
Hauberk Tech GLOBAL DATA PROTECTION AGREEMENT

INSTRUCTIONS for CREATING A LEGALLY BINDING DPA:

This Data Protection Agreement (“DPA”) has been pre-signed on behalf of Hauberk Tech, Inc. (“Hauberk Tech”).

This Data Protection Agreement (“DPA”) supplements any current Hauberk Tech Terms and Conditions, Master Purchase Agreement or other similar agreement (each “Agreement”) previously made between Hauberk Tech and the Customer (defined below) (collectively, the “Parties”), if and to the extent: (i) this DPA is required under Applicable Laws (defined below), and (ii) where Hauberk Tech Processes Customer Personal Data (both defined below). This DPA supersedes and replaces any prior Data Protection Agreement, or any other prior understanding or agreement, related to the processing of Customer Personal Data in connection with the Agreement.

This DPA will become legally binding when Customer:

1. Completes the information in the signature box of this DPA;

2. Signs the DPA in the signature box;

3. Sends the signed DPA to Hauberk Tech by email to dpa@hauberktech.com AND

4. Hauberk Tech has received the validly completed and signed DPA via dpa@hauberktech.com; (the date of such receipt is the “DPA Effective Date”)

1. Definitions

1.1 Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement. Except as modified below, the terms of the Agreement shall remain in full force and effect. Cognate terms shall be construed to have the same meaning.

1.1.1 “Adequate Country” means a country providing an adequate level of data protection pursuant to Applicable Laws;

1.1.2 "Applicable Laws" means any laws that regulate the Processing, privacy or security of Customer Personal Data and that directly apply to each respective party to this DPA in the context of Hauberk Tech Processing Customer Personal Data;

1.1.3 “CCPA” means the California Consumer Privacy Act of 2018, including, but not limited to, amendments of the CCPA or applicable regulations promulgated by the California Privacy Protection Agency. Exhibit C contains provisions governing Hauberk Tech’s compliance with the CCPA;

1.1.4 "Hauberk Tech Affiliate" means an entity belonging to the Hauberk Tech group of companies. The term “Hauberk Tech” is inclusive of the applicable Hauberk Tech Affiliate when: (i) Applicable Laws require a direct relationship between the Hauberk Tech Affiliate and the Customer with respect to data protection agreements, and (ii) the Hauberk Tech Affiliate Processes Customer Personal Data. Hauberk Tech represents that it is duly and effectively authorized (or will be subsequently ratified) to act on the Hauberk Tech Affiliate’s behalf;

1.1.5 “Customer” means (i) the person or entity that is indicated below in the signature block, or (ii) if there is no signature block or it is not completed, then Customer is the person or entity that has entered into the Agreement with Hauberk Tech. Customer also means a Customer Affiliate when: (i) Applicable Laws require a direct relationship between Hauberk Tech and the Customer’s Affiliate with respect to data protection agreements, (ii) Customer is duly and effectively authorized (or subsequently ratified) to act on its Affiliate’s behalf, and (iii) Hauberk Tech processes the Affiliate’s Customer Personal Data;

1.1.6 "Customer Personal Data" means any Personal Data Processed by Hauberk Tech or a Subprocessor on behalf of the Customer in the provision of the Offerings;

1.1.7 “EU-U.S. Data Privacy Framework” or “EU-U.S. DPF” means the transfer mechanism in terms of Art. 45 of the EU GDPR that enables participating organizations - pursuant to the European Commission's Implementing Decision C(2023) 4745 final of 10.7.2023 and the EU-U.S. Data Privacy Framework Principles as set forth by the U.S. Department of Commerce - to Process Customer Personal Data originating from the European Union (EU) and the European Economic Area (EEA) (“EU Customer Personal Data”) in the United States (U.S.) in accordance with Chapter V of the EU GDPR;

1.1.8 "EU GDPR" means the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and any local laws implementing or supplementing the GDPR;

1.1.9 “Onward Transfer” means any transfer of Customer Personal Data from Hauberk Tech to a Subprocessor;

1.1.10 “Personal Data” means information provided by Customer to Hauberk Tech or collected by Hauberk Tech from Customer used to distinguish or trace a natural person’s identity, either alone or when combined with other personal or identifying information that is linked or linkable by Hauberk Tech to a specific natural person. Personal Data also includes such other information about a specific natural person to the extent that the data protection law applicable in the jurisdictions in which such person resides defines such information as Personal Data.

