This Data Processing Addendum (“DPA”) supplements the Onehub Terms of Service (available at https://www.onehub.com/terms-of-service, as updated from time to time by Onehub) (the “Agreement”) governing Customer’s use of Onehub’s services and product offerings (the “Service”). This DPA is an agreement between Onehub Inc. having its principal place of business at 950 17th Street, Suite 1400, Denver, Colorado 8020 (“Company” or “Processor”), and the customer entity agreeing to the Onehub Terms of Service (“Customer” or “Controller”). This DPA is incorporated into and forms part of the Agreement, and except as expressly amended by the terms of this DPA, the terms and conditions of the Agreement remain unchanged and will continue in full force and effect. Capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. This DPA applies solely with respect to personal data that may be contained within Customer Data that is uploaded to the Service governed by the Agreement and is regulated by Data Protection Laws.
Each party shall comply with the legal requirements under Data Protection Laws. “Data Protection Laws” means all applicable laws, rules, regulations, or implementing legislation that relate to the data privacy or security of personal data of individuals, including, as applicable: (A) the General Data Protection Regulation 2016/679 (“GDPR”), as well as any other applicable national rule and legislation on the protection of personal data in the European Union or any Member State that is already in force or that will come into force during the term of this DPA; (B) the United Kingdom Data Protection Act of 2018 and the GDPR as it forms part of UK domestic law under the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”); and (C) the California Consumer Privacy Act (“CCPA”), and any other data protection laws substantially amending, replacing, or superseding the CCPA. The terms “personal data,” “processing,” “personal data breach,” and “data subject”, or similar terms, have the meaning given in the Data Protection Laws.
Controller hereby instructs Processor to process personal data for providing the Service described in the Agreement and Annex 1 to this DPA.
Processor will process personal data only on behalf of Customer to deliver Service in accordance with the Agreement or Customer’s other documented instructions. Specifically, Customer is disclosing personal data solely for the limited and specified purpose of receiving the Service and Processor shall only process personal data for the limited and specified purpose of Processor providing the agreed upon Service under the Agreement. Processor shall not (a) sell or share (each within the meaning of the CCPA) Customer’s personal data, (b) retain, use, or disclose any personal data for any purpose other than for the Business Purposes (as defined in the CCPA) specified in the Agreement, including for any Commercial Purpose (as defined in the CCPA) other than the Business Purposes specified in the Agreement, (c) retain, use, or disclose the personal data outside of the direct business relationship between Customer and Processor; or (d) combine personal data that the Processor receives from, or on behalf of, Customer with personal data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, except to perform any Business Purpose required by the Agreement. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Processor’s access to personal data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. 
Processor certifies and acknowledges that (i) it understands the restrictions set forth in this section and will at all times comply with them; (ii) it will comply with the applicable obligations under the CCPA, and shall provide the same level of privacy protection as is required by the CCPA; (iii) Controller shall be permitted to take reasonable and appropriate steps to help ensure that Processor uses personal data in a manner consistent with Controller’s obligations under the CCPA; (iv) it will notify Controller if it makes a determination that it can no longer meet its obligations under the CCPA; and (v) it will grant Controller the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer’s personal data. To the extent required by the CCPA, Controller shall inform Processor of any consumer requests made pursuant to the CCPA that they must comply with, and shall provide all information necessary for Processor to comply with such request.
Processor undertakes to take the technical, organizational and structural measures necessary to ensure the security, integrity and confidentiality of the personal data it processes in connection with this DPA as described in Annex 2 to the DPA and this Section 2. In particular, Processor will take security measures to prevent any personal data breach, including with respect to:
- destruction, alteration, misuse or loss of the personal data made accidentally or without authorization of the Controller;
- disclosure of or access to the personal data in an accidental or non-authorized manner; or
- any form or purpose of processing of the personal data which would be unlawful, unauthorized or not provided for in this DPA.
- premises where personal data is processed are secured;
- authentication/identification mechanisms to access personal data on information systems are in place;
- a password policy is implemented and enforced;
- the network and the information systems are protected against intrusions and other attacks;
- backups of personal data are regularly performed; and
- the personnel and the staff of the third party processors processing personal data are properly trained on confidentiality, integrity, and availability measures.
