SIDEDRAWER DATA PROCESSING AGREEMENT
This SideDrawer Data Processing Agreement and its Annexes (“DPA”) reflects the parties’ agreement with respect to the Processing of Customer Personal Data (as defined below) by SideDrawer in connection with the SideDrawer Terms of Use or Enterprise Software Agreement as applicable (the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement and is effective upon its incorporation into the Agreement, which may be specified in the Agreement, an order or an executed amendment to the Agreement. In case of any conflict or inconsistency with the terms of the Agreement, this DPA will take precedence over the terms of the Agreement to the extent of such conflict or inconsistency.
SideDrawer may update these terms from time to time. If you have an active subscription, SideDrawer will let you know when we do so via email or via in-app notification.
The term of this DPA will follow the term of the Agreement. Terms not otherwise defined in this DPA will have the meaning as set forth in the Agreement.
- Definitions
- In this DPA, the following terms shall have the meanings set out below:
“Applicable Law” means applicable Data Protection Laws;
“Contracted Processor” means SideDrawer or a Sub-processor;
“Customer” refers to the counterparty to the Agreement;
“Customer Personal Data” means any Personal Data that SideDrawer or a Sub-processor receives, collects, accesses, or otherwise Processes in the provision of the Services to Customer pursuant to the Agreement provided that such Personal Data is electronically submitted by or for Customer to the Services;
“Data Protection Laws” means all laws and regulations of any jurisdiction in respect to privacy, data protection, data security, communications secrecy, breach notification, or the Processing of Personal Data, including, without limitation, the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”), the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”), the UK Data Protection Act 2018, the UK GDPR, and the Swiss Federal Act on Data Protection, in each of the foregoing instances, as applicable to the Processing of Customer Personal Data by a Contracted Processor;
“Personal Data” means any information relating to an identified or identifiable natural person, or that is defined as “Personal Data,” “Personal Information,” “Personally Identifiable Information,” “Sensitive Personal Information,” or any similar term by Applicable Law;
“Personal Data Breach” means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to, any Customer Personal Data;
“Restricted Transfer” means: (i) a transfer of Customer Personal Data from Customer to SideDrawer or a Sub-processor; or (ii) an onward transfer of Customer Personal Data from SideDrawer or a Sub-processor to a Sub-processor; in each case, where such transfer would be prohibited or restricted by applicable Data Protection Laws in the absence of a legal transfer mechanism established under this DPA;
“Standard Contractual Clauses” means a legally acceptable version of the Standard Contractual Clauses (as selected by SideDrawer or a Sub-processor) for the transfer of Personal Data to Processors or Sub-processors established in third countries which do not ensure an adequate level of data protection, as enacted pursuant to the European Commission’s Implementing Decision (EU) 2021/914 of 4 June 2021; and
“Sub-processor” means any Processor engaged by SideDrawer who Processes Customer Personal Data in connection with the provision of the Services.
The terms “Commission”, “Controller”, “Data Subject”, “Member State”, “Processing”, “Processor” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
- Scope and Compliance with Data Protection Laws
- This DPA applies only to the extent that SideDrawer Processes Customer Personal Data on behalf of Customer in providing the Services and where such Customer Personal Data is subject to the Data Protection Laws.
- The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and SideDrawer is the Processor, and SideDrawer may engage Sub-processors subject to the requirements set forth in Section 6. Customer shall, in its use of the Services, Process Customer Personal Data in accordance with the requirements of Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of SideDrawer as Processor. For the avoidance of doubt, Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and how Customer acquired such Customer Personal Data, and, in particular, Customer shall be solely responsible for obtaining any relevant authorizations, consents and permissions from Data Subjects for the Processing of Customer Personal Data in accordance with this DPA. SideDrawer will Process Personal Data only as set forth in this DPA and in compliance with Data Protection Laws.
- Each party hereby certifies that it understands its restrictions and obligations set forth in this DPA and will comply with them.
