Data Processing Agreement

BACKGROUND

This Data Processing Agreement (“DPA”) forms part of the TRAILD End User License Agreement (“TRAILD EULA”), as updated from time to time, between TRAILD PTY LTD (ACN 627 799 982), a company incorporated in Australia with its registered office at 35 Market St, South Melbourne, VIC 3205, Australia (“Provider,” “we,” “our,” or “us”) and the party agreeing to the TRAILD EULA (“Customer”). In the event of any conflict or inconsistency between this DPA and the TRAILD EULA, this DPA shall prevail.

All capitalised terms shall have the meaning assigned to them in the TRAILD EULA, unless otherwise defined in this DPA.

1        DEFINITIONS

Applicable Law

means as applicable and binding on Customer or Provider:

(a)      any law, statute, regulation, byelaw or subordinate legislation in force from time to time to which a party is subject and/or in any jurisdiction that the Services are provided to or in respect of;

(b)      the common law and laws of equity as applicable to the parties from time to time;

(c)      any binding court order, judgment or decree; or

(d)      any applicable direction, policy, rule or order that is binding on a party and that is made or given by any regulatory body having jurisdiction over a party or any of that party’s assets, resources or business;

Appropriate Safeguards

means such legally enforceable mechanism(s) for transfers of Personal Data as may be permitted under Data Protection Laws from time to time;

Business Day

means any day except Saturdays, Sundays, bank holidays and public holidays in Ireland;

Data Controller

has the meaning given to that term (or to the term ‘controller’) in Data Protection Laws;

Data Processor

has the meaning given to that term (or to the term ‘processor’) in Data Protection Laws;

Data Protection Laws

means any laws and regulations relating to privacy or the use or processing of data relating to natural persons, including:

(a)      EU Directive 2002/58/EC (as amended by 2009/136/EC) and any legislation implementing or made pursuant to such directive;

(b)      EU Regulation 2016/679 (“GDPR”);

(c)      the GDPR as it forms part of the law in England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act 2018 (“DP Act”);

(d)      the Swiss Federal Act on Data Protection of 1 September 2023 and its corresponding ordinances (“Swiss FADP”);

(e)      any laws or regulations ratifying, implementing, adopting, supplementing or replacing the GDPR, UK GDPR, DP Act or Swiss FADP;

(f)      in each case, to the extent in force, and as such are updated, amended or replaced from time to time; and

(g)      any mandatory guidance or codes of practice issued by a Supervisory Authority in each case, to the extent in force and applicable to the parties, and as such are updated, amended or replaced from time to time;

Data Subject

means a natural person who can be identified, directly or indirectly, by the Personal Data;

Data Subject Request

means a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Laws;

International Organisation

means an organisation and its subordinate bodies governed by public international law, or any other body which is set up by, or on the basis of, an agreement between two or more countries;

Personal Data

means any information relating to an identified or identifiable natural person, including an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Personal Data Breach

means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, any Protected Data;

Processing

means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction (and related terms such as process have corresponding meanings);

Processing Instructions

has the meaning given to that term in clause 3.1.1;

Protected Data

means Personal Data received from or on behalf of Customer in connection with the performance of Provider’s obligations under the TRAILD EULA and this DPA;

Standard Contractual Clauses or “EU-SCCs”

means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (Text with EEA relevance), as amended, superseded or replaced from time to time in accordance with this DPA. When Customer is acting as a controller, the Controller-to-Processor Clauses (Module 2) will apply to a Data Transfer. When Customer is acting as a processor, the Processor-to-Processor Clauses (Module 3) will apply to a Data Transfer. Taking into account the nature of the processing, Customer agrees that it is unlikely that Provider will know the identity of Customer’s controllers because Provider has no direct relationship with Customer’s controllers and, therefore, Customer will fulfil Provider’s obligations to Customer’s controllers under the Processor-to-Processor Clauses;

Services

means all services provided by Provider to Customer pursuant to the TRAILD EULA;

Sub-Processor

means another Data Processor engaged by Provider for carrying out processing activities in respect of the Protected Data on behalf of Customer;

Supervisory Authority

means any local, national or multinational agency, department, official, parliament, public or statutory person or any government or professional body, regulatory or supervisory authority, board or other body responsible for administering Data Protection Laws; and

UK Addendum

means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under section 119A of the UK Data Protection Act 2018, as may be amended, superseded or replaced from time to time.

2    Data Processor and Data Controller

 2.1  The parties agree that, for the Protected Data, Customer shall be the Data Controller and Provider shall be the Data Processor.