Controller agrees that Processor may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. Annex 3 to the DPA lists sub-processors that are currently engaged by Processor or its affiliates to carry out processing activities with respect to Customer’s personal data. Processor shall notify Controller if it adds or removes sub-processors at least 10 days prior to any such changes if Controller opts in to receive such notifications by notifying Processor of such intent. Controller reserves the right to object (with reasonable cause) to a sub-processor, or the appointment of a new sub-processor who processes any Controller personal data. Prior to engaging any sub-processor, Processor shall enter into a written contract with such sub-processor containing data protection obligations at least equivalent in substance to those in this DPA. Processor shall be liable for all acts and omissions of the sub-processor as if they were Processor’s acts and omissions.
Processor will comply with all requirements of this DPA and Data Protection Laws to which it is subject with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:
- ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- take all measures required to protect Customer’s personal data, including, without limitation, implementing and maintaining reasonable safeguards appropriate to protect Customer’s personal data;
- process Customer’s personal data only on documented instructions from Customer, unless required to do so by law to which Processor is subject; in such a case, the Processor will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
- taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Laws; and
- assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.
Processor will, to the extent required under the applicable Data Protection Laws, without undue delay, and within the period specified by applicable law, inform the Controller of any personal data breach.
Processor will promptly investigate such personal data breach and will, to the extent required under the applicable Data Protection Laws, provide Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Controller in relation to such personal data breach.
Upon termination of the Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:
- destroy all personal data processed and any copies thereof and certify to Controller on request that Processor has done so; or
- in accordance with Controller’s instructions, return all personal data processed and the copies thereof to Controller or other recipient identified by Controller.
Processor may monitor and audit (either through self-audit or third-party audit) its own compliance with its obligations under Data Protection Laws and this DPA (“Company Audit”) and will provide Controller with such Company Audit (if one is performed) upon Controller’s written request (except that Processor will provide such Company Audit no more than once per calendar year).
Upon Controller’s request, Processor shall, no more than once per calendar year, make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the processing of Controller’s personal data. To the extent required by Data Protection Laws and if Controller requires information in addition to such reports, Processor shall make available to Controller on request all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Controller or an auditor mandated by Controller, not being competitors of Processor (“Mandated Auditor”), of any premises where the processing of Customer’s personal data takes place in order to assess compliance with this DPA (a “Customer Audit”). Processor shall provide reasonable cooperation to Controller with respect to a Customer Audit. Controller agrees that: (a) a Customer Audit may only occur during normal business hours, and where possible only after reasonable notice to Processor (not less than 20 days’ advance written notice); (b) a Customer Audit will be conducted in a manner that does not have any adverse impact on Processor’s normal business operations; (c) Controller and any Mandated Auditor will comply with Processor’s standard safety, confidentiality, and security procedures in conducting any Customer Audit; (d) any records, data, or information accessed by Controller or any Mandated Auditor in the performance of any Customer Audit will be deemed to be the Confidential Information of Processor; and (e) a Customer Audit shall be at the Customer’s sole cost and expense. If the controls or measures to be assessed in a request for a Customer Audit are addressed in a Company Audit, Controller agrees to accept such Company Audit in lieu of requesting a Customer Audit.
Processor will assist Controller, to the extent reasonably possible, to comply with applicable law in a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller, at the Controller’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, if any, that relate to the Service provided by Processor to Controller and the personal data that Processor handles for Controller.
Processor will, to the extent required by applicable Data Protection Laws, notify Controller without undue delay:
- about any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and
- about any complaints and requests received directly from data subjects (e.g., regarding access, rectification, erasure, data portability, objection to processing of data, automated decision-making), and assist Controller with a response and resolution of the request, but not respond until Controller provides instructions.
In connection with the performance of the Agreement, Processor may be a recipient of personal data in the United States originating from the European Economic Area, Switzerland or the UK (“European, Swiss or UK Data”). In such case, Processor will comply with the following:
- The EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce, as may be amended, superseded or replaced (the “Data Privacy Framework”). Processor will use the Data Privacy Framework to lawfully receive European, Swiss or UK Data in the United States and ensure that it provides at least the same level of protection to such data as is required by the Principles and Supplemental Principles contained in the relevant Data Privacy Framework, as may be amended, superseded or replaced (collectively, the “Data Privacy Framework Principles”), and will let Customer know if it is unable to comply with this requirement.
- Standard Contractual Clauses. If Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer to Processor and/or the Data Privacy Framework is invalidated), the Standard Contractual Clauses described in Sections 12 and 13 below, as applicable, shall apply to the transfer.
With respect to any transfers of personal data originating from the European Economic Area or Switzerland to Processor in a country whose laws have not been deemed by the European Commission to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or the Data Privacy Framework described in Section 11(a) above, the parties agree to comply with the relevant terms of the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Transfer controller to processor) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this DPA by reference (the “EU SCCs”). The parties hereby agree that details in Annex 1 to this DPA will be used to complete Annex I of the EU SCCs, and details in Annex 2 to this DPA will be used to complete Annex II of the EU SCCs. In accordance with Clause 2 of the EU SCCs, the parties wish to supplement the EU SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to contradict the EU SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects. Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the EU SCCs, including without limitation the following:
- The instructions described in Clause 8.1(a) are as set forth in Sections 1 and 4(c) of this DPA.
- In the event a data subject requests a copy of the EU SCCs or this DPA in accordance with Clause 8.3 of the EU SCCs, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
- Certification of deletion of personal data under Clause 8.5 and Clause 16(d) of the EU SCCs shall be provided upon the written request of data exporter.
- Data importer shall be deemed in compliance with Clause 8.8 of the EU SCCs to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
- Any information requests or audits provided for in Clause 8.9 of the EU SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.
- Pursuant to Clause 9(a) Option 2 of the EU SCCs, data exporter agrees that data importer may engage new sub-processors as described in Section 3 of this DPA. With respect to Clause 9 of the EU SCCs, the parties select the time period set forth in Section 3 of this DPA.
- The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the EU SCCs.
- The parties agree that, for purposes of Clause 13 of the EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR.
- Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clause 14(f) or Clause 16 of the EU SCCs.
- With respect to Clause 17 of the EU SCCs, the parties select the law of Ireland.
- With respect to Clause 18 of the EU SCCs, the parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.
- With respect to transfers of personal data originating from Switzerland: (i) the term “member state” as used in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; (ii) the EU SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Act on Data Protection (FADP) on or about 1 January 2023; (iii) references to the GDPR or other governing law contained in the EU SCCs shall also be interpreted to include the FADP; and (iv) the parties agree that the supervisory authority as indicated in Clause 13 and Annex I.C of the EU SCCs shall be the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.
With respect to any transfers of personal data originating from the United Kingdom to Processor in a country whose laws have not been deemed by the government of the United Kingdom to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or the Data Privacy Framework described in Section 11(a) above, the parties agree to comply with the relevant terms of the United Kingdom’s standard contractual clauses for international transfers from controllers to processors (available at: https://ico.org.uk/media/for-organisations/documents/2620100/uk-sccs-c-p-202107.docx), which are incorporated into this DPA by reference (the “UK SCCs”). The parties hereby agree that details in Annex 1 to this DPA will be used to complete Appendix 1 of the UK SCCs, and details in Annex 2 to this DPA will be used to complete Appendix 2 of the UK SCCs. In accordance with Clause 10 of the UK SCCs, the parties wish to supplement the UK SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to overlap or contradict the UK SCCs (whether directly or indirectly), reduce the level of protection that the data importer is required to provide for personal data, or to reduce the rights of data subjects or make it more difficult for them to exercise their rights. Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the UK SCCs, including without limitation the following:
- In the event a data subject requests a copy of the UK SCCs or this DPA in accordance with Clause 4(h) of the UK SCCs, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.
- The instructions described in Clause 5(a) are as set forth in Section 1 of this DPA.
- Any information requests or audits provided for in Clauses 5(f) and 12(2) of the UK SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.
- Pursuant to Clause 5(h) of the UK SCCs, data exporter acknowledges and expressly agrees that data importer may engage new sub-processors as described in Section 3 of this DPA.
- Copies of any sub-processor agreements required to be sent to data exporter under Clause 5(j) of the UK SCCs shall only be sent upon data exporter’s written request. The parties agree that data importer may remove or redact all commercial information unrelated to the UK SCCs or their equivalent beforehand.
- Certification of deletion of personal data as described in Clause 12(1) of the UK SCCs shall be provided upon the written request of data exporter.
- Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clauses 5(a) and 5(b) of the UK SCCs.
- The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 6(2) of the UK SCCs.
- All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.
- In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this DPA, this DPA, and then the Agreement.
- This DPA shall not restrict the Data Protection Laws. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision. In case a necessary provision is missing, the parties shall add an appropriate one in good faith.
- This DPA shall commence on the date that the Agreement is deemed agreed to by the Customer.