Last updated and effective as of Dec 20, 2022 (the “DPA Effective Date”).
This Data Processing Addendum (“DPA”), forms part of the SaaS Services Agreement (the “Agreement”) between Entromy, LLC (“Company”) and the entity that has engaged Company to provide the Services (“Customer”). Capitalized terms used and not otherwise defined herein shall have the meanings ascribed to them in the Agreement. Each of Company and Customer is referred to in this DPA individually as a "party", collectively the "parties". By entering into the Agreement, the parties are deemed to have signed all Exhibits, Attachments, Annexes, Schedules, and Appendices, including those incorporated by reference, to this DPA where applicable.
For the purposes of the Module 2 Controller to Processor Standard Contractual Clauses:
a) Clause 7. The parties agree that the optional language in Clause 7 is included.
b) Clause 9(a). The parties agree that under Option 2, Company has Customer’s general authorization to subcontract its processing activities to the list of subprocessors set out in Section (k)(i) . Company will inform Customer in writing of any intended changes to the list of subprocessors set out in Section (k)(i) at least 10 days’ prior to engaging with any other subprocessor.
c) Clause 11. The parties agree that the optional language in Clause 11 is excluded.
d) Clause 13. The parties agree that the brackets are removed in the provisions in Clause 13(a) such that the appropriate provision will apply as applicable.
e) Clause 17. The Module 2 Controller to Processor Standard Contractual Clauses shall be governed by the laws of Ireland.
f) Clause 18. The parties agree that any dispute arising from the Module 2 Controller to Processor Standard Contractual Clauses shall be resolved by the courts of Ireland.
g)____Annex I.A.
(i.) The name and address of Company (which is the data importer) and Customer (which is the data exporter), and the name and contact details of their respective contact persons are as set forth on the signature page to the Agreement.
(ii.) The activities relevant to the data transferred are the provision of the Services by data importer to data exporter as further described in the Agreement.
(iii.) The signature and date are the signature and date set forth on the signature page to the Agreement.
(iv.) The roles of the parties are as follows: Customer is a controller and Company is a processor.
(h)____Annex I.B.
(i.) The categories of data subjects whose personal data is transferred are Customer’s employees.
(ii.) The categories of personal data transferred are determined by Customer in its sole discretion and may include, but are not limited to: name, business email, business phone, job title, gender, and any other personal data provided as part of the survey responses submitted through the Services.
(iii.) The categories of sensitive personal data are, to the extent applicable, any sensitive data that Customer in its sole discretion requests that Customer’s employees submit through the Services and any other sensitive personal data provided as part of the survey responses submitted through the Services.
(iv.) The frequency of the transfer shall be on a continuous basis.
(v.) The nature of processing is such that the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement.
(vi.) The purpose of the data transfer and further processing is the provision of the Services by the data importer to the data exporter.
(vii.) The duration of the processing under these Module 2 Controller to Processor Standard Contractual Clauses shall continue as long as data importer carries out personal data processing operations on behalf of data exporter or until the termination of the Agreement (and all personal data has been returned or deleted in accordance with the Module 2 Controller to Processor Standard Contractual Clauses).
(viii.) For transfers to subprocessors, personal data will be transferred to subprocessors in order for the data importer to provide the Services to the data exporter. The nature of the processing by such subprocessors will be as follows: the personal data will be subject to basic processing, which may include without limitation collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction for the purpose of providing the Services to the data exporter in accordance with the terms of the Agreement. The duration of the processing by such subprocessors shall continue as long as such subprocessors carry out personal data processing operations on behalf of the data importer.
(i)____Annex I.C.
(i.) The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
(j)____Annex II.
(i.) The data importer shall implement the technical and organizational measures as further described in Exhibit D to the Agreement.
(k)____Annex III.
(i) Section (k)(i) of Exhibit A is incorporated herein by reference.
For the purposes of the UK DTA:
(a) For the purposes of Table 1 of the UK DTA:
i. The start date shall be the later of: (i) the DPA Effective Date or (ii) the date the Agreement is entered into by the parties, and
ii. The names of the parties, their roles and their details shall be, as applicable, as set out in Exhibit A Section (f) and Exhibit B Section (f), respectively;
(b) For the purposes of Tables 2 and 3 of the UK DTA, the Module 2 Controller to Processor Standard Contractual Clauses and the Module 3 Processor to Processor Standard Contractual Clauses, including, as applicable, the information set out in Exhibit A Sections (g) and (i) and (k)(i) and Exhibit B Sections (g) and (i) and (k)(i), respectively, shall apply; and
(c) For the purposes of Table 4 of the UK DTA, either party may end the UK DTA.