Prommt’s obligations under this DPA are in addition to and not in lieu of its obligations under other provisions of the Agreement. In the event of a conflict between the terms of the Agreement and the terms of this DPA, the terms that afford Customer the greater protection shall apply.
In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.
Processing of Personal Data
Roles of the Parties. The parties acknowledge and agree that with regard to Personal Data:
Customer Affiliates. Prommt shall also provide the Services to, and Process Personal Data provided by or on behalf of, Affiliates of Customer. In such circumstances, each Affiliate shall have the same Controller or Processor status as the Customer in respect of the Personal Data that it provides to Prommt and such Affiliate shall have the same rights that Customer has under this DPA.
Prommt’s Processing of Personal Data
Purpose; Categories of Personal Data and Data Subjects. The purpose of Processing of Personal Data by Prommt is the performance of the Services pursuant to the Agreement and the duration of the Processing shall, subject to the provisions of the Agreement, be the term of the Agreement. The types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Attachment 1 (Data Processing Details Addendum).
Limitation on Disclosure. Other than as expressly permitted by the Agreement or required by law, Prommt shall not disclose Personal Data to any third parties without Customer’s prior consent.
Prommt shall, to the extent permitted by law, promptly notify Customer upon (and in no event later than two business days after) receipt of a Data Subject Request or any other request or complaint of a Data Subject relating to Personal Data. Prommt shall not respond to any such Data Subject Request without Customer’s prior written instructions.
Prommt shall promptly and without undue delay provide such co-operation and assistance and take such action as Customer may reasonably request (including assistance by appropriate technical and organisational measures) to allow Customer to fulfil its obligations to clients or under Data Protection Laws in respect of such requests or complaints, including, without limitation, meeting any deadlines imposed by such obligations.
Prommt shall ensure that its personnel engaged in Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements in respect of the Personal Data that survive termination of the personnel engagement.
Prommt shall not authorise a Subcontractor to process Personal Data without the prior written consent of Customer. Prommt shall ensure that the subcontract entered into with any Subcontractor imposes on the Subcontractor equivalent obligations as those to which Prommt is subject under this DPA. Prommt shall be responsible and liable for the acts, omissions or defaults of its Subcontractors in the performance of obligations under this Agreement or otherwise as if they were Prommt’s own acts, omissions or defaults.
Prommt shall take technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of Prommt systems used for Processing Personal Data and protect against the unlawful destruction, loss, alteration, unauthorised disclosure of or access to Personal Data transmitted, stored or otherwise Processed.
Prommt agrees to notify Customer immediately (but in no case later than 48 hours) after becoming aware to a reasonable degree of certainty of a Security Incident. Notification must include a phone call and email to Customer’s primary account contact, with a copy email to Client Contact email. Notification shall include at a minimum (a) a description of the Security Incident including impact and likely consequences thereof, (b) the expected resolution time (if it has not already been resolved), (c) corrective measures to be taken, evaluation of alternatives, and next steps, and (d) the name and phone number of the Prommt representative that Customer may contact to obtain further information and updates.
Prommt will perform regular (i.e. at least quarterly) vulnerability tests and assessments against all systems Processing Personal Data, and shall perform regular (i.e. at least annually) penetration tests against any Internet-facing systems used in connection with the Services. Prommt further agrees to perform regular (i.e. at least annually) risk assessments of the physical and logical security measures and safeguards it maintains applicable to its protection of Personal Data. With respect to systems Processing Personal Data, Prommt will provide Customer, upon request, a summary report of such tests and assessments, including a description of any significant (i.e. moderate or greater) risks identified and an overview of the remediation effort(s) undertaken to address such risks.
In addition to any other audit obligations that may be contained in this Agreement, Customer or its designated third party, at its sole expense, may inspect (i) Prommt’s information security and privacy policies, practices and procedures applicable to the systems, applications, and facilities Processing Personal Data, including data centres or premises where the Personal Data is stored at or accessed from, and (ii) Prommt’s Processing practices, (“Inspection”). Prommt shall make relevant personnel available for interviews and provide all information and assistance reasonably requested by Customer in connection with any such Inspections, including, without limitation, such information as Customer requires to verify compliance with the Agreement, this DPA and Data Protection Laws. Prommt shall take such remedial actions as are reasonably required by Customer following the Inspection.
Prommt shall not transfer or otherwise process, or permit Personal Data to be Processed, outside the EEA/UK (as applicable) unless the transfer is on the basis of an adequacy decision granted pursuant to Article 45(3) of the GDPR (or where applicable, UK GDPR),
Or
Prommt shall promptly and without undue delay notify Customer of all enquiries or requests from a Regulator that Prommt receives which relate to the Processing of Personal Data, the provision or receipt of the Services or either party’s obligations under this Agreement, unless prohibited from doing so at law or by the Regulator. If Prommt or Customer receives such an enquiry or request from a Regulator, Prommt shall promptly and without undue delay provide Customer with such information as Customer may reasonably request to satisfy such enquiry or request.
Unless a Customer notifies Prommt that Prommt will be responsible for handling a particular communication or correspondence with a Regulator or a Regulator requests in writing to engage directly with Prommt, Customer will handle all communications and correspondence relating to Personal Data or the Services.
