Data Processing Addendum

Updated 1 September 2023

This Dataweavers Data Processing Addendum ("DPA"), forms part of the Dataweavers Managed Services Agreement (“Agreement”) between Dataweavers Pty Ltd (“Dataweavers”) and Customer ("Customer"), together referred to as the Parties (“Parties”), and applies where Dataweavers will process Customer Data when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Upon Dataweavers’ receipt of a validly completed DPA by Customer, this DPA will become effective and is legally binding.

1. Definitions

Affiliate means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.

Agreement means the written or electronic agreement between Customer and Dataweavers for the provision of the Services to Customer.

CCPA means the California Consumer Privacy Act, Cal. Civ. Code §1798.100 et seq., and its implementing regulations.

Control means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term "Controlled" will be construed accordingly.

Customer Data means data owned or supplied by the Customer and stored on the systems of Dataweavers or a Hosting Service as a result of the Customer’s usage of the Product, including Personal Data, that Dataweavers processes on behalf of Customer through Customer’s use of the Managed Services.

Data Processing Addendum means the data processing addendum made available on Dataweavers website at https://www.dataweavers.com/legal/dpa, as amended from time to time.

Data Processing Consent Form means the Data Processing Consent Form containing the relevant information required for completion of Annexes I to III of the SCCs in ANNEX D: Data Processing Consent Form as updated or notified to you by us in writing from time to time.

Data Subject or Data Subjects means an identified or identifiable natural person who can be identified directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data or an online identifier or to one or more factors specific to his or her physical, physiological, mental, economic, cultural or social identity. A legal person may qualify as a Data Subject under the Data Protection Laws of specific jurisdictions. This includes, to the extent applicable, any analogous variations of such terminology, such as “Consumer” as may relevant under US state laws.

Data Protection Laws means all data protection and privacy laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the laws of the European Union, the EEA and their member states, Switzerland, Australia and the United Kingdom that apply to the Processing of Personal Data, including but not limited to any applicable privacy and information security laws and regulations such as:

1. the EU General Data Protection Regulation 2016/679 ("GDPR"), the Data Protection Directive (95/46/EC), the GDPR, the ePrivacy Directive (2002/58/EC) and any national derogations, supplemental or implementing regulations, authorizations or otherwise which are intended to supplement the GDPR;
2. the Data Protection Act 2018 (UK) (incorporating the UK General Data Protection Regulation as defined in the Data Protection Act 2018 (UK) (“UK GDPR”) and the Privacy and Electronic Communications (EC Directive) Regulations 2003, and the laws implementing or supplementing them;
3. the Australian Privacy Act 1988 (Cth) including the Australian Privacy Principles;
4. the CCPA; or
5. any other applicable law pertaining to privacy or data protection.

EEA means the European Economic Area.

Personal Data means any Customer Data relating to an identified or an identifiable natural person or as otherwise defined under Data Protection Laws. For the sake of clarity, this includes “Personal Information” or analogous variations of such terminology within the meaning of applicable US state laws, to the extent that these may be applicable and “Personal Information” as defined in the Australian Privacy Act 1988 (Cth).

Security Incident means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data transmitted, stored or otherwise Processed.

Service Provider has the meaning set forth in Section 1798.140(v) of the CCPA.

Services as used in this DPA means the “Managed Services” as defined in the Agreement.

Standard Contractual Clauses or SCCs means:

1. In the case of Personal Data exported from the EEA:

1. 1. Where Dataweavers acts as Controller, the contractual clauses located at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, which for avoidance of doubt shall include all Module Two clauses included therein; and
   2. Where Dataweavers acts as Processor, the contractual clauses located at https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN, which for avoidance of doubt shall include all Module Three clauses included therein, in each case, as may be amended supplemented or replaced by the European Commission from time to time, and incorporating as Annexes the information contained in the applicable Data Processing Consent Form for such transfer.
2. In the case of Personal Data exported from the United Kingdom, the contractual clauses set forth in paragraph (a)(i) above, as supplemented and amended by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (“IDTA”) located at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf.

