This Personal Data Processing Agreement with its Schedules (“DPA”) forms part of the agreement between APAutomated Limited and the Customer for the provision of APAutomated’s software products or cloud-based software application services to the Customer (“Services”) (the “Agreement”).
Where there is any conflict between the terms of this DPA and any other part of the Agreement, the following order of precedence shall apply: (1) any Transfer Mechanism applicable to the Agreement; (2) this DPA; and (3) any other part of the Agreement.
DEFINITIONS
Capitalised terms used in this DPA that are not defined herein shall have the meaning given to them under the relevant Data Protection Laws, and a list of equivalent terms in the Data Protection Laws can be found in Schedule 3. Other capitalised terms in this DPA shall have the meaning given to them below.
“Adequacy Decision”: a finding by the European Commission, or a government or body authorised to make a finding, in accordance with Data Protection Laws, that a recipient country ensures an adequate level of protection of Personal Data, so that further steps/mechanisms are not required to be implemented under Data Protection Laws in relation to a Transfer to a Non-Adequate Country.
“Affiliate”: an entity that directly or indirectly controls, or is controlled by, or under common control with, the subject entity. “Control” for purposes of this definition means the ownership or control (whether directly or indirectly) of at least 50% of the voting rights in the entity, or otherwise the power to direct the management and policies of the entity.
“Customer”: the Customer entity that has entered into the Agreement and where applicable, any Customer Affiliate.
“Data Protection Laws”: any applicable local, national, or international laws, rules and regulations related to privacy, security, data protection, and/or the Processing of Personal Data, as amended, replaced, or superseded from time to time. Depending on where the Customer is based, this may include but is not limited to: (a) the General Data Protection Regulation (EU) 2016/679 (“GDPR”); European Union (“EU”) member state data protection laws; and the Privacy and Electronic Communications Directive 2002/58/EC on Privacy and Electronic Communications; (b) the UK Data Protection Act 2018 (and regulations made thereunder) and UK GDPR; and the Privacy and Electronic Communications (EC Directive) Regulations 2003; (c) the California Consumer Privacy Act of 2018 (“CCPA”); the California Privacy Rights Act of 2020 (“CPRA”); (d) the Canada Personal Information Protection and Electronic Documents Act (PIPEDA); (e) the Swiss Federal Act on Data Protection; (f) the South Africa Protection of Personal Information Act (POPIA); and (g) the Australian Privacy Act 1988.
“Data Subject”: an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Deidentified Information”: information that cannot reasonably be used to infer information about, or otherwise be linked to, a particular Data Subject.
“Non-Adequate Country”: a country that is not covered by an Adequacy Decision.
“Parties”: the parties to this DPA, specifically (i) APAutomated and (ii) the Customer, each a “Party”.
“Personal Data”: information relating to a natural person that is included in the data provided, inputted, or submitted by the Customer, or one of the Customer’s Affiliates, Users, or others on the Customer’s behalf, into the Services provided under the Agreement, or shared with APAutomated by any means in connection with the Services and the Agreement.
“Transfer to a Non-Adequate Country”: a transfer of Personal Data to a Non-Adequate Country.
“Transfer Mechanism”: the relevant module of the standard contractual clauses for a Transfer to a Non-Adequate Country pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, implemented through Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (“SCCs”), as adapted for any jurisdiction to the extent permitted by Data Protection Laws, or similar mechanism in respect of any other jurisdiction, such as the UK Addendum template or UK International Data Transfer Agreement template as issued by the ICO in accordance with s.119A of the Data Protection Act 2018.
“APAutomated”: the APAutomated entity which has entered into the Agreement.
“Sensitive Personal Data”: any Personal Data that is given a higher level of protection under Data Protection Laws.
“Sub-Processor”: another party engaged by a Processor to assist with the Processing of Personal Data on behalf of a Controller.