- Processing of Customer Personal Data
- SideDrawer shall:
- not Process Customer Personal Data other than on Customer’s written instructions (including instructions provided and Processing initiated by Customer’s users in their use of the Service) unless Processing is required by Applicable Law to which SideDrawer is subject; and
- promptly inform Customer if, in SideDrawer’s opinion, an instruction from Customer concerning the Processing of Customer Personal Data violates Data Protection Laws.
- Customer hereby instructs SideDrawer to Process Customer Personal Data (including instructions provided and Processing initiated by Customer’s users in their use of the Service) and to transfer Customer Personal Data to any country or territory for the provision of the Services in accordance with this DPA.
- Annex 1 to this DPA sets out certain information regarding the Processing of the Customer Personal Data pursuant to the Agreement and this DPA as required by Article 28(3) of the GDPR (and, possibly, equivalent requirements of other Data Protection Laws). Nothing in Annex 1 confers any right or imposes any obligation on any party to this DPA.
- SideDrawer shall not:
- Sell Customer Personal Data;
- otherwise Process Customer Personal Data for any purpose other than for the specific purposes set forth in this DPA (including Annex 1) and the Agreement; or
- attempt to link, identify, or otherwise create a relationship between Customer Personal Data and non-Personal Data or any other data without the express authorization of Customer or as otherwise authorized in this DPA (including Annex 1) or the Agreement.
For purposes of this Section 3.4, “Sell” shall have the meaning set forth in the CCPA.
- Authorized Personnel
- SideDrawer shall (i) take commercially reasonable steps to ensure the reliability of the SideDrawer personnel it authorizes to Process Customer Personal Data (“Authorized Personnel”), ensuring in each case that access to Customer Personal Data is limited to those Authorized Personnel who need to know and/or access the Customer Personal Data to provide the Services, and (ii) ensure that all Authorized Personnel are bound by confidentiality obligations (whether by contract or under Applicable Law) in respect of the Processing of Customer Personal Data.
- Security
- SideDrawer shall in relation to the Customer Personal Data implement appropriate technical and organizational measures to provide a level of security appropriate to the types of Customer Personal Data being Processed by SideDrawer and the risk to applicable Data Subjects in the event of unauthorized use or disclosure of such Customer Personal Data, including, as appropriate, the measures referred to in Article 32(1) of the GDPR.
- In assessing the appropriate level of security, SideDrawer shall take account of the risks that are presented by Processing, including from a Personal Data Breach in respect to the Customer Personal Data.
- Sub-processing
- Customer authorizes SideDrawer to appoint (and permit each Sub-processor appointed in accordance with this Section 6 to appoint) Sub-processors in accordance with this Section 6. Customer hereby consents to SideDrawer’s use of its current Sub-processors which are set forth at: https://sidedrawer.com/supbrocessors.html.
- Customer may reasonably object to SideDrawer’s use of a new Sub-processor by notifying SideDrawer promptly in writing within thirty (30) days after receipt of SideDrawer’s notice in accordance with the mechanism set out in Section 6.5. If Customer objects to a new Sub-processor, as permitted in the preceding sentence, SideDrawer will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor. If SideDrawer is unable to make available such change within a reasonable time, which shall not exceed thirty (30) days, Customer may terminate the applicable Order Form(s) with respect only to those Services which cannot be provided by SideDrawer without the use of the objected-to new Sub-processor by providing written notice to SideDrawer. SideDrawer will refund to Customer any prepaid fees covering the remainder of the term of such Order Form(s) following the effective date of termination with respect to such terminated Services, without imposing a penalty for such termination on Customer.
- With respect to each Sub-processor, SideDrawer shall:
- before the Sub-processor first Processes Customer Personal Data, carry out commercially reasonable due diligence to determine that the Sub-processor is capable of providing the level of protection for Customer Personal Data required by this DPA;
- enter into an agreement with such Sub-processor (including in electronic form) that is consistent with the terms of this DPA in respect to such Sub-processor’s Processing of Personal Data;
- if an arrangement with a Sub-processor involves a Restricted Transfer, utilize a legal transfer mechanism under Applicable Law (such as the Standard Contractual Clauses, approved Binding Corporate Rules or any other transfer mechanism that may be approved by applicable Supervisory Authorities from time to time); and
- provide to Customer for review, copies of SideDrawer’s agreements with its Sub-processors (which may be redacted to remove confidential commercial information) as Customer may request in writing from time to time.