Customer shall have the right, at its sole discretion, to assume control of the defence and settlement of any governmental or regulatory proceeding or third-party claim that relates to the Processing of Personal Data, including claims against Prommt or its Subcontractors, provided that Customer shall not enter into any compromise or settlement of such claim or compromise any such claim without Prommt’s prior written consent if such compromise or settlement would assert any liability against Prommt, increase the liability (including under an indemnity) of Prommt, or impose any obligations or restrictions on Prommt, such as imposing an injunction or other equitable relief upon Prommt. Where required, such consent shall not be unreasonably withheld or delayed. Customer’s exercise of such right under this clause 10.3 shall (a) not be construed to require Customer to bear the costs of such defence and settlement and (b) be without prejudice to its contractual, legal, equitable or other rights to seek recovery of such costs.
Where Prommt interacts directly with a Regulator in accordance with clause 10.2, Prommt shall do so in an open and co-operative way at its own expense and in consultation with Customer. With respect to such interaction with a Regulator, Prommt shall (and shall cause its Personnel and Subcontractors to):
Prommt shall provide Customer with such assistance and information as Customer may reasonably request in order for Customer to comply with any obligation to carry out a data protection impact assessment or consult with a Regulator pursuant to Articles 35 and 36 of GDPR (or where applicable, UK GDPR), respectively.
Prommt shall, at all times during and after the term of the Agreement, indemnify Customer and its Affiliates against losses, damages, costs or expenses and other liabilities (including legal fees) incurred by Customer and its Affiliates arising out of or in connection with any (a) breach of Prommt’s obligations under this DPA, (b) Prommt’s negligence or wilful misconduct or (c) any Security Incident.
This DPA and (where applicable) the Standard Contractual Clauses will terminate when Prommt ceases to Process Personal Data, unless otherwise agreed in writing between the parties. On termination of the DPA for whatever reason, or upon written request from Customer at any time, Prommt will cease Processing Personal Data, return a copy of the Personal Data to Customer and then securely delete or destroy, as applicable, all Personal Data in Prommt’s possession (except as prohibited by law or other explicit data retention and/or return provisions in the Agreement) within 90 days.
In this DPA, unless the context otherwise requires, references to a statutory provision include references to that statutory provision as from time to time amended, extended or re-enacted and any regulations made under it. In the event that the amendment, extension or re-enactment of any statutory provision or introduction of any new statutory provision, or the publication of a relevant court judgment or guidance, code of practice or similar document by a Regulator, has a material impact on the obligations of either party, the parties will negotiate in good faith to agree such amendments to this DPA as may be appropriate in the circumstances. If, within a reasonable period of time, the parties cannot reach agreement on the nature of the changes required, Customer may terminate this DPA and the Agreement without incurring any liability to Prommt, upon at least thirty (30) days written notice.
Neither party excludes or limits liability to the other party for:
Subject to clause 11.3.1, the Data Processor shall not in any circumstances be liable whether in contract, tort (including for negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, for:
Clause 11.3.2 shall not prevent claims, which fall within the scope of clause 11.3.4, for:
Subject to clause 11.3.1, the Data Processor’s total aggregate liability in contract, tort (including negligence and breach of statutory duty howsoever arising), misrepresentation (whether innocent or negligent), restitution or otherwise, arising in connection with the performance or contemplated performance of this agreement or any collateral contract shall in all circumstances be limited to €1,000,000.
Exclusion of third-party rights
Customer’s Affiliates shall have third-party rights in accordance with clause 3.2 and Data Subjects are granted third-party rights under the Standard Contractual Clauses. All other third-party rights are excluded.
To the extent required by applicable Data Protection Laws (e.g., in relation to the governing law of the Standard Contractual Clauses), this DPA shall be governed by the law of the applicable jurisdiction. In all other cases, this DPA shall be governed by the laws of the jurisdiction specified in the Agreement.
Customer/Client | Prommt |
---|---|
___________________________________ Authorised Signature | ___________________________________ Authorised Signature |
___________________________________ Name | ___________________________________ Name |
___________________________________ Title | ___________________________________ Title |
___________________________________ Date | ___________________________________ Date |
ATTACHMENT 1
Data Processing Details Addendum
Data subjects
The Personal Data Processed concern the following categories of data subjects (please specify):
Customers of the Client
Categories of data
The Personal Data Processed concern the following categories of data (please specify):
First Name, Last Name, email address, phone number
Special categories of data (if appropriate)
The Personal Data Processed concern the following special categories of data (please specify):
N/A
USE OF SUB PROCESSORS
Subprocessor | Purpose | Location | Transfer Mechanism |
---|---|---|---|
Púca Technology | Provide SMS Services | EU | N/A |
Mailchimp | Provide eMail Services | USA | Standard Contractual Clauses |
Amazon | Storage and related services | EU | N/A |
Amplitude | To better understand how customers use our product | USA | Standard Contractual Clauses |
Intercom | To provide support to our customers | USA | Standard Contractual Clauses |
Token.io | To provide Pay by Bank payment and account initiation service | UK/EU | N/A |