Data Processing Agreement

Data Processing Agreement

Last Updated November 26, 2024

This Data Processing Agreement (“DPA”) forms part of the Terms of Use (or other similarly titled written or electronic agreement addressing the same subject matter) (“Agreement”) between Customer and “SucceedSmart Inc.” under which the Processor provides the Controller with the software and services (the “Services”). The Controller and the Processor are individually referred to as a “Party” and collectively as the “Parties”.

The Parties seek to implement this DPA to comply with the requirements of EU GDPR (defined hereunder) in relation to Processor’s processing of Personal Data (as defined under the EU GDPR) as part of its obligations under the Agreement.

This DPA shall apply to Processor’s processing of Personal Data, provided by the Controller as part of Processor’s obligations under the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect.

1. Definitions

Terms not otherwise defined herein shall have the meaning given to them in the EU GDPR or the Agreement. The following terms shall have the corresponding meanings assigned to them below:

2. Purpose of this Agreement

This DPA sets out various obligations of the Processor in relation to the Processing of Personal Data and shall be limited to the Processor’s obligations under the Agreement. If there is a conflict between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail.

3. Categories of Personal Data and Data Subjects

The Controller authorizes permission to the Processor to process the Personal Data to the extent of which is determined and regulated by the Controller. The current nature of the Personal Data is specified in Annex I to Schedule 1 to this DPA.

4. Purpose of Processing

The objective of Processing of Personal Data by the Processor shall be limited to the Processor’s provision of the Services to the Controller and or its Client, pursuant to the Agreement.

5. Duration of Processing

The Processor will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing by the Controller.

6. Data Controller’s Obligations

7. Data Processor’s Obligations

8. Data Secrecy

9. Audit Rights

10. Mechanism of Data Transfers

Any Data Transfer for the purpose of Processing by the Processor in a country outside the European Economic Area (the “EEA”) shall only take place in compliance as detailed in Schedule 1 to the DPA. Where such model clauses have not been executed at the same time as this DPA, the Processor shall not unduly withhold the execution of such template model clauses, where the transfer of Personal Data outside of the EEA is required for the performance of the Agreement.

11. Sub-processors

12. Personal Data Breach Notification

13. Return and Deletion of Personal Data

14. Technical and Organizational Measures

Having regard to the state of technological development and the cost of implementing any measures, the Processor will take appropriate technical and organizational measures against the unauthorized or unlawful processing of Personal Data and against the accidental loss or destruction of, or damage to, Personal Data to ensure a level of security appropriate to: (a) the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage; and (b) the nature of the data to be protected [including the measures stated in Annex II of Schedule 1].

Annex II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND
ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Description of the technical and organisational security measures implemented by SucceedSmart Inc. as the data processor/data importer to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Security

Personnel Security

SucceedSmart Inc. personnel are required to conduct themselves in a manner consistent with the company’s guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. SucceedSmart Inc. conducts reasonably appropriate background checks on any employees who will have access to client data under this Agreement, including in relation to employment history and criminal records, to the extent legally permissible and in accordance with applicable local labor law, customary practice and statutory regulations.

Personnel are required to execute a confidentiality agreement in writing at the time of hire and to protect Customer Personal Data at all times. Personnel must acknowledge receipt of, and compliance with, SucceedSmart Inc.’s confidentiality, privacy and security policies. Personnel are provided with privacy and security training on how to implement and comply with the Information Security Program. Personnel handling Customer Personal Data are required to complete additional requirements appropriate to their role (e.g., certifications). SucceedSmart Inc.’s personnel will not process Customer Personal Data without authorization.

Access Controls

Data Center and Network Security

Networks and Transmission

Annex III

List of Sub-Processors

The controller has authorized the use of the following sub-processors:

Name of Sub-Processor Description of Processing Location of Processor
Amazon Web Services Hosting the Production Environment Global