Table 1 to the IDTA shall be deemed to include the information at the beginning of this Agreement. Table 2 to the IDTA shall refer to the contractual clauses set forth in clause 14.1(n)(i)(A) above. Table 3 to the IDTA shall refer to the information contained in the applicable Data Processing Consent Form for such transfer that forms part of this Agreement. For purposes of Table 4 to the IDTA, the parties agree that Exporter may end this DPA as set out in Section 19 of the IDTA;
and any amendment or replacement of these terms (as applicable) published from time to time;

Subprocessor means any Data Processor or Service Provider engaged by Dataweavers or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Subprocessors may include third parties or Affiliates of Dataweavers.

Controller, Processor, Processing, process, processes and Processed have the meanings given by applicable Data Protection Laws.

2. Scope of this DPA

2.1     Scope

This DPA applies where Dataweavers processes Customer Data, including Personal Data, on behalf of Customer in the course of providing Services to the Customer pursuant to the Agreement

2.2     Application to Australia

For clarity, references to provisions or concepts of the GDPR in this DPA will be deemed to be references to equivalent or corresponding provisions of, and concepts under, the applicable Data Protection Laws. For example, in respect of Australia:

1. references to ‘personal data’ will be deemed to be references to ‘personal information’ as defined in the Australian Privacy Act 1988 (Cth); and
2. where the concepts such as ‘processing’, ‘processor’ and ‘controller’ are used but do not have application under the applicable Data Protection Laws, the Parties' obligations will be interpreted to align as closely as possible with the scope of those roles under the GDPR while still complying fully with the applicable Data Protection Laws.

3. Roles and Scope of Processing

3.1     Role of the Parties

As between Dataweavers and Customer, Customer is the Data Controller of Customer Data and Dataweavers shall process Customer Data only as a Data Processor acting on behalf of Customer.

3.2     Customer’s obligations

Customer shall have the sole and exclusive authority to determine the purposes and means of Processing Customer Data transferred or otherwise disclosed to Dataweavers. As between the Parties, the Customer shall have the sole responsibility for the accuracy, quality and legality of Personal Data as required by applicable Data Protection Laws and the means by which the Customer acquired Personal Data, including the provision of proper notice and obtaining consents where appropriate for Dataweavers’ Processing.

3.3     Dataweavers Processing of Customer Data

1. Treated as Confidential Information:Dataweavers will treat Customer Data as Confidential Information pursuant to the terms of the Agreement.
2. Processing to follow Customer instructions: Dataweavers shall process Customer Data only for the purpose of providing the Services and in accordance with Customer’s documented lawful instructions, as set forth in the Agreement and this DPA. The categories of Personal Data, categories of Data Subjects and the purposes of the Processing are as set out in ANNEX C: Data Processing The Parties agree that the Customer’s complete and final instructions with regard to the nature and purposes of the Processing are set out in this DPA unless (or except as) required under applicable laws. Processing outside the scope of these instructions (if any) will require prior written agreement between Customer and Dataweavers with additional instructions for Processing.
3. Dataweavers does not sell Personal Data: Dataweavers shall not:
   1. sell or rent Customer Personal Data;
   2. retain, use, or disclose the Personal Data for any purpose (commercial or otherwise) other than for the specific purpose of performing the Services under the Agreement, and as instructed by Customer, pursuant to Section 3.3 (b) above, or
   3. retain, use or disclose Customer Data outside of the direct business relationship between Dataweavers and Customer except to the extent as may be required by applicable laws.
4. Security Measures and adequate safeguards: Dataweavers represents that it has implemented adequate technical and organizational measures necessary to secure Customer Data, including, as appropriate, the measures referred to by Data Protection Laws, in accordance with ANNEX A: Technical and organizational security measures.

3.4    Details of Data Processing

1. Subject matter: The subject matter of the Processing under this DPA is Customer Data, as detailed in ANNEX C: Data Processing.
2. Duration: As between Dataweavers and Customer, the duration of the Processing under this DPA is the term of the Agreement or as otherwise agreed upon by the Parties.
3. Purpose: The purpose of the Processing under this DPA is the provision of the Services to the Customer and the performance of Dataweavers’ obligations under the Agreement and this DPA (or as otherwise agreed by the Parties) and more fully described in ANNEX C: Data Processing.

