Client is a Controller and appoints Textel as a Processor on behalf of Client.

3.  Scope

3.1.  This DPA applies to the Processing of Personal Data by Textel in the context of the Agreement.

3.2.  The subject matter, nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects are set out in Appendix 1, which is an integral part of this DPA, the Agreement, and any applicable statement of work.

4. Instructions

4.1.  Client shall only disclose Personal Data to Textel solely for a valid business purpose as set forth in the Agreement, and solely in connection with the Services.

4.2.  Textel must only Process Personal Data on documented instructions of Client and is prohibited from Processing Personal Data for any other purpose.  Client shall be solely responsible for, and represents and warrants that, any documented instructions it provides hereunder shall comply with Data Protection Law. Moreover, Client shall have sole responsibility for the accuracy, quality, and legality of Client Personal Data and the means by which Client acquired Client Personal Data.

4.3.  Client has taken and further undertakes that throughout the Term it shall take, all necessary steps (having regard to the nature of the circumstances in which Client Personal Data will be collected) to provide affected data subjects with an accurate, comprehensible, concise, conspicuous and easily accessible description of all processing of Client Personal Data carried out under and in connection with the DPA, which are sufficient to meet the standards and requirements of Article 13/14 of the GDPR.

4.4.  Client’s instructions are documented in Appendix 1, the Agreement, and any applicable statement of work.

4.5.  Client may issue additional instructions to Textel as it deems necessary to comply with Data Protection Law.  Client shall be responsible for any additional fees, or costs arising from any such additional instructions, which fees or costs shall be mutually agreed upon by the Parties.

5. Subprocessing

5.1.  Client authorizes Textel to engage Subprocessors set forth on Appendix 3.

5.2.  Textel must inform Client at least thirty (30) days prior to any intended change of Subprocessor.

5.3.  Textel must obtain sufficient guarantees from all Subprocessors that they will implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of Data Protection Law and this DPA.

5.4.  Textel must enter into a written agreement with all Subprocessors which imposes the same obligations on the Subprocessors as this DPA imposes on Textel.

5.5.  If any Subprocessor fails to fulfill its obligations under Data Protection Law, this DPA, or the agreements between Textel and Subprocessor, Textel will be fully liable to Client for the performance of such obligations.

6. International Data Transfers

6.1.  Client authorizes Textel to perform International Data Transfers to the countries specified in Appendix 3. 

6.2.  Client authorizes Textel to perform other International Data Transfers if it complies with Section 6.3 and provided that the International Data Transfers are performed: (i) to any country that is subject to a valid adequacy decision of the EU Commission; (ii) to an organization that relies on binding corporate rules authorized by Supervisory Authorities; (iii) under Standard Contractual Clauses concluded between Textel and Client; or (v) other adequate safeguards as provided under Data Protection Law.

6.3.  Textel must inform Company at least thirty (30) days prior to any intended change of International Data Transfers, including the country, and the legal basis of the International Data Transfer pursuant to Section 6.2.  

6.4.  By signing this DPA, Client and Textel conclude the Standard Contractual Clauses are hereby incorporated into this DPA and as listed in Appendix 5.  

6.5.  Any authorization of International Data Transfers is expressly conditioned upon Textel’s ongoing compliance with the requirements of Data Protection Law applicable to International Data Transfers, and any applicable legal instrument for International Data Transfers. If such compliance is affected by circumstances outside of Textel’s control, including circumstances affecting the validity of an applicable legal instrument, Client and Textel will work together in good faith to reasonably resolve such non-compliance.

6.6.   Alternative transfer mechanism. To extent that and for so long as the Standard Contractual Clauses as implemented in accordance with Section 6 cannot be relied on to lawfully transfer personal data in compliance with Data Protection Laws. Additionally, to the extent Textel adopts an alternative lawful data transfer mechanism for the transfer of Personal Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable Data Protection Laws and extends to the countries to which Personal Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer European Data (within the meaning of applicable Data Protection Laws), Textel may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of Personal Data.

