Data Processing Agreement v1.0
Effective as of: February 20, 2023
This Data Processing Agreement (“Agreement”, “DPA”) forms part of the Contract for Services (“Principal Agreement”) between you (either an individual or a single legal entity and its affiliates using eazyBI Services, the “Customer”) and eazyBI SIA, registration number: 40103398174, legal address: Aveņu iela 7 k-1, Jūrmala, LV-2008, a Latvian company (“eazyBI”) (together the “Parties”).
WHEREAS
(A) The Customer acts as a Data Controller.
(B) The Customer subcontracts Services, which imply the processing of personal data by eazyBI.
(C) The Parties seek to implement a data processing agreement that complies with the requirements of the current legal framework in relation to data processing and with the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(D) The Parties wish to lay down their rights and obligations.
IT IS AGREED AS FOLLOWS:
1. Definitions and Interpretation
1.1. Unless otherwise defined herein, capitalized terms and expressions used in this Agreement shall have the following meaning:
- 1.1.1. “Customer Personal Data” means any data, including Personal Data, provided by Customer that are processed pursuant to or in connection with the Principal Agreement;
- 1.1.2. “Contracted Processor” or a “Sub-processor” means any person appointed by or on behalf of eazyBI to process Personal Data on behalf of the Customer in connection with the Agreement;
- 1.1.3. “Data Protection Laws” means EU Data Protection Laws and, to the extent applicable or to the extent specified as applicable by the Principal Agreement, the data protection or privacy laws of another country;
- 1.1.4. “EEA” means the European Economic Area;
- 1.1.5. “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
- 1.1.6. “GDPR” means EU General Data Protection Regulation 2016/679;
- 1.1.7. “Data Transfer” means:
  - a transfer of Customer Personal Data from the Customer to eazyBI; or
  - an onward transfer of Customer Personal Data from eazyBI to a Contracted Processor, in each case where such transfer would be permitted by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
- 1.1.8. “Services” means using the eazyBI website (eazybi.com) or any eazyBI app sold through eazyBI’s partners.
1.2. The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Customer Personal Data
2.1. eazyBI shall:
- 2.1.1. comply with all applicable Data Protection Laws in the Processing of Customer Personal Data; and
- 2.1.2. process Customer Data only for the purposes described in this Agreement and only in accordance with the Customer’s documented lawful instructions.
2.2. The Parties agree that this Agreement and the Principal Agreement set out the Customer’s complete and final instructions to eazyBI in relation to the processing of Customer Personal Data, and processing outside the scope of these instructions (if any) shall require a prior written agreement between Customer and eazyBI.
2.3. In the event eazyBI processes Customer Personal Data outside of the scope of Services, eazyBI becomes an independent personal data controller with respect to such personal data processing.
2.4. The Customer Personal Data processed using the Services for each eazyBI Cloud product is described in respective Security statements:
3. Security
3.1. eazyBI, to the extent required under the Agreement, will implement appropriate technical and organizational measures in accordance with Applicable Data Protection Law (e.g., Art. 32 GDPR) to protect Customer Personal Data from Security Incidents and to preserve the security of Customer Personal Data appropriate to the risks related to the processing of the Customer Personal Data and to avoid alteration, loss or non-authorized processing thereof or access thereto, taking into account the current state of technology, nature of the stored data and the risks to which they are exposed, as well as the confidentiality of the Customer Personal Data.
3.2. eazyBI’s current technical and organizational measures are described in Annex II (“Security Measures”).
3.3. Parties acknowledge that the Security Measures are subject to technical progress and development and that eazyBI may unilaterally update or modify the Security Measures from time to time, provided that such updates and modifications upgrade and further develop the overall security of the Services. In the event such amendments to Security Measures take place, eazyBI notifies the Customer about implemented changes without undue delay.
3.4. eazyBI ensures that the persons authorized to process Customer Personal Data as described in this Agreement are bound by appropriate confidentiality requirements.
4. Sub-processing
4.1. Customer agrees that eazyBI may engage Sub-processors to process Customer Personal Data on Customer’s behalf. The Sub-processors currently engaged by eazyBI and authorized by Customer are listed at Annex I.
4.2. eazyBI shall:
- 4.2.1. enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer’s Personal Data to the standard required by Applicable Data Protection Law and, in substance, to the same standard provided by this Agreement; and
- 4.2.2. remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant processing activities under Data Protection Laws or this Agreement.
4.3. eazyBI must:
- 4.3.1. make available an up-to-date list of the Sub-processors it has appointed upon written request from the Customer; and
- 4.3.2. notify Customer if it adds any new Sub-processors at least fourteen (14) days prior to allowing such Sub-processor to process Customer Personal Data. Customer may object in writing to eazyBI’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection. In such an event, the Parties will discuss such concerns in good faith with a view to achieving a resolution. If the Parties are not able to achieve a resolution, Customer, as its sole and exclusive remedy, may terminate the Agreement (including this DPA) for convenience.
