Data Processing Addendum

This Data Processing Addendum (this “Addendum”) forms part of the Appspace End User Agreement (the “Agreement”) between you (“you” or “Customer”) and Appspace, Inc. a corporation formed under the laws of the state of Delaware, with offices located at 5005 LBJ Freeway, Suite 1100, Dallas, Texas 75244, USA (“Appspace”) for the provision of the Products. Capitalized terms not expressly defined in this Addendum will have the meanings given to them in the Agreement. Appspace may modify this Addendum from time to time, subject to the terms in Section 15.7 (Amendment) of the Agreement. If and to the extent language in this Addendum or any of its Appendices conflicts with the Agreement, this Addendum shall take precedence. The term of this Addendum corresponds to the duration of the Agreement.

By clicking “I agree” (or similar button) that is presented to you at the time you receive your license key or access to Appspace products, or by using or accessing Appspace products or services, you indicate your assent to be bound by this Addendum. If you do not agree to the terms of this Addendum, you are not authorized to, and should not use, any Appspace products or services.
1. Definitions “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable, the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”), as well as any guidance notes and codes of practice issued by the European Commission, European Data Protection Board and applicable national supervisory authorities including without limitation the UK Data Protection Act 2018, UK GDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), Swiss Data Protection Act 2020 and all local or national laws and regulations implementing the aforementioned, in each case as may be updated, amended, supplemented or replaced from time to time.
“Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.
“Customer Personal Data” means the Personal Data within Customer Data Processed by Appspace on Customer’s behalf in the course of providing Products to Customer.

“GDPR” means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.

“International Data Transfer” means any transfer of Customer Personal Data from the EEA, Switzerland or the United Kingdom to an international organization or to a country outside of the EEA, Switzerland and the United Kingdom.
“Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Legislation.
“Process” or “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment or combination, restriction, erasure, or destruction.
Personal Data Breach” means the actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
Standard Contractual Clauses” means (i) where the GDPR applies, the standard contractual clauses adopted by the European Commission in its Implementing Decision (EU) 2021/91 of 4 June 2021 (the “EU/EEA SCCs”); (ii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”); and (iii) where UK Data Protection Law apply, the standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR (the “UK SCCs”).
Subprocessor” means Appspace’s authorized Affiliates, vendors and third-party service providers that Process Customer Personal Data in the course of providing the Products.
UK Addemdum” means the addendum to the Standard Contractual Clauses issued by the UK information Commissioner under Section 119A(1) of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022).
“UK GDPR” means means the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
Data Controller”, “Data Processor”, “Business”, and “Service Provider”, shall be interpreted in accordance with applicable Data Protection Legislation.

2. Data Protection

2.1 Roles of the Parties. The provisions of this Section 2 shall apply to the Processing by Appspace of Customer Personal Data in the course of providing Customer the Products, as detailed in Appendix 1A of this Addendum. Customer is the Data Controller and/or Business and Appspace is the Data Processor and/or Service Provider in relation to Customer Personal Data.

2.2 Processing Instructions. Appspace will Process the Customer Personal Data only in accordance with Customer’s documented instructions as set forth in this Addendum and the Agreement or as directed and documented by Customer through the Products, and in accordance with the requirements of Article 28(3) of GDPR. If Data Protection Legislation requires Appspace to Process the Customer Personal Data for any other purpose, Appspace will notify Customer of this requirement before processing, unless such law(s) prohibit the giving of notice on important grounds of public interest. Appspace will notify Customer promptly if, in Appspace’s opinion, an instruction for the Processing of Customer Personal Data given by Customer violates applicable Data Protection Legislation.
2.3 Assistance under Data Protection Legislation. Where Appspace processes the Customer Personal Data under or in connection with the performance of its obligations under the Agreement, Appspace shall:

2.3.1 implement appropriate technical and organizational measures necessary to meet the requirements of Article 32 of the GDPR;

2.3.2 taking into account the nature of the Processing and the information available to Appspace, reasonably assist Customer to fulfill Customer’s obligations under Data Protection Legislation:

(i) where possible, to respond to requests from Customers concerning Data Subjects exercising their rights in Customer Personal Data under Data Protection Legislation (e.g., access, rectification, erasure, data portability, etc.). If a request is sent directly to Appspace, Appspace will inform the requester to contact the Customer which is responsible for their Personal Data and will not otherwise respond to the request. In the event Appspace is unable to delete Customer Personal Data for reasons permitted under the Data Protection Legislation, Appspace shall (a) promptly inform Customer of the reason(s) for its inability to fulfill the deletion request, (b) ensure the continued privacy, confidentiality and security of such Customer Personal Data, and (c) delete the Customer Personal Data promptly after the reason(s) for Appspace’s inability to delete such data has expired

(ii) with respect to Articles 32 to 36 of the GDPR.

