DATA PROCESSING ADDENDUM
This Data Processing Addendum (the “Addendum”) is between the entity identified on the Order Form (“Customer”) and Gazelle.ai Inc., a company incorporated under the laws of Canada and having an office at 416 de Maisonneuve Blvd. West, Suite 1000, Montreal (Québec) H3A 1C2 (“Gazelle.ai”).
This Addendum is effective upon the acceptance by Customer of an Order Form which requires the processing of Personal Data as defined below and shall continue in full force for as long as the Data Processor processes Personal Data on behalf of the Data Controller pursuant to the Agreement.
NOW, THEREFORE, the parties agree as follows:
1.1 The terms used with a capital letter and not defined herein are defined in the Master Services Agreement. The terms defined herein are applicable to this Data Processing Addendum.
1.2 “EU Applicable Laws” shall mean any statute, law, ordinance, regulation, rule, code, order, constitution, treaty, common law, judgment, decree, other requirements or rule of law applicable in the European Union.
1.3 “Data Controller” refers to the party who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any Personal Data is, or is to be, processed. Customer is the Data Controller of the Personal Data.
1.4 “Data Processor” refers to the party who processes Personal Data on behalf of the Data Controller on the basis of the Agreement, but who is not an employee of the Data Controller. Gazelle.ai is the Data Processor of the Personal Data under this Addendum.
1.5 “Data Subject” means an identified or identifiable natural person whose Personal Data is being processed by the Data Processor on behalf of the Data Controller, such as End Users.
1.6 “GDPR” means the General Data Protection Regulation (EU) 2016/679, as amended from time to time.
1.7 “Personal Data” means any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Under this Addendum, Personal Data includes the Personal Data of End Users which are processed by the Data Processor on behalf of the Data Controller in order to provide the Services described in Order Forms to the Data Controller, and which are subject to the GDPR in accordance with EU Applicable Laws. For avoidance of doubt, Personal Data shall not include BI Data, BI Datasets or the Reports, which are subject to Gazelle.ai’s Data Sharing Addendum, and for which the parties are joint-Data Controllers.
1.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by the Data Processor on behalf of the Data Controller.
2. SCOPE AND APPLICATION
2.1 Addendum. This Addendum applies to Personal Data, and does not apply to Personal Information which is not subject to the GDPR. In case of conflict with any other parts of the Agreement, this Addendum shall prevail, and the remaining parts of the Agreement shall remain in full force.
2.2 EU Applicable Laws. The parties agree that the Customer is the Data Controller and Gazelle.ai is the Data Processor insofar as the Personal Data is concerned. Notwithstanding the foregoing, it is agreed and understood that each party is solely responsible for complying with its obligations under EU Applicable Laws.
2.3 Processing. The parties agree that the subject matter, purpose, nature and duration of the processing are as set forth in the table below.
The subject matter of the processing is to allow Customer’s employees (i.e. the End Users) to access and use the Services.
The purposes of the processing are:
· To create and manage accounts for End Users;
· To provide Customer and End Users with technical support;
· To ensure the maintenance of the Services, such as bug fixes;
· To provide the Training Services;
· To allow End Users to use the functionalities of the Services.
The processing of the Personal Data occurs through a software-as-a-service platform available through a browser and in a secured portal within Gazelle.ai’s publicly available website. The Personal Data is collected by technical means, including support tickets, e-mails, and through the automatic generation of electronic data such as logs.
The processing of the Personal Data shall continue for the duration of the Subscription Term, after which the Personal Data is deleted in accordance with the Agreement.
2.4 Instructions. The Data Processor will process the Personal Data in accordance with the Data Controller’s documented instructions, including those contained in the Agreement, unless the Data Processor is required to do otherwise as a consequence of EU Applicable Laws. In such a case, the Data Processor shall inform the Data Controller of that legal requirement before processing the Personal Data, unless EU Applicable Laws prohibit such information on important grounds of public interest. The Data Controller may modify the documented instructions by notice to the Data Processor, it being agreed that such modification shall not result in a decrease in the Fees due by the Data Controller and a failure to comply shall not be considered a breach of this Agreement if the Data Processor cannot reasonably comply with the documented instructions, such as if prevented from doing so by technical limitations. The Data Processor shall notify the Data Controller if the Data Processor reasonably believes that the documented instructions are not compliant with EU Applicable Laws and the Data Controller agrees to modify the documented instructions to ensure that they comply with EU Applicable Laws.