4. Subprocessing
4.1    Authorized Subprocessors 

Customer agrees that in order to provide the Services, Dataweavers may engage Subprocessors to process Customer Data. A list of Dataweavers’ current authorized Subprocessors is found in ANNEX B: Subprocessors.

4.2    Subprocessor Obligations 

Where Dataweavers authorizes any Subprocessor as described in Section 4.1:

1. Restricted to a need-to-know: Dataweavers will restrict the Subprocessors access to Customer Data only to what is necessary to assist Dataweavers in providing or maintaining the Services, and will prohibit the Subprocessor from accessing Customer Data for any other purpose;
2. Dataweavers due diligence: Before any Subprocessor first processes Customer Data, Dataweavers shall carry out adequate due diligence to ensure that the Subprocessor is capable of providing the same level of protection for Customer Data required by the Agreement and this DPA.
3. Entry into written agreements: Dataweavers will enter into a written agreement with the Subprocessor imposing data protection terms that require the Subprocessor to protect the Customer Data to the standard required by Data Protection Laws;
4. Liability for Subprocessors: Dataweavers will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Dataweavers to breach any of its obligations under this DPA; and
5. Objection Right for new Subprocessors: If Customer has a reasonable basis relating to privacy or data security to object to Dataweavers’ use of a new Subprocessor, Customer shall notify Dataweavers promptly in writing within 30 business days after such notice being made by Dataweavers on its website of a new Subprocessor. In the event Customer objects to any new Subprocessor(s) on a such grounds, Dataweavers will use reasonable efforts to work in good faith with Customer to find an acceptable, commercially reasonable, alternate solution. If the Parties are not able to agree to an alternate solution within a reasonable time (no more than 90 days from Dataweavers’ receipt of notice of Customer’s objection), Dataweavers will either not appoint or replace the Subprocessor or, if this is not possible, Customer may suspend or terminate the applicable Order for Services in respect only to the specific Services which cannot be provided by Customer without the use of the objected-to new Subprocessor, by providing written notice to Dataweavers and without prejudice to any fees incurred by Customer prior to suspension or termination.

5. Security Measures and Security Incident Response
5.1    Security Measures 

Dataweavers has implemented and will maintain appropriate technical and organizational security measures to protect Customer Data from Security Incidents and to preserve the security and confidentiality of the Customer Data ("Security Measures"). The Security Measures applicable to the Services are set forth in ANNEX A: Technical and organizational security measures as updated or replaced from time to time in accordance with Section 5.2. Customer is responsible for reviewing the information made available by Dataweavers relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws, taking into account the nature, scope, context and purposes of processing, the risks associated with the Personal Data and the Data Protection Laws.

5.2    Updates to Security Measures

Dataweavers has implemented a procedure for the regular testing, inspection, assessment and evaluation of the effectiveness of Dataweavers’ Security Measures. Accordingly, Customer acknowledges that the Security Measures are subject to technical progress and development and that Dataweavers may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer. Such updates to the Security Measures will be made available to Customer upon its reasonable request.

5.3    Personnel

Dataweavers shall take reasonable steps to ensure the reliability of any employee, agent, contractor or Subprocessor who may have access to Customer Data, ensuring that access is strictly limited on a least-privilege basis to those individuals who need to know or need to have access to Customer Data as is necessary for the provision of the Services under the Agreement. Further, Dataweavers shall ensure that personnel with access to Customer Data are under an appropriate obligation of confidentiality and that such personnel have received appropriate data protection and security training pertaining to the responsibilities of their role.

5.4    Customer Responsibilities

Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.

5.5    Sufficient Evidence

Upon the reasonable request of Customer, Dataweavers shall provide Customer with sufficient information to enable Customer to demonstrate that the necessary technical and organizational security measures (as further detailed in Annex A) have been implemented.

