This Data Processing Addendum ("Addendum") forms an integral part of the Agreement between Acumen Ltd. (the "Company") and the entity entering into the Company's Terms of Service to which this Addendum is attached by reference (the "Partner") and applies to the extent that the Company processes Personal Data, or has access to Personal Data, in the course of its performance under the Agreement. Company shall qualify as the Data Processor and Partner shall qualify as the Data Controller, as these terms are defined under Data Protection Legislation. All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
Definitions
"Agreement" means the agreement between Company and Partner which involves Company having access to or otherwise processing Personal Data.
"Approved Jurisdiction" means a jurisdiction approved as having adequate legal protections for a Personal Data transfer from (i) the EEA to a country outside the EEA as approved by an adequacy determination by the European Commission; (ii) the United Kingdom to any other country as approved by the adequacy regulations pursuant to Section 17A of the UK Data Protection Act 2018 ; and/or (iii) a territory (outside the EEA, Switzerland or the UK) to other territories as a permitted derogation under local Data Protection Legislation and which is not subject to any restrictions or requirements to put in place a lawful transfer mechanism such as the Standard Contractual Clauses.
"Breach Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
"Data Protection Legislation" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including without limitation, applicable laws and regulations of the European Economic Area (EEA) and their member states, Switzerland, the United Kingdom, and the United States and its states, as such laws and regulations may be amended or superseded from time to time.
"Data Processor", "data subject", "process" and "processing" shall have the meanings ascribed to them in the Data Protection Legislation.
"EEA" means those countries that are member of the European Economic Area.
"EU Data Protection Law" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).
“UK SCCs” means standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK General Data Protection Regulation, as amended or superseded by a competent UK authority from time to time.
"Personal Data" means any information which (i) can be related to an identifiable individual, including any information that can be linked to an individual or used to directly or indirectly identify an individual; and (ii) supplied by Partner to Company pursuant to the Agreement. Personal Data may include information which is related to Partner's employees and contractors.
"Security Measures" mean appropriate technical and organizational measures, including without limitation security-related policies, standards, measures, safeguard and practices to protect the Personal Data from a Breach Incident, taking into account the (i) state of the art; (ii) nature, scope, context and purposes of processing; and (iii) risks involved for the Data Subjects. Commensurate with the size and complexity of Company's business, the level of sensitivity of the data collected, handled and stored, and the nature of Company's business activities.
"Standard Contractual Clauses" means, collectively, (i) the EU SCCs: (ii) the UK SCCs; and (iii) the standard contractual clauses issued by any other applicable competent authority as a legally permissible mechanism for Restricted Transfers, as amended or superseded by such authority from time to time.
"Sub-Processor" means any Data Processor (including any third party and any affiliate/group company of Company) appointed by Company to process Personal Data on behalf of Partner in connection with this Addendum.
Compliance with laws
The Partner instructs the Company to process the types of Personal Data for the duration and purpose(s) described in Annex A on its behalf. In respect of such processing, the Partner shall be the Controller and the Company shall be a Processor.
Company shall comply at all times with its respective obligations under the Data Protection Legislation.
Company shall provide reasonable cooperation and assistance to Partner in relation to requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Legislation, in order to allow Partner to comply with its obligations under Data Protection Legislation.
Company agrees to notify Partner promptly if it becomes unable to comply with the terms of this Addendum or the Data Protection Legislation and shall take appropriate measures to remedy such non-compliance.
If required under Data Protection Legislation, Company shall appoint a data protection officer; if there is no legal requirement for Company to appoint a data protection officer, Company shall name a contact person in its company to Partner who will be available as the contact person for all matters relating to the protection of the Personal Data covered by this Agreement.
Processing purpose and instructions
Company shall only process Personal Data to the extent necessary to deliver the Services (as defined in the Agreement) and strictly in accordance with Partner’s written instructions unless required otherwise by applicable laws which are not incompatible with Data Protection Legislation (in which case, the Company shall inform the Partner before processing, unless applicable laws prohibit such information on important grounds of public interest). The Company must promptly notify the Provider if, in its opinion, the Partner's instructions do not comply with the Data Protection Legislation. Unless permitted under the Agreement or this Addendum, Company shall not otherwise modify, amend, disclose or permit the disclosure of any Personal Data to any third party (including any Sub-Processors) unless authorized or directed to do so by Partner. For the avoidance of doubt, subject to clause 5, Partner hereby provides its express consent for Company to subcontract certain Services to the Sub-processors listed in Annex A.
