
Privacy Policy

  • Definitions

  • “Applicable Data Protection Law” means all data privacy or data protection laws or regulations globally that apply to the Processing of Personal Information under this Data Processing Agreement, which may include Applicable European Data Protection Law.

  • “Applicable European Data Protection Law” means (i) the EU General Data Protection Regulation EU/2016/679, as supplemented by applicable EU Member State law and as incorporated into the EEA Agreement; (ii) the Swiss Federal Act on Data Protection 2023, as amended; and (iii) the UK Data Protection Act 2018.

  • “Business Operations” means such Personal Data Processing Customer authorizes Company to carry out for its own internal purposes. This is the use of Service Generated Data in accordance with Section “Service Generated Data” in the General Terms.

  • “Individual” shall have the same meaning as the term “data subject” or the equivalent term under Applicable Data Protection Law.

  • “Process/Processing”, “Controller”, “Processor” have the meaning set forth under Applicable Data Protection Law.

  • “Personal Data” means personal data that (a) has the meaning given to it in the Applicable Data Protection Law.

  • “Personal Data Breach” means a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on Company systems or the Services environment that compromises the security, confidentiality or integrity of such Personal Data.

  • “Regulator” shall have the same meaning as the term “supervisory authority”, “data protection authority” or the equivalent term under Applicable Data Protection Law.

  • “Subprocessor” means an Affiliate or a third party which Company subcontracts with and which may Process Personal Data as set forth in Section “Use of Subprocessors”.

 

Other capitalized terms have the definitions provided for them in the Quote and the underlying General Terms and Services Terms (altogether referred to as the “Agreement”).

 

  • Scope and Details of the Processing

      1. This Annex A – Data Processing Agreement or “DPA” applies to Company’s Processing of Personal Data on behalf of Customer as Processor for the provision of the Services specified in the Quote. 

      2. In addition, any Processing of Personal Data subject to Applicable European Data Protection Law is subject to the additional terms of the European DPA Addendum set out in Exhibit 1.

  • Responsibility for Processing of Personal Data and Instruction Right

      1. Customer is a Controller and Company is a Processor for the Processing of Personal Data for the provision of the Services except where Company Processes Personal Data to carry out its Business Operations in which case it acts as a Controller. Each Party is responsible for compliance with its respective obligations under Applicable Data Protection Law.

      2. Company will Process Personal Data solely for the purpose of providing the Services in accordance with the applicable Quote and this DPA.

      3. In addition to Customer’s instructions incorporated into the Quote, Customer may provide additional instructions in writing to Company with regard to Processing of Personal Information in accordance with Applicable Data Protection Law. Company will promptly comply with all such instructions to the extent necessary for Company to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist Customer to comply with its Controller obligations under Applicable Data Protection Law relevant to its use of the Services.

      4. Company will follow Customer’s instructions at no additional cost to Customer and within the timeframes reasonably necessary for Customer to comply with its obligations under Applicable Data Protection Law. To the extent Company expects to incur additional charges or fees not covered by the Subscription Fees payable under the applicable Quote, such as additional license or third party contractor fees, it will promptly inform Customer thereof upon receiving the respective instructions. Without prejudice to Company’s obligation to comply with Customer’s instructions, the Parties will then negotiate in good faith with respect to any such charges or fees.

      5. Unless otherwise specified in the applicable Quote, Customer may not provide Company with any sensitive or special Personal Data that imposes specific data security or data protection obligations on Company in addition to or different from those specified in the DPA or the Quote or the underlying General Terms and Services Terms.

  • Inquiries and Requests submitted by Individuals

      1. If Customer receives a request or inquiry from an Individual related to Personal Data processed by Company for the provision of Services under an applicable Quote, Customer can either (i) securely access the Services environment that holds Personal Data to address the request, or (ii) to the extent such access is not available to Customer, submit a “service request” to Company with detailed written instructions to Company on how to assist Customer with such request.

      2. If Company directly receives any requests or inquiries from Individuals that have identified Customer as the Controller, it will pass on such requests to Customer without undue delay and without responding to the Individual. Otherwise, Company will advise the Individual to identify and contact the relevant controller(s).

  • Use of Subprocessors

To the extent Company engages Subprocessors to Process Personal Data, such entities shall be subject to the same level of data protection and security as Company under the terms of the Quote and this DPA. Company is responsible for the performance of such Subprocessors’ obligations in compliance with the terms of this DPA and Applicable Data Protection Law.

  • Cross-Border Personal Data Transfers

      1. Without prejudice to any applicable restrictions for hosted Services specified in the Agreement, Company may Process Personal Information globally as necessary to perform the Services.

      2. To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under Applicable Data Protection Law, such transfers shall be subject to security and data privacy requirements consistent with the relevant requirements of this DPA and Applicable Data Protection Law.

  • Audit Rights

    1. Customer may audit Company’s compliance with its obligations under this DPA up to once per year. In addition, to the extent required by Applicable Data Protection Law, Customer or Customer’s Regulator may perform more frequent audits.

    2. If a third party is to conduct the audit, the third party must be mutually agreed to by Customer and Company (except if such third party is a Regulator). Company will not unreasonably withhold its consent to a third party auditor requested by Customer. The third party must execute a written confidentiality agreement acceptable to Company or otherwise be bound by a statutory or legal confidentiality obligation.

    3. To request an audit, Customer must submit a detailed proposed audit plan to Company at least two weeks in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Company will review the proposed audit plan and provide Customer with any concerns or questions. Company will work cooperatively with Customer to agree on a final audit plan.

    4. The audit must be conducted during regular business hours at the applicable facility, subject to the agreed final audit plan and Company’s health and safety or other relevant policies, and may not unreasonably interfere with Company’s business activities.

    5. Upon completion of the audit, Customer will provide Company with a copy of the audit report, which is subject to the confidentiality terms of the Agreement. Customer may use the audit reports only for the purposes of meeting its regulatory audit requirements and/or confirming compliance with the requirements of this DPA.

    6. Each party will bear its own costs in relation to the audit, unless Company promptly informs Customer upon reviewing the audit plan that it expects to incur additional charges or fees in the performance of the audit that are not covered by the Subscription Fees payable under the applicable Quote, such as additional license or third party contractor fees. The Parties will negotiate in good faith with respect to any such charges or fees.

    7. Without prejudice to the rights granted in Section 6.1 above, if the requested audit scope is addressed in a SOC, ISO, NIST, PCI DSS, HIPAA or similar audit report issued by a qualified third party auditor within the prior twelve months and Company provides such report to Customer confirming there are no known material changes in the controls audited, Customer agrees to accept the findings presented in the third party audit report in lieu of requesting an audit of the same controls covered by the report.

 

  • Security and Confidentiality

      1. Company has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all areas of security applicable to the Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures.

      2. All Company and Subprocessors that Process Personal Data are subject to appropriate written confidentiality arrangements, including confidentiality agreements, regular training on information protection, and compliance with Company policies concerning protection of confidential information.

  • Incident Management and Breach Notification

      1. Company has implemented controls and policies designed to detect and promptly respond to incidents that create suspicion of or indicate destruction, loss, alteration, unauthorized disclosure or access to Personal Data transmitted, stored or otherwise Processed. Company will define escalation paths to investigate such incidents in order to confirm if a Personal Data Breach has occurred, and to take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence.

      2. Company will notify Customer of a confirmed Personal Data Breach without undue delay but at the latest within 24 hours. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to Company, Company will also provide Customer with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of Personal Data that were the subject of the Personal Data Breach. Customer agrees to coordinate with Company on the content of the intended public statements, if any, or required notices for the affected Individuals and/or notices to the relevant Regulators regarding the Personal Data Breach.

  • Return and Deletion of Personal Data

      1. Upon termination of the applicable Quote, Company will promptly return, including by providing available data retrieval functionality, or delete any remaining copies of Personal Data on Company systems or Services environments, except as otherwise stated in the Agreement or except as Applicable Data Protection Law requires storage of such Personal Data. Export and retrieval may be subject to technical limitations, in which case Company and Customer will find a reasonable method to allow Customer access to Personal Data.