5.6    Security Incident Response

Upon becoming aware of a Security Incident, Dataweavers will notify Customer without undue delay (and no later than 48 hours after becoming aware of the Security Incident) and will provide information relating to the Security Incident as it becomes known or as is reasonably requested by Customer including: 

1. details of the Customer Data compromised, including whether the Customer Data had been encrypted, hashed or otherwise rendered incomprehensible, inaccessible or unintelligible for unauthorized persons,
2. information on the Data Subjects affected, such as categories and the number of Data Subjects affected,
3. the categories and number of information data records affected,
4. description of the nature of the unlawful disclosure,
5. identity and contact details of Dataweavers’ Privacy contact,
6. when the Security Incident took place (date or time period) and suspected cause,
7. the likely consequences of the security incident, and
8. any recommendations to minimize harm. Dataweavers will also take reasonable steps to mitigate and, where possible, to remedy the effects of, any Security Incident.

Dataweavers shall provide reasonable assistance to Customer, in the event Customer is required under Data Protection Laws to notify a supervisory authority or any Data Subjects of a Security Incident. Dataweavers reserves the right to charge Customer for this assistance should it become overly burdensome.

6. Reports and Audit
6.1    Upon Customer’s request, Dataweavers will make available a statement from its Security Team containing all information necessary to demonstrate compliance with this DPA (a “Dataweavers Report”) and any documentation pursuant to Section 10.1.
6.2    No more than once per year, Customer may conduct reviews of Dataweavers’ documents and systems, by way of desk-based questionnaires and phone conferences with Dataweavers personnel.
6.3    Notwithstanding the foregoing, Customer will have the right, at its expense, to conduct an onsite audit, only in the event that:

1. Customer reasonably believes that Dataweavers is out of compliance with this DPA, or
2. Customer is subject to a regulatory audit or government investigation or court order that includes the scope of this DPA. Any on-site audit will be conducted during normal business hours, at a date and time as mutually agreed between the Parties, and only if such an audit at Dataweavers’ premises is necessary to prove facts or otherwise demonstrate applicable compliance that Dataweavers cannot otherwise evidence through a Dataweavers Report, questionnaires, phone conferences, third-party certification programs or third- party audit reports. Customer agrees that with respect to any Dataweavers Confidential Information received in connection with such audit, Customer will be subject to the same confidentiality obligations as set forth in the Agreement.

7. International Transfers
7.1    Data Centre locations. Dataweavers shall store Customer Data only in the selected Azure data centre region/s outlined in Schedule 2 of the Dataweavers Managed Services Agreement (“Agreement”) unless notified otherwise. For sake of clarity, Dataweavers makes no warranties for the appropriateness of a selected data centre.
7.2    Data Transfers. If applicable, Dataweavers will at all times ensure that any Customer Data which is transferred is done so in compliance with adequate transfer mechanisms. Further, Dataweavers will ensure that an adequate level of protection is provided for the Customer Data Processed, and that processing is done in accordance with the requirements of Data Protection Laws.
7.3    Standard Contractual Clauses. The Parties agree that the Standard Contractual Clauses shall be the adequate transfer mechanism pursuant to Section 7.3 above and apply to Customer Data that is transferred from the EEA and/or Switzerland to outside the EEA and Switzerland, either directly or via onward transfer, to any country or recipient not recognized by the European Commission as providing an adequate level of protection for personal data (as described in the Data Protection Laws).

8. Return or Deletion of Data
8.1    Upon termination or expiration of the Agreement, Customer may, within 30 days of the contract expiration date, require Dataweavers to:

1. return a complete copy of all Customer Data to Customer, at Customer’s expense and within a commercially reasonable time, by secure file transfer in an industry-standard file format and/ or
2. delete and procure the deletion of all other copies of Customer Data Processed by any Processor or Subprocessor, provided that Dataweavers may retain Customer Data in a manner that restricts further processing solely to the extent that it may be necessary to comply with applicable law. Dataweavers shall comply with any such written request within 30 days of the Agreement’s termination date.

