This Data Processing Addendum (“Addendum”) forms part of the agreement (the “Agreement”) between TestFit, Inc acting on its own behalf and as agent for each of its affiliates (collectively “Vendor”), and the undersigned customer (“Customer”) (each a “party” and collectively the “parties”), and reflects the parties’ agreement with regard to the processing of Personal Data in accordance with the requirements of the applicable Data Protection Legislation.
In the event of any conflict or inconsistency between this Addendum and the Agreement, this Addendum shall prevail.
1. DEFINITIONS AND INTERPRETATIONS
The terms used in this Addendum shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meaning given to them in the Agreement:
(a) “Business”, “Controller”, “Personal Data”, “Personal Data Breach”, “Processing” (and variants of it, such as “processing” and “processed” (whether capitalized or not)), “Processor”, “Service Provider”, and “Supervisory Authority” shall be given their meaning under the Data Protection Legislation;
(b) “Customer Personal Data” shall have the meaning given to it in Clause 3.1;
(c) “Data Protection Legislation” means all laws and regulations which are applicable to a party relating to the processing of Personal Data under the Agreement, including (without limitation) state, federal and national laws and regulations of the United States of America (“U.S.”), the European Union (“EU”), the European Economic Area (“EEA”), their Member States, and the United Kingdom, including (without limitation) the GDPR as amended, repealed or replaced from time to time;
(d) “GDPR” means either or both the General Data Protection Regulation (EU) 2016/679 (“EU GDPR”) and the EU GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (“UK GDPR”) as the context may require;
(e) “Restricted Transfer” means, as applicable:
(a) a transfer of Customer Personal Data from the Customer to the Vendor; or
(b) an onward transfer of Customer Personal Data from Vendor to a Subprocessor, or between two establishments of Vendor,
in each case, where such transfer would be prohibited by Data Protection Legislation in the absence of an approved method of lawful transfer, including through (i) an adequacy decision by a Supervisory Authority; (ii) Standard Contractual Clauses; or (iii) by the terms of other recognized forms of data transfer agreements or other lawful processes approved by a Supervisory Authority;
(f) “Services” shall have the meaning set forth in the Agreement or, if the Agreement does not define “Services”, shall mean the services and other activities to be performed by Vendor as set forth in and pursuant to the Agreement;
(g) “Standard Contractual Clauses” means, as applicable:
i. the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Decision (EU) 2021/914 as supplemented by Schedule 2 (“EU Standard Contractual Clauses”); and/or
ii. the UK International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses as approved by the UK Information Commissioner’s Office under section 119A(1) of the UK Data Protection Act 2018 as supplemented by Schedule 2 (“UK Addendum”); or
iii. any other standard contractual clauses, model clauses, data transfer addenda, or equivalent contractual safeguards for international transfers of Personal Data that are adopted, recognised, or approved by a competent data protection authority under any applicable Data Protection Legislation, and which the parties agree in writing to rely upon for a given transfer; and
(h) “Subprocessor” means any person or entity appointed by or on behalf of Vendor (or the relevant intermediate Subprocessor) to process Personal Data as described in Clause 5.
1.2 This Addendum shall apply only to the extent strictly necessary for compliance with Data Protection Legislation applicable to either of the parties.
2. ROLES OF THE PARTIES
2.1 Each party will comply with all requirements of the Data Protection Legislation that are applicable to the party.
2.2 The parties acknowledge and agree that for the purposes of the Data Protection Legislation, Customer is the Controller (or Business) and Vendor is the Processor (or Service Provider) of the Customer Personal Data.
2.3 Customer shall ensure that it has and will continue to have, the right to provide the Customer Personal Data to Vendor for processing and shall ensure that all instructions issued to Vendor are lawful.
