Archilogic Data Privacy Addendum

1. DEFINITIONS

Capitalised terms not otherwise defined below or otherwise in this DPA shall have the meaning given to them in the Agreement:

1.1 Agreement for the purposes of this DPA means the main agreement entered into between Archilogic and the Customer (comprising the Terms and Order) containing the terms and conditions relating to the provision and use of Archilogic’s products and services as detailed in the Agreement.

1.2 Applicable Data Protection Laws means, as applicable and as updated, (i) applicable Swiss privacy laws, (ii) GDPR, (iii) UK GDPR, (iv) UK Data Protection Act 2018, (v) CPRA, and (vi) any other privacy laws that regulate the Processing of Personal Data by Archilogic in connection with the provision of its products and/or services as detailed in the Agreement that the parties agree in writing are applicable from time to time.

1.3 Controller means an entity that determines the purpose and means of Processing of the Personal Data. 

1.4 Customer means the customer identified in the Agreement (also referred to as “you”, “your”).

1.5 CPRA means the California Consumer Privacy Act of 2018 (CCPA) as further amended and modified by the California Privacy Rights Act, Cal. Civ. Code § 1798.100 et seq.

1.6 Customer Data means the Customer’s data provided to Archilogic or otherwise uploaded, entered or submitted by or on behalf of the Customer into or via Archilogic’s products and/or services as detailed in the Agreement.

1.7 Data Subject means the individual to whom the Personal Data relates.

1.8 EU SCCs means the agreement, incorporated by reference under clause 4.2(a) of this DPA by and between Customer and Archilogic, pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.

1.9 GDPR means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data, and repealing Directive 95/46/EC.

1.10 Purpose means the purposes for which the Personal Data is Processed, as set out in clause 3.6(a).

1.11 Personal Data means “personal data" or "personal information" (or any analogous concept) as defined under the applicable privacy law, including Applicable Data Protection Laws, that forms part of the Customer Data and is Processed by Archilogic as Processor (or its Sub-processors) as part of provision of Archilogic’s products and/or services as detailed in the Agreement.

1.12 Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 

1.13 Processor means an entity that Processes Personal Data directly or indirectly on behalf of a Controller. 

1.14 Sub-processor means any Processor engaged by Archilogic and involved in the Processing of Personal Data. 

1.15 UK GDPR means GDPR as it applies under UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

1.16 UK SCCs means the International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner’s Office under s.119A (1) of the United Kingdom Data Protection Act 2018 and incorporated by reference under clause 4.2(b) of this DPA by and between Customer and Archilogic.

2. INTERPRETATION

2.1 Archilogic provides products and/or services purchased by the Customer as defined in the Agreement and it will Process Personal Data in connection with such products and/or services. Such Processing is governed by the terms and conditions of this DPA which is hereby incorporated by reference into the Agreement.

2.2 In the event of any inconsistency among the following documents, the order of precedence will be: (i) the terms of this DPA; and (ii) the Agreement.

3. DATA PROTECTION OBLIGATIONS

3.1 Each party will comply with the requirements of Applicable Data Protection Laws which are applicable to that party. 

3.2 The parties have determined that, for the purposes of Applicable Data Protection Laws, Archilogic shall Process the Personal Data set out in Appendix 1 as a Processor on behalf of the Customer in respect of the Processing activities set out in Appendix 1. Should the determination in this clause 3.2 change, the parties shall work together in good faith to make any changes which are necessary to this DPA or the related appendices, as applicable.

3.3 The Customer acknowledges and agrees that (i) Archilogic is not able or required to verify the residency of each Data Subject, (ii) the Customer solely determines whether to submit any Personal Data for Processing by Archilogic’s products and/or services detailed in the Agreement, and (iii) the Customer is solely responsible for, and shall ensure that:

    (a) the Documented Instructions comply at all times with all applicable privacy laws, including Applicable Data Protection Laws, and that all Personal Data may be Processed by Archilogic in compliance with such laws. In the event either party is or becomes aware that those instructions are in conflict with any applicable privacy law, including any Applicable Data Protection Law, each party will promptly notify the other party in writing and the parties will work together to resolve any such conflict, provided that Archilogic shall be entitled to:
      (i) charge the Customer for any agreed changes reasonably required to its products and services, related procedures and/or this DPA; or
      (ii) terminate the relevant Agreement and/or related Order (1) where the required changes impose an excessive burden on Archilogic, make the products and/or services substantially different to the existing ones or are not technically feasible, or (2) where, after the Customer has become aware that its instructions infringe applicable legal requirements, the Customer insists on compliance with those instructions.

3.4 Without prejudice to the generality of 3.1, the Customer shall ensure that it has all necessary and appropriate rights, consents and notices in place to enable the lawful transfer of Personal Data to and processing of Personal Data by Archilogic for the duration and purposes of this DPA and in accordance with the Documented Instructions.

3.5 In relation to the Personal Data, Appendix 1 sets out the scope, nature and purpose of Processing by Archilogic, the duration of the Processing and the types of Personal Data and categories of Data Subjects.

3.6 Without prejudice to the generality of 3.1, Archilogic shall, in relation to Personal Data:

    (a) Process that Personal Data only on the Documented Instructions defined herein. This DPA, the Agreement and the nature and purposes of processing (along with the subject-matter, types of Personal Data and data subjects and duration of processing) set out in Appendix 1 constitute the complete set of instructions to Archilogic in relation to the Processing of Personal Data (“Documented Instructions”), unless Archilogic is required by applicable laws to otherwise Process that Personal Data. Where Archilogic is relying on applicable laws as the basis for Processing Personal Data, Archilogic shall notify the Customer of this before performing the Processing required by the applicable laws unless those applicable laws prohibit Archilogic from so notifying the Customer on important grounds of public interest;
    (b) in accordance with Applicable Data Protection Laws, implement appropriate technical and organisational measures to protect against unauthorised or unlawful Processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, which are appropriate to the harm that might result from the unauthorised or unlawful Processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
    (c) ensure that any personnel engaged and authorised by Archilogic to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory or common law obligation of confidentiality;
    (d) assist the Customer insofar as this is possible (taking into account the nature of the Processing and the information available to Archilogic), and at the Customer's cost and written request, in responding to any request from a Data Subject and in ensuring the Customer's compliance with its obligations under Applicable Data Protection Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
    (e) notify the Customer without undue delay on becoming aware of any actual unauthorised disclosure of, or accidental or unlawful destruction, loss, compromise, damage or theft of Personal Data or any incident or set of events, including any that give rise to a “personal data breach” (as such term, or any analogous term, is defined under Applicable Data Protection Laws) involving the Personal Data;
    (f) at the written direction of the Customer, delete or return Personal Data and copies thereof to the Customer within 30 days of the date of termination of the Agreement unless Archilogic is required by applicable law to continue to Process that Personal Data. For the purposes of this clause 3.6(f), Personal Data shall be considered deleted where it is put beyond further use by Archilogic; and
    (g) maintain records to demonstrate its compliance with the terms of this DPA, and allow for reasonable related audits conducted by the Customer, the Customer's designated auditor for this purpose, or a competent supervisory authority under Applicable Data Protection Laws; provided that the Customer shall pay Archilogic’s reasonable costs and expenses incurred in connection with such audit and such audit (i) follows reasonable prior written notice (at least 30 days) to Archilogic; (ii) takes place no more than once per year (except where mandated by a competent regulatory authority); (iii) is subject to reasonable confidentiality and security controls; and (iv) does not unreasonably interfere with Archilogic’s day-to-day business activities. The Customer shall comply with Archilogic’s reasonable security requirements.

3.7 The Customer hereby provides its prior, general authorisation for Archilogic to appoint Sub-processors to Process the Personal Data. Archilogic’s then current Sub-processors as at the Effective Date of the Agreement are set out in Appendix 2. Archilogic shall:

    (a) ensure that the terms on which it appoints such Sub-processors comply with Applicable Data Protection Laws, and are consistent with or similar in substance to those terms set out in this DPA;
    (b) where, and to the extent, required under Applicable Data Protection Laws, be liable for the performance of its Sub-processors to the same extent Archilogic would be liable if Processing Personal Data itself; and
    (c) inform the Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Customer the opportunity to object to such changes provided that such objection is based on reasonable grounds relating to data protection. If no objection has been received by Archilogic within 30 days of the date of notice of such change, the Customer shall be deemed to have accepted such change. The parties agree to act reasonably and in good faith to resolve any objection by the Customer received within the objection period.

To the extent any audit undertaken by the Customer pursuant to clause 3.6(g) requires information relating to a Sub-processor, the Customer acknowledges that such information may only be obtained in accordance with the terms of the relevant Sub-processor agreement. 

4. Cross-Border Transfers

4.1 The Customer hereby gives Archilogic its prior, general authorisation for Archilogic to transfer Personal Data outside of the EEA, Switzerland and/or UK as required for the Purpose, provided that Archilogic shall ensure that all such transfers are effected in accordance with Applicable Data Protection Laws. 

4.2 Where the Personal Data is being transferred from the European Economic Area (“EEA”), the United Kingdom or Switzerland for Processing by Archilogic outside of those jurisdictions, the parties agree that:

    (a) EU SCCs will apply to Personal Data that is transferred from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside of the EEA or Switzerland that is not recognised by the competent EEA or Swiss regulatory authority or governmental body for the EEA or Switzerland (as applicable) as providing an adequate level of protection for personal data. For data transfers from the EEA or Switzerland that are subject to the EU SCCs, the EU SCCs will be deemed entered into and incorporated into this DPA by this reference and completed as set out in Appendix 3; and
    (b) UK SCCs will apply to Personal Data that is transferred from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognised by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for personal data. For data transfers from the United Kingdom that are subject to the UK SCCs, the UK SCCs will be deemed entered into and incorporated into this DPA by this reference and completed as set out in Appendix 4.

4.3 Where the Data Protection Law of a jurisdiction other than the EEA, the United Kingdom or Switzerland applies to the Personal Data and requires the parties to enter into a set of standard contractual clauses to protect the transfer of Personal Data outside of that jurisdiction, and no alternative mechanism, such as an adequacy decision, is available or applicable, the parties shall negotiate a related amendment to this DPA acting reasonably and in good faith.

4.4 By entering into the Agreement, the parties are deemed to have signed the relevant SCCs incorporated herein, including their Annexes, as of the effective date of the Agreement or as at the date they become applicable (based on any corresponding change in Documented Instructions).

5. CPRA

Where the CPRA applies to any Personal Data Processed by Archilogic under this DPA, in addition to the above terms and conditions, the parties agree that: (a) the Customer only discloses the Personal Data to enable Archilogic to process Personal Data pursuant to this DPA; and (b) Archilogic (i) will not ‘sell’ or ‘share’ (as those terms are defined in the CPRA) Personal Data (or be required by the Customer to do so); (ii) will not retain, use, or disclose Personal Data for any purpose, including any commercial purpose, except as permitted in the Agreement, the DPA or under CPRA; (iii) will not retain, use, or disclose Personal Data outside the direct business relationship between Archilogic and the Customer, including by not combining any Personal Data with other Personal Data collected or received from another source, except as permitted by CPRA; (iv) will notify the Customer in accordance with clause 6.1 of this DPA if it determines that it can no longer meet its obligations under CPRA; and (v) if Archilogic is engaged in unauthorised use of Personal Data, the Customer may, upon reasonable notice to Archilogic, take reasonable and appropriate steps to stop and remediate such unauthorised use of the Personal Data.

6. LIABILITY

This DPA is subject to the indemnification and limitations of liability provisions of the Agreement.

7. MISCELLANEOUS

7.1 Notifications. For notices required to be given by Archilogic under this DPA or the Agreement to notify the Customer of any changes to the Processing of Personal Data under this DPA, Archilogic will notify the Customer by sending an email to the Customer’s nominated representative.

7.2 Governing law. This DPA shall be governed and construed in accordance with the laws governing the Agreement.

Appendix 1 - Processing, Personal Data and Data Subjects     

1. Processing by Archilogic – Scope/Subject Matter, Nature and Purpose

The Processing carried out by Archilogic relates to the provision of its products and/or services as detailed in the Agreement.    

2. Duration of the Processing

The duration of Processing will be for the duration of the provision of Archilogic’s products and/or services as specified in the Agreement plus a reasonable period after expiry of the Agreement to return or delete the Personal Data.     

3. Types of Personal Data

Any personal data or personal information (or any analogous concept) as defined under the applicable privacy law, including Applicable Data Protection Laws, that forms part of the Customer Data.     

4. Categories of Data Subject

The data subjects may include Customer’s customers, employees, suppliers and end-users.     

5. Special Categories of Data

No sensitive or health-related or special category of personal data is required for the provision of Archilogic’s products and/or services, and submitting such data for Processing is prohibited except in circumstances where the Customer has obtained the prior written agreement of an authorised representative of Archilogic (which agreement may be subject to additional requirements and terms).

Appendix 2 – Sub-processors

Name of Sub-processor        Nature of processing                Place of performance of core Processing activities
Amazon Web Services, Inc.    Virtual cloud servers               EU West Region
Google LLC                   Google Workspace                    US/Europe
Hubspot, Inc.                Customer success/Sales/Marketing    US
Stripe, Inc.                 Payment processing                  EU West

Appendix 3 - EU SCCs

PART A – EU SCCs Schedule to the DPA

This EU SCCs Schedule applies if the EU SCCs apply as set forth in clause 4.2(a) of the DPA. 

1. Processing Generally.
    1. Modules. Customer and Archilogic acknowledge and agree that Module 2 (Transfer Controller to Processor) of the EU SCCs applies to the Processing of Personal Data described in the DPA.
    2. Instructions. Customer’s complete and final documented instructions for the Processing of Personal Data for the purposes of the EU SCCs, including clause 8.1(a) of the EU SCCs, are those referred to in clause 3.6 of the DPA.
    3. Deletion. The parties acknowledge and agree that any deletion or return of Personal Data that is described in clause 8.5 of the EU SCCs (and certification of the same) shall be conducted as set forth in clause 3.6 of the DPA, and a certification shall be provided by Archilogic only upon Customer’s request.
    4. Onward Transfers. The parties acknowledge and agree that Customer’s documented instructions for disclosure of Personal Data to a third party as described in clause 8.8 of the EU SCCs shall be carried out in accordance with clauses 3.7 and 4 of the DPA.
    5. Access by public authorities. Customer agrees to reimburse Archilogic for all reasonable fees, costs and expenses (including reasonable legal fees) it incurs in complying with its obligations under clause 15 of the of the EU SCCs.

2. Sub-processors.

The parties agree to use Option 2 in clause 9(a) of the EU SCCs, and that changes to Sub-processors as described under clause 9(a) shall be dealt with in accordance with clause 3.7 of the DPA. The parties agree that the copies of the Sub-processor agreements that must be provided by Archilogic to Customer pursuant to clause 9(c) of the EU SCCs may have all commercial information, or clauses unrelated to the EU SCCs or their equivalent, removed by Archilogic beforehand; and, that such copies will be provided by Archilogic, in a manner to be determined in its discretion, only upon written request by Customer.

3. Governing Law.

The parties agree to use Option 1 set forth in clause 17 of the EU SCCs. The parties agree that the law of Switzerland shall apply. Furthermore, the parties agree to use the courts of Switzerland for purposes of clause 18 of the EU SCCs.

4. Miscellaneous.

The parties agree that: (i) in clause 7 of the EU SCCs, the optional docking clause will apply; (ii) in clause 11 of the EU SCCs, the optional language will not apply; (iii) in respect of Switzerland, the EU SCCs will apply provided that any references in the clauses to the GDPR shall refer to the FADP; the FDPIC is the competent supervisory authority; the term ‘member state’ must not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence in accordance with clause 18(c) of the clauses; and the clauses shall also protect the data of legal persons until the entry into force of the revised FADP.

5. Annexes to EU SCCs
    1. Annex I of EU SCCs. Annex I of the EU SCCs is completed as set out in Annex 1 of this Appendix 3.
    2. Annex II of EU SCCs. Annex II of the EU SCCs is completed as set out in Annex 2 of this Appendix 3.

Annex 1 of Appendix 3

A. LIST OF PARTIES

Data exporter(s): Customer (as defined in the Agreement)

Contact person’s name, position and contact details: the contact details specified by Customer in the Agreement

Activities relevant to the data transferred under these Clauses: see part B. below

Role (controller/processor): controller

Data importer(s): Archilogic (as defined in the DPA)

Contact person’s name, position and contact details: 

Sjef Tijssen, SVP Operations

privacy@archilogic.com

Activities relevant to the data transferred under these Clauses: see Part B. below

Role (controller/processor): processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred

As per the Documented Instructions including Appendix 1 of the DPA.

Categories of personal data transferred

As per the Documented Instructions including Appendix 1 of the DPA.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

As per the Documented Instructions including Appendix 1 of the DPA.

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

The Personal Data is transferred on a continuous basis.

Nature of the processing

The nature of the Processing is the provision and performance of Archilogic’s products and/or services pursuant to the Agreement.

Purpose(s) of the data transfer and further processing

The purpose of the Processing is the provision and performance of Archilogic’s products and/or services pursuant to the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

Personal Data will be retained by the data importer no longer than necessary for the purposes set forth in the Agreement and in accordance with the DPA.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

The subject matter, nature and duration of the processing are the provision and performance of Archilogic’s products and/or services pursuant to the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.

Annex 2 of Appendix 3

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES (TOMs) TO ENSURE THE SECURITY OF THE DATA. 

Capitalised terms not otherwise defined in this document have the meanings assigned to them in the Agreement.

Information Security Program. 

Archilogic will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorised access to the Archilogic Network, and (c) minimise security risks, including through risk assessment and regular testing. Archilogic will designate one or more employees to coordinate and be accountable for the information security program. 

The information security program will include the following measures, among others:

1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b of the GDPR)

Logical access control

No unauthorised system usage. SSH keys are required to identify trusted computers, in addition to usernames and passwords. Two-step authentication is enabled on every cloud platform that provides it (for example, AWS). Individual authentication credentials are not shared. SSH keys are rotated frequently. All endpoints (computers, laptops, mobile phones) use encrypted storage, strong passwords and auto-locking mechanisms.

Data access control

No unauthorized reading, copying, changing or removing within the system.

Separation control

Customer data is logically separated at the database/datastore level using a unique identifier for the customer. The separation is enforced at the API layer where the client must authenticate with a chosen account and then the customer's unique identifier is included in the access token and used by the API to restrict access to data to the account. All database/datastore queries then include the account identifier.
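The separation control described above, as an added example that is not Archilogic’s own code: the account identifier is bound into a signed access token, every datastore query is scoped by that identifier, and a caller-supplied account id is never trusted. The token format, signing key, field names and floor-plan records are constructed for illustration, and the weak handler is included only to contrast with the scoped one.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample datastore: every record carries the owning account id,
# the "unique identifier for the customer" the addendum describes.
FLOORPLANS = [
    {"id": "fp-1", "account_id": "acct-A", "name": "HQ level 1"},
    {"id": "fp-2", "account_id": "acct-A", "name": "HQ level 2"},
    {"id": "fp-3", "account_id": "acct-B", "name": "Warehouse"},
]

# Assumption: a server-side secret used to sign access tokens (constructed value).
SIGNING_KEY = b"constructed-demo-signing-key"


def issue_token(account_id: str) -> str:
    """Mint a minimal HMAC-signed token whose payload carries the account id.
    Constructed token format: <base64url(json)>.<hex hmac-sha256>."""
    payload = base64.urlsafe_b64encode(
        json.dumps({"account_id": account_id}).encode()
    ).decode()
    sig = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def account_from_token(token: str) -> Optional[str]:
    """Return the account id bound to a token, or None if the signature is bad.
    The account id is trusted only because the server signed it."""
    payload, sep, sig = token.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))["account_id"]


def query_floorplans(account_id: str, floorplan_id: Optional[str] = None) -> list:
    """Every datastore query carries the account id; the filter is never optional."""
    rows = [r for r in FLOORPLANS if r["account_id"] == account_id]
    if floorplan_id is not None:
        rows = [r for r in rows if r["id"] == floorplan_id]
    return rows


def get_floorplan_weak(requested_account_id: str, floorplan_id: str):
    """Anti-pattern: the tenant id comes from the request body or URL, so the
    datastore filter is only as good as whatever the caller chose to send."""
    rows = query_floorplans(requested_account_id, floorplan_id)
    return rows[0] if rows else None


def get_floorplan(token: str, floorplan_id: str):
    """Scoped handler: the tenant is derived from the verified token, and a
    record owned by another account is reported exactly like a missing one,
    so the response does not reveal whether the id exists elsewhere."""
    account_id = account_from_token(token)
    if account_id is None:
        return None
    rows = query_floorplans(account_id, floorplan_id)
    return rows[0] if rows else None


if __name__ == "__main__":
    token_a = issue_token("acct-A")
    print("own record:", get_floorplan(token_a, "fp-1"))          # HQ level 1
    print("other tenant's record:", get_floorplan(token_a, "fp-3"))  # None
    print("weak handler, caller names acct-B:", get_floorplan_weak("acct-B", "fp-3"))
```

The point of the contrast is where the account identifier originates: in the weak handler it is request input, in the scoped handler it is a claim the server itself signed, and the datastore helper cannot be called without it. A tampered payload fails signature verification before any query is made.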

Network Security

The Archilogic Network will be electronically accessible to employees, contractors and any other person as necessary to provide the Services. Archilogic will maintain access controls and policies to manage what access is allowed to the Archilogic Network from each network connection and user, including the use of firewalls or functionally equivalent technology and authentication controls. Archilogic will maintain corrective action and incident response plans to respond to potential security threats.

2. Measures to ensure integrity (Art. 32 para. 1 lit. b of the GDPR)

Transfer control

Data will only be transferred where strictly necessary for effective business processes. No unauthorized reading, copying, changing or removing during electronic transmission or transport. Data in transit is encrypted.

Encryption

All databases, data stores, and file systems are encrypted according to Archilogic’s Encryption Policy.

3. Measures to ensure availability and resilience (Art. 32 para. 1 lit. b of the GDPR)

Availability control

Protection against accidental damage, destruction or loss via backups, escalation paths and emergency plans.

Resilience

Systems and services are designed so that Processing can be sustained under intermittent high stresses or constant high loads.

4. Measures for the pseudonymization of Personal Data

Use of personnel, customer, and supplier IDs instead of names.

5. Procedures for periodical review, assessment, and evaluation (Art. 32 para. 1 lit. d of the GDPR; Art. 25 para. 1 of the GDPR)

Incident Response Management Plan

Disaster Recovery Plan

Data Protection Policy

Business Continuity Plan

Archilogic will conduct periodic reviews of the security of its Archilogic Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. Archilogic will continually evaluate the security of its Archilogic Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

APPENDIX 4 – UK SCCs

This UK SCCs Schedule applies if the UK SCCs apply as set forth in clause 4.2(b) of the DPA. Appendix 3 of this DPA is hereby incorporated by reference into this Appendix 4 and applies to the UK SCCs in the same way and to the same extent as it does for the EU SCCs (except to the extent expressly amended by the UK SCCs). 

The Part 1: Tables of the UK SCCs are completed as set forth below: 

Table 1: Parties 

The parties’ details and key contact information are as set out in Annex 1A of Appendix 3 of this DPA.

Table 2: Selected SCCs, Modules and Selected Clauses

The Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum: 

    • Module 2 only
    • Clause 7 (Docking clause): this optional clause will apply
    • Clause 11: this optional clause will not apply
    • Clause 9a (Prior Authorisation or General Authorisation): Option 2 (general authorisation) will apply.
    • Clause 9a (Time Period): the time period set out in clause 3.7 of the DPA

Table 3: Appendix Information 

Annex IA: the list of Parties is set out in Annex 1A of Appendix 3 of this DPA.

Annex IB: the description of the transfer is set out in Annex 1B of Appendix 3 of this DPA.

Annex II: the technical and organisational measures (including technical and organisational measures to ensure the security of the data) are set out in Annex 2 of Appendix 3 of this DPA.

Annex III: the list of Sub-processors is set out in Appendix 2 of this DPA. 

Table 4: Ending this Addendum when the Approved Addendum Changes

Both the Exporter and the Importer may end this Addendum as set out in section 19 of the UK SCCs.