Data Processing Agreement

StarRez

Data Processing Addendum

This Data Processing Addendum including its Schedules (also known as“Addendum” or “DPA”) forms part of the Master Subscription Agreement or other written agreement (collectively known as “Agreement”) between StarRez andCustomer to reflect the Parties’ agreement with regard to the processing of personal data.

1. Definitions and Interpretation

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • Controller”,“processor”, “data subject”, “personal data”, “processing”and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.
  • EU personal data means the processing of personal data to which data protection legislation of the European Union or of a Member State of theEuropean Union or European Economic Area is applicable.
  • EU GDPR or GDPR means Regulation (EU) 2016/679 of the EuropeanParliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data ProtectionRegulation) including as implemented or adopted under the laws of the UnitedKingdom (“UK GDPR”).
  • FADP means the Swiss Federal Act on Data Protection enacted on 1 September 2023.
  • Data Protection Laws means all laws and regulations applicable to the processing of personal data under the Agreement including those of the EuropeanUnion, the European Economic Area and their member states, Switzerland, theUnited Kingdom and the United States and its states.  
  • Security Breach means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that StarRez processes in the course of providing the Services.
  • Services means the work performed by StarRez and set out in accordance with the Agreement, Work Order or other equivalent documentation.
  • Standard Contractual Clauses means;
    • where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“EU SCCs”); and
    • where the UK GDPR applies, for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 (“UKInternational Data Transfer Addendum” or “UK Addendum”).
  • StarRez shall mean either StarRez, Inc., StarRez Ltd, or StarRez Global Pty Ltd depending upon the contracting entity with the Customer.
  • Sub-contractor means any sub-processor engaged by StarRez.
  • Swiss personal data means personal data to which the FADP was applicable prior to its processing by StarRez.
  • UK GDPR means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).
  • UK personal data means the processing of personal data to which data protection laws of the United Kingdom were applicable prior to its processing by StarRez.

1. Data Protection

1.1. The Parties agree the provisions of this Addendum shall apply to the personal data StarRez processes in the course of providing the Services. The Parties agree that the Customer is the controller and StarRez is the processor in relation to the personal data that StarRez processes in the course of providing the Services.

1.2. The Customer shall have sole responsibility for the legality of the personal data and the means by which customer acquired any personal data for the performance of the Services and Customer warrants and undertakes that any personal data collected, processed and transferred in accordance with the laws applicable to Customer including obtaining all required consents from the applicable data subjects for the processing carried out by StarRez under this Addendum.

1.3. The subject-matter of the data processing is the performance of the Services. The obligations and rights of the Customer are as set out in this Addendum. Schedule 1 of this Addendum sets out the nature, duration and purpose of the processing, the types of personal data StarRez processes and the categories of data subjects whose personal data is processed.

1.4. When StarRez processes personal data in the course of providing the Services it shall:

       1.4.1 process the personal data only in accordance with documented instructions from the Customer. If StarRez is required to process the personal data for any other purpose by applicable laws to whichStarRez is subject to, StarRez will inform the Customer of this requirement first unless such law(s) prohibit this on important grounds of public interest; and

       1.4.2 notify the Customer immediately if in StarRez's opinion an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Laws and it being acknowledged that StarRez shall not be obliged to undertake additional work to determine if the Customer's instructions are compliant.

1.5. StarRez shall maintain the confidentiality of the personal data and shall not disclose the personal data to third parties unless the Customer or this Addendum authorises the disclosure, or as required by domestic law, court or data protection regulator.If a domestic law, court or data protection regulator requires StarRez to process or disclose the personal data to a third party StarRez shall first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the domestic law prohibits the giving of such notice.

1.6 The Customer acknowledges that as part of the provision of Services StarRez may collect, share and otherwise use fully anonymized, de-identified and de-identifiable data including statistical data, analytics, trends and other aggregated data derived from personal data processed for StarRez’s legitimate purposes such as to provide, maintain, operate and improve the Services on an ongoing basis. The Customer agrees and acknowledges that such processing activities including the anonymization and deidentification of personal data will not be considered as performed outside the scope of the instructions provided by the Customer. StarRez agrees not to use anonymized or deidentified data in a form that identifies the Customer or any data subject in any manner whatsoever.