 2.2  Provider shall process Protected Data in compliance with:

      2.2.1  the obligations of Data Processors under Data Protection Laws in respect of the performance of its obligations under this DPA; and

      2.2.2  the terms of this DPA.

 2.3  Customer shall comply with:

      2.3.1  all Data Protection Laws in connection with the processing of Protected Data, the Services and the exercise and performance of its rights and obligations under this DPA, including maintaining all relevant regulatory registrations and notifications as required under Data Protection Laws; and

      2.3.2  the terms of this DPA.

 2.4  Customer warrants, represents and undertakes, that:

      2.4.1  all data sourced by Customer for use in connection with the Services shall comply in all respects, including in terms of its collection, storage and processing (which shall include Customer providing all of the required fair processing information to, and obtaining all necessary consents from, Data Subjects), with Data Protection Laws;

      2.4.2  all instructions given by Customer to Provider in respect of Personal Data shall at all times be in accordance with Data Protection Laws; and

      2.4.3  it is satisfied that:

              (a)  Provider’s processing operations are suitable for the purposes for which Customer proposes to use the Services and engage Provider to process the Protected Data; and

              (b)  Provider has sufficient expertise, reliability and resources to implement technical and organisational measures that meet the requirements of Data Protection Laws.

3    Instructions and details of processing

 3.1  Insofar as Provider processes Protected Data on behalf of Customer:

      3.1.1  unless required to do otherwise by Applicable Law, Provider shall (and shall take steps to ensure each person acting under its authority shall) process the Protected Data only on and in accordance with Customer’s documented instructions as set out in this clause 3 and Schedule 1, Annex 1 to this DPA (“Data processing details”), as updated from time to time (“Processing Instructions”);

      3.1.2  notwithstanding any other provision of this DPA, if any Applicable Law requires Provider to conduct Processing of the Protected Data other than in accordance with the Processing Instructions, such Processing shall not constitute a breach of this DPA;

      3.1.3  if Applicable Law requires it to process Protected Data other than in accordance with the Processing Instructions, Provider shall notify Customer of any such requirement before processing the Protected Data (unless Applicable Law prohibits such information on important grounds of public interest); and

      3.1.4  Provider shall promptly inform Customer if it becomes aware of a Processing Instruction that, in Provider’s opinion, infringes Data Protection Laws, provided that:

              (a)  this shall be without prejudice to clauses 2.3 and 2.4; and

              (b)  to the maximum extent permitted by mandatory law, Provider shall have no liability howsoever arising (whether in contract, tort (including negligence) or otherwise) for any losses, costs, expenses or liabilities arising from or in connection with any processing in accordance with Customer’s Processing Instructions following Customer’s receipt of that information.

4    Technical and organisational measures

 4.1  Provider shall implement and maintain appropriate technical and organisational measures in relation to the processing of Protected Data by Provider, as set out in Schedule 1, Annex 2 to this DPA (“Technical and organisational measures”).

5    Using staff and other processors

 5.1  Customer hereby gives Provider a general consent to engage Sub-Processors for Processing of Personal Data on behalf of Customer. Provider’s list of its current Sub-Processors is in Schedule 2. Where Provider adds a new Sub-Processor, the list will be updated promptly. Customer shall notify Provider if it objects to a Sub-Processor. Where such objection is reasonable and is raised within seven (7) days of the Sub-Processor first appearing on the list, Provider shall, at its sole option, either:

      5.1.1  remove such Sub-Processor from the list and not engage such Sub-Processor to Process any Protected Data, in which case this DPA shall continue; or

      5.1.2  discuss alternative solutions with Customer, in which case, where the parties have failed to agree on a solution within reasonable time, Provider shall have the right to terminate this DPA and the Service with a reasonable notice period. During the notice period, Provider shall not transfer any Personal Data to the Sub-Processor. 

 5.2  Provider shall enter into appropriate written agreements with all of its Sub-Processors on terms substantially similar to this DPA, including without limitation Customer’s right to conduct audits at the Sub-Processor, or ensure that the Sub-Processor will conduct audits using external auditors at least once per year. Provider shall remain primarily liable to Customer for the performance or non-performance of the Sub-Processor’s obligations.

 5.3  Upon Customer’s request, Provider shall provide information regarding any Sub-Processor, including name, email address and the Processing carried out by the Sub-Processor.

6    Assistance with Customer’s compliance and Data Subject rights

 6.1  Provider shall refer all Data Subject Requests it receives to Customer within three (3) Business Days of receipt of the request. 

