DATA PROCESSING ADDENDUM
Last updated: 8 June 2019
PLEASE READ THESE TERMS CAREFULLY.
This Addendum governs Twimo’s Processing of Personal Information (terms defined below) on behalf of the Customer in the course of providing the Services to the Customer under the Customer Agreement and is made effective as of the date the Customer opts into or otherwise accepts Twimo's Customer Agreement.
By entering into this Addendum, the Customer and Twimo agree to comply with the terms and conditions of this Addendum in connection with Personal Information.
- “Users” refers to individuals who are invited to teams belonging to the Customer on the Services, have user accounts (“User Accounts”) on the Services and are authorised to use the Services paid for by the Customer.
- “Customer Data” refers individually and collectively to any and all content submitted to the Services via User Accounts related to the Customer’s use of the Services.
- “GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament that lays down rules relating to the protection of natural persons with regard to the processing of personal data and the free movement of personal data.
- “Data Protection Legislation” means all laws and regulations, including the GDPR and laws and binding regulations of the European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, applicable to the Processing of Personal Information under the Customer Agreement.
- “Personal Information” as used in this Addendum means any Customer Data that relates to an identified or identifiable natural person that the Customer and/or its Users submit to the Services or authorise us to Process under the Customer Agreement, to the extent that such information is protected as ‘personal data’ under the applicable Data Protection Legislation.
- “Data Subject” means the identified or identifiable person to whom the Personal Information relates.
- “Processing” (also “Process”) means any operation or set of operations which is performed on Personal Information, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Controller” means the entity which determines the purposes and means of Processing of Personal Information.
- “Processor” means the entity which Processes Personal Information on behalf of the Controller.
- “Subprocessor” means an entity which Processes Personal Information on behalf of the Processor.
- “Supervisory Authority” means an independent public authority which is established in accordance with the Data Protection Legislation.
- “Data Subject Rights” means the rights of access, rectification, restriction of Processing, erasure, data portability, objection to Processing and not to be subject to automated individual decision making, which are conferred to a Data Subject under the applicable Data Protection Legislation in relation to Personal Information of the Data Subject.
- “Security Practices Document” means the document outlining Twimo’s Security Practices that can be found here.
- “Security Incident” as used in this Addendum means a breach of security of the Services or Twimo’s systems used to Process Personal Information leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Information transmitted, stored or otherwise Processed by Twimo.
- “Sensitive Information” means Personal Information revealing a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, sex life or sexual orientation.
2. PROCESSING OF PERSONAL INFORMATION
2.1 Roles of the parties : The Customer and Twimo acknowledge and agree that, with regard to the Processing of Personal Information,
- the Customer is the Controller of Personal Information,
- Twimo is the Processor of Personal Information, and
- Twimo may engage Subprocessors pursuant to the requirements set forth in “Subprocessors” section below.
2.2 Customer’s Processing of Personal Information : The Customer shall, in its use of the Services and provision of instructions,
- Process Personal Information in accordance with the requirements of applicable Data Protection Legislation and the terms and conditions of this Addendum;
- have the sole responsibility for the accuracy, quality, and legality of Personal Information and the means by which the Customer acquires or has acquired Personal Information;
- have the sole responsibility for providing the necessary notices to and obtaining the necessary consents from Data Subjects whose Personal Information the Customer or its Users submit to our Services or provide to us to Process under this Addendum;
- be responsible for ensuring that its Users, in their use of the Services, comply with the requirements of the applicable Data Protection Legislation and the terms and conditions of this Addendum.
2.3 Twimo’s Processing of Personal Information : Twimo shall Process Personal Information, solely as a Processor, on the Customer’s behalf, only for the purpose of and to the extent necessary for providing the Services, and in accordance with
- this Addendum and the Customer Agreement,
- any other documented instructions from the Customer (whether in written or electronic form), provided such instructions are commensurate with the functioning of the Services and consistent with the Customer Agreement,
- processing initiated by the Users in their use of the Services, consistent with the Customer Agreement.
2.4 Twimo’s Processing of Personal Information for legal reasons : If Twimo is required by law to Process the Personal Information for any other purpose not mentioned in 2.3 above, Twimo shall provide the Customer with prior notice of this requirement, unless Twimo is prohibited by law from providing such notice.
2.5 Notice of incompatible Customer instructions for Processing of Personal Information : If, in Twimo’s opinion,
- the Customer’s instructions for the Processing of Personal Information infringe on the applicable Data Protection Legislation, or
- Twimo cannot Process the Personal Information related to the Customer’s use of the Services in accordance with the Customer’s instructions, or
- any applicable law to which Twimo is subject, prevents the Processing of Personal Information in accordance with the Customer’s instructions,
2.6 Services incompatible with Processing of Sensitive Information : The Customer understands and acknowledges that our Services are not intended to be used for the Processing of Sensitive Information and the Customer agrees not to submit, and ensure that its Users do not submit, any Sensitive Information to the Services or provide to us for Processing.
2.7 Details of Processing : The duration of Processing, the nature and purpose of Processing, the types of Personal Information and categories of Data Subjects Processed under this Addendum are further specified in Appendix 1 to Exhibit A of this Addendum.
3. DATA SUBJECT REQUESTS
3.1 The Customer is responsible for handling any requests or complaints from Data Subjects or Supervisory Authority with respect to the Personal Information Processed by Twimo under this Addendum or requests for the exercise of Data Subject Rights (“Data Subject Request”).
3.2 Twimo shall promptly notify the Customer, unless prohibited by applicable law and to the extent permitted by applicable law, if Twimo receives any Data Subject Request.
3.3 The Services contain technical and organisational measures, taking into account the nature of Processing, that have been designed to assist the Customer, insofar as is possible, in fulfilling its obligations to respond to such Data Subject Requests under the applicable Data Protection Legislation.
3.4 In addition, to the extent that the Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Twimo shall, upon the Customer’s request, provide the Customer reasonable support for any further assistance the Customer needs to fulfill its obligations in responding to the Data Subject Request, to the extent that
- such request requires a response under the applicable Data Protection Legislation,
- such request relates to the Processing of Personal Information by Twimo, subject to this Addendum and the Customer Agreement,
- Twimo is legally permitted to assist the Customer in responding to such request.
4. SECURITY AND CONFIDENTIALITY
4.1 Twimo shall implement and maintain, at all times throughout the term of the Addendum, appropriate technical and organisational measures as set forth in the Security Practices Document, to protect the confidentiality and integrity of Personal Information and prevent Security Incidents.
4.2 Such measures shall be appropriate to the nature of the Personal Information to be protected, the nature of the Processing of such Personal Information and the harm which might result from such a Security Incident.
4.3 Twimo regularly monitors compliance with these measures.
4.4 Twimo shall not materially decrease the overall security of the Services during a subscription term.
4.5 Twimo shall ensure that the personnel authorised to Process Personal Information are subject to the appropriate confidentiality obligations and/or agreements.
5. DATA PROTECTION IMPACT ASSESSMENTS
5.1 The Customer may request Twimo to assist the Customer with conducting any data protection impact assessments (including subsequent consultation with a Supervisory Authority), if so required by the applicable Data Protection Legislation and only to the extent required by the applicable Data Protection Legislation, taking into account the nature of Processing and the Personal Information available to Twimo.
5.2 Twimo may charge a reasonable fee for any such assistance, to the extent permitted by applicable law.
5.3 Before commencement of any such assessment, the Customer and Twimo shall mutually agree upon the scope, timing, and duration of the assessment and the fees due to Twimo by the Customer.
5.4 The Customer shall promptly notify Twimo with the results of the assessment including, without limitation, any information related to non-compliance discovered during the course of the assessment and Twimo may pursue reasonable efforts to address any such non-compliance.
6. HANDLING OF SECURITY INCIDENTS
6.1 Twimo shall notify the Customer promptly upon becoming aware of and confirming any Security Incident relating to the Personal Information we Process on the Customer’s behalf, which may require a notification to be made to a Supervisory Authority or a Data Subject under applicable Data Protection Legislation or which Twimo is required to notify to the Customer under applicable Data Protection Legislation.
6.2 In the event of such a Security Incident, Twimo shall provide the Customer with information about the Security Incident and the type of Personal Information concerned, unless otherwise prohibited by law or otherwise instructed by a law enforcement or Supervisory Authority.
6.3 Following such notification, Twimo shall take reasonable steps to mitigate the effects of the Security Incident and to minimise any damage resulting from the Security Incident, to the extent that such steps are within Twimo’s control.
6.4 Upon the Customer’s request, Twimo shall provide reasonable assistance and cooperation with respect to any notifications that the Customer is legally required to send to affected Data Subjects and Supervisory Authority. Twimo may charge a reasonable fee for such requested assistance.
6.5 Except as required by applicable Data Protection Legislation, the obligations herein shall not apply to incidents that are caused by Customer, its Users and/or any third party persons, products or services used in conjunction with the Services.
7. REGULATORY INVESTIGATIONS
7.1 At the Customer’s request, Twimo will assist the Customer in the event of an investigation by a competent regulator, including a data protection regulator or similar authority, if and to the extent that such investigation relates to the Processing of Personal Information by Twimo on the Customer’s behalf in accordance with this Addendum. Twimo may charge a reasonable fee for such requested assistance except where such investigation arises from a breach by Twimo of the Customer Agreement or this Addendum, to the extent permitted by applicable law and subject to the Customer Agreement.
8. SUBPROCESSORS
8.1 The Customer acknowledges and agrees that, in the course of providing our Services, Twimo may use Subprocessors to Process Personal Information.
8.2 Twimo’s use of any specific Subprocessor to Process Personal Information shall be in compliance with Data Protection Legislation and governed by a contract between Twimo and the Subprocessor that imposes on the Subprocessor obligations relating to the Processing of Personal Information that are at least as protective of Personal Information as those that apply to Twimo under this Addendum, to the extent applicable to the nature of the services provided by such Subprocessor.
8.3 The Customer can access the current list of Subprocessors Twimo uses to Process Personal Information here.
8.4 The Customer may also request (by email to email@example.com) to be notified by Twimo of the addition or replacement of Subprocessors. Twimo shall, upon such a request from the Customer, provide the Customer with notification of new or changed Subprocessors before authorising such new or changed Subprocessors to Process Personal Information in connection with the provision of the Services.
8.5 The Customer may object to such addition or replacement of Subprocessors on reasonable grounds within ten (10) business days after being notified by Twimo of the engagement of the Subprocessor and the Customer shall inform Twimo of such reasonable grounds for the objection.
8.6 In the event the Customer objects to the addition or replacement of a Subprocessor, as permitted in the preceding sentence, Twimo will use reasonable efforts to make available to the Customer a change in the Services or recommend a commercially reasonable change to the Customer’s configuration or use of the Services to avoid Processing of Personal Information by the objected-to new Subprocessor without unreasonably burdening the Customer.
8.7 If Twimo is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either party may terminate without penalty the component of the Services which cannot be provided by Twimo without the use of the objected-to Subprocessor by providing written notice to the other party. Twimo will refund the Customer any prepaid fees covering the remainder of the term of the Customer’s subscription following the effective date of termination with respect to such terminated component of the Services, without imposing a penalty for such termination on the Customer.
8.8 Twimo shall be liable for the acts and omissions of its Subprocessors to the same extent Twimo would be liable if performing the Services of each Subprocessor directly under the terms of this Addendum.
9. DATA TRANSFERS
9.1 The Customer understands and acknowledges that its use of our Services may result in Personal Information being transferred to and Processed in other regions and countries, including the United States, where Twimo or our Subprocessors maintain infrastructure or facilities.
9.2 In connection with the use of the Services and the performance of the Customer Agreement, the Customer consents to such transfer and Processing and authorises Twimo to perform such transfer and Processing of Personal Information, in compliance with this Addendum and applicable Data Protection Legislation.
9.3 For transfers and Processing of Personal Information under this Addendum from the European Union, the European Economic Area and/or their member states and Switzerland to countries which do not ensure an adequate level of data protection within the meaning of applicable Data Protection Legislation of the foregoing territories and to the extent such transfers are subject to such applicable Data Protection Legislation, the Customer and Twimo shall enter into the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established In Third Countries pursuant to Commission Decision 2010/87/EU of 5 February 2010 (“Standard Contractual Clauses”), attached hereto as Exhibit A.
10. RETURN OR DISPOSAL OF PERSONAL INFORMATION
10.1 Twimo shall, upon termination of the Customer’s use of the Services and subject to the Customer Agreement, promptly delete Personal Information in Customer Data relating to the Customer’s use of our Services and initiate the purge of such Personal Information from our backups and logs within 60 days from the date of termination.
