
PhyStack Data Processing Addendum (DPA)

Background and Scope

1.1 This Data Processing Addendum (this "DPA") constitutes an agreement between a controller and a processor as required by the GDPR (as defined below) and consists of this main document and the Specification (as defined below). Where applicable and subject to Section 6, standard contractual clauses adopted by the EU Commission from time to time shall be deemed incorporated into this DPA by reference. This DPA and the Terms of Service jointly form the Agreement. PhyStack will, as part of the Service, process Covered Personal Data (as defined below) on behalf of Customer and thus be Customer's processor.

1.2 If Covered Personal Data includes personal data for which a third party is the data controller, Customer warrants and represents that it has been instructed by and obtained the mandate and authorization of all relevant data controllers to enter into this DPA with PhyStack on behalf of such third party data controller.

1.3 For the avoidance of doubt, Personal Data collected and processed by PhyStack as the data controller is not subject to this DPA. Please see PhyStack's Privacy Policy for further information.

Interpretation and Definitions

2.1 This DPA constitutes an addendum and an integrated part of the Agreement. In the event of inconsistencies between any section in other Agreement documents and this DPA in regards to PhyStack's processing of Covered Personal Data, this DPA shall prevail and apply in lieu of such inconsistent section in other Agreement documents. Notwithstanding the foregoing, standard contractual clauses shall (if incorporated) have the highest priority in the event of any conflict or inconsistency with this DPA or other parts of the Agreement.

2.2 Terms that are legally defined in the GDPR, such as "controller", "processor", "personal data", "processing" and "data subject", shall be construed and applied in accordance with the GDPR.

2.3 Terms defined in the Terms of Service shall have the same meaning when used in this DPA with an initial capital letter.

2.4 In addition to the preceding Sections and to the terms defined above, the following terms shall have the meanings stated below:

"GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

"Covered Personal Data": Personal data that is processed by PhyStack on behalf of Customer, see the Specification.

"Specification": Means Annex A to this main document.

"Supervisory Authority": A Swedish or EU authority such as the Swedish Authority for Privacy Protection (Sw. Integritetsskyddsmyndigheten) and, where applicable, any other supervisory authority with regulatory jurisdiction over Customer's business operations.

Lawful Processing

3.1 PhyStack undertakes to process Covered Personal Data in accordance with the GDPR, this DPA, the Agreement and Customer's written and documented instructions from time to time in accordance with Section 4.

Instructions

4.1 PhyStack and any Subprocessors and persons acting under the authority of PhyStack may only process Covered Personal Data in accordance with Customer's written and documented instructions. Customer's instructions upon entering into this DPA follow from this DPA and the Agreement.

4.2 If the Customer has engaged an Approved Partner who is a Certified Solution Provider (as described in the Agreement), then Customer hereby instructs PhyStack to disclose and make available relevant Covered Personal Data to the Approved Partner to enable such Approved Partner to be able to provide application development and/or support services and other value-adds to the Customer. Following disclosure of Covered Personal Data by PhyStack to an Approved Partner in accordance with this Section 4.2, the relevant personal data will subsequently be processed by the Approved Partner as a data controller (unless otherwise agreed between the Customer and the Approved Partner).

4.3 The Customer has the right to continuously instruct PhyStack in writing regarding the processing of Covered Personal Data ("Additional Instructions"), and PhyStack has a corresponding obligation to follow such Additional Instructions, provided that they are consistent with the terms and scope of the Agreement and this DPA.

4.4 If, in PhyStack's opinion, Customer's instructions might infringe the GDPR, PhyStack shall without undue delay notify Customer and await further instructions before continuing any processing of Covered Personal Data.

4.5 This DPA will not in any way prevent or limit PhyStack from processing Personal Data to the extent necessary in order to comply with legal requirements under the GDPR and/or other laws to which PhyStack is subject.

4.6 Notwithstanding any provisions regarding choice of law agreed between the parties in the Agreement, PhyStack will comply with data protection legislation applicable to data processors located in the EU, and the Customer shall comply with data protection legislation applicable to Customer as data controller.

Technical and Organizational Measures

5.1 PhyStack shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the processing of Covered Personal Data. The Customer agrees and acknowledges that technical and organizational measures are subject to technical progress and further development. Accordingly, PhyStack reserves the right to modify such measures provided that the functionality and security of the Service is not significantly degraded as a result thereof. The Customer hereby discharges PhyStack of any obligation to notify and/or obtain prior approval from Customer of such changes. If the Customer so requests in writing, PhyStack shall provide information about the technical and organizational security measures which PhyStack has implemented, within fifteen (15) business days from Customer's request.