- SideDrawer shall be liable for the acts and omissions of its Sub-processors to the same extent SideDrawer would be liable if performing the services of each Sub-processor directly under the terms of this DPA and the Agreement.
- SideDrawer’s use of Sub-processors is at SideDrawer’s discretion, provided that: (a) SideDrawer shall inform Customer in advance (by email, by posting within the Services, or by updating SideDrawer’s publicly posted list of Sub-processors) of any additions to or replacements of the Sub-processors used by SideDrawer (including the name, the jurisdiction in which such Sub-processor is located, and the types of Personal Data to be Processed by such Sub-processor); and (b) Customer may object to the use of any new Sub-processor as provided in Section 6.2.
- Data Subject Rights
- Considering the nature of the Processing of the Customer Personal Data by the Contracted Processors, SideDrawer will assist Customer, by appropriate technical and organizational measures, insofar as reasonably possible, in the fulfilment of Customer’s obligations to respond to requests by Data Subjects (or their representatives) for exercising their rights under Data Protection Laws (such as rights to access, correct, or delete Personal Data).
- SideDrawer shall, unless prohibited by applicable law:
- promptly notify Customer if SideDrawer receives (i) a request from a Data Subject under any Data Protection Laws in respect of Customer Personal Data (including requests of Data Subjects that may be communicated to SideDrawer by its Sub-processors), or (ii) a Data Subject complaint made to SideDrawer regarding the Processing of Customer Personal Data (including Data Subject complaints that may be communicated to SideDrawer by its Sub-processors) (collectively, the matters in items (i) and (ii) hereinafter referred to as “Data Subject Requests”);
- not respond to any Data Subject Requests except on the documented instructions of Customer or as required by Applicable Law; and
- to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, upon Customer’s request use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent SideDrawer is legally permitted to do so and a response to such Data Subject Request is required under Data Protection Laws. Customer shall be responsible for any costs arising from SideDrawer’s provision of such assistance.
- Personal Data Breach
- SideDrawer shall notify Customer without undue delay (and in any event within seventy-two (72) hours) upon SideDrawer becoming aware of a Personal Data Breach affecting Customer Personal Data (including any Personal Data Breach for which SideDrawer receives notice from a Sub-processor), providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws. Any notification by SideDrawer of any Personal Data Breach shall not be interpreted or construed as an admission of fault or liability by SideDrawer.
- SideDrawer shall use reasonable efforts to identify the cause of any Personal Data Breach affecting Customer Personal Data and take those steps as SideDrawer deems necessary and commercially reasonable to remediate the cause of such a Personal Data Breach affecting Customer Personal Data to the extent the remediation is within SideDrawer’s reasonable control. The obligations herein shall not apply to incidents that are caused by Customer or Customer’s users.
- Data Protection Impact Assessment and Prior Consultation
- SideDrawer shall provide Customer with commercially reasonable assistance with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which are required under Data Protection Laws, in each case solely in relation to the Processing of Customer Personal Data by SideDrawer, taking into account the nature of the Processing and the information available to SideDrawer, and, in each case, to the extent Customer does not otherwise have access to the relevant information. To the extent legally permitted, Customer shall be responsible for any costs arising from SideDrawer’s provision of such assistance.
- Deletion or Return of Customer Personal Data
- Subject to Section 10.3, if Customer does not provide SideDrawer written notice under Section 10.2, SideDrawer shall promptly and in any event within twenty (20) business days of the date of cessation of any Services involving the Processing of Customer Personal Data (the “Cessation Date”), delete and procure the deletion of all copies of the Customer Personal Data held by or under the control of SideDrawer and/or any of its Sub-processors.
- Subject to Section 10.3, Customer may in its absolute discretion by written notice to SideDrawer within ten (10) business days of the Cessation Date require SideDrawer to: (a) return a complete copy of all Customer Personal Data to Customer by secure file transfer in a format supported by the Services; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by any Contracted Processor pursuant to this DPA. SideDrawer shall, where practicable, comply with the requirements of this Section 10.2 within twenty (20) business days of the Cessation Date.