1.1.11 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;

1.1.12 "Restricted Transfer" means: (i) any export by Customer of Customer Personal Data from its country of origin to Hauberk Tech to a jurisdiction that is not an Adequate Country.

1.1.13 “Standard Contractual Clauses” or “SCCs” means the contractual clauses or other documentation required by Applicable Laws for the transfer of Personal Data to Processors that are not established in Adequate Countries, as may be amended, superseded or replaced by Applicable Law;

1.1.14 "Subprocessor" means any contracted service provider (including any third party and Hauberk Tech Affiliate but excluding sub-contractors unless specified in an applicable Statement of Work) Processing Customer Personal Data in the course of Hauberk Tech’s provisioning of the Offerings set forth in the Agreement.

1.1.15 “Swiss-U.S. Data Privacy Framework Program” or “Swiss-U.S. DPF” means the transfer mechanism that enables participating organizations to Process Customer Personal Data (“Swiss Customer Personal Data”) in the United States in accordance with the Federal Act on Data Protection of 25 September 2020 as amended;

1.1.16 “UK Extension to the EU-U.S. DPF” means the transfer mechanism that enables participating organizations to Process Customer Personal Data originating from the United Kingdom (“UK”) (“UK Customer Personal Data”) in the U.S. in accordance with Art. 45 of the UK GDPR.

1.1.17 "UK GDPR" means the UK Government approved and updated Data Protection Act 2018 including all the clauses from the EU-GDPR being the basis upon which Processing of Personal Data would be judged within the UK.

1.2 The terms "Commission", "Controller", "Data Subject", "Member State", "Personal Data Breach", “Processor”, and "Supervisory Authority" shall have the same meaning as in the EU GDPR.

1.3 The word "include" shall be construed to mean include without limitation.

2. Processing of Customer Personal Data

2.1 Hauberk Tech shall:

2.1.1 Process Customer Personal Data only on Customer’s documented instructions, as set out in the Agreement and this DPA, including Customer providing instructions via APIs made available by Hauberk Tech with the Offerings, and as required by Applicable Laws (the “Documented Instructions”). Any additional or alternate instructions having an impact on the Offerings must be agreed upon by the Parties separately in writing; and

2.1.2 Unless prohibited by Applicable Law, inform the Customer if Hauberk Tech determines that: (i) Customer’s instructions conflict with Applicable Laws; or (ii) Applicable Laws require any Processing contrary to the Customer’s instructions.

2.2 Customer shall:

2.2.1 Be responsible for complying with Applicable Laws when making decisions and issuing instructions for the Processing of Customer Personal Data, including securing all permissions, consents or authorizations that may be required; and

2.2.2 Defend and indemnify Hauberk Tech, Hauberk Tech Affiliates, and Hauberk Tech Subprocessors for any claim brought against any one or more of them arising from an allegation of Customer’s breach of this Section, whether by a Data Subject or a government authority. In the event of such a claim, the Parties shall follow the process set forth in the Agreement for Customer to defend and indemnify Hauberk Tech and if none, then Hauberk Tech will: (a) notify Customer of such claim, (b) permit Customer to control the defense or settlement of such claim; provided, however, Customer shall not settle any claim in a manner that requires Hauberk Tech to admit liability or make any changes with respect to the Offerings without Hauberk Tech’s prior written consent, and (c) provide Customer with reasonable assistance in connection with the defense or settlement of such claim, at Customer’s cost and expense. In addition, Hauberk Tech may participate in the defense of any claim, and if Customer is already defending such claim, Hauberk Tech’s participation will be at Hauberk Tech’s expense. This provision does not diminish Customer or Data Subject’s rights under Applicable Laws related to Hauberk Tech’s adherence to its obligations under Applicable Laws.

