This Data Processing Addendum (“DPA“), forms part of the Hostroyale Service Agreement between Hostroyale Techonolgies Pvt Ltd and the undersigned customer of Hostroyale Technologies Pvt Ltd (“Customer“) and shall be effective on the date Customer accepts this DPA (“Effective Date“). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
1. Definitions
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with Hostroyale Technologies Pvt Ltd.
“Agreement” means Hostroyale's Service Agreement or any other document which govern the provision of the Services to Customer, as such terms may be updated by Hostroyale Technologies Pvt Ltd from time to time.
“Control” means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Customer Data” means any Personal Data that originates from the EEA and/or that is otherwise subject to Data Protection Laws, which Hostroyale Technologies Pvt Ltd Processes on behalf of Customer as a Data Processor in the course of providing Services, as more particularly described in this DPA.
“Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Data Processed by HNG or a Sub-processor.
“Data Controller” means an entity that determines the purposes and means of the Processing of Personal Data.
“Data Processor” means an entity that Processes Personal Data on behalf of a Data Controller.
“Data Protection Laws” means all data protection and privacy laws applicable to the Processing of Personal Data under the Agreement, including, where applicable, GDPR.
“EEA” means, for the purposes of this DPA, the European Economic Area, United Kingdom and Switzerland.
“GDPR” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) and any Member State law implementing the same.
“Personal Data” means any information relating to an identified or identifiable natural person.
“Privacy Shield” means the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield Framework self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C(2016)4176 of 12 July 2016 and by the Swiss Federal Council on January 11, 2017 respectively.
“Privacy Shield Principles” means the Privacy Shield Principles (as supplemented by the Supplemental Principles) contained in Annex II to the European Commission Decision C(2016)4176 of 12 July 2016 (as may be amended, superseded or replaced).
“Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Services” means any product or service provided by Hostroyale Technologies Pvt Ltd to Customer pursuant to the Agreement.
“Standard Contractual Clauses” means the contractual language approved by 2010/87/EU Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (notified under document C(2010) 593).
“Sub-processor” means any Data Processor engaged by Hostroyale Technologies Pvt Ltd to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-processors may include third parties or Affiliates.
2. Relationship with the Agreement
2.1 The parties agree that DPA shall replace any existing DPA or other contractual provisions pertaining to the subject matter contained herein the parties may have previously entered into in connection with the Services.
2.2 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
2.3 Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
2.4 Any claims against Hostroyale Technologies Pvt Ltd or its Affiliates regarding matters addressed by this DPA shall be brought solely against the entity that is a party to the Agreement. In no event shall any party limit its liability with respect to any individual’s data protection rights under this DPA or otherwise. Customer shall indemnify Hostroyale Technologies Pvt Ltd or its Affiliates, as applicable against any and all such claims or costs of any kind that exceed the exclusions and limitations set forth in the Agreement.
2.5 Except as may be otherwise provided pursuant to Hostroyale’s compliance with applicable data transfer mechanisms addressed in Section 6, no one other than a party to this DPA, its successors and permitted assignees shall have any right to enforce any of its terms.
2.6 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
3. Roles and Scope of Processing
3.1 Role of the Parties. As between Hostroyale Technologies Pvt Ltd and Customer, Customer is the Data Controller of Customer Data, and Hostroyale is the Processor of Customer Data. Hostroyale shall Process Customer Data only as a Data Processor acting at Customer’s direction.
3.2. Customer Processing of Customer Data. Customer agrees that (i) it shall comply with its obligations as a Data Controller under Data Protection Laws in respect of its Processing of Customer Data and any Processing instructions it issues to Hostroyale Technologies Pvt Ltd; and (ii) it has provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Hostroyale Technologies Pvt Ltd to Process Customer Data and provide the Services pursuant to the Agreement and this DPA.
3.3 Hostroyale Processing of Customer Data.Hostroyale shall Process Customer Data only for the purposes described in this DPA or in accordance with Customer’s documented lawful instructions. Customer acknowledges that Hostroyale shall have a right to Process Customer Data in order to provide Services to Customer, fulfill its obligations under the Agreement and this DPA, and for legitimate purposes relating to the operation, support and/or use of the Services such as billing, account management, technical support, product development, and sales and marketing.
3.4 Tracking Technologies. Customer acknowledges that in connection with the performance of the Services, Hostroyale Technologies Pvt Ltd may employ the use of cookies, unique identifiers, web beacons and similar tracking technologies. Customer shall maintain appropriate notice, consent, opt-in and opt-out mechanisms as required by Data Protection Laws, including Directive 2002/58/EC and applicable national implementations, as may be amended, superseded or replaced, to enable Hostroyale to deploy these technologies lawfully on, and collect data from, the devices of individuals accessing and/or using the Services or who otherwise engage with or communicate via the Services in accordance with and as described in the Hostroyale's privacy policy or similar, applicable privacy statements.
