GDPR DATA PROCESSING AGREEMENT

This Data Processing Agreement (DPA) is an addendum to our Terms of Service (Agreement) and is part of the requirements of the European Union General Data Protection Regulation (GDPR).

1 - Scope of DPA

This DPA applies when Everleap processes Personal Data on behalf of the Customer to provide Everleap Services and when the Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with this DPA in connection with such Personal Data.

1.1 - Definitions

  • Controller: Entity that manages the means of processing Personal Data.
  • Customer Data: Customer Data that Everleap processes on behalf of Customer in the course of providing Services.
  • GDPR: European Union General Data Protection Regulation. (GDPR PDF)
  • Personal Data: Customer Data that maps to an identifiable natural person.
  • Privacy Shield: EU-US and Swiss-US Privacy Shield framework. See: privacyshield.gov
  • Processor: Entity that processes Personal Data on behalf of Controller.
  • Security Incident: Any security breach that results in loss, alteration, access, disclosure, destruction or theft of Personal Data.
  • Sub-Processor: Any Processor that Everleap uses to help provide Services.
    1.2 - Role of Parties

    The Customer is the Controller of Personal Data and Everleap is the Processor that processes Personal Data on behalf of Customer. The Personal Data processed by Everleap is provided by the Controller. The DPA does not cover data that Everleap may have collected and processed independently of Customer's use of the Services.

    1.3 - Obligations of Customer

    As the Controller, the Customer agrees to comply with Data Protection Laws in regard to its processing of Personal Data and processing instructions given to Everleap; and will obtain all consents and rights necessary under Data Protection Laws for Everleap to process Personal Data and provide the Services.

    1.4 - Processing of Personal Data

    As a Processor, Everleap will only process Personal Data to perform the Services in accordance with the Agreement and will comply with reasonable and lawful instructions provided by Customer that are consistent with the terms of the Agreement.

    Everleap processes Customer Data provided by Customer. The Customer Data may contain special categories of data depending on how the Services are used. The Customer Data may be subject to the following: (i) storage and other processing necessary to provide, maintain and improve the Services; (ii) customer care and technical support; and (iii) disclosures as required by law or otherwise set forth in the Agreement.

    1.5 - Everleap as Controller

    Customer acknowledges that Everleap has the right to use and disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes, such as billing, technical support, product development and marketing. For data considered personal data under Data Protection Laws, Everleap is the Controller and will process the data in compliance with Data Protection Laws.

    2 - Sub-Processing

    2.1 - Sub-Processors

    Customer agrees that Everleap may engage Sub-Processors to process Personal Data on behalf of the Customer. You may request a list of Sub-Processors currently engaged by Everleap.

    2.2 - Sub-Processor Obligations

    When Everleap engages a Sub-Processor, Everleap will: (i) enter an agreement with the Sub-Processor that imposes data protection terms requiring the Sub-Processor to protect Personal Data to standards required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor that cause Everleap to breach any of its obligations under this DPA.

    2.3 - Sub-Processor Changes

    Everleap will provide Customer reasonable advance notice via email if it adds or removes a Sub-Processor.

    2.4 - Objection to Sub-Processor

    Customer may object in writing to Everleap’s engagement with a new Sub-Processor on reasonable grounds relating to data protection. Customer must notify Everleap in writing within five calendar days of receipt of Everleap’s notice in accordance with Section 2.3. In the event of an objection, the parties will discuss their concerns in good faith and strive for a reasonable resolution. If this is not possible, either party may terminate the applicable Services.

    3 - Security

    3.1 - Security Measures

    Everleap will implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data.

    3.2 - Processing Confidentiality

    Everleap will ensure that any person who is authorized by Everleap to process Personal Data, including staff and subcontractors, will be under an appropriate obligation of confidentiality.

    3.3 - Response to Security Incident

    In the event of a Security Incident, Everleap will notify Customer without undue delay about the incident and provide timely information relating to the Security Incident as it becomes known.

    3.4 - Security Measure Updates

    Customer acknowledges that Security Measures can change and evolve and that Everleap may update or modify the Security Measures from time to time.

    4 - International Transfers

    4.1 - Locations of Processing Operations

    Everleap stores and processes Personal Data from EU citizens in data centers located outside the European Union. Everleap's Sub-Processors may be located in the United States or anywhere in the world. Everleap will implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

    4.2 - Transfer Mechanisms

    To the extent Everleap processes or transfers Personal Data under this DPA from the European Union, the European Economic Area and/or their member states and Switzerland in or to other countries, the parties agree that Everleap will be deemed to provide appropriate safeguards for such data by virtue of having certified its compliance with the Privacy Shield Framework and Everleap will process such data in compliance with the Privacy Shield Principles.

    5 - Return and Data Deletion

    Customer has access to their uploaded data/content and databases and can download the data/content at any time. Should the Customer have any difficulties in downloading their data/content from Everleap servers, Everleap technical support can assist. Upon deactivation of the Services, all Personal Data shall be deleted, except for that which is required by applicable law to retain, or Personal Data Everleap has archived on back-up systems, which are securely isolated and protected from any further processing. Back-ups are regularly rotated; therefore, the Personal Data from a deactivated account will be removed from the back-up on the next rotation.

    6 - Cooperation

    In response to requests from individuals or data protection authorities, if the Customer is unable to independently access Personal Data within the Services, Everleap will (at Customer's expense) provide reasonable cooperation to assist Customer to gain access or obtain the data if possible. If such a request is made directly to Everleap, Everleap will not respond to such communication directly without Customer's prior authorization, unless legally compelled to do so. If Everleap is required to respond to such a request, Everleap will notify the Customer and provide them with a copy of the request unless legally prohibited from doing so.

    To the extent Everleap is required under Data Protection Law, Everleap will (at Customer's expense) provide reasonably requested information regarding Everleap's processing of Personal Data under the Agreement and this DPA to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

    7 - General

    7.1 - Entire Agreement and Conflict

    Except as amended by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between the Agreement and this DPA, then this DPA will prevail.

    7.2 - Jurisdiction

    This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.

    Updated: May 23, 2018