This Data Processing Addendum (this “Addendum”) is attached to and incorporated by reference into the above Terms of Service (“Terms of Service”), by and between Logik Systems, Inc. (dba Logikcull), a Delaware corporation (“Logikcull”), and the customer agreeing to be bound by such Terms of Service (“Customer”). Logikcull and Customer shall be collectively referred to herein as “Parties” and individually as a “Party”.
a. Logikcull facilitates and supports the large-scale collection, storage, processing, analysis, and management of Customer Data. User accounts and various channels for user communications have been created or made available in relation to Logikcull’s services and product offering in order to communicate with, support, and facilitate access for Logikcull’s users.
b. The United States ensures an adequate level of protection for Personal Data transferred from the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom to organizations in the United States that self-certify compliance under the U.S. Department of Commerce’s EU-U.S. Privacy Shield (“Privacy Shield Framework”).
c. Logikcull has certified compliance with the Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of Personal Data transferred to the United States.
d. Logikcull may Process Personal Data collected for, from, or on behalf of Customer or its users as a result of Customer’s engagement with Logikcull and use of the Logikcull services (“Services”). Customer desires to adhere to this Addendum in order for Logikcull to provide the Services to Customer.
NOW, THEREFORE, in consideration of the foregoing recitals and the covenants and agreements set forth herein, the Parties hereby agree as follows:
a. “Controller” means the entity which determines the purposes and means of the Processing of Personal Data.
b. “Data Protection Laws and Regulations” means all laws and regulations, including laws and regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Data under this Addendum.
c. “Data Subject” means the identified or identifiable person to whom Personal Data relates.
d. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
e. “Personal Data” means any information relating to (i) an identified or identifiable natural person and, (ii) an identified or identifiable legal entity (where such information is protected similarly as personal data or personally identifiable information under applicable Data Protection Laws and Regulations), where for each (i) or (ii), such data is Customer Data.
f. “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
g. “Processor” means the entity which Processes Personal Data on behalf of the Controller.
h. “Sub-processor” means any Processor engaged by Logikcull.
This Addendum (A) applies to the extent that Logikcull stores, accesses, transmits, Processes, or otherwise uses Personal Data provided by or collected from (i) Customer, (ii) Customer’s users, or (iii) the Data Subjects (collectively, (i), (ii) and (iii) referred to herein as, “Customer Data”) for the nature and purpose of performing the Services; and (B) is hereby made an integral part of the Terms of Service or other written or electronic agreement under which Logikcull may perform such services (as applicable). Except as otherwise set forth in this Addendum, the obligations set forth in the Terms of Service are hereby incorporated herein, including, without limitation, all obligations with respect to confidentiality.
3. Processing of Personal Data.
a. Roles of the Parties. The Parties agree that with regard to the Processing of Personal Data, Customer is the Controller and that Logikcull is the Processor. Logikcull will engage Sub-processors pursuant to the requirements set forth in Section 4 of this Addendum.
b. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with, and in compliance with, all applicable laws, including, without limitation, Data Protection Laws and Regulations and GDPR. Customer’s instructions provided to Logikcull with respect to the Processing of Personal Data shall at all times comply with Data Protection Laws and Regulations. Customer shall have sole responsibility for the accuracy, quality and legality of Personal Data and the means by which Customer acquired Personal Data, including, without limitation, receiving consent of each Data Subject to the extent required under applicable law.
c. Logikcull’s Processing of Personal Data. Logikcull agrees to treat Personal Data as confidential information of Customer in accordance with the Terms of Service and will only Process Personal Data on behalf of and in accordance with Customer’s documented written instructions in connection with: (i) Processing in accordance with this Addendum; (ii) Processing in relation to the provision by Logikcull of Services to Customer; (iii) Processing initiated by Customer’s users in their use or receipt of the Services; and (iv) Processing to comply with other documented written instructions provided by Customer where such documented written instructions are consistent with the terms of this Addendum. The subject matter of the Processing of Personal Data by Logikcull is the performance of the Services pursuant to the Terms of Service.
