StarRez
Data Processing Addendum
This Data Processing Addendum including its Schedules (also known as “Addendum” or “DPA”) forms part of the Master Subscription Agreement or other written agreement (collectively known as “Agreement”) between StarRez and Customer to reflect the Parties’ agreement with regard to the processing of personal data.
1. Definitions and Interpretation
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
1. Data Protection
1.1. The Parties agree the provisions of this Addendum shall apply to the personal data StarRez processes in the course of providing the Services. The Parties agree that the Customer is the controller and StarRez is the processor in relation to the personal data that StarRez processes in the course of providing the Services.
1.2. The Customer shall have sole responsibility for the legality of the personal data and the means by which Customer acquired any personal data for the performance of the Services and Customer warrants and undertakes that any personal data is collected, processed and transferred in accordance with the laws applicable to Customer including obtaining all required consents from the applicable data subjects for the processing carried out by StarRez under this Addendum.
1.3. The subject-matter of the data processing is the performance of the Services. The obligations and rights of the Customer are as set out in this Addendum. Schedule 1 of this Addendum sets out the nature, duration and purpose of the processing, the types of personal data StarRez processes and the categories of data subjects whose personal data is processed.
1.4. When StarRez processes personal data in the course of providing the Services it shall:
1.4.1 process the personal data only in accordance with documented instructions from the Customer. If StarRez is required to process the personal data for any other purpose by applicable laws to which StarRez is subject to, StarRez will inform the Customer of this requirement first unless such law(s) prohibit this on important grounds of public interest; and
1.4.2 notify the Customer immediately if in StarRez's opinion an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Laws and it being acknowledged that StarRez shall not be obliged to undertake additional work to determine if the Customer's instructions are compliant.
1.5. StarRez shall maintain the confidentiality of the personal data and shall not disclose the personal data to third parties unless the Customer or this Addendum authorises the disclosure, or as required by domestic law, court or data protection regulator. If a domestic law, court or data protection regulator requires StarRez to process or disclose the personal data to a third party StarRez shall first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the domestic law prohibits the giving of such notice.
1.6 The Customer acknowledges that as part of the provision of Services StarRez may collect, share and otherwise use fully anonymized, de-identified and de-identifiable data including statistical data, analytics, trends and other aggregated data derived from personal data processed for StarRez’s legitimate purposes such as to provide, maintain, operate and improve the Services on an ongoing basis. The Customer agrees and acknowledges that such processing activities including the anonymization and deidentification of personal data will not be considered as performed outside the scope of the instructions provided by the Customer. StarRez agrees not to use anonymized or deidentified data in a form that identifies the Customer or any data subject in any manner whatsoever.
1.7 StarRez shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data.
1.8 StarRez shall reasonably assist the Customer with meeting the Customer's compliance obligations under Data Protection Laws taking into account the nature of StarRez’s processing and the information available to StarRez including in relation to data subject rights (see Clause 6), data protection impact assessments and reporting to and consulting with relevant data protection regulator(s) under Data Protection Laws. To the extent legally permitted the Customer shall be responsible for any costs arising from StarRez’s provision of the assistance relating to Clause 1.8.
1.9 StarRez shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. (Refer to Schedule 3).
2.0 In the event of an actual Security Breach, StarRez will notify the Customer without undue delay, and in no event no more than seventy-two (72) hours. StarRez shall provide the Customer with the following information to the extent it has been able to determine:
2.0.1 description of the nature of the Security Breach including the categories of in-scope personal data and approximate number of both data subjects and the personal data records concerned.
2.0.2 the likely consequences.
2.0.3 description of the measures taken or proposed to be taken to address including measures to mitigate its possible adverse effects.
2.1 Following a Security Breach the Parties shall coordinate with each other to investigate the matter. StarRez shall reasonably cooperate with the Customer in the Customer's handling of the matter including:
2.1.1 assisting with the Security Breach investigation; and
2.1.2 making available relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by the Customer.
2.2 StarRez shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the personal data and/or Security Breach without first obtaining the Customer's written consent where the Security Breach relates to the Customer except when required to do so by domestic law.
3. Cross-border transfers of personal data
3.1 StarRez shall transfer personal data between jurisdictions in accordance with the requirements of applicable Data Protection Laws and StarRez shall put in place sufficient safeguards as prescribed by such laws where applicable to enable the lawful transfer of personal data.
3.2 EU/UK/Swiss personal data. StarRez may transfer personal data that is regulated by the GDPR/UK GDPR to territories outside the EEA/UK/Switzerland in the following circumstances:
3.2.1 Adequacy Decisions: Personal data may be transferred from EU Member States, the EEA member countries, the United Kingdom (“UK”) or Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decision”).
