GDPR - Data Sub-Processing Addendum

Last revised: March 13, 2022

Effective date: March 13, 2022

This Data Sub-Processing Addendum (“Addendum”) amends and forms part of the Terms of Service agreement governing the use of the Services and Products, and the Order form, if any (“Principal Agreement”), entered by and between you, a customer of the Services and Products (“you” or “your” or “Customer”) and Pathfix Inc. (“we” or “us” or “our” or “Pathfix”) to reflect the parties agreement with regard to the Processing of Personal Data by Pathfix solely on behalf of the Customer. The Customer and Pathfix may hereinafter be referred to individually as a “Party” and collectively as the “Parties”.

The scope and duration, as well as the extent and nature of the collection, processing and use of Customer Personal Data under this Addendum has been defined in the Principal Agreement. The term of this Addendum corresponds to the duration of the Principal Agreement.

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Principal Agreement.

By using the Services, you accept the terms and conditions of this Addendum and you represent and warrant that you have full authority to bind the Customer to this Addendum. If you cannot, or do not agree to, comply with and be bound by this Addendum, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.

If you need a signed copy of this Addendum, you can download this Addendum and send a signed copy to info@pathfix.com and we’ll provide you a countersigned copy.

NOW THEREFORE, THE PARTIES AGREE AS FOLLOWS:


1. DEFINITIONS AND INTERPRETATION

Unless otherwise defined herein, capitalized terms and expressions used in this Addendum shall have the following meaning;


a. “Addendum” means this Data Processing Addendum and all annexures attached hereto;

b.Pathfix” means Pathfix Inc., a Delaware Corporation and its affiliates and subsidiaries. 

c. "Business’,’ “Business Purpose”, Consumer", “Person”, “Personal Information”, “Sell”, "Service Provider" and “Third Party” shall have the meanings set forth in CCPA. 

d. “California Personal Information” means Personal Data that is protected under the CCPA.  

e. "CCPA" means California Civil Code Sec. 1798.100 et seq. (also known as the California Consumer Privacy Act of 2018) as may be amended from time to time, and any rules or regulations implementing the foregoing. 

f. “Customer Personal Data” means any Personal Data Processed by Pathfix on behalf of the Customer pursuant to or in connection with the Principal Agreement.

g. “Data Protection Laws” means the data protection or privacy laws, rules, and regulations of the European Union, the European Economic Area and their member states, and the State of California, United States applicable to the Processing of Customer Personal Data under this Addendum.

h. “Data Transfer” means:

  1. A transfer of Customer Personal Data from the Customer to Pathfix; or 
  2. an onward transfer of Customer Personal Data from Pathfix to a Sub-processors, or between two establishments of Pathfix, in each case, where such transfer would be prohibited by Data Protection Laws  

i. “EEA” means the European Economic Area; 

j. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;

k. “GDPR” means EU General Data Protection Regulation 2016/679;

l. “Services” means the services provided by Pathfix to the Customer pursuant to the Principal Agreement. 

m. "Standard Contractual Clauses" means the standard contractual clauses for Processors approved pursuant to the European Commission’s decision (EU) 2021/914 of 4 June 2021, for the transfer of personal data to third countries in the form set out in Annexure 3; as amended, superseded or replaced from time to time in accordance with this Addendum.

n. “Sub-processors” means any person or entity appointed by or on behalf of Pathfix to process Customer Personal Data on behalf of the Customer in connection with the Principal Agreement.

o. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. 

2. RELATIONSHIP AND ROLES OF THE PARTIES

The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data performed solely on behalf of Customer, (i) Customer is (or represents that it is acting with full authority on behalf of) the Processor of the Customer Personal Data, (ii) Pathfix is the Sub-processor of such Customer Personal Data; (iii) for the purposes of the CCPA (and to the extent applicable), Customer is the “Business” and Pathfix is the “Service Provider” (as such terms are defined in the CCPA), with respect to Processing of Customer Personal Data. In some circumstances, Customer may be a Controller, in which case Customer appoints Pathfix as Customer’s Processor, which shall not change the obligations of either Customer or Pathfix under this Addendum.

