DATA PROCESSING AGREEMENT

This Data Processing Agreement is an integral part of the agreements for the provisioning of Software between the Parties (hereinafter: “Agreement”).

WHEREAS

  • The Customer wishes to use the Sana services;
  • Sana will, in the implementation of the Agreement, (possibly) process personal data within the meaning of Article 4 (1) of the General Data Protection Regulation (referred to below as: ‘GDPR’), on the instructions of the Customer;
  • Sana is hereby considered to be a processor within the meaning of Article 4 (8) of the GDPR;
  • The Customer is hereby considered to be a controller within the meaning of Article 4 (7) of the GDPR, if it designates the purposes and means for the processing;
  • Sana is willing to do so and is also willing to comply with the obligations concerning security and other aspects of the GDPR;
  • The Parties, partly with a view to the requirement in Article 28 (3) of the GDPR, wish to set out in writing their rights and obligations by means of this Data Processing Agreement (referred to below as: ‘Data Processing Agreement’);

Article 1. Purpose of processing

  1. Sana undertakes, subject to the conditions of this Data Processing Agreement, to process personal data as described in Appendix 1 on the instructions of the Customer. The personal data will only be processed within the context of the Agreement and for the purposes that are determined in mutual consultation.
  2. Sana will process the personal data solely for the purposes outlined in Appendix 1 and as instructed by the Customer. Any processing of personal data by Sana for its own purposes falls outside the scope of this Data Processing Agreement. The Customer must inform Sana of the purposes of the data processing if these are not already stated in this Data Processing Agreement.
  3. Sana has no control over the purposes of and means for the processing of personal data. Sana takes no decisions about the receipt and the use of the personal data, its provision to third parties or the duration of the storage of the personal data.

Article 2. Parties' Obligations

  1. With regard to the processing operations referred to in Article 1, both Parties shall ensure compliance with the conditions applying to the processing of personal data pursuant to the GDPR.
  2. The Customer guarantees that the content, the use and the instructions for the processing of the personal data as referred to in this Data Processing Agreement are not unlawful and do not infringe on any rights of third parties.
  3. The obligations of Sana that arise from this Data Processing Agreement shall also apply to those who process personal data under the authority and on the instructions of Sana.

Article 3. Engaging third parties or subcontractors

  1. The Customer authorizes Sana to use third parties in the processing of personal data, in compliance with applicable privacy legislation. This authorization applies to sub-processors both within and outside the EU.
  2. At the Customer’s request, Sana will inform the Customer as soon as possible about the third parties it has engaged. The Customer has the right to object to any third party, except for other Sana offices. If the Customer objects, the Parties will consult to find a suitable solution.
  3. Sana will remain liable for the activities of the sub-processor and ensures in any case that these third parties take on the same obligations in writing as agreed between the Customer and Sana.

Article 4. Security

  1. Sana shall take appropriate technical and organisational measures taking into account the risks concerning the processing operations of personal data to be carried out, against loss or any form of unlawful processing (such as unauthorised access, corruption, alteration or provision of the personal data).
  2. Sana has in any case taken the following measures:
  • logical access control, making use of strong passwords;
  • physical measures for access protection;
  • automatic logging of all actions involving personal data;
  • encrypted data transfers;
  • organisational measures for access protection;
  • protection of network connections through Transport Layer Security (TLS), the successor to Secure Sockets Layer (SSL); and
  • control of granted access rights.

Article 5. Obligation to report breaches

  1. In the event of a possible personal data breach as referred to in Article 4 (12) GDPR, Sana shall inform the Customer thereof as soon as reasonably possible and in any event no later than forty-eight (48) hours after it was detected, following which the Customer shall assess whether it will inform the supervisory authorities and/or the data subjects.
  2. The notice as referred to in Article 5.1 shall include at least the following:
    • a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
    • the details of a contact point where more information concerning the personal data breach can be obtained;
    • its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
  3. Upon the Customer’s reasonable request, Sana shall cooperate in informing the relevant authorities and any data subjects. The Customer shall be responsible for reporting to the relevant authorities and/or data subjects.

Article 6. Assistance to the controller

  1. In the event that a data subject addresses a request concerning one of its statutory rights, as referred to in the GDPR, to Sana, Sana shall forward this request to the Customer, and the Customer will subsequently deal with the request. Sana may notify the data subject of this.
  2. In the event that a data subject addresses a request as referred to in Article 6.1 to the Customer, Sana shall, if so requested by the Customer, cooperate in complying with that request.
  3. Sana shall upon request assist the Customer with performing data protection impact assessments if deemed necessary by the Customer. Such assistance shall be billed against the then current applicable rates of Sana.