5.2 PhyStack shall ensure that only personnel who need access to Covered Personal Data in order to fulfil their obligations towards Customer have access to Covered Personal Data and that any person who has access to Covered Personal Data is subject to appropriate confidentiality undertakings, as determined by PhyStack (in its reasonable discretion).

5.3 PhyStack shall, at no additional cost for Customer, comply with the Supervisory Authority's applicable decisions, guidelines and recommendations on necessary or recommended measures to comply with the security requirements in the GDPR.

Transfer of Covered Personal Data Outside the EU/EEA

6.1 Customer agrees that PhyStack or any of its Subprocessors may process Covered Personal Data on equipment, infrastructure or through resources that are physically located outside the EU/EEA, for the performance of PhyStack's undertakings under the Agreement and provided that PhyStack ensures a valid Transfer Mechanism.

6.2 A valid "Transfer Mechanism" is any of the following:

a) the third country in which the data recipient resides provides an adequate level of protection for Covered Personal Data, according to a valid adequacy decision by the EU Commission; or

b) PhyStack and the data recipient enter into standard contractual clauses adopted by the EU Commission from time to time and Customer hereby authorizes and mandates PhyStack to enter into such standard contractual clauses on behalf of the Customer (if required); or

c) the cross-border transfer is otherwise made in accordance with Chapter V of the GDPR.

6.3 Regardless of PhyStack's choice of Transfer Mechanism, PhyStack shall take appropriate safeguards to ensure a level of protection for Covered Personal Data which is essentially equivalent to that of the GDPR.

6.4 If during the term of the DPA, the EU Commission issues new or revised standard contractual clauses, such updated clauses shall automatically be incorporated and supersede the prior standard contractual clauses under this DPA, unless otherwise notified to Customer in writing by PhyStack. Where deemed necessary by PhyStack, the Parties shall at their own cost take necessary actions (if any) to properly implement the updated standard contractual clauses.

Obligation to Provide Information and Assist Customer

7.1 PhyStack shall assist Customer by appropriate technical and organizational measures for fulfilment of Customer's obligations regarding Covered Personal Data, such as to respond to requests on the exercise of data subjects' rights and, without undue delay, rectify, erase, restrict and/or block the processing of Covered Personal Data in accordance with Customer's instructions and to always do so in accordance with the GDPR.

7.2 PhyStack undertakes to notify Customer in writing of any personal data breach involving Covered Personal Data, attributable to PhyStack or any of its Subprocessors, without undue delay after the personal data breach is detected by PhyStack. The notification shall be sent to the Customer's contact person (as specified in the Agreement).

7.3 PhyStack's notification to the Customer in accordance with Section 7.2 shall include the following information:

a) a description of the nature of the personal data breach including the categories and approximate number of data subjects concerned and the categories and approximate number of Covered Personal Data records concerned; and

b) a description of the measures taken or proposed to be taken by PhyStack to address the Covered Personal Data breach, including, where appropriate, measures to mitigate its possible adverse effects.

7.4 Where, and in so far as, it is not possible to provide the information at the same time, PhyStack may provide the information to the Customer in phases and without undue delay.

7.5 If a personal data breach is attributable to the Customer, PhyStack shall only be responsible for notifying Customer about the personal data breach and await written instructions from Customer about whether or not Customer wishes PhyStack to investigate the personal data breach on behalf of Customer (at Customer's sole cost).

7.6 PhyStack shall otherwise, upon Customer's request, assist Customer to ensure that Customer can fulfil its obligations under the GDPR, including but not limited to providing Customer with all information that may reasonably be required to demonstrate PhyStack's compliance with its obligations as a processor set out in the GDPR. Such assistance may include data protection impact assessments and prior consultations.

Contact with Data Subjects and Supervisory Authorities

8.1 As the data controller, Customer shall act as the single-point-of-contact in relation to data subjects on all matters and issues related to the processing activities carried out under this DPA. PhyStack shall, subject to compensation as set out in Section 13, duly assist Customer in responding to requests from data subjects and to correct, erase, limit and/or block Covered Personal Data in accordance with Customer's instructions.

8.2 In the event that a data subject, Supervisory Authority, or any other third party requests information from PhyStack regarding the processing of Covered Personal Data, PhyStack shall immediately refer such request to Customer, provided that PhyStack is not prohibited from doing so by a decision of a court or public authority.

8.3 If a data subject's Covered Personal Data is not accessible to the Customer through the Service, PhyStack will, as necessary to enable Customer to meet its obligations under applicable data protection legislation, provide reasonable assistance to make such Covered Personal Data available to Customer. PhyStack is entitled to compensation from the Customer for any costs and expenses relating to PhyStack's assistance in accordance with Customer's request pursuant to this Section 8.3.

8.4 If a data subject pursuant to mandatory law is entitled to exercise its right directly vis-à-vis PhyStack, PhyStack shall take relevant measures and shall be discharged of any obligation to inform or notify Customer.

8.5 Customer agrees to provide or distribute information notices to data subjects about specific data processing operations in the Service in accordance with PhyStack's instructions in writing from time to time.

Right to Audit

9.1 To the extent it is not possible to otherwise satisfy an audit obligation mandated by applicable law, PhyStack shall allow Customer, or a third party appointed by Customer, the right to audit PhyStack's business operations and the equipment used for the processing of Covered Personal Data in order to ensure that PhyStack and any Subprocessors engaged by PhyStack, comply with their respective obligations under this DPA and the GDPR. PhyStack shall provide reasonable assistance to Customer in connection with an audit. Audits may not be carried out by a direct competitor of PhyStack.

9.2 Customer undertakes to inform PhyStack of Customer's intention to carry out an audit and its planned scope in reasonable time before an audit. The audit shall be carried out during normal business hours and in a manner that minimizes disturbance on PhyStack's and any Subprocessor's business operations and is otherwise in line with applicable PhyStack practices and policies. Furthermore, Customer shall ensure that each individual performing the inspection is bound by an obligation to follow security instructions and by the same confidentiality obligations as Customer under the Agreement, or, at PhyStack's request, signs a non-disclosure agreement in relation to PhyStack. PhyStack shall under no circumstances be obliged to disclose information that is subject to secrecy in accordance with law or agreement, nor trade secrets or similar information of PhyStack, its other customers or Subprocessors.

9.3 On-site audits shall be subject to at least sixty (60) days' prior written notice by the Customer to PhyStack.

9.4 Customer shall strive to minimize the extent of an audit and conduct audits with a risk-based approach and subject to the principle of proportionality. Any and all costs and expenses related to Customer's audits shall be borne by the Customer, including any potential costs and expenses incurred by PhyStack due to PhyStack's or any Subprocessor's participation in such audit.

9.5 PhyStack may, at its option, conduct internal audits of its processing of Covered Personal Data, in order to verify its compliance with its obligations as a processor in accordance with the GDPR.

9.6 PhyStack shall allow for any audits that a Supervisory Authority requires in order to ensure lawful processing of Covered Personal Data.

Subprocessors

10.1 Customer hereby grants PhyStack a general prior authorization to engage service providers ("Subprocessors") to process Covered Personal Data and to enter into data processing agreements with such Subprocessors with obligations no less restrictive than those set out in this DPA. Furthermore, Customer hereby approves the processing of Covered Personal Data by any Subprocessors engaged by PhyStack at the time of PhyStack and Customer entering into the Agreement, as specified in the Specification (if any).

10.2 PhyStack may replace or add new Subprocessors at any time, provided that PhyStack notifies the Customer of any such change without undue delay, thereby giving Customer the opportunity to object to such change.

10.3 A list of Subprocessors including geographical location can be provided by PhyStack upon Customer's written request.

10.4 Customer may object to a Subprocessor processing Covered Personal Data, provided that such objection is reasonable and based on data protection and protection of data subject's rights and freedoms. If PhyStack is unable to accommodate Customer's objection, Customer may terminate, in whole or in part (where possible), the Agreement including this DPA by providing PhyStack a written notice of termination within one (1) month of PhyStack's notice in accordance with Section 10.2. PhyStack will refund a prorated portion of any pre-paid charges for the period after such termination date.

10.5 PhyStack shall be liable for the acts and omissions of any Subprocessor to the same extent as if the acts or omissions were performed by PhyStack.

Confidentiality

11.1 Each Party's respective confidentiality undertakings under this DPA are set out in the Agreement.

11.2 The confidentiality undertaking in accordance with Section 11.1 is not applicable in relation to Subprocessors with whom PhyStack has entered into a data processing agreement in accordance with Section 10. However, any such data processing agreement shall include a corresponding confidentiality obligation for the Subprocessor.

Liability

12.1 Each Party's respective liability under this DPA is subject to the exceptions and limitations set out in the Agreement.

Compensation

13.1 Unless expressly set out in this Section 13, PhyStack is not entitled to any additional compensation for its performance under this DPA.

13.2 PhyStack is entitled to compensation on a time and material basis, for any work effort under this DPA which is not included in the Service, including work efforts related to:

  • Additional Instructions that go beyond what is included in the Service, except where the relevant Additional Instruction is an explicit requirement and obligation for PhyStack pursuant to the GDPR.

  • Assisting Customer in responding to requests from data subjects in accordance with Section 8.

  • Assisting Customer with data protection impact assessments and prior consultations, in accordance with Section 7.6.