Company will not use Personal Data for any use other than as expressly provided in the Agreement. Processing any Personal Data outside the scope of the Agreement will require prior written agreement between Company and Partner by way of written amendment to the Agreement.
Reasonable security and safeguards
Company represents, warrants, and agrees to implement, maintain and use Security Measures to (i) protect the availability, confidentiality, and integrity of any Personal Data collected, accessed, used, or transmitted by Company in connection with this Agreement; and (ii) to protect such data from Breach Incidents.
The Security Measures are subject to technical progress and development and Company shall update or modify the Security Measures from time to time based on such progress and development, provided that such updates and modifications do not result in the degradation of the overall level of security.
Company shall take reasonable steps to ensure the reliability of its staff and any other person acting under its supervision who has access to Personal Data. Company shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Company will impose appropriate contractual obligations on its personnel, including relevant obligations regarding confidentiality, data protection and data security.
Subprocessing
The Partner consents to the Company engaging Sub-processors to process the Personal Data provided that: (i) the Company provides at least fifteen (15) days' prior notice of the addition or removal of any sub processor (including without limitation details of the processing it performs or will perform); (ii) the Company imposes terms and conditions on any sub processor that protect the Personal Data, in substance, to the same standard provided for by this Addendum in a binding written agreement (a copy of which shall be provided to the Partner upon request, redacted as necessary to protect business secrets or other confidential information); and (iii) the Partner remains fully liable for any breach of this Addendum that is caused by an act, error or omission of its sub processor.
If the Partner objects to the Company's appointment of a third party sub processor on grounds relating to the protection of the Personal Data at any time, the Partner will not appoint or will cease to use (as applicable) the sub processor.
Breach Incidents
Upon becoming aware of a Breach Incident, Company will notify Partner in writing without undue delay (and within 48 hours of becoming aware of the breach) and will provide all relevant information relating to the Breach Incident as requested by Partner, including:
the nature of the Breach Incident, the categories and numbers of Partner’s data subjects concerned, and the categories and numbers of Personal Data records concerned;
the name and contact details of Company’s data protection officer or other relevant contact from whom more information may be obtained;
the likely consequences of the Breach Incident; and
the measures taken or proposed to be taken to address the Breach Incident.
Company shall reasonably cooperate with Partner to provide any notifications Partner is required to make as a result of the Breach Incident and shall make all reasonable efforts to identify and remediate the cause of such Breach Incident.
Records and security audits
The Company must keep detailed, accurate and up-to-date written records regarding any processing of the Personal Data in accordance with Data Protection Legislation and shall make such records available to the Partner on request.
Company shall permit Partner (or its designee) or its supervisory authorities to inspect, audit and copy any relevant records, processes and systems in order that Partner may satisfy itself that the provisions of this Addendum and applicable Data Protection Legislation are being complied with.
Company shall cooperate in good faith with audit requests by providing access to all relevant knowledgeable personnel and documentation.
Company shall use best efforts to immediately remedy any defects found in the context of the audit reports and findings and in connection with this Addendum.
Cooperation and assistance
If Company receives any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement, including requests from individuals seeking to exercise their rights under Data Protection Legislation, Company will promptly notify Partner. Company will not respond to such communication directly without Partner's prior authorization, unless legally compelled to do so. If Company is required to respond to such a request, Company will promptly notify Partner and provide Partner with a copy of the request, unless legally prohibited from doing so.
If Company receives a legally binding request for the disclosure of Personal Data which is subject to this Addendum, Company shall (to the extent legally permitted) notify Partner upon receipt of such order, demand, or request. Notwithstanding the foregoing, Company will cooperate with Partner with respect to any action taken pursuant to such order, demand or request, including ensuring that confidential treatment will be accorded to such disclosed Personal Data.
Upon reasonable notice, Company shall provide reasonable assistance to Partner in:
allowing data subjects to exercise their rights under the Data Protection Legislation, including (without limitation) the right of access, right to rectification, restriction of processing, erasure ("right to be forgotten"), data portability, object to the processing, or the right not to be subject to an automated individual decision making;
ensuring compliance with any notification obligations of Breach Incidents to the supervisory authority and communication obligations to data subjects, as required under Data Protection Legislation;
ensuring compliance with its obligation to carry out data protection impact assessments or prior consultations with data protection authorities with respect to the processing of Personal Data.
