In the course of the performance of the Services, Candle will have access to or will be provided by the Client, its affiliated companies, subsidiaries and holding company, with certain Personal Data which Candle will need to Process on behalf of the Client. To ensure that all Personal Data at all times is processed in accordance with Data Protection laws, the Parties have agreed to execute this Data Processing Addendum, including its Appendixes (the “DPA”);
With respect to the Processing of the Personal Data, the Client acts as a Data Controller and Candle acts as Data Processor.
This Addendum sets forth the requirements applicable to Personal Data Processed in connection with providing the Services.
It has been agreed as follows:
The following terms have the following meanings when used in this DPA:
Data Protection Laws means the General Data Protection Regulation (EU 2016/679) (GDPR), the Directive on privacy and electronic communications (2002/58/EC), the California Consumer Privacy Act of 2018 and its implementing regulations (CCPA), the California Privacy Rights Act (CPRA), and any other laws applicable to the scope of the Services, including any implementing national laws, any regulatory requirements, guidance and codes of practice applicable to the processing of Personal Data (as amended or replaced from time to time).
Personal Data means information that is Processed solely for Client by or on behalf of Candle in connection with the Services that constitutes “personal data”, “personal information” or its equivalent term under applicable Data Protection Laws.
Process or Processing, Data Subjects, Data Controller (or Controller), Data Processor (or Processor) and Sell have the meaning given to those terms or equivalent terms under Data Protection Laws.
2. ROLES OF THE PARTIES
2.1. The Client shall be the Data Controller and Candle shall be the Data Processor in respect of Personal Data processed by Candle on the Client's behalf in performing its obligations under this DPA.
2.2. The Client shall be solely responsible for determining the purposes for which and the manner in which Personal Data are, or are to be, processed.
3. CANDLE'S OBLIGATIONS
3.1. Candle, as Data Processor, shall comply with the requirements of Data Protection Laws in respect of the provision of the Services and otherwise in connection with this DPA and will assist Client in its compliance with applicable Data Protection Laws.
3.2. Without prejudice to clause 3.1 above, Candle shall in respect of the Processing of the Personal Data:
3.2.1. Process the Personal Data only according to the contractually intended purpose and on written instructions and directions received from the Client (which shall include the terms of this DPA) and comply promptly with all such instructions and directions received from the Client from time to time;
3.2.2. immediately notify the Client if, in Candle's reasonable opinion, any instruction or direction from the Client infringes applicable Data Protection Laws;
3.2.3. not Process the Personal Data or permit it to be Processed or accessed, in whole or in part, other than for the provision of the Services and only to the extent reasonably necessary for the performance of this DPA;
3.2.4. Process the Personal Data in accordance with the specified duration, purpose, type and categories of Data Subjects as set out in Appendix 1 (Particulars of the Data Processing);
3.2.5. not Sell Personal Data and not retain, use, or disclose the Personal Data outside of its direct business relationship with the Client, and then only under the Client's prior written authorization;
3.2.6. not copy, export or extract any Personal Data in any manner and ensure full compliance with this obligation by its representatives and any sub-processors, as defined under this DPA;
3.2.7. ensure that it has in place, and shall maintain for the duration of the DPA or until the destruction of the Personal Data, whichever is later, all necessary or appropriate technical and organizational measures, taking into account the nature and volume of the Personal Data, that are designed to:
(a) protect the integrity, availability, resilience, confidentiality, and security of all Personal Data,
(b) protect the Personal Data against accidental or unlawful destruction, damage, or loss, alteration, or unauthorized disclosure or access,
(c) pseudonymize and encrypt Personal Data as appropriate, and
(d) provide a level of security appropriate to the risk represented by the Processing and the nature of the Personal Data to be protected as required under Data Protection Laws;
3.2.8. ensure full compliance with any technical and organizational measures as set forth in Appendix 2 to the DPA;
3.2.9. keep the Personal Data confidential, and not disclose, in whole or in part, the Personal Data to any person or entity, except to its employees, subcontractors or agents:
(a) on a need-to-know basis and only as necessary for the performance of the Services;
(b) who are duly authorized to this effect as a result of their position and qualification and bound by obligations equivalent to those set out under this Clause 3;
(c) who have received appropriate training about the Data Protection Laws concerning the handling of Personal Data;
(d) who are informed of the confidential nature of the Personal Data; and
(e) who are subject to a duty of confidence.
