This DPA, is entered into by and between Feroot and Customer (as defined in the Order Form).

This DPA supplements and forms part of the Agreement entered into by Feroot and Customer for the provision of the Solution and related services. In the event of any conflict between the Agreement and this DPA, the terms and conditions of this DPA will control. Except to the extent expressly superseded or modified in this DPA, the terms and conditions of the Agreement will apply to this DPA and remain in full force and effect.

Defined terms not defined in this DPA will have the meaning set out in the Terms and Conditions that form a part of this Agreement.

1. Definitions

2. Data Processing and Security Responsibilities.

Customer and Feroot will each comply with all privacy laws that apply to it (including, where applicable, the EU GDPR) in relation to any Personal Data Processed in connection with this DPA, as set out in Annex A to this DPA.

3. Customer Obligations.

Customer agrees that it has

  1. made and will maintain all necessary registrations and notifications as required in order to permit Feroot to perform its obligations and exercise its rights under this DPA;
  2. obtained and will continue to obtain all consents necessary, and provide all necessary notices and otherwise have all authority, to permit Feroot to perform its obligations and exercise its rights under this DPA, and will inform Feroot immediately if any such consents are withdrawn;
  3. (except to the extent Feroot deals directly with individuals in accordance with the Solution, or as otherwise agreed in connection with the Solution) ensured and will continue to ensure that all Personal Data Processed by Feroot is adequate, relevant, accurate and up-to-date, and limited to what is necessary to permit Feroot to perform its obligations and exercise its rights under this DPA; and
  4. ensured and will continue to ensure that there are valid legal grounds to enable Feroot to Process Customer’s Personal Data.

4. Feroot Obligations.

In the course of Processing Personal Data on behalf of Customer in connection with the Solution as set out in Annex A to this DPA, Feroot will:

  1. only Process Personal Data for the purposes of rendering the Solution and as otherwise instructed by Customer in writing from time to time (including in accordance with this DPA), and not Process any Personal Data in any other manner unless required to do so by applicable law, including applicable laws of Canada, the European Union (EU) or the laws of an EU Member State to which Feroot is subject. Feroot will notify Customer before complying with any such requirement unless the law prohibits such information on important grounds of public interest;
  2. immediately inform Customer if, in Feroot’s opinion, any instruction received from Customer infringes the EU GDPR;
  3. (except to the extent Feroot deals directly with individuals in accordance with the Solution, or as otherwise agreed in connection with the Solution) notify Customer without undue delay of any request received from individuals relating to the individual’s right to access, modify, correct, erase or restrict the Processing of Personal Data or to exercise their right of data portability or objection in accordance with the EU GDPR, and assist Customer to comply with such a request;
  4. notify Customer without undue delay of any request or other correspondence received in connection with the Processing of Personal Data under this DPA from:
    1. a supervisory authority; or
    2. an individual (except requests envisioned by clause 4c).
  5. implement physical, technical, administrative and organizational measures (including those set out in Annex B) appropriate to the sensitivity of the Personal Data to protect the Personal Data against loss, theft, destruction, damage, alteration and unauthorized or unlawful access, use, disclosure or other Processing and provide reasonable assistance to Customer, at Customer’s cost, to ensure compliance with Customer’s obligations to implement such security measures;
  6. ensure Feroot personnel who are authorized to Process the Personal Data are bound to protect the confidentiality of the Personal Data by either a commitment to confidentiality or an appropriate statutory obligation of confidentiality; and
  7. to the extent required by the EU GDPR and upon Customer’s request, provide all reasonable assistance to Customer in connection with Customer’s obligations under the EU GDPR to carry out a data protection impact assessment and to consult with the relevant supervisory authority in respect of any such data protection impact assessment.

5. Audit Rights.

Feroot will provide Customer (or its representatives) with access to the records, facilities and premises of Feroot during business hours and upon at least 30 days’ advance notice in writing, for the purposes of verifying Feroot’s compliance with this DPA.

6. Subcontracting.

Customer acknowledges and agrees that Feroot will use sub-processors (including Feroot affiliates) to provide the Solution. Feroot will enter into a written agreement with each such sub-processor that imposes obligations on the sub-processor that are substantially similar to those imposed on Feroot under this DPA. Where such sub-processors fail to fulfil their data protection obligations, Feroot will remain fully liable to Customer for the performance of those sub-processor’s obligations. Prior to appointing any new sub-processor in addition to or in lieu of those listed in Annex C, Feroot will notify Customer of such sub-processors, whereupon Customer will have 30 days to object to such appointment by providing detailed reasons for such objection to Feroot.

7. Security Breach Notification.

  1. Feroot will notify Customer without undue delay upon Feroot becoming aware of any loss, theft, damage or unauthorized or unlawful access to or use, disclosure or other Processing of Personal Data (“Privacy Breach”).
  2. Feroot will assist Customer with complying with Customer’s obligations in notifying individuals affected by a Privacy Breach and supervisory authorities to the extent required by the EU GDPR.

8. Termination

Upon the termination of the Agreement or at such other times as instructed by Customer in writing, immediately return (or, upon the written instruction of Customer, securely dispose of) each and every original and copy in every media of all Personal Data in the possession or control of Feroot unless applicable laws of Canada, the EU or the law of an EU Member State to which Feroot is subject requires storage of the Personal Data.

ANNEX A

DATA PROCESSING DESCRIPTION

Subject-matter and duration of the Processing

Feroot’s Solution helps organizations manage data subject rights, including data subject access requests. The duration of the Processing lasts for as long as the Agreement is in force, and as long as any lawful purposes continue to exist.

Nature and purposes of the Processing

Personal Data are Processed for the following purposes

helping organizations manage data subject rights, including data subject access requests by identifying, storing, retrieving, displaying, erasing, rectifying, and otherwise facilitating the organization’s management of Personal Data across various cloud-based data storage platforms.

Data Categories

The following categories of Personal Data are involved

The Personal Data may include Personal Data about:

ANNEX B

SECURITY MEASURES

The following security measures have been implemented to help safeguard the Personal Data in Feroot’s custody:

ANNEX C

SUBCONTRACTORS

Below is the list of sub-processors