1.7 StarRez shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data.

1.8 StarRez shall reasonably assist the Customer with meeting the Customer's compliance obligations under Data Protection Laws taking into account the nature of StarRez’s processing and the information available to StarRez including in relation to data subject rights (see Clause 6), data protection impact assessments and reporting to and consulting with relevant data protection regulator(s) under Data Protection Laws. To the extent legally permitted the Customer shall be responsible for any costs arising from StarRez’s provision of the assistance relating to Clause 1.8.

1.9 StarRez shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. (Refer to Schedule 3).

2.0 In the event of an actual Security Breach,StarRez will notify the Customer without undue delay, and in no event no more than seventy-two (72) hours. StarRez shall provide the Customer with the following information to the extent it has been able to determine:  

       2.0.1 description of the nature of the Security Breach including the categories of in-scope personal data and approximate number of both data subjects and the personal data records concerned.

       2.0.2 the likely consequences.

       2.0.3 description of the measures taken or proposed to be taken to address including measures to mitigate its possible adverse effects.

2.1 Following a Security Breach the Parties shall coordinate with each other to investigate the matter. StarRez shall reasonably cooperate with the Customer in the Customer's handling of the matter including:

       2.1.1 assisting with the Security Breach investigation; and

    2.1.2 making available relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by the Customer.  

2.2 StarRez shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the personal data and/or Security Breach without first obtaining the Customer's written consent where the Security Breach relates to the Customer except when required to do so by domestic law.

3. Cross-border transfers of personal data

3.1 StarRez shall transfer personal data between jurisdictions in accordance with the requirements of applicable Data Protection Laws and StarRez shall put in place sufficient safeguards as prescribed by such laws where applicable to enable the lawful transfer of personal data.

3.2 EU/UK/Swiss personal data. StarRez may transfer personal data that is regulated by the GDPR/UK GDPR to territories outside the EEA/UK/Switzerland in the following circumstances:

       3.2.1 Adequacy Decisions: Personal data may be transferred from EU Member States, the EEA member countries, the United Kingdom (“UK”) or Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decision”).

       3.2.2 Standard Contractual Clauses: if the processing of personal data by StarRez includes a transfer either directly or via onward transfer from the EEA (“EEATransfer”), the UK (“UK Transfer”) or Switzerland to other countries which have not been subject to a relevant Adequacy Decision and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data as defined in the GDPR, the UK GDPR, the FADP as relevant outside the EEA the UK or Switzerland as applicable then the Standard Contractual Clauses incorporated by reference to this Addendum in Schedule 4(EU SCCs), 5 (UK Addendum) and 6 (Swiss Cross Border Transfers) shall apply in respect of the processing of such personal data.

       3.2.3 Pursuant to Clause 3.2.3 in relation to the Standard Contractual Clauses StarRez will comply with the obligations of the ‘data importer’ in the Standard ContractualClauses and the Customer will comply with the obligations of the ‘data exporter’.

3.3 Appendices of the EU SCCs shall be deemed completed as set forth inSchedule 4 of this Addendum in relation to transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to transfer of personal data outside the United Kingdom, shall be deemed completed as set forth in Schedule 5. The terms set forth in Schedule 6 (Swiss Cross Border Transfers) shall apply to any applicable such Swiss transfers.

3.4 To the extent the Standard Contractual Clauses conflict with any provision of this Addendum the Standard Contractual Clauses will prevail to the extent of such conflict.  

4. Sub-contractors(s)

4.1 StarRez has the Customer’s general authorisation for the engagement of sub-contractor(s) from an agreed list (Refer to Schedule 2). StarRez shall inform the Customer in writing of any intended changes to that list through the addition or replacement of sub-contractors at least 20 working days in advance thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-contractor(s).

4.2 If the Customer objects to the appointment of a new sub-contractor within such period StarRez shall use reasonable efforts to make available to the Customer a change in the Services or recommend a change to the Customer’s configuration or use of the Services in each case to avoid the processing of the Customer's personal data by the objected-to sub-contractor for the Customer’s consideration and approval. If StarRez is unable to make available such change within a reasonable period of time which shall not exceed one month or the Customer does not approve any such changes proposed by StarRez the Customer may terminate that certain portion of the Service which cannot be provided by StarRez without the use of the objected-to sub-contractor.