3. PROCESSING OF CUSTOMER PERSONAL DATA

a. The Parties agree that this Addendum and the Principal Agreement constitute Customers documented instructions regarding Pathfix’s Processing of Customer Personal Data. 

b. The scope of the processing of the Customer Personal Data provided by Customer to Pathfix for e.g. the subject-matter of the processing, the nature and purpose of the processing, the type of Personal Data and categories of data subjects are specified in Annexure 1 of this Addendum. 

c. The Customer shall in its use of the Services, and Customer’s instructions to Pathfix, comply with Data Protection Laws. The Customer shall ensure that its instructions will not cause Pathfix to be in breach of the Data Protection Laws. The Customer shall establish and have any and all required legal basis in order to collect, Process and transfer to Pathfix the Customer Personal Data, and to authorize the Processing by Pathfix, and for Pathfix’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.

d. In processing your Customer Personal Data, we will comply with Data Protection Laws. We shall as per our obligations under Article 28 of GDPR; 

  1. process the Customer Personal Data only in accordance with documented instructions from you (as set forth in this Addendum or the Principal Agreement or as directed by you through the Services). If Data Protection Laws require us to process the Customer Personal Data for any other purpose, we will inform you of this requirement first, unless such law(s) prohibit this on important grounds of public interest;
  2. notify you promptly if, in our opinion, an instruction for the processing of Customer Personal Data given by you infringes upon the Data Protection Laws;
  3. make available to you all information reasonably requested by you for the purpose of demonstrating that your obligations relating to the appointment of Sub-Processors have been met;
  4. not generate copies, duplicates and/or backups of the Customer Personal Data without the prior written consent and knowledge of the Customer.

e. We will assist you in your obligations under Articles 35 and 36 of GDPR by performing any required data protection impact assessments, and informing any supervisory authority if such assessment indicates that such processing would result in high risk in the absence of measures taken by you to mitigate the risk.

f. We will assist you in your obligations under Articles 15 through 18 of GDPR by providing you documentation, product functionality, or processes to assist you in retrieving, correcting, deleting or restricting Customer Personal Data.

g. We shall ensure that our personnel required to access the Customer Personal Data are subject to a binding duty of confidentiality with regard to such Customer Personal Data; and ensure that none of our personnel publish, disclose or divulge any Customer Personal Data to any third party. 

h. We will upon your written request following the expiration or earlier termination of the Principal Agreement securely delete such Customer Personal Data in our possession in compliance with procedures and retention periods outlined in our Principal Agreement.

i. Pathfix acknowledges and confirms that it does not receive or process any Customer Personal Data as consideration for any services or other items that Pathfix provides to the Customer under the Principal Agreement. Pathfix shall not have, derive, or exercise any rights or benefits regarding Customer Personal Data Processed on Customer’s behalf, and may use and disclose Customer Personal Data solely for the purposes for which such Customer Personal Data was provided to it, as stipulated in the Principal Agreement and this Addendum. Pathfix certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Customer Personal Data Processed hereunder, without the Customer’s prior written consent, nor taking any action that would cause any transfer of the Customer Personal Data to or from Pathfix under the Principal Agreement or this Addendum to qualify as “selling” such Customer Personal Data under the CCPA.


5. SECURITY

a. We implement and maintain appropriate technical and organizational measures (which may include, with respect to personnel, facilities, hardware and software, storage and networks, access controls, monitoring and logging, vulnerability and breach detection, incident response, encryption of Customer Personal Data while in transit and at rest) to protect the Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure in accordance with Annexure 2. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Customer Personal Data and appropriate to the nature of the Customer Personal Data which is to be protected. We may update the technical and organizational measures, provided, however, that such modifications shall not diminish the overall level of security.

b. Pathfix takes reasonable steps to confirm and ensure that all Pathfix representatives that may have access to the Customer Personal Data are protecting the security, privacy and confidentiality of the Customer Personal Data consistent with the requirements of this Addendum. 

c. If Pathfix becomes aware of and confirm any accidental, unauthorized or unlawful destruction, loss, alteration, or disclosure of, or access to your Customer Personal Data that Pathfix Processes in the course of providing the Services, Pathfix will notify you without undue delay in a manner as provided for under Section 8 of this Addendum.


6. SUB-PROCESSORS

a. Pathfix shall not engage any Sub-processor to process any Customer Personal Data under this Addendum without the Customer’s prior written consent. You provide general consent under Clause 11 of the Standard Contractual Clauses to our appointment of the applicable third party Sub-processors listed at our website for the Processing Customer Personal Data and for purposes described in this Addendum. Pathfix may update the list of approved Sub-processors at any time. 

b. The Sub-processor list as of the date of first use of the Services by the Customer is hereby deemed authorized, upon first use of the Services. The Customer may reasonably object to Pathfix’s use of an existing Sub-processor by providing a written objection to info@pathfix.com within thirty (30) days from the date on which the list of Sub-processors is updated by Pathfix. The Customer’s failure to object to such a new Sub-processor in writing within thirty (30) days from the date on which the list of Sub-processors is updated by Pathfix shall be deemed as acceptance of the new Sub-processor by the Customer.

