REVISED on February 01, 2020
1.1 This data processing agreement (the "Data Processing Agreement") applies to QbitEdge® LLC's Processing of Personal Data on Your behalf as part of QbitEdge® LLC's provision of QbitEdge® LLC Cloud Services ("Cloud Services"). The Cloud Services are described in (i) the applicable order for Cloud Services, (ii) the applicable Agreement or other applicable master agreement by and between You and QbitEdge® LLC in which this Data Processing Agreement is referenced, and (iii) the Service Specifications (i, ii and iii collectively the "Cloud Services Agreement").
1.2 Unless otherwise expressly stated in the order for Cloud Services, this version of the Data Processing Agreement is incorporated into and subject to the terms of the Cloud Services Agreement and shall be effective and remain in force for the Service Period of the Cloud Services.
1.3 Except as expressly stated otherwise in this Data Processing Agreement or the order for Cloud Services, in the event of any conflict between the terms of the Cloud Services Agreement, including any policies or schedules referenced therein, and the terms of this Data Processing Agreement, the relevant terms of this Data Processing Agreement shall take precedence.
2.1 "Applicable Data Protection Law" means (i) Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data ("GDPR"); (ii) all relevant European Union member state laws or regulations supplementing the GDPR; and (iii) any other data privacy or data protection law or regulation that applies to the Processing of Personal Data under this Data Processing Agreement.
2.2 "You" means the customer entity that has executed the order for Cloud Services.
2.3 "Data Subject", "Data Protection Officer", "Process/Processing", "Personal Data", "Supervisory Authority", "Controller", "Processor" and "Binding Corporate Rules" (or any of the equivalent terms) have the meaning set forth under Applicable Data Protection Law.
2.4 "EU Model Clauses" means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
2.5 "Third Party Sub-processor" means a third-party subcontractor, other than QbitEdge® LLC, engaged by QbitEdge® LLC and which may Process Personal Data as set forth in Sections 3.3 and 8.
2.6 Other capitalized terms have the definitions provided for them in the Cloud Services Agreement or as otherwise specified below.
3.1 You are and will at times remain the Controller of the Personal Data Processed by QbitEdge® LLC under the Cloud Services Agreement. You are responsible for compliance with Your obligations as a Controller under Applicable Data Protection Law, in particular for justification of any transmission of Personal Data to QbitEdge® LLC (including providing any required notices and obtaining any required consents and/or authorizations, or otherwise securing an appropriate legal basis under Applicable Data Protection Law).
3.2 QbitEdge® LLC is and will always remain a Processor with regard to the Personal Data provided by You to QbitEdge® LLC under the Cloud Services Agreement. QbitEdge® LLC is responsible for compliance with its obligations under this Data Processing Agreement and for compliance with its obligations as a Processor under Applicable Data Protection Law.
3.3 QbitEdge® LLC and any persons acting under the authority of QbitEdge® LLC, including any QbitEdge® LLC Third Party Sub-processors as set forth in Section 8, will Process Personal Data solely for the purpose of (i) providing the Cloud Services in accordance with the Cloud Services Agreement and this Data Processing Agreement, (ii) complying with Your documented written instructions in accordance with Section 5, and/or (iii) complying with QbitEdge® LLC's regulatory obligations in accordance with Section 13.
4.1 In order to perform the Cloud Services and depending on the Cloud Services You have ordered, QbitEdge® LLC may Process some or all of the following categories of Personal Data: personal contact information such as name, home address, home telephone or mobile number, fax number, email address, and passwords; information concerning family, lifestyle and social circumstances including age, date of birth, marital status, number of children and name(s) of spouse and/or children; employment details including employer name, job title and function, employment history, salary and other benefits, job performance and other capabilities, education/qualification, identification numbers, and business contact details; financial details; goods and services provided; unique IDs collected from mobile devices, network carriers or data providers, IP addresses, and online behavior and interest data.