“User”: an individual who is authorised to use the Services (for instance, individuals who have been supplied with a user identification and password by the Customer, or by APAutomated at the Customer’s request). Users may include Customer’s employees, consultants, contractors, agents or other third parties.
PROCESSING ROLES
- Except as set out in Schedule 1 (Purpose(s) of the Processing, part (b)), the Parties agree that where Data Protection Laws apply to the Processing of Personal Data, the Customer is the Controller, and APAutomated is the Processor in relation to the Processing (which is more fully described in Schedule 1) and APAutomated will act in accordance with the Customer’s documented instructions and in accordance with the Data Protection Laws in carrying out that Processing.
- Where the Customer itself is acting as a Processor under Data Protection Laws in Processing Personal Data described in Schedule 1 on behalf of its own customers or other parties, APAutomated will be the Customer’s Sub-Processor, and the obligations in this DPA will apply to APAutomated as a Sub-Processor.
CUSTOMER’S OBLIGATIONS
- The Customer shall comply with, and procure the compliance of Customer Affiliates, Users, other contacts of the Customer, or third parties who may use the Services with, the Data Protection Laws in Processing Personal Data ahead of sharing it in connection with APAutomated’s provision of the Services to Customer.
- The Customer warrants on an ongoing basis that:
- it has an appropriate lawful basis under Data Protection Laws to share Personal Data with APAutomated in connection with the provision of the Services; and
- where it is acting as a Processor under Data Protection Laws, the relevant Controller has authorised: (i) the Customer’s Personal Data Processing instructions to APAutomated (as set out in this DPA); (ii) the Customer’s appointment of APAutomated as a Sub-Processor; and (iii) APAutomated’s use of further Sub-Processors as described in clause 4.9 (Use of Sub-Processors).
- The Customer further agrees that it shall:
- where necessary, and as required by the Data Protection Laws, provide sufficient information to Data Subjects regarding the Processing of their Personal Data, or procure the same, for: (i) the Customer to share the Personal Data with APAutomated for the provision of the Services; and (ii) APAutomated to Process the Personal Data for the purposes set out in the Agreement and in accordance with Data Protection Laws;
- not do or cause APAutomated to do anything which would put APAutomated in breach of Data Protection Laws or violate the rights of any Data Subject; and
- provide reasonable assistance to APAutomated in complying with APAutomated’s obligations under Data Protection Laws, including by entering into any amendments or additions to this DPA which may be necessary to reflect any changes in the Customer’s, or APAutomated’s, Personal Data Processing activities, or otherwise as required by Data Protection Laws.
APAUTOMATED’S OBLIGATIONS
INSTRUCTIONS
- By entering into the Agreement, where APAutomated is operating as a Processor or Sub-Processor, Customer is instructing APAutomated to Process Personal Data to provide the Services and any related support to the Customer. APAutomated’s Personal Data Processing activities for these purposes are more fully described in Schedule 1. The Customer further instructs APAutomated to comply with APAutomated’s Personal Data Processing obligations as a Processor or Sub-Processor as set out in the rest of this DPA.
- APAutomated shall notify the Customer of any legal requirement which may prevent APAutomated from complying with Customer’s instructions as set out in this DPA, unless the legal requirement prohibits this.
- APAutomated shall inform the Customer without delay if, in APAutomated’s opinion, instructions given by the Customer infringe Data Protection Laws.
- APAutomated shall promptly notify the Customer if it determines that it can no longer meet its obligations under Data Protection Laws or this DPA.
- APAutomated shall comply with the Data Protection Laws whilst such Personal Data is in its control.
- Where the CCPA (as amended by the CPRA) applies:
- If APAutomated receives Deidentified Information from Customer, APAutomated shall (a) take reasonable measures to ensure that Deidentified Information cannot be associated with a Data Subject or household, (b) publicly commit to maintain and use the Deidentified Information in deidentified form, and (c) not attempt to reidentify the Deidentified Information except for the sole purpose of determining whether our deidentification processes satisfy the requirements of applicable Data Protection Laws.
- Where APAutomated is acting as a Service Provider, APAutomated shall not combine Personal Data with Personal Data we receive from or on behalf of another person or entity or collect from our own interactions with a Data Subject, except to perform a business purpose as defined in applicable Data Protection Laws.
- APAutomated shall not share, sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate orally, in writing, or by electronic or other means, Personal Data to another person or entity for: (i) monetary or other valuable consideration; or (ii) cross-context behavioural advertising for the benefit of a business in which no money is exchanged.
- Customer shall have the right, upon notice, to stop and remediate any unauthorised Processing of Personal Data.
SECURITY
- APAutomated shall have in place at all times appropriate technical and organisational measures to prevent any unauthorised or unlawful Processing, or accidental loss or destruction, of Personal Data, taking into account the state of the art, the costs of implementation, the nature of the relevant Personal Data Processing, and the risk to the rights and freedoms of the relevant Data Subjects. Such security measures may include:
- the pseudonymisation or encryption of Personal Data;
- the ability to timely restore the availability and access to Personal Data in the event of an incident;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems; and
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures.
- APAutomated shall:
- take reasonable steps to ensure the reliability of any personnel who may have access to the Personal Data;
- ensure that access, if any, to the Personal Data is strictly limited to those individuals who need to know and/or access the Personal Data for the purposes set out in the Agreement; and
- ensure that personnel authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
USE OF SUB-PROCESSORS
- The Customer hereby generally authorises APAutomated’s use of Sub-Processors and APAutomated’s list of criteria used to select and appoint a Sub-Processor, which is as follows:
- APAutomated will conduct reasonable due diligence on the data privacy and security measures of proposed Sub-Processors before providing them with access to Personal Data;
- APAutomated will carry out data protection impact assessments ahead of appointing a Sub-Processor where any Processing of Personal Data by a Sub-Processor is likely to result in a high risk to the rights and freedoms of Data Subjects;
- as required under Data Protection Laws, APAutomated will ensure that it puts in place a contract with any appointed Sub-Processor which imposes on the Sub-Processor, in substance, the same data protection obligations as imposed on APAutomated in this DPA; and
- APAutomated shall keep its relationships with Sub-Processors under review and take any further steps as may be required under Data Protection Laws or in relation to any changes to Customer’s or APAutomated’s Personal Data Processing activities.
- APAutomated shall remain fully responsible to the Customer for the performance of the Sub-Processor’s obligations under the Sub-Processor’s contract with APAutomated.
- A list of APAutomated’s Sub-Processors is available upon request. Given APAutomated’s international organisation, APAutomated’s Affiliates may be involved in the Processing of Personal Data, in particular for support purposes. When this occurs, APAutomated Affiliates act as Sub-Processors and intra-group data processing agreements govern the Processing of Personal Data.
- If APAutomated wishes to make any changes to Sub-Processors, APAutomated shall inform the Customer where we consider this to have a material effect on the Services provided to the Customer as required by the applicable Data Protection Laws and as described in the region-specific terms, and the Customer may reasonably object within thirty (30) days to such changes.
INTERNATIONAL TRANSFERS
- The Customer acknowledges and accepts that the provision of the Services may involve the Processing of Personal Data by APAutomated or its Sub-Processors in countries outside of the country in which the Customer, Customer’s Affiliates or Users are based, subject to the terms of this DPA.
- APAutomated shall comply with Data Protection Laws in carrying out any international transfers of Personal Data. Depending on the transfer and the region in which the Customer, Customer’s Affiliates or Users are located, specific international transfer provisions will apply which may include, where applicable, APAutomated’s intra-group data processing agreements, or any other Transfer Mechanism. For the purposes of compliance with this clause 4.14, the EU SCCs set out in Schedule 2 are incorporated into this Agreement to be relied on to the extent necessary to cover such transfers.
- The Customer agrees that APAutomated may transfer Personal Data between APAutomated Affiliates on the terms of its intra-group data processing agreements, which incorporate appropriate data transfer mechanisms.