3. Hauberk Tech Personnel

Hauberk Tech shall implement appropriate security controls designed to ensure that:

3.1 Access to Customer Personal Data within Hauberk Tech or its Subprocessors’ control is strictly limited to those individuals who need to know/access the relevant Customer Personal Data as reasonably necessary for the purposes outlined in this DPA, the Agreement or as required under Applicable Laws; and

3.2 All such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4. Security

4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Hauberk Tech shall in relation to the Processing of Customer Personal Data maintain appropriate technical and organizational measures as specified in the Agreement and in Exhibit B that are designed to ensure a level of security appropriate to the risk, including, as appropriate, the measures referred to in Applicable Laws.

4.2 In assessing the appropriate level of security, Hauberk Tech shall take into account the nature of the data and the Processing activities in assessing the risks posed by a potential Personal Data Breach.

5. Sub-Processing

5.1 To the extent required under Applicable Laws, Customer specifically authorizes Hauberk Tech to use those Subprocessors already engaged as of the date of this DPA and listed at: Hauberk Tech Subprocessors. In addition, and subject to Section 5.3, Customer generally authorizes Hauberk Tech’s engagement of other third parties as Subprocessors (“New Subprocessor(s)”).

5.2 Hauberk Tech shall provide notice of a New Subprocessor to the Customer at least 30 days prior to Hauberk Tech’s use of the New Subprocessor to Process Customer Personal Data, through the applicable Hauberk Tech Offering or platform, where Customer may elect to subscribe to such notices. Customers may also sign up for email notifications at https://www.hauberktech.com/subprocessor-notification/. Customer is responsible for ensuring that its notification email addresses remain current. During the notice period, Customer may object to a New Subprocessor in writing and Hauberk Tech may, in its sole discretion, attempt to resolve Customer’s objection, including providing the Offerings without use of the New Subprocessor. If (a) Hauberk Tech provides Customer written notice that it will not pursue an alternative, or (b) such an alternative cannot be made available by Hauberk Tech to Customer within 90 days of Customer providing notice of its objection, then in either case, and notwithstanding anything to the contrary in the Agreement or Order, Customer may terminate the Agreement or Order to the extent that it relates to the Offerings which require the use of the New Subprocessor.

5.3 With respect to each Subprocessor, to the extent required under Applicable Laws, Hauberk Tech shall:

5.3.1 Carry out adequate due diligence to ensure that the Subprocessor is capable of providing the level of protection for Customer Personal Data required by Applicable Laws, this DPA and the Agreement;

5.3.2 Have a written contract between Hauberk Tech and Subprocessor that obligates the Subprocessor to provide substantially the same level of protection for Customer Personal Data as required by this DPA and Applicable Laws, including Customer’s ability to protect the rights of Data Subjects in the event Hauberk Tech is insolvent, liquidated or otherwise ceases to exist;

5.3.3 Apply an adequacy mechanism recognized by Customer’s Supervisory Authority as ensuring an adequate level of data protection under Applicable Laws where Subprocessor’s Processing of Customer Personal Data involves a Restricted Transfer;

5.3.4 Maintain copies of the agreements with Subprocessors and make these reasonably available upon Customer’s written request. To the extent necessary to protect Confidential Information, Hauberk Tech may redact the copies prior to sharing with Customer; and

5.3.5 Notify Customer of Subprocessor’s relevant failure to comply with obligations set out by Applicable Laws and this DPA where Hauberk Tech has received notice of such.

6. Data Subject Rights

6.1 Customer represents and warrants to provide appropriate transparency to any Data Subjects concerning Hauberk Tech’s Processing of Customer Personal Data and respond to any request filed by Data Subjects as required under Applicable Laws.

6.2 Taking into account the nature of the Customer Personal Data Processing, Hauberk Tech shall:

6.2.1 Not respond to the Data Subject request itself or by Subprocessor unless required by Applicable Laws;

6.2.2 Notify Customer without undue delay if Hauberk Tech or any Subprocessor receives a request from a Data Subject under any Applicable Laws in respect to Customer Personal Data; and

6.2.3 Reasonably assist Customer through appropriate technical and organizational measures to fulfill Customer’s obligation to respond to Data Subject requests arising under Applicable Law, and where Customer is unable to respond to Data Subject requests through the information available by the Offerings.

7. Personal Data Breach

7.1 Upon Hauberk Tech becoming aware of any Personal Data Breach affecting Customer Personal Data, Hauberk Tech shall without undue delay notify Customer of such Personal Data Breach. To the extent known, Hauberk Tech shall provide Customer with sufficient information to meet obligations under Applicable Laws to report or inform Data Subjects about the Personal Data Breach.

7.2 Hauberk Tech shall cooperate with Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of such Personal Data Breach.

8. Obligations to Assist Customer

Taking into account the nature of the Processing and information available to Customer in each case solely in relation to Hauberk Tech’s Processing of Customer Personal Data, Hauberk Tech shall provide reasonable assistance to Customer with any:

8.1 Necessary data protection impact assessments required of Customer by Applicable Laws;

8.2 Consultation with or requests of a competent data protection authority;

8.3 Inquiries about Hauberk Tech’s Processing of Customer Personal Data pursuant to the Agreement and this DPA.

9. Deletion of Customer Personal Data

9.1 Upon termination of the Offerings to Customer and pursuant to the Agreement:

9.1.1 Customer Personal Data will be deleted within 90 days of the Offerings being deprovisioned unless the retention of Customer Personal Data is required under Applicable Laws or the Agreement.

9.1.2 Upon Customer’s written request, Hauberk Tech shall:

9.1.2.1 Make Customer Personal Data available for return to Customer, where such a request has been made prior to deletion by Hauberk Tech, by providing Customer with a reasonable means by which Customer can retrieve Customer Personal Data from the Offerings; and

9.1.2.2 Provide written confirmation that Customer Personal Data was deleted.

10. Audit Rights

10.1 Subject to Sections 10.2 to 10.4 and upon Customer’s written request, Hauberk Tech shall make available to Customer information necessary to demonstrate compliance with Applicable Laws and this DPA.

10.2 To the extent required by Applicable Laws, Hauberk Tech shall contribute to audits by Customer or an independent auditor engaged by the Customer, that is not a competitor of Hauberk Tech, in relation to the Processing of the Customer Personal Data.

10.3 Information and audit rights of the Customer only arise under Section 10.1 to the extent that the Agreement does not otherwise give them information and audit rights meeting the relevant requirements of Applicable Laws.

10.4 Notwithstanding the foregoing, Hauberk Tech may exclude information and documentation that would reveal the identity of other Hauberk Tech customers or information that Hauberk Tech is required to keep confidential. Any information or records provided pursuant to this assessment process shall be considered Hauberk Tech’s Confidential Information and subject to the Confidentiality section of the Agreement.

11. Cross-Border Transfers of Customer Personal Data

At the time of Order placement, Customer has the option to designate the cloud-hosting region (either the EU or US) where Customer Personal Data will be physically stored within Hauberk Tech Systems. Independent of the hosting location, Hauberk Tech may Process Customer Personal Data internationally where Hauberk Tech and Subprocessors have operations. Whenever Customer Personal Data is a Restricted Transfer, each Party will ensure such Restricted Transfer complies with Applicable Laws.

11.1 EU Customer Personal Data. Hauberk Tech’s Processing of EU Customer Personal Data in the U.S. shall adhere to the EU-U.S. Data Privacy Framework Principles. Hauberk Tech is certified under the EU-US DPF. Hauberk Tech’s certification status is available in the U.S. Department of Commerce's Data Privacy Framework List. In the event that Hauberk Tech is required to adopt an alternative transfer mechanism pursuant to Chapter V of the EU GDPR for Processing EU Customer Personal Data in the U.S. other than the EU-U.S. DPF, then the Parties agree that SCCs as set forth in Exhibit D shall apply.

11.2 UK (and Gibraltar) Customer Personal Data. Hauberk Tech’s Processing of UK (and Gibraltar) Customer Personal Data in the U.S. shall adhere to the UK Extension to the EU-U.S. DPF approved by the UK government in its UK Adequacy Decision. Hauberk Tech is certified under the UK Extension to the EU-US DPF. Hauberk Tech’s certification status is available in the U.S. Department of Commerce's Data Privacy Framework List. In the event that Hauberk Tech is required to adopt an alternative transfer mechanism pursuant to Chapter V of the UK GDPR for Processing UK Personal Data in the U.S. other than the UK Extension to the EU-U.S. DPF, then the Parties agree that SCCs and the UK’s International Data Transfer Addendum as set forth in Exhibit D shall apply.

11.3 Swiss Customer Personal Data. Hauberk Tech is certified under the Swiss-US DPF. Hauberk Tech’s certification status is available in the U.S. Department of Commerce's Data Privacy Framework List. The Parties acknowledge that as of the DPA Effective Date, however, Personal Data cannot be received from Switzerland in reliance on the Swiss-U.S. DPF until the date on which Switzerland officially recognizes the United States as an Adequate Country. Therefore, Hauberk Tech and Customer agree that SCCs as set forth in Exhibit D shall apply.

11.4 Argentinian Customer Personal Data. Where the Restricted Transfer concerns Customer Personal Data originating from Argentina, the standard contractual clauses approved under Resolution No. 60-E/2016 and available at https://www.hauberktech.com/legal/scc-ar/ will be incorporated into this DPA by reference and shall apply to the extent required under Applicable Laws and where this DPA does not provide adequate safeguards.

11.5 Other Restricted Transfers. Customer will notify Hauberk Tech in writing if a Restricted Transfer involving Customer Personal Data requires privacy provisions not already included in this DPA. The Parties will promptly enter into a written amendment to include such provisions, but only to the extent required under Applicable Law and where this DPA does not provide adequate safeguards.

12. General Terms

12.1 Governing Law and Jurisdiction. The Parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this DPA.

12.2 Order of Precedence. Any conflict between the terms of the Agreement and this DPA related to the processing of Customer Personal Data is resolved in the following order of priority: (1) Applicable Laws, (2) this DPA, and then (3) the Agreement.

12.3 Severability. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties’ intentions as closely as possible or, should this not be possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.

12.4 No Third-Party Beneficiaries. The Parties do not intend to grant third-party beneficiary rights to Data Subjects under this DPA when those Data Subjects would not otherwise benefit from such rights under the Applicable Laws.

12.5 Unless required by Applicable Laws, Customer shall exercise any right or seek any remedy on behalf of itself, its Affiliates, and any other Controller that Customer instructs Hauberk Tech to process Customer Personal Data for under this DPA (collectively, the “Customer Parties”). The limitations of liability and any exclusions of damages set forth in the Agreement govern the aggregate liability for all Customer Parties’ claims arising out of or related to this DPA against Hauberk Tech and any Hauberk Tech Affiliate(s).

12.6 To the extent required by Applicable Laws, this Section is not intended to modify or limit (i) the Parties’ liability for Data Subject claims made against a Party where there is joint and several liability, or (ii) either Party's responsibility to pay penalties imposed on such Party by a regulatory authority.

The Parties by their duly authorized representatives have executed this DPA to be effective as of the DPA Effective Date.

| HAUBERK TECH, INC. | Customer: |
| :--- | :--- |
| By: [Signature] | By: |
| Name: [Pre-filled Name] | Name: |
| Title: [Pre-filled Title] | Title: |
| Date: [Pre-filled Date] | Date: |
| Send notices to: [Hauberk Tech Address]; with a copy to: legal@hauberktech.com | Notice Address: |

© Hauberk Tech. All rights reserved.
