her rights under Data Protection Laws that relates to Client Personal Data and identifies such Client.
European Data Protection Laws means the GDPR; the UK GDPR; any national data protection laws, implementing regulations, or binding decisions made under the GDPR or the UK GDPR; and the Swiss Data Protection Law.
GDPR means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.
Personal Data means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.
Personal Data Breach means a breach of beqom’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Personal Data.
Process and Processing mean any operation or set of operations which is performed on Personal Data, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Processor means the entity that Processes Personal Data on behalf of a Controller.
Restricted Transfer means (a) where the GDPR applies, a transfer of Client Personal Data from the EEA to a country outside of the EEA that is not subject to an adequacy determination by the European Commission; (b) where the Swiss Federal Act on Data Protection applies, a transfer of Client Personal Data from Switzerland to a country that is not subject to an adequacy determination by the Swiss Federal Data Protection and Information Commissioner; and (c) where the UK GDPR applies, a transfer of Client Personal Data from the UK to a country that is not the subject of adequacy regulations under section 17A of the United Kingdom Data Protection Act of 2018.
SCCs means the standard contractual clauses for international transfers annexed to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, including as incorporated into the UK Transfer Addendum, if applicable.
In the event such SCCs are amended or superseded through an act or decision of the European Commission, the parties will amend this agreement to include the amended or superseding Clauses.
Subprocessor means any Processor (including any third party and any beqom Affiliate, but excluding an employee of beqom or any employee of its Subcontractors) appointed by beqom or an Affiliate of beqom to Process Client Personal Data on beqom’s or its Affiliates’ behalf while providing the Cloud Services or Professional Services.
Subprocessors List means the list of Subprocessors.
Swiss Data Protection Law means the Federal Act on Data Protection 2020 and related application ordinances.
UK Data Protection Law means the UK Data Protection Act 2018 and the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (“UK GDPR”).
UK Transfer Addendum means the International Data Transfer Addendum to the Standard Contractual Clauses issued under S119A(1) of the Data Protection Act 2018.
With respect to the processing of Client Personal Data of EEA Data Subjects, the terms, “Commission”, “Data Subject”, “Member State”, “Personal Data”, “Processing”, “Data Protection Officer” and “Supervisory Authority” shall have the meaning ascribed thereto in the GDPR, and their cognate terms shall be construed accordingly.
With respect to the processing of Client Personal Data of Data Subjects residing in the United Kingdom or Switzerland, the terms “Data Subject”, “Personal Data”, “Processing” and “Commission/er” shall have the same meaning as in the UK Data Protection Law, or in the Swiss Data Protection Law, respectively.
1.2 Interpretation. Any other capitalized term not defined in this Data Processing Agreement or any document referenced therein shall have the same meaning ascribed thereto in the Definitions Appendix.
1.3 A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time. Any words following the terms including, include, in particular or any similar expression shall be construed as illustrative and shall not limit the sense of the words, description, definition, phrase or term preceding those terms.
2. Scope and Roles
2.1 Scope. This Data Processing Agreement applies when beqom Processes Client Personal Data in providing the Cloud Services or Professional Services under the Agreement to Client and its Affiliates. If beqom Processes Personal Data on behalf of a Client’s Affiliate, Client is entering this Data Processing Agreement on behalf of itself and such Affiliate to the extent required under the Data Protection Laws.
2.2 The categories of Data Subjects and of Client Personal Data, the respective data protection officers or representatives, the location of the Data Center Region where the data centers hosting Client Personal Data are located, and the required details relating to cross-border processing of Personal Data are identified in the Data Processing Order Form.
2.3 Roles. The Parties agree that Client is a Controller and beqom is a Processor with respect to the Processing of Client Personal Data in relation to the Cloud Services and/or Professional Services under the Agreement.