10.2 Twimo will provide a copy of Personal Information in Customer Data relating to the Customer’s use of our Services, provided we get a request (in written or electronic form) from the Customer before or in conjunction with, but no later than, the request to terminate the Customer’s use of the Services. Depending upon the Personal Information involved and the subscription plan purchased by the Customer, the export of such Personal Information may incur additional fees.
11. OTHER INFORMATION AND NOTIFICATIONS
11.1 Twimo shall notify the Customer of any legally-binding request for disclosure of Personal Information by a law enforcement authority or as required by law, unless otherwise prohibited by law from such disclosure.
11.2 Twimo shall make available to the Customer all information necessary to demonstrate compliance with our obligations laid down in this Addendum and allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer.
12. MISCELLANEOUS
12.1 Conflict : In the event of any conflict or inconsistency between the provisions of the Customer Agreement and this Addendum, the provisions of this Addendum shall prevail. In the event of any conflict or inconsistency between the provisions of this Addendum and the Standard Contractual Clauses in Exhibit A, the Standard Contractual Clauses shall prevail.
12.2 Limitation of Liability : Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ section of the Customer Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Customer Agreement and the Addendum together. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Customer Agreement.
12.3 Severability : Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Customer Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties. The invalid or unenforceable provision will be modified by the court and interpreted so as best to accomplish the objectives of the original provision to the fullest extent permitted by law.
12.4 Governing Law : This Addendum and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the laws of India, without regard to principles of conflicts of laws.
12.5 Jurisdiction : The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of Bangalore, Karnataka, India with respect to any dispute or claim arising out of or in connection with this Addendum.
Standard Contractual Clauses (processors)
The Standard Contractual Clauses referenced in and incorporated into this Addendum can be found at this link https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32010D0087&from=EN.
The Customer agrees to these Standard Contractual Clauses in its role as the data exporter. Twimo agrees to these Standard Contractual Clauses in its role as the data importer.
Appendices 1 and 2 form an integral part of the Standard Contractual Clauses and hence this Addendum. Appendix 1 includes the details of the transfer and in particular the special categories of personal data where applicable. Appendix 2 details the technical and organisational security measures implemented by Twimo.
APPENDIX 1 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses. The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this Appendix.
The data exporter is (please specify briefly your activities relevant to the transfer):
The data exporter is the legal entity that has executed the Standard Contractual Clauses as a data exporter and is the Customer of the data importer’s online collaboration and data management platform that includes its web-based application, website, services and systems.
The data importer is (please specify briefly activities relevant to the transfer):
The data importer is Twimo Solutions Private Limited, a provider of online collaboration and data management platform that includes its web-based application, website, services and systems. Twimo Processes Personal Information upon the instruction of the data exporter in accordance with the terms of the Customer Agreement.
The personal data transferred concern the following categories of data subjects (please specify):
The data exporter may submit Personal Information to the data importer through the Services, the extent of which is determined and controlled by the data exporter in its sole discretion and in compliance with applicable Data Protection Legislation, and which may include, but is not limited to Personal Information relating to the following categories of data subjects: data exporter’s Users (including employees, consultants, contractors, volunteers or agents), donors, volunteers, customers, beneficiaries and any other third-parties.
Categories of data
The personal data transferred concern the following categories of data (please specify):
Any Personal Information comprised in Customer Data which refers individually and collectively to any and all content submitted to the Services via User Accounts related to the Customer’s use of the Services. Such Personal Information may include, but is not limited to, first and last name, address, phone, email and other contact information.
Special categories of data (if appropriate)
The personal data transferred concern the following special categories of data (please specify):
Not applicable, as the data exporter is prohibited from submitting Sensitive Information under the terms of the Customer Agreement.
The personal data transferred will be subject to the following basic processing activities (please specify):
The objective of Processing of Personal Information by the data importer is the performance of the Services pursuant to the Customer Agreement.
APPENDIX 2 TO THE STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the Clauses.
Description of the technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) (or document/legislation attached):
The data importer shall maintain appropriate technical and organisational safeguards for protection of the security, confidentiality and integrity of Personal Information uploaded to the Services, as described in the Security Practices Document.