      2. For Personal Data held on Customer’s systems or environments, or for Services for which no data retrieval functionality is provided by Company as part of the Services, Customer is advised to take appropriate action to back up or otherwise store separately any Personal Data while the production Services environment is still active prior to termination.

  • Mandatory Personal Data Access

      1. Company may be required by law to provide access to Personal Data, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes.

      2. Company will promptly inform Customer of requests to provide access to Personal Data, unless otherwise required by law.

  • Miscellaneous 

      1. For the avoidance of doubt, Section “Limitation of Liability” in the General Terms applies with respect to Company’s liability under this DPA.

  • The term of this DPA corresponds to the Term.

    1. Customer shall inform Company without delay if it considers that this DPA does not meet the requirements of a processing contract according to the relevant provisions of the GDPR and/or any guidelines, recommendations, or other positions of the supervisory authorities, in particular the European Data Protection Board. In this case Customer and Company shall endeavour to adapt this DPA to the legal and/or official requirements.

    2. Amendments and additions to this DPA require written form. This also applies to any waiver of the written form requirement.

Exhibits:

Exhibit 1 – European Data Processing Addendum

Exhibit 1

European Data Processing Addendum

 

This European DPA Addendum supplements the Data Processing Agreement to include additional Processor terms applicable to the Processing of Personal Data subject to Applicable European Data Protection Law. Except as expressly stated otherwise in the Data Processing Agreement, the Agreement, or this European DPA Addendum, in the event of any conflict between these documents, the following order of precedence applies (in descending order): (i) this European DPA Addendum; (ii) the body of the Data Processing Agreement; and (iii) the Agreement.

 

  • Cross-Border Personal Data Transfers

Company and any of its Subprocessors shall process Personal Data exclusively in the European Economic Area. If Company or its Subprocessors provide the agreed Services outside of the European Economic Area, Company shall ensure the lawfulness under data protection law by taking the appropriate measures (e.g. in accordance with Article 28 and Articles 45, 46, 47 GDPR).

  • Details of Personal Data Processing

    1. Subject Matter of Processing. The subject matter of the Processing is the provision of the Services as per the Agreement and as further specified in the applicable Quote.

    2. Duration of Processing. The duration of the Processing is determined by the Term as specified in the Quote.

    3. Purpose of Processing. The Processing serves the purpose of the provision of the Services as per the Agreement and as further specified in the applicable Quote. Insofar as Company Processes Personal Data in order to assist Customer in fulfilling its obligation to respond to requests from Individuals or to comply with other stipulations of Applicable Data Protection Law, the Processing also serves the purpose of fulfilling the legal obligations of Customer under the Applicable Data Protection Law.

    4. Types of Personal Data. Customer contact data, Customer Data uploaded by Customer to the Binalyze Platform and/or Service Requests.

    5. Categories of Individuals. Employees, prospects, contractors, and customers of Customer.

 

  • Customer’s Instructions

      1. Customer’s right to provide instructions to Company as specified in Section “Responsibility for Processing of Personal Data and Instruction Right” of the DPA encompasses instructions regarding (i) data transfers as set forth in Section 1 of this European DPA Addendum; and (ii) assistance with Individual’s requests to access, delete or erase, restrict, rectify, receive and transmit (data portability), block access to or object to Processing of specific Personal Data or sets of Personal Data as described in Section “Inquiries and Requests submitted by Individuals” of the Data Processing Agreement.

      2. To the extent required by the Applicable European Data Protection Law, Company will immediately inform Customer if, in its opinion, Customer’s instruction infringes Applicable European Data Protection Law. Customer acknowledges and agrees that Company is not responsible for performing legal research and/or for providing legal advice to Customer.