- Each Contracted Processor may retain Customer Personal Data to the extent required by Applicable Law and for such period as required by Applicable Law, always provided that SideDrawer shall comply with the obligations of this DPA in respect of all such Customer Personal Data and shall only Process such Customer Personal Data as necessary for the purpose(s) specified in the Applicable Law requiring its storage and for no other purpose, except as otherwise provided in this Section 10.3. In addition, each Contracted Processor may retain Customer Personal Data that is contained in archival records made by such Contracted Processor’s back-up systems pursuant to such Contracted Processor’s standard back-up and disaster recovery procedures, provided that such Customer Personal Data shall be deleted when the corresponding archival records are deleted in accordance with such Contracted Processor’s standard deletion schedule for back-up and disaster recovery records.
- Upon written request from Customer, SideDrawer shall provide written certification to Customer that SideDrawer has fully complied with this Section 10 within twenty (20) business days of the Cessation Date.
- Audit Rights
- SideDrawer shall make available to Customer (provided that Customer is not a competitor of SideDrawer) on request, all reasonable information that is available to SideDrawer and that is relevant to the Processing of the Customer Personal Data by the Contracted Processors, and shall allow for and contribute to audits, including inspections, by Customer or an auditor (provided that both Customer and the selected auditor are not competitors of SideDrawer) mandated by Customer that are relevant to the Processing of the Customer Personal Data by the Contracted Processors. Any information provided by SideDrawer (or any other Contracted Processor) to Customer, or to any auditor selected by Customer in connection with an audit, shall be SideDrawer’s Confidential Information and shall be protected by Customer (and Customer’s auditor) in accordance with the Confidential Information provisions of the Agreement.
- Customer shall give SideDrawer reasonable notice of any audit or inspection to be conducted under Section 11.1 and shall avoid (and shall ensure that each of its mandated auditors avoids) causing any damage, injury or disruption to the Contracted Processors' premises, equipment, personnel and business while its personnel are on those premises (which includes access to any IT systems) in the course of such an audit or inspection. If Customer elects to use a third-party auditor, such third-party auditor shall be required to enter into a non-disclosure agreement with SideDrawer. SideDrawer need not give access to its premises for the purposes of such an audit or inspection:
- to any individual unless he or she produces reasonable evidence of identity and authority;
- outside normal business hours at those premises, unless the audit or inspection needs to be conducted on an emergency basis and Customer and SideDrawer have agreed that this is the case before attendance outside those hours begins; or
- for the purposes of more than one audit or inspection, in respect of SideDrawer or any Sub-processor, in any calendar year, except for any additional audits or inspections which Customer is required or requested to carry out by Data Protection Laws, a Supervisory Authority or any similar regulatory authority responsible for the enforcement of Data Protection Laws in any relevant country or territory.
- Customer shall reimburse SideDrawer for any time expended by SideDrawer or its Sub-processors for any such audit at SideDrawer’s then-current professional services rates, which shall be made available to Customer upon request. Before the start of any such audit, Customer and SideDrawer shall mutually agree upon the scope, timing, and duration of the audit in addition to the reimbursement rate for which Customer shall be responsible. All reimbursement rates shall be reasonable, considering the resources expended by SideDrawer or its Sub-processors. Customer acknowledges and agrees that any audit of any Sub-processor is subject to the agreement of such Sub-processor, which is outside of SideDrawer’s control, and which may be denied by the applicable Sub-processor in such Sub-processor’s sole discretion. Customer shall promptly notify SideDrawer with information regarding any non-compliance discovered during any audit.
- Restricted Transfers
- To the extent that the Processing of Customer Personal Data by SideDrawer or a Sub-processor involves a Restricted Transfer, such transfer shall be done in accordance with a legal transfer mechanism under Applicable Law (such as the Standard Contractual Clauses, approved Binding Corporate Rules or any other transfer mechanism that may be approved by applicable Supervisory Authorities from time to time).
- General Terms
- Governing law and jurisdiction
- Without prejudice to the mediation, jurisdiction and governing law provisions of the Standard Contractual Clauses (to the extent the Standard Contractual Clauses are applicable to a Contracted Processor):
- the parties to this DPA hereby submit to the choice of jurisdiction stipulated in the Agreement with respect to any disputes or claims arising under this DPA, including disputes regarding its existence, validity or termination or the consequences of its nullity; and
- this DPA shall be governed by the laws of the country or territory stipulated for this purpose in the Agreement.
- Order of precedence
- Nothing in this DPA reduces SideDrawer's obligations under the Agreement in relation to the protection of Customer Personal Data or permits SideDrawer to Process (or permit the Processing of) Customer Personal Data in a manner which is prohibited by the Agreement.
- In the event of any conflict or inconsistency between this DPA and the Standard Contractual Clauses (to the extent the Standard Contractual Clauses are applicable to a Contracted Processor), the Standard Contractual Clauses shall prevail. For greater certainty, to the extent this DPA specifies rules in respect to the appointment of Sub-processors, the conduct of audits, and the certification of deletions, such rules also apply in relation to the Standard Contractual Clauses.
- With regard to the subject matter of this DPA, in the event of any conflict or inconsistency between the provisions of this DPA and other provisions in the Agreement, or any other agreements between the parties, the provisions of this DPA shall prevail.
- To the extent the Standard Contractual Clauses are applicable between Customer and SideDrawer, Customer shall be the data exporter and SideDrawer shall be the data importer, and to the extent the Standard Contractual Clauses require a description of the types of Customer Personal Data to be Processed, the types of Processing to be performed on the Customer Personal Data, the purpose of the Processing to be performed on the Customer Personal Data, the duration of the Processing of the Customer Personal Data and any other relevant information about the Processing to be performed on Customer Personal Data, the information set forth in Annex 1 to this DPA is deemed to be added to the Standard Contractual Clauses (mutatis mutandis).
- Severance
Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in full force and effect. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
Last Updated: November 7, 2022
ANNEX 1: DETAILS OF PROCESSING OF CUSTOMER PERSONAL DATA
This Annex 1 includes certain details of the Processing of Customer Personal Data as required by Article 28(3) GDPR.
- List of Parties
Data exporter:
Name: The Customer, as defined in the Agreement
Address: The Customer's address, as set out in the Agreement/Order Form
Contact person’s name, position and contact details: The Customer's contact details, as set out in the Agreement, Order Form and/or as set out in the Customer’s account
Role (controller/processor): Controller
Data importer:
Name: SideDrawer Inc.
Address: 3080 Yonge St, Suite 6060, Toronto, ON, M4N 3N1
Contact person’s name, position and contact details: J. Gaston Siri, Data Protection Officer, SideDrawer Inc., support@sidedrawerinc.com.
Role (controller/processor): Processor
- Subject matter and duration of the Processing of Customer Personal Data
The subject matter and duration of the Processing of the Customer Personal Data are as set forth in the Agreement and this DPA.
- The nature and purpose of the Processing of Customer Personal Data
SideDrawer will Process Customer Personal Data as necessary to perform the Services pursuant to the Agreement.
- The types of Customer Personal Data to be Processed
Customer may submit Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include Personal Data of the categories of Data Subjects described below.
- The categories of Data Subjects to whom the Customer Personal Data relates
Customer contacts and other end users including Customer employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Customer’s end users.
- Frequency of the transfer
Continuous
- Nature of the Processing
Customer Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:
- Storage and other Processing necessary to provide, maintain and improve the Services provided to Customer; and/or
- Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
- Purpose of the transfer and further processing
SideDrawer will Process Customer Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by Customer in Customer’s use of the Services.
- Period for which Personal Data will be retained
SideDrawer will Process Customer Personal Data for the duration of the Agreement, unless otherwise agreed in writing.
- Competent Supervisory Authority
The supervisory authority that will act as competent supervisory authority, as applicable, will be determined in accordance with GDPR.