Data Processing Agreement

Updated June 2022

This Data Processing Agreement (“DPA”) is an agreement between you and the entity you represent (Customer, “You or “Your”) and the phData Contracting Party (together, “phData”). This DPA also supplements any agreement between Customer and phData governing the Services when the GDPR applies to the Services to process Customer Data (the “Agreement”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA have the meanings given to them in Section 16 of this DPA.

  1. Data Processing
    1. This DPA applies when Customer Data is processed by phData.
    2. Details of Data Processing.
      1. Subject Matter. The subject matter of the data processing under this DPA is Customer Data.
      2. Duration. As between phData and Customer, the duration of the data processing under this DPA is determined by Customer.
      3. Business Purpose. The purpose of the data processing under this DPA is the provision of Services initiated by Customer from time to time (the “Business Purpose”).
      4. Nature of the processing. Technology consulting, SaaS, and such other Services as described in the Agreement.
      5. Type of Customer Data. All Customer Data in phData’s technology environment.
      6. Categories of Data Subjects. The Data Subjects could include Customer’s employees, customers, or suppliers.
    3. Customer retains control of Customer Data and remains responsible for Customer’s compliance obligations under the applicable Privacy and Data Protection Requirements, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to phData.
  2.  
  3. phData’s Obligations
    1. phData will only process Customer Data to the extent, and in such a manner, as is necessary for the Business Purpose in accordance with Customer’s written instructions. phData will not process Customer Data for any other purpose. phData must promptly notify Customer if, in its opinion, Customer’s instruction would not comply with the Privacy and Data Protection Requirements.
    2. phData must promptly comply with any Customer request or instruction requiring phData to amend, transfer, or delete Customer Data, or to stop, mitigate, or remedy any unauthorized processing.
    3. phData will maintain the confidentiality of all Customer Data, will not sell it to anyone, and will not disclose it to third parties unless Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law requires phData to process or disclose Customer Data, phData must first inform Customer of the legal requirement and give Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
    4. phData will reasonably assist Customer with meeting Customer’s compliance obligations under the Privacy and Data Protection Requirements, taking into account the nature of phData’s processing and the information available to phData.
    5. phData must promptly notify Customer of any changes to Privacy and Data Protection Requirements that may adversely affect phData’s performance of this DPA or the Agreement.
    6. Customer acknowledges that phData is under no duty to investigate the completeness, accuracy, or sufficiency of any specific Customer instructions or Customer Data other than as required under the Privacy and Data Protection Requirements.
    7. phData will only collect Customer Data for Customer using a notice or method that Customer specifically pre-approves in writing, which contains an approved data privacy notice informing the Data Subject of Customer’s identity and its appointed data protection representative, if applicable, the purpose or purposes for which their Customer Data will be processed, and any other information that is required by applicable Privacy and Data Protection Requirements. phData will not modify or alter the notice in any way without Customer’s prior written consent.
  4.  
  5. Provider’s Employees
    1. phData will limit Customer Data access to:
      1. those employees who require Customer Data access to meet phData’s obligations under this PIPA and the Master Agreement; and
      2. the part or parts of Customer Data that those employees strictly require for the performance of their duties.
    2. phData will ensure that all employees:
      1. are informed of Customer Data’s confidential nature and use restrictions;
      2. have undertaken training on the Privacy and Data Protection Requirements relating to handling Customer Data and how it applies to their particular duties; and
      3. are aware of their personal duties and obligations under the Privacy and Data Protection Requirements and this DPA.
    3. phData will take reasonable steps to ensure the reliability, integrity, and trustworthiness of, and conduct background checks consistent with applicable law on, all of phData’s employees with access to Customer Data.
  6.  
  7. Security
    1. phData must at all times implement appropriate technical and organizational measures designed to safeguard Customer Data against unauthorized or unlawful processing, access, copying, modification, storage, reproduction, display, or distribution, and against accidental loss, destruction, or damage. phData must document those measures in writing and periodically review them, at least annually, to ensure they remain current and complete. phData has implemented and will maintain the technical and organizational measures for the Services as described in Appendix B (phData Data Security Standards).
    2. phData will immediately notify Customer if it becomes aware of any advance in technology and methods of working, which indicate that the parties should adjust their security measures.
    3. phData must take reasonable precautions to preserve the integrity of any Customer Data it processes and to prevent any corruption or loss of Customer Data, including but not limited to establishing effective back-up and data restoration procedures.