3.1 beqom Obligations. beqom shall: (a) comply with all Data Protection Laws applicable to it as a Processor in the Processing of Client Personal Data; (b) not Process Client Personal Data other than on Client’s documented instructions unless Processing is required by any Data Protection Laws to which beqom or the relevant Subprocessor is subject, in which case beqom shall to the extent permitted by applicable Data Protection Laws inform Client of that legal requirement before the relevant Processing of that Client Personal Data; (c) notify Client without undue delay if beqom reasonably determines that (i) it can no longer meet its obligations under this Data Processing Agreement (including to follow Client’s instructions) or Data Protection Laws; or (ii) any Processing instruction of Client infringes Data Protection Laws; and, in such event, beqom shall enter into further agreements as requested by Client which are required to comply with Data Protection Laws; (d) not sell, rent, release, disclose, disseminate or otherwise communicate orally, in writing, or by electronic or other means, any Client Personal Data to a third party for monetary or other valuable consideration; (e) not share, rent, release, disclose, disseminate or otherwise communicate orally, in writing, or by electronic or other means, Client Personal Data to a third party for cross-context behavioral advertising, whether or not for monetary or other valuable consideration, including, transactions for cross-context behavioral advertising for the benefit of a business in which no money is exchanged; (f) not retain, use or disclose Client Personal Data: (i) for any purpose other than for the limited and specific business purposes of performing Cloud Services or Professional Services pursuant to the Agreement and as set out in Annex I to the Appendix of the Standard Contractual Clauses; or (ii) outside of the direct business relationship between Client and beqom; or (g) not combine Client Personal Data with any Personal Data that is received from or on behalf of any third party or collected via beqom’s own interaction with a Data Subject.
3.2 beqom shall promptly notify Client of any complaints received or any notices of investigation or non-compliance from any Supervisory Authority or any similar regulatory authority in any country or territory relating to the collection or Processing of Client Personal Data. Client will handle all communications and correspondence with regulators relating to Client Personal Data. beqom shall cooperate with Client and the relevant Supervisory Authority or similar regulatory authority in the event of any investigation or litigation concerning Client Personal Data. If any Client Personal Data is requested or subject to an order for compelled disclosure by any law enforcement or security authorities or other government agencies, or beqom has any reason to believe that such request may be made, in each case beqom shall: (a) promptly redirect the third party to request the Personal Data directly from Client and notify Client, unless prohibited under applicable law or by the relevant authority, in which case beqom shall communicate as much information to Client as soon as possible; (b) use all commercially reasonable efforts to challenge the request or order for disclosure on the basis of any relevant conflicts with the Data Protection Laws; (c) upon written request by Client, promptly suspend or cease Processing any Client Personal Data provided to it by or on behalf of Client; and (d) not make transfers of Client Personal Data to any law enforcement or security authorities or other government agencies in breach of the Data Protection Laws, unless such transfer is requested by Client or required under applicable law.
3.3 Client Obligations. Client shall: (a) comply with all obligations under all applicable Data Protection Laws applicable to it as a Controller; (b) instructs (and authorizes beqom to instruct each Subprocessor) to: (i) Process Client Personal Data, and (ii) in particular, transfer Client Personal Data to any country or territory; solely for the purpose of the provision of the in accordance with the terms of this Data Processing Agreement and the Agreement; and (c) warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions set out above.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, beqom will in relation to the Client Personal Data implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including beqom's Technical and Organizational Measures.
4.2 beqom will take appropriate steps to ensure compliance with the Technical and Organizational Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Client Personal Data have agreed to appropriate confidentiality obligations.
5.1 Authorization. Client generally authorizes beqom to engage Subprocessors in accordance with this Section 5 and approves beqom’s use of the Subprocessors listed in the Subprocessors List. beqom will update the Subprocessors List at least thirty (30) days before appointing a new Subprocessor and will provide Client with a mechanism to receive notifications of updates to the Subprocessors List (a “Change Notice”), which today is available through the Subprocessors List.
5.2 With respect to each Subprocessor, beqom shall ensure that (a) the Subprocessor is capable of providing the level of protection for Client Personal Data required by the terms of the Agreement, and (b) the arrangement between beqom and the relevant Subprocessor is governed by a written contract including terms, which offer at least the same level of protection for Client Personal Data as those set out in this Data Processing Agreement and meet at least the same level of requirements as those provided under the GDPR.
