Data Processing Agreement

StarRez

Data Processing Addendum

This Data Processing Addendum including its Schedules (also known as “Addendum”) forms part of the Master Subscription Agreement or other written agreement (collectively known as “Agreement”) between StarRez and Customer to reflect the Parties’ agreement with regard to the processing of personal data.

1. Definitions and Interpretation

In this Addendum, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:

  • “Controller”, “processor”, “data subject”, “personal data”, “processing” and “appropriate technical and organisational measures” shall be interpreted in accordance with the GDPR.
  • “Data Exporter” means the Party that transfers Personal Data to a country outside the jurisdiction from which the data originated.
  • “Data Importer” means the recipient Party that receives such Personal Data for Processing.
  • EU personal data means the processing of personal data to which data protection legislation of the European Union or of a Member State of the European Union or European Economic Area is applicable.
  • EU GDPR or GDPR means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) including as implemented or adopted under the laws of the United Kingdom (“UK GDPR”).
  • FADP means the Swiss Federal Act on Data Protection enacted on 1 September 2023.
  • Data Protection Laws means all laws and regulations applicable to the processing of personal data under the Agreement including but not limited to the GDPR, UK GDPR, FADP and U.S. state comprehensive privacy laws such as the CPRA (California), CPA (Colorado), CTDPA (Connecticut), VCDPA (Virginia) and UCPA (Utah), as well as Canada (PIPEDA) and its provincial laws (such as PIPA in British Columbia), and South Africa (POPIA)
  • Security Incident means any accidental, unauthorised or unlawful destruction, loss, alteration, or disclosure of, or access to the personal data that StarRez processes in the course of providing the Services.
  • Services means the work performed by StarRez and set out in accordance with the Agreement, Work Order or other equivalent documentation.
  • Standard Contractual Clauses means;
    • where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries (“EU SCCs”); and
    • where the UK GDPR applies, for the transfer of data from the United Kingdom to a non-adequate country, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022 (“UK International Data Transfer Addendum” or “UK Addendum”).
  • StarRez shall mean either StarRez, Inc., StarRez Ltd, or StarRez Global Pty Ltd depending upon the contracting entity with the Customer.
  • Sub-processor means any sub-processor engaged by StarRez.  
  • Swiss personal data means personal data to which the FADP was applicable prior to its processing by StarRez.
  • UK GDPR means the GDPR as applicable as part of UK domestic law by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (as amended).
  • UK personal data means the processing of personal data to which data protection laws of the United Kingdom were applicable prior to its processing by StarRez.

2. Data Protection

2.1. The Parties agree the provisions of this Addendum shall apply to the personal data StarRez processes in the course of providing the Services. The Parties agree that the Customer is the controller and StarRez is the processor in relation to the personal data that StarRez processes in the course of providing the Services.

2.2. The Customer shall have sole responsibility for the legality of the personal data and the means by which the Customer acquired any personal data for the performance of the Services and the Customer warrants and undertakes that any personal data collected, processed and transferred in accordance with the laws applicable to Customer including obtaining all required consents from the applicable data subjects for the processing carried out by StarRez under this Addendum.

2.3. The subject-matter of the data processing is the performance of the Services. The obligations and rights of the Customer are as set out in this Addendum. Schedule 1 of this Addendum sets out the nature, duration and purpose of the processing, the types of personal data StarRez processes and the categories of data subjects whose personal data is processed.

2.4. When StarRez processes personal data in the course of providing the Services it shall:

2.4.1 process the personal data only in accordance with documented instructions from the Customer. If StarRez is required to process the personal data for any other purpose by applicable laws to which StarRez is subject to, StarRez will inform the Customer of this requirement first unless such law(s) prohibit this on important grounds of public interest; and

2.4.2 notify the Customer immediately if in StarRez's opinion an instruction for the processing of personal data given by the Customer infringes applicable Data Protection Laws and it being acknowledged that StarRez shall not be obliged to undertake additional work to determine if the Customer's instructions are compliant.

2.5. StarRez shall maintain the confidentiality of the personal data and shall not disclose the personal data to third parties unless the Customer or this Addendum authorises the disclosure, or as required by domestic law, court or data protection regulator. If a domestic law, court or data protection regulator requires StarRez to process or disclose the personal data to a third party StarRez shall first inform the Customer of such legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement unless the domestic law prohibits the giving of such notice.