 6.2  Provider shall provide such reasonable assistance as Customer reasonably requires (taking into account the nature of processing and the information available to Provider) to Customer in ensuring compliance with Customer’s obligations under Data Protection Laws with respect to:

      6.2.1  security of processing;

      6.2.2  data protection impact assessments (as such term is defined in Data Protection Laws);

      6.2.3  prior consultation with a Supervisory Authority regarding high risk processing; and

      6.2.4  notifications to the Supervisory Authority and/or communications to Data Subjects by Customer in response to any Personal Data Breach.

 6.3  The Customer shall pay Provider’s reasonable charges for providing the assistance described in this clause 6.

7    International data transfers

 7.1  Customer consents that Provider may transfer Protected Data outside the United Kingdom (“UK”), European Economic Area (“EEA”) and Switzerland, as necessary to provide the Services to a jurisdiction for which the European Commission, the UK Supervisory Authority or the Swiss Supervisory Authority has not issued an adequacy decision (“Data Transfer”), provided that Provider has implemented a transfer solution compliant with Data Protection Laws, which shall include:

      7.1.1  Standard Contractual Clauses. In relation to transfers of Protected Data protected by the GDPR, Provider shall process Protected Data in accordance with the EU-SCCs, which are incorporated into and form a part of this DPA, as follows:

              (a)  The Provider is the “data importer” and Customer is the “data exporter”;

              (b)  Clause 7: the Docking clause shall apply;

              (c)  Clause 9: Option 2 – general authorisation for Sub-Processors;

              (d)  Clause 17: the Governing Law shall be as per this DPA;

              (e)  Clause 18: Forum and Jurisdiction shall be as per this DPA;

              (f)  Annex I: details are provided in Schedule 1 (Annex 1) to this DPA; Annex II: details are provided in Schedule 1 (Annex 2) to this DPA; and

              (g)  Annex I.C. Competent Supervisory Authority shall be the German Federal Commissioner for Data Protection and Freedom of Information (Bundesbeauftragter für Datenschutz und Informationsfreiheit or “BfDI”).

      7.1.2  UK Addendum. In relation to transfers of Protected Data protected by UK GDPR, the EU-SCCs (i) apply as completed in accordance with paragraph 7.1.1 above; and (ii) are deemed amended as specified by the UK Addendum, which is deemed executed by the Parties and incorporated into and forming an integral part of this DPA as follows:

              (a)  Table 1 shall be deemed completed with the information set out in Schedule 1 (Annex 1), as appropriate, the contents of which are hereby agreed by the Parties;

              (b)  In Table 2, the Parties select the checkbox reading: “the Approved EU-SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU-SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed to be completed according to the EU-SCCs as completed in paragraph 7.1.1 above;

              (c)  Table 3 shall be deemed completed with the information set out in Schedule 1 (Annexes 1 and 2) and Schedule 2 (Annex III), being Annexes I to III of the EU-SCCs, the contents of which are hereby agreed by the Parties;

              (d)  Table 4 in Part 1 is deemed completed by selecting the checkbox reading: “neither party”;

              (e)  Any conflict between the terms of the EU-SCCs and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.

      7.1.3  Swiss FADP.  In relation to transfers of Protected Data protected by the Swiss FADP, the EU SCCs apply as completed in accordance with paragraph 7.1.1 above, except that:

              (a)  the competent supervisory authority in respect of such Protected Data shall be the Swiss Federal Data Protection and Information Commissioner;

              (b)  in Clause 17 of the EU SCCs, the governing law shall be the laws of Switzerland;

              (c)  references to “Member State(s)” in the EU SCCs shall be interpreted to refer to Switzerland, and data subjects located in Switzerland shall be entitled to exercise and enforce their rights under the EU SCCs in Switzerland; and

              (d)  references to the “General Data Protection Regulation”, “Regulation 2016/679” or “GDPR” in the EU SCCs shall be understood to be references to the Swiss FADP (as amended or replaced).

      7.1.4  Another appropriate safeguard pursuant to Article 46 of the GDPR; or

      7.1.5  Derogation pursuant to Article 49 of the GDPR.

 7.2  Provider will promptly notify Customer if it becomes aware that it can no longer meet its obligations under this clause 7 and, in such event, shall work with Customer and promptly take all reasonable and appropriate steps to stop any Processing outside of the UK, the EEA and Switzerland. If that is not possible, Provider shall have the right to terminate this DPA and the TRAILD EULA upon reasonable notice. During the notice period, Customer shall not transfer any Protected Data to Provider.

8    Records, information and audit

 8.1  Provider shall maintain, in accordance with Data Protection Laws binding on Provider, written records of all categories of processing activities carried out on behalf of Customer.

 8.2  Provider shall, in accordance with Data Protection Laws, make available to Customer such information as is reasonably necessary to demonstrate Provider’s compliance with its obligations under Article 28 of the UK GDPR (and under any Data Protection Laws equivalent to that Article 28), and allow for and contribute to audits, including inspections, by Customer (or another auditor mandated by Customer) for this purpose, subject to Customer:

      8.2.1  giving Provider reasonable prior notice of such information request, audit and/or inspection being required by Customer;

      8.2.2  ensuring that all information obtained or generated by Customer or its auditor(s) in connection with such information requests, inspections and audits is kept strictly confidential (save for disclosure to the Supervisory Authority or as otherwise required by Applicable Law);

      8.2.3  ensuring that such audit or inspection is undertaken during normal business hours, with minimal disruption to Provider’s business, the Sub-Processors’ business and the business of other customers of Provider; and

      8.2.4  paying Provider’s reasonable costs for assisting with the provision of information and allowing for and contributing to inspections and audits.

9    Breach notification

 9.1  In respect of any Personal Data Breach involving Protected Data, Provider shall, without undue delay:

      9.1.1  notify Customer of the Personal Data Breach; and

      9.1.2  provide Customer with details of the Personal Data Breach.

10    Deletion or return of Protected Data and copies

 10.1  Provider shall, at Customer’s written request, either delete or return all the Protected Data to Customer in such form as Customer reasonably requests within a reasonable time after the earlier of:

      10.1.1  the date on which all payments under the applicable Services have been made and the TRAILD EULA terminated or expired; or

      10.1.2  once processing by Provider of any Protected Data is no longer required for the purpose of Provider’s performance of its relevant obligations under the TRAILD EULA,

and delete existing copies, unless storage of any data is required by Applicable Law and, if so, Provider shall inform Customer of any such requirement. Notwithstanding the foregoing, Customer hereby authorises Provider to retain one copy of the Protected Data for backup purposes only.

11    Dispute Resolution

 11.1  This DPA shall be governed by the laws of England and Wales and the parties hereby submit to the exclusive jurisdiction of the English Courts.

SCHEDULE 1 TO THE DPA

ANNEX 1

DETAILS OF PROCESSING

Under Data Protection Laws, Provider shall only Process Personal Data in accordance with Customer’s Processing Instructions, as regulated in the DPA. This document forms part of Customer’s Processing Instructions, directing Provider on the scope, nature and purpose of Processing Personal Data on behalf of Customer. The Processing Instructions may be amended in writing by Customer from time to time, as communicated in writing to Provider by an authorised representative of Customer or through Customer’s use of the Services.

  1. PURPOSE OF PROCESSING

Provider shall process Personal Data only for the purpose of performance of the Services for Customer.

  2. CATEGORIES OF DATA SUBJECTS
  •   Users of the Services who upload invoices to the TRAILD Systems (as defined in the TRAILD EULA)
  •   Individuals whose details are contained in invoices uploaded by Users of the Services

  3. TYPES OF PERSONAL DATA
  •   Name
  •   Email address
  •   Username
  •   Phone number
  •   Log data

  4. SPECIAL CATEGORIES OF PERSONAL DATA

Health data (if contained in invoices processed using the TRAILD Services).

  5. PROCESSING ACTIVITIES
  •   Collection
  •   Storing
  •   Accessing, reading or consultation for the purposes of providing customer support
  •   Erasure or destruction

  6. DURATION OF PROCESSING

Personal Data shall not be processed for a period longer than is necessary for serving its purpose. The processing of data collected in respect of a project shall cease on expiry or termination of the Services provided in connection with such project, and all Personal Data will be returned to Customer and all copies destroyed, save for one copy that Provider will keep securely for its own records for 7 years after termination of the applicable Services.

  7. PROCESSING LOCATION

Processing takes place in data centres located in the following locations:

  • United States of America
  • Canada
  • Netherlands
  • Australia
  • United Kingdom

Personal Data is stored in the data centre closest to the Customer, but can be accessed by the Provider from other jurisdictions.

ANNEX 2

TECHNICAL AND ORGANISATIONAL MEASURES

The following includes the information required by Annex II of the EU-SCCs and by Table 3 (Appendix Information) of the UK Addendum. In this Annex, “Company” means Provider.

Technical and Organizational Security Measure

Details

Measures of pseudonymisation and encryption of personal data

Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Databases housing sensitive customer data are encrypted at rest. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit and Customer Data is securely encrypted with strong ciphers and configurations when at rest.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Company’s customer agreements contain strict confidentiality obligations. Additionally, Company requires every downstream Subprocessor to sign robust confidentiality provisions in order to protect customer information.

