Data Processing Agreement with Standard Contractual Clauses

Last updated: January 2023

This Data Protection Agreement with Standard Contractual Clauses (“DPA”) forms part of the Amberflo.IO Order Form, the Amberflo Platform Agreement, or other written or electronic agreement that expressly references this DPA ("Agreement") between Amberflo.io, Inc. (“Amberflo”) and You for the purchase of usage-based billing and metering (“Services”). For the purposes of this DPA, the term "You" shall include You and Your Affiliates if Amberflo processes the Personal Data of Your Affiliates. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement.

1. Definitions.

"Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity where “control” means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

"Authorized Affiliate" means any of Your Affiliate(s) that is permitted to use the Services pursuant to the Agreement between You and Amberflo but has not signed its own Order Form with Amberflo.

CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et. seq. and its implementing regulations.

CCPA” means California Consumer Privacy Act of 2018, Cal. Civ. Code § 1798.100, et. seq. and its implementing regulations.

"Controller" means the entity which determines the purposes and means of the processing of Personal Data.

Data Privacy Laws” means any law or regulation concerning information privacy or security applicable to Amberflo’s Processing of the Personal Information to provide Services under the Agreement, including to the extent applicable to the Processing, (i) EU GDPR, (ii) UK GDPR, (iii) the Swiss Federal Act on Data Protection (“FADP”), and (iv) CCPA.

Data Privacy Laws” means any law or regulation concerning information privacy or security applicable to Amberflo’s Processing of the Personal Information to provide Services under the Agreement, including to the extent applicable to the Processing, (i) EU GDPR, (ii) UK GDPR, (iii) the Swiss Federal Act on Data Protection (“FADP”), and (iv) CCPA.

Data Subject Request” means a request from a data subject to exercise the data subject's right under applicable Data Privacy Laws, including, as applicable, rights to data rectification, data portability, access data, data erasure (“the right to be forgotten”), not to be subject to automated decision making, not to have Personal Data sold, to request for information, not to be discriminated against for exercising rights, restriction or objection to processing, and the applicable rights under CCPA §§ 1798.100(d), 1798.105, 1798.110, 1798.120, 1798.130(a)(2), 1798.140(y), 1798.145(g) and GDPR Art. 12-23.

GDPR” means the General Data Protection Regulation, (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.

IDTA” means the then-current International Data Transfer Addendum to the EU Commission Standard Contractual Clauses that was issued by the UK ICO, a current version found at https://ico.org.uk/media/for-organisations/documents/4019538/international-data-transfer-agreement.pdf

Personal Data” means (i) any information relating to an identified or identifiable natural person where an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier or (ii) is defined as “Personal Information” or “Personal Data” by applicable Data Privacy Laws (e.g., CCPA § 1798.140(o) or GDPR Art. 4).

"process" and its cognates mean any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

"Processor" means the entity which processes Personal Data on behalf of the Controller, including, as applicable, any "service provider" as that term is defined by the CCPA.

Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs") and (ii) where the UK GDPR applies, the EU SCCs as amended by the IDTA (“UK SCCs”).

Subprocessor” means any Processor engaged by Amberflo to process Your Personal Data.

Supervisory Authority” means an independent public authority which is (i) established by a European Union member state pursuant to Article 51 of the GDPR; or (ii) the public authority governing data protection, which has authority and jurisdiction over You.

UK ICO” means the United Kingdom Information Commissioners Office.

UK GDPR” means the United Kingdom Data Protection Act of 2018 and the United Kingdom General Data Protect Act and any successor legislation thereto.

You” or “Your” means you, the customer, as defined in the Order Form or Agreement entered into by the parties.

2. Processing of Data.

This DPA applies to all Personal Data that Amberflo processes pursuant to the Agreement. Amberflo will only process Your Personal Data (i) in compliance with Your instructions, (ii) for the purposes expressly set forth in the Agreement and this DPA, including providing, supporting and improving the Services, and (iii) in compliance with Data Privacy Laws. Amberflo will not use or process Your Personal Data for any other purpose. Amberflo will promptly inform You in writing if it cannot comply with the requirements of this DPA, in which case You may terminate the Agreement or take any other reasonable action, including suspending data processing operations. Amberflo will not disclose Your Personal Data to any third party Except for Subprocessors authorized under this DPA and Amberflo personnel. Amberflo will not attempt to re-identify any pseudonymized, anonymized, aggregate, or de-identified Personal Data without Your express written permission. Except as is necessary to perform the Services, Amberflo will not attempt to link, identify, or otherwise create a relationship between Personal Data and non-Personal Data or any other data without Your express authorization . Amberflo will comply with any applicable restrictions under Data Privacy Laws on combining the Personal Data with personal data that Amberflo receives from, or on behalf of, another person or persons, or that Amberflo collects from any interaction between it and any individual. Amberflo will provide the same level of protection for the Personal Data as is required under Data Privacy Laws applicable to You. Amberflo will not otherwise engage in any processing of the Personal Data that is prohibited or not permitted by “processors” or “service providers” under Data Privacy Laws. Amberflo certifies that it understands and will comply with its obligations under this DPA.

3. Compliance with Law; Duty to Inform.

Amberflo and You will comply with all applicable Data Privacy Laws. Amberflo will promptly inform You if (a) it can no longer meet its obligations under Data Privacy Laws; (b) it has breached this DPA and shall cooperate to remediate such breach; or (3), in its opinion, a processing instruction from You violates Data Privacy Laws. You retain the right, upon notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Data, including any use of Personal Data not expressly authorized in this DPA. You agree that You have obtained all necessary rights for Amberflo to process the Personal Data in accordance with the terms of the Agreement.

4. CCPA and CPRA.

Amberflo will not “sell” any “personal information” (as those terms are defined in the CCPA) or “share” such information for purposes of “cross-context behavioral advertising” (as those terms are defined in the California Privacy Rights Act or “CPRA”)).

5. Roles of the Parties.

The parties agree that with respect to processing Personal Data that You are the Controller and Amberflo is the Processor.

6. Confidentiality.

All Amberflo personnel and any Subprocessors are required to comply with the confidentiality obligations related to Your Personal Data, including after the end of their respective employment, contract or assignment.

7. Standard Contractual Clauses.

To the extent any Personal Data of European Economic Area (“EEA”) or United Kingdom (“UK”), or Swiss data subjects is processed, the Standard Contractual Clauses (“SCC”) as modified below shall apply. For the avoidance of doubt, with respect to transfers of EEA, UK and Swiss Personal Data for processing by Amberflo in a jurisdiction other than a European Union (“EU”) member state, Amberflo agrees to comply with applicable Data Privacy Laws in connection with that cross-border transfer of data (e.g., Art. 46 of the GDPR).

A. Amberflo will not engage in any cross-border Processing of Personal Data, or transmit, directly or indirectly, any Personal Data to any country outside of the country from which such Personal Data was collected, without complying with applicable Data Protection Laws. Where Amberflo engages in an onward transfer of Personal Data, Amberflo shall ensure that a lawful data transfer mechanism is in place prior to transferring Personal Data from one country to another.

B. To the extent legally required, by entering into this DPA, You and Amberflo are deemed to have signed the EU SCCs, which form part of this DPA and (except as described in Section 7(c) and (d) below) will be deemed completed as follows:

  1. Module 2 of the EU SCCs applies to transfers of Personal Data from You (as a controller) to Amberflo (as a processor);
  2. Clause 7 (the optional docking clause) is included;
  3. Under Clause 9 (Use of sub-processors), the Parties select Option 2 (General written authorization). The initial list of Subprocessors is set forth in Schedule B of this DPA and Amberflo shall update that list and provide a notice to You in advance of any intended additions or replacements of Subprocessors as provided in Section 6.
  4. Under Clause 11 (Redress), the optional language requiring that Data Subjects be permitted to lodge a complaint with an independent dispute resolution body shall not be deemed to be included;
  5. Under Clause 17 (Governing law), the Parties choose Option 1 (the law of an EU Member State that allows for third-Party beneficiary rights). The Parties select the laws of Ireland;
  6. Under Clause 18 (Choice of forum and jurisdiction), the Parties select the courts of Ireland;
  7. Annex I(A) and I(B) (List of Parties) is completed as set forth in Schedule A of this DPA;
  8. Under Annex I(C) (Competent supervisory authority), the Parties shall follow the rules for identifying such authority under Clause 13 and, to the extent legally permissible, select the Irish Data Protection Commission.
  9. Annex II (Technical and organizational measures) is completed with Schedule A of this DPA; and
  10. Annex III (List of Subprocessors) is not applicable as the Parties have chosen General Authorization under Clause 9, however a list of Amberflo’s Subprocessors is available in Schedule B.

C. With respect to Personal Data transferred from the United Kingdom for which United Kingdom law (and not the law in any European Economic Area jurisdiction or Switzerland) governs the international nature of the transfer, the UK SCCs form part of this DPA and takes precedence over the rest of this DPA as set forth in the UK SCCs. Undefined capitalized terms used in this provision shall mean the definitions in the UK SCCs. For purposes of the UK SCCs, they shall be deemed completed as follows:

  1. Table 1 of the UK SCCs:
  2. The Parties’ details shall be the Parties and their affiliates to the extent any of them is involved in such transfer.
  3. The Key Contacts shall be the contacts set forth in Schedule A.
  4. Table 2 of the UK SCCs: The Approved EU SCCs referenced in Table 2 shall be the EU SCCs as executed by the Parties.
  5. Table 3 of the UK SCCs: Annex 1A, 1B, II, and III shall be set forth in Schedules A and B below.
  6. Table 4 of the UK SCCs: Either Party may end this DPA as set out in Section 19 of the UK SCCs.
  7. By entering into this DPA, the Parties are deemed to be signing the UK SCCs.

D. For transfers of Personal Data that are subject to the FADP, the EU SCCs form part of this DPA as set forth in this Section 7(b), but with the following differences to the extent required by the FADP (as modified the “Swiss SCC”): (1) references to the GDPR in the EU SCCs are to be understood as references to the FADP insofar as the data transfers are subject exclusively to the FADP and not to the GDPR; (2) references to personal data in the EU SCCs also refer to data about identifiable legal entities until the entry into force of revisions to the FADP that eliminate this broader scope; (3) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (4) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the FADP and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the FADP and GDPR apply, respectively).

E. Additional Safeguards for the Transfer and Processing of Personal Data from the EEA, Switzerland, and the United Kingdom.  To the extent that Amberflo Processes Personal Data of Data Subjects located in or subject to the applicable Data Protection Laws of the EEA, Switzerland, or the United Kingdom, Amberflo agrees to the following safeguards to protect such data to an equivalent level as applicable Data Protection Laws:

  1. Amberflo and You shall encrypt all transfers of the Personal Data between them, and Amberflo shall encrypt any onward transfers it makes of such Personal Data, to prevent the acquisition of such data by third parties.
  2. Amberflo will use all reasonably available legal mechanisms to challenge any demands for Personal Data access through national security process it receives as well as any non-disclosure provisions attached thereto.
  3. Amberflo will promptly notify You of any government demands for Your Personal Data, unless prohibited under applicable law. To the extent Amberflo is prohibited by law from providing such notification, Amberflo shall: (i) review each request on a case-by-case basis; (ii) use best efforts to request that the confidentiality requirement be waived to enable Amberflo to notify You and/or the appropriate Supervisory Authority competent for You; and (iii) maintain evidence of any such attempt to have a confidentiality requirement waived.
  4. Upon Your request, Amberflo shall provide a transparency report indicating the types of binding legal demands for the Personal Data it has received, if any, including national security orders and directives.
  5. Amberflo will promptly notify You if Amberflo can no longer comply with the applicable clauses in this Section. Amberflo shall not be required to provide You with specific information about why it can no longer comply, if providing such information is prohibited by applicable law. Such notice shall entitle You to terminate the Agreement (or, at Your option, affected statements of work, order forms, and like documents thereunder) and receive a prompt pro-rata refund of any prepaid amounts thereunder. This is without prejudice to Your other rights and remedies with respect to a breach of the Agreement.

8. Data Subject Requests.

Amberflo will, to the extent legally permitted, promptly notify You if Amberflo receives a Data Subject Request relating to a data subject’s Personal Data that is being processed for You and assist You through appropriate technical and organizational measures for the fullfilment of Your obligation to respond to third party requests.

9. Notice of Investigation, Complaint or Subpoena.

Amberflo will promptly inform You if it (a) receives any notice or inquiry from a Supervisory Authority relating to the processing of Your Personal Data, (b) any complaint by a data subject regarding the processing of Your Personal Data, and (c) any legally binding request for disclosure of Your Personal Data by a law enforcement authority unless Amberflo is prohibited by applicable law to inform You.

10. Cooperation.

On request, Amberflo will provide You with a summary of its security and privacy policies. On request, Amberflo will cooperate with the Supervisory Authority and promptly provide You with all information in Amberflo’s possession or control in relation to the processing of the Personal Data under this DPA.

