
Acceptable Usage Policy of GoodAccess VPN Services

Last updated and valid from 24 January 2022.

If you are accessing or using the GoodAccess Cloud VPN or related services (together “Services”) as provided by GoodAccess s.r.o., a Czech company with Id. 03513386 (“GoodAccess” or “we”), you must comply with this Acceptable Usage Policy:

  • You must not use the Services for any illegal or unethical activity or in breach of good manners and fair conduct norms. In particular, you must not use the Services in breach of intellectual property rights of other persons. You should know that copying and distributing (including uploading) of movies and pictures without obtaining a proper license is illegal in many jurisdictions.  
  • You must not use the Services for uploading, downloading or otherwise transmitting or storing any illegal content and, irrespective of whether such content is legal or illegal, you must not use the Services for transmitting or storing of:
      • child pornography,
      • any content supporting or promoting racism or other discrimination, extremism or any criminal activities, including terrorism,
      • malware, viruses and other malicious content,
      • any content which is harmful, threatening, abusive, harassing, defamatory, hateful or discriminatory,
      • personal data or confidential information without being properly entitled to do so.
  • You must not use the Services to attack or threaten other individuals or entities whether psychologically, physically or electronically.
  • You must not use the Services for any mass emailing, bulk emailing or sending of unsolicited messages, in particular for marketing purposes.  
  • You must keep your login details for the Services confidential and secure and you must not allow any other party to use the Services with your login details.
  • If you have admin rights to the Services, you must not create User accounts without being authorized to do so by the customer (“Customer”), who is a party to the contract with us governing the Services which you administer. While creating the User account, you must comply with the Terms of Use as available from https://www.goodaccess.com/legal (“Terms”).
  • You must not resell, sublicense or otherwise allow other parties to use the Services, or offer the same, whether for fees or other consideration or without consideration, except as permitted under the Terms.
  • You must not attempt to reverse engineer any GoodAccess software provided as part of the Services or other components used therein or assist anyone else in doing so.
  • You must not excessively use the Services in a way which is detrimental to us or other Users, in particular after we notify you that a particular way of use is detrimental.


Data Processing Agreement

Last updated and valid from 24 January 2022.

This is the Data Processing Agreement as referred to in the Terms of Service (“Terms”) governing the access to and use of GoodAccess Cloud VPN (“Services”), as provided by GoodAccess s.r.o., a Czech company with Id. 03513386 (“Data Processor”) to the Customer identified at registration for the Services (“Data Controller”).

If applicable under the Terms, this Data Processing Agreement (the “DPA”) is made between the Data Processor and the Data Controller by virtue of the Data Controller accepting the Terms, to reflect the parties’ agreement with respect to the Processing (as defined below) of Personal Data (as defined below) under the Terms. In case of discrepancy between this DPA and the Terms, this DPA prevails.

1. DEFINITIONS

1.1 Capitalized terms used in this DPA shall have the meanings given to them in the Terms and below:

(a) “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation)

(b) “Applicable Data Protection Law” means the following data protection law(s): (i) where Data Controller is established in a European Economic Area ("EEA") member state or where Data Controller's Agents or End-Users access the Services from an EEA member state: GDPR; (ii) where Data Controller is established in UK, the UK Data Protection Act 2018 (as may be amended or superseded), and (iii) where Data Controller is established in Switzerland, the Swiss Federal Act of 19 June 1992 on Data Protection (as may be amended or superseded).

(c) “Data Subject” means an individual who is the subject of Personal Data.

(d) “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.

(e) “Processing/To Process” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

(f) “Service Data” means all electronic data, text, messages or other materials transmitted via the Services by the Data Controller as a Customer or by such Customer’s Members, including, without limitation, Personal Data.

(g) “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries approved pursuant to Commission Decision (EU) 2021/914  of 4 June 2021, found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

(h) “Sub-processor” means any third party data processor engaged by Data Processor, who receives Personal Data from Data Processor for processing on behalf of Data Controller and in accordance with Data Controller's instructions (as communicated by Data Processor) and the terms of its written subcontract.

(i) “Supervisor” means any Data Protection Supervisory Authority with competence over Data Controller's and Data Processor's Processing of Personal Data.