  8.  
  9. Security Breaches and Customer Data Loss
    1. phData will promptly notify Customer if any Customer Data is lost or destroyed.
    2. phData will immediately notify Customer if it becomes aware of:
      1. any unauthorized or unlawful processing of Customer Data; or
      2. any Security Breach.
    3. Immediately following any unauthorized or unlawful Customer Data processing or Security Breach, the parties will co-ordinate with each other to investigate the matter. phData will reasonably co-operate with Customer in Customer’s handling of the matter, including:
      1. assisting with any investigation;
      2. providing Customer with physical access to any facilities and operations affected;
      3. facilitating interviews with phData’s employees, former employees, and others involved in the matter; and
      4. making available all relevant records, logs, files, data reporting, and other materials required to comply with all Privacy and Data Protection Requirements or as otherwise reasonably required by Customer.
    4. phData will not inform any third party of a Security Breach without first obtaining Customer’s prior written consent, except when law or regulation requires it.
    5. phData agrees that Customer has the sole right to determine:
      1. whether to provide notice of the Security Breach to any Data Subjects, regulators, law enforcement agencies, or others, as required by law or regulation or in Customer’s discretion, including the contents and delivery method of the notice; and
      2. whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
    6. phData will cover all reasonable expenses associated with the performance of the obligations under 5.2 and 5.3, unless the matter arose from Customer’s specific instructions, negligence, willful default, or breach of this DPA or the Agreement, in which case Customer will cover all reasonable expenses.
    7. phData will also reimburse Customer for actual reasonable expenses Customer incurs when responding to and mitigating damages, to the extent that phData caused a Security Breach, including all costs of notice and any remedy as set out in 5.5.
  10.  
  11. Cross-Border Transfers of Customer Data
    1. If the Privacy and Data Protection Requirements restrict cross-border Customer Data transfers, Customer will only transfer that Customer Data to phData under the following conditions:
      1. phData, either through its location or participation in a valid cross-border transfer mechanism under the Privacy and Data Protection Requirements may legally receive that Customer Data, however, phData must immediately notify Customer of any change to that status; or
      2. Customer obtained valid Data Subject consent to the transfer under the Privacy and Data Protection Requirements.
    2. If any Customer Data transfer between phData and Customer requires execution of Standard Contractual Clauses in order to comply with the Privacy and Data Protection Requirements, the parties will complete all relevant details in, and execute, the Standard Contractual Clauses contained in Appendix A, and take all other actions required to legitimize the transfer, including, if necessary:
      1. co-operating to register the Standard Contractual Clauses with any supervisory authority in any European Economic Area country;
      2. procuring approval from any such supervisory authority; or
      3. providing additional information about the transfer to such supervisory authority.
    3. phData will not transfer any Customer Data to another country unless the transfer complies with the Privacy and Data Protection Requirements.
  12.  
  13. Subcontractors
    1. phData may only authorize a third party (subcontractor) to process Customer Data if:
      1. Customer is given an opportunity to object within ten (10) days after phData supplies Customer with full details regarding such subcontractor; and
      2. phData enters into a written contract with the subcontractor that contains terms substantially the same as those set out in this DPA, upon Customer’s written request, provides Customer with copies of such contracts.
    2. phData utilizes the approved subcontractors in Appendix C.
    3. Where the subcontractor fails to fulfill its obligations under such written agreement, phData remains fully liable to Customer for the subcontractor’s performance of its obligations in this DPA.
    4. The Parties consider phData to control any Customer Data controlled by or in the possession of its subcontractors.
    5. Upon Customer’s written request, phData will audit a subcontractor’s compliance with its obligations regarding Customer’s Customer Data and provide Customer with the audit results.
  14.  
  15. Complaints, Data Subject Requests, and Third Party Rights
    1. phData must notify Customer immediately if it receives any complaint, notice, or communication that directly or indirectly relates to Customer Data processing or to either party’s compliance with the Privacy and Data Protection Requirements.
    2. phData must notify Customer within five (5) working days if it receives a request from a Data Subject for access to or deletion of their Customer Data.
    3. phData will give Customer its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request.
    4. phData must not disclose Customer Data to any Data Subject or to a third party unless the disclosure is either at Customer’s request or instruction, permitted by this DPA, or is otherwise required by law.
  16.  
  17. Term and Termination
    1. This DPA will remain in full force and effect so long as:
      1. the Agreement remains in effect; or
      2. phData retains any Customer Data related to the Agreement in its possession or control (the “Term”).