- In the event that a Transfer to a Non-Adequate Country is necessary between the Customer and an APAutomated Affiliate as no other valid transfer mechanism applies to such transfer, the transfer shall not be made until the Customer and relevant APAutomated Affiliate have entered into a contractual agreement incorporating the EU SCCs; the controller-controller module, controller-processor module, and/or processor-processor module will apply accordingly, depending upon the respective roles of each party as controller or processor, details of which are set out in Schedule 2.
PERSONAL DATA BREACH
- In the case of a Personal Data Breach, APAutomated shall notify the Customer without undue delay, and take actions that APAutomated reasonably considers necessary and possible to contain and mitigate the effects of such Personal Data Breach (subject to any instructions regarding the same from the Customer).
- The notification referred to in clause 4.17 above shall at least:
- describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
- communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
- describe the likely consequences of the Personal Data Breach; and
- describe the measures taken or proposed to be taken by the controller to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay.
AUDIT
- Subject to any audit provisions in the Agreement, APAutomated shall provide the Customer with information reasonably necessary to demonstrate APAutomated’s compliance with this DPA. Only to the extent Customer cannot reasonably satisfy itself of APAutomated’s compliance with this DPA, APAutomated will allow the Customer to conduct an audit of APAutomated’s Processing of the relevant Personal Data, at Customer’s sole cost and expense.
- The frequency of inspections set out in clause 4.19 above shall be no more than once a year and the scope of the audit shall be agreed to at least 30 days prior to the date of the audit. This is without prejudice to the right of the Customer to carry out further inspections on an ad hoc basis in the event of violations of data protection obligations by APAutomated or APAutomated’s Sub-Processors.
OTHER
- APAutomated shall, without undue delay, notify the Customer in relation to any communication from a Data Subject, Supervisory Authority or other body in relation to Personal Data.
- Taking into account the nature of the Processing, APAutomated shall:
- assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for any obligations the Customer has under Data Protection Laws to respond to requests from individuals for exercising their rights; and
- provide the Customer with reasonable assistance to comply with any obligations it has under Data Protection Laws relating to: (i) ensuring the security of the Personal Data; (ii) notifications of Personal Data Breaches to Supervisory Authorities; (iii) prior consultations with Supervisory Authorities; (iv) communication of any Personal Data Breaches to Data Subjects; and (v) data protection impact assessments.
- Where APAutomated is acting as a Processor or Sub-Processor on behalf of the Customer, at the end of APAutomated’s provision of the Services, APAutomated shall, at the choice of the Customer, delete or return to the Customer all Personal Data Processed by APAutomated on the Customer’s behalf and delete existing copies unless Data Protection Laws require storage of the Personal Data.
Schedule 1 – Description of Personal Data Processing
Categories of Data Subjects whose Personal Data is Processed
Depending on what Personal Data the Customer, a Customer Affiliate or a User submits to the Services, or otherwise share(s) with APAutomated, in connection with the Services provided under the Agreement, APAutomated may Process Personal Data relating to the following individuals:
- Customer’s employees, contractors, workers, applicants or other personnel;
- Customer’s suppliers, customers, business partners, or prospects (where such parties are individuals);
- Users to the extent not covered above; and
- Other contacts the Customer may have (where they are individuals and not covered above).
Categories of Personal Data processed
Personal Data the Customer submits to the Services provided under the Agreement, or otherwise shares with APAutomated or an APAutomated Affiliate, in order for APAutomated to provide such Services, is determined by the Customer at the Customer’s discretion. As many of our Services are customisable, the Personal Data submitted/shared will often depend on the options and the commercialisation method chosen by the Customer.
A breakdown of Personal Data Processed by APAutomated to provide our key Services is below (provided that this data relates to an individual).
- Business profile information: name and contact details, registration details, business type, where registered, payment details, transaction information and history, tax records, relationship information and correspondence with business.