4.3 Where StarRez engages a sub-contractor to carry out specific processing activities it shall do so by way of a written contract that provides for in substance the equivalent data protection obligations as those binding StarRez under these clauses including in terms of third-party beneficiary rights for data subjects.  

4.4 StarRez shall remain fully responsible to the Customer for the performance of the sub-contractor’s obligations under its contract with theCustomer. StarRez shall notify the Customer of any failure by the sub-contractor to fulfill its obligations under that contract.

4.5 StarRez where applicable and pursuant to Data Protection Laws shall agree a third-party beneficiary clause with the sub-contractor whereby in the event StarRez as processor has factually disappeared, ceased to exist in law or has become insolvent the Customer shall have the right to terminate the sub-contractor contract and to instruct the sub-contract to erase or return personal data.

5. Audit rights

5.1 StarRez shall provide all reasonable assistance in order to facilitate the Customer in exercising its audit rights and allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement provided that no such audit or inspection has been conducted in the preceding 12 months. By default, any audits or inspections shall be carried out remotely by the Customer and not onsite.  

5.2 The Customer will provide StarRez with 30business days’ notice prior to such an audit or inspection which will be conducted at a time mutually agreed between the Parties and in any event will be conducted during normal business hours and will not materially disrupt StarRez’s business where nominated staff of StarRez is required.

5.3 If the Customer's request for information or access relates to a sub-contractor or information held by a sub-contractor which StarRez cannot provide to the Customer itself StarRez will submit a request for additional information in writing to the relevant sub-contractor(s).

5.3.1 Pursuant to Clause 5.3 above the Customer acknowledges that access to the sub-contractor's premises or to information about the sub-contractor's previous independent audit reports is subject to agreement from the relevant sub-contractor, and that StarRez cannot guarantee access to that sub-contractor's premises or audit information at any particular time or at all. The Customer shall bear all costs in connection with any such audits or inspections and reimburse StarRez for all costs incurred by StarRez and time spent by StarRez in connection with any such inspection or audit.

6. Rights of Data Subjects

6.1 StarRez acting as processor shall notify the Customer if StarRez receives a request from a data subject to exercise the data subject’s rights under Data Protection Laws and shall not respond to such request without the Customer’s prior written consent except to confirm that such request relates to the Customer.

7. Data return and destruction

7.1 At the Customer's request StarRez  will make available for download an electronic copy of the Customer Data and any Confidential Information of the Customer in a database backup in a BACPAC FILE, which is a zip file with an extension of BACPAC containing the metadata and data from the database and a temporary link to the cloud storage which contains Customer’s attachment files, provided such request is made by the Customer within 30 days of termination. StarRez may charge a reasonable fee in line with industry standard for any required work.

7.2 Unless agreed to otherwise, StarRez shall keep a backup of Customer’s data for up to ninety (90) days after termination of the Agreement for any reason or expiry of its term. After this period, StarRez shall securely delete or destroy or if directed in writing by the Customer return and not retain all or any of the personal data related to this Addendum in its possession or control unless any law, regulation or government or regulatory body requires StarRez to retain any documents or materials or personal data that StarRez would otherwise be required to return or destroy.  

8. Liability

8.1 This Addendum is subject to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect including any limitations and exclusions on liability contained therein which shall apply to this Addendum as if fully set forth here. In the event of any conflict between the terms of this Addendum and the terms of the Agreement the terms of the Agreement shall prevail.

9.Term and Termination

9.1 This Addendum is effective as of the effective date of the Agreement and shall remain in full force until the Agreement has expired or is terminated for any reason. This Addendum will terminate simultaneously and automatically with the termination of the Agreement.

9.2 Notwithstanding anything to the contrary herein express or implied any StarRez confidentiality obligations under the Agreement and this Addendum and Clause 7 above will survive the expiration or termination for any reason of the Agreement and of this Addendum.

By entering into and executing the Agreement the parties are deemed to have signed this Addendum.

Schedule 1: Data processing information

Subject Matter of the processing

The personal data shall be processed in order to allow StarRez to provide the Services.

