StarRez
Data Processing Addendum
This Data Processing Addendum including its Schedules (also known as “Addendum”) forms part of the Master Subscription Agreement or other written agreement (collectively known as “Agreement”) between StarRez and Customer to reflect the Parties’ agreement with regard to the processing of personal data.
1. Definitions and Interpretation
In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
2. Data Protection
2.1. The Parties agree the provisions of this Addendum shall apply to the personal data StarRez processes in the course of providing the Services. The Parties agree that the Customer is the controller and StarRez is the processor in relation to the personal data that StarRez processes in the course of providing the Services.
2.2. The Customer shall have sole responsibility for the legality of the personal data and the means by which the Customer acquired any personal data for the performance of the Services and the Customer warrants and undertakes that any personal data collected, processed and transferred in accordance with the laws applicable to Customer including obtaining all required consents from the applicable data subjects for the processing carried out by StarRez under this Addendum.
2.3. The subject-matter of the data processing is the performance of the Services. The obligations and rights of the Customer are as set out in this Addendum. Schedule 1 of this Addendum sets out the nature, duration and purpose of the processing, the types of personal data StarRez processes and the categories of data subjects whose personal data is processed.
2.4. When StarRez processes personal data in the course of providing the Services it shall:
2.4.1 process the personal data only in accordance with documented instructions from the Customer. If StarRez is required to process the personal data for any other purpose by applicable laws to which StarRez is subject to, StarRez will inform the Customer of this requirement first unless such law(s) prohibit this on important grounds of public interest; and
2.4.2 notify the Customer immediately if in StarRez's opinion an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Laws and it being acknowledged that StarRez shall not be obliged to undertake additional work to determine if the Customer's instructions are compliant.
2.5. StarRez shall maintain the confidentiality of the personal data and shall not disclose the personal data to third parties unless the Customer or this Addendum authorises the disclosure, or as required by domestic law, court or data protection regulator. If a domestic law, court or data protection regulator requires StarRez to process or disclose the personal data to a third party StarRez shall first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the domestic law prohibits the giving of such notice.
2.6 The Customer acknowledges that as part of the provision of Services StarRez may collect, share and otherwise use fully anonymized, de-identified and de-identifiable data including statistical data, analytics, trends and other aggregated data derived from personal data processed for StarRez’s legitimate purposes such as to provide, maintain, operate and improve the Services on an ongoing basis. The Customer agrees and acknowledges that such processing activities including the anonymization and deidentification of personal data will not be considered as performed outside the scope of the instructions provided by the Customer. StarRez agrees not to use anonymized or deidentified data in a form that identifies the Customer or any data subject in any manner whatsoever.
2.7 StarRez shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data.
2.8 StarRez shall reasonably assist the Customer with meeting the Customer's compliance obligations under Data Protection Laws taking into account the nature of StarRez’s processing and the information available to StarRez including in relation to data subject rights (see Clause 6), data protection impact assessments and reporting to and consulting with relevant data protection regulator(s) under Data Protection Laws. To the extent legally permitted the Customer shall be responsible for any costs arising from StarRez’s provision of the assistance relating to Clause 2.8.
2.9 StarRez shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. (Refer to Schedule 3).
3. Security Incidents
3.1 In the event of an actual Security Incident, StarRez will notify the Customer without undue delay, and in no event no more than seventy-two (72) hours. StarRez shall provide the Customer with the following information to the extent it has been able to determine:
3.1.1 description of the nature of the Security Incident including the categories of in-scope personal data and approximate number of both data subjects and the personal data records concerned.
3.1.2 the likely consequences.
3.1.3 a description of the measures taken or proposed to be taken to address including measures to mitigate its possible adverse effects.
3.2 Following a Security Incident the Parties shall coordinate with each other to investigate the matter. StarRez shall reasonably cooperate with the Customer in the Customer's handling of the matter including:
3.3.1 assisting with the Security Incident investigation; and
3.3.2 making available relevant records, logs, files, data reporting and other materials required to comply with all Data Protection Laws or as otherwise reasonably required by the Customer.
3.3 StarRez shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the personal data and/or Security Incident without first obtaining the Customer's written consent where the Security Incident relates to the Customer except when required to do so by domestic law.
4. Cross-border transfers of personal data
4.1 StarRez shall transfer personal data between jurisdictions in accordance with the requirements of applicable Data Protection Laws and StarRez shall put in place sufficient safeguards as prescribed by such laws where applicable to enable the lawful transfer of personal data.
4.2 EU/UK/Swiss personal data. StarRez may transfer personal data that is regulated by the GDPR/UK GDPR to territories outside the EEA/UK/Switzerland in the following circumstances:
4.2.1 Adequacy Decisions: Personal data may be transferred from EU Member States, the EEA member countries, the United Kingdom (“UK”) or Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decision”).
4.2.2 Standard Contractual Clauses: if the processing of personal data by StarRez includes a transfer either directly or via onward transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”) or Switzerland to other countries which have not been subject to a relevant Adequacy Decision and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data as defined in the GDPR, the UK GDPR, the FADP as relevant outside the EEA the UK or Switzerland as applicable then the Standard Contractual Clauses incorporated by reference to this Addendum in Schedule 4 (EU SCCs), 5 (UK Addendum) and 6 (Swiss Cross Border Transfers) shall apply in respect of the processing of such personal data.
4.2.3 In relation to the Standard Contractual Clauses StarRez will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of the ‘data exporter’.
4.3 Appendices of the EU SCCs shall be deemed completed as set forth in Schedule 4 of this Addendum in relation to transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to transfer of personal data outside the United Kingdom, shall be deemed completed as set forth in Schedule 5. The terms set forth in Schedule 6 (Swiss Cross Border Transfers) shall apply to any applicable such Swiss transfers.
4.4 To the extent the Standard Contractual Clauses conflict with any provision of this Addendum the Standard Contractual Clauses will prevail to the extent of such conflict.
4.5 The Parties shall co‑operate in good faith to complete any data‑transfer impact assessment or supplementary measure analysis reasonably required under the EU GDPR, UK GDPR, FADP, or guidance of competent supervisory authorities.
5. Sub-processors
5.1 StarRez has the Customer’s general authorisation for the engagement of sub-processors as set out at https://trust.starrez.com/subprocessors (as updated from time to time) (the “Sub-processor List”). StarRez shall provide notice of any intended changes to the Sub-processor List, including the addition or replacement of sub-processors, by updating the Sub-processor List. Customers may subscribe via the Trust Center to receive notifications of such updates. Customer acknowledges that monitoring the Sub-processor List or subscribing to such notifications is the Customer’s responsibility and StarRez shall have no obligation to provide separate or additional notice. StarRez shall publish such updates at least 20 working days in advance, thereby giving the Customer sufficient time to object to such changes on reasonable data protection grounds prior to the engagement of the sub-processor(s). Updates to the Sub-processor List shall be deemed effective notice to the Customer as of the date of publication. StarRez shall ensure that any changes to the Sub-processor List do not materially reduce the level of protection afforded to personal data under this Addendum..
5.2 If the Customer objects to the appointment of a new sub-processor within such period StarRez shall use reasonable efforts to make available to the Customer a change in the Services or recommend a change to the Customer’s configuration or use of the Services in each case to avoid the processing of the Customer's personal data by the objected-to sub-processor for the Customer’s consideration and approval. If StarRez is unable to make available such change within a reasonable period of time which shall not exceed one month or the Customer does not approve any such changes proposed by StarRez the Customer may terminate that certain portion of the Service which cannot be provided by StarRez without the use of the objected-to sub-processor.
5.3 Where StarRez engages a sub-processor to carry out specific processing activities it shall do so by way of a written contract that provides for in substance the equivalent data protection obligations as those binding StarRez under these clauses including in terms of third-party beneficiary rights for data subjects.
5.4 StarRez shall remain fully responsible to the Customer for the performance of the sub-processor’s obligations under its contract with the Customer. StarRez shall notify the Customer of any failure by the sub-processor to fulfil its obligations under that contract.
5.5 StarRez where applicable and pursuant to Data Protection Laws shall agree a third-party beneficiary clause with the sub-processor whereby in the event StarRez as processor has factually disappeared, ceased to exist in law or has become insolvent the Customer shall have the right to terminate the sub-processor contract and to instruct the sub-contract to erase or return personal data.
5.6 Where a Sub‑processor will Process Personal Data outside an Adequate Jurisdiction, StarRez shall ensure that an appropriate transfer mechanism is in place before such Processing commences.
6. Audit rights
6.1 StarRez shall provide all reasonable assistance in order to facilitate the Customer in exercising its audit rights and allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement provided that no such audit or inspection has been conducted in the preceding 12 months. By default, any audits or inspections shall be carried out remotely by the Customer and not onsite.
6.2 The Customer will provide StarRez with 30 business days’ notice prior to such an audit or inspection which will be conducted at a time mutually agreed between the Parties and in any event will be conducted during normal business hours and will not materially disrupt StarRez’s business where nominated staff of StarRez is required.
6.3 At Customer’s option, the obligation to facilitate an audit may be satisfied by providing the most recent SOC 2 (Type II) or similar certification report covering the Services, together with a written attestation of no material changes since the report date.
6.4 If the Customer's request for information or access relates to a sub-processor or information held by a sub-processor which StarRez cannot provide to the Customer itself StarRez will submit a request for additional information in writing to the relevant sub-processor(s).
6.4.1 Pursuant to Clause 5.3 above the Customer acknowledges that access to the sub-processor's premises or to information about the sub-processor's previous independent audit reports is subject to agreement from the relevant sub-processor, and that StarRez cannot guarantee access to that sub-processor's premises or audit information at any particular time or at all. The Customer shall bear all costs in connection with any such audits or inspections and reimburse StarRez for all costs incurred by StarRez and time spent by StarRez in connection with any such inspection or audit.
7. Rights of Data Subjects
7.1 StarRez acting as processor shall notify the Customer if StarRez receives a request from a data subject to exercise the data subject’s rights under Data Protection Laws and shall not respond to such request without the Customer’s prior written consent except to confirm that such request relates to the Customer. StarRez shall forward any data‑subject request to Customer promptly and, in any event, within five (5) business days of receipt, and shall provide reasonable assistance to enable Customer to respond within the time limits set by applicable Data Protection Laws.
8. Data Return and Destruction
8.1 At the Customer's request StarRez shall give the Customer a copy of or access to all or part of the personal data in its possession or control in the format and on the media reasonably specified by the Customer.
8.2 Unless agreed to otherwise, StarRez shall keep a backup of Customer’s data for up to ninety (90) days after termination of the Agreement for any reason or expiry of its term. After this period, StarRez shall securely delete or destroy or if directed in writing by the Customer return and not retain all or any of the personal data related to this Addendum in its possession or control unless any law, regulation or government or regulatory body requires StarRez to retain any documents or materials or personal data that StarRez would otherwise be required to return or destroy.
9. Liability
9.1 This Addendum is subject to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect including any limitations and exclusions on liability contained therein which shall apply to this Addendum as if fully set forth here. In the event of any conflict between the terms of this Addendum and the terms of the Agreement the terms of the Agreement shall prevail.
10. Term and Termination
10.1 This Addendum is effective as of the effective date of the Agreement and shall remain in full force until the Agreement has expired or is terminated for any reason. This Addendum will terminate simultaneously and automatically with the termination of the Agreement.
10.2 Notwithstanding anything to the contrary herein express or implied any StarRez confidentiality obligations under the Agreement and this Addendum and Clause 7 above will survive the expiration or termination for any reason of the Agreement and of this Addendum.
By entering into and executing the Agreement the parties are deemed to have signed this Addendum.
