Data Processing Terms

Posted: July 5, 2023

Effective: July 5, 2023

You can see the previous agreement here.

These Data Processing Terms form part of the SaaS Subscription Agreement (“Agreement”) between Digify and you and apply when we process Personal Data on your behalf in the course of providing certain services provided by Digify (the “Services”). These Data Processing Terms do not apply where we are the Controller. Defined and/or capitalized terms not defined here have the meanings given to them in the Agreement. If not defined in the Agreement, capitalized terms have the meaning given to them, or an equivalent term, in applicable data protection, privacy or security laws (“Privacy Laws”). These Data Processing Terms take precedence over any other terms of the Agreement in relation to the Processing of Personal Data. For your convenience, you may sign these Data Processing Terms and return a copy to us at legal@digify.com.

  1. Parties. “Digify”, “we”, “us” or “our” means Digify Inc (if you are incorporated in the USA) or Digify Pte Ltd (if you are incorporated outside of the USA) who execute or assent to the Order Form. “You” or “your” means collectively the other entity(ies) executing or assenting to the Order Form. “Affiliate” means any entity that controls, is controlled by, or is under common control with, another entity. An entity “controls” another if it owns directly or indirectly a sufficient voting interest to elect a majority of the directors or managing authority or otherwise direct the affairs or management of the entity.
 
  2. Processing. With respect to the Processing of Personal Data, you act as a Controller, “business”, or Processor and Digify is a Processor or “service provider”. We will only Process Personal Data as permitted under the Agreement and applicable Privacy Laws. We will not “sell” Personal Data. You agree that the Agreement represents your complete instructions to us and any additional changes you require must be mutually agreed. We will inform you if we believe that any of your instructions violate law, unless prohibited on important grounds of public interest. Details regarding the Processing of Personal Data are specified in Annex 1. You are solely responsible for complying with Privacy Laws regarding the Processing of Personal Data (including obtaining consents) and warrant that you comply with the same. You shall indemnify us, our Affiliates, subcontractors, and licensors from all third-party claims or losses arising from the Processing of Personal Data in accordance with this Agreement.
 
  3. Subprocessors. You authorize us to use other Processors, including Digify affiliates and service providers, (“Subprocessors”) in any jurisdiction to Process Personal Data, so long as they are required to abide by terms substantially similar to these Data Processing Terms. We will be liable to you for the performance of our Subprocessor’s obligations under the Agreement. Our current Subprocessors are listed at: https://digify.com/subprocessors.html.

    You may object in writing to our appointment of a new Subprocessor including reasonable detail supporting your concerns within sixty days of receiving notice of a change or, if Customer has not subscribed to receive such notice, within sixty days of Company publishing the change. If you legitimately object to a Subprocessor on reasonable data protection grounds and we do not resolve the matter within one month following notification, we may terminate the Services impacted by the new Subprocessor, without penalty, upon written notice.

 
  4. Security. We will implement appropriate technical and organizational measures to protect Personal Data, as described in Annex 2 (“Security Measures”). We may update or modify the Security Measures, so long as the overall security level of the Services is maintained. You are solely responsible for determining whether the Security Measures meet your requirements. You agree that the level of security provided by the Security Measures is appropriate to the risk inherent in the Services. You are responsible for configuring the Services in a manner which enables you to comply with applicable Privacy Laws. We will ensure that only authorized personnel who are under written obligations of confidentiality or are under an appropriate statutory obligation of confidentiality may access Personal Data. The Services are not designed to Process Special Categories of Data, cardholder data subject to the Payment Card Industry Security Standard (“PCI DSS”), protected health information, children’s Personal Data, or other Personal Data inappropriate for the nature of the Services (collectively, “Prohibited Data”). You shall not submit Prohibited Data to us or to the Services, unless authorized to do so in writing by Digify.
 
  5. Security Incident. We will notify you without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration or unauthorized access, disclosure or use of Personal Data while processed by us (each a “Security Incident”) in relation to the Services under the Agreement. We will investigate the Security Incident and provide you with relevant information about the Security Incident as required under Privacy Laws. We will use reasonable efforts to assist you in mitigating, where possible, the adverse effects of any Security Incident.
 
  6. Compliance. On written request and subject to obligations of confidentiality, we will provide to you information reasonably necessary, including relevant certifications, to demonstrate our compliance with these Data Processing Terms. With respect to Subprocessors, we may fulfill our responsibilities under this Section 6 by providing you with audit reports or certifications provided by such Subprocessors.
 
  7. Data Transfers. You authorize us and our Subprocessors to transfer Personal Data to locations outside of its country of origin for the performance of the Agreement, provided that we implement appropriate transfer safeguards to comply with applicable Privacy Laws. If we transfer Personal Data from the European Economic Area (“EEA”), UK, Switzerland or from any other jurisdiction that restricts the cross-border transfer of Personal Data to locations outside that jurisdiction, you shall be bound by the standard contractual clauses approved by the European Commission in Commission Decision 2021/914 dated 4 June 2021, for transfers of personal data to countries not otherwise recognized as offering an adequate level of protection for personal data by the European Commission (as amended and updated from time to time) (“SCCs”) in the capacity of “data exporter”, and Digify in the capacity of “data importer” as those terms are defined therein. The SCCs will be deemed to have been signed by each Party and are hereby incorporated by reference into the Agreement in their entirety as if set out in full as an annex to this Agreement. The Parties acknowledge that the information required to be provided in the appendices to the SCCs is set out in Annex 1 below as a “Description of the Transfer” and “Security Measures” as a “Description of the Technical Organizational Measures” in Annex 2. Audits under Section 8.9 of the SCCs shall be carried out in accordance with the above Section 6. The SCCs will prevail over these Data Processing Terms or the Agreement, in the event of conflict.
 
  8. Cooperation. We will cooperate with you to respond to requests, complaints or inquiries from data subjects, supervisory authorities, or other third parties, conduct a privacy impact assessment and prior consultation with supervisory authorities, provided that you reimburse us for all reasonably incurred costs. If we receive a data subject request relating to Personal Data, we will provide it to you. We will not respond to the data subject request unless required by applicable law.
 
  9. Termination. Upon termination of the Agreement, we will return, delete or anonymize Personal Data except to the extent (i) we are required by applicable law to retain Personal Data or (ii) for compliance, audit or security purposes, in which case these Data Processing Terms will continue to apply to the retained Personal Data. Any certification of deletion will be provided to you only upon your written request.
  10. Signature. Upon execution of these Data Processing Terms, you represent that you are the authorized signatory for your organization.
 
Name:
Signature:
Date:
Title:
Company:

ANNEX 1

DESCRIPTION OF THE PROCESSING AND TRANSFER (MODULE 2: CONTROLLER TO PROCESSOR)

A. LIST OF THE PARTIES

Controller / Data Exporter

You and your Affiliates, as set forth in the Agreement.

Processor / Data Importer

For customers incorporated in the USA or Canada:

Name: Digify Inc

Address: 350 Townsend Street #746

San Francisco CA 94107

For customers incorporated outside of the USA or Canada:

Name: Digify Pte Ltd

Address: 2 Venture Drive #15-17

Singapore 608526

Contact: Legal

Email: legal@digify.com

B. DETAILS OF PROCESSING/TRANSFER

CATEGORIES OF DATA SUBJECTS

The Personal Data processed and transferred is determined and controlled by you in your sole discretion and may include, without limitation, the following categories of Data Subjects: users (e.g. customers) and end users of the Services; any other data subject as described in the Agreement.

CATEGORIES OF PERSONAL DATA

The Personal Data processed and transferred is determined and controlled by you in your sole discretion and may include, without limitation, the following categories of data: name, email address, country of residence, mobile phone number, username, password, IP addresses.

SPECIAL CATEGORIES OF DATA

The Services are not intended for the Processing of Special Categories of Data or Prohibited Data, and you shall not transfer such data, directly or indirectly, to us.

FREQUENCY

The Personal Data transfers under the Agreement will take place on a continuous basis.

NATURE OF THE PROCESSING

Digify and its Subprocessors are providing the Services or fulfilling contractual obligations to you, as described in the Agreement. These Services may include the processing of Personal Data by Digify and/or its Subprocessors.

PURPOSE OF PROCESSING / TRANSFER

Your Personal Data is processed and transferred for the following purposes: (i) providing the Services and facilitating communication with customers, employees and users; (ii) administration and management of channel partners, distributors and/or sales partners; (iii) identity management and security; (iv) managing product and service development, improving existing and developing new products and services, research and development; (v) research in any field including scientific and technical research; (vi) any other scope and purpose as described in the Agreement.

RETENTION

Your Personal Data will be retained in accordance with the Agreement unless applicable law requires storage of the Personal Data for a longer period.

TRANSFER TO SUBPROCESSORS

Digify may process and transfer Personal Data to Subprocessors in relation to the performance of the Agreement and in accordance with the following scope:

·     Subject Matter: The subject matter of the processing under the Agreement is the Personal Data.

·     Nature of the processing: Digify and its Subprocessors are providing services or fulfilling contractual obligations to you, as described in the Agreement. These services may include the processing of Personal Data by Digify and/or its Subprocessors.

·     Duration: The duration of the processing under the Agreement is determined by you and as set forth in the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

For the purposes of Clause 13 of the SCCs, the competent supervisory authority for the Customer shall be the supervisory authority applicable to the Customer in its EEA country of establishment or, where it is not established in the EEA, in the EEA country where its representative has been appointed pursuant to Article 27(1) of Regulation (EU) 2016/679.

D. GOVERNING LAW AND CHOICE OF FORUM

GOVERNING LAW

For the purposes of Clause 17 of the SCCs, the parties select the law of Ireland.

CHOICE OF FORUM

For the purposes of Clause 18 of the SCCs, the parties agree that the courts of Ireland will have jurisdiction.

E. OTHER

Where the SCCs identify optional provisions or provisions with multiple options the following will apply:

For Clause 7 (Docking Clause), the optional provision will apply.

For Clause 9(a), option 2 will apply. The parties will follow the process agreed in Section 3 (Subprocessors).

For Clause 11(a) (Redress), the optional provision will not apply.

For Clause 12 (Liability), the limitation of liability in the Terms of Service applies to these Data Processing Terms.

ANNEX 2

SECURITY MEASURES

This Annex 2 describes the Security Measures designed to protect and secure our Services when we process Personal Data under the Agreement. We may update or modify the Security Measures from time to time provided that such updates and modifications do not result in a material degradation of the overall security of the Services provided under the Agreement. Beta offerings may be subject to different practices.

CATEGORIES

PRACTICES

Risk Management

·    Digify maintains a documented risk management program that includes periodic risk assessment overseen by senior executive management and the security, legal, and audit functions.

·    Digify is ISO27001 certified.

Personnel Security

·    Digify personnel engaged in data processing are under a written obligation of confidentiality and may not collect, process or use Personal Data without authorization.

·    Digify conducts or obtains background checks, where allowed by local law and reasonable for job roles, which may include educational, employment, and identity verification.

·    Digify’s annual compliance training includes a requirement for employees to complete an online course and pass an assessment covering information security and data privacy.

·    Digify maintains an established set of procedures designed to ensure all staff promptly report actual and/or suspected security events.

·    Subprocessors with access to Digify networks are required to sign a non-disclosure agreement.

·    Digify performs due diligence and vetting procedures on third party vendors and contractors.

Data Handling

·    Digify uses commercially standard encryption management standards for encrypting data-at-rest and data-in-transit.

·    Multi-tenant applications hosted on cloud are segregated logically.

·    Digify maintains appropriate data security controls including: (i) identity and access management controls; (ii) periodic access reviews; (iii) role based access (least privilege); (iv) secure log-in with unique user-ID/password; (v) complex password requirements; (vi) inactivity timeout requiring re-authentication; and (vii) auditing and logging of access to production data.

Operations Security

·    Security monitoring solutions to detect and alert on suspicious activities.

·    Change management process for IT systems and applications.

·    Commercially reasonable efforts to apply security patches.

·    Encryption management standards for encrypting data-at-rest and data-in-transit.

Incident Management

·    Incident response procedures exist for security and data protection incidents, which include incident analysis, containment, response, remediation, reporting and the return to normal operations.

·    Digify implements logging and analysis of system usage.

Backup

·    Backups are performed on a periodic basis, encrypted, and remotely stored.

Business Continuity

·    Digify maintains a business continuity plan and disaster recovery plans to ensure a minimum level of continuity for the delivery of critical products and services during a significant interruption.

Network Security

·    Network perimeter security through intrusion detection and prevention systems, web firewalls, and vulnerability scanning.

·    Anti-malware and anti-virus mechanisms.

Third Parties

·    Digify uses Amazon Web Services for our cloud computing infrastructure and physical data center facilities for Services.

·    Digify relies on the physical and environmental controls of third-party cloud providers. All data centers are ISO27001, SOC 2 or equivalent compliant facilities.

·    Digify uses commercially reasonable efforts to ensure that third-party suppliers and licensors to the Services conform to substantially similar standards and levels of security as described in this Policy.