Nature and purpose of processing operations

StarRez process personal data to provide the Services and host the personal data of the Customer’s end users so that Customers can provide services to their customers. This includes processing to:

  • respond to inquiries and provide customer support
  • improve StarRez’s existing products or develop new ones
  • conduct audits and comply with regulation and industry standards

Categories of data subject

  • Customer’s employees & contractors
  • Customer’s end users

Categories of data

The personal data transferred concern the following categories of data:

  • Names
  • Addresses
  • Dates of birth
  • Telephone numbers
  • Emails
  • Job titles
  • Card numbers
  • Transaction history
  • Device IDs
  • IP addresses
  • Customer’s Customized Fields

Special categories of data (if appropriate)

The personal data transferred by Customer may concern the following special categories of data:

Personal data revealing racial or ethnic origin; personal data revealing political opinions; personal data revealing religious or philosophical beliefs; personal data revealing trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; or data concerning a person’s sex life or sexual orientation.

Duration of Processing

The personal data shall be processed for the term of the Agreement or for such longer or shorter period as StarRez provides data processing services.

Schedule 2: Sub-contractors list

Name of subcontractor Description Location

Adobe

Global software company (creative suite: Photoshop, Illustrator).

Adobe's data centers (Global)

Atlassian

Collaboration tools provider (e.g. Jira, Confluence).

Atlassian's data centers (Global)

AWS

Comprehensive cloud computing platform.

AWS Data Centers (Global, user-selectable regions)

Clarizen

Project management and work collaboration platform.

Clarizen's data centers (United States)

EvaluAgent

QA Platform

Hosted within AWS

MaestroQA

Quality assurance and coaching platform for customer support.

Hosted within AWS

Microsoft

Multinational tech company (e.g. Windows, Office, Azure).

Microsoft's data centers (Global)

NetSuite

Cloud-based business management applications (ERP, CRM).

NetSuite's data centers (Global)

Pendo

Platform for understanding user behavior and improving UX.

Pendo's infrastructure or cloud services (Europe)

Salesforce

Cloud-based CRM platform.

Salesforce's data centers (Global)

Shibboleth (InCommon)

Open-source identity federation system.

Shibboleth's infrastructure or cloud services.

StarRez Global Pty*

StarRez products and services

Melbourne, Australia

StarRez Inc*

StarRez products and services

Denver, Colorado, United States

StarRez Ltd*

StarRez products and services

United Kingdom

Zendesk

Customer service and engagement platform.

Zendesk's infrastructure or cloud services

Zoom

Video conferencing platform for online meetings.

Zoom's data centers (Global)
* Subcontractor status does not apply to the contracting entity

Schedule 3: Technical and Organisational Measures

Annex II for the purposes of the EU SCCs & Appendix 2 for the purposes of the UK SCCs

  1. Measures of encryption of personal data
  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
  3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
  4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
  5. Measures for user identification and authorisation
  6. Measures for the protection of data during transmission
  7. Measures for the protection of data during storage
  8. Measures for ensuring physical security of locations at which personal data are processed
  9. Measures for ensuring events logging
  10. Measures for ensuring system configuration, including default configuration
  11. Measures for internal IT and IT security governance and management
  12. Measures for certification/assurance of processes and products
  13. Measures for ensuring data minimisation
  14. Measures for ensuring data quality
  15. Measures for ensuring limited data retention
  16. Measures for ensuring accountability
  17. Measures for allowing data portability and ensuring erasure

For transfers to (sub-) processors, the following specific technical and organisational measures to be taken by the (sub-) processor shall be, as appropriate, the same.

Schedule 4: EU SCCsT

For the EU SCCs:  

The contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will be deemed entered into (and incorporated into the Agreement by reference between the Data Exporter (Customer) and that Data Importer (StarRez) as follows:

  • Module Two (Controller to Processor) will apply where Customer is a controller and StarRez is a processor.
  • in Clause 7, the optional docking Clause will not apply.
  • in Clause 9, Option 2 will apply and the time period for prior notice of sub-contractor as set out in Clause 4 of the Data Processing Addendum.
  • in Clause 11, the optional language will not apply.
  • in Clause 17, Option 1 will apply and the EU SCCs will be governed by the law of Ireland.
  • in Clause 18(b), disputes shall be resolved before the courts of Ireland.
  • In Annex I:
  • Section A of Annex 1 shall be completed in the table below.  
  • For Section B of Annex 1, the description of transfer shall be as detailed in the Data Processing Addendum in Schedule 1.
  • For Section C of Annex 1, the competent supervisory authority/ies shall be determined in accordance with the Data Protection Commission (Ireland)
  • For Annex II: The Technical and Organisational measures are as detailed in Schedule 3 of the Data Processing Addendum.
  • For Annex III, the sub-contractors are as detailed in Schedule 2 of the Data Processing Addendum.  

By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes as of the date the Parties entered into the Agreement.

Name
Address
Contact person name and contact details Activities relevant to the data transferred under these Clauses Role
(controller/processor)
Data Exporter:
Customer in this Addendum who is a party to the Agreement
The address of the Customer as detailed in the Agreement Customer’s email address or details as stated in the Agreement As detailed in the Agreement and the Addendum Controller
Data Importer: StarRez - - As detailed in the Agreement Processor

Schedule 5: UK International Data Transfer Addendum

For the UK GDPR:  

The "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) will be deemed entered into and incorporated into the Agreement by reference as follows:

  1. Part 1: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above in Schedule 4 of the Data Processing Addendum as applicable with the Security Measures, in Schedule 3, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "both party".
  2. Part 2: Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2. The EU SCCs completed as set out above for EU Personal Data shall apply to transfers of such data and shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such personal data. This Part 2 shall be interpreted in a manner that is consistent with UK data protection laws and so that it fulfills the Parties’ obligation to provide appropriate safeguards.

By entering into and executing the Agreement the parties are deemed to have signed this UK Addendum.

Schedule 6: Swiss Cross Border Transfers

The Parties agree that the Standard Contractual Clauses as detailed in Schedule 4 shall be adjusted as set out below where the FADP applies to Swiss transfers:

  1. References to the Standard Contractual Clauses mean the Standard Contractual Clauses as amended by this Schedule 6.
  2. The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss transfers exclusively subject to the FADP.
  3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to Swiss transfers.
  4. References to Regulation (EU) 2018/1725 are removed.
  5. Swiss transfers subject to both the FADP and the GDPR shall be dealt with by the EU Supervisory Authority named in Schedule 4.
  6. References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
  7. Where Swiss transfers are exclusively subject to the FADP, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP.
  8. Where Swiss transfers are subject to both the FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP insofar as the Swiss transfers are subject to the FADP.

By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes and taking into the adjustments above as of the date the Parties entered into the Agreement.

Schedule 7: United States Privacy Laws

Notwithstanding the foregoing, the parties agree that relevant UnitedStates privacy laws shall apply to data subjects from the United States. If applicable, the following shall apply.

USA Federal Privacy Laws

FERPA. By entering into this agreement, StarRez agrees to comply with the Family Educational Rights and Privacy Act (“FERPA”) regulations and acknowledges its designation as a “school official” with legitimate educational interests as defined under FERPA.

HIPPA. If this Contract involves services, activities or products subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), StarRez agrees that it will appropriately safeguard Protected Health Information (defined in 45 CFR160.103), and agrees that it is subject to, and shall comply with, the provisions of 45 CFR 164 Subpart E regarding use and disclosure of Protected Health Information.

USA State Privacy Laws

California

CCPA. To the extent that StarRez’s processing of personal information (as such term is defined in the CCPA) on behalf of Customer falls within the scope of the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), the parties agree that (i)Customer is considered a “Business” under the CCPA and (ii) StarRez is acting as a “Service Provider,” as such terms are defined pursuant to the CCPA.Accordingly, Customer as the “Business” bears the primary responsibility for ensuring that any processing of personal information is compliant with the CCPA. StarRez will use, process and transfer any personal information provided by Customer solely for the purpose of performing StarRez’s obligations under this Agreement, and for no commercial purpose other than the performance of such obligations and improvement of the Service. For the avoidance of any doubt,StarRez will not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate personal information of Authorized Users to a third party for monetary or other valuable consideration. StarRez may share aggregated and/or anonymized information regarding Customer’s use of the Services with third parties to help StarRez develop and improve the Services in accordance with Section 4.4. of the MSA.