SaaSWorks Data Processing Agreement
Customer and SaaSWorks, Inc. (“SaaSWorks”) hereby agree to the following Data Processing Agreement (the “DPA”) to their Customer Terms of Service (the “Agreement”), dated as of March 1, 2021 (“Effective Date”).
1. Designation of the Parties.
The parties agree that, for all data received from or on behalf of the Customer, or otherwise obtained in connection with the performance of SaaSWorks’ obligations under this DPA or the Agreement that relates to an identified or identifiable individual, including all sensitive financial information about or belonging to individuals, including any information that can be used to identify or contact a specific individual, such as first and last name, email address, telephone number, social security number, financial account information, credit card number, or otherwise relates to or is capable of identifying a natural person (“Personal Data”), the Customer shall be the controller or business and SaaSWorks shall be the processor or service provider, as these terms are defined under applicable privacy law. Each party shall comply with all relevant privacy laws and its relevant obligations under this DPA.
2. Use of Personal Data.
Personal Data will be accessed, used, maintained, collected, modified, merged, shared, disclosed or otherwise processed by SaaSWorks only as is necessary for SaaSWorks to perform its obligations under this DPA and the Agreement, or as otherwise required by the Customer in writing. When processing Personal Data on behalf of the Customer, SaaSWorks shall ensure that any person acting on its behalf or under its authority processes the Personal Data only in accordance with the Customer’s written instructions, including as set out in the applicable Agreement and/or statement of work (“Processing Instructions”). The Customer shall not provide any Processing Instructions that may infringe any applicable law.
3. Privacy and Security Policy.
SaaSWorks shall implement and maintain, at its cost and expense, commercially reasonable technical, organizational, and physical measures in relation to the processing of Personal Data by SaaSWorks. SaaSWorks shall ensure that its agents and representatives processing Personal Data on behalf of the Customer keep Personal Data confidential.
4. Agents and Subcontractors.
The Customer authorizes SaaSWorks to engage another processor to perform specific processing activities involving Personal Data on behalf of the Customer. In doing so, SaaSWorks shall enter into a binding written contract with the sub-processor (“Processor Contract”) which imposes substantially the same material data protection obligations contained in this DPA on the sub-processor.
5. Cooperation.
SaaSWorks shall provide reasonable assistance, information, and cooperation to the Customer to ensure compliance with the Customer’s obligations under relevant laws with
respect to: (i) data security; (ii) data breach notification; (iii) responding to requests relating to Personal Data and/or the Customer’s data privacy or security practices from regulators or individuals; and (iv) conducting privacy impact assessments. SaaSWorks shall reasonably cooperate with the Customer in the Customer's efforts to monitor SaaSWorks’ compliance with this DPA.
6. Cross Border Data Transfers.
The Customer understands and acknowledges that SaaSWorks may process Personal Data in the United States. It is the obligation of the Customer to notify SaaSWorks if any Personal Data relates to residents of the European Union, or any other jurisdiction with specific cross-border data transfer restrictions. Where such restrictions exist, the parties shall enter into Standard Contractual Clauses, or a similar mechanism, in order to legitimize such a transfer. Where SaaSWorks otherwise transfers Personal Data outside of its country of origin, SaaSWorks shall ensure that such transfer (and any onward transfer): (i) is pursuant to a written contract including provisions relating to security and confidentiality of any Personal Data; (ii) is made pursuant to a legally enforceable mechanism for such cross-border data transfers of Personal Data under relevant laws; (iii) is made in compliance with this DPA; and (iv) otherwise complies with relevant privacy laws.
7. Breaches.
In the event of any access or acquisition of Personal Data by an unauthorized third party, SaaSWorks shall notify the Customer of the data breach without undue delay. SaaSWorks warrants that if there has been a breach of Personal Data, all responsive steps will be documented and will reasonably cooperate with the Customer in the Customer's handling of the matter, SaaSWorks including without limitation any investigation, reporting or other obligations required by applicable law or regulation, including responding to regulatory inquiries or investigations, and will reasonably work with the Customer to otherwise respond to and mitigate any damages caused by the breach.
8. Information Management.
SaaSWorks shall, at the Customer’s written request, either securely delete or return any Personal Data to the Customer as soon as processing by SaaSWorks of any Personal Data is no longer required for SaaSWorks’ performance of its obligations under the Agreement and this DPA. As soon as reasonably possible upon completion of the Services under the Agreement, SaaSWorks shall securely delete all existing copies of Personal Data, unless storage of any data is required by applicable law, and if so, SaaSWorks shall notify the Customer of this in writing.
9. Indemnification.
The Customer agrees that it shall reimburse, indemnify, and hold SaaSWorks harmless for all costs incurred in responding to and/or mitigating damages relating to a third- party claim brought against SaaSWorks regarding the Customer’s processing of Personal Data where such processing is consistent with this DPA and the Processing Instructions.