Version Number: 2.0
Date Last Revised: 13 January 2023
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Kdb Insights Enterprise Agreement entered into between the parties or other applicable service agreement between you and KX Systems, Inc (“KX) (“Agreement”). This DPA shall apply to all Processing of Client Personal Data (as defined below) by KX in order to provide the services under the Agreement. Terms not defined in the Agreement, shall have the meaning given to them in clause 1 below. In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the parties’ data protection obligations relating to Client Personal Data.
1. DEFINITIONS
“Standard Contractual Clauses” means as the circumstances require
i) the clauses set out in the Commission Implementing Decision dated 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as may be amended or replaced from time to time in accordance with the European Commission’s requirements, under the Data Protection Laws (“EU Standard Contractual Clauses”) , and/or
ii) the ICO International Data Transfer Addendum to the EU Standard Contractual Clauses which applies in the UK laid before Parliament in accordance with section 119A of the DPA 2018 on 2 February 2022, as it is revised under Section 18 from time to time in accordance with the Data Protection Laws (“UK Standard Contractual Clauses”).
“Subprocessor” means any third party Processor engaged by KX or engaged by any subprocessor of KX. For the avoidance of doubt, Subprocessor shall include a KX Affiliate.
2. RELATIONSHIP BETWEEN THE PARTIES
2.1 KX shall be the Processor regarding the Personal Data that is uploaded to the Licensed Software under your account (“Client Personal Data“) and you shall be either the Controller or the Processor of the Client Personal Data under this DPA.
3. PERSONAL DATA PROCESSING INSTRUCTIONS
3.1 KX shall only process the Client Personal Data on your behalf for the sole purpose of carrying out the Services under the Agreement and 1) in accordance with the Agreement, this DPA and your documented instructions as set out in Section 3.2 below (unless otherwise required by the Data Protections Laws) and 2) in accordance with its obligations as a Processor under the Data Protection Laws. If your instructions to KX change in relation to Processing the Personal Data, such change shall be subject to agreement in writing between you and KX.
3.2 Details of the Personal Data processing under this DPA;
3.2.1 Subject matter of the Processing. The subject matter of the processing under this DPA is Client Personal Data.
3.2.2 Duration of the Processing. The duration of the Processing corresponds to the duration of the Agreement.
3.2.3 Purpose of Processing. The purpose of the Client Personal Data processing under this DPA, is the provision of the Services in connection with the Licensed Software under the Agreement.
3.2.4 Nature of the Processing. The nature of the processing is accessing Client Personal Data in order to provide the Services as described in the Agreement.
3.2.5 Types of Personal Data. The types of Client Personal Data processed under this DPA include any Client Personal Data uploaded to the Licensed Software.
3.2.6 Data Subjects. The data subjects may include your customers, employees, suppliers, and end users, or any other individual whose personal data you upload to the Licensed Software.
3.3 KX shall notify you of any instruction which, in KX’s opinion, infringes the Data Protection Laws. You acknowledge and agree that KX is not obliged on an ongoing basis to monitor and assess the lawfulness of instructions and KX has no obligation to provide or procure legal advice to you.
3.4 Except to the extent expressly provided otherwise in this DPA, you have sole responsibility for the lawfulness of your written and other instructions in relation to Processing, the legal basis for such Processing and the notification obligations to data subjects in relation to such Processing.
3.5 If KX is legally required to process or disclose Client Personal Data otherwise than as instructed by you, KX shall notify you immediately and before such processing occurs unless prohibitied by law, in which case it shall notify you as soon as it is permitted to do so.
4. PERSONAL DATA CONFIDENTIALITY
4.1 KX shall treat all Client Personal Data as confidential information and not disclose such confidential information to any third party without Client’s prior written consent except 1) to KX Affiliates or 2) where it is required by a court order or there is a statutory obligation to do so, but only to the minimum extent necessary to comply with such order or obligation. Where KX is required to disclose Client Personal Data under court order or statutory obligation, section 3.5 shall apply.
4.2 KX shall take reasonable steps to ensure that its personnel who have access to the Client Personal Data are subject to a duty of confidence and and KX shall remain responsible for the actions of its personnel under this Agreement as if such actions were carried out by KX itself.
5. SECURITY
5.1 KX agrees that it has implemented and will maintain appropriate technical and organisational measures as set out in Schedule 1 to ensure the security of the processing.
6. PERSONAL DATA BREACH NOTIFICATION
KX will notify you as soon as reasonably practicable if KX becomes aware of any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Client Personal Data transmitted, stored or otherwise processed (“Personal Data Breach”). KX will include in such notification the applicable information required by Data Protection Laws to the extent such information is in the possession of or can reasonably be ascertained by KX in the circumstances. KX shall have no obligation to communicate directly with any Data Subject or with any regulator unless otherwise agreed in writing by KX or unless KX is legally obliged to do so.
7. SUBPROCESSING
7.1 You agree that KX may retain the parties listed at Subprocessors as Subprocessors in connection with the provision of the Services under the Agreement. You may register to receive email notifications of any change to the list of Subprocessors which KX will update at least 14 days before the addition or replacement of any Subprocessor. If you do not object to the appointment of the Subprocessor(s) within 14 days from the date of such notification, the appointment shall be deemed accepted. In the event you object, 1) KX shall work with you to find a commercially reasonable alternative and 2) if KX is unable to provide an alternative or you object to the alternative, either party may terminate the Agreement (without prejudice to KX’s right to claim fees for the remainder of the term where you terminate the Agreement).
7.2 KX shall require all Subprocessors (including KX Affiliates) to abide by substantially the same obligations as KX under this DPA and shall enter into a written agreement with each of the Subprocessors and Standard Contractual Clauses (where applicable). KX remains responsible at all times to you for the Subprocessor’s performance of its obligations under its agreement.
8. INTERNATIONAL DATA TRANSFER
8.1 KX may be required to transfer Client Personal Data to a jurisdiction outside the UK or the EEA in connection with providing the Services under the Agreement. Where applicable, the Parties agree that the Standard Contractual Clauses, shall form part of this DPA as set out in Schedule 2.
8.2 The Standard Contractual Clauses shall not apply if the transfer of Personal Data is to a country or is carried out in accordance with a framework or agreement, that the European Commission has recognised as providing adequate legal protection in respect of Personal Data and the Standard Contractual Clauses shall automatically terminate with effect from the date of that European Commission decision.
8.3 The Parties agree that in the event of any conflict or inconsistency between the DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
9. DATA SUBJECT REQUESTS
Where KX receives a request from a Data Subject for access to their Personal Data or to exercise any of their other rights under the Data Protection Laws and where the Data subject idenitifes you, KX shall promptly notify you of such request. Where you are unable to access the Client Personal Data yourself and taking into account the nature of the Processing being carried out by KX, KX will assist you by appropriate technical and organisational measures insofar as is possible, to enable youto respond to such Data Subject requests. You must provide KX with a written request setting out the scope of the assistance required. KX shall have no obligation to communicate directly with any Data Subject unless otherwise agreed in writing by KX. To the extent legally permitted, you will be responsible for any costs arising from such assistance, including any fees associated with the provision of additional functionality.
10. ASSISTANCE
KX agrees to provide reasonable assistance, taking into account the nature of the Processing and the information available to KX, and at your cost, within such reasonable timescale as may be specified by you, in order to assist you, on request, in complying with your obligations pursuant to the Data Protection Laws and provided that KX shall have no obligation to communicate directly with any Data Subject or with any regulator unless otherwise agreed in writing by KX or unless KX is legally obliged to do so.
11. AUDIT
Following your reasonable prior written request, KX shall permit you or a third party appointed by you to carry out audits and/or inspections, at your cost, of KX’s data processing facilities where Client Personal Data is processed by KX under this DPA. Such requests shall be carried out during KX’s normal business hours and shall not unduly interfere with the provision of the Services and/or KX’s normal business activities. KX shall make available to you upon written request, all information and evidence necessary to demonstrate that KX is complying with its obligations under this DPA. Nothing in this Clause 11, shall oblige KX to disclose information which is confidential, commercially sensitive or subject to legal privilege or to breach any confidentiality obligations which KX has to its personnel or its other customers, suppliers or partners. KX reserves the right to charge you additional fees where compliance with this clause requires the use of resources that are additional or different to those used in the provision of the Services.
12. TERM AND TERMINATION
12.1 The parties agree that Client Personal Data will be processed by KX for the duration of the Services under the Agreement or as otherwise set out in Section 3.2 above.
12.2 The parties agree that upon the completion of the services under the Agreement or upon termination or expiry of the Agreement, in so far as they relate to Client Personal Data, KX and all Subprocessors shall, at your option, either return or destroy all Client Personal Data unless any law, regulation or government or regulatory body to which KX or a Subprocessor are subject prevent KX or Subprocessor from returning or destroying all or part of the Client Personal Data. In such a case, KX will keep the Client Personal Data confidential until the legal obligation to not return or destroy the information is no longer in effect.
