This Data Processing Addendum (this “Addendum”) forms part of the Appspace End User Agreement (the “Agreement”) between you (“you” or “Customer”) and Appspace, Inc., a corporation formed under the laws of the state of Delaware, with offices located at 5005 LBJ Freeway, Suite 1100, Dallas, Texas 75244, USA (“Appspace”) for the provision of the Products. Capitalized terms not expressly defined in this Addendum will have the meanings given to them in the Agreement. Appspace may modify this Addendum from time to time, subject to the terms in Section 15.7 (Amendment) of the Agreement. If and to the extent language in this Addendum or any of its Appendices conflicts with the Agreement, this Addendum shall take precedence. The term of this Addendum corresponds to the duration of the Agreement.
“GDPR” means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.
2. Data Protection
2.1 Roles of the Parties. The provisions of this Section 2 shall apply to the Processing by Appspace of Customer Personal Data in the course of providing Customer the Products, as detailed in Appendix 1A of this Addendum. Customer is the Data Controller and/or Business and Appspace is the Data Processor and/or Service Provider in relation to Customer Personal Data.
2.3.1 implement appropriate technical and organizational measures necessary to meet the requirements of Article 32 of the GDPR;
2.3.2 taking into account the nature of the Processing and the information available to Appspace, reasonably assist Customer to fulfill Customer’s obligations under Data Protection Legislation:
(ii) with respect to Articles 32 to 36 of the GDPR.
2.6 Appspace’s Subprocessors. Appspace shall not engage another Processor to process Customer Personal Data without Customer’s prior written authorization. Customer specifically authorizes the engagement of Appspace’s Affiliates as Subprocessors, as listed in Appendix 1A. In addition, to the extent necessary to fulfill Appspace’s contractual obligations under the Agreement and subject to Appspace’s compliance with this Section 2.6, Customer generally authorizes Appspace to engage other Subprocessors, such as Google, Inc., whose Processing activities shall occur in the US.
2.6.1 When engaging any Subprocessor, Appspace ensures that:
(i) the Subprocessor only processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum);
(iii) Appspace remains fully liable to Customer where the Subprocessor fails to fulfil its data protection obligations under the Agreement.
2.14 Compliance with Data Protection Legislation. Each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of Customer Personal Data and the performance of the Agreement and this Addendum, including without limitation, compliance with Article 31 of GDPR. With respect to Customer Personal Data, Customer, as the Data Controller, is responsible for the administration and management of Customer Personal Data, in addition to obtaining, and demonstrating evidence that it has obtained, all authorizations, lawful bases, and consents necessary for Appspace to Process Customer Personal Data in accordance with the Agreement and this Addendum.
2.15 Data Subject Requests. Customer is responsible for communications and efforts to comply with requests made by Data Subjects under the Data Protection Legislation. If any such request requires Appspace assistance, Customer shall notify Appspace of the Data Subject request in a reasonable amount of time, with the notification sent to firstname.lastname@example.org
4.1 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. Except as otherwise expressly provided herein, no supplement, modification, or amendment of this Addendum will be binding, unless executed in writing by a duly authorized representative of each Party to this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the Parties.
Details of Personal Data Processing
The subject matter
and duration of the
SYSTEMS: Appspace workplace experience hosted platform
SUBJECT MATTER: The subject-matter of the Processing is the provision of the Products that involves the Processing of Customer Personal Data.
DURATION OF PROCESSING: The Processing will be carried out until the Agreement terminates.
PURPOSES OF PROCESSING: In accordance with GDPR Art. 6, the lawful processing of information will be conducted to meet the performance of the contract (EULA).
LEGAL BASIS FOR PROCESSING: EU and EEA organizations agree the legal basis for collecting, using and processing personal data as described below is in order for their users to experience the full benefits of the Appspace platform in accordance with Appspace’s EULA.
NATURE OF PROCESSING: As part of our data minimization practices, the collection, storage and other Processing necessary to provide, maintain, and optimize the Products provided to Customer in accordance with the Agreement.
SPECIAL CATEGORIES OF PERSONAL DATA: Appspace does not knowingly collect (and Customer shall not submit or upload) any special categories of data as defined under the Data Protection Legislation.
Customer and Affiliates employees and/or users.
Area of use
London, United Kingdom
Appendix 1B Processor and Sub-Processor Internal Security Measures
2. Access control to systems
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
3. Access control to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized input, reading, copying, removal, modification or disclosure of data. These measures shall include:
Integrity (Article 32(1)(b) GDPR)
1. Disclosure control
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
2. Input control
Measures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
3. Job control
Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:
Availability and Resilience (Article 32(1)(b))
1. Availability control
Measures should be put in place designed to ensure that data are protected against accidental destruction or loss. These measures must include:
2. Segregation control
Measures should be put in place to allow data collected for different purposes to be processed separately. These measures should include: