Data Processing Addendum

Effective Date: July 29, 2024

This Data Processing Addendum (“this DPA”) is an addendum to the licensing agreement (“Agreement”) between Smart Glazier Software (hereafter “SGS”) and the licensee (“Customer”) for the use of SGS’s software services (“Services”).

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means the signed licensing agreement between SGS and Customer which grants the Customer rights to use the Services.

“Authorised Affiliate” means any of Customer’s Affiliate(s) which:

  • is permitted to use the Services under the Agreement between Customer and SGS without signing its own licensing agreement with SGS, and
  • qualifies as a Controller of Personal Data Processed by SGS.

“Controller” means the entity which determines the purposes and means of the Processing of Personal Data, and includes “business” as defined in the CCPA.

“Customer Data” means data which is entered into the Services by Customer or any End Users.

“Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, to the extent applicable, laws and regulations of the European Union, the European Economic Area and their member states, the United Kingdom, and the United States including:

  • “GDPR” means the General Data Protection Regulation, Regulation (EU) 2016/679.
  • “UK GDPR” means the United Kingdom Data Protection Act of 2018.
  • “EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR.
  • “CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. and associated regulations and amendments, including, when effective, the California Privacy Rights Act amendments.
  • “U.S. Privacy Laws” means the collective privacy laws of other U.S. states.

“Data Subject” means the identified or identifiable person to whom Personal Data relates.

“End Users” means Customer’s end users such as employees, contractors, or any others, including third parties, that Customer grants access to the Services.

“Personal Data” means any information that is Customer Data and that relates to:

  • an identified or identifiable natural person; and/or
  • an identified or identifiable legal entity (where such information is protected similarly as personal data under Applicable Data Protection Law).

“Processing” (including its various forms) means any operation or set of operations which is performed upon Personal Data, including storing, collecting, retrieving, using, combining, erasing and destroying personal data, and can involve automated or manual operations.

“Processor” means the entity that Processes Personal Data on behalf of the Controller and includes a “service provider” as defined under the CCPA.

“Security Breach” means any unauthorized breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

“Subprocessor” means any Processor contracted by SGS.

2. Processing of Personal Data

Scope

This DPA applies where and only to the extent that SGS processes Personal Data in the course of providing the Services to the Customer and this Personal Data is subject to Applicable Data Protection Law.

Customer enters into this DPA on behalf of itself and in the name and on behalf of Customer’s Authorised Affiliates.

Roles of the Parties

The parties acknowledge and agree that regarding the Processing of Personal Data, Customer is either a Controller or Processor of Personal Data and SGS is a Processor.

Customer’s Processing of Personal Data

Customer shall ensure that the End Users in their use of the Services:

  • process Personal Data in accordance with the requirements of Applicable Data Protection Law. For the avoidance of doubt, the Customer’s instructions for the Processing of Personal Data shall comply with Applicable Data Protection Law;
  • have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquires Personal Data;
  • have provided adequate notices to, and obtained valid consents from, any Data Subjects relating to the Processing (including the disclosure) of Personal Data by Customer and, as applicable, to cross-border transfers of such Personal Data;
  • shall not, by act or omission, cause SGS to violate any Applicable Data Protection Law, or notices provided to or consents obtained from Data Subjects as a result of Processing the Personal Data; and
  • shall not disclose any Special Categories of Personal Data, as defined within Applicable Data Protection Law, to SGS by any means including entering into the Services.

SGS’s Processing of Personal Data

SGS shall treat Personal Data as confidential information and shall only Process Personal Data:

  • to fulfil its obligations to Customer under the Agreement and this DPA;
  • on behalf of Customer and in accordance with Customer’s documented instructions; and
  • in compliance with Applicable Data Protection Law.

Nature of the Data

SGS handles Customer Data which may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain and improve the Services provided to Customer; (ii) to provide technical support to Customer; and (iii) disclosures as required by law or otherwise set forth in the Agreement.

Confidentiality

SGS shall ensure that its personnel, including employees and contractors, engaged in the Processing of Personal Data shall be under appropriate obligations of confidentiality (whether contractual or statutory).

Duration of the Processing

SGS will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing or as required otherwise by the Agreement, this DPA or Applicable Data Protection Law.

3. Subprocessors

Appointment of Subprocessors

Customer acknowledges and agrees that SGS may engage third-party Subprocessors in connection with the provision of the Services.

List of Current Subprocessors and Notification of New Subprocessors

Current SGS Subprocessors are listed in SGS’s Privacy Policy, available at https://smartglazier.com/privacy-policy/.


SGS shall provide notification to the Customer of a new Subprocessor(s) where commercially applicable.

Objection Right for New Subprocessors

Customer may object to SGS’s use of a new Subprocessor by notifying SGS promptly in writing within ten (10) business days after receipt of SGS’s notice of a new Subprocessor, where commercially applicable.

In the event Customer objects to a new Subprocessor, SGS may, at its option, use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the new Subprocessor without unreasonably burdening the Customer.

If SGS is unable to make available such change within 30 days then Customer may immediately terminate in writing to SGS the applicable Agreement without the notice period normally required by the Agreement, such option to be taken within 60 days of the Customer’s objection.

4. Security

SGS shall maintain appropriate technical and organizational measures to protect Personal Data from Security Breaches and to preserve the confidentiality of the Personal Data in accordance with SGS’s security policy at https://smartglazier.com/security-policy/.