Article 7. Audit

  1. The Customer is entitled to have audits conducted by an independent third party auditor bound to maintain confidentiality to check compliance with this Data Processing Agreement.
  2. This audit will only take place after the Customer has requested and assessed the audits conducted by Sana and has presented reasonable arguments that justify an audit initiated by the Customer. Such an audit is justified when the existing audit reports available at Sana give no or insufficient information about Sana's compliance with this Data Processing Agreement. The audit initiated by the Customer will take place once a year, after two weeks' prior written notice by the Customer.
  3. Sana will cooperate with the audit and will make available, as timely as possible and within a reasonable period of time, all information reasonably relevant to the audit, including supporting data such as system logs, as well as the relevant employees. A period of two weeks is deemed reasonable unless an urgent interest opposes this.
  4. The findings arising from the audit performed shall be assessed by the Parties in mutual consultation and, further thereto, be implemented or not be implemented by one of the Parties or both Parties jointly.
  5. The costs of the audit, including the time spent by Sana to assist with the audit, charged at its then current hourly rate, will be borne by the Customer.

Article 8. Duration and Termination

  1. This Data Processing Agreement has been entered into for the term stated in the Agreement between the Parties, in the absence of which it will at least apply for the duration of the collaboration.
  2. The Data Processing Agreement cannot be terminated prematurely.
  3. In the event of termination, dissolution or notice of termination of this Data Processing Agreement, for whatever reason and in whatever manner, Sana shall, on request and of its own accord, (i) provide to the Customer all personal data obtained from or on behalf of the Customer in a commonly available machine-readable format, (ii) immediately cease the processing of the personal data, (iii) provide to the Customer all documents in which the personal data are recorded, and (iv) permanently delete all personal data that is stored electronically from the data carrier or, insofar as permanent deletion from the data carrier is not possible, destroy the data carrier. On the first request of the Customer, Sana shall confirm in writing to the Customer that Sana has complied with all obligations pursuant to this Article.

Article 9. Limitation of Liability

  1. The limitation of liability clause as stipulated in the Agreement shall equally apply to the Data Processing Agreement.

Article 10. Other Provisions

  1. The Data Processing Agreement and its implementation are governed by Dutch law.
  2. Should the Customer entity with which Sana has entered into the Agreement be located in Switzerland or the UK, the references to the GDPR shall be interpreted as references to the equivalent provisions of the Swiss Data Protection Act or the UK GDPR respectively. The contract shall then be governed by Swiss or UK law and any disputes shall be submitted to the competent court in Zurich or London respectively.
  3. Any disputes that may arise between the Parties in connection with the Data Processing Agreement will be submitted to the competent court in the district where Sana is established.
  4. If one or more provisions of the Data Processing Agreement should prove to be unlawful, the other provisions of the Data Processing Agreement will remain in effect. The Parties will then consult with each other on any provisions that are legally invalid so as to agree on replacement provisions that are legally valid, the purport of which corresponds as closely as possible to the original provisions.
  5. The Parties will provide full cooperation to each other in amending the present Data Processing Agreement and adapting it to any new privacy legislation.

Appendix 1: Specification of personal data and data subjects


Purpose of Processing

The purpose of the processing is to fulfil the obligations of the Agreement and to enable the Customer to fully use the Software.


Personal data

In connection with the Agreement, SANA COMMERCE will process the following categories of Personal Data:

  • Personal and Account Data (e.g. name, address, email address, password, gender, title, birthdate, job title, education, personal interests, photo, etc.)
  • Order Data (e.g. Shipping Address, products, quantity, delivery preferences, payment preferences, etc.)
  • Application Process Data (e.g. questions in courses or forms, feedback, reviews)
  • Online Data (e.g. IP address, User ID, mobile device used, operating system, internet provider, date and time of logon and logoff)
  • Communication Data (e.g. Email address, private and business address, private and business phone numbers, Skype ID, social network IDs, email content)
  • Online Usage Data related to the Platform (e.g. cookie IDs, Digital Fingerprints, IP addresses, URL history, etc.)
  • Logging data


Data Subjects

Website visitors, customers (of the Customer)


Allowed third party data processors

Company                         Location
Microsoft                       US
Fastly                          US
Dynatrace                       US
Any Sana Commerce subsidiary    See https://www.sana-commerce.com/contact/