3. OBLIGATIONS OF THE DATA PROCESSOR
3.1 The Data Processor shall ensure that access to Personal Data is on a need-to-know basis and that the persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of Data Subjects, the Data Processor shall implement appropriate technical and organizational measures in accordance with Article 32 GDPR.
3.3 The Data Controller hereby consents to the list of subprocessors included under Exhibit 1 to this Agreement. The Data Processor shall provide a prior written notice of at least ten (10) days for adding or replacing subprocessors, thereby giving the Data Controller the opportunity to object to such changes. If the Data Controller does not object within this ten (10) day delay, the Data Controller is presumed to have consented to the addition or replacement of the subprocessors.
3.4 Prior to engaging a subprocessor for carrying out specific processing activities on behalf of the Data Controller, the Data Processor shall enter into an agreement setting out requirements for the processing of Personal Data substantially in accordance with this Appendix A and as set forth in the GDPR.
3.5 The Data Processor shall deploy commercially reasonable efforts to ensure that subprocessors provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Notwithstanding anything to the contrary, should the Data Processor fail to fulfill such obligations, the Data Processor shall remain fully liable to the Data Controller for the performance of that other subprocessor’s obligations.
3.6 Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising Data Subjects’ rights under the GDPR.
3.7 The Data Processor shall assist the Data Controller in ensuring compliance with the obligations pursuant to art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the Data Processor. Without limiting the generality of the foregoing, the Data Processor shall notify the Data Controller of a Personal Data Breach without undue delay and within forty-eight (48) hours of its discovery.
3.8 Upon the termination of an Order Form for any reason, the Data Processor shall delete or return the Personal Data pertaining to the Order Form to the Data Controller, and delete existing copies without undue delay, except if such copies must be retained in accordance with EU Applicable Laws. The foregoing shall not apply if the Order Form is replaced with another one, or if the Subscription Term is renewed for a Renewal Term.
3.9 The Data Processor shall ensure that adequate safeguards are in place pursuant to art. 44 seq. GDPR prior to any international transfer of Personal Data outside of the European Union. The Data Controller agrees and understands that the Personal Information may be processed outside of the European Union, including in Canada and the United States.
3.10 The Data Processor shall make available to the Data Controller the information reasonably required to demonstrate compliance with the obligations laid out in this Addendum and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. The Data Controller shall be authorized to audit Partner’s compliance with this Agreement on an annual basis, whether on-site or off-site, and Partner agrees to collaborate with such audit diligently, including by sharing the requested documents, responding to questions, and reviewing any reasonable remediation items identified by the Data Controller. Subsequent audits may also be necessary and authorized under this Agreement if needed to follow up on such remediation items. This right to audit is subject to a reasonable notice and must be performed during office hours. The Data Controller agrees to minimize operational impacts on Partner, and if possible, the Data Controller may rely on audits performed by independent third parties, in which case, such documentation shall be available to Gazelle.ai upon request, and at no additional cost.
4.1 This Addendum describes the entire understanding and agreement of the parties and supersedes all oral and written agreements or understandings between them related to its subject matter.
4.2 This Addendum, including its interpretation and effect, is governed by the laws applicable in the Province of Québec, Canada, without regard to its conflict of law provisions. Both parties hereby agree to submit to the exclusive jurisdiction of the courts located in the judicial district of Montreal, Québec, in respect to any claim, proceeding or action relating to or otherwise arising out of this Agreement or the Service howsoever arising.
4.3 The parties acknowledge that they have required this Addendum and all related documents to be prepared in English only. Les parties reconnaissent avoir demandé que le présent contrat ainsi que tous documents qui s'y rattachent soient rédigés uniquement en langue anglaise.
EXHIBIT 1: LIST OF SUBPROCESSORS