Company has implemented all SOC 2 Type 2 controls required for the Security Trust Service Criteria. 

Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

Daily, weekly and monthly backups of production datastores are taken.

Backups are periodically tested in accordance with information security and data management policies. 

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Company has implemented all SOC 2 Type 2 controls required for the Security Trust Service Criteria. 

Measures for user identification and authorization

Company uses secure access protocols and processes and follows industry best-practices for authentication, including Multifactor Authentication and Single Sign On (SSO). All production access requires the use of two-factor authentication, and network infrastructure is securely configured to vendor and industry best practices to block all unnecessary ports, services, and unauthorized network traffic. 

Measures for the protection of data during transmission

Company has deployed secure methods and protocols for transmission of confidential or sensitive information over public networks. Company uses only recommended secure cipher suites and protocols to encrypt all traffic in transit (TLS 1.2).

Measures for the protection of data during storage

Encryption-at-rest is automated using GCP’s transparent disk encryption, which uses industry standard AES-256 encryption to secure all volume (disk) data. All keys are fully managed by GCP. 

Measures for ensuring physical security of locations at which personal data are processed

All Company processing occurs in physical data centers that are managed by AWS. https://aws.amazon.com/compliance/data-center/controls/

Measures for ensuring events logging

Company monitors access to applications, tools, and resources that process or store Customer Data, including cloud services. Monitoring of security logs is managed by the security and engineering teams. Log activities are investigated when necessary and escalated appropriately.

Measures for ensuring system configuration, including default configuration 

Company adheres to a change management process to administer changes to the production environment for the Services, including changes to its underlying software, applications and systems. All production changes are automated through CI/CD tools to ensure consistent configurations.

Measures for internal IT and IT security governance and management

Company maintains an ISO 27001-compliant risk-based information security governance program. The framework for Company’s security program includes administrative, organizational, technical, and physical safeguards reasonably designed to protect the Services and confidentiality, integrity, and availability of Customer Data.

Measures for certification/assurance of processes and products

Company undergoes annual SOC 2 Type II and ISO 27001 audits.

Measures for ensuring data minimisation

Company’s Customers unilaterally determine what data they route through the Services. As such, Company operates on a shared responsibility model. Company gives Customers control over exactly what data enters the platform. Additionally, Company has built in self-service functionality to the Services that allows Customers to delete and suppress data at their discretion.

Measures for ensuring data quality

Company has a multi-tiered approach for ensuring data quality. These measures include: (i) unit testing to ensure quality of logic used to process API calls, (ii) database schema validation rules which execute against data before it is saved to our database, (iii) a schema-first API design using GraphQL and strong typing to enforce a strict contract between official clients and API resolvers. Company applies these measures across the board, both to ensure the quality of any Usage Data that Company collects and to ensure that the Company Platform is operating within expected parameters.

Company ensures that data quality is maintained from the time a Customer sends Customer Data into the Services and until that Customer Data is presented or exported.

Measures for ensuring limited data retention

Customers unilaterally determine what data they route through the Services. As such, Company operates on a shared responsibility model. If a Customer is unable to delete Personal Data via the self-service functionality of the Services, then Company deletes such Personal Data upon the Customer’s written request, within the timeframe specified in this DPA and in accordance with Data Protection Laws. All Personal Data is deleted from the Services following service termination (save for one copy that Provider will keep securely for its own records for 7 years after termination of the applicable Services).

Measures for ensuring accountability

Company has adopted measures for ensuring accountability, such as implementing data protection and information security policies across the business, recording and reporting Personal Data Breaches, and formally assigning roles and responsibilities for information security and data privacy functions. Additionally, the Company conducts regular third-party audits to ensure compliance with our privacy and security standards.

Measures for allowing data portability and ensuring erasure

Personal Data submitted to the Services by Customer may be deleted by the Customer or at the Customer’s request.

Personal Data is incidental to the Company’s Services. Based on Privacy by Design and Data Minimization principles, Company severely limits the instances of Personal Data collection and processing within the Services. Most use cases for porting Personal Data from Company are not applicable. However, Company will respond to all requests for data porting in order to address Customer needs.

Technical and organizational measures of sub-processors

The Company enters into Data Processing Agreements with its Authorized Sub-Processors with data protection obligations substantially similar to those contained in this DPA.

SCHEDULE 2 TO THE DPA

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

Refer to Schedule 1, Annex 2 of the DPA

ANNEX III – LIST OF SUB-PROCESSORS

The controller has authorised the use of the following sub-processors: https://trust.traildsoftware.com