5. Data Subject Rights
5.1. Taking into account the nature of the Processing, eazyBI shall assist the Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligations, as reasonably understood by the Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
5.2. eazyBI shall:
- 5.2.1. promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Customer Personal Data; and
- 5.2.2. ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which eazyBI is subject, in which case eazyBI shall, to the extent permitted by Applicable Laws, inform Customer of that legal requirement before the Contracted Processor responds to the request.
5.3. If the requests of the Data Subject are manifestly unfounded or excessive or have a repetitive character, the Data Processor shall have the right to request remuneration for performing the requests.
6. Personal Data Breach
6.1. eazyBI shall notify Customer without undue delay, and in any case no later than 48 hours after eazyBI becomes aware of a Personal Data Breach affecting Customer Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
6.2. eazyBI shall co-operate with the Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
7. Deletion or return of Customer Personal Data
7.1. Customer acknowledges that all Customer Personal Data can be deleted by Customer using the Services. If Customer deletes the data using Services, eazyBI acknowledges that all copies of Customer Personal Data will be deleted within 10 (ten) business days.
7.2. If Customer does not delete Customer Personal Data before the cessation of any Services involving the Processing of Customer Personal Data, eazyBI shall retain data according to the Privacy policy.
7.3. Upon request, eazyBI shall provide written certification to Customer that it has fully complied with this section 7 within 10 business days of the cessation of any Services involving the Processing of Customer Personal Data.
8. Audit
8.1. Customer acknowledges that eazyBI is regularly audited by independent third-party auditors and/or internal auditors, including as may be described from time to time in Annex II. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with eazyBI, eazyBI shall:
- 8.1.1. supply (on a confidential basis) a summary copy of its audit report(s) (“Report”) to Customer so that the Customer can verify eazyBI’s compliance with the audit standards against which it has been assessed and with this Agreement; and
- 8.1.2. provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, including responses to information security and audit questionnaires that are necessary to confirm eazyBI’s compliance with this DPA, provided that Customer cannot exercise this right more than once per calendar year.
8.2. Only to the extent Customer cannot reasonably satisfy itself of eazyBI’s compliance with this DPA through the exercise of its rights under Section 8.1 above, where required by Applicable Data Protection Law or the Standard Contractual Clauses, Customer and its authorized representatives may conduct audits (including inspections) during the term of the Agreement to establish eazyBI’s compliance with the terms of this DPA, on the condition that Customer and its authorized representatives have entered into an applicable non-disclosure agreement with eazyBI. Notwithstanding the foregoing, any audit (or inspection) must be conducted during eazyBI’s regular business hours, with reasonable advance notice (which may not be less than 45 calendar days), and subject to reasonable confidentiality procedures. Such audit (or inspection) may not require eazyBI to disclose to the Customer or its authorized representatives, or to allow the Customer or its authorized representatives to access, the following:
- 8.2.1. any data or information of any other eazyBI customer (or such customer’s End Users);
- 8.2.2. any of eazyBI’s internal accounting or financial information;
- 8.2.3. any of eazyBI’s trade secrets;
- 8.2.4. any information that, in eazyBI’s reasonable opinion, could: (1) compromise the security of eazyBI systems or premises; or (2) cause eazyBI to breach its obligations under Applicable Data Protection Law or its security, confidentiality and/or privacy obligations to any other eazyBI customer or any third party; or
- 8.2.5. any information that Customer or its authorized representatives seek to access for any reason other than the good faith fulfillment of Customer’s obligations under the Applicable Data Protection Law and eazyBI’s compliance with the terms of this Agreement.
8.3. An audit or inspection permitted in compliance with Section 8.2 will be limited to once per calendar year unless (1) eazyBI has experienced a Security Incident within the prior twelve (12) months that has impacted Customer Personal Data; or (2) Customer is able to provide trustworthy allegations of eazyBI’s material noncompliance with this Agreement. The Customer bears the costs and expenses of conducting an audit pursuant to Section 8.2.
9. Data Transfer
9.1. eazyBI may not transfer or authorize the transfer of Data to countries outside the EU and/or the European Economic Area (EEA) without the prior written consent of the Customer. If personal data processed under this Agreement is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU-approved standard contractual clauses for the transfer of personal data.
10. Rights and obligations of the Customer
10.1. Customer warrants that as the Data Controller, it has fulfilled all of the obligations of the personal data controller referred to in the GDPR and applicable laws to ensure that eazyBI, as the Data Processor, has the right to process the Customer Personal Data in accordance with the Agreement before the Customer Personal Data has become available to eazyBI. This shall include but is not limited to ensuring the legal basis for the Customer Personal Data processing, the Customer Personal Data processing purpose limitation, informing the Customer Personal Data subjects on the processing of their Personal Data, complying with lawful retention terms of the Customer Personal Data and ensuring proper safeguards for the Customer Personal Data transfers.
10.2. Customer confirms that the Personal Data protection measures provided by eazyBI are sufficient to comply with this Agreement and the requirements of the GDPR, provided that the Data Processor adopts the Personal Data protection measures referred to in Annex II of the Agreement.
11. General Terms
11.1. Confidentiality. Each Party must keep the information it receives about the other Party and its business, including Customer Personal Data in connection with this Agreement (“Confidential Information”), confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:
- 11.1.1. disclosure is required by law;
- 11.1.2. the relevant information is already in the public domain.
11.2. Notices. All notices by eazyBI shall be given by sending an email to the Customer’s technical contact or by publishing a message in the Latest news section in the Home section of Service. All notices by Customer shall be given by sending an email to eazyBI’s support mail: support@eazybi.com.
12. Term and termination of the Agreement
12.1. This Agreement is valid until the termination of the Agreement by the Parties or fulfillment of all obligations of the Parties under the Principal Agreement, including the period of data retention.
12.2. The Parties shall be entitled to terminate the Agreement unilaterally by notifying the other Party thereof at least 3 (three) calendar months in advance.
12.3. If provisions of the GDPR change or if a supervisory authority issues guidelines, decisions, or regulations regarding the application of the GDPR during the term of this Agreement, with the result that this Agreement does not meet the requirements for a data processing agreement, eazyBI shall change this Agreement to meet the requirements.
12.4. If any provision of this Agreement is or becomes invalid or void, this shall not affect the effectiveness of the remaining provisions under the Agreement. In such cases, the Parties shall make all efforts to replace the invalid provision with a new one, reflecting the intention and content of the replaced provision. If such a remedy is not possible, the Parties agree on the addition of a new provision to the Agreement, which, to the extent possible, shall govern the same relations and/or issues.
13. Governing Law and Jurisdiction
13.1. This Agreement is governed by the laws of the Republic of Latvia.
13.2. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of the Republic of Latvia.
Annex I. List of eazyBI Sub-processors

| Processor | Purpose | Entity country | Website |
|---|---|---|---|
| Google Cloud | Data hosting | Ireland | cloud.google.com |
| SendGrid | Email service provider | USA | sendgrid.com |
| AppSignal | Application monitoring | Netherlands | www.appsignal.com |
Annex II. Security Measures
This Annex describes eazyBI’s security program, security certifications, and technical, organizational and administrative controls and measures to protect Customer Data from unauthorized access, destruction, use, modification or disclosure (the “Security Measures”). The Security Measures are in line with the commonly accepted standards of similarly situated software-as-a-service providers.
Compliance and Certifications
eazyBI information security practices, policies, procedures, and operations meet the SOC 2 standards for security. Our SOC 2 covers all five of the Trust Service Principles, including security, availability, processing integrity, confidentiality, and privacy.
Secure Personnel
Confidentiality or Non-Disclosure Agreements (NDAs) are signed by all employees and contractors who have a need to access sensitive or internal information. Security training and testing are regularly conducted for eazyBI employees and contractors.
The eazyBI support team accesses Customer Personal Data only for the purposes of application health monitoring, performing system or application maintenance, and, upon customer request, for support purposes. Only authorized eazyBI employees have access to application data.
Secure Software Development
All software development projects follow secure development lifecycle principles. All development undergoes design review to ensure security requirements are incorporated within Software. All software development team members undergo regular secure development training. Software development is conducted in line with OWASP Top 10 recommendations for web application security.
Secure Testing
eazyBI engages third-party penetration testing and vulnerability scanning of all production and Internet-facing systems on a regular basis. eazyBI participates in bug bounty programs that continuously test our products for vulnerabilities. We perform static and dynamic application security testing of all code, including open-source libraries, as part of our software development process.
Cloud Security
eazyBI Cloud provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture. eazyBI Cloud is hosted on the Google Cloud Platform (Europe-West1 data center in Belgium).
- Each eazyBI account’s imported data are stored in a separate database schema and are isolated from other Customers’ data. Each incoming web request is authenticated and authorized before access to Customer data is allowed.
- All data is encrypted at rest and in transmission to prevent any unauthorized access and prevent data
- eazyBI application database full backups are performed once per day and are retained for 10 days. All backup data are encrypted. Backups are stored in the Google Cloud Platform.