Schedule 1
Technical and Organisational Measures can be found here
Schedule 2
Data Transfers
1. EU Standard Contractual Clauses.
For transfer of Client Personal Data out of the EEA or Switzerland that are subject to Section 8.1 of the DPA, the EU Standard Contractual Clauses are incorporated into this DPA by reference and will apply in the following manner;
1.1 Module Two (Controller to Processor) will apply where you are a Controller of Client Personal Data and KX is a Processor of Client Personal Data.
1.2 Module Three (Processor to Processor) will apply where you are a processor of Client Personal Data and KX is a Subprocessor of Client Personal Data.
1.3 For each of the Modules specified above, the a parties agree the following;
(i) Clause 7 will not apply;
(ii) in Clause 9(a), Option 2 will apply, and the time period for notifying you about Subprocessor changes will be 14 days as set out in Section 7.1 of the DPA;
(iii) in Clause 11(a), the optional language will not apply;
(iv) in Clause 17, Option 1 will apply. The parties agree that the governing law shall be the law of the Republic of Ireland;
(v) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;
(vi) Schedule 2 Annex 1, Part A, B and C of this DPA shall serve as Annex I, Part A, B and C of the EU Standard Contractual Clauses
(vii) Schedule 1 of this DPA shall serve as Annex 2 of the EU Standard Contractual Clauses.
2. UK Standard Contractual Clauses
For transfer of Client Personal Data out of the UK that are subject to Section 8.1 of the DPA, the UK Standard Contractual Clauses are incorporated into this DPA by reference and will apply in the following manner;
(i) Schedule 2 Annex 1 Part A of this DPA shall serve as Table 1 of the UK Standard Contractual Clauses
(ii) For the purposes of Table 2, the EU Standard Contractual Clauses (as defined in the DPA) with only those modules, clauses and optional provisions as set out in paragraph 1 of Schedule 2 of the DPA shall apply.
(iii) For the purposes of Table 3, Schedule 1, Schedule 2 Annex 1, Part A and B and the list of Subprocessors referenced at Section 7 of the DPA shall apply.
(iv) For the purposes of Table 4, the Importer may end the UK Standard Contractual Clauses if any provisions are changed by the ICO as set out in Clause 19 of the UK Standard Contractual Clauses.
3. Additional Clauses
To the greatest extent permitted under Data Protection Laws, the following additional terms shall form part of the Standard Contractual Clauses and sets out the parties’ understanding of their respective obligations under the Standard Contractual Clauses;
(i) Data Exporter acknowledges and agrees that it exercises its audit right(s) under Clause 8.9 of the EU Standard Contractual Clause to which the UK Standard Contractual Clauses are appended, as applicable, by instructing Data Importer to comply with the audit measures described in Section 11 of the DPA.
(ii) Any claims brought under the Standard Contractual Clauses will be subject to any aggregate limitations on liability set out in the Agreement.
Annex 1
A. DESCRIPTION OF PARTIES
Data Exporter
Name: Client/ you
Address: Your address associated with your account
Contact persons: Contact details associated with your account
Activites relevant to the data transferred under these clauses: as set out in Section 3.2 of the DPA
Signature and date: By entering into the Agreement, Data Exporter is deemed to have signed the EU Standard Contractual Clauses configured in accordance with paragraph 1 of this Schedule 2.
Role: as outlined in Section 2.1 of the DPA
Data Importer
Name: KX Systems, Inc/KX
Address: 45 Broadway, Floor 20 New York, NY 10006 USA
Contact persons: KXLegal@KX.com
Activites relevant to the data transferred under these clauses: as set out in Section 3.2 of the DPA
Signature and date: By entering into the Agreement, Data Importer is deemed to have signed the EU Standard Contractual Clauses configured in accordance with paragraph 1 of this Schedule 2.
Role: as outlined in Section 2.1 of the DPA
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred.
As specified in Section 3.2 of the DPA
Categories of personal data transferred.
As specified in Section 3.2 of the DPA
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Personal data is transferred as required for the purpose as set out in Section 3.2 of the DPA.
Nature of the processing.
As specified in Section 3.2 of the DPA
Purpose(s) of the data transfer and further processing.
As specified in Section 3.2 of the DPA
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period.
As specified in Section 3.2 and Section 12.2 of the DPA
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing.
As specified in Section 3.2 of the DPA.
C. COMPETENT SUPERVISORY AUTHORITY
The data exporter’s competent supervisory authority will be determined in accordance with the GDPR.