4. Sub-processing
4.1 Authorized Sub-processors. Customer agrees that this DPA constitutes Customer’s written authorization for Hostroyale to engage Sub-processors to Process Customer Data on Customer’s behalf. The Sub-processors currently engaged by Hostroyale and authorized by Customer will be provided to Customer by Hostroyale. Hostroyale shall notify Customer in writing if it intends to add or replace Sub-processors. Customer may object in writing within five (5) calendar days of such notice, provided that such objection is based on reasonable, documented grounds relating to data protection. Customer’s failure to timely respond or to document the basis of the objection will constitute Customer’s authorization of the proposed changes. In the event of a timely, reasonable and documented objection, the parties shall discuss Customer’s concerns in good faith with a view to achieving resolution.
4.2 Sub-processor Obligations. Hostroyale shall: (i) take commercially reasonable measures to ensure that Sub-processors have the requisite capabilities to Process Customer Data in accordance with this DPA; (ii) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Customer Data to the standard required by Data Protection Laws; and (iii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Hostroyale to breach any of its obligations under this DPA.
5. Security
5.1 Security Measures. Hostroyale shall implement and maintain appropriate technical and organizational security measures designed to protect Customer Data from Data Breaches, to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems, in accordance with Hostroyale’s security standards. The specific security measures applicable to Customer Data, regardless of the transfer mechanism relied upon as provided by Section 6, are further described in Appendix 2 (all collectively “Security Measures”).
5.2 Updates to Security Measures. Customer acknowledges that the Security Measures are subject to technical progress and development and that Hostroyale may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.
5.3 Customer Responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Services and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Services.
5.4 Confidentiality of Data Processing. Hostroyale shall ensure that any person who is authorized by Hostroyale to Process Customer Data (including its staff, agents and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
5.5 Data Breach Response. Hostroyale shall notify Customer without undue delay and, where feasible, no later than 48 hours after becoming aware, of any Data Breach. Hostroyale shall make reasonable efforts to identify the cause of the Data Breach and shall undertake such steps as Hostroyale deems necessary and reasonable in order to remediate the cause of such Data Breach. Hostroyale shall provide information related to the Data Breach to Customer in a timely fashion and as reasonably necessary for Customer to maintain compliance with Data Protection Laws. The obligations herein shall not apply to incidents that are caused by Customer, including Customer’s employees or agents.
5.6 Reports and Audits. Customer acknowledges that Hostroyale is regularly audited against SSAE 16 or its successor standards by independent third party auditors and internal auditors, respectively. Upon request, HNG shall supply (on a confidential basis) a summary copy of its audit report(s) (“Report“) to Customer, so that Customer can verify Hostroyale’s compliance with the audit standards against which it has been assessed, and this DPA.]
6. International Transfers
6.1 Data Transfers. Hostroyale may Process Customer Data anywhere in the world where Hostroyale or its Sub-processors maintain data Processing operations. Hostroyale shall at all times provide an adequate level of protection for the Customer Data Processed, in accordance with the requirements of Data Protection Laws. The parties agree that this DPA and the data transfer methods required by this Section 6 constitute appropriate safeguards to transfer Customer Data to a third country pursuant to Article 46 of GDPR.
6.2 Privacy Shield. To the extent that Hostroyale Processes any Customer Data protected by GDPR under the Agreement in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Hostroyale shall be deemed to provide adequate protection (within the meaning of GDPR) for any such Customer Data that Hostroyale Processes pursuant to its current self-certification to and compliance with Privacy Shield and this DPA.Hostroyale agrees to protect such Personal Data in accordance with the requirements of the Privacy Shield Principles.
6.3 Alternative Transfer Mechanism. The parties agree that the data export solution identified in Section 6.2 shall not apply if and to the extent that Hostroyale’s Processing of Customer Data is not undertaken pursuant to its current self-certification to and compliance with Privacy Shield, including in the event Privacy Shield is invalidated by a competent governmental authority. In any such case, to the extent Hostroyale Processes any Customer Data protected by GDPR under the Agreement in a country that has not been designated by the European Commission or Swiss Federal Data Protection Authority (as applicable) as providing an adequate level of protection for Personal Data, the parties acknowledge that Hostroyale shall be deemed to provide adequate protection (within the meaning of GDPR) by applying the terms of this DPA and the Standard Contractual Clauses. In all such cases, for the purposes of implementing the Standard Contractual Clauses: (i) Customer is the data exporter and Hostroyale is the data importer; (ii) Customer directs Hostroyale to Process Personal Data in accordance with the Agreement and this DPA pursuant to Clause 5(a); (iii) Customer acknowledges and expressly agrees that Hostroyale may engage third-party Sub-processors as provided by this DPA pursuant to Clause 5(h); (iv) Customer acknowledges that Hostroyale’s obligations and cooperation pursuant to Clause 5(f), Clause 11 and Clause 12 shall be limited to the extent provided by the terms of this DPA; (v) Appendix 1 of this DPA shall serve as Appendix 1 of the Standard Contractual Clauses, and Appendix 2 of this DPA shall serve as Appendix 2 of the Standard Contractual Clauses.
7. Return or Deletion of Data. Upon termination or expiration of the Agreement, Hostroyale shall (at Customer’s election) delete or return, if feasible, to Customer all Customer Data remaining in its possession or control, save that this requirement shall not apply: (i) to the extent Hostroyale is required by applicable law to retain some or all of the Customer Data; (ii) if Hostroyale is reasonably required to retain some or all of the Customer Data for limited operational and compliance purposes; or (iii) to Customer Data Hostroyale has archived on back-up systems. In all such cases, Hostroyale shall maintain the Customer Data securely and protect from any further Processing. The terms of this DPA shall survive for so long as Hostroyale continues to retain any Customer Data.
8. Cooperation
8.1 Data Protection Authority Inquiries. Hostroyale shall (at Customer’s expense) provide commercially reasonable cooperation to assist Customer in its response to any requests from data protection authorities with authority relating to the Processing of Personal Data under the Agreement and this DPA. In the event that any such request is made directly to Hostroyale, Hostroyale shall not respond to such communication directly without Customer’s prior authorization, unless legally compelled to do so. If Hostroyale is required to respond to such a request, Hostroyale shall promptly notify Customer and provide it with a copy of the request unless legally prohibited from doing so.
8.2 Individual Rights and Requests. To the extent Customer does not have the ability to independently correct, amend, or delete Customer Data, or block or restrict Processing of Customer Data, then at Customer’s written direction and to the extent required by Data Protection Laws, Hostroyale shall comply with any commercially reasonable request by Customer to facilitate such actions. To the extent legally permitted, Customer shall be responsible for any costs arising from Hostroyale’s or its Sub-processors’ provision of such assistance. Hostroyale shall, to the extent legally permitted, promptly notify Customer if it receives a request from an individual data subject for access to, correction, amendment or deletion of that person’s Personal Data, or a request to restrict Processing. Hostroyale shall provide Customer with commercially reasonable cooperation and assistance in relation to handling of a data subject’s request, to the extent legally permitted and to the extent Customer does not have the ability to address the request independently. To the extent legally permitted, Customer shall be responsible for any costs arising from Hostroyale’s provision of such assistance.
8.3 Assessments and Data Protection Impact Assessments. Hostroyale shall provide written responses (on a confidential basis) to all commercially reasonable requests for information made by Customer regarding Processing of Customer Data, including responses to information security reviews, that are reasonably necessary to confirm HNG’s compliance with this DPA. Customer shall not exercise this right more than once per year, including with respect to any support required to perform a data protection impact assessment.
8.4 Law Enforcement Requests. If a law enforcement agency sends Hostroyale a demand for Customer Data (for example, through a subpoena or court order), Hostroyale may attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Hostroyale may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Hostroyale shall give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Hostroyale is legally prohibited from doing so.
Appendix 1 to the Standard Contractual Clauses
Data exporter
The data exporter is (please specify briefly your activities relevant to the transfer):
Customer, which purchases services from Hostroyale pursuant to the Agreement and authorizes Hostroyale to Process Customer Data for purposes of providing the services.
Data importer
The data importer is (please specify briefly activities relevant to the transfer):
Hostroyale, which Processes Customer Data upon the instruction of the data exporter in accordance with the terms of the Agreement and the DPA.
Data subjects
The personal data transferred concern the following categories of data subjects (please specify):
The data exporter may transmit Customer Data using Hostroyale’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that data subjects may include, but may not be limited to, natural persons who are prospective customers, customers, resellers, referrers, business partners, vendors, employees, contractors, agents, or advisors of data exporter, or natural persons authorized to use the services by data exporter.
Categories of data
The personal data transferred concern the following categories of data (please specify):
The data exporter may transmit Customer Data using Hostroyale’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that categories of data may include, but may not be limited to, names, titles, position, employer, contact information (email, phone, fax, physical address, etc.), and data indicating geographic location (e.g., IP address).
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
The data exporter may transmit Customer Data using Hostroyale’s service, and the extent of this transmittal is determined by data exporter in its sole discretion such that sensitive personal data may be included, such as racial or ethnic origin, political opinion, religious or philosophical beliefs, trade union membership, and data concerning a person’s health or sex life.
Processing operations
The personal data transferred will be subject to the following basic processing activities (please specify):
Processing will be undertaken to the extent necessary for Hostroyale to provide services to data exporter and as otherwise authorized by the Agreement or the DPA.
Appendix 2 to the Standard Contractual Clauses
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c):
Hostroyale has implemented and shall maintain a security program that includes appropriate administrative, physical, and technical safeguards designed to protect Customer Data from Data Breaches and to help ensure the ongoing confidentiality, integrity, and availability of the Customer Data and Processing systems. These safeguards include: