Data Processing Agreement

This Data Processing Agreement (the "DPA") is incorporated into the agreement pursuant to which the Customer obtains the right to use the Services (the "Terms of Service") (collectively, the "Agreement").

Definitions

“Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal Data by The Supplier under the Agreement.
“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
“Personal Data” means any data that: (a) is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law; and (b) that Customer submits using the Services for The Supplier to Process on Customer’s behalf.
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
“Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Services” means any of the following services provided by The Supplier pursuant to the Agreement: (a) The Supplier's branded product offerings made available via the Internet, (b) consulting or training services provided by The Supplier either remotely via the Internet or in person, and (c) any support services provided by The Supplier, including access to Form Approvals’ help desk.
“Standard Contractual Clauses” means the modernized standard contractual clauses issued on 4 June 2021.

Processing of Company Personal Data

The Company instructs Processor to process Company Personal Data.

The Processor will comply with applicable laws and process data only for the purpose of providing the service, including troubleshooting, and diagnosing errors.

Data Processing and Protection

This DPA applies when The Supplier processes Customer’s data for which The Supplier will act as “processor” or “service provider” (or other analogous variations of such terms) under Data Protection Law.

Limitations on Use. The Supplier will process Personal Data only: (a) in a manner consistent with documented instructions from Customer, including (i) to provide the Services, (ii) as permitted under the Agreement, and (iii) consistent with other reasonable instructions of Customer; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law. Without limiting the foregoing, The Supplier will not collect, retain, use, or disclose the Personal Data for any purpose other than as necessary for the specific purpose of performing the Services, including not collecting, retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services.

Confidentiality. The Supplier will ensure that persons authorized by The Supplier to Process any Personal Data are subject to appropriate confidentiality obligations.

Security. The Supplier will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach per The Supplier’s Security Overview.

Return or Disposal. At the choice of Customer, delete or return (or will enable Customer to delete or retrieve) all Personal Data after the end of the provision of Services (unless applicable law requires The Supplier to store any Personal Data). To request the return or disposal of your data refer to our Privacy Policy.

Customer Obligations. Customer will not instruct The Supplier to perform any Processing of Personal Data that violates any Data Protection Law. The Supplier may suspend Processing based upon any Customer instructions that The Supplier reasonably suspects violate Data Protection Law. Subject to the cooperation of The Supplier as specified in this DPA, Customer will be solely responsible for safeguarding the rights of Data Subjects. Customer will promptly notify The Supplier about any faults or irregularities in the Processing by The Supplier discovered by Customer.

Subprocessors

Customer authorizes The Supplier to use third-party subprocessors to Process Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Customer may request a list of current Subprocessors at any time. If Customer objects to any Subprocessor, The Supplier may terminate the Agreement immediately upon notice to Customer without liability.

Miscellaneous

If there is a conflict the Terms of Service will prevail over this DPA. Except for the matters covered by this DPA, all terms of the Terms of Service, remain in effect. Capitalized terms not defined in this DPA have the same meaning as in the Terms of Service. Except as otherwise stated in the Terms of Service, this DPA and the Standard Contractual Clauses will automatically terminate upon the termination or expiration of the Terms of Service.

Types and categories of data

Other than in connection with configuration and subscription related data stored by the Service, Customer controls the types of Personal Data and categories of Data Subjects uploaded via the Services for Processing.