7. Personnel

7.1.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Textel must implement appropriate technical and organizational measures to ensure that Personnel do not Process Personal Data except on the instructions of the Controller.

7.2.  Textel must ensure that all Personnel authorized to Process Personal Data are subject to a contractual or statutory obligation of confidentiality.

7.3.  Textel must regularly train Personnel regarding the protection of Personal Data.

8. Security and Personal Data Breaches

8.1.  Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Textel must implement technical and organizational measures to ensure a level of security appropriate to the risks presented by the Processing, including:

1. the pseudonymisation and encryption of personal data;

2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing; and,

5. as appropriate and without limiting the foregoing, the measures listed in Appendix 2.

8.2.  Textel must inform Client without undue delay and no later than forty-eight (48) hours after becoming aware of a Personal Data Breach. Textel must, either in the initial notice or in subsequent notices as soon as the information becomes available, inform Client of the nature of the Personal Data Breach, the categories and number of Data Subjects, the categories and amount of Personal Data, the likely consequences of the Personal Data Breach, and the measures taken or proposed to be taken to address the Personal Data Breach and mitigate possible adverse effects. If Textel’s notice or subsequent notices are delayed, they must be accompanied by reasons for the delay.

9. Assistance

9.1.  Taking into account the nature of the Processing, Textel may reasonably assist Client, by implementing appropriate technical and organizational measures, for fulfillment of Client’s own obligations under Data Protection Law, including:

1. Complying with Data Subjects’ requests to exercise Data Subject Rights;

2. Replying to inquiries or complaints from Data Subjects;

3. Replying to investigations and inquiries from Supervisory Authorities;

4. Conducting data protection impact assessments, and prior consultations with Supervisory Authorities; and

5. Notifying Personal Data Breaches.

9.2.  Unless prohibited by applicable law, Textel must inform Client without undue delay if Textel:

1. Receives a request, complaint or other inquiry regarding the Processing of Personal Data from a Data Subject or Supervisory Authority;

2. Receives a binding or non-binding request to disclose Personal Data from law enforcement, courts or any government body;

3. Is subject to a legal obligation that requires Textel to Process Personal Data in contravention of Client’s instructions;

4. Is otherwise unable to comply with Data Protection Law or this DPA.

9.3.  Unless prohibited by applicable law, Textel must obtain Client’s written authorization before responding to, or complying with any requests, orders, or legal obligations referred to in Section 9.2.

10. Accountability

10.1. Textel must maintain records of Processing of Personal Data, including at a minimum the categories of information required under Data Protection Law.

10.2. Textel shall not be responsible for assessing any instruction or verifying the lawfulness of any instructions from Client for the Processing of Personal Data. Textel may inform Client if Textel believes that an instruction of Client violates Data Protection Law.  Textel may suspend Processing in its discretion, until Client has modified or confirmed the lawfulness of the instructions in writing.

11. Liability

11.1. Textel is fully liable to Client for any infringements of Data Protection Law or this DPA by Textel or Textel’s Subprocessors.

11.2. Client represents and warrants that on the effective date of this DPA and during the term of this DPA:

1. Personal Data has been and will be collected and Processed by Client in accordance with the Data Protection Laws;

2. The Processing of Personal Data in accordance with this DPA by Textel will not violate the Data Protection Laws;

3. Client shall provide Data Subjects with appropriate opt-outs where applicable under the Data Protection Laws, and shall inform Textel of any exercise of such rights by a Data Subject; and

4. Client will take all steps necessary to ensure it achieves the foregoing, including without limitation, by providing Data Subjects with appropriate privacy notices, obtaining any required consent, and ensuring that there is a lawful basis for Textel to Process Personal Data.

12. Confidentiality

Textel must keep all Personal Data and all information relating to the Processing thereof, in strict confidence.