5.3 Objections. Client may object to the new Subprocessor on reasonable grounds related to the protection of Client Personal Data by sending an email to beqom’s data protection officer stated in the Data Processing Form, describing its legitimate, good-faith objection within fifteen (15) days of a Change Notice (an “Objection Notice”), in which case beqom may satisfy the objection by (a) not using the Subprocessor to Process Client Personal Data; (b) taking corrective steps requested by Client in its Objection Notice; or (c) ceasing to provide the parts of the Services that involve the Subprocessor Processing Client Personal Data, subject to a mutual agreement of the Parties to adjust the remuneration for the Cloud Services considering their reduced scope. If none of the options outlined above are reasonably available and Client’s objection has not been resolved to the Parties’ mutual satisfaction within thirty (30) days of beqom’s receipt of the Objection Notice, either Party may terminate the affected Order and beqom will refund to Client a pro rata share of any unused amounts prepaid by Client under the applicable Order Form for Cloud Services on the basis of the remaining portion of the current terms of the Order Form. If Client does not provide a timely Objection Notice with respect to a new Subprocessor, Client will be deemed to have authorized beqom’s use of the Subprocessor and to have waived its right to object.
5.4 Subprocessor Requirements. beqom will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this Data Processing Agreement. beqom will be liable for the actions and omissions of its Subprocessors undertaken in connection with beqom’s performance under this Data Processing Agreement to the same extent beqom would be liable if performing the Services directly.
6. Data Subject Requests
6.1 If beqom receives a Data Subject Request, beqom will (a) advise the Data Subject to submit the request to Client directly, and (b) promptly notify Client of the request. Where required by Data Protection Laws, beqom will, on Client’s request and taking into account the nature of Client Personal Data Processed, provide reasonable assistance to Client in fulfilling the Data Subject Request to the extent Client is unable through its business operations or its use of the Cloud Services to address a particular Data Subject Request on its own. To the extent permitted by the applicable law, Client will be responsible for any costs arising from beqom’s assistance.
7. Personal Data Breach
7.1 Breach Notification. beqom shall notify (including by way of email notification) Client without undue delay (but in any event, within 48 business hours) upon becoming aware of a Personal Data Breach affecting Client Personal Data. beqom’s notification to Client will describe (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the measures beqom has taken, or plans to take, to respond to and mitigate the Personal Data Breach; (c) any measures beqom recommends that Client take to address the Personal Data Breach; and (d) information related to beqom’s point of contact with respect to the Personal Data Breach. If beqom cannot provide all the information above in the initial notification, beqom will provide the information to Client as soon as it is available.
7.2 Breach Response. beqom will promptly take all actions relating to its Technical and Organizational Measures that it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.
7.3 General. beqom’s notification of or response to a Personal Data Breach shall not constitute an acknowledgment of fault or liability with respect to the Personal Data Breach. The obligations in this Section 7 do not apply to Personal Data Breaches that are caused by Client, Authorized Users, or providers of Client IT systems. Except as may otherwise be required by applicable laws (including any mandated deadlines under Data Protection Laws), if Client decides to notify a Supervisory Authority, Data Subjects, or the public of a Personal Data Breach, Client will make reasonable efforts to provide beqom with advance copies of the notice(s) and allow beqom an opportunity to provide any clarifications or corrections to them.
8. Data Protection Impact Assessment
8.1 Taking into account the nature of the Processing and the information available to beqom, beqom shall, when required by Data Protection Laws, provide reasonable assistance to Client with its obligations related to data protection impact assessments (where related to the Cloud Services, and only to the extent that Client does not otherwise have access to the relevant information) and prior consultation, including by providing the information outlined in Section 7.1 (Breach Notification) above, with Supervisory Authorities or other competent data privacy authorities, which Client reasonably considers to be required under the Data Protection Law, in each case solely in relation to Processing of Client Personal Data by beqom.
9. Data Transfers
9.1 To protect transfers of Client Personal Data out of the EEA, Switzerland, and the UK, the Parties agree to enter into the SCCs and the UK Transfer Addendum as described below.
9.2 The Parties acknowledge that Client on behalf of itself and its Affiliates in the EEA, Switzerland or the UK, as applicable, will be a Data Exporter under the SCCs and beqom on behalf of itself and its Affiliates not established in the EEA, Switzerland or the UK, will be a Data Importer.
9.3 Transfers from the EEA. Where a Restricted Transfer is made from the EEA, the SCCs are incorporated into this Data Processing Agreement and apply to the transfer as follows:
- with respect to Restricted Transfers from Client to beqom, Module Two will apply;
- in Clause 7, the optional docking clause does not apply;
- in Clause 9(a), Option 2 applies, and the period for prior notice of Subprocessor changes is set forth in Section 5 of this Data Processing Agreement;
- in Clause 11(a), the optional language does not apply;
- in Clause 17, Option 1 applies with the governing law being that stated in the Data Processing Form;
- in Clause 18(b), disputes will be resolved before the courts stated in the Data Processing Form;
- Annex I of the SCCs is completed with the information set out in the Data Processing Form;
- Annex II of the SCCs is completed with the information set forth in the beqom Technical and Organizational Measures; and
- Annex III of the SCCs is completed with the information in the Subprocessors List.
9.4 Transfers from Switzerland. Where a Restricted Transfer is made from Switzerland, the SCCs are incorporated into this Data Processing Agreement and apply to the transfer as modified in Section 9.3, except that:
- in Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner if the Restricted Transfer is governed by the Swiss Federal Act on Data Protection;
- references to “Member State” in the SCCs refer to Switzerland, and data subjects located in Switzerland may exercise and enforce their rights under the SCCs in Switzerland;
- disputes will be resolved before the Swiss courts stated in the Data Processing Form; and
- references to the “General Data Protection Regulation,” “Regulation 2016/679,” and “GDPR” in the SCCs refer to the Swiss Federal Act on Data Protection (as amended or replaced).
9.5 Transfers from the UK. Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated into this Data Processing Agreement and applies to the transfer. The UK Transfer Addendum is completed with the information in Section 9.3, the Subprocessors List, and the information stated in the relevant Data Processing Form.
9.6 Specific application of the SCCs. The following terms apply to the SCCs:
- Client may exercise its audit rights under the SCCs as set out in Section 11 (Audit Rights) hereunder;
- beqom may appoint Subprocessors under the SCCs as set out in Section 5 (Subprocessing) above;
- with respect to Restricted Transfers made to beqom, beqom may neither participate in, nor permit any Subprocessor to participate in, any further Restricted Transfer unless the further Restricted Transfer is made in full compliance with Data Protection Laws and in accordance with applicable SCCs or an alternative legally compliant transfer mechanism; and
- if any provision of this Section 9 is inconsistent with any terms in the SCCs, the SCCs will prevail.
9.7 Alternate Transfer Mechanism. If beqom adopts an alternative data export mechanism (including any new version of or successor to the SCCs or privacy shield principles adopted pursuant to the Data Protection Laws) for the transfer of Client Personal Data not described herein (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of any applicable transfer mechanism described in this Data Processing Agreement, but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which Client Personal Data is transferred.
10. Deletion or Return of Personal Data
10.1 Subject to Subsections 10.2 and 10.3, beqom shall promptly upon Client’s written request and in any event within thirty (30) days of the date of termination of the Agreement (the “Termination Date”) delete and procure the permanent and irrevocable deletion of all Client Personal Data from the Platform, back-ups included.
10.2 Subject to Subsection 10.3, Client may in its absolute discretion by written notice to beqom within thirty (30) days of the Termination Date require beqom to (a) return to Client by secure file transfer a complete copy of all Client Personal Data then under beqom's control in a generally accepted industry-standard electronic format (e.g. csv, xls); and (b) delete and procure the permanent and irrevocable deletion of all other copies of Client Personal Data Processed by beqom and any Subprocessor. beqom shall comply with any such written request within thirty (30) days of the Termination Date and Client shall acknowledge in writing safe receipt of the returned Client Personal Data.
beqom and each Subprocessor may retain Client Personal Data only to the extent required by applicable Data Protection Laws and only to the extent and for such period as required by the applicable Data Protection Laws, and always provided that beqom shall ensure that such Client Personal Data is only Processed as necessary for the purpose(s) specified in the applicable Data Protection Laws requiring its storage, and for no other purpose.
Without prejudice to the foregoing, Client agrees and acknowledges that beqom has no obligation to retain Client Data beyond that period and that Client Personal Data shall be irretrievably deleted after thirty (30) days following the term or termination of the applicable Agreement. beqom shall not be liable to Client nor to any third party for any termination of Client’s access to the Cloud Services or for deletion of Client Personal Data in compliance with this Section.
11. Audit Rights
11.1 Subject to Subsections 11.2 to 11.4 hereunder, beqom shall make available to Client on request all information necessary to demonstrate compliance with this Data Processing Agreement, and shall allow for and contribute to audits, including inspections, by Client or an auditor mandated by Client in relation to the Processing of Client Personal Data by beqom or its Subprocessors.
11.2 Information and audit rights of Client only arise under Subsection 11.1 to the extent that the Agreement does not otherwise give Client information and audit rights meeting the relevant requirements of the applicable Data Protection Law.
11.3 Except where required by a Supervisory Authority or other regulator, Client shall give beqom reasonable notice of any audit or inspection to be conducted under Subsection 11.1 and shall make (and ensure that each of its mandated auditors makes) reasonable endeavors to avoid causing (or, if it cannot avoid, to minimize) any damage, injury or disruption to the Processors' or Subprocessors’ premises, equipment, personnel and business while its personnel are on said premises in the course of such an audit or inspection.
11.4 Except where required by a Supervisory Authority or other regulator, neither beqom nor a Subprocessor need give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Client has given notice to beqom that this is the case before attendance outside those hours begins; or
- for the purposes of more than one audit or inspection, in respect of beqom or a Subprocessor, in any calendar year, except for any additional audits or inspections which: (i) Client reasonably considers necessary because of genuine concerns as to beqom's compliance with this Data Processing Agreement; or (ii) Client is required or requested to carry out by Data Protection Law, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any country or territory; where Client has identified its concerns or the relevant requirement or request in its notice to beqom of the audit or inspection.
11.5 Notwithstanding the foregoing, Client hereby covenants and agrees that Client’s audit rights under this Section 11 with respect to beqom's cloud infrastructure provider Microsoft Azure shall be exercised by instructing Microsoft Azure to conduct an audit of the computers, computing environment and physical data centers that Microsoft Azure uses in Processing Client Personal Data. If Client desires to change this instruction, then Client has the right to do so as set forth in the SCCs and the European Data Protection Laws, which change shall be requested in writing.
Azure data centers are certified for ISO 27001, ISO 27017/27018, ISO 22301, AICPA SOC 2 & SOC 3, UK G-Cloud, and NIST 800-171 and are audited yearly by leading independent certification bodies. Each audit will result in the generation of an audit report (“Audit Report”), which will clearly disclose any material findings by the auditor. Microsoft Azure will remediate issues raised in any Audit Report to the satisfaction of the auditor. beqom can request Microsoft Azure to provide a copy of the Audit Report so that Client can verify Microsoft Azure’s compliance with the Subprocessor’s obligations under this Data Processing Agreement. The Audit Report will be Microsoft Azure’s Confidential Information and will be subject to non-disclosure and distribution limitations of Microsoft Azure and the auditor.
Upon written request, beqom can provide certificates at any time relating to Azure data centers, including but not limited to: ISO 27001, ISO 27017/27018, ISO 22301, AICPA SOC 2 & SOC 3, UK G-Cloud, and NIST 800-171. Nothing in this Section 11.5 varies or modifies the SCCs or the European Data Protection Laws or affects any Supervisory Authority or Data Subject’s rights under the SCCs or the European Data Protection Laws.
12. Limitation of Liability
Each Party’s liability taken together in the aggregate, arising out of or related to this Data Processing Agreement, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Master Agreement.
beqom may make changes to this Data Processing Agreement where the change is required to comply with the Data Protection Laws, and provided that the change: (a) does not reduce the security of the Cloud Services or Professional Services, (b) does not change the scope of beqom’s Processing of Client Personal Data, and (c) does not have a material adverse impact on Client’s rights under this Data Processing Agreement or the Master Agreement.
14. Order of Precedence
In the event of a conflict or inconsistency between the Master Agreement, this Data Processing Agreement, and the SCCs, the terms of the following documents will prevail (in order of precedence): the SCCs; then this Data Processing Agreement; and then the Master Agreement.
15. Governing Law
15.1 To the extent required by applicable Data Protection Laws (e.g., in relation to the governing law of the SCCs), this Data Processing Agreement shall be governed by the law set out in the relevant Data Processing Form.
15.2 In all other cases, this Data Processing Agreement shall be governed by the laws of the jurisdiction specified in the Master Agreement.
16. Signature and Effect
This Data Processing Agreement is deemed to be validly executed, effective and enforceable upon the signature by both Parties of the Data Processing Form as of the last date of signature.