- Invoice information: name and contact details, account information, registration details, tax number, payment amount, payment terms, and details of Services covered by invoice.
- Payroll information (only for payroll products/payroll add-ons): name and contact details, registration/reference numbers, basic pay amount, tax types and amounts, deduction types and amounts, payment amounts and frequency, bank account details, tax code, social security number, pay period, gross and net earnings, hours totals, sick and holiday pay amounts.
- HR information (only for HR products/HR add-ons): name, role, level in organisation, address and other contact details, payroll information (see above), date of birth, appraisal records, absence records, sickness records, holiday information (holiday dates, duration, reason, frequency), disciplinary and grievance records, job and salary history, next of kin, dependencies, emergency contact information.
- Planning and forecasting information (only for reporting/forecasting products or add-ons): information in the categories above (as applicable), inventory records, order and warehousing records.
- Client management information (only for client management products/add-ons): name, address, and other contact information and other personal information on engagement letters and proposals, anti-money laundering (AML) information, and know-your-client (KYC) information.
- Information captured through any specific additional functionality required (depending on type of functionality): information in the categories above (as applicable), bank information, forecasting and prediction information (predicted costs, sales, expenses, cash, profit, tax liability, overdue invoices/bills, budgets and comparisons).
Sensitive Personal Data (including “Special Category” data under the GDPR, i.e. data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation) may at times be captured and transferred in connection with the Services, if shared by a Data Subject described above.
APAutomated ensures that it applies additional restrictions or safeguards with regard to Processing Sensitive Personal Data, including by: (i) ensuring that the Processing of Sensitive Personal Data is avoided wherever possible; (ii) accountability processes (for instance carrying out data protection impact assessments) are followed in relation to Processing Sensitive Personal Data; (iii) staff are provided with appropriate training on handling Sensitive Personal Data; (iv) additional contractual and due diligence measures are applied where possible; and (v) anonymisation, pseudonymisation and password-protection are applied to Sensitive Personal Data where possible.
Frequency of the Processing
Continuous basis based on the Customer or a Customer Affiliate’s use of the Services.
Nature of the Processing
APAutomated may Process Personal Data described above in the following ways in order to provide the Services to the Customer: collection, recording, organisation, structuring, storage, copying, displaying, reformatting, adaptation or alteration, anonymisation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, synchronisation with cloud services.
Purpose(s) of the Processing
- Personal Data is Processed by APAutomated as a Processor (or Sub-Processor, where the Customer is a Processor) to provide, protect, support, enable, improve and maintain the Services in connection with the Agreement. If the Customer opts to subscribe to, or interact with, any particular additional Services (as described in the Agreement), APAutomated may upload, copy and/or transfer Customer’s Personal Data to facilitate these options. Where applicable, this may include synchronising Customer Personal Data with certain APAutomated cloud-based Services. If the Customer chooses to connect the Services to third-party products or services, APAutomated will use the Customer’s Personal Data to make that connection. Where APAutomated receives Personal Data because of that connection, APAutomated will use that Personal Data in line with the Agreement.
- If the Customer directs APAutomated to Process Personal Data as part of a Service that utilises artificial intelligence, this may be undertaken by APAutomated as a Controller. APAutomated also Processes Personal Data as a Controller for the purposes set out in the APAutomated Privacy Notice. In all such cases, APAutomated will comply with all relevant provisions in this DPA and requirements under Data Protection Laws.
- Notwithstanding anything to the contrary in the previous section, where the CCPA (as amended by the CPRA) applies, if the Customer opts-in or otherwise directs APAutomated to Process Personal Data as part of a Service that utilises artificial intelligence, APAutomated will Process Personal Data as a Service Provider for solely internal uses, where permitted under applicable Data Protection Laws. Where Data Protection Laws prohibit APAutomated from Processing Personal Data for solely internal uses, APAutomated will comply with the following:
- APAutomated will Process Personal Data only for the limited and specified purpose of providing the Service that utilises artificial intelligence.