2.6 The Customer acknowledges that as part of the provision of Services StarRez may collect, share and otherwise use fully anonymized, de-identified and de-identifiable data including statistical data, analytics, trends and other aggregated data derived from personal data processed for StarRez’s legitimate purposes such as to provide, maintain, operate and improve the Services on an ongoing basis. The Customer agrees and acknowledges that such processing activities including the anonymization and deidentification of personal data will not be considered as performed outside the scope of the instructions provided by the Customer. StarRez agrees not to use anonymized or deidentified data in a form that identifies the Customer or any data subject in any manner whatsoever.

2.7 StarRez shall ensure that personnel required to access the personal data are subject to a binding duty of confidentiality in respect of such personal data.

2.8 StarRez shall reasonably assist the Customer with meeting the Customer's compliance obligations under Data Protection Laws taking into account the nature of StarRez’s processing and the information available to StarRez including in relation to data subject rights (see Clause 6), data protection impact assessments and reporting to and consulting with relevant data protection regulator(s) under Data Protection Laws. To the extent legally permitted the Customer shall be responsible for any costs arising from StarRez’s provision of the assistance relating to Clause 2.8.

2.9 StarRez shall implement and maintain appropriate technical and organisational measures to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected. (Refer to Schedule 3).

3. Security Incidents

3.1 In the event of an actual Security Incident, StarRez will notify the Customer without undue delay, and in no event no more than seventy-two (72) hours. StarRez shall provide the Customer with the following information to the extent it has been able to determine:

3.1.1 description of the nature of the Security Incident including the categories of in-scope personal data and approximate number of both data subjects and the personal data records concerned.

3.1.2 the likely consequences.

3.1.3 a description of the measures taken or proposed to be taken to address including measures to mitigate its possible adverse effects.

3.2 Following a Security Incident the Parties shall coordinate with each other to investigate the matter. StarRez shall reasonably cooperate with the Customer in the Customer's handling of the matter including:

3.3.1 assisting with the Security Incident investigation; and

3.3.2 making available relevant records, logs, files, data reporting and other        materials required to comply with all Data Protection Laws or as otherwise reasonably required by the Customer.  

3.3 StarRez shall not inform any third party of any accidental, unauthorised or unlawful processing of all or part of the personal data and/or Security Incident without first obtaining the Customer's written consent where the Security Incident relates to the Customer except when required to do so by domestic law.

4. Cross-border transfers of personal data

4.1 StarRez shall transfer personal data between jurisdictions in accordance with the requirements of applicable Data Protection Laws and StarRez shall put in place sufficient safeguards as prescribed by such laws where applicable to enable the lawful transfer of personal data.

4.2 EU/UK/Swiss personal data. StarRez may transfer personal data that is regulated by the GDPR/UK GDPR to territories outside the EEA/UK/Switzerland in the following circumstances:

4.2.1 Adequacy Decisions: Personal data may be transferred from EU Member States, the EEA member countries, the United Kingdom (“UK”) or Switzerland to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, the UK, and/or Switzerland (“Adequacy Decision”).

4.2.2 Standard Contractual Clauses: if the processing of personal data by StarRez includes a transfer either directly or via onward transfer from the EEA (“EEA Transfer”), the UK (“UK Transfer”) or Switzerland to other countries which have not been subject to a relevant Adequacy Decision and such transfers are not performed through an alternative recognized compliance mechanism for the lawful transfer of personal data as defined in the GDPR, the UK GDPR, the FADP as relevant outside the EEA the UK or Switzerland as applicable then the Standard Contractual Clauses incorporated by reference to this Addendum in Schedule 4 (EU SCCs), 5 (UK Addendum) and 6 (Swiss Cross Border Transfers) shall apply in respect of the processing of such personal data.

4.2.3 In relation to the Standard Contractual Clauses StarRez will comply with the obligations of the ‘data importer’ in the Standard Contractual Clauses and the Customer will comply with the obligations of the ‘data exporter’.

4.3 Appendices of the EU SCCs shall be deemed completed as set forth in Schedule 4 of this Addendum in relation to transfer of personal data outside the EEA. The UK International Data Transfer Addendum applicable to transfer of personal data outside the United Kingdom, shall be deemed completed as set forth in Schedule 5. The terms set forth in Schedule 6 (Swiss Cross Border Transfers) shall apply to any applicable such Swiss transfers.

