Data Processing Agreement - Refiner.io

Data Processing Agreement

Please note: This document is a template only. To be legally binding, the Data Processing Agreement must be signed by both parties. You can sign the agreement using this link.

This Data Processing Agreement (“Agreement”) forms part of the Terms of Service (“Principal Agreement”) between:

·················

·················

(the “Company”)

and

Refiner SASU, 10 rue de Penthièvre, 75008 Paris, France

(the “Data Processor”)

(together as the “Parties”)

WHEREAS

  • The Company acts as a Data Controller.
  • The Company wishes to subcontract certain Services, which imply the processing of personal data, to the Data Processor.
  • The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“General Data Protection Regulation” or “GDPR”), and in particular with Commission Implementing Decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors under Article 28(7) of Regulation (EU) 2016/679 (the “SCC Decision”).
  • The Parties wish to lay down their rights and obligations.

IT IS AGREED AS FOLLOWS:

1. Definitions and Interpretation

Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:

“Agreement” means this Data Processing Agreement and all Schedules;

“Contracted Processor” means a Subprocessor;

“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;

“EEA” means the European Economic Area;

“EU Data Protection Laws” means Regulation (EU) 2016/679 (GDPR) and all national implementing or supplementary laws, as amended or superseded from time to time;

“GDPR” means EU General Data Protection Regulation 2016/679;

“International Transfer” means any transfer of User Data to a country outside the EEA where such transfer is subject to the provisions of Chapter V of the GDPR;

“Data Transfer” means:

  • a transfer of User Data from the Company to a Contracted Processor; or
  • an onward transfer of User Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor;

“Services” means the Refiner.io survey software services provided by the Processor to the Company;

“Subprocessor” means any person appointed by or on behalf of the Processor to process Personal Data of the Company in connection with the Agreement.

The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.

The terms “Refiner Solution”, “Service”, “Subscribed Plan”, “User Data”, “Contact”, “Contact Data”, “Behavioral Data”, “Survey Response Data”, “API (Application Programming Interface)”, “Third Party API” and “Company Data” shall have the same meaning as in the Principal Agreement.

Interpretation - Where terms defined in the GDPR are used in this Agreement, they shall have the same meaning as in the GDPR. This Agreement shall be read and interpreted in the light of the GDPR. It shall not be interpreted in a manner that conflicts with rights and obligations provided for in the GDPR, or in a manner that prejudices the fundamental rights or freedoms of Data Subjects.

2. Hierarchy

In the event of a contradiction between this Agreement and the provisions of related agreements between the Parties, existing at the time this Agreement is agreed or entered into thereafter, this Agreement shall prevail.

3. Processing of User Data

Processor shall:

  • comply with all applicable Data Protection Laws in the Processing of User Data; and
  • not process User Data other than on the relevant Company’s documented instructions, unless required to do so by Union or Member State law applicable to the Processor, in which case the Processor shall inform the Company of that legal requirement before Processing, unless prohibited from doing so on important grounds of public interest.

The Processor shall immediately inform the Company if, in its opinion, an instruction given by the Company constitutes an infringement of the GDPR or other applicable Union or Member State Data Protection Laws. The Processor may in such case suspend the execution of that instruction pending further confirmation or modification by the Company.

The Company instructs the Processor to process User Data in order to provide the Services as described in Appendix A. The Processor shall process User Data solely for the specific purposes set out in Appendix A, unless it receives further documented instructions from the Company. Processing by the Processor shall only take place for the duration set out in Appendix A.

4. Processor Personnel

The Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the User Data, ensuring in each case that access is strictly limited to those individuals who need to know or access the relevant User Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with applicable laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

5. Security

Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the User Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.

The technical and organisational measures implemented by the Processor are set out in Appendix C. In assessing the appropriate level of security, the Parties shall take account in particular of the risks presented by Processing, in particular from a Personal Data Breach.

6. Documentation and Compliance

Both Parties shall be able to demonstrate their compliance with this Agreement.

The Processor shall promptly and adequately handle requests from the Company regarding the processing of data in accordance with this Agreement.

The Processor shall make available to the Company all information necessary to demonstrate compliance with the obligations set out in this Agreement and arising directly from the GDPR. At the Company’s request, the Processor shall also allow for and contribute to audits of the processing activities covered by this Agreement at reasonable intervals or where there are indications of non-compliance. When deciding on a review or audit, the Company may take into account relevant certifications held by the Processor.

The Company may conduct the audit itself or appoint an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where applicable, be carried out with reasonable prior notice.

The Parties shall make available to the competent Supervisory Authority, upon request, the information set out in this clause, including the results of any audit.

7. Sensitive Data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“Sensitive Data”), the Processor shall apply specific restrictions and/or additional safeguards adapted to the nature of the data and the risks involved.

The Company undertakes to inform the Processor in advance of any circumstance in which User Data may include Sensitive Data, prior to their processing. The Parties shall agree on the additional safeguards applicable in such case. By default, the Services are not designed to process Sensitive Data, and the Company undertakes not to import Sensitive Data into the Services without the Processor’s prior written consent.

8. Data Residency

Company agrees that Processor processes and stores all User Data within the EEA in the EU-WEST-1 (Ireland) data center operated by Amazon Web Services EMEA SARL (AWS Europe).

9. Subprocessing

The Company grants the Processor general written authorisation to engage Subprocessors on the basis of the list set out in Appendix B. The Processor shall inform the Company in writing of any intended changes to that list by way of addition or replacement of Subprocessors at least fourteen (14) days in advance, thereby giving the Company sufficient time to object to such changes prior to the engagement of the concerned Subprocessor(s). The Processor shall provide the Company with the information necessary to exercise its right to object.

Where the Processor engages a Subprocessor for carrying out specific processing activities on behalf of the Company, it shall do so by way of a contract that imposes on the Subprocessor, in substance, the same data protection obligations as those imposed on the Processor under this Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures. The Processor shall ensure that the Subprocessor complies with the obligations to which the Processor is itself subject pursuant to this Agreement and the GDPR.

The Processor shall remain fully liable to the Company for the performance of the Subprocessor’s obligations. The Processor shall notify the Company of any failure by a Subprocessor to fulfil its contractual obligations.

A copy of such a Subprocessor agreement and subsequent amendments shall – at the Company’s request – be submitted to the Company. To the extent necessary to protect business secrets or other confidential information, including personal data, the Processor may redact the text before sharing a copy.

The Processor agrees with each Subprocessor a third-party beneficiary clause under which – in the event that the Processor has factually disappeared, ceased to exist in law or has become insolvent – the Company shall have the right to terminate the subprocessor agreement and to instruct the Subprocessor to erase or return the personal data.

Subprocessors engaged by Processor to process User Data may store and process data outside the EEA.

The Subprocessors with access to User Data are listed in Appendix B.

Third Party APIs, services, or systems selected and enabled by Company through the Service are not considered Subprocessors engaged by Processor, unless expressly listed in Appendix B.

10. Data Subject Rights

Taking into account the nature of the Processing, Processor shall assist the Company by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Company’s obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws.

Processor shall:

  • promptly notify Company if it receives a request from a Data Subject under any Data Protection Law in respect of User Data; and
  • ensure that it does not respond to that request, except on the documented instructions of Company or as required by applicable laws to which the Processor is subject, in which case Processor shall, to the extent permitted by applicable laws, inform Company of that legal requirement before the Contracted Processor responds to the request. In performing its obligations under this Clause 10, the Processor shall comply with the instructions of Company.

11. Personal Data Breach

The Processor shall notify the Company without undue delay and, in any event, no later than seventy-two (72) hours after becoming aware of a Personal Data Breach affecting User Data, providing the Company with sufficient information to allow it to meet its obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws. Such notification shall include at a minimum: (a) a description of the nature of the Personal Data Breach, including where possible the categories and approximate number of Data Subjects concerned and records affected; (b) the contact details of a point of contact from whom further information can be obtained; (c) the likely consequences of the Personal Data Breach; (d) the measures taken or proposed to address the Personal Data Breach, including where appropriate measures to mitigate its possible adverse effects. Where it is not possible to provide all information at the same time, the initial notification shall contain the information available at that time, with further information provided without undue delay.

The Processor shall cooperate with the Company and take such steps as are directed by the Company to assist in the investigation, mitigation and remediation of each Personal Data Breach, and shall assist the Company in complying with its obligations under Articles 33 and 34 of the GDPR, taking into account the nature of the Processing and the information available to the Processor.

12. Data Protection Impact Assessment and Prior Consultation

Processor shall provide assistance to the Company with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which are required by Article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of User Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.

13. Further Assistance

The Processor shall further assist the Company in ensuring compliance with the following obligations, taking into account the nature of the Processing and the information available to the Processor:

  • the obligation to ensure that Personal Data are accurate and kept up to date, by informing the Company without delay if the Processor becomes aware that the Personal Data it is processing are inaccurate or have become outdated; and
  • the obligations provided for in Article 32 of the GDPR with respect to the security of Processing.