4.2 Categories of Data Subjects whose Personal Data may be Processed in order to perform the Cloud Services may include, among others, Your representatives and end users, such as Your employees, job applicants, contractors, collaborators, partners, suppliers, customers and clients.
4.3 Additional or more specific categories of Personal Data and/or Data Subjects may be described in the Cloud Services Agreement. Unless otherwise specified in the Cloud Services Agreement, Your Content may not include any sensitive or special personal data that imposes specific data security or data protection obligations on QbitEdge® LLC in addition to or different from those specified in the Service Specifications.
5.1 QbitEdge® LLC will Process Personal Data on Your written instructions as specified in the Cloud Services Agreement and this Data Processing Agreement, including instructions regarding data transfers as set forth in Section 7.
5.2 You may provide additional instructions in writing to QbitEdge® LLC regarding Processing of Personal Data in accordance with Applicable Data Protection Law. QbitEdge® LLC will promptly comply with all such instructions to the extent necessary for QbitEdge® LLC to (i) comply with its Processor obligations under Applicable Data Protection Law; or (ii) assist You to comply with Your Controller obligations under Applicable Data Protection Law relevant to Your use of the Cloud Services, including assistance with notifying Personal Data Breaches as set forth in Section 11, Data Subject requests as set forth in Section 6, implementing appropriate technical and organizational measures as set forth in Section 9, data protection impact assessments and prior consultations as set forth in Section 10.8.
5.3 To the extent required by Applicable Data Protection Law, QbitEdge® LLC will immediately inform You if, in its opinion, Your instruction infringes Applicable Data Protection Law. You acknowledge and agree that QbitEdge® LLC is not responsible for performing legal research and/or for providing legal advice to You.
5.4 QbitEdge® LLC will comply with Your instructions at no additional cost to You. To the extent, QbitEdge® LLC expects to incur additional charges or fees not covered by the fees for Cloud Services payable under the Cloud Services Agreement, such as additional license or third-party contractor fees, it will promptly inform You thereof upon receiving Your instructions. Without prejudice to QbitEdge® LLC's obligation to comply with Your instructions, the parties will then negotiate in good faith with respect to any such charges or fees.
6.1 QbitEdge® LLC will grant You electronic access to Your Cloud Services environment that holds Personal Data to enable You to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including requests to access, delete or erase, restrict, rectify, receive and transmit (data portability), block access to or object to Processing of specific Personal Data or sets of Personal Data.
6.2 To the extent such electronic access is not available to You, You can submit a "service request" via My QbitEdge® LLC Support (or other applicable primary support tool provided for the Cloud Services), and provide detailed written instructions to QbitEdge® LLC (including the Personal Data necessary to identify the Data Subject) on how to assist with such Data Subject requests in relation to Personal Data held in Your Cloud Services environment. Subject to Section 5.4 and considering the nature of the Processing, QbitEdge® LLC will promptly follow such instructions within the timeframes reasonably necessary for You to respond to such Data Subject requests under Applicable Data Protection Law.
6.3 If QbitEdge® LLC directly receives any requests from Data Subjects that have identified You as the Data Controller, it will promptly pass on such requests to You without responding to the Data Subject. If the Data Subject does not identify You as the Data Controller, QbitEdge® LLC will instruct the Data Subject to contact the relevant Data Controller.
7.1 Without prejudice to Section 7.1 and in accordance with Your instructions under Section 5.1, QbitEdge® LLC may access and Process Personal Data on a global basis as necessary to perform the Cloud Services, including for IT security purposes, maintenance and performance of the Cloud Services and related infrastructure, Cloud Services technical support and Cloud Service change management.
8.1 Subject to the terms and restrictions specified in Sections 3.3, 7 and 8, You provide QbitEdge® LLC general written authorization to engage Third Party Sub-processors to assist in the performance of the Cloud Services.
8.2 Within fourteen (14) calendar days of QbitEdge® LLC providing such notice to You, You may object to the intended involvement of a Third Party Sub-processor in the performance of the Cloud Services, providing objective justifiable grounds related to the ability of such Third Party Sub-processor to adequately protect Personal Data in accordance with this Data Processing Agreement or Applicable Data Protection Law in writing by submitting a "service request" via QbitEdge® LLC Support, or other applicable primary support tool provided for the Cloud Services. In the event Your objection is justified, You and QbitEdge® LLC will work together in good faith to find a mutually acceptable resolution to address such objection, including but not limited to reviewing additional documentation supporting the Third Party Sub-processors' compliance with this Data Processing Agreement or Applicable Data Protection Law, or delivering the Cloud Services without the involvement of such Third Party Sub-processor. To the extent You and QbitEdge® LLC do not reach a mutually acceptable resolution within a reasonable timeframe, You shall have the right to terminate the relevant Cloud Services (i) upon serving thirty (30) days prior notice; (ii) without liability to You and QbitEdge® LLC and (iii) without relieving You from Your payment obligations under the Cloud Services Agreement up to the date of termination. If the termination in accordance with this Section 8.3 only pertains to a portion of Cloud Services under an order, You will enter into an amendment or replacement order to reflect such partial termination.
8.3 Third Party Sub-processors are required by written agreement to abide by the same level of data protection and security as QbitEdge® LLC under this Data Processing Agreement as applicable to their Processing of Personal Data. You may request that QbitEdge® LLC audit a Third Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third Party Sub-processor's operations) to verify compliance with such obligations. You will also be entitled, upon written request, to receive copies of the relevant privacy and security terms of QbitEdge® LLC's agreement with any Third Party Sub-processors and QbitEdge® LLC Affiliates that may Process Personal Data.
8.5 QbitEdge® LLC remains responsible at all times for the performance of the QbitEdge® LLC Third Party Sub-processors' obligations in compliance with the terms of this Data Processing Agreement and Applicable Data Protection Law.
9.1 QbitEdge® LLC has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Data. These measures take into account the nature, scope and purposes of Processing as specified in this Data Processing Agreement, and are intended to protect Personal Data against the risks inherent to the Processing of Personal Data in the performance of the Cloud Services, in particular risks from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise Processed.
9.2 In particular, QbitEdge® LLC has implemented the physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures specified in the relevant Cloud Services Hosting and Delivery Policies and other Service Specifications. You are advised to carefully review the applicable Service Specifications to understand which specific security measures and practices apply to the particular Cloud Services ordered by You, and to ensure that these measures and practices are appropriate for the Processing of Personal Data pursuant to this Data Processing Agreement.
9.3 All QbitEdge® LLC staff, as well as any Third-Party Sub-processors that Process Personal Data are subject to appropriate written confidentiality arrangements.
10.1 You may audit compliance with its obligations under this Data Processing Agreement up to once per year. In addition, to the extent required by Applicable Data Protection Law, including where mandated by Your Supervisory Authority, You or Your Supervisory Authority may perform more frequent audits, including inspections of the Cloud Service data center facility that Processes Personal Data. QbitEdge® LLC will contribute to such audits by providing You or Your Supervisory Authority with the information and assistance reasonably necessary to conduct the audit, including by making available a record of Processing activities and other information.
10.2 You will provide QbitEdge® LLC any reports generated in connection with any audit under this Section 10, unless prohibited by Applicable Data Protection Law or otherwise instructed by a Supervisory Authority. You may use the audit reports only for the purposes of meeting Your regulatory audit requirements and/or confirming compliance with the requirements of this Data Processing Agreement. The audit reports are Confidential Information under the terms of the Cloud Services Agreement.
10.3 Each party will bear its own costs in relation to the audit, unless QbitEdge® LLC promptly informs you upon reviewing Your audit plan that it expects to incur additional charges or fees in the performance of the audit that are not covered by the fees for Cloud Services payable under the Cloud Services Agreement, such as additional license or third party contractor fees. The parties will negotiate in good faith with respect to any such charges or fees.
11.1 QbitEdge® LLC promptly evaluates and responds to incidents that create suspicion of or indicate unauthorized access to or Processing of Personal Data ("Incident"). All QbitEdge® LLC staff that have access to or Process Personal Data are instructed on responding to Incidents, including prompt internal reporting, escalation procedures, and chain of custody practices to secure relevant evidence. QbitEdge® LLC's agreements with Third Party Sub-processors contain similar Incident reporting obligations.
11.2 In order to address an Incident, QbitEdge® LLC defines escalation paths and response teams involving internal functions such as Information Security and Legal. The goal of QbitEdge® LLC's Incident response will be to restore the confidentiality, integrity, and availability of the Cloud Services environment and the Personal Data that may be contained therein, and to establish root causes and remediation steps. Depending on the nature and scope of the Incident, QbitEdge® LLC may also involve and work with You and outside law enforcement to respond to the Incident.
11.3 To the extent QbitEdge® LLC becomes aware and determines that an Incident qualifies as a breach of security leading to the misappropriation or accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed on QbitEdge® LLC systems or the Cloud Services environment that compromises the security, confidentiality or integrity of such Personal Data ("Personal Data Breach"), QbitEdge® LLC will inform You of such Personal Data Breach without undue delay but at the latest within 24 hours.
11.4 QbitEdge® LLC will take reasonable measures designed to identify the root cause(s) of the Personal Data Breach, mitigate any possible adverse effects and prevent a recurrence. As information regarding the Personal Data Breach is collected or otherwise reasonably becomes available to QbitEdge® LLC and to the extent permitted by law, QbitEdge® LLC will provide You with (i) a description of the nature and reasonably anticipated consequences of the Personal Data Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; (iii) where possible, the categories of Personal Data and Data Subjects including an approximate number of Personal Data records and Data Subjects that were the subject of the Personal Data Breach; and (iv) other information concerning the Personal Data Breach reasonably known or available to QbitEdge® LLC that You may be required to disclose to a Supervisory Authority or affected Data Subject(s).
11.5 Within the timeframes required for You to meet Your Personal Data Breach notification obligations under Applicable Data Protection Law, You agree to coordinate with QbitEdge® LLC in good faith on the content of Your intended public statements or required notices for the affected Data Subjects and/or notices to the relevant Supervisory Authorities regarding the Personal Data Breach.
12.1 Following termination of the Cloud Services, QbitEdge® LLC will return or otherwise make available for retrieval Your Personal Data then available in Your Cloud Services environment, unless otherwise expressly stated in the Service Specifications. For Cloud Services for which no data retrieval functionality is provided by QbitEdge® LLC as part of the Cloud Services, You are advised to take appropriate action to back up or otherwise store separately any Personal Data while the production Cloud Services environment is still active prior to termination.
12.2 Following any applicable retrieval period, QbitEdge® LLC will promptly delete all copies of Personal Data from the Cloud Services environment, except as may be required by law. QbitEdge® LLC's data deletion practices, as well as any applicable retention or archival practices, are described in more detail in the relevant Cloud Services Hosting and Delivery Policies and other Service Specifications applicable to the Cloud Services.
13.1 If QbitEdge® LLC receives any subpoena, judicial, administrative or arbitral order of an executive or administrative agency, regulatory agency, or other governmental authority which relates to the Processing of Personal Data ("Disclosure Request"), it will promptly pass on such Disclosure Request to You without responding to it, unless otherwise required by applicable law (including to provide an acknowledgement of receipt to the authority that made the Disclosure Request).
13.2 At Your request, QbitEdge® LLC will provide You with reasonable information in its possession that may be responsive to the Disclosure Request and any assistance reasonably required for You to respond to the Disclosure Request in a timely manner.
14.1 QbitEdge® LLC has appointed a Data Protection Officer. To contact QbitEdge® LLC's Data Protection Officer email info@QbitEdge.com
14.2 If you have appointed a Data Protection Officer, You may request QbitEdge® LLC to include the contact details of Your Data Protection Officer in the relevant order for Cloud Services.