2. PURPOSE

2.1 Data Controller and Data Processor have entered the agreement under the Terms pursuant to which Data Controller uses the Services. In providing the Services, Data Processor will engage, on behalf of Data Controller, in the Processing of Personal Data submitted to and stored within the Services by Data Controller.

2.2 The parties are entering into this DPA to ensure that the Processing by Data Processor of Personal Data, within the Services by Data Controller and/or on its behalf, is done in a manner compliant with Applicable Data Protection Law and its requirements regarding the collection, use and retention of Personal Data of Data Subjects.

3. OBLIGATIONS OF DATA PROCESSOR

3.1 The parties agree that the subject-matter and duration of Processing performed by Data Processor under this DPA, including the nature and purpose of Processing, the type of Personal Data, and categories of Data Subjects, shall be as described in Schedule 1 of this DPA and in the Terms.

3.2 As part of Data Processor providing the Services to Data Controller under the Terms, Data Processor agrees and declares as follows:

(a) to process Personal Data in accordance with Data Controller's documented instructions as set out in the Terms and this DPA or as otherwise necessary to provide the Services, except where required otherwise by applicable laws (and provided such laws do not conflict with Applicable Data Protection Law); in such case, Data Processor shall inform Data Controller of that legal requirement upon becoming aware of the same (except where prohibited by applicable laws);

(b) to ensure that all staff and management of the Processor are fully aware of their responsibilities to protect Personal Data in accordance with this DPA and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

(c) to implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access (a "Data Security Breach"), provided that such measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, so as to ensure a level of security appropriate to the risks represented by the Processing and the nature of the Data to be protected;

(d) to notify Data Controller, without undue delay, in the event of a confirmed Data Security Breach affecting Data Controller's Services Data and to cooperate with Data Controller as necessary to mitigate or remediate the Data Security Breach;

(e) to comply with the requirements of Section 4 (Use of Sub-processors) when engaging a Sub-processor;

(f) taking into account the nature of the Processing, to assist Data Controller (including by appropriate technical and organizational measures), insofar as it is commercially reasonable, to fulfil Data Controller's obligation to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law (a "Data Subject Request"). In the event the Data Processor receives a Data Subject Request directly from a Data Subject, it shall (unless prohibited by law) direct the Data Subject to the Data Controller in the first instance. However, in the event Data Controller is unable to address the Data Subject Request, taking into account the nature of the Processing and the information available to Data Processor, Data Processor shall, on Data Controller's request and at Data Controller's reasonable expense, address the Data Subject Request, as required under the Applicable Data Protection Law;

(g) upon request, to provide Data Controller with commercially reasonable information and assistance, taking into account the nature of the Processing and the information available to Data Processor, to help Data Controller to conduct any data protection impact assessment or Supervisor consultation it is required to conduct under Applicable Data Protection Law;

(h) upon termination of Data Controller's access to and use of the Services, to comply with the requirements of Section 8 (Return and Destruction of Personal Data);

(i) to comply with the requirements of Section 5 (Audit) in order to make available to Data Controller information that demonstrates Data Processor's compliance with this DPA; and

(j) Data Processor shall immediately inform Data Controller if, in its opinion, Data Controller's Processing instructions infringe any law or regulation. In such event, Data Processor is entitled to refuse Processing of Personal Data that it believes to be in violation of any law or regulation.

4. USE OF SUB-PROCESSORS

4.1 Data Controller agrees that Data Processor may appoint Sub-processors to assist it in providing the Services and Processing Personal Data provided that such Sub-processors:

(a) agree to act only on Data Processor’s instructions when Processing the Personal Data (which instructions shall be consistent with Data Controller's Processing instructions to Data Processor); and

(b) agree to protect the Personal Data to a standard consistent with the requirements of this DPA, including by implementing and maintaining appropriate technical and organizational measures to protect the Personal Data they Process consistent with the security measures described in Schedule 2.

5. Data Processor agrees and warrants to remain liable to Data Controller for the subcontracted Processing of any of its direct or indirect Sub-processors under this DPA. Data Processor shall maintain an up-to-date list of the names and location of all Sub-processors used for the Processing of Personal Data under this DPA at https://www.goodaccess.com/sub-processors. Data Processor shall update the list of any Sub-processor to be appointed at least 30 days prior to the date on which the Sub-processor shall commence processing Personal Data.

5.1 In the event that the Data Controller objects to the Processing of its Personal Data by any newly appointed Sub-processor, it shall inform the Data Processor immediately. In such event, Data Processor will either (a) instruct the Sub-processor to cease any further processing of Data Controller's Personal Data, in which event this DPA shall continue unaffected, or (b) allow Data Controller to terminate this DPA and the Services immediately and provide it with a pro rata reimbursement of any sums paid in advance for Services to be provided but not yet received by Data Controller as of the effective date of such termination.

6. AUDIT

6.1 The parties acknowledge that Data Processor may use external auditors to verify the adequacy of its security measures.

6.2 Data Processor shall provide responsive and reasonably detailed information to Data Controller's requests for information (including any requests by Data Controller under instruction from Data Subjects), which may include responses to relevant information security and audit questionnaires.

7. INTERNATIONAL DATA EXPORTS

7.1 For any transfers by Customer of Customer Personal Data from the EEA and its member states, UK or Switzerland (collectively, “Restricted Countries”) to the Data Processor in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Applicable Data Protection Law of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by a valid mechanism for the lawful transfer of Data Controller Personal Data recognized under Applicable Data Protection Law, such as those listed in this Section 7. For clarity, for transfers from the UK and Switzerland, references in the SCCs shall be interpreted to include applicable terminology for those jurisdictions (e.g., ‘Member State’ shall be interpreted to mean ‘United Kingdom’ for transfers from the United Kingdom).

7.2 Each party agrees to abide by and transfer Personal Data from the Restricted Countries in accordance with the SCCs, which are incorporated into this DPA by reference. Each party is deemed to have executed the SCCs by entering into this DPA.

7.3 The below shall apply to the SCCs, including the election of specific terms and/or optional clauses as described in more detail in (a)-(h) below, and any optional clauses not expressly selected are not included:

(a) Module 2 applies;

(b) for purposes of Clause 9 of the SCCs, Option 2 (‘General written authorization’) is selected and the process and time period for the addition or replacement of Sub-processors shall be as described in Section 5 (Use of Sub-processors) of this DPA;

(c) for purposes of Clause 13 and Annex 1.C of the SCCs, Data Controller shall maintain accurate records of the applicable Member State(s) and competent supervisory authority, which shall be made available to Data Processor on request;

(d) for purposes of Clause 17 and Clause 18 of the SCCs, the Member State for purposes of governing law and jurisdiction shall be the Czech Republic;

(e) for purposes of Annex 1.A, the ‘data importer’ shall be Data Processor and the ‘data exporter’ shall be Data Controller;

(f) for purposes of Annex 1.B, the description of the transfer is as described in Schedule 1 (Details of Data Processing) of this DPA;

(g) for purposes of Annex 2, the technical and organizational measures are described in Schedule 2 (Security Measures) of this DPA; and

(h) the Sub-processors for Annex III shall be as described in Section 4.1 (Authorized Sub-processors) of this DPA.

8. OBLIGATIONS OF DATA CONTROLLER

8.1 As part of Data Controller receiving the Services under the Terms, Data Controller agrees and declares as follows:

(a) it is solely responsible for the accuracy of Personal Data and the means by which such Personal Data is acquired and the Processing of Personal Data by Data Controller, including instructing Processing by Data Processor in accordance with this DPA, is and shall continue to be in accordance with all the relevant provisions of the Applicable Data Protection Law, particularly with respect to the collection, security, protection and disclosure of Personal Data;

(b) that Data Controller will inform its Data Subjects about its use of data processors to Process their Personal Data, including Data Processor, to the extent required under Applicable Data Protection Law;

(c) that it shall respond in reasonable time and to the extent reasonably practicable to enquiries by Data Subjects regarding the Processing of their Personal Data by Data Controller, and to give appropriate instructions to Data Processor in a timely manner.