5. Security Breach Response

Upon becoming aware of a Security Breach, SGS shall notify Customer without undue delay and shall provide timely information relating to the Security Breach as it becomes known or as is reasonably requested by Customer.


SGS will use reasonable efforts to identify the cause of any Security Breach and shall without undue delay take any steps that SGS deems necessary and reasonable in order to remediate the cause of such a Personal Data Incident to the extent the remediation is within SGS’s reasonable control.


The obligations herein shall not apply to incidents that are caused by Customer, its Authorised Affiliates or the End Users. SGS’s obligation to report or respond to a Security Breach under this Section is not to be construed as an acknowledgement by SGS of any fault or liability with respect to the Security Breach.

6. Cooperation

SGS will provide reasonable and timely assistance to the Customer (at the Customer’s expense) to enable the Customer to respond to:


(i) any request from a Data Subject to exercise any of its rights under Applicable Data Protection Law; and


(ii) any other correspondence, enquiry or complaint received from a Data Subject, regulator or other third party in connection with the processing of Personal Data. If any such request, correspondence, enquiry or complaint is made directly to SGS, SGS will promptly inform the Customer, providing full details.


To the extent SGS is required under Applicable Data Protection Law, SGS shall (at Customer’s expense) provide reasonably requested information regarding SGS’s processing of Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.

7. Retention and Deletion of Personal Data

If the Customer terminates their contract with SGS services then, as per the Agreement, the data they have collected may be securely retained unless Customer requests in writing that it be destroyed.

Deletion or return of Company Personal Data

If Customer does request SGS delete the data, including Personal Data, then SGS shall delete the current versions of the Personal Data as per the Agreement. This requirement will not apply to the extent that SGS is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which SGS shall keep secure.

8. Authorised Affiliates

Contractual Relationship

Each Authorised Affiliate agrees to be bound by the terms of this DPA and, to the extent applicable, the Agreement. Further, all access to and use of the Services by Authorised Affiliates must comply with the terms and conditions of the Agreement, and any violation of the terms and conditions of the Agreement by an Authorised Affiliate shall be deemed a violation by Customer. For the avoidance of doubt, an Authorised Affiliate is not and does not become a party to the Agreement by Customer entering into this DPA, and is only a party to the DPA.

Communication

Customer shall remain responsible for coordinating all communication with SGS under this DPA and be entitled to make and receive any communication in relation to this DPA on behalf of its Authorised Affiliates.

Rights of Authorised Affiliates

Where an Authorised Affiliate becomes a party to the DPA with SGS, it shall, to the extent required under Applicable Data Protection Law, be entitled to exercise the rights and seek remedies under this DPA, subject to the following:

Except where Applicable Data Protection Law requires that the Authorised Affiliate exercise a right or seek any remedy under this DPA against SGS directly by itself, the parties agree that

  • only Customer shall exercise any such right or seek any such remedy on behalf of the Authorised Affiliate, and that
  • Customer shall exercise any such rights under this DPA in a combined manner for all of its Authorised Affiliates together, not separately for each Authorised Affiliate individually.

The parties agree that Customer shall where possible combine any activities it needs to carry out on behalf of itself and/or different Authorised Affiliates to limit any impact on SGS and its Subprocessors.


9. Limitation of Liability

To the extent permitted under Applicable Data Protection Law, each party’s and all of its Affiliates’ liability arising out of or related to this DPA and all DPAs between Authorised Affiliates and SGS, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability outlined in the Agreement, and such limitations apply to the aggregate liability of that party and all of its Affiliates under the Agreement and all DPAs together.


For the avoidance of doubt, SGS’s and its Affiliates’ total liability for all claims from the Customer and all of its Authorised Affiliates arising out of or related to the Agreement and each DPA shall not be understood to apply individually and severally to Customer and/or to any Authorised Affiliate that is a contractual party to any such DPA.

10. International Data Transfers

SGS stores Customer Data on SGS hosting servers which are located in the United Kingdom, New Zealand, and the United States of America (USA). European Customer Data will not unnecessarily be put onto USA hosting servers.

Backup and disaster recovery facilities are provided by Subprocessors who align with the European Commission’s “Adequacy Decision” and, if necessary, are enlisted in the Data Privacy Framework List, for example, Google or Microsoft.

Processor to Processor Clauses

For purposes of any Processor to Processor Clauses within the Applicable Data Protection Law, Customer agrees that it is unlikely that SGS will know the identity of Customer's Controller(s) because SGS does not have a direct relationship with such Controller(s). Therefore, Customer will fulfil any and all of SGS's obligations to Customer's Controller(s) under such Processor to Processor Clauses.

11. Miscellaneous

The Agreement is the primary document between SGS and Customer. In the case of any conflict between this DPA and the Agreement regarding Personal Data Processing, the DPA takes precedence; in all other cases the Agreement takes precedence unless specifically stated otherwise.


This DPA takes precedence over any previous data processing addendum. The terms and conditions of this DPA may be changed by SGS without Customer’s authorization as SGS deems necessary, including to reflect changes in Applicable Data Protection Laws or their interpretation.


This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Applicable Data Protection Law.


Should any provision of this DPA be invalid or unenforceable, the remainder shall remain valid and in full force.