    2. Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Agreement in order to protect Customer Data will remain in full force and effect.
    3. phData’s failure to comply with the terms of this DPA is a material breach of the Agreement. In such event, Customer may terminate any part of the Agreement authorizing the processing of Customer Data effective immediately upon written notice to phData.
    4. If a change in any Privacy and Data Protection Requirement prevents either party from fulfilling all or part of its Agreement obligations, the parties will suspend the processing of Customer Data until that processing complies with the new requirements. If the parties are unable to bring Customer Data processing into compliance with the Privacy and Data Protection Requirement within a reasonable amount of time in accordance with applicable law, they may terminate the Agreement upon written notice to the other party.
  18.  
  19. Data Return and Destruction
    1. At Customer’s request, phData will give Customer a copy of or access to all or part of Customer’s Customer Data in its possession or control in the format and on the media reasonably specified by Customer.
    2. On termination of the Agreement for any reason or expiration of its term, phData will securely destroy or, if directed in writing by Customer, return and not retain, all or any Customer Data related to this DPA in its possession or control, except for one copy that it may retain and use for three (3) years for audit purposes only.
    3. phData will certify in writing that it has destroyed Customer Data within five (5) working days after it completes the destruction.
  20.  
  21. Records
    1. phData will keep detailed, accurate, and up-to-date records regarding any processing of Customer Data it carries out for Customer, including but not limited to, the access, control, and security of Customer Data, approved subcontractors and affiliates, the processing purposes, and any other records required by the applicable Privacy and Data Protection Requirements (the “Records”).
    2. phData will ensure that the Records are sufficient to enable Customer to verify phData’s compliance with its obligations under this DPA.
  22.  
  23. Audit
    1. At least once per year, phData will conduct audits of its Customer Data processing practices and the information technology and information security controls for all facilities and systems used in complying with its obligations under this DPA, including, but not limited to, obtaining a network-level vulnerability assessment performed by a recognized third-party audit firm based on recognized industry best practices.
    2. Upon Customer’s written request, phData will make all of the relevant audit reports available to Customer for review, including as applicable: phData’s latest Payment Card Industry (PCI) Compliance Report, WebTrust, Systrust, Statement on Standards for Attestation Engagements (SSAE) No. 18 audit reports for Reporting on Controls at a Service Organization, reports relating to its ISO/IEC 27001 certification.
    3. phData will promptly address any issues, concerns, or exceptions noted in the audit reports with the development and implementation of a corrective action plan by phData’s management.
  24.  
  25. Warranties
    1. phData warrants and represents that:
      1. its employees, subcontractors, agents, and any other person or persons accessing Customer Data on its behalf are reliable and trustworthy and have received the required training on the Privacy and Data Protection Requirements relating to Customer Data; and
      2. it and anyone operating on its behalf will process Customer Data in compliance with both the terms of this DPA and all applicable Privacy and Data Protection Requirements; and
      3. it has no reason to believe that any Privacy and Data Protection Requirements prevent it from providing any of the Agreement’s Services; and
      4. considering the current technology environment and implementation costs, it will take appropriate technical and organizational measures to prevent the unauthorized or unlawful processing of Customer Data and the accidental loss or destruction of, or damage to, Customer Data, and ensure a level of security appropriate to:
        1. the harm that might result from such unauthorized or unlawful processing or accidental loss, destruction, or damage; and
        2. the nature of Customer Data protected; and
        3. comply with all applicable Privacy and Data Protection Requirement and its information and security policies.
    2. Customer warrants and represents that phData’s expected use of Customer Data for the Business Purpose and as specifically instructed by Customer will comply with all Privacy and Data Protection Requirements.
  26.  
  27. Indemnification
    1. phData agrees to indemnify, keep indemnified, and defend at its own expense Customer against all costs, claims, damages, or expenses incurred by Customer or for which Customer may become liable due to any material breach of this DPA by phData or its employees, subcontractors, or agents to comply with any of its obligations under this DPA or applicable Privacy and Data Protection Requirements.
    2. Any limitation of liability set forth in the Agreement between you and phData will apply to this DPA’s indemnity or reimbursement obligations.
  28.  
  29. Notice
    1. Any notice or other communication given to phData under or in connection with this DPA must be in writing and delivered to phData at: 400 South Fourth Street, Suite 401, Minneapolis, MN 55415, United States of America, Attention: Privacy.
    2. 15.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
  30.  
  31. Definitions and Interpretation
    1. Unless otherwise defined in this Agreement, all capitalized terms used in this DPA will have the meanings given to them below:

“Data Subject” means an individual who is the subject of Customer Data.

“Customer Data” means the “personal data” (as defined in GDPR) that enters phData’s Network.  

“GDPR”means Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). 

“phData Contracting Party Subject” means the applicable phData entity providing Services to Customer. 

“phData Network” means phData’s host software systems that are within phData’s control and are used to provide the Services.  

“Processing “ has the meaning given to it in the GDPR.

“Processor”has the meaning given to it in the GDPR. 

“Privacy and Data Protection Requirements” means all applicable federal, state, and foreign laws and regulations relating to the processing, protection, or privacy of Customer Data, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. 

“Security Breach” means a breach of phData’s Network leading to the accidental or unlawful destruction, loss, unauthorized disclosure of, or access to, Customer Data. 

“Services”means 

“Standard Contractual Clauses (SCC)”means the European Commission’s standard contractual clauses for the transfer of personal data from the European Union to third countries (Module One, Two, Three, and Four), as set out in the Annex to Commission Decision (EU) 2021/914, a completed copy of which comprises Appendix A.

  1. The Appendices form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Appendices.
  2. A reference to writing or written includes email.
  3. In the case of conflict or ambiguity between:
    1. any provision contained in the body of this DPA and any provision contained in the Appendices, the provision in the body of this DPA will prevail;
    2. the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Appendices, the provision contained in the Appendices will prevail; 
    3. any of the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA will prevail; and
    4. any of the provisions of this DPA and any executed Standard Contractual Clauses, the provisions of the executed Standard Contractual Clauses will prevail.

APPENDIX A

Standard Contractual Clauses

The Standard Contractual Clauses, available at: https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en, as may be amended from time to time. 

APPENDIX B

phData Security Standards 

phData implements and maintains appropriate technical and organizational measures to protect against unlawful destruction, loss, alteration, disclosure of, or access to, Customer Data. These measures comply with the requirements set forth in ISO/IEC 27001, ISO/IEC 27701, and SOC 2 Type 2.

  1. Permitted Use.  phData will use and disclose Customer Data only for the Business Purpose, or purposes for which Customer provides the Customer Data. No Information is transmitted through, stored, or otherwise processed by phData’s systems in the provision of Services.
  2.  
  3. Connectivity & Transmission. Customer is responsible for granting appropriate access to phData as necessary to enable phData to provide the Services. To the extent phData may transmit any Customer Data, phData uses industry-recognized encryption technologies that provide reasonable assurance it will protect the encrypted information from unauthorized access and is adequate to protect the confidentiality and privacy of the encrypted information.
  4.  
  5. Authorized Disclosure. phData will not disclose Customer Data to any person other than phData’s employees, contractors, agents, and auditors who have a need to know or otherwise access Customer Data to enable phData to perform the Services ( “Authorized Personnel” ) without Customer’s prior written consent unless required by applicable law, in which case, phData will use reasonable efforts to the extent permitted by applicable law to notify Customer before such disclosure or as soon as reasonably practicable thereafter.
  6.  
  7. Security Incidents.  phData maintains an Incident Response Plan in accordance with generally recognized industry standards and will implement the procedures required under such plan on the occurrence of any Security Breach. phData will notify Customer of a Security Breach as soon as reasonably practicable after phData becomes aware of it.
  8.  
  9. Independent Audit.  Annually, phData obtains an audit performed by an independent third party based on generally recognized industry standards. Upon Customer’s written request, phData will make all relevant audit reports available to Customer for review.
  10.  
  11. Return or Disposal of Information. Upon Customer’s written request, phData will promptly return to Customer or securely dispose of all Customer Data in its possession but may retain copies contained in archived computer system backups in accordance with security or disaster recovery procedures or to the extent required by law, regulation, or internal compliance procedures. Customer is responsible for terminating phData’s access after completion of Services.

Controller consents to the use of the following sub-processors:

Subprocessor Address/County Description of Services Provided by Subprocessors
Amazon Web Services, Inc Worldwide Infrastructure-as-a-Service
Atlassian Corporation Plc Worldwide Software-as-a-Service
Okta, Inc. Worldwide Software-as-a-Service
Salesforce Worldwide Software-as-a-Service
Docebo Worldwide Software-as-a-Service
Calendly Worldwide Software-as-a-Service
data-process-table

Have additional questions?

Accelerate and automate your data projects with the phData Toolkit

Data Coach is our premium analytics training program with one-on-one coaching from renowned experts.