GDPR DATA PROCESSING AGREEMENT
This Data Processing Agreement (DPA) is an addendum to our Terms of Service (Agreement) and is part of the requirements of the
European Union General Data Protection Regulation (GDPR).
1 - Scope of DPA
This DPA applies when Everleap processes Personal Data on behalf of the Customer to provide
Everleap Services and when the Personal Data is subject to Data Protection Laws of the European Union, the European Economic Area and/or
their member states, Switzerland and/or the United Kingdom.
The parties agree to comply with this DPA in connection with such Personal Data.
1.1 - Definitions
Controller: Entity that manages the means of processing Personal Data.
Customer Data: Customer Data that Everleap processes on behalf of Customer in the course of providing Services.
GDPR: European Union General Data Protection Regulation. (GDPR PDF)
Personal Data: Customer Data that maps to an identifiable natural person.
Privacy Shield: EU-US and Swiss-US Privacy Shield framework. See: privacyshield.gov
Processor: Entity that processes Personal Data on behalf of Controller.
Security Incident: Any security breach that results in loss, alteration, access, disclosure, destruction or theft of Personal Data.
Sub-Processor: Any Processor that Everleap uses to help provide Services.
1.2 - Role of Parties
The Customer is the Controller of Personal Data and Everleap is the Processor that processes Personal Data on behalf of Customer.
The Personal Data processed by Everleap is provided by the Controller. The DPA does not cover data that Everleap may have collected
and processed independently of Customer's use of the Services.
1.3 - Obligations of Customer
As the Controller, the Customer agrees to comply with Data Protection Laws
in regard to its processing of Personal Data and processing instructions given to Everleap; and
will obtain all consents and rights necessary under Data Protection Laws for Everleap
to process Personal Data and provide the Services.
1.4 - Processing of Personal Data
As a Processor, Everleap will only process Personal Data to perform the Services in accordance with the Agreement and
will comply with reasonable and lawful instructions provided by Customer that are consistent with the
terms of the Agreement.
Everleap processes Customer Data provided by Customer. The Customer Data may contain special categories of data depending on how the Services
are used. The Customer Data may be subject to the following: (i) storage and other processing necessary to provide,
maintain and improve the Services; (ii) customer care and technical support; and
(iii) disclosures as required by law or otherwise set forth in the Agreement.
1.5 - Everleap as Controller
Customer acknowledges that Everleap has the right to use and
disclose data relating to and/or obtained in connection with the operation, support and/or use of the Services for its legitimate business purposes,
such as billing, technical support, product development and marketing. For data considered
personal data under Data Protection Laws, Everleap is the Controller and will process the data in compliance with
Data Protection Laws.
2 - Sub-Processing
2.1 - Sub-Processors
Customer agrees that Everleap may engage Sub-Processors to process Personal Data on behalf of the Customer. You may request a list of
Sub-Processors currently engaged by Everleap.
2.2 - Sub-Processor Obligations
When Everleap engages a Sub-Processor, Everleap will: (i) enter an agreement with the Sub-Processor that imposes data protection terms requiring
the Sub-Processor to protect Personal Data to standards required by Data Protection Laws; and
(ii) remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-Processor
that cause Everleap to breach any of its obligations under this DPA.
2.3 - Sub-Processor Changes
Everleap will provide Customer reasonable advance notice via email if it adds or removes a Sub-Processor.
2.4 - Objection to Sub-Processor
Customer may object in writing to Everleap’s engagement with a new Sub-Processor on reasonable grounds
relating to data protection. Customer must notify Everleap in writing within five calendar days of receipt of Everleap’s notice in
accordance with Section 2.3.
In the event of an objection, the parties will discuss
their concerns in good faith and strive for a reasonable resolution. If this is not possible, either party may terminate the
3 - Security
3.1 - Security Measures
Everleap will implement and maintain appropriate technical and organizational security measures to protect Personal Data from Security Incidents
and to preserve the security and confidentiality of the Personal Data.
3.2 - Processing Confidentiality
Everleap will ensure that any person who is authorized by Eveleap to process Personal Data, including staff and subcontractors,
will be under an appropriate obligation of confidentiality.
3.3 - Response to Security Incident
In the event of a Security Incident, Everleap will notify Customer without undue delay about the incident and provide timely information relating
to the Security Incident as it becomes known.
3.4 - Security Measure Updates
Customer acknowledges that Security Measures can change and evolve and that Everleap may update or modify the Security Measures from time to time.
4 - International Transfers
4.1 - Locations of Processing Operations
Everleap stores and processes Personal Data from EU citizens in data centers located outside the European Union.
Everleap's Sub-Processors may be located in the United States or anywhere in the world.
Everleap will implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of
Data Protection Laws.
4.2 - Transfer Mechanisms
To the extent Everleap processes or transfers Personal Data under this DPA from the
European Union, the European Economic Area and/or their member states and Switzerland in or to other countries, the parties agree that Everleap will
be deemed to provide appropriate safeguards for such data by virtue of having certified its compliance with the Privacy Shield Framework and Everleap will
process such data in compliance with the Privacy Shield Principles.
5 - Return and Data Deletion
Customer has access to their uploaded data/content and databases and can download the data/content at any time.
Should the Customer have any difficulties in downloading their data/content from Everleap servers, Everleap technical support can assist.
Upon deactivation of the Services, all Personal Data shall be deleted, except for that which is
required by applicable law to retain, or Personal Data Everleap has archived on back-up systems,
which are securely isolated and protected from any further processing. Back-ups are regularly rotated, therefore,
the Personal Data from a deactivated account will be removed from the back-up on the next rotation.
6 - Cooperation
In response to requests from individuals or data protection authorities, if the Customer is unable to independently access Personal Data
within the Services, Everleap will (at Customer's expense) provide reasonable cooperation to assist Customer to gain access or obtain the data
If such a request is made directly to Everleap, Everleap will not respond to such
communication directly without Customer's prior authorization, unless legally compelled to do so.
If Everleap is required to respond to such
a request, Everleap will notify the Customer and provide them with a copy of the request unless legally prohibited from doing so.
To the extent Everleap is required under Data Protection Law, Everleap will (at Customer's expense) provide reasonably requested information
regarding Everleap's processing of Personal Data under the Agreement and this DPA to enable the Customer to carry out data protection impact assessments
or prior consultations with data protection authorities as required by law.
7 - General
7.1 - Entire Agreement and Conflict
Except as amended by this DPA, the Agreement remains unchanged and in full force and effect.
If there is any conflict between the Agreement and this DPA, then this DPA will prevail.
7.2 - Jurisdiction
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement,
unless required otherwise by Data Protection Laws.
Updated: May 23, 2018