- APAutomated will comply with applicable Data Protection Laws, including providing the same level of protection for the Personal Data as required by Data Protection Laws.
- Customer may take reasonable and appropriate steps to ensure that APAutomated uses the Personal Data in a manner consistent with the obligations imposed by the applicable Data Protection Laws, and Customer may, upon notice, take reasonable and appropriate steps to remediate unauthorised use of Personal Data.
- APAutomated will promptly notify Customer if APAutomated determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.
Schedule 2 – Transfer Mechanism
1.2 European Transfers. Where Personal Data protected by the EU Data Protection Law is transferred, either directly or via onward transfer, to a country outside of Europe that is not subject to an adequacy decision, the following applies:
(a) The EU SCCs are hereby incorporated into this DPA by reference as follows:
(i) Customer is the “data exporter” and APAutomated is the “data importer”.
(ii) Module One (Controller to Controller) applies where APAutomated is Processing APAutomated Account Data or APAutomated Usage Data.
(iii) Module Two (Controller to Processor) applies where Customer is a Controller of Customer Personal Data and APAutomated is Processing Customer Personal data as a Processor.
(iv) Module Three (Processor to Processor) applies where Customer is a Processor of Customer Personal Data and APAutomated is Processing Customer Personal Data as another Processor.
(v) By entering into this DPA, each party is deemed to have signed the EU SCCs as of the commencement date of the Agreement.
(b) For each Module, where applicable:
(i) In Clause 7, the optional docking clause does not apply.
(ii) In Clause 9, Option 2 applies, and the time period for prior notice of Sub-processor changes is stated in Section 4.12 (Sub-processing) of this DPA.
(iii) In Clause 11, the optional language does not apply.
(iv) In Clause 17, Option 1 applies, and the EU SCCs are governed by Irish law.
(v) In Clause 18(b), disputes will be resolved before the courts of Ireland.
(vi) The Appendix of EU SCCs is populated as follows:
- The information required for Annex I(A) is located in the Agreement and/or relevant Orders.
- The information required for Annex I(B) is located in Schedule 1 (Description of Processing) of this DPA.
- The competent supervisory authority in Annex I(C) will be determined in accordance with the Applicable Data Protection Law; and
- The information required for Annex II is located here.
1.3 Swiss Transfers. Where Personal Data protected by the Swiss FADP is transferred, either directly or via onward transfer, to any other country that is not subject to an adequacy decision, the EU SCCs apply as stated in Section 1.2 (European Transfers) above with the following modifications:
(a) All references in the EU SCCs to “Regulation (EU) 2016/679” will be interpreted as references to the Swiss FADP, and references to specific Articles of “Regulation (EU) 2016/679” will be replaced with the equivalent article or section of the Swiss FADP; all references to the EU Data Protection Law in this DPA will be interpreted as references to the FADP.
(b) In Clause 13, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
(c) In Clause 17, the EU SCCs are governed by the laws of Switzerland.
(d) In Clause 18(b), disputes will be resolved before the courts of Switzerland.
(e) All references to Member State will be interpreted to include Switzerland and Data Subjects in Switzerland are not excluded from enforcing their rights in their place of habitual residence in accordance with Clause 18(c).
1.4 United Kingdom Transfers. Where Personal Data protected by the UK Data Protection Law is transferred, either directly or via onward transfer, to a country outside of the United Kingdom that is not subject to an adequacy decision, the following applies:
(a) The EU SCCs apply as set forth in Section 1.2 (European Transfers) above with the following modifications:
(i) Each party shall be deemed to have signed the UK Addendum.
(ii) For Table 1 of the UK Addendum, the parties’ key contact information is located in the Agreement and/or relevant Orders.
(iii) For Table 2 of the UK Addendum, the relevant information about the version of the EU SCCs, modules, and selected clauses which this UK Addendum is appended to is located above in Section 1.2 (European Transfers) of this Schedule.