  • Facilitating more than one (1) on-site audit per calendar year at PhyStack's premises, unless such audit is carried out due to a personal data breach related to Covered Personal Data attributable to PhyStack.

  • Assisting Customer in transferring Covered Personal Data to Customer in connection with the termination of the Agreement, as set out in Section 14.

13.3 Compensation shall, unless agreed otherwise, be based upon the agreed hourly rates in the Agreement.

Term and Termination

14.1 This DPA enters into force upon the date of its execution by both Parties and shall remain in force for as long as PhyStack or any Subprocessor processes Covered Personal Data.

14.2 Upon termination of the Agreement and during the Retention Period, PhyStack will provide Customer with a possibility to download and retrieve any Covered Personal Data in PhyStack's or any Subprocessor's possession in accordance with PhyStack's standard procedures for the Service. Upon expiry of the Retention Period, PhyStack shall delete or anonymize any Covered Personal Data, unless PhyStack is obligated under applicable law to continue storing the Covered Personal Data.

Miscellaneous

15.1 Without prejudice to the Agreement, this DPA shall constitute the entire agreement between the Parties on all issues to which the DPA relates. The contents of this DPA and its appendices supersede all previous written or oral commitments and undertakings between the Parties on the issues to which this DPA relates. Nothing in this DPA shall limit PhyStack or any of its Subprocessors from complying with applicable laws and/or orders from supervisory authorities, governmental agencies or regulatory bodies.

Governing Law and Dispute Resolution

16.1 Governing law as well as disputes regarding the interpretation or application of this DPA shall be settled in accordance with the governing law and dispute resolution provisions of the Agreement.


Annex A – Specification

Purpose

1.1 This Annex A (Specification) to this DPA between PhyStack and Customer describes the processing of Covered Personal Data that PhyStack will carry out on behalf of Customer under this DPA.

1.2 The purpose of this Annex A (Specification) is to clarify which processing and which personal data are covered by the Agreement, and to fulfil the requirements of the GDPR regarding the obligation to specify a processor's processing of personal data, see for example Article 28(3) GDPR.

Description of the Processing of Covered Personal Data

Subject-matter and purpose of the processing: PhyStack will provide the Service to the Customer as described in the Agreement. The Service gives the Customer access to the PhyStack Marketplace with ready-to-use screen, IoT, cloud and mobile apps which can be configured depending on Customer's needs. PhyStack and the Customer may also agree on development of Customer-specific apps, where apps are developed for the Customer, based on the Customer's instructions in each case. Furthermore, Customer may be granted access to the PhyStack Platform for the purpose of developing its own apps and given the right to upload these apps to the PhyStack Marketplace, where they can be accessed by both the Customer and other customers. The processing of Covered Personal Data is necessary for the provision of the Service to the Customer.

Categories of Covered Personal Data: The Customer chooses which categories of Covered Personal Data will be processed when configuring the Service and the Apps running on the Service. Categories often include:
- Contact details (such as name, address, e-mail, telephone number)
- User ID
- Device information (where relevant)
- Azure Tenant information
- Geographical location
- Usage data
- Pictures

Categories of data subjects: The Covered Personal Data concerns the following categories of data subjects:
- Customer's employees and contractors/other resources (such as consultants)
- The Customer's end-customers and visitors to its public spaces

Duration of the processing and time of storage: Covered Personal Data will be processed and retained by PhyStack no longer than required for PhyStack to fulfil its obligations in relation to the Customer under the Agreement.

General description of the technical and organizational security measures: Please see PhyStack's Privacy Policy.

Authorized Subprocessors of Covered Personal Data: The following Subprocessors will be engaged by PhyStack for the processing of Covered Personal Data:

Name of Subprocessor: Microsoft Corporation
Processing carried out by Subprocessor: Infrastructure services
Location for processing: All data is stored in datacenters/regions inside the EU/EEA by default, but the Customer can choose to store data in another Azure region when configuring the Service. Please note that cloud services may involve limited data transfers to locations outside the EU/EEA, subject to applicable policies from Microsoft from time to time. Such transfers will be subject to the terms of this DPA.

Name of Subprocessor: Hubspot, Inc.
Processing carried out by Subprocessor: CRM and support
Location for processing: Data is processed in the EU (Google Cloud) and subsequently stored in the US (AWS). For more information, see https://knowledge.hubspot.com/account/hubspot-cloud-infrastructure-frequently-asked-questions

Authorized recipients of Covered Personal Data:
- Affiliates of PhyStack, if and when required to provide agreed services.
- Approved Partners (where applicable) in accordance with Section 4.2.
- Other recipients stated in PhyStack's Privacy Policy.
- Governmental authorities, if and when required by law or binding court order.