If changes in Data Protection Legislation result in new material obligations as it relates to Appspace’s assistance under this Section 2.3.2, the Parties will work together in good faith to agree upon an acceptable resolution. Each Party shall be responsible for its own costs incurred under this Section 2.3.2; and
2.3.3 make available to Customer all information reasonably requested by Customer for the purpose of demonstrating that Customer’s obligations relating to the appointment of Data Processors as set out in Article 28 of the GDPR have been met.
2.4 Information Security. In accordance with Appendix 1B, Appspace will implement and maintain commercially reasonable technical, administrative, and physical security measures designed to protect the Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful Processing, accidental loss, destruction, damage or theft of Customer Personal Data and appropriate to the nature of the Customer Personal Data which is to be protected. In an effort to improve Appspace’s overall security, Appspace may amend its security measures, provided that the new or replacement measures do not reduce the level of security provided by the existing measures. Notwithstanding the foregoing, such safeguards shall, at a minimum, be no less rigorous than accepted industry practices for information security or other applicable industry standards.
2.5 Personal Data Breach. Upon discovering or otherwise becoming aware of a Personal Data Breach, Appspace will notify Customer without undue delay (but no more than seventy-two (72) hours). Such notification shall not be interpreted or construed as an admission of fault or liability by Appspace.

2.6 Appspace’s Subprocessors. Appspace shall not engage another Processor to process Customer Personal Data without Customer’s prior written authorization. Customer specifically authorizes the engagement of Appspace’s Affiliates as Subprocessors, as listed in Appendix 1A. In addition, to the extent necessary to fulfill Appspace’s contractual obligations under the Agreement and subject to Appspace’s compliance with this Section 2.6, Customer generally authorizes Appspace to engage other Subprocessors, such as Google, Inc., whose Processing activities shall occur in US.

2.6.1 When engaging any Subprocessor, Appspace ensures that:

(i) the Subprocessor only processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum);

(ii) data protection obligations consistent with those described in this Addendum are imposed on the Subprocessor through a written agreement; and

(iii) Appspace remains fully liable to Customer where the Subprocessor fails to fulfil its data protection obligations under the Agreement.