(iv) For Table 3 of the UK Addendum:
- The information required for Annex 1A is located in the Agreement and/or relevant Orders.
- The information required for Annex 1B is located in Schedule 1 (Description of Processing) of this DPA.
- The information required for Annex II is located here.
- The information required for Annex III is located in Section 4 (Sub-processing) of this DPA.
(b) In Table 4 of the UK Addendum, both the data importer and data exporter may end the UK Addendum.
1.5 Data Privacy Framework. APAutomated participates in and certifies compliance with the Data Privacy Framework. As required by the Data Privacy Framework, APAutomated (i) provides at least the same level of privacy protection as is required by the Data Privacy Framework Principles; (ii) will notify Customer if APAutomated makes a determination it can no longer meet its obligation to provide the same level of protection as is required by the Data Privacy Framework Principles, and (iii) will, upon written notice, take reasonable and appropriate steps to remediate any unauthorized Processing of Personal Data.
2. United States of America. The following terms apply where APAutomated Processes Personal Data subject to the US State Privacy Laws:
2.1. To the extent Customer Personal Data includes personal information protected under US State Privacy Laws that APAutomated Processes as a Service Provider or Processor, on behalf of Customer, APAutomated will Process such Customer Personal Data in accordance with the US State Privacy Laws, including by complying with applicable sections of the US State Privacy Laws and providing the same level of privacy protection as required by US State Privacy Laws, and in accordance with Customer’s written instructions, as necessary for the limited and specified purposes identified in Section 1.1(a) (Customer Personal Data) and Schedule 1 (Description of Processing) of this DPA. APAutomated will not:
(a) retain, use, disclose or otherwise Process such Customer Personal Data for a commercial purpose other than for the limited and specified purposes identified in this DPA, the Agreement, and/or any related Order, or as otherwise permitted under US State Privacy Laws;
(b) “sell” or “share” such Customer Personal Data within the meaning of the US State Privacy Laws; and
(c) retain, use, disclose or otherwise Process such Customer Personal Data outside the direct business relationship with Customer and not combine such Customer Personal Data with personal information that it receives from other sources, except as permitted under US State Privacy Laws.
2.2. APAutomated must inform Customer if it determines that it can no longer meet its obligations under US State Privacy Laws within the timeframe specified by such laws, in which case Customer may take reasonable and appropriate steps to prevent, stop, or remediate any unauthorized Processing of such Customer Personal Data.
2.3. To the extent Customer discloses or otherwise makes available Deidentified Data to APAutomated or to the extent APAutomated creates Deidentified Data from Customer Personal Data, in each case in its capacity as a Service Provider, APAutomated will:
(a) adopt reasonable measures to prevent such Deidentified Data from being used to infer information about, or otherwise being linked to, a particular natural person or household;
(b) publicly commit to maintain and use such Deidentified Data in a de-identified form and to not attempt to re-identify the Deidentified Data, except that APAutomated may attempt to re-identify such data solely for the purpose of determining whether its de-identification processes are compliant with the US State Privacy Laws; and
(c) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 2.3 (including imposing this requirement on any further Recipients).
3.2. To the extent Customer discloses or otherwise makes available Deidentified Data to APAutomated, APAutomated will:
(a) maintain and use such Deidentified Data in a de-identified form and not attempt to re-identify the Deidentified Data; and
(b) before sharing Deidentified Data with any other party, including Sub-processors, contractors, or any other persons (“Recipients”), contractually obligate any such Recipients to comply with all requirements of this Section 3.2 (including imposing this requirement on any further Recipients).
Schedule 3 – Equivalent terms
Term in DPA | Equivalent terms in other Data Protection Laws |
Personal Data | Personal Information, Personally Identifiable Information |
Controller | Responsible Party, Business |
Personal Data Breach | Security Compromise, POPIA Data Breach |
Processor | Operator, Service Provider, Contractor |
Data Subject | Consumer |