c. In the event Customer reasonably objects to an existing Sub-processor, as permitted in the preceding sentences, Customer may, as a sole remedy, terminate the applicable Principal Agreement and this Addendum with respect only to those Services which cannot be provided by Pathfix without the use of the objected to Sub-processor by providing written notice to Pathfix provided that all amounts due under the Principal Agreement before the termination date with respect to the Processing at issue shall be duly paid to Pathfix. The Customer will have no further claims against Pathfix due to (i) past use of approved Sub-processors prior to the date of objection or (ii) the termination of the Principal Agreement (including, without limitation, requesting refunds) and the Addendum in the situation described in this paragraph. 

d. Pathfix has entered into a written agreement with each Sub-processor containing appropriate safeguards to the protection of Customer Personal Data. Where Pathfix engages a new Sub-processor for carrying out specific Processing activities on behalf of the Customer, the same or materially similar data protection obligations as set out in this Addendum shall be imposed on such new Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.


7. DATA SUBJECT RIGHTS

a. Pathfix shall, to the extent legally permitted, promptly notify the Customer or refer Data Subject or Consumer, as the case may be, to Customer, if Pathfix receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under Data Protection Law) of access, right to rectification, restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, its right not to be subject to an automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against for exercising any CCPA Consumer rights (“Data Subject Request”). 

b. Taking into account the nature of the Processing, Pathfix shall assist Customer by appropriate technical and organizational measures, insofar as this is possible and reasonable, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Pathfix may refer Data Subject Requests received, and the Data Subjects making them, directly to the Customer for its treatment of such Data Subject Requests.

c. Pathfix shall not respond to Data Subject Requests except on the documented instructions of the Customer or as required by Data Protection Laws to which the Pathfix is subject, in which case Pathfix shall to the extent permitted by Data Protection Laws inform the Customer of that legal requirement before Pathfix responds to the Data Subject Request.


8. PERSONAL DATA BREACH

a. Pathfix shall to the extent required under applicable Data Protection Laws, notify the Customer without undue delay and in any event within forty eight (48) hours of becoming aware of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data Processed on behalf of the Customer, including Customer Personal Data transmitted, stored or otherwise Processed by Pathfix or its Sub-processors of which Pathfix becomes aware (a “Personal Data Breach”). 

b. Pathfix shall at the Customer’s instructions make reasonable efforts to identify the cause of such Personal Data Breach and take those steps that Pathfix deems necessary and reasonable in order to investigate, mitigate or remediate the cause of such a Personal Data Breach to the extent the investigation, mitigation and remediation is within Pathfix’s reasonable control. The obligations herein shall not apply to incidents that are caused by the Customer or the Customer’s end users i.e. Controllers. 

c. Customer will not make, disclose, release or publish any finding, admission of liability, communication, notice, press release or report concerning any Personal Data Breach which directly or indirectly identifies Pathfix (including in any legal proceeding or in any notification to regulatory or supervisory authorities or affected individuals) without Pathfix’s prior written approval, unless, and solely to the extent that, Customer is compelled to do so pursuant to applicable Data Protection Laws. In the latter case, unless prohibited by law, Customer shall provide Pathfix with reasonable prior written notice to provide Pathfix with the opportunity to object to such disclosure and in any case Customer will limit the disclosure to the minimum scope required.


9. DELETION OR RETURN OF CUSTOMER PERSONAL DATA

a. The Parties agree that on the termination of the Services or upon Customer’s reasonable request, Pathfix shall, and shall cause any Sub-processors to, at the choice of the Customer. 

  1. Return all the Customer Personal Data and copies of such Customer Personal Data to the Customer or 
  2. securely destroy them and demonstrate to the satisfaction of the Customer that it has taken such measures, unless Data Protection Laws prevent Pathfix from returning or destroying all or part of the Customer Personal Data disclosed. 

b. In case Pathfix, under any Data Protection Laws is prevented from returning or destroying all or part of the Customer Personal Data disclosed, Pathfix agrees to preserve the confidentiality of the Customer Personal Data retained by it and shall ensure that it will only actively process such Customer Personal Data after such date in order to comply with Data Protection Laws.  

c. To the extent authorized or required by Data Protection Laws, Pathfix may also retain one copy of the Customer Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations. 


10. AUDIT RIGHTS

a. Upon Customer’s fourteen (14) days prior written request at reasonable intervals (no more than once every twelve (12) months), and subject to strict confidentiality undertakings by Customer, Pathfix shall make available to the Customer that is not a competitor of Pathfix (or Customer’s independent, reputable, third-party auditor that is not a competitor of Pathfix and not in conflict with Pathfix, subject to their confidentiality and non-compete undertakings) all information necessary to demonstrate compliance with this Addendum and allow for and contribute to audits, including inspections, conducted by them (provided, however, that such information, audits, inspections and the results therefrom, including the documents reflecting the outcome of the audit and/or the inspections, shall onl