11. Data Breach.

Amberflo will notify You within forty-eight (48) hours after discovery of any unauthorized disclosure of or access to Your Personal Data while in the possession or control of Amberflo or its Subprocessors (“Security Incident”). Amberflo will promptly provide You with relevant information in its possession or control in relation to the Security Incident, including a description of the nature of the Security Incident; the categories and approximate number of data subjects concerned and the records of Personal Data affected; the name and contact details of Amberflo’s point of contact from whom further information can be obtained; a description of the expected consequences of the Security Incident and the measures taken or proposed to be taken by Amberflo to address the Security Incident; and with all reasonable assistance and cooperation as is necessary in order for You to seek to mitigate the effects of the Security Incident and comply with its own obligations under the Data Privacy Laws with respect to the Security Incident. Except as may be required by applicable law, Amberflo will not make any public announcement or notify any data subject about the Security Incident unless expressly authorized by You.

12. Subprocessors.

Amberflo may engage third-party Subprocessors in connection with the provision of the Services provided that, before the Subprocessor first Processes Personal Data, Amberflo: (a) enters into a written agreement with the Subprocessor on terms at least as protective as those set out in this DPA, and (b) carries out adequate due diligence to ensure the Subprocessor is capable of providing at least the same level of protection for Personal Data required by this DPA. Amberflo shall provide You with a current list of the Subprocessors that Amberflo has engaged in connection with the provision of Services at https://www.Amberflo.io/legal/subprocessors. Amberflo shall remain fully liable to You for the performance of its obligations under this DPA even where a Subprocessor carries out the Services or any part of the Services on Amberflo’s behalf.

You grant Amberflo general written authorization to engage Processors in connection with the provision of the Services. Amberflo shall provide to You written notice of any change to the list of Subprocessors at least thirty (30) days prior to the date the change takes effect. If You reasonably object to the use of a new Subprocessor within thirty days of the notice date, then the parties shall use good faith and best efforts to find a reasonable replacement in a mutually agreeable manner.

13. DPIA and Consultations.

Upon request, Amberflo will provide You with assistance in the preparation of data protection impact assessments and, where necessary, carrying out consultations with any Supervisory Authority.

14. Audits.

A. Supervisory Authority Audit. If a Supervisory Authority requires an audit of the data processing facilities from which Amberflo processes Your Personal Data in order to ascertain or monitor Your compliance with Data Privacy Laws, Amberflo will cooperate with such audit. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Amberflo expends for any such audit, in addition to the rates for services performed by Amberflo.

B. Your Audits. On request, Amberflo will provide to You each year an opinion or Service Organization Control report provided by an accredited, third-party audit firm under the Statement on Standards for Attestation Engagements (SSAE) No. 18 (“SSAE 18”) (Reporting on Controls at a Service Organization) or the International Standard on Assurance Engagements (ISAE) 3402 (“ISAE 3402”) (Assurance Reports on Controls at a Service Organization) standards applicable to the services under the Agreement (each such report, a “Report”). If a Report does not provide, in Your reasonable judgment, sufficient information to confirm Amberflo’s compliance with the terms of this DPA, then You or an accredited third-party audit firm agreed to by both You and Amberflo may audit Amberflo’s compliance with the terms of this DPA during regular business hours, with reasonable advance notice to Amberflo and subject to reasonable confidentiality procedures. You are responsible for all costs and fees related to such audit, including all reasonable costs and fees for any and all time Amberflo expends for any such audit, in addition to the rates for services performed by Amberflo. Before the commencement of any such audit, You and Amberflo shall mutually agree upon the scope, timing, and duration of the audit. You shall promptly notify Amberflo with information regarding any non-compliance discovered during the course of an audit. Except to the extent required by applicable law, You may not audit Amberflo more than once annually unless there is a Security Incident.

15. Data Destruction.

Amberflo will destroy all Personal Data within sixty (60) days following either the expiration/termination of this Agreement or receipt of a destruction request from You and shall cause its Subprocessors to do the same unless Data Privacy Laws prevent Amberflo from destroying all or part of Your Personal Data disclosed. For clarity, Amberflo may continue to process Personal Data that has been de-identified and/or aggregated in a manner that does not identify individuals to improve Amberflo’s systems and services and data without identifying You as the source of the data. Amberflo will return and/or destroy Customer Data as provided in the Agreement.

16. Technical and Organizational Safeguards.

Amberflo will implement appropriate technical and organizational safeguards designed to protect Personal Data (i) from unauthorized or unlawful processing, (ii) against accidental or unlawful disclosure, alteration or loss, and/or (iii) unauthorized disclosure or access, including as applicable Art. 32 of the GDPR. Amberflo will comply with strict internal controls in line with industry best practices, such as SOC2 guidelines. Amberflo will implement security controls in the form of mandatory policies and procedures for all Amberflo’s employees who have access to Your Personal Data to follow. These policies and procedures cover: (1) measures, standards, norms, procedures, and rules to address the appropriate level of security, (2) the meaning and importance of Personal Data and the need to keep it secure, confidential, and accessed only on a need to know basis, (3) staff functions, obligations and access rights, (4) procedures for reporting, managing and responding to security incidents and (5) procedures for making backup copies and recovering Personal Data.

17. Miscellaneous.

Neither party will assign the DPA in whole or in part without the other party’s prior written consent (which consent will not be unreasonably denied, delayed or conditioned), except to an Affiliate or a successor that is made in connection with a merger or sale of all or substantially all of a party’s assets or stock. Any attempted assignment in violation of this restriction is void. The DPA shall bind and inure to the benefit of the parties, their respective successors and permitted assigns. If a conflict exists between any of the terms in the DPA and the Agreement, then this DPA will govern. The EU SCC, UK SCC and the Swiss SCC will control if there is a conflict between (i) the EU SCC, UK SCC or the Swiss SCC and (ii) the Agreement, the DPA or the Order Form. The parties may amend the DPA only in a written amendment signed by both parties. This DPA can be executed electronically and in counterparts, each of which is deemed to be an original and together comprise a single document. Each party represents and warrants that the individual binding a party under this DPA is authorized to do so.

SCHEDULE A: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

ANNEX I

A. LIST OF PARTIES

Data exporter(s):

The exporter (Controller) is You and Your contact details and signature are as provided in the Agreement.

Data importer(s):

The importer (Processor) is Amberflo and Amberflo’s contact details and signature are as provided in the Agreement.

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

  1. Your personnel that use Amberflo’s SaaS solution: Your personnel that access Amberflo’s SaaS-based Services
  2. Your End Customers: For any of Your end customer that You use Amberflo’s Services for usage-based metering and billing, an identifiable or identified natural person, as well as applicable under Switzerland’s FADP identifiable legal entities, that You decide to use in connection with the Services.

Categories of personal data transferred:

  1. For Your personnel that use Amberflo’s SaaS solution: With respect to Your personnel that access Amberflo’s SaaS-based Services, Amberflo may process name, email address, IP Address and/or other login credentials used to access the Service.
  2. For Your End Customers: Amberflo’s solution provides You with the ability to provide its end customers with usage based pricing by metering usage of Your solution(s). Amberflo will process an (i) Your end customer account name or other end customer account identifier(s) selected by You and (ii) any other end customer account details You decide to input into Amberflo’s Platform all which You can decide to anonymize. This data will be linked with the usage based data You collect and create through its Service.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

You agree not to provide this data to Amberflo.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Amberflo shall process Personal Data in order to provide the Services on a continuous basis pursuant to the terms of the Agreement.

Nature of the processing:

Amberflo shall process Personal Data to provide the Services pursuant to the terms of the Agreement.

Purpose(s) of the data transfer and further processing:

The transfer is made for the purpose of providing Services to You pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Amberflo shall process Personal Data in its provision of Services for a term outlined in the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

The subject matter, nature and duration of the processing of Personal Data by Amberflo’s Subprocessors is the same as for Amberflo, as outlined above.

C. In Annex 1.C of the EU SCC: The competent supervisory authority shall be the supervisory authority applicable to You in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.

ANNEX II

Data Importer will at a minimum institute the technical and organizational measures to ensure a level of security appropriate with the risk, as is required in Art. 32 of the GDPR. Data Importer will comply with strict internal controls in line with industry best practices, such as SOC2 guidelines and ISO 27001 guidelines. Data Importer will implement security controls in the form of mandatory policies and procedures for all Data Importer employees who have access to Data Exporter's data to follow. Data Importer will have, where appropriate measures of pseudonymization and encryption of Personal Data; Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services; Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing; Measures for user identification and authorization; Measures for the protection of data during transmission; Measures for the protection of data during storage; Measures for ensuring physical security of locations at which Personal Data are processed; Measures for ensuring events logging; Measures for ensuring system configuration, including default configuration; Measures for internal IT and IT security governance and management; Measures for certification/assurance of processes and products; Measures for ensuring data minimization; Measures for ensuring data quality; Measures for ensuring limited data retention; Measures for ensuring accountability and measures for ensuring erasure.

Schedule B

List of Subprocessors

https://www.Amberflo.io/legal/subprocessors