9. Privacy Rights

9.1    To the extent that Customer is unable to independently access the relevant Customer Data within the Services, Dataweavers shall provide reasonable and timely cooperation to assist Customer to respond to any requests from individuals or applicable data protection authorities relating to the Processing of Personal Data under the Agreement. In the case of complex or voluminous enquiries that can be managed by Customer through access within the Services but where Customer is requesting additional assistance beyond Dataweavers’ compliance requirements, Dataweavers reserves the right to charge Customer for reasonable expenses. In the event that any such request is made directly to Dataweavers, a Dataweavers Affiliate or any Subprocessor, Dataweavers shall not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Dataweavers is required to respond to such a request, Dataweavers will promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
9.2    If a law enforcement agency sends Dataweavers a demand for Customer Data (for example, through a subpoena or court order), Dataweavers will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Dataweavers may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Dataweavers will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Dataweavers is legally prohibited from doing so.

9.3    Dataweavers shall, upon Customer request and at Customer’s expense, provide reasonable assistance to Customer needed to fulfil any Customer obligation under the applicable Data Protection Laws to perform any data protection impact assessments. Dataweavers shall, upon Customer request, provide reasonable assistance to Customer in any prior consultations with supervising authorities or other competent data privacy authorities, which Customer reasonably considers to be required of Customer under Data Protection Laws.

10. Privacy and Data Protection
10.1    Dataweavers maintains a privacy program that includes dedicated resourcing, audit and review processes designed to implement appropriate privacy controls and procedures, including but not limited to:

1. Designated individual: The designation of an employee or employees to coordinate, provide oversight and be responsible for the privacy program;
2. Privacy risk assessments: The identification of reasonably foreseeable, material risks, both internal and external, that could result in unauthorized collection, use, or disclosure of Personal Data, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this privacy risk assessment should include consideration of risks in (1) employee training and management, (2) product design, development, and research and (3) adequacy of security controls;
3. Testing of Effectiveness: The design and implementation of reasonable privacy controls and procedures to address the risks identified through the privacy risk assessment, will be subject to and regular testing and monitoring of the effectiveness of those privacy controls and procedures; and
4. Reviews: Dataweavers will evaluate and adjust the privacy program to address any known change of circumstances that Vendor that may have a material impact on the effectiveness of the privacy program.

11. Compliance with this DPA
11.1    Dataweavers shall maintain appropriate documentation necessary to demonstrate Dataweavers’ compliance with the terms of the Agreement (including certifications, independent audit report summaries and policy tables of content) and make such documentation, subject to redaction of non-relevant Confidential Information, available to Customer upon request.
11.2    Upon Customer request, Dataweavers shall provide to Customer such copies of Dataweavers’ agreements with Subprocessors referred to in Section 4 (which may be redacted to remove Confidential information not relevant to the requirements of this DPA) as Customer may request annually.
11.3    Each Party shall appoint an individual within its organization authorized to respond from time to time to enquiries regarding the Personal Data and each Party shall deal with such enquiries promptly.
11.4    Dataweavers shall make reasonable efforts to notify Customer if it becomes aware of any possible violation of, or inability to comply with, this DPA or Data Protection Laws.

12. Contact

12.1    Customer may contact Dataweavers’ security team in relation to any security incident, notification or security question by emailing continuity@dataweavers.com.

12.2    All other queries relating to this DPA should be directed to continuity@dataweavers.com.

13. General

13.1    For the avoidance of doubt, any claim or remedies either party may have against the other party, any of its Affiliates and their respective employees, agents and Subprocessors arising under or in connection with this DPA, including any fines or damages payable under Data Protection Laws will be subject to the limitation of liability provisions (including any agreed aggregate financial cap) set forth in the Agreement.
13.2    Any claims against Dataweavers or its Affiliates under this DPA shall be brought solely against the entity that is a Party to the Agreement. In no event shall any Party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
13.3    No one other than a Party to this DPA, their successors and permitted assignees shall have any right to enforce any of its terms.
13.4    This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.
13.5    Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
13.6    Upon termination of the Agreement, and the cessation of any Services to the Customer, the respective rights and obligations of the Parties shall survive until Customer Data is deleted.
13.7    The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect only such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.