13. Term and duration of the Processing

13.1. The Processing will last no longer than the term of the Agreement.

13.2. Upon termination of the Processing, Textel must, at Client’s choice, delete or return all Personal Data and must delete all remaining copies within ninety (90) days after confirmation of Client’s choice.  The foregoing shall be subject to any prohibitions under applicable law.

13.3. This DPA is terminated upon Textel’s deletion of all remaining copies of Personal Data in accordance with Section 13.2.

14. Modification of this DPA

This DPA may only be modified by a written amendment signed by both Client and Textel.

15. Invalidity and severability

If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

Appendix 1

Description of the Processing

1. Data Subjects

The Personal Data Processed concern the following categories of Data Subjects (please specify):

2.     Categories of Personal Data

The Personal Data Processed concern the following categories of data (please specify):

3.     Sensitive Data

The Personal Data Processed concern the following special categories of data (please specify): None

4.     Processing operations

The Personal Data will be subject to the following basic Processing activities (please specify):

Appendix 2

Security Measures

Description of the technical and organizational security measures implemented by the data importer in accordance with Section II, Clause 1.6(a) (or document/legislation attached): 

Textel has in place, and shall maintain technical and organizational security measures including:

i. Asset Management. Textel creates and maintains an inventory of all computer systems utilized by Textel to Process Personal Data.

ii. Human Resources Security. Textel informs all personnel of Textel’s security obligations under the DPA and conducts identity verification background checks of such personnel prior to such personnel performing any aspect of the Services.

iii. Physical and Environmental Security. Textel maintains IT infrastructure that Process Personal Data in a secured area that is protected by a defined security perimeter, with appropriate security barriers and entry controls. Textel environmentally regulates any such defined security perimeter so that the appropriate climate and temperature is maintained to avoid disruptions in the Services.

iv. Encryption. Textel stores all Personal Data in encrypted form using a commercially supported encryption solution.

v. Communications and Operations Management. Textel deploys anti-virus software on all systems commonly affected by computer viruses and/or malicious code. Textel implements and maintains firewalls at the network perimeter between Textel’s internal (private) and public (Internet) networks.

vi. Access Control. Textel implements access controls on any computer system associated with the Service. This includes: (1) user authentication that uses unique identifiers (“User ID”) for each individual; (2) complex password policy that is enforced for each User ID requiring, at minimum, passwords of at least seven characters in length; (3) user access rights/privileges to information resources containing Personal Data that must be granted on a need-to-know basis consistent with role-based authorization; (4) user access to Personal Data is immediately removed upon user separation or role transfer eliminating valid business need for continued access; and (5) default passwords and security parameters are changed in third-party products/applications used to Process Personal Data.

vii. Business Continuity Management. Textel maintains a business continuity plan that will enable Textel, within a reasonable period of time after the occurrence of a disaster, to restore and provide the affected Service to a condition where such Service conforms to the requirements set forth in the Agreement (“Business Continuity Plan”). 

Appendix 3

Subprocessors and International Data Transfers

 Client authorizes Textel to engage the following Subprocessors:

Client authorizes Textel to transfer Personal Data in the following countries:

Appendix 4

Jurisdiction Specific Terms

1.     Europe

1.1.  Objection to Subprocessors. Client may object in writing to Textel’s appointment of a new Subprocessor within five (5) calendar days of receiving notice in accordance with Section 5 of the DPA, provided that such objection is based on reasonable grounds relating to data protection. In such event, the parties shall discuss such concerns in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Textel will, at its sole discretion, either not appoint such Sub-processor, or permit Client to suspend or terminate the affected Service in accordance with the termination provisions in the Agreement without liability to either party (but without prejudice to any fees incurred by Client prior to suspension or termination).

