Data Processing Addendum
This Data Processing Addendum ("DPA") forms part of the Terms of Service between GV Cloud Consulting Inc. ("Processor") and the Customer ("Controller") accessing and using LabInventory services.
1. Definitions
"Customer Data" means any personal data that Processor processes on behalf of Controller as a data processor in the course of providing Services.
"Data Protection Laws" means all data protection laws and regulations applicable to a party's processing of Customer Data under the Agreement, including where applicable the GDPR and UK GDPR.
"GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679).
"Services" means LabInventory software services provided by Processor.
"Sub-processor" means any third party engaged by Processor to process Customer Data.
2. Scope and Roles
2.1 This DPA applies where and only to the extent that Processor processes Customer Data on behalf of Controller as a data processor in the course of providing the Services.
2.2 The parties acknowledge and agree that Controller is the data controller and Processor is the data processor with respect to Customer Data.
3. Processor Obligations
3.1 Processor shall:
- Process Customer Data only in accordance with Controller's documented instructions
- Ensure that persons authorized to process Customer Data are subject to confidentiality obligations
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk
- Only engage Sub-processors with Controller's authorization and ensure Sub-processors are bound by data protection obligations
- Assist Controller in responding to data subject requests
- Delete or return all Customer Data within 60 days after termination of Services
- Make available information necessary to demonstrate compliance with this DPA
4. Sub-processors
4.1 Controller acknowledges and agrees that Processor may engage the Sub-processors listed at Appendix 1
4.2 Processor shall provide Controller with at least 10 days' notice before adding any new Sub-processor, giving Controller the opportunity to object.
5. Security
5.1 Processor shall implement and maintain appropriate technical and organizational security measures to protect Customer Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure.
5.2 Processor's infrastructure provider maintains SOC 2 Type II compliance and other relevant security certifications.
6. Security Incidents
6.1 Processor shall notify Controller without undue delay and in any event within 72 hours after becoming aware of any personal data breach affecting Customer Data.
6.2 Processor shall provide reasonable assistance to Controller in relation to any personal data breach notifications Controller is required to make.
7. Data Transfers
7.1 Controller acknowledges that Processor may transfer and process Customer Data anywhere in the world where Processor or its Sub-processors maintain facilities.
7.2 For transfers of Customer Data out of the EEA or UK, the parties agree to be bound by the Standard Contractual Clauses for the transfer of personal data to processors established in third countries.
8. Controller Responsibilities
8.1 Controller shall ensure that:
- Its instructions comply with Data Protection Laws
- It has all necessary rights to provide Customer Data to Processor for processing
- It has provided all necessary notices to data subjects
9. Liability
The liability of each party under this DPA shall be subject to the limitations of liability set forth in the Terms of Service.
10. Term and Termination
This DPA shall continue in force until the termination of the Terms of Service.
11. Governing Law
This DPA is governed by the laws set forth in the Terms of Service.
Appendix 1: List of Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| DigitalOcean | Infrastructure and hosting | Global |
| Paddle | Payment processing | Global |
| Brevo | Email services | EU |