9. RETURN AND DESTRUCTION OF PERSONAL DATA

9.1 Upon the termination of Data Controller's access to and use of the Services, Data Processor will up to 30 days following such termination permit Data Controller to export its Services Data, at its expense, in accordance with the capabilities of the Services. Following such a period, Data Processor shall have the right to delete all Services Data stored or Processed by Data Processor on behalf of Data Controller in accordance with Data Processor's deletion policies and procedures. Data Controller expressly consents to such deletion.

10. DURATION

10.1 This DPA will remain in force as long as Data Processor Processes Personal Data on behalf of Data Controller under the Terms.

11. MISCELLANEOUS

11.1 This DPA replaces any data protection agreement in place between the parties. This DPA may not be amended or modified except by a writing signed by both parties hereto. This DPA may be executed in counterparts. The terms and conditions of this DPA are confidential and each party agrees and represents, on behalf of itself, its employees and agents to whom it is permitted to disclose such information that it will not disclose such information to any third party; provided, however, that each party shall have the right to disclose such information to its officers, directors, employees, auditors, attorneys and third party contractors who are under an obligation to maintain the confidentiality thereof and further may disclose such information as necessary to comply with an order or subpoena of any administrative agency or court of competent jurisdiction or as reasonably necessary to comply with any applicable law or regulation. Data Controller may not, directly or indirectly, by operation of law or otherwise, assign all or any part of its rights under this DPA or delegate performance of its duties under this DPA without Data Processor's prior consent, which consent will not be unreasonably withheld. Data Processor may, without Data Controller's consent, assign this DPA to any affiliate or in connection with any merger or change of control of Data Processor or the sale of all or substantially all of its assets provided that any such successor agrees to fulfil its obligations pursuant to this DPA. Subject to the foregoing restrictions, this DPA will be fully binding upon, inure to the benefit of and be enforceable by the parties and their respective successors and assigns. This DPA and the Terms constitute the entire understanding between the parties with respect to the subject matter herein, and shall supersede any other arrangements, negotiations or discussions between the parties relating to that subject-matter.

12. GOVERNING LAW AND JURISDICTION

12.1 This DPA is governed by laws of the Czech Republic. Any dispute or claim arising out of, or in connection with this DPA shall be resolved by the competent courts of the Czech Republic with the local jurisdiction based on the registered address of Data Processor.


Schedule 1: Subject Matter and Details of the Data Processing

Subject Matter

Data Processor’s provision of the Services and related technical support to the Data Controller.

Duration of the Processing

The applicable term of Data Controller’s use of the Services plus the period from expiry of such Subscription Term until deletion of all Services Data by the Data Processor in accordance with the DPA.

Nature and Purpose of the Processing

The Data Processor will process Service Data, to the extent these qualify as Personal Data, by transmitting these Service Data via the Services, as instructed by the Data Controller or the Members.

Categories of Data

Personal Data transmitted via the Services may include the following categories of data: email addresses and other contact and identification details, documents, images and other content.

Data Subjects

Personal Data transmitted via the Services may concern the following categories of data subjects: Data Controller’s employees, contractors, customers, suppliers and other persons who interact with the Data Controller or Members.


Schedule 2: Security Measures

The Data Processor will implement and maintain the security measures set out in this Schedule 2. The Data Processor may update or modify such Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.

  1. Physical Access Controls: Data Processor shall take reasonable measures to prevent physical access, such as security personnel and secured buildings and factory premises, to prevent unauthorized persons from gaining access to Personal Data, or ensure third parties operating data centers on its behalf are adhering to such controls.
  2. System Access Controls: Data Processor shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes and/or logging of access on several levels.
  3. Data Access Controls: Data Processor shall take reasonable measures to provide that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access; and, that Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
  4. Transmission Controls: Data Processor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Services Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.
  5. Data Backup: Back-ups of the databases in the Services are taken on a regular basis, are secured, and encrypted to ensure that Personal Data is protected against accidental destruction or loss when hosted by the Data Processor.
  6. Logical Separation: Data from different Data Processor's subscriber environments is logically segregated on Data Processor's systems to ensure that Personal Data that is collected for different purposes may be Processed separately.




Copyright ©2023 GoodAccess