  • Notice and Objection Right to New Subprocessors

    1. Subject to the terms and restrictions specified in this Section of the European DPA Addendum and Section “Use of Subprocessors” of the Data Processing Agreement, Customer provides Company a general written authorization to engage the following Subprocessors to assist in the performance of the Services:

| Name | Address | Scope of processing |
| --- | --- | --- |
| AWS, Inc. | 410 Terry Avenue North, Seattle, WA 98109-5210, USA | Hosting SaaS instances (with security and monitoring services attached) and trial instances |
| Sophos Technology GmbH | Steingasse 6a, 4020 Linz, Austria | Monitoring and security for cloud instances (SaaS, AWS, Azure) |
| Zendesk, Inc. | 989 Market St, San Francisco, CA | Provision of support ticket portal |
| Hubspot, Inc. | Two Canal Park, Cambridge, MA 02141, USA | CRM, marketing and sales. |

 

  1. Company shall inform Customer of any intended changes, thereby granting Customer the right to object to such changes within two (2) weeks after receiving the information. Customer may object to the intended involvement of a Subprocessor in the performance of the Services, providing objective justifiable grounds related to the ability of such Subprocessor to adequately protect Personal Data in accordance with the Data Processing Agreement or Applicable European Data Protection Law in textual form.

  2. In case of an objection, the Parties will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Subprocessor’s compliance with the Data Processing Agreement or Applicable European Data Protection Law, or delivering the Services without the involvement of such Subprocessor. To the extent the Parties do not reach a mutually acceptable resolution within a reasonable timeframe, Customer shall have the right to terminate the relevant Services (i) upon serving thirty (30) days prior notice; (ii) without liability to Customer or Company and (iii) without relieving Customer from its payment obligations under the Agreement up to the date of termination. If the termination in accordance with this Section only pertains to a portion of Services under a Quote, Customer will enter into an amendment or replacement Quote to reflect such partial termination.

  • Information and Assistance

    1. For hosted Services, the audit rights under Section “Audit Right” of the Data Processing Agreement include the right to conduct inspections of the applicable Services data center facility that hosts Personal Data.

    2. In addition, Customer may request that Company audit a Subprocessor or provide confirmation that such an audit has occurred (or, where available, obtain or assist Customer in obtaining a third-party audit report concerning the Subprocessor’s operations) to verify compliance with the Subprocessor’s obligations. Customer will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of Company’s agreement with any Subprocessors that may Process Personal Data.

    3. Company provides Customer with information and assistance reasonably necessary for Customer to conduct Customer’s data protection impact assessments or consult with Customer’s Regulator(s), by granting Customer electronic access to a record of Processing activities.