14. Deletion or return of User Data

Subject to this section, at the Company’s choice, the Processor shall promptly and in any event within ten (10) Business Days of the date of cessation of any Services involving the Processing of User Data (the “Cessation Date”), either: (i) delete and procure the deletion of all copies of User Data; or (ii) return all User Data to the Company and delete existing copies thereafter. The Processor shall continue to ensure compliance with this Agreement until the data are fully deleted or returned, unless Union or applicable national law requires further retention.

Processor shall provide written certification to Company that it has fully complied with this section within ten (10) Business Days of the Cessation Date.

15. Audit rights

Subject to this section, Processor shall make available to the Company on request all information necessary to demonstrate compliance with this Agreement, and shall allow for and contribute to audits, including inspections, by the Company or an auditor mandated by the Company in relation to the Processing of the User Data by the Contracted Processors.

Information and audit rights of the Company only arise under section 15.1 to the extent that the Agreement does not otherwise give the Company information and audit rights meeting the relevant requirements of Data Protection Law.

16. International Transfer

Any transfer of User Data to a third country or international organisation by the Processor shall only be carried out on the basis of documented instructions from the Company or in order to fulfil a specific requirement under Union or Member State law, and shall be effected in accordance with Chapter V of the GDPR. The Processor may not transfer or authorise the transfer of User Data to countries outside the EEA that are not recognised by the European Commission as providing an adequate level of protection, without the prior written consent of the Company.

Where the Processor transfers personal data with the Company’s consent from within the EEA to a country outside the EEA, the Processor shall ensure adequate protection, and shall unless otherwise agreed rely on the standard contractual clauses for international transfers adopted by the Commission pursuant to Article 46(2) of the GDPR (Commission Implementing Decision (EU) 2021/914, “SCCs for Transfers”).

The Company agrees that where the Processor engages a Subprocessor pursuant to Clause 9 for processing activities involving an international transfer, the Processor and Subprocessor may ensure compliance with Chapter V of the GDPR by using the SCCs for Transfers, provided the conditions for their use are met. Where a Subprocessor established in the United States is certified under the EU-U.S. Data Privacy Framework (DPF), such certification may constitute the applicable transfer safeguard. Where neither an adequacy decision nor the DPF applies, the Processor shall conduct a Transfer Impact Assessment (TIA) as required by applicable Supervisory Authority guidance. The transfer safeguards applicable to each Subprocessor are identified in Appendix B.

17. Non-Compliance with the Agreement and Termination

Without prejudice to any provisions of the GDPR, in the event of a breach by the Processor of its obligations under this Agreement, the Company may instruct the Processor to suspend the processing of User Data until the Processor has complied with this Agreement or the contract is terminated. The Processor shall promptly inform the Company if it is unable to comply with this Agreement, for whatever reason.

The Company shall be entitled to terminate the Agreement insofar as it concerns the processing of Personal Data, where:

  • a) the processing of User Data has been suspended by the Company pursuant to Clause 3.2 and compliance is not restored within a reasonable time, and in any event within one (1) month of suspension;
  • b) the Processor is in serious or persistent breach of this Agreement or its obligations under the GDPR; or
  • c) the Processor fails to comply with a binding decision of a competent Court or the competent Supervisory Authority regarding its obligations under this Agreement or the GDPR.

The Processor shall be entitled to terminate the Agreement insofar as it concerns the processing of Personal Data where, after having notified the Company that its instructions infringe applicable legal requirements pursuant to Clause 3.2, the Company insists on compliance with such instructions.

Following termination of the Agreement, the Processor shall comply with the provisions of Clause 14 of this Agreement. The Processor shall continue to ensure compliance with this Agreement until all Personal Data have been deleted or returned.

18. General Terms

Confidentiality. Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement (“Confidential Information”) confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • disclosure is required by law;
  • the relevant information is already in the public domain.

Notices. All notices and communications given under this Agreement must be in writing and will be delivered personally, sent by post or sent by email to the address or email address set out in the heading of this Agreement, or to such other address as a Party may notify to the other from time to time.

19. Governing Law and Jurisdiction

This Agreement is governed by the laws of France.

Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of France.

Signatures

IN WITNESS WHEREOF, this Agreement is entered into with effect from the date first set out below.

Your Company
Signature:
Name:
Title:
Date Signed:

Processor Company
Signature:
Name:
Title:
Date Signed:

Appendix A - Information about the processing

The purpose of the Processor’s processing of personal data on behalf of the Data Controller is:

The Refiner Solution is hosted cloud software which enables a Company to collect User Data using Surveys. Amongst other functionalities, the Refiner Solution allows a Company to import Contacts and Contact Data, create Surveys, capture Survey Response Data, download their Contact Data and Survey Response Data, or send Contact Data and Survey Response Data to Third Party APIs. Any such transmission to Third Party APIs occurs only where enabled or configured by Company and is subject to the clarification on Company-configured Third Party APIs in Appendix B.

The Data Processor’s processing of personal data on behalf of the Data Controller shall mainly pertain to (the nature of the processing):

Collect and store Survey Response Data from Contacts. Segment Contacts based on Contact Data and Behavioral Data. Create reporting dashboards based on collected Survey Response Data. Provide collected Survey Response Data for export via API or file download.

The processing includes the following types of personal data about Data Subjects:

Typically, the name, email address and a unique identifier are imported to the Refiner Solution for each Contact.

Company has the possibility to import additional Contact Data and Behavioral Data to the Refiner Solution for segmentation and reporting purposes.

Company has full control over the type of personal data being imported and collected by the Service.

Company can also choose to not import any Personal Data into the Refiner Solution.

Processing includes the following categories of Data Subject:

The categories of Data Subject are dependent on the Contact Data imported by Company (see above).

The Data Processor’s processing of personal data on behalf of the Data Controller may be performed when the Agreement commences. Processing has the following duration:

The minimum duration of the Agreement is one month from the date of subscription to a monthly Subscribed Plan and one year from the date of subscription to an annual Subscribed Plan.

User Data will be deleted from the Service at the termination date of the Agreement, unless Company elects to receive a return of User Data pursuant to Clause 14 of this Agreement prior to the termination date.

Appendix B - Authorized Subprocessors

The Subprocessors with access to User Data currently engaged by Processor and authorized by Company are as follows.

Legal Entity                            Transfer Safeguard (if outside EEA)                                  Purpose
AWS Europe                              N/A (EEA)                                                            Cloud Hosting
IpData LLC                              SCCs for Transfers (Decision 2021/914) + TIA                         IP Geocoding
Customer.io (Peaberry Software Inc.)    SCCs for Transfers (Decision 2021/914) + EU-U.S. DPF certification   Email Service

Depending on how Company configures and uses the Service, User Data may be transmitted to Third Party APIs, services, or systems selected and enabled by Company, including through alerts, digests, integrations, webhooks, or other Company-configured data destinations.

For the avoidance of doubt, such Company-configured Third Party APIs are not Subprocessors engaged by Processor under this Agreement, unless they are expressly listed in this Appendix B. Company is responsible for assessing and enabling such Third Party APIs, including ensuring that its use of such Third Party APIs complies with applicable Data Protection Laws and that any required international transfer safeguards are in place.

Appendix C - Technical and Organisational Measures

(Corresponding to Annex III of the Standard Contractual Clauses – Commission Implementing Decision (EU) 2021/915)

The Processor implements the following technical and organisational measures (TOMs) to ensure a level of security appropriate to the risk presented by the processing of User Data:

Pseudonymisation and Encryption. Encryption of personal data in transit (minimum TLS 1.2) and at rest (AES-256). Encryption of all backups.

Confidentiality, Integrity, Availability and Resilience. Regular automated backups. Business continuity and disaster recovery procedures to restore availability of personal data within appropriate timeframes following a physical or technical incident. Redundant infrastructure hosted within the EEA.

Testing and Evaluation. Regular penetration testing and vulnerability assessments. Periodic review of the effectiveness of TOMs. Procedures to test, assess and evaluate the effectiveness of technical and organisational measures on an ongoing basis.

User Identification and Authorisation. Multi-factor authentication (MFA) for access to systems processing personal data. Role-based access control based on the principle of least privilege. Regular access rights reviews.

Data Protection during Transmission. Use of encrypted channels (TLS) for all data transmissions. Prohibition of unencrypted transmission of personal data.

Data Protection during Storage. Encrypted storage (AES-256). Logical separation of Company Data from data of other customers.

Physical Security. Access controls at data processing sites operated by Subprocessors (e.g. AWS Europe). Compliance with ISO 27001 or equivalent standards by hosting providers.

Event Logging and Monitoring. Audit logs of access to personal data. Intrusion detection and security monitoring.

Data Minimisation and Retention. Processing limited to data strictly necessary for the agreed purposes. Data retention and deletion policy aligned with the duration set out in Appendix A.

Accountability and Data Governance. Appointment of a data protection point of contact. Regular data protection training for all staff with access to personal data. Contractual confidentiality obligations imposed on all such staff.

Incident Management. Documented procedure for detection, investigation, classification and notification of Personal Data Breaches. Internal escalation process aligned with the 72-hour notification obligation.

Certifications. SOC 2 Type-II