4.4 To the extent the Standard Contractual Clauses conflict with any provision of this Addendum the Standard Contractual Clauses will prevail to the extent of such conflict.  

4.5 The Parties shall co‑operate in good faith to complete any data‑transfer impact assessment or supplementary measure analysis reasonably required under the EU GDPR, UK GDPR, FADP, or guidance of competent supervisory authorities.

5. Sub-processors

5.1 StarRez has the Customer’s general authorisation for the engagement of sub-processors as set out at https://trust.starrez.com/subprocessors (as updated from time to time) (the “Sub-processor List”). StarRez shall provide notice of any intended changes to the Sub-processor List, including the addition or replacement of sub-processors, by updating the Sub-processor List. Customers may subscribe via the Trust Center to receive notifications of such updates. Customer acknowledges that monitoring the Sub-processor List or subscribing to such notifications is the Customer’s responsibility and StarRez shall have no obligation to provide separate or additional notice. StarRez shall publish such updates at least 20 working days in advance, thereby giving the Customer sufficient time to object to such changes on reasonable data protection grounds prior to the engagement of the sub-processor(s). Updates to the Sub-processor List shall be deemed effective notice to the Customer as of the date of publication. StarRez shall ensure that any changes to the Sub-processor List do not materially reduce the level of protection afforded to personal data under this Addendum..

5.2 If the Customer objects to the appointment of a new sub-processor within such period StarRez shall use reasonable efforts to make available to the Customer a change in the Services or recommend a change to the Customer’s configuration or use of the Services in each case to avoid the processing of the Customer's personal data by the objected-to sub-processor for the Customer’s consideration and approval. If StarRez is unable to make available such change within a reasonable period of time which shall not exceed one month or the Customer does not approve any such changes proposed by StarRez the Customer may terminate that certain portion of the Service which cannot be provided by StarRez without the use of the objected-to sub-processor.

5.3 Where StarRez engages a sub-processor to carry out specific processing activities it shall do so by way of a written contract that provides for in substance the equivalent data protection obligations as those binding StarRez under these clauses including in terms of third-party beneficiary rights for data subjects.  

5.4 StarRez shall remain fully responsible to the Customer for the performance of the sub-processor’s obligations under its contract with the Customer. StarRez shall notify the Customer of any failure by the sub-processor to fulfil its obligations under that contract.

5.5 StarRez where applicable and pursuant to Data Protection Laws shall agree a third-party beneficiary clause with the sub-processor whereby in the event StarRez as processor has factually disappeared, ceased to exist in law or has become insolvent the Customer shall have the right to terminate the sub-processor contract and to instruct the sub-contract to erase or return personal data.

5.6 Where a Sub‑processor will Process Personal Data outside an Adequate Jurisdiction, StarRez shall ensure that an appropriate transfer mechanism is in place before such Processing commences.

6. Audit rights

6.1 StarRez shall provide all reasonable assistance in order to facilitate the Customer in exercising its audit rights and allow the Customer and its respective auditors or authorised agents to conduct audits or inspections during the term of the Agreement provided that no such audit or inspection has been conducted in the preceding 12 months. By default, any audits or inspections shall be carried out remotely by the Customer and not onsite.  

6.2 The Customer will provide StarRez with 30 business days’ notice prior to such an audit or inspection which will be conducted at a time mutually agreed between the Parties and in any event will be conducted during normal business hours and will not materially disrupt StarRez’s business where nominated staff of StarRez is required.

6.3 At Customer’s option, the obligation to facilitate an audit may be satisfied by providing the most recent SOC 2 (Type II) or similar certification report covering the Services, together with a written attestation of no material changes since the report date.

6.4 If the Customer's request for information or access relates to a sub-processor or information held by a sub-processor which StarRez cannot provide to the Customer itself StarRez will submit a request for additional information in writing to the relevant sub-processor(s).

6.4.1 Pursuant to Clause 5.3 above the Customer acknowledges that access to the sub-processor's premises or to information about the sub-processor's previous independent audit reports is subject to agreement from the relevant sub-processor, and that StarRez cannot guarantee access to that sub-processor's premises or audit information at any particular time or at all. The Customer shall bear all costs in connection with any such audits or inspections and reimburse StarRez for all costs incurred by StarRez and time spent by StarRez in connection with any such inspection or audit.

7. Rights of Data Subjects

7.1 StarRez acting as processor shall notify the Customer if StarRez receives a request from a data subject to exercise the data subject’s rights under Data Protection Laws and shall not respond to such request without the Customer’s prior written consent except to confirm that such request relates to the Customer. StarRez shall forward any data‑subject request to Customer promptly and, in any event, within five (5) business days of receipt, and shall provide reasonable assistance to enable Customer to respond within the time limits set by applicable Data Protection Laws.

8. Data Return and Destruction

8.1 At the Customer's request StarRez shall give the Customer a copy of or access to all or part of the personal data in its possession or control in the format and on the media reasonably specified by the Customer.

8.2 Unless agreed to otherwise, StarRez shall keep a backup of Customer’s data for up to ninety (90) days after termination of the Agreement for any reason or expiry of its term. After this period, StarRez shall securely delete or destroy or if directed in writing by the Customer return and not retain all or any of the personal data related to this Addendum in its possession or control unless any law, regulation or government or regulatory body requires StarRez to retain any documents or materials or personal data that StarRez would otherwise be required to return or destroy.  

9. Liability

9.1 This Addendum is subject to the rights and obligations of the Parties under the Agreement which shall continue to have full force and effect including any limitations and exclusions on liability contained therein which shall apply to this Addendum as if fully set forth here. In the event of any conflict between the terms of this Addendum and the terms of the Agreement the terms of the Agreement shall prevail.

10. Term and Termination

10.1 This Addendum is effective as of the effective date of the Agreement and shall remain in full force until the Agreement has expired or is terminated for any reason. This Addendum will terminate simultaneously and automatically with the termination of the Agreement.

10.2 Notwithstanding anything to the contrary herein express or implied any StarRez confidentiality obligations under the Agreement and this Addendum and Clause 7 above will survive the expiration or termination for any reason of the Agreement and of this Addendum.

By entering into and executing the Agreement the parties are deemed to have signed this Addendum.

Schedule 1: Data processing information

Subject Matter of the processing  The personal data shall be processed in order to allow StarRez to provide the Services.
Nature and purpose of processing operations  StarRez processes personal data to provide the Services and host the personal data of the Customer’s end users so that Customers can provide services to their customers. This includes processing to:

• respond to inquiries and provide customer support

• improve StarRez’s existing products or develop new ones

• conduct audits and comply with regulation and industry standards

Categories of data subject  • Customer’s employees & contractors

• Customer’s end users

Categories of data  The personal data transferred concern the following categories of data (please specify):

• Names

• Addresses

• Dates of birth

• Telephone numbers

• Emails

• Job titles

• Card Numbers

• Transaction history

• Device IDs

• IP addresses

• Customer’s Customized Fields

Special categories of data (if appropriate)  The personal data transferred by Customer may concern the following special categories of data:

Personal data revealing racial or ethnic origin; personal data revealing political opinions; personal data revealing religious or philosophical beliefs; personal data revealing trade union membership; genetic data; biometric data (where used for identification purposes); data concerning health; or data concerning a person’s sex life or sexual orientation.

Duration of Processing  The personal data shall be processed for the term of the Agreement or for such longer or shorter period as StarRez provides data processing services.

Schedule 3: Technical and Organisational Measures

Annex II for the purposes of the EU SCCs

&

Appendix 2 for the purposes of the UK SCCs

1. Measures of encryption of personal data

2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

5. Measures for user identification and authorisation

6. Measures for the protection of data during transmission

7. Measures for the protection of data during storage

8. Measures for ensuring physical security of locations at which personal data are processed

9. Measures for ensuring events logging

10. Measures for ensuring system configuration, including default configuration

11. Measures for internal IT and IT security governance and management

12. Measures for certification/assurance of processes and products

13. Measures for ensuring data minimisation

14. Measures for ensuring data quality

15. Measures for ensuring limited data retention

16. Measures for ensuring accountability

17. Measures for allowing data portability and ensuring erasure

For transfers to (sub-) processors, the following specific technical and organisational measures to be taken by the (sub-) processor shall be, as appropriate, the same.

StarRez may amend the Technical and Organisational Measures contained in Schedule 3 from time to time provided that such amendments do not materially diminish the overall level of security offered to Customer.