| Processing purpose | Legal basis for the processing purpose | Personal Data used for the processing purpose |
| --- | --- | --- |
| Handling pre-contractual negotiations and communications, concluding of the contract and managing the contractual relationship | If you as a natural person wish to become or are already our client or partner and the enquiry or request is related to your potential or ongoing customer or partnering relationship with us, the legal basis is taking and implementing the pre-contractual measures of the contract or performing the contract concluded between us. If you as a representative of legal entity, who wishes to become or is already our client or partner and the enquiry or request is related to the legal entity’s potential or ongoing customer or partnering relationship with us, the legal basis is our legitimate interest in taking and implementing the pre-contractual measures of a contract or performing the contract concluded between the legal entity and us | Main Data, Communication Data |
| Responding to your enquiries and requests submitted via the Website, live chat, or e-mail, including submissions regarding partnership and receiving a demo | Our legitimate interest in ensuring effective relations management with potential customers, partners and interested parties. If you as a natural person wish to become or are already our client or partner and the enquiry or request is related to your potential or ongoing customer or partnering relationship with us, the legal basis is taking and implementing the pre-contractual measures of the contract or performing the contract concluded between us. If you as a representative of legal entity, who wishes to become or is already our client or partner and the enquiry or request is related to the legal entity’s potential or ongoing customer or partnering relationship with us, the legal basis is our legitimate interest in taking and implementing the pre-contractual measures of a contract or performing the contract concluded between the legal entity and us. | Main Data, Communication Data, Contract Data |
| Performing the contract by delivering the purchased products (including providing you with free trial of our product), contacting you regarding the purchased products | If the purchase is submitted by a natural person, the legal basis is performance of contract concluded between us. If the purchase is submitted by a legal entity, the legal basis is our legitimate interest in performing the contract concluded between the legal entity and us | Main Data, Contract Data, Communication Data |
| Gathering information about you from publicly available resources and registrars for the purposes of creating client segments and customising the information we provide to you about our business | Our legitimate interest in ensuring effective relations management with potential customers, partners and interested parties | Communication Data |
| Sending newsletters and other marketing information regarding us and our business via e-mail | Consent given upon subscribing to our newsletter | Main Data, Communications Data |
| Administering newsletter subscription list | Our legitimate interest in ensuring valid legal basis for sending newsletters and recording given and withdrawn consents (subscriptions) | Main Data |
| Diagnosing and repairing problems with the Website | Our legitimate interest in providing data security and preventing fraudulent actions related to the Website; ensuring the functioning of the Website | Technical Data |
| Making available the basic functions of the Website and administering the Website, including gathering information about visitor’s navigation on the Website | Our legitimate interest in providing the Website and understanding use patterns of the Website to be able to better the Website and enhance the user experience | Technical Data |
| Insurance and Risk Management | Our legitimate interest is to process personal data where necessary for the purposes of obtaining or maintaining insurance coverage, managing risks and/or obtaining professional advice. | Usage Data |
| Analysing the use of our products | Our legitimate interests in improving, upgrading, and enhancing our products | Usage Data |
| Data exchange with our distributors and co-operation partners for facilitating the provision of our products | Our mutual legitimate interest in providing you with our product through our distributor or co-operation partner | Main Data, Contract Data |
| Storing information containing Personal Data in our backup systems | Our legitimate interest in ensuring continuity and security of data processing operations | All data categories named in Section 3.1 |
| Disclosing data to our service providers or law enforcement and supervisory authorities | Our legitimate interest in utilising the information technology infrastructure and services provided by our service providers or performance of our legal obligation | All data categories named in Section 3.1 |
| Intra-group data disclosures and transfers | Our legitimate interest in utilising common technical infrastructure and performing internal administrative tasks | All data categories named in Section 3.1 |
| Arrange the sale or merger of our company and provide information for conducting the legal or other audit and the data exchange thereof | Our legitimate interest in facilitating proper due diligence process and business continuity by ensuring a successful merger, acquisition or restructuring of the company | All data categories named in Section 3.1 |
| Establishment, exercise, or defence of legal claims, whether in court proceedings or in an administrative or out-of-court procedure in relation to our, our users’ or employees’ rights | Our legitimate interest in facilitating effective establishment, exercise, or defence of legal claims | All data categories named in Section 3.1 |

| Type of the recipient | Purpose of disclosure |
| --- | --- |
| Law enforcement and supervisory authorities | We disclose your Personal Data to law enforcement and supervisory authorities only if we are under a duty to disclose or share these data in order to comply with legal obligations (for example, if required to do so under applicable law, by a court order or for the purposes of prevention of fraud or other crime) |
| Professional advisors (legal advisors, accounting, auditors etc) | In case not operating as data processors, conducting and supporting our regular business activities |
| Providers of support services related to fulfilling the contract | For the purposes of performing our obligation related to the fulfilment of the contract we may disclose Personal Data to support service providers, such as payment service providers |
| IT-service providers | In case not acting as data processor, providing IT solutions necessary for daily business functions |
| Distributors and co-operation partners | Facilitating the provision of our products through our distributor or co-operation partner |
| Group entities | Utilising common technical infrastructure and performing internal administrative tasks |
| Potential business acquirers, investors, and business transferee(s) | If necessary and required for successfully transferring our business or for the purposes of mergers and acquisitions, your Personal Data may be disclosed to the specified acquirers and their representatives and / or legal counsels |

| Category of the authorised processor | Processing purpose | Safeguard | Location |
| --- | --- | --- | --- |
| Providers of IT-services | Providing IT-solutions necessary for the daily business functions (e.g. Microsoft Azure) | Data processing agreements, standard contractual clauses | World-wide, including the USA |
| Providers of marketing and customer management software services | Providing analytical insight and marketing tools for bettering daily business functions (e.g. MailChimp, HubSpot) | Data processing agreements, standard contractual clauses | World-wide, including the USA |