1.2.  Government data access requests. As a matter of general practice, Textel does not voluntarily provide government agencies or authorities (including law enforcement) with access to or information about Textel accounts (including Personal Data). If Textel receives a compulsory request (whether through a subpoena, court order, search warrant, or other valid legal process) from any government agency or authority (including law enforcement) for access to or information about a Textel account (including Personal Data) belonging to Client whose primary contact information indicates the data subject is located in Europe, Textel shall: (i) review the legality of the request; (ii) inform the government agency that Textel is a processor of the data; (iii) attempt to redirect the agency to request the data directly from Client; (iv) notify Client via email sent to Client’s primary contact email address of the request to allow Client to seek a protective order or other appropriate remedy; and (v) provide the minimum amount of information permissible when responding to the agency or authority based on a reasonable interpretation of the request. As part of this effort, Textel may provide Client’s primary and billing contact information to the agency. Textel shall not be required to comply with this paragraph 2 if it is legally prohibited from doing so, or it has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual, public safety, or Textel’s property, or the Service, but where Textel is legally prohibited from notifying Client of requests it shall use its best efforts to obtain a waiver of the prohibition.

2.     California

2.1.  The following additional terms apply related to the Processing of Personal Data of California residents:

a) Each of the parties will comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).

b) To the extent Textel receives from Client any personal information (as defined in the CCPA/CPRA) of any “consumer” (as defined in the CCPA/CPRA) for processing (as defined in the CCPA/CPRA) on behalf of the Client pursuant to the Agreement, Textel shall:

2.1.b.1.1. be a “service provider” to the Client under the CCPA/ CPRA

2.1.b.1.2. not retain, use, or disclose the personal information for any purpose other than for the specific purpose of the Services or as otherwise permitted by the CCPA/CPRA, including for any “business purpose” (as defined in the CCPA);

2.1.b.1.3. not retain, use, or disclose the personal information for a “commercial purpose” (as defined in the CCPA/CPRA) other than providing the Services;

2.1.b.1.4. not “sell” the personal information (as “sell” is defined in the CCPA/CPRA); and

2.1.b.1.5. promptly (and, in any case within seven days of receipt) comply with the Client’s written instructions with responding to an individual’s request to exercise their privacy rights with respect to their personal information.

2.2. If Textel authorizes any subcontractor, service provider or third party to Process personal information of the Client, Textel shall into contractual provisions so that such subcontractor, service provider or third party is a “service provider” as defined in the CCPA/CPRA and not a “third party” as defined in the CCPA/CPRA.

3.     Canada

3.1.  The following additional terms apply related to the Processing of Personal Data of Canadian residents:

a) Textel takes steps to ensure that Textel’s Subprocessors, as described in Section 5 (Subprocessing) of the DPA, are third parties under PIPEDA, with whom Textel has entered into a written contract that includes terms substantially similar to this DPA. Textel conducts appropriate due diligence on its Subprocessors.

b) Textel will implement technical and organizational measures as set forth in Section 8 of the DPA.

 Appendix 5

Standard Contractual Clauses (European Union)

Having regard to the European Commission’s implementing decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council. 

Client

The data exporting organization (the “data exporter“)

– And-

Textel

(the “data importer“)

each a “party”; together “the parties”,

HAVE AGREED on the Contractual Clauses for the transfer of personal data to third countries from a data controller in the European Economic Area to a data processor in the United States pursuant to the European Commission implementing decision of 4 June 2021 on Standard Contractual Clauses for the transfer of Personal Data to Processors established in third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council (the Clauses) in order to adduce adequate safeguards with respect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the data exporter to the data importer of the personal data specified in Appendix 1.

The Clauses are attached hereto by reference with the options and optional modules selected as follows:

·       All Sections: Module TWO.

·       Section II, Clause 9(a): OPTION 2, general written authorization for sub-processing.

·       Section III, Clause 11(a): OPTION NOT INCLUDED.

·       Section IV, Clause 17: OPTION 1, the location of the data exporter.

·       Section IV, Clause 18: the jurisdiction associated with the data exporter. 

Annex I, II, and III are attached to Clauses hereto.

Annex I to Appendix 5

A. LIST OF PARTIES

         Data Exporter(s): Client, the Data Controller

         Data Importer(s): Textel, the Data Processor

B. DESCRIPTION OF THE TRANSFER

The parties agree that the details of Textel’s processing activities are set forth in Appendix 1 to the Addendum.