d. Data Subject Requests. Logikcull will, to the extent legally permitted, promptly notify Customer if Logikcull receives a request from a Data Subject to exercise the Data Subject's right of access, right to rectification, restriction of Processing, erasure (i.e. “right to be forgotten”), data portability, object to the Processing, or its right not to be subject to an automated individual decision making (“Data Subject Request”). Taking into account the nature of the Processing, Logikcull will assist Customer by appropriate technical and organizational measures, insofar as each are possible and reasonable, for the fulfillment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Logikcull shall, upon Customer’s request, use commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Logikcull is legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws and Regulations. Customer shall be responsible for any costs arising from Logikcull’s provision of such assistance.
e. Logikcull Personnel. Logikcull will ensure that its personnel engaged in the Processing of Customer Data are informed of the confidential nature of any Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements. Logikcull will ensure that such confidentiality obligations survive the termination of the personnel engagement. Logikcull will use commercially reasonable efforts to take necessary steps to ensure the reliability of any Logikcull personnel engaged in the Processing of Personal Data. Logikcull will use commercially reasonable efforts to ensure that Logikcull’s access to Personal Data is limited to those personnel performing Services to Customer pursuant to the Terms of Service. Logikcull has appointed a data protection officer. The appointed person may be reached at firstname.lastname@example.org.
f. Return and Deletion of Customer Data. With respect to Customer Data submitted through the Services, Logikcull will return Customer Data to Customer and/or, to the extent permitted under applicable law, may delete such Customer Data in accordance with the procedures and timeframes set forth in the Terms of Service and in compliance with Data Protection Laws and Regulations. With respect to Customer Data collected by or provided to Logikcull other than Customer Data submitted through the Services, Logikcull will retain and/or delete such Customer Data in accordance with its retention and deletion policy and in compliance with Data Protection Laws and Regulations. To the extent any Personal Data is retained by Logikcull longer than the timeframes set forth in Logikcull’s retention and deletion policy, such Personal Data will be rendered anonymous in such a manner that the Data Subject is not or no longer identifiable.
Customer acknowledges and agrees that Logikcull may engage third-party Sub-processors in connection with the provision of Services. A list of current subprocessors is available at this link. In the event that Logikcull intends to engage a new Sub-processor with respect to the Service, Logikcull will update this list and send notification to the primary account owner. Customer may object to Logikcull’s use of a new Sub-processor by notifying Logikcull promptly in writing within ten (10) business days after receipt of Logikcull’s notice in accordance with the notice requirements set forth in this Addendum. In the event Customer objects to a new Sub-processor, Logikcull will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening Customer. If Logikcull is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, Customer may terminate the applicable Terms of Service and other related documents with respect to receipt of those Services which cannot be provided by Logikcull without the use of the objected-to new Sub-processor by providing written notice to Logikcull. Logikcull will remain liable for the acts and omissions of its Sub-processors to the same extent Logikcull would be liable if performing the services of each Sub-processor directly under the Terms of Service, except as otherwise set forth in this Addendum.
5. Security and Incident Management.
a. Security. Logikcull maintains appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Personal Data), confidentiality and integrity of Personal Data, in compliance with Logikcull’s then-current policies and procedures and Data Protection Laws and Regulations. Logikcull regularly monitors compliance with these measures. Logikcull agrees not to materially decrease the overall security of the Services during the applicable subscription term. Logikcull has obtained industry standard data security and privacy certificates and agrees to maintain such certificates during the applicable subscription term with respect to Customer’s receipt of Services. Upon Customer request at reasonable intervals, and subject to the confidentiality obligations set forth in the Terms of Service, Logikcull shall make available to Customer a copy of Logikcull’s then most recent third-party audits or certifications.
b. Incident Management. Logikcull maintains an industry standard security incident management policy and shall notify Customer without undue delay after becoming aware of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data, including Personal Data, transmitted, stored or otherwise Processed by Logikcull or any of its Sub-processors (“Data Incident”). Logikcull shall use reasonable efforts to identify the cause of any such Data Incident and take reasonable steps necessary to remediate the cause of such Data Incident, to the extent remediation is within Logikcull’s reasonable control. The obligations set forth herein shall not apply to any incident caused by Customer or Customer’s users.
c. Recordkeeping and Audit. Logikcull will maintain such records with respect to Processing Personal Data in connection with the Services as necessary to comply with its obligations under GDPR. Upon Customer’s request, and subject to the confidentiality obligations set forth in the Terms of Service, Logikcull will make available to Customer information regarding Logikcull’s compliance with this Addendum in the form of third party certifications and audits, to the extent that Logikcull generally makes such information available to all of its customers.
