Last updated on February 2023
This Data Processing Addendum (this “Addendum”) forms part of the Appspace End User Agreement (the “Agreement”) between you (“you” or “Customer”) and Appspace, Inc. a corporation formed under the laws of the state of Delaware, with offices located at 5005 LBJ Freeway, Suite 1100, Dallas, Texas 75244, USA (“Appspace”) for the provision of the Products. Capitalized terms not expressly defined in this Addendum will have the meanings given to them in the Agreement. Appspace may modify this Addendum from time to time, subject to the terms in Section 15.7 (Amendment) of the Agreement. If and to the extent language in this Addendum or any of its Appendices conflicts with the Agreement, this Addendum shall take precedence. The term of this Addendum corresponds to the duration of the Agreement.
“Data Protection Legislation” means all applicable laws and regulations relating to the processing of personal data and privacy, including where applicable, the California Consumer Privacy Act of 2018, Cal. Civil Code § 1798.100 et seq., (“CCPA”), California Privacy Rights Act of 2020 (“CPRA”), Virginia Consumer Data Protection Act (“VCDPA”), as well as any guidance notes and codes of practice issued by the European Commission, European Data Protection Board and applicable national supervisory authorities including without limitation the UK Data Protection Act 2018, UK GDPR, GDPR and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (ePrivacy Directive), the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426), Swiss Data Protection Act 2020 and all local or national laws and regulations implementing the aforementioned, in each case as may be updated, amended, supplemented or replaced from time to time.
“GDPR” means EU Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data.
2. Data Protection
2.1 Roles of the Parties. The provisions of this Section 2 shall apply to the Processing by Appspace of Customer Personal Data in the course of providing Customer the Products, as detailed in Appendix 1A of this Addendum. Customer is the Data Controller and/or Business and Appspace is the Data Processor and/or Service Provider in relation to Customer Personal Data.
2.3.1 implement appropriate technical and organizational measures necessary to meet the requirements of Article 32 of the GDPR;
2.3.2 taking into account the nature of the Processing and the information available to Appspace, reasonably assist Customer to fulfill Customer’s obligations under Data Protection Legislation:
(ii) with respect to Articles 32 to 36 of the GDPR.
2.6 Appspace’s Subprocessors. Appspace shall not engage another Processor to process Customer Personal Data without Customer’s prior written authorization. Customer specifically authorizes the engagement of Appspace’s Affiliates as Subprocessors, as listed in Appendix 1A. In addition, to the extent necessary to fulfill Appspace’s contractual obligations under the Agreement and subject to Appspace’s compliance with this Section 2.6, Customer generally authorizes Appspace to engage other Subprocessors, such as Google, Inc., whose Processing activities shall occur in US.
2.6.1 When engaging any Subprocessor, Appspace ensures that:
(i) the Subprocessor only processes Customer Personal Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the Agreement (including this Addendum);
(iii) Appspace remains fully liable to Customer where the Subprocessor fails to fulfil its data protection obligations under the Agreement.
2.9 Deletion or Return of Customer Personal Data. Appspace shall retain Customer Personal Data for the term of the Agreement provided that such retention does not conflict with a Data Subject request made pursuant to Section 2.3.2. Upon expiration or termination of the Agreement and upon Customer’s written request, Appspace will securely destroy or return to Customer in a format of Appspace’s choosing all Customer Personal Data, and destroy existing copies. Notwithstanding the foregoing, Appspace may retain copies of the Customer Personal Data disclosed hereunder that are contained in routine system backups or are necessary to fulfill its ongoing obligations or exercise its ongoing rights hereunder, subject to the ongoing obligation to maintain the confidentiality of such information in accordance with the terms the Agreement and this Addendum.
2.11 Data Protection Impact Assessment. Solely upon Customer’s reasonable request, Appspace may undertake an assessment when applicable to relevant Data Protection Legislation and complete any elements required for a data protection impact assessment. Such request for the data protection impact assessment, shall only be in response to Appspace processing Customer Personal Data that is likely to result in a high risk to the rights and freedoms of natural persons. Prior to such processing, Customer shall carry out an assessment on potential impact of the future processing operations on the protection of Customer Personal Data.
2.12 Data Protection Officer. The contact details for the team responsible for data protection at Appspace are: Sam Baxter, Chief Information Security Officer, email@example.com
2.13 European Economic Area Data Transfers. Upon separate, prior written approval from Customer, Appspace and its Subprocessors will be authorized to transfer Customer Personal Data across international borders, including from the European Economic Area, Switzerland, and/or the United Kingdom to the United States. If Customer Personal Data originating in the European Economic Area, Switzerland, and/or the United Kingdom is transferred by Customer to Appspace in a country that has not been found to provide an adequate level of protection under Data Protection Legislation, the Parties agree to execute the EU/EEA SCCs and any necessary amendment to this DPA, but to the extent that and for so long as the EU/EEA SCCs cannot be relied on for a lawful transfer in compliance with the UK Data Protection Law or the Swiss DPA, the Parties agree to execute the UK SCCs or Swiss SCCS (or such applicable, superseding standard contractual clauses).
2.14 Compliance with UK Addendum. Customer and Appspace acknowledge and agree the UK Addendum will hereby be incorporated and apply to International Data Transfers out of the UK. Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Customer and the “Importer” is Appspace, and their details are set forth in this section and the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Module 2 Standard Contractual Clauses; (iii) in Table 3, Annexes 1 (A and B) & III, and II to the “Approved EU SCCs” are found in Appendix 1A and Appendix 1B respectively; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
2.15 Compliance with Data Protection Legislation Each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of Customer Personal Data and the performance of the Agreement and this Addendum, including without limitation, compliance with Article 31 of GDPR. With respect to Customer Personal Data, Customer as the Data Controller, is responsible the administration and management of Customer Personal Data, in addition to, obtaining, and demonstrating evidence that is has obtained all authorizations, lawful bases, and consents necessary for Appspace to Process Customer Personal Data in accordance with the Agreement and this Addendum..
2.16 Data Subject Requests. Customer is responsible for communications and efforts to comply with requests made by Data Subjects under the Data Protection Legislation. If any such request requires Appspace assistance, Customer shall notify Appspace of the Data Subject request in a reasonable amount of time and sent to firstname.lastname@example.org
2.17 Limitation on Disclosure of Customer Personal Data. To the extent legally permitted, Appspace shall: (i) promptly notify Customer in writing upon receipt of an order, demand, or document purporting to request, demand or compel the production of Customer Personal Data to any third party, including, but not limited to the United States government for surveillance and/or other purposes; and (ii) to the extent possible, provide at least seventy-two (72) hours’ notice prior to disclosing Customer Personal Data to any third party without providing Customer, so that Customer may, at its own expense, exercise such rights as it may have under applicable laws to prevent or limit such disclosure.
4.1 Save as specifically modified and amended in this Addendum, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. Except as otherwise expressly provided herein, no supplement, modification, or amendment of this Addendum will be binding, unless executed in writing by a duly authorized representative of each Party to this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the Parties.
Details of Personal Data Processing
The subject matter
and duration of the
SYSTEMS: Appspace workplace experience hosted platform
SUBJECT MATTER: The subject-matter of the Processing is the provision of the Products that involves the Processing of Customer Personal Data.
DURATION OF PROCESSING: The Processing will be carried out until the Agreement terminates.
PURPOSES OF PROCESSING: In accordance GDPR Art. 6, the lawful processing of information will be conducted to meet the performance of the contract (EULA)
LEGAL BASIS FOR PROCESSING: EU and EEA organizations agree the legal basis for collecting, using and processing personal data as described below is in order for their users to experience the full benefits of the Appspace platform in accordance with Appspace’s EULA
NATURE OF PROCESSING: As part of our data minimization practices, the collection, storage and other Processing necessary to provide, maintain, and optimize the Products provided to Customer in accordance with the Agreement.
SPECIAL CATEGORIES OF PERSONAL DATA: Appspace does not knowingly collect (and Customer shall not submit or upload) any special categories of data as defined under the Data Protection Legislation.
Customer and Affiliates employees and/or users.
Area of use
London, United Kingdom
Appendix 1BProcessor and Sub-Processor Internal Security Measures
2. Access control to systems
Measures must be taken to prevent unauthorized access to IT systems. These must include the following technical and organizational measures for user identification and authentication:
3. Access control to data
Measures must be taken to prevent authorized users from accessing data beyond their authorized access rights and prevent the unauthorized input, reading, copying, removal modification or disclosure of data. These measures shall include:
Integrity (Article 32(1)(b) GDPR)
1. Disclosure control
Measures must be taken to prevent the unauthorized access, alteration or removal of data during transfer, and to ensure that all transfers are secure and are logged. These measures shall include:
2. Input controlMeasures must be put in place to ensure all data management and maintenance is logged, and an audit trail of whether data have been entered, changed or removed (deleted) and by whom must be maintained. Measures should include:
3. Job control
Measures should be put in place to ensure that data is processed strictly in compliance with the data importer’s instructions. These measures must include:
Availability and Resilience (article 32(1)(b))
1. Availability control
Measures should be put in place designed to ensure that data are protected against accidental destruction or loss. These measures must include:
2. Segregation control
Measures should be put in place to allow data collected for different purposes to be processed separately. These measures should include: