DATA PROCESSING AGREEMENT
This is Bananatag Systems Inc.’s (“Bananatag”) Data Processing Agreement (“DPA”). It is incorporated into and forms part of the agreement that incorporates this DPA by reference (“Agreement”) made between Bananatag and the customer identified in the Agreement (“Customer”).
1. DEFINITIONS AND INTERPRETATION
“Authorized Affiliate” means each Affiliate of Customer that: (a) is subject to EU Data Privacy Law; and (b) is permitted to use the Bananatag Service under the Agreement.
“Customer Data” means any personal data that Bananatag processes on behalf of Customer under the Agreement.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data in the custody of Bananatag or any of its authorized Sub-processors.
“Sub-processor” means any processor engaged by Bananatag to process Customer Data with respect to providing the Bananatag Service under the Agreement or this DPA.
The following terms have the meanings provided in the Agreement: “Affiliate”, “Bananatag Service”, “EEA”, “EU Data Privacy Law”, “Fees” and “GDPR”.
The following terms have the meanings provided in the GDPR: “controller”, “data subject”, “personal data”, “processing”, “processor” and “sensitive data”.
1.2 This DPA applies exclusively to the processing of Customer Data that is subject to applicable EU Data Privacy Laws.
1.3 The provisions of the Agreement that state how the Agreement is to be interpreted apply to the interpretation of this DPA.
1.4 This DPA forms a part of the Agreement. For clarity, the exclusions and limitations of liability set out in the Agreement apply to this DPA.
2.1 Details of Processing: Bananatag may process Customer Data on behalf of Customer. Schedule A sets out: (a) the subject matter and duration of the processing; (b) the nature and purpose of the processing; (c) the type of personal data being processed; and (d) the categories of data subject. Customer is the controller of all Customer Data and Bananatag, or its Sub-processor, is the processor.
2.2 Processing by Bananatag: Bananatag will, in respect of its processing of Customer Data: (a) process Customer Data only to the extent, and in such a manner, as is necessary for the purposes of the Agreement and in accordance with Customer’s lawful, documented instructions set out in this DPA or as Customer instructs in writing from time to time (provided Bananatag has agreed to follow such instructions); and (b) process Customer Data as required by applicable EU Data Privacy Laws, in which case Bananatag will inform Customer of the requirement prior to processing, unless prohibited by such applicable EU Data Privacy Law on important grounds of public interest.
2.3 Customer’s Instructions/Processing: Customer will ensure the following comply with all applicable laws, including applicable EU Data Privacy Laws: (a) all instructions it provides to Bananatag with respect to the Bananatag Service; and (b) its use of the Bananatag Service, including its processing of personal data directly. Customer is solely responsible for the accuracy, quality, legality and means of acquisition of all Customer Data.
2.4 Unlawful Instructions: Bananatag will notify Customer where Bananatag learns that Customer has provided Bananatag with instructions to process Customer Data that, in Bananatag’s reasonable opinion, would be in violation of applicable EU Data Privacy Laws.
2.5 Affiliates: By entering into the Agreement, Customer, as agent for the Authorized Affiliates, is entering into this DPA on behalf of each Authorized Affiliate (but, for clarity, no Authorized Affiliate is a party to the Agreement). Customer represents that it has all necessary authority to bind each Authorized Affiliate. Each Authorized Affiliate agrees to be bound by this DPA as if it was Customer. Any notice that Bananatag is required to provide to Authorized Affiliates, including under this DPA or EU Data Privacy Law, will be deemed to be sent to the Authorized Affiliates when sent to Customer. Customer will exercise any rights or seek any remedies under this DPA collectively (i.e., all Authorized Affiliates and Customer will exercise such rights or seek such remedies as if they were a single person, such as by sending collective notices and bringing claims as joint plaintiffs).
2.6 Sensitive Data: The Bananatag Service is not designed to process sensitive data and, therefore, Customer is prohibited from using the Bananatag Service to process sensitive data.
3. RIGHTS OF DATA SUBJECTS
3.1 Reasonable Assistance: Taking into account the nature of the processing, Bananatag will assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights set out in applicable EU Data Privacy Laws.
3.2 Use of Available Tools: Before relying on the preceding section, Customer must first use all of the self-serve features available in the Bananatag Service that allow it to fulfill the request directly.
3.3 Direct Request: If a data subject that is the subject of Customer Data makes a request to exercise their rights under applicable EU Data Privacy Laws directly to Bananatag, Bananatag will redirect the request to Customer where permitted by applicable law. If Bananatag is required by applicable law to respond to the request, Bananatag will do so and notify Customer, where permitted by applicable law.
4. SECURITY AND BREACHES
4.1 Security: Bananatag will: (a) taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, and assist Customer in ensuring compliance with its obligations to secure Customer Data under applicable EU Data Privacy Laws; (b) ensure that any person authorized to process Customer Data on behalf of Bananatag in connection with the Agreement is subject to a duty of confidentiality; and (c) provide Customer with all information and assistance necessary to investigate Security Incidents and, where required by applicable EU Data Privacy Law, notify the relevant regulator and affected data subject of each applicable Security Incident.
4.2 Incident Notice: Bananatag will notify Customer without undue delay if Bananatag becomes aware of any Security Incident by emailing Customer at the email address provided for legal notice. On Customer’s request, Bananatag will provide reasonable assistance to Customer in meeting Customer’s obligations under applicable EU Data Privacy Laws with respect to such Security Incident.
5. COMPLIANCE AND AUDIT
5.1 Information: Bananatag will make available to Customer all information necessary to demonstrate compliance with the obligations set out in this DPA.
5.2 Audit: With respect to audit rights, Bananatag will:
- on Customer’s written request, and subject to the confidentiality obligations set forth in the Agreement, provide Customer (or Customer’s independent, third-party auditor that is not a competitor of Bananatag) with a summary of Bananatag’s then most recent third-party audit report that demonstrates Bananatag’s compliance with this DPA, if available; and
- answer any reasonable questions regarding Bananatag’s compliance with this DPA sent to firstname.lastname@example.org by Customer, including any reasonable security and privacy questionnaires, once every 12 months.
6. INTERNATIONAL TRANSFERS
6.1 Transfers where Adequacy Finding: Bananatag may transfer Customer Data to a territory outside of the EEA where that territory has a finding of adequacy by the European Commission.
6.2 Transfers where No Adequacy Finding: Bananatag may transfer Customer Data to Canada or the United States of America provided that, if the applicable country does not have a finding of adequacy by the European Commission:
- prior to such transfer Bananatag executes and procures that the relevant third party executes the standard contractual clauses set out in Commission Decision of February 5, 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC or its successor (“Model Clauses”) and ensures that it complies, and procures that the relevant third party complies, with its relevant obligations under the Model Clauses;
- such transfer is in accordance with the EU–US Privacy Shield framework; or
- such transfer is in accordance with another legal transfer mechanism as may be available for the lawful transfer of Customer Data.
6.3 Mechanisms No Longer Valid: If the Model Clauses, EU–US Privacy Shield or other transfer mechanism ceases to exist or is no longer considered to be a lawful method of transferring personal data outside of the EEA, Bananatag will cease or procure that the relevant third party cease the processing of such Customer Data until such time as Bananatag has entered into an alternative mechanism to enable Customer Data to be transferred outside of the EEA in a compliant manner.
7.1 Sub-processor Agreements: Bananatag may engage Sub-processors to process Customer Data (or otherwise subcontract or outsource the processing of any Customer Data to a third party), provided that it enters into a written contract with any Sub-processor that:
- meets the requirements of the applicable EU Data Privacy Law; and
- provides protections or guarantees that are: (i) necessary to implement appropriate technical and organizational measures in compliance with the applicable EU Data Privacy Law; and (ii) at least as protective as this DPA.
7.2 List of Sub-processors: Bananatag uses the Sub-processors set out at https://bananatag.com/sub-processors.
7.3 Changes to Sub-processors: Bananatag will notify Customer of any new or replacement Sub-processors by updating the list of Sub-processors published on https://bananatag.com/sub-processors. If Customer objects to the appointment of a new or replacement Sub-processor, it may notify Bananatag by contacting email@example.com. Customer will be deemed to have accepted the Sub-processor if Bananatag does not receive an objection within 30 days of updating the list of Sub-processors. If an objection cannot be resolved by the parties within 30 days of receipt by Bananatag of the written objection, Customer may, on written notice to Bananatag in accordance with the Agreement, terminate the Agreement without further liability and with a refund for any prepaid, unused Fees.
7.4 Liability: Bananatag remains liable for the performance of its obligations under EU Data Privacy Law that it delegates to a Sub-processor (except to the extent caused or exacerbated by Customer).
8. TERM AND TERMINATION
8.1 Term: This DPA will remain in force until Bananatag returns or destroys the Customer Data in accordance with the following section.
8.2 Return/Destruction: Customer directs Bananatag to destroy Customer Data that is in the custody of Bananatag or a Sub-processor within 60 days of the termination of the Agreement (except for archival backup copies, which Bananatag will delete in accordance with its records retention schedule), except to the extent applicable law requires storage of the Customer Data for an additional period.
Schedule A – Data Processing Services
(I) Subject Matter and Duration of the Processing
- The subject matter of the processing is Customer Data.
- The processing will end in accordance with Section 8.2 of this DPA.
(II) Nature and Purpose of the Processing
- The purpose of the processing is for Bananatag to provide the Bananatag Service and for Customer to use the Bananatag Service, including any related support.
- The nature of the processing is to provide the Bananatag Service, which is a tool to create, send, track and measure employee communications.
(III) Type of Personal Data Being Processed
- Information about the device used to access the Bananatag Service
- Information about use of the Bananatag Service (e.g., the number of requests to the Bananatag Service) as well as events such as crashes
- Other log information (which may include Internet Protocol Address or other information or identifiers that may uniquely identify an account or browser or device)
- Information about a user’s location (e.g., used to identify time zone settings)
- Information about the Bananatag Service application version
- Electronic communication subject lines, recipient email address, distribution list names entered in the To and CC fields, and email content
- When an electronic communication is read; when a link in an electronic communication is clicked
- Any other personal data uploaded to the Bananatag Service by Customer or an Authorized Affiliate, excluding sensitive data (which Customer is not permitted to process using the Bananatag Service)
(IV) Categories of Data Subject
- The Data Subjects are employees or other personnel of Customer.