Schedule 1: Data processing information
Schedule 3: Technical and Organisational Measures
Annex II for the purposes of the EU SCCs
&
Appendix 2 for the purposes of the UK SCCs
1. Measures of encryption of personal data
2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
5. Measures for user identification and authorisation
6. Measures for the protection of data during transmission
7. Measures for the protection of data during storage
8. Measures for ensuring physical security of locations at which personal data are processed
9. Measures for ensuring events logging
10. Measures for ensuring system configuration, including default configuration
11. Measures for internal IT and IT security governance and management
12. Measures for certification/assurance of processes and products
13. Measures for ensuring data minimisation
14. Measures for ensuring data quality
15. Measures for ensuring limited data retention
16. Measures for ensuring accountability
17. Measures for allowing data portability and ensuring erasure
For transfers to (sub-) processors, the following specific technical and organisational measures to be taken by the (sub-) processor shall be, as appropriate, the same.
StarRez may amend the Technical and Organisational Measures contained in Schedule 3 from time to time provided that such amendments do not materially diminish the overall level of security offered to Customer.
Schedule 4: EU SCCs
For the EU SCCs:
The contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will be deemed entered into (and incorporated into the Agreement by reference between the Data Exporter (Customer) and that Data Importer (StarRez) as follows:
• Module Two (Controller to Processor) will apply where Customer is a controller and StarRez is a processor.
• in Clause 7, the optional docking Clause will not apply.
• in Clause 9, Option 2 will apply and the time period for prior notice of sub-processor as set out in Clause 5.1 of the Data Processing Addendum.
• in Clause 11, the optional language will not apply.
• in Clause 17, Option 1 will apply and the EU SCCs will be governed by the law of Ireland.
• in Clause 18(b), disputes shall be resolved before the courts of Ireland.
• In Annex I:
• Section A of Annex 1 shall be completed in the table below.
• For Section B of Annex 1, the description of transfer shall be as detailed in the Data Processing Addendum in Schedule 1.
• For Section C of Annex 1, the competent supervisory authority/ies shall be determined in accordance with the Data Protection Commission (Ireland)
• For Annex II:
The Technical and Organisational measures are as detailed in Schedule 3 of the Data Processing Addendum.
• For Annex III, the sub-processors are as set out in the Sub-processor List (as defined in Clause 5.1).
By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes as of the date the Parties entered into the Agreement.
Schedule 5: UK International Data Transfer Addendum
For the UK GDPR:
The "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) will be deemed entered into and incorporated into the Agreement by reference as follows:
1. Part 1: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above in Schedule 4 of the Data Processing Addendum as applicable with the Security Measures, in Schedule 3, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "both party".
2. Part 2: Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2. The EU SCCs completed as set out above for EU Personal Data shall apply to transfers of such data and shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such personal data. This Part 2 shall be interpreted in a manner that is consistent with UK data protection laws and so that it fulfils the Parties’ obligation to provide appropriate safeguards.
By entering into and executing the Agreement the parties are deemed to have signed this UK Addendum.
Schedule 6: Swiss Cross Border Transfers
The Parties agree that the Standard Contractual Clauses as detailed in Schedule 4 shall be adjusted as set out below where the revised Swiss Federal Act on Data Protection, effective 1 September 2023 (FADP) applies to Swiss transfers:
1. References to the Standard Contractual Clauses mean the Standard Contractual Clauses as amended by this Schedule 6.
2. The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss transfers exclusively subject to the FADP.
3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to Swiss transfers.
4. References to Regulation (EU) 2018/1725 are removed.
5. Swiss transfers subject to both the FADP and the GDPR shall be dealt with by the EU Supervisory Authority named in Schedule 4.
6. References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.
7. Where Swiss transfers are exclusively subject to the FADP, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP.
8. Where Swiss transfers are subject to both the FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP insofar as the Swiss transfers are subject to the FADP.
By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes and taking into the adjustments above as of the date the Parties entered into the Agreement.