2.6.2 Prior to engaging any new Subprocessor, Appspace will, at least ten (10) days before the new Subprocessor Processes any Customer Personal Data, inform Customer of the engagement (including the name and location of the relevant Subprocessor and the activities it will perform) in accordance with applicable Data Protection Legislation.
2.6.3 Customer may object to Appspace’s use of a new Subprocessor by notifying Appspace within ten (10) days after notice has been given with Customer’s grounds for its objection. In the event Customer objects to a new Subprocessor, as permitted in the preceding sentence, Appspace will use commercially reasonable efforts to make available to Customer a change in the Products or recommend a commercially reasonable change to Customer’s configuration or use of the Products to avoid Processing of Customer Personal Data by the objected-to new Subprocessor without unreasonably burdening Customer. If Appspace is unable to make available such change within a reasonable period of time, which shall not exceed thirty (30) days, either Party may terminate without penalty the applicable Order with respect only to those Products which cannot be provided by Appspace without the use of the objected-to new Subprocessor by providing written notice. Appspace will refund Customer any prepaid, unused fees covering the remainder of the term of such applicable Order following the effective date of termination with respect to such terminated Products, without imposing a penalty on Customer for such termination.
2.7 Confidentiality. Appspace will ensure that Appspace’s personnel with access to the Customer Personal Data are subject to a binding duty of confidentiality with regard to such Customer Personal Data. Except as set forth in Section 2.6 above or in accordance with documented instructions from Customer (as set forth in this Addendum or the Agreement or as directed by Customer through the Products), Appspace will ensure that none of Appspace’s personnel publish, disclose or divulge any Customer Personal Data to any third party.
2.8 Selling of Customer Personal Data Prohibited. The Customer Personal Data that Customer discloses to Appspace is provided to Appspace for a Business Purpose, as defined under the CCPA, and nothing about the Agreement or the Services involves the “selling” or a “sale” of Customer Personal Data under Cal. Civ. Code § 1798.140(t)(1).
2.9 Deletion or Return of Customer Personal Data. Appspace shall retain Customer Personal Data for the term of the Agreement provided that such retention does not conflict with a Data Subject request made pursuant to Section 2.3.1. Upon expiration or termination of the Agreement and upon Customer’s written request, Appspace will securely destroy or return to Customer in a format of Appspace’s choosing all Customer Personal Data, and destroy existing copies. Notwithstanding the foregoing, Appspace may retain copies of the Customer Personal Data disclosed hereunder that are contained in routine system backups or are necessary to fulfill its ongoing obligations or exercise its ongoing rights hereunder, subject to the ongoing obligation to maintain the confidentiality of such information in accordance with the terms the Agreement and this Addendum.
2.10 Audits. Appspace is regularly audited by independent third-party auditors and internal auditors to test and verify the security controls of Appspace and its people. Upon request and provided that the Parties have an applicable non-disclosure agreement in place, Appspace will allow Customer and Customer’s authorized representatives to access and review up-to-date attestations, reports (e.g. external auditors) or suitable certifications to ensure compliance with the terms of this Addendum. Notwithstanding the foregoing, any review of aforementioned materials or audit must be conducted during Appspace’s regular business hours, with reasonable advance notice to Appspace and subject to reasonable confidentiality procedures. In addition, reviews and/or audits shall be limited to once per year, unless (a) Appspace has experienced a Personal Data Breach within the prior twelve (12) months; (b) an audit is carried out at the direction of a government entity; or (c) an audit reveals a material noncompliance. Appspace shall be entitled to charge Customer a reasonable fee for any Appspace effort or costs in complying with this Section 2.10.
2.11 Data Protection Officer. The contact details for the team responsible for data protection at Appspace are: Sam Baxter, Chief Information Security Officer, privacy@appspace.com
2.12 European Economic Area Data Transfers. Upon separate, prior written approval from Customer, Appspace and its Subprocessors will be authorized to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Appspace in a country that has not been found to provide an adequate level of protection under Data Protection Legislation, the Parties agree to execute the EU/EEA SCCs and any necessary amendment to this DPA, but to the extent that and for so long as the EU/EEA SCCs cannot be relied on for a lawful transfer in compliance with the UK Data Protection Law or the Swiss DPA, the Parties agree to execute the UK SCCs or Swiss SCCS (or such applicable, superseding standard contractual clauses).
2.13 Compliance with UK Addendum. Customer and Appspace acknowledge and agree the UK Addendum will hereby be incorporated and apply to International Data Transfers out of the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Appspace, and their details are set forth in this section and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Module 2 Standard Contractual Clauses; (iii) in Table 3, Annexes 1 (A and B) & III, and II to the “Approved EU SCCs” are found in Appendix 1A and Appendix 1B respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.

2.14 Compliance with Data Protection Legislation Each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of Customer Personal Data and the performance of the Agreement and this Addendum, including without limitation, compliance with Article 31 of GDPR. With respect to Customer Personal Data, Customer as the Data Controller, is responsible the administration and management of Customer Personal Data, in addition to, obtaining, and demonstrating evidence that is has obtained all authorizations, lawful bases, and consents necessary for Appspace to Process Customer Personal Data in accordance with the Agreement and this Addendum..

2.15 Data Subject Requests. Customer is responsible for communications and efforts to comply with requests made by Data Subjects under the Data Protection Legislation. If any such request requires Appspace assistance, Customer shall notify Appspace of the Data Subject request in a reasonable amount of time and sent to privacy@appspace.com

2.16 Limitation on Disclosure of Customer Personal Data. To the extent legally permitted, Appspace shall: (i) promptly notify Customer in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Customer Personal Data to any third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) to the extent possible, provide at least seventy-two (72) hours’ notice prior to disclosing Customer Personal Data to any third party without providing Customer, so that Customer may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure.
3. Customer Obligations

3.1 Customer shall continue at all times to have in place recognized lawful legal bases under Data Protection Legislation and all necessary data privacy notices to ensure that all processing of personal data by the Processor and all Subprocessors that is contemplated by this Addendum will be lawful and shall not contravene the obligations of a data controller under Data Protection Legislation.

4. Miscellaneous

4.1 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. Except as otherwise expressly provided herein, no supplement, modification, or amendment of this Addendum will be binding, unless executed in writing by a duly authorized representative of each Party to this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the Parties.

Appendix 1A

Details of Personal Data Processing

This summary sets out details of the processing of Customer Personal Data under the Agreement by Appspace and any authorized Subprocessors (as listed below):

The subject matter
and duration of the
Processing

SYSTEMS: Appspace workplace experience hosted platform

SUBJECT MATTER: The subject-matter of the Processing is the provision of the Products that involves the Processing of Customer Personal Data.

DURATION OF PROCESSING: The Processing will be carried out until the Agreement terminates.

The nature and purpose of the Processing

PURPOSES OF PROCESSING: In accordance GDPR Art. 6, the lawful processing of information will be conducted to meet the performance of the contract (EULA)

LEGAL BASIS FOR PROCESSING: EU and EEA organizations agree the legal basis for collecting, using and processing personal data as described below is in order for their users to experience the full benefits of the Appspace platform in accordance with Appspace’s EULA

NATURE OF PROCESSING: As part of our data minimization practices, the collection, storage and other Processing necessary to provide, maintain, and optimize the Products provided to Customer in accordance with the Agreement.

The types of
Personal Data being
Processed

PERSONAL DATA:

  • ● Data Subject – Direct identifying information (e.g., first name, last name, and email address).
  • ● Indirect identifying information (e.g., job title, telephone number)
  • ● Device identification and traffic data (e.g., Geolocation, IP addresses, cookies).

SPECIAL CATEGORIES OF PERSONAL DATA: Appspace does not knowingly collect (and Customer shall not submit or upload) any special categories of data as defined under the Data Protection Legislation.

The categories of Data Subject

Customer and Affiliates employees and/or users.

Approved Subprocessors of Personal Data are:

#

Name

Territory

Area of use

1

Google, LLC
Iowa, United States
Cloud Hosting Services

2

Google, LLC
St. Ghislain, Belgium
Cloud Hosting Services

3

Google, LLC

London, United Kingdom

Cloud Hosting Services

Appendix 1B

Processor and Sub-Processor Internal Security Measures
Confidentiality (Article 32(1)(b) GDPR) 1. Access control to premises and facilities Measures must be taken to prevent unauthorized physical access to premises and facilities holding Customer Personal Data. Measures shall include:
  • ● Access control system
  • ● ID reader, magnetic card, chip card
  • ● (Issue of) keys
  • ● Door locking (electric door openers etc.)
  • ● Surveillance facilities
  • ● Alarm system, video/CCTV monitor
  • ● Logging of facility exits/entries

2. Access control to systems 

Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:

  • ● Password procedures (incl. special characters, minimum length, forced change of password)
  • ● Hashing, Encryption and Cryptography measures
  • ● No access for guest users or anonymous accounts
  • ● Central management of system access
  • ● Access to IT systems subject to approval from HR management and IT system administrators
  •  

3. Access control to data

Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized input, reading, copying, removal modification or disclosure of data. These measures shall include:

  • ● Differentiated access rights
  • ● Access rights defined according to duties
  • ● Automated log of user access via IT systems
  • ● Measures to prevent the use of automated data-processing systems by unauthorized persons using data communication equipment

Integrity (Article 32(1)(b) GDPR)

1. Disclosure control

Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:

  • Compulsory use of encrypted private networks for all data transfers
  • Creating an audit trail of all data transfers

2. Input control

Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
  • ● Logging user activities on IT systems
  • ● That it is possible to verify and establish to which bodies Customer Personal Data have been or may be transmitted or made available using data communication equipment
  • ● That it is possible to verify and establish which Customer Personal Data have been input into automated data-processing systems and when and by whom the data have been input;

3. Job control

Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:

  • ● Unambiguous wording of contractual instructions
  • ● Monitoring of contract performance

Availability and Resilience (article 32(1)(b))

1. Availability control

Measures should be put in place designed to ensure that data are protected against accidental destruction or loss. These measures must include:

  • ● Installed systems may, in the case of interruption, be restored
  • ● Systems are functioning, and that faults are reported
  • ● Stored Customer Personal Data cannot be corrupted by means of a malfunctioning of the system
  • ● Uninterruptible power supply (UPS)
  • ● Business Continuity procedures
  • ● Remote storage
  • ● Antivirus/firewall systems

2. Segregation control

Measures should be put in place to allow data collected for different purposes to be processed separately. These measures should include:

  • ● Restriction of access to data stored for different purposes according to staff duties
  • ● Segregation of business IT systems
  • ● Segregation of IT testing and production environments
  •