3.2.2 Standard Contractual Clauses: if the processing of personal data by StarRez includes a transfer either directly or via onward transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”) or Switzerland to other countries which have not been subject to a relevant Adequacy Decision and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data as defined in the GDPR, the UK GDPR, the FADP as relevant outside the EEA the UK or Switzerland as applicable then the Standard Contractual Clauses incorporated by reference to this Addendum in Schedule 4 (EU SCCs), 5 (UK Addendum) and 6 (Swiss Cross Border Transfers) shall apply in respect of the processing of such personal data.
3.2.3 Pursuant to Clause 3.2.3 in relation to the Standard Contractual Clauses StarRez will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of the ‘data exporter’.
3.3 Appendices of the EU SCCs shall be deemed completed as set forth in Schedule 4 of this Addendum in relation to transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to transfer of personal data outside the United Kingdom, shall be deemed completed as set forth in Schedule 5. The terms set forth in Schedule 6 (Swiss Cross Border Transfers) shall apply to any applicable such Swiss transfers.
3.4 To the extent the Standard Contractual Clauses conflict with any provision of this Addendum the Standard Contractual Clauses will prevail to the extent of such conflict.
4. Sub-contractor(s)
4.1 StarRez has the Customer’s general authorisation for the engagement of sub-contractor(s) from an agreed list (Refer to Schedule 2). StarRez shall inform the Customer in writing of any intended changes to that list through the addition or replacement of sub-contractors at least 20 working days in advance thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-contractor(s).
4.2 If the Customer objects to the appointment of a new sub-contractor within such period StarRez shall use reasonable efforts to make available to the Customer a change in the Services or recommend a change to the Customer’s configuration or use of the Services in each case to avoid the processing of the Customer's personal data by the objected-to sub-contractor for the Customer’s consideration and approval. If StarRez is unable to make available such change within a reasonable period of time which shall not exceed one month or the Customer does not approve any such changes proposed by StarRez the Customer may terminate that certain portion of the Service which cannot be provided by StarRez without the use of the objected-to sub-contractor.
4.3 Where StarRez engages a sub-contractor to carry out specific processing activities it shall do so by way of a written contract that provides for in substance the equivalent data protection obligations as those binding StarRez under these clauses including in terms of third-party beneficiary rights for data subjects.
4.4 StarRez shall remain fully responsible to the Customer for the performance of the sub-contractor’s obligations under its contract with the Customer. StarRez shall notify the Customer of any failure by the sub-contractor to fulfill its obligations under that contract.
4.5 StarRez where applicable and pursuant to Data Protection Laws shall agree a third-party beneficiary clause with the sub-contractor whereby in the event StarRez as processor has factually disappeared, ceased to exist in law or has become insolvent the Customer shall have the right to terminate the sub-contractor contract and to instruct the sub-contractor to erase or return personal data.
5. Audit rights
5.1 StarRez shall provide all reasonable assistance in order to facilitate the Customer in exercising its audit rights and allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement provided that no such audit or inspection has been conducted in the preceding 12 months. By default, any audits or inspections shall be carried out remotely by the Customer and not onsite.
5.2 The Customer will provide StarRez with 30 business days’ notice prior to such an audit or inspection which will be conducted at a time mutually agreed between the Parties and in any event will be conducted during normal business hours and will not materially disrupt StarRez’s business where nominated staff of StarRez is required.
5.3 If the Customer's request for information or access relates to a sub-contractor or information held by a sub-contractor which StarRez cannot provide to the Customer itself StarRez will submit a request for additional information in writing to the relevant sub-contractor(s).
5.3.1 Pursuant to Clause 5.3 above the Customer acknowledges that access to the sub-contractor's premises or to information about the sub-contractor's previous independent audit reports is subject to agreement from the relevant sub-contractor, and that StarRez cannot guarantee access to that sub-contractor's premises or audit information at any particular time or at all. The Customer shall bear all costs in connection with any such audits or inspections and reimburse StarRez for all costs incurred by StarRez and time spent by StarRez in connection with any such inspection or audit.
6. Rights of Data Subjects
6.1 StarRez acting as processor shall notify the Customer if StarRez receives a request from a data subject to exercise the data subject’s rights under Data Protection Laws and shall not respond to such request without the Customer’s prior written consent except to confirm that such request relates to the Customer.
7. Data return and destruction
7.1 At the Customer's request StarRez will make available for download an electronic copy of the Customer Data and any Confidential Information of the Customer in a database backup in a BACPAC FILE, which is a zip file with an extension of BACPAC containing the metadata and data from the database and a temporary link to the cloud storage which contains Customer’s attachment files, provided such request is made by the Customer within 30 days of termination. StarRez may charge a reasonable fee in line with industry standard for any required work.
7.2 Unless agreed to otherwise, StarRez shall keep a backup of Customer’s data for up to ninety (90) days after termination of the Agreement for any reason or expiry of its term. After this period, StarRez shall securely delete or destroy or if directed in writing by the Customer return and not retain all or any of the personal data related to this Addendum in its possession or control unless any law, regulation or government or regulatory body requires StarRez to retain any documents or materials or personal data that StarRez would otherwise be required to return or destroy.
8. Liability
8.1 This Addendum is subject to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect including any limitations and exclusions on liability contained therein which shall apply to this Addendum as if fully set forth here. In the event of any conflict between the terms of this Addendum and the terms of the Agreement the terms of the Agreement shall prevail.
9. Term and Termination
9.1 This Addendum is effective as of the effective date of the Agreement and shall remain in full force until the Agreement has expired or is terminated for any reason. This Addendum will terminate simultaneously and automatically with the termination of the Agreement.
9.2 Notwithstanding anything to the contrary herein express or implied any StarRez confidentiality obligations under the Agreement and this Addendum and Clause 7 above will survive the expiration or termination for any reason of the Agreement and of this Addendum.
By entering into and executing the Agreement the parties are deemed to have signed this Addendum.
Schedule 1: Data processing information
Subject Matter of the processing
The personal data shall be processed in order to allow StarRez to provide the Services.
Nature and purpose of processing operations
StarRez processes personal data to provide the Services and host the personal data of the Customer’s end users so that Customers can provide services to their customers. This includes processing to:
Categories of data subject
Categories of data
The personal data transferred concern the following categories of data:
Special categories of data (if appropriate)
The personal data transferred by Customer may concern the following special categories of data:
Personal data revealing racial or ethnic origin; personal data revealing political opinions; personal data revealing religious or philosophical beliefs; personal data revealing trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; or data concerning a person’s sex life or sexual orientation.
Duration of Processing
The personal data shall be processed for the term of the Agreement or for such longer or shorter period as StarRez provides data processing services.
Schedule 2: Sub-contractors list
Schedule 3: Technical and Organisational Measures
Annex II for the purposes of the EU SCCs & Appendix 2 for the purposes of the UK SCCs
For transfers to (sub-) processors, the following specific technical and organisational measures to be taken by the (sub-) processor shall be, as appropriate, the same.
Schedule 4: EU SCCs
For the EU SCCs:
The contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will be deemed entered into (and incorporated into the Agreement by reference) between the Data Exporter (Customer) and the Data Importer (StarRez) as follows:
By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes as of the date the Parties entered into the Agreement.
Schedule 5: UK International Data Transfer Addendum
For the UK GDPR:
The "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) will be deemed entered into and incorporated into the Agreement by reference as follows:
By entering into and executing the Agreement the parties are deemed to have signed this UK Addendum.
Schedule 6: Swiss Cross Border Transfers
The Parties agree that the Standard Contractual Clauses as detailed in Schedule 4 shall be adjusted as set out below where the FADP applies to Swiss transfers:
By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes and taking into account the adjustments above as of the date the Parties entered into the Agreement.
Schedule 7: United States Privacy Laws
Notwithstanding the foregoing, the parties agree that relevant United States privacy laws shall apply to data subjects from the United States. If applicable, the following shall apply.
USA Federal Privacy Laws
FERPA. By entering into this agreement, StarRez agrees to comply with the Family Educational Rights and Privacy Act (“FERPA”) regulations and acknowledges its designation as a “school official” with legitimate educational interests as defined under FERPA.
HIPAA. If this Contract involves services, activities or products subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA), StarRez agrees that it will appropriately safeguard Protected Health Information (defined in 45 CFR 160.103), and agrees that it is subject to, and shall comply with, the provisions of 45 CFR 164 Subpart E regarding use and disclosure of Protected Health Information.
USA State Privacy Laws
California
CCPA. To the extent that StarRez’s processing of personal information (as such term is defined in the CCPA) on behalf of Customer falls within the scope of the California Consumer Privacy Act, Cal. Civ. Code §§ 1798.100 et seq. (“CCPA”), the parties agree that (i) Customer is considered a “Business” under the CCPA and (ii) StarRez is acting as a “Service Provider,” as such terms are defined pursuant to the CCPA. Accordingly, Customer as the “Business” bears the primary responsibility for ensuring that any processing of personal information is compliant with the CCPA. StarRez will use, process and transfer any personal information provided by Customer solely for the purpose of performing StarRez’s obligations under this Agreement, and for no commercial purpose other than the performance of such obligations and improvement of the Service. For the avoidance of any doubt, StarRez will not sell, rent, release, disclose, disseminate, make available, transfer, or otherwise communicate personal information of Authorized Users to a third party for monetary or other valuable consideration. StarRez may share aggregated and/or anonymized information regarding Customer’s use of the Services with third parties to help StarRez develop and improve the Services in accordance with Section 4.4 of the MSA.