3. SCOPE OF PROCESSING
3.1 Vendor shall process Personal Data only as necessary on behalf of Customer to perform its obligations under the Agreement for the term of the Agreement (“Customer Personal Data”) in accordance with this Addendum. For the avoidance of doubt, the Agreement and this Addendum constitute a documented instruction to process Customer Personal Data as necessary to perform the Services. A list of the categories of data subjects, types of Customer Personal Data and the processing activities are set out in Schedule 1.
3.2 Vendor shall process Customer Personal Data only on the documented instructions of Customer unless Vendor is required by applicable law to process such Customer Personal Data. Where Vendor is relying on applicable Law as the basis for processing Customer Personal Data, Vendor shall notify Customer of this before performing the processing required by the applicable law unless applicable law prohibits Vendor from so notifying Customer.
3.3 Vendor shall not: (a) combine Customer Personal Data with the Personal Data that it receives from any other party other than affiliates of the Customer; (b) sell or share (as defined under the applicable Data Protection Legislation) Customer Personal Data; or (c) retain, use, or disclose the Personal Data that it collected pursuant to the Agreement with Customer outside the direct business relationship between the Vendor and Customer or for any purpose other than the business purposes specified in this Agreement or as otherwise permitted under applicable Data Protection Legislation.
3.4 Use of Aggregated Data. Customer agrees that Vendor may aggregate information processed by Vendor in the ordinary course of performing the Services to create aggregated data which it may use for its own lawful and proper uses and purposes (“Aggregated Data”), provided however that Vendor does not:
(a) present a single attribute that is so narrow as to identify any individual Data Subject;
(b) identify or attribute, by express reference, inference or implication, any such Aggregated Data to Customer; or
(c) present such Aggregated Data in a manner which has the effect or capability of identifying or attributing Aggregated Data to Customer or any Data Subject.
4. DATA PROCESSING OBLIGATIONS
4.1 Without prejudice to the generality of Clause 2.1, Vendor shall, in relation to any Customer Personal Data processed in connection with the performance by Vendor of its obligations under the Agreement:
(a) taking into account the nature of the processing and the information available to Vendor, provide reasonable assistance to Customer in relation to the security of the processing of Personal Data and ensure that it has in place appropriate technical and organizational measures to protect against a Personal Data Breach and notify Customer without undue delay on becoming aware of a Personal Data Breach;
(b) ensure that all personnel who have access to and/or process Customer Personal Data are obliged to keep Customer Personal Data confidential;
(c) taking into account the nature of the processing and the information available to Vendor, provide reasonable assistance to Customer in responding to requests from a Data Subject and in ensuring compliance with its obligations under the Data Protection Legislation, only to the extent that the relevant information or means are not otherwise at the Customer's disposal;
(d) at the written direction of Customer, delete or return Customer Personal Data and copies thereof to Customer on termination of the Agreement unless required by applicable law to store Customer Personal Data, provided that Vendor may retain Customer Personal Data in its routine backups for up to ninety (90) days following termination, during which time such data will remain protected in accordance with this Addendum, will not be actively processed except for backup or recovery purposes, and will be deleted or overwritten in accordance with Vendor’s standard backup processes; and
(e) allow Customer to take reasonable and appropriate steps to ensure that Vendor uses the Customer Personal Data consistent with Customer’s obligations under Data Protection Legislation by responding to reasonable requests from Customer for information to demonstrate its compliance with this Addendum. Should Customer provide well-founded indications that such information does not reasonably demonstrate compliance with this Addendum, or an audit is requested by a Supervisory Authority, Vendor shall allow Customer to audit, by itself or using an independent third-party auditor (acceptable to Vendor and subject to a non-disclosure agreement), Vendor’s compliance. Such audits may be performed at most once annually. Customer shall give Vendor no less than thirty (30) days’ written notice of any audit. Customer and Vendor shall cooperate in good faith to agree a plan covering the scope, duration, and activities of the audit, including necessary precautions to maintain the confidentiality of Vendor data that is outside the scope of the audit. The records and results of such audit shall be deemed Vendor’s confidential information. Customer shall bear all its own costs and expenses of the audit.
4.2 Vendor shall notify Customer if it determines it can no longer meet its obligations under Data Protection Legislation. Upon such notice, Customer reserves the right to take reasonable and appropriate steps to stop and remediate the Vendor’s unauthorized use of Customer Personal Data.
5. APPOINTMENT OF SUBPROCESSORS
5.1 Customer authorises Vendor to appoint (and permit each Subprocessor appointed in accordance with this Clause 5 to appoint) Subprocessors in accordance with this Clause 5 and any restrictions in the Agreement.
5.2 Vendor shall make available to Customer a Subprocessor list, which shall be accessible online (currently located at https://www.testfit.io/legal/list-of-subprocessors) (the “Subprocessor List”). Customer authorises Vendor to appoint the Subprocessors that appear on the Subprocessor List at the date of the Agreement.
5.3 Vendor shall inform Customer of any intended changes concerning the addition or replacement of Subprocessors by updating the Subprocessor List at least thirty (30) days before the appointment of such Subprocessor, thereby giving Customer the opportunity to object to such changes on reasonable grounds. Customer shall notify Vendor in writing of any objections within fourteen (14) days of notice.
5.4 With respect to each Subprocessor, Vendor shall take commercially reasonable steps to ensure that the arrangement between, on the one hand, (a) Vendor or (b) the relevant intermediate Subprocessor and, on the other hand, the Subprocessor is governed by a written contract including terms which offer at least the same level of protection for Customer Personal Data as those set out in this Addendum.
5.5 As between Customer and Vendor, Vendor shall remain fully liable for the performance of the Subprocessor’s obligations.
6. RESTRICTED TRANSFERS
6.1 To the extent that Vendor’s provision of the Services involves a Restricted Transfer, Vendor and Customer hereby enter into the relevant Standard Contractual Clauses (which are incorporated by reference in, and form an integral part of, this Addendum) in respect of such Restricted Transfer.
6.2 The Standard Contractual Clauses shall not apply to a Restricted Transfer unless their effect, together with all compliance steps required under Data Protection Legislation (which, for the avoidance of doubt, do not include obtaining consents from individuals), is to allow the Restricted Transfer to take place without breach of applicable Data Protection Legislation. The Standard Contractual Clauses shall come into effect on the commencement of a Restricted Transfer as described in this Clause 6.
6.3 In the event that Vendor self-certifies under any applicable adequacy decision or adequacy framework by a Supervisory Authority, Vendor shall notify Customer promptly of such self-certification, and the parties agree and acknowledge that any Restricted Transfer will be subject to such decision or framework instead of the Standard Contractual Clauses. Vendor shall at all times during the term of the Agreement maintain compliance with any applicable rules of the decision or framework and provide Customer with evidence of its compliance upon request.
7. GENERAL TERMS
7.1 Termination and Survival. The parties agree that this Addendum shall terminate automatically upon termination of the Agreement. Notwithstanding the foregoing, any obligation imposed on Vendor under this Addendum in relation to the processing of Customer Personal Data shall survive any termination or expiration of this Addendum.
7.2 Governing Law and Jurisdiction. This Addendum shall be governed by the governing law of the Agreement. The parties to this Addendum hereby submit to the choice of jurisdiction stipulated in the Agreement.
7.3 Severance. Should any provision of this Addendum be invalid or unenforceable, then the remainder of this Addendum shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
SCHEDULE 1
DATA PROCESSING DETAILS
SCHEDULE 2
APPENDIX TO THE EU STANDARD CONTRACTUAL CLAUSES
This Appendix forms part of the EU Standard Contractual Clauses and must be completed by the parties.
ANNEX I
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Description of the technical and organizational security measures implemented by the data importer:
Please see TestFit’s Information Security Policy.
OPTIONAL CLAUSES
The following optional clauses shall apply to the Standard Contractual Clauses:
UK ADDENDUM
Tables 1, 2, and 3 to the UK Addendum are populated with the information contained in this Schedule 2. Table 4 shall be “Exporter” only.