International data transfers
Subject to clauses 8(c) and 8(d), Company may transfer and process Personal Data to and in other locations around the world where Company maintains data processing operations as necessary to provide the Services as set forth in the Agreement, including by transfer to Sub-Processors, subject to the terms of this Section 9.
If Company or any Sub-Processor processes Personal Data in a jurisdiction that is not an Approved Jurisdiction, Company shall ensure that it is in full compliance with Data Protection Legislation and is made pursuant to the required Standard Contractual Clauses in the form attached hereto.
If the Standard Contractual Clauses cease to be a valid mechanism for a transfer to a jurisdiction that is not an Approved Jurisdiction under applicable Data Protection Legislation, then the Company shall either (i) replace the Standard Contractual Clauses with an alternative mechanism which is valid under applicable Data Protection Legislation; or (ii) cease to transfer affected Personal Data.
Data retention and destruction
Company will only retain Personal Data for as long as Services are provided to Partner in accordance with this Agreement. Following expiration or termination of the Agreement, Company will, at the Partner’s choice, delete or return to Partner all Personal Data in its possession as provided in the Agreement except to the extent Company is required by applicable law to retain some or all of the Personal Data (in which case Company will implement reasonable measures to prevent the Personal Data from any further processing). In case of a deletion or destruction of Personal Data, Company must give Partner a copy of the record of the destruction on request.
Liability and indemnification
The parties agree that if Partner is held liable for a violation of Data Protection Legislation resulting from a breach by Company of this Addendum, Company will, to the extent to which it is liable, indemnify Partner for any cost, charge, damages, expenses or loss it has incurred. Indemnification is contingent upon: (i) Partner promptly notifying Company of the claim; and (ii) Company being given the possibility to cooperate with Partner in the defense and settlement of the claim.
Miscellaneous
These Terms constitute the entire agreement between the parties concerning the subject matter hereof. These Terms shall be governed by the laws of the State of Israel, without giving effect to any principles of conflicts of laws thereof, and the eligible courts in Tel Aviv, Israel, shall have exclusive jurisdiction over all disputes between the parties related to these Terms. You may not assign or otherwise transfer by operation of law or otherwise these Terms or any right or obligation herein without the express written consent of the Company. The Company expressly reserves its right to assign or transfer these Terms and to delegate any of its obligations hereunder at its sole discretion. If any part of these Terms is found void and unenforceable, it will not affect the validity of the balance of the Terms, which shall remain valid and enforceable according to its terms. The failure of the Company to act with respect to a breach of these Terms by you or others shall not constitute a waiver and shall not limit the Company's rights with respect to such breach or any subsequent breaches.
General
Company acknowledges and agrees that it has no ownership of Personal Data other than as expressly permitted under the Agreement or as authorized by Partner.
In the event of a conflict between the Agreement (or any document referred to therein) and this Addendum, the provisions of this Addendum shall prevail.
The parties may modify the terms of this Addendum in circumstances such as: (i) if required to do so by a supervisory authority or other government or regulatory entity; (ii) if necessary to comply with Data Protection Legislation; or (iii) to implement or adhere to Standard Contractual Clauses, approved codes of conduct or certifications, binding corporate rules, or other compliance mechanisms, which may be permitted under Data Protection Legislation. Each party will provide notice of such changes to the other party, and the modified Addendum will become effective once agreed in writing between the parties.
Any notice, information or other communication given to the Partner under or in connection with this Addendum must be in writing, in English, and delivered to [__________] and to Company daniel@acumen.io.
Annex A
Description of processing and subprocessors
Data Subject Categories:
The employees, contractors, workers of Customer and its Affiliates.
Personal Data Categories:
Name, email and any other personal data that may be included in correspondence between the parties or data uploaded to the product.
Sensitive Personal Data:
N/A
Duration/Frequency of processing:
The Personal Data shall be processed on a continuous basis and during the period as further specified in the Agreement.
Nature of Processing:
Metadata from the Customer’s project management software is fetched, processed and retained.
Purpose of Processing:
For the purpose of conducting data analysis to aid the Customer in seeing past performance and in project management.
Retention Period:
As specified in clause 10 of the Addendum
Provider’s Data Protection Contact:
Daniel Shir, CTO, daniel@acumen.io
Approved Subprocessors:
Google Cloud Platform for the purpose of cloud services
https://cloud.google.com/terms/
Mixpanel Inc for the purpose of usage analytics
https://mixpanel.com/legal/terms-of-use/
Auth0 Inc. for the purpose of authentication
https://auth0.com/web-terms
The transfer of Personal Data from the Partner to the Company in Israel is an Approved Jurisdiction and does not constitute a restricted transfer under applicable Data Protection Legislation at the date of this Agreement.
Excluded Processing:
This Addendum does not apply to Personal Data that the Company collects and processes as an independent Controller for the purposes of (i) managing the account relationship with the Partner (including without limitation sending marketing emails to Partner personnel, generating and processing sales, conducting credit and compliance checks, and invoicing); and (ii) developing and enhancing the Company’s own products and services (including without limitation conducting feedback surveys and monitoring telemetry data). The Company acknowledges and agrees that it is solely responsible for compliance with Data Protection Legislation as Controller in respect of such Personal Data.
Cross border transfers
The parties agree that the terms of the Standard Contractual Clauses are hereby incorporated by reference and shall apply to an EEA Transfer.
Module Two (Controller to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Partner as the data controller of the Personal Data and Company is the data processor of the Personal Data.
Module Three (Processor to Processor) of the Standard Contractual Clauses shall apply where the EEA Transfer is effectuated by Partner as the data processor of the Personal Data and Company is a Sub-processor of the Personal Data.
Clause 7 of the Standard Contractual Clauses (Docking Clause) shall not apply.
Option 2: GENERAL WRITTEN AUTHORISATION in Clause 9 of the Standard Contractual Clauses shall apply, and the method for appointing and time period for prior notice of Sub-processor changes shall be as set forth in Section 5.a of the DPA.
In Clause 11 of the Standard Contractual Clauses, the optional language will not apply.
In Clause 17 of the Standard Contractual Clauses, Option 1 shall apply, and the Parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland.
In Clause 18(b) of the Standard Contractual Clauses, disputes will be resolved before the courts of the Republic of Ireland.
Annex I.A of the Standard Contractual Clauses shall be completed as follows:
Data Exporter: Partner.
Contact details: As detailed in the Agreement.
Data Exporter Role:
Module Two: The Data Exporter is a data controller.
Module Three: The Data Exporter is a data processor.
Signature and Date: By entering into the Agreement and DPA, Data Exporter is deemed to have signed these Standard Contractual Clauses incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Data Importer: Company.
Contact details: As detailed in the Agreement.
Data Importer Role:
Module Two: The Data Importer is a data processor.
Module Three: The Data Importer is a sub-processor.
Signature and Date: By entering into the Agreement and DPA, Data Importer is deemed to have signed these Standard Contractual Clauses, incorporated herein, including their Annexes, as of the Effective Date of the Agreement.
Annex I.B of the Standard Contractual Clauses shall be completed as follows:
The categories of data subjects are described in Annex A of this DPA.
The Parties do not intend for Sensitive Data to be transferred.
The frequency of the transfer is a continuous basis for the duration of the Agreement.
The nature of the processing is described in Annex A of this DPA.
The purpose of the processing is described in Annex A of this DPA.
The period for which the personal data will be retained is for the duration of the Agreement, unless agreed otherwise in the Agreement and/or the DPA.
In relation to transfers to Sub-processors, the subject matter, nature, and duration of the processing is set forth in Annex A of the DPA.
Annex I.C of the Standard Contractual Clauses shall be completed as follows:
The competent supervisory authority in accordance with Clause 13 is the supervisory authority in the Member State stipulated in Section 7 above.
The attached Security Standards serve as Annex II of the Standard Contractual Clauses.
To the extent there is any conflict between the Standard Contractual Clauses and any other terms in this DPA or the Agreement, the provisions of the Standard Contractual Clauses will prevail.
Security Standards
Acumen Labs Ltd. will maintain an information security program which includes the adaptation and enforcement of internal policies. These set policies are designed to secure customer data against accidental or unlawful loss, access or disclosure.
Network Security. Access to the company servers and assets is remote by default, restricted to authorized sources and protected accordingly with strong passwords, multi-factor authentication and access-lists.
Physical and Environmental Security. Access to the company facilities is restricted to authorized personnel and monitored at all times (on and off hours). Visitors must be screened, provisioned with a visitor tag and escorted while on premises.
Security Training. Security reminders will be sent periodically and on a regular basis. Employees and Contractors will undergo security awareness sessions at least once a year.
Risk Assessment. The company processes information of business, financial, and personal nature. Vulnerabilities (technical, logical or procedural) may affect the confidentiality, integrity, and availability of that information. The company will perform risk assessments annually to determine the best countermeasures to be applied.