Schedule 4: EU SCCs

For the EU SCCs:

The contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (“EU SCCs”) will be deemed entered into (and incorporated into the Agreement by reference between the Data Exporter (Customer) and that Data Importer (StarRez) as follows:

• Module Two (Controller to Processor) will apply where Customer is a controller and StarRez is a processor.

• in Clause 7, the optional docking Clause will not apply.

• in Clause 9, Option 2 will apply and the time period for prior notice of sub-processor as set out in Clause 5.1 of the Data Processing Addendum.

• in Clause 11, the optional language will not apply.

• in Clause 17, Option 1 will apply and the EU SCCs will be governed by the law of Ireland.

• in Clause 18(b), disputes shall be resolved before the courts of Ireland.

• In Annex I:

• Section A of Annex 1 shall be completed in the table below.

• For Section B of Annex 1, the description of transfer shall be as detailed in the Data Processing Addendum in Schedule 1.

• For Section C of Annex 1, the competent supervisory authority/ies shall be determined in accordance with the Data Protection Commission (Ireland)

• For Annex II:

The Technical and Organisational measures are as detailed in Schedule 3 of the Data Processing Addendum.

• For Annex III, the sub-processors are as set out in the Sub-processor List (as defined in Clause 5.1).

By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes as of the date the Parties entered into the Agreement.


Name
Address
Contact person name and contact details Activities relevant to the data transferred under these Clauses Role
(controller/processor)
Data Exporter:
Customer in this Addendum who is a party to the Agreement
The address of the Customer as detailed in the Agreement Customer’s email address or details as stated in the Agreement As detailed in the Agreement and the Addendum Controller
Data Importer: StarRez - - As detailed in the Agreement Processor

Schedule 5: UK International Data Transfer Addendum

For the UK GDPR:

The "International Data Transfer Addendum to the EU Commission Standard Contractual Clauses" issued by the Information Commissioner's Office under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”) will be deemed entered into and incorporated into the Agreement by reference as follows:

1. Part 1: Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed with the information set out above in Schedule 4 of the Data Processing Addendum as applicable with the Security Measures, in Schedule 3, and table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "both party".

2. Part 2: Each Party agrees to be bound by the terms and conditions set out in this Part 2, in exchange for the other Party also agreeing to be bound by this Part 2. The EU SCCs completed as set out above for EU Personal Data shall apply to transfers of such data and shall be deemed amended as specified by Part 2 of the UK Addendum in respect of the transfer of such personal data. This Part 2 shall be interpreted in a manner that is consistent with UK data protection laws and so that it fulfils the Parties’ obligation to provide appropriate safeguards.

By entering into and executing the Agreement the parties are deemed to have signed this UK Addendum.

Schedule 6: Swiss Cross Border Transfers

The Parties agree that the Standard Contractual Clauses as detailed in Schedule 4 shall be adjusted as set out below where the revised Swiss Federal Act on Data Protection, effective 1 September 2023 (FADP) applies to Swiss transfers:

1. References to the Standard Contractual Clauses mean the Standard Contractual Clauses as amended by this Schedule 6.

2. The Swiss Federal Data Protection and Information Commissioner shall be the sole Supervisory Authority for Swiss transfers exclusively subject to the FADP.

3. The terms “General Data Protection Regulation” or “Regulation (EU) 2016/679” as utilized in the Standard Contractual Clauses shall be interpreted to include the FADP with respect to Swiss transfers.

4. References to Regulation (EU) 2018/1725 are removed.

5. Swiss transfers subject to both the FADP and the GDPR shall be dealt with by the EU Supervisory Authority named in Schedule 4.

6. References to the “Union”, “EU” and “EU Member State” shall not be interpreted in such a way as to exclude Data Subjects in Switzerland from the possibility of exercising their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the Standard Contractual Clauses.

7. Where Swiss transfers are exclusively subject to the FADP, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP.

8. Where Swiss transfers are subject to both the FADP and the GDPR, all references to the GDPR in the Standard Contractual Clauses are to be understood to be references to the FADP insofar as the Swiss transfers are subject to the FADP.

By entering into and executing the Agreement the parties are deemed to have signed these SCCs including their annexes and taking into the adjustments above as of the date the Parties entered into the Agreement.