3.2.10. notify the Client in writing, without undue delay after becoming aware of it, of any accidental, unlawful or unauthorized access to, or loss and/or destruction of, Personal Data on Candle's systems, or as a result of or related to Candle's access to or Processing of such Personal Data, or otherwise during the execution of the Services by Candle ("Personal Data Breach"), with such notice to include relevant known details of the breach such as (i) the time and nature of the incident, (ii) the affected system, the number of Data Subjects affected and the categories of Personal Data affected, (iii) the likely consequences of the Personal Data Breach, (iv) the name and contact details of the data protection officer or other point of contact at Candle where more information can be obtained, and (v) the measures taken or proposed to be taken to address the Personal Data Breach, including measures to mitigate its possible adverse effects. Candle shall co-operate with and assist the Client in any investigation regarding the Personal Data Breach, including with notification obligations as mandated under Data Protection Laws, and shall take all necessary measures to limit further unauthorized disclosure or unauthorized Processing of Personal Data in connection with the Personal Data Breach. Candle shall further assist the Client in complying with its obligation to document any Personal Data Breach by performing a root cause analysis promptly upon becoming aware of such Personal Data Breach and sharing the outcome of that analysis with the Client;
3.2.11. deal promptly and properly with all reasonable enquiries from the Client relating to its Processing of the Personal Data;
3.2.12. assist the Client in conducting any required privacy impact assessment upon request from the Client;
3.2.13. implement privacy by design and privacy by default principles in relation to the tools and applications Candle uses to provide the Services, and especially in relation to any data science and machine learning techniques that may be used for the purposes of the Services;
3.2.14. implement and maintain a complete and updated record of Processing activities of the Personal Data in accordance with the Data Protection Laws. Candle will provide the Client a copy of such record annually upon Client's request;
3.2.15. assist the Client promptly for any exercise of Data Subjects' rights and reasonably cooperate with and support the Client in fulfilling its obligations as Data Controller in relation to such Data Subject requests at all times;
3.2.16. notify the Client promptly upon receipt of any request from a government office, other administrative body or law enforcement authority, or of any court order, to disclose any of the Personal Data, including the basis for the requirement, the scope of the disclosure and to whom the Personal Data must be disclosed, and shall provide all reasonable assistance in opposing such disclosure at the request and cost of the Client;
3.2.17. select any sub-processor it engages with due diligence, and verify whether the sub-processor is able to comply with its obligations under Data Protection Laws in relation to the Processing of Personal Data. Furthermore, Candle shall:
(a) procure that sub-processors enter into written agreements with Candle which contain terms no less onerous than the terms set out under this DPA; and
(b) remain fully liable to the Client for the performance of the sub-processor's obligations under Data Protection Laws and for any acts or omissions of any sub-processors.
Sub-processors may be added and removed at Candle's sole discretion.
3.2.18. make available, up to once per annum upon the Client's reasonable request, the information necessary to demonstrate compliance with its obligations under this DPA and with Data Protection Laws. Candle will allow, at the Client's expense, audits of Candle's systems that are used to Process or access Personal Data, including inspections, conducted during normal business hours with advance written notice and not more than once annually (except in case of a suspected breach or a Personal Data Breach), by the Client or by another auditor mandated by the Client, provided that the auditor has first entered into a confidentiality undertaking covering the audit. Candle shall grant to the Client all reasonable access rights and information required to perform such audits;
4. STANDARD CONTRACTUAL CLAUSES
So long as Candle continues to be located outside the EEA, the United Kingdom, or Switzerland and the Personal Data Processed by Candle pertains to Data Subjects located in the EEA, the United Kingdom, or Switzerland, the Client and Candle agree that the Standard Contractual Clauses for transfers reflecting the roles of the parties as described, in the form approved by the European Commission and currently available at https://ec.europa.eu/info/law/law-topic/data-protection/data-transfers-outside-eu/model-contracts-transfer-personal-data-third-countries_en (as amended or updated from time to time) (“Standard Contractual Clauses”), shall be incorporated by reference and form an integral part of this Addendum. Purely for the purposes of the descriptions in the Standard Contractual Clauses and only as between the Client and Candle, Candle is the “data importer” and the Client is the “data exporter” under the Standard Contractual Clauses. Further, Appendixes 1 and 2 of this Addendum will take the place of Appendixes 1 and 2 of the Standard Contractual Clauses, as applicable.
5. RETURN AND DESTRUCTION OF THE PERSONAL DATA
5.1. At the Client's written request at any time, Candle and the authorized sub-processor (if any) shall promptly return all Personal Data as well as authorized copies (if any) of the Personal Data in its possession, including extracts or other reproductions (if any), whether in written, electronic or other readable and processable format or media, to the Client;
5.2. Upon termination of retention periods as defined by the Client for each category of Personal Data, or upon termination or expiration of the DPA, Candle shall securely delete, remove and destroy all Personal Data processed on behalf of the Client as well as authorized copies (if any) of the Personal Data in its possession, including extracts, backups or other reproductions (if any), whether in written, electronic or other form or media, except where necessary to retain such Personal Data strictly for the purposes of compliance with applicable law.
5.3. Upon Client's written request, Candle shall certify that it has complied with Client's request regarding the return and deletion of the Personal Data.
5.4. Candle shall store all documents evidencing compliance of Processing of the Personal Data with this DPA and Data Protection Laws after termination or expiration of the DPA in accordance with applicable Data Protection Laws;
5.5. The parties acknowledge that Data Protection Laws are evolving over time and that new legislation is anticipated which might increase the Client's or Candle's data protection compliance obligations. The Client shall have responsibility for ensuring that the terms of this DPA satisfy its obligations as Data Controller of the Personal Data, and accordingly may submit to Candle from time to time requests for these terms to be varied to the extent necessary to comply with mandatory requirements of the Data Protection Laws, specifying the scope of the required amendments in sufficient detail. Upon receipt of such a request, Candle shall prepare a document which describes any changes to this DPA, which shall be promptly submitted to the Client for review. For the avoidance of doubt, no such changes shall take effect until a written agreement describing the amendments has been executed by both parties.
6.1. Without limiting the generality of the foregoing, Candle is prohibited from:
6.1.1. using, disclosing, or Processing Personal Data for Candle's own purposes or to provide services to another person or entity, including but not limited to marketing or commercially exploiting (such as selling, renting, or leasing) Personal Data;
6.1.2. retaining, using, or disclosing Personal Data for any purpose other than for the specific purpose of providing Services under the Agreement, including retaining, using, or disclosing Personal Data for a commercial purpose other than providing Services specified in the Agreement; and
6.1.3. retaining, using, or disclosing Client Data outside of the direct business relationship between Client and Candle.
6.1.4. Notwithstanding the foregoing, to the extent permitted by the CCPA/CPRA and other applicable law, Candle may use Personal Data internally to build or improve the quality of the Services, provided that such use does not include building or modifying household or consumer profiles for use in providing services to another business, or correcting or augmenting data acquired from another source.
7. ORDER OF PRECEDENCE
7.1. This Addendum supplements, and does not replace, any existing obligations related to the privacy and security of Personal Data as already set forth in the Agreement. In the event of a conflict between the terms of this Addendum and the Agreement, Candle shall comply with the obligations that provide the most protection for Personal Data. Subject to the foregoing, in the event of any inconsistency or conflict between the terms of the Agreement and this Addendum, the terms of the Agreement shall control.
Appendix 1 - Details of Processing
Types of Data
Any type of data that the Client chooses to store with Candle.
Categories of Data Subjects
Any data subject contained in the data the Client chooses to store with Candle.
Duration of Processing
The Processing is conducted until termination of the Agreement, unless the Client, as Controller, instructs otherwise at its sole discretion.
Nature and Purpose of Processing
Candle is a Platform as a Service ("PaaS") provider who, on behalf of the Client, will Process the data based on the Client's application.
Appendix 2 - Technical and Organizational Measures
Candle may update or modify these Technical and Organizational Measures from time to time provided such updates and modifications will not result in a degradation of the overall security of the Services during the term of the Agreement.
1. Data Center.
Infrastructure. Candle stores all production data in physically secure data centers operated by Microsoft Azure (“Azure”). Azure maintains several compliance certifications covering its operations. These can be viewed at https://azure.microsoft.com/en-us/explore/trusted-cloud/compliance/
Redundancy. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Most Services are designed to allow Candle to perform certain types of preventative and corrective maintenance without interruption. Preventative and corrective maintenance of the Service is scheduled through a standard change process according to documented procedures.
Power. The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations.
Server Operating Systems. Certain Candle servers use a Linux-based implementation customized for the application environment.
Business Continuity. Candle replicates data over multiple systems to help to protect against accidental destruction or loss.
2. Networks & Transmission.
Data Transmission. Data centers are typically connected via virtual private networks. This is designed to prevent data from being read, copied, altered or removed without authorization during electronic transfer. Candle transfers data via Internet standard protocols.
External Attack Surface. Candle employs multiple layers to protect its external attack surface. Candle considers potential attack vectors and incorporates appropriate purpose-built technologies into external facing systems.
Encryption Technologies. Candle makes HTTPS encryption (also referred to as an SSL or TLS connection) available using a minimum of TLS 1.2.
3. Access Controls.
Infrastructure Security Personnel. Candle has, and maintains, a security policy for its personnel, and requires security training as part of the training package for its personnel. Candle's operations personnel are responsible for the ongoing monitoring of Candle's security, the review of the Services, and responding to incidents.
Access Control and Privilege Management. The Controller's administrators must authenticate themselves using multi-factor authentication in order to administer the Services.
4. Data Storage and Isolation.
Candle stores data in a multi-tenant environment. Candle logically isolates the Controller's data, and the Controller will be given control over specific data sharing policies. Those policies, in accordance with the functionality of the Services, will enable the Controller to determine the product sharing settings applicable to end users for specific purposes.
5. Personnel Security.
Candle personnel are required to conduct themselves in a manner consistent with the company's guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Candle conducts reasonably appropriate background checks on all employees.
Personnel are required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Candle's confidentiality and privacy policies. Personnel are provided with security training. Candle's personnel will not process customer data without written authorization.
6. Security by Design.
Candle's platform and software code have been designed with the security of its customers' data in mind. Candle employs a code review process to increase the security of the code used to provide the Services and to enhance the security posture of production environments.