Annex II to Appendix 5

TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA.

The parties agree that the technical and organization measures are set forth in Appendix 2 to the Addendum.

Annex III to Appendix 5

LIST OF SUBPROCESSORS 

The Parties agree that the list of approved sub-processors is set forth in Appendix 3 to the Addendum.

Appendix 6 

Transfer Impact Assessment

This Transfer Impact Assessment (“TIA”) provides information to help Client conduct data transfer impact assessments in connection with use of our Services, factoring in the “Schrems II” ruling of the Court of Justice for the European Union and the recommendations from the European Data Protection Board. 

This document describes the legal landscape that applies to Textel in the US, the safeguards Textel puts in place regarding transfers of personal data from the European Economic Area, United Kingdom, or Switzerland, and Textel’s efforts to comply with its obligations as a data importer under the Standard Contractual Clauses (“SCCs”).

1.     Step 1: Know your transfer

Where Textel processes Personal Data governed by European data protection laws as a data processor, Textel complied with its obligations under this DPA. This Textel DPA incorporates the SCCs and describes Textel’s processing of personal data and Textel’s security measures.

Please see Appendix 1, 2, and 3 of this DPA for information on the nature of Textel’s processing activities in connection with the provision of the Service, the types of Personal Data processed, and the categories of data subjects.

In connection with providing our Service, Textel only stores Personal Data associated with client accounts in the U.S.

Textel does not typically transfer personal data outside the country or region agreed-upon with the customer. In rare cases where we are required to produce personal data in order to comply with our legal obligations, such as in response to a demand pursuant to a subpoena or law enforcement request, we will produce (transfer) it to that party. See our privacy policy  for more information.

2.     Step 2: Identify the transfer took relied upon

Where Personal Data originating from Europe is transferred to Textel, Textel relies upon the European Commission’s SCCs to provide an appropriate safeguard for the transfer, as described in detail in this DPA. Where Personal Data originating from the UK is transferred to Textel, Textel relies upon the UK Addendum to provide an appropriate safeguard for the transfer, as described in detail in this DPA.

3.     Step 3: Assess whether the transfer tool relied upon is effective in light of the circumstances of the transfer U.S. Surveillance Laws

There are a number of surveillance laws in effect in the US. The ECJ of the European Union has identified certain laws as being potential obstacles to the protection of personal data in the US, including FISA Section 702, Executive Order 12333, and the CLOUD Act. New laws may be enacted.

Textel could technically be subject to FISA 702 where it is deemed to be a service provider, but we do not typically process Personal Data that would be of interest to US intelligence agencies. Also, 702 requires an independent court to authorize a specific type of foreign intelligence data acquisition which is generally unrelated to the types of data we collect. EO 12333 does not authorize the government to compel private companies such as Textel to disclose personal data to US authorities.

We have not been subject to requests under these laws in our day-to-day business operations.

4.     Step 4: Identify the technical, contractual and organizational measures applied to protect the transferred data

For information on the technical and organizational measures and practices and procedures Textel takes to secure Personal Data, see our Appendix 2 to this DPA.

5.     Step 5: Procedural steps necessary to implement effective supplementary measures

Given all of the above information provided in this document, and our considerable experience in protecting Personal Data combined with our legal and contractual obligations, we believe that any perceived risks in transferring and processing the Personal Data of European and UK residents are low. As such, no additional supplementary measures are necessary at this time.

6.     Step 6: Re-revaluate at appropriate intervals

Textel is committed to reviewing the risks of applicable transfers over time in response to changes in laws and other factors.

Legal Notice: Please make your own independent assessment. The information in this document is for informational purposes only, reflects the current Textel Service – which is subject to change without notice, and does not create any commitments or assurances, warranties, or guarantees as to any such matters. This document is not part of, nor does it modify, any agreement between Textel and any customer.