6. Limitations on Liability.
Each Party’s liability arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to those limitations of liability set forth in the Terms of Service and any reference in the Terms of Service limiting a Party’s liability means the aggregate liability of that Party under the Terms of Service and this DPA.
7. European Specific Provisions.
Effective May 25, 2018, Logikcull will Process Personal Data in accordance with the GDPR requirements directly applicable to Logikcull’s provision of its Services. Effective May 25, 2018, upon Customer request, Logikcull shall provide Customer with reasonable cooperation and assistance necessary to fulfill Customer’s obligations under GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Logikcull. Logikcull shall provide reasonable assistance to Customer and cooperation with respect to any consultation or request by any regulatory or supervisory authority who has governance over Customer, to the extent required under GDPR.
8. Data Protection under Privacy Shield.
Logikcull will only transfer and Process Personal Data from the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom in accordance with this Addendum. Logikcull self-certifies to and complies with the Privacy Shield Framework and agrees to provide the same level of protection as the Privacy Shield Principles as defined by the US Department of Commerce. Logikcull agrees to maintain its self-certification to and compliance with the Privacy Shield Framework with respect to Processing Personal Data from the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom to the United States.
9. Notice Requirements.
Logikcull agrees that it will notify Customer if it determines that it cannot or will no longer meet the obligations set forth in this Addendum or the GDPR with respect to performing the Services for Customer; and upon such notice, Logikcull will take reasonable and necessary steps, without undue delay, to stop Processing such Personal Data. All such notices shall be sent to the email address associated with your Logikcull Account Owner. Notices required to be delivered by Customer to Logikcull hereunder shall be sent to email@example.com.
Logikcull will Process Personal Data for the duration of the Terms of Service, unless otherwise agreed in writing.
If one or more provisions of this Agreement are held to be unenforceable under applicable law, the Parties agree to renegotiate such provision in good faith. In the event that such provision was not required by the Data Protection Laws and Regulations and the Parties cannot reach a mutually agreeable and enforceable replacement, then (a) such provision shall be excluded from this Agreement, (b) the balance of this Agreement shall be interpreted as if such provision were so excluded, and (c) the balance of this Agreement shall be enforceable in accordance with its terms.
12. Independent Contractors.
The Parties are independent contractors, and nothing contained in this Agreement shall be construed to constitute the Parties as partners, joint venturers, co-owners or otherwise as participants in a joint or common undertaking.
13. Governing Law.
Apart from the specific provisions and requirements governed by Data Protection Laws and Regulations, including, without limitation, GDPR, this Agreement and all acts and transactions pursuant hereto and the rights and obligations of the parties hereto shall be governed, construed and interpreted in accordance with the laws of the State of Delaware, without giving effect to principles of conflicts of law.
Logikcull and Customer each agree that the obligations set forth in this Agreement are necessary and reasonable in order to ensure that Data Subjects continue to benefit from effective safeguards and protection as required by the Data Protection Laws and Regulations with respect to the Processing of Personal Data. Logikcull and Customer each expressly agree that due to the unique nature of the Personal Data covered hereunder monetary damages would be inadequate to compensate either Party for any breach by the other Party of its covenants and agreements set forth in this Agreement. Accordingly, Logikcull and Customer each agree and acknowledge that any such violation or threatened violation shall cause irreparable injury to a Party and that, in addition to any other remedies that may be available, in law, in equity or otherwise, such Party shall be entitled to obtain injunctive relief against the threatened breach of this Agreement or the continuation of any such breach by the other Party, without the necessity of proving actual damages.
15. Amendment and Waiver.
Any term of this Agreement may be amended with the written consent of the Parties. Any amendment or waiver effected in accordance with this Section shall be binding upon the parties and their respective successors and assigns. Failure to enforce any provision of this Agreement by a Party shall not constitute a waiver of any term hereof by such Party.
This Agreement may be executed in two or more counterparts, each of which shall be deemed an original and all of which together shall constitute one instrument.
17. Entire Agreement.
This Agreement is the product of both of the Parties, constitutes the entire agreement between the Parties pertaining to the subject matter hereof, and merges all prior negotiations and drafts of the Parties with regard to the transactions contemplated herein. Any and all other written or oral agreements existing between the Parties hereto regarding such transactions are expressly canceled.