Data Processing Addendum
Introduction
We take data protection seriously. This document outlines some of the measures we take to protect your data when you use Kupp.
We've created this data processing addendum for any Kupp user who can be considered a "controller" of personal data processed by Kupp. If you have a Kupp account and have one or more members living or traveling in the EU, you agree to be bound by this Addendum, and take steps to ensure your business is GDPR compliant.
Our DPA supplements our Terms of Service and Privacy Policy and addresses requirements for data processing agreements between controllers and processors under the GDPR.
To ensure that no inconsistent or additional terms are imposed on us beyond that reflected in our standard DPA and model clauses, we cannot agree to sign customers' DPAs. As a small team, we also can't make individual changes to our DPA since we don't have a legal team on staff. Any changes to the standard DPA would require legal counsel and a lot of back-and-forth discussion that would be cost-prohibitive for our team.
By registering for and/or using the site (as that term is defined in the Agreement), you agree to be bound by this Addendum, if applicable (a signed .pdf of our DPA is available upon request). You enter into this Addendum on behalf of yourself and, to the extent required under Data Protection Laws, in the name and on behalf of your Authorized Affiliates. The parties agree to comply with the terms and conditions in this Addendum in connection with such Personal Data. Subject to the foregoing conditions, the parties agree as follows:
1. Definitions
“Affiliate” means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity.
“Authorized Affiliate” means any Affiliate(s) of you that is permitted to receive or is otherwise receiving the benefit of the Services pursuant to the Agreement.
“Control” means an ownership, voting, or similar interest representing more than fifty percent (50%) of the total interests then outstanding of the entity in question. The term “Controlled” shall be construed accordingly.
“Controller” means an entity that determines the purposes and means of the processing of Personal Data. “Customer Data” means any data that Kupp and/or its Affiliates processes on your behalf in the course of providing the Services under the Agreement.
“Data Breach” means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, or alteration of or unauthorized disclosure of or access to Personal Data. “Data Protection Laws” means all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement and this Addendum, including without limitation, where applicable, EU Data Protection Law.
“EU Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council (General Data Protection Regulation) (“GDPR”); and (ii) the Privacy and Electronic Communications Directive 2002/58/EC (in each case, as may be amended, superseded, or replaced).
“Personal Data” means any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law. “Privacy Shield” means the EU-US and Swiss-US Privacy Shield Frameworks, as administered by the U.S. Department of Commerce.
“Processor” means an entity that processes Personal Data on behalf of the Controller. “Processing” has the meaning given to it in the GDPR and “process”, “processes” and “processed” shall be interpreted accordingly.
“Services” means any product or service provided by Kupp to you pursuant to and as more particularly described in the Agreement.
“Sub-processor” means any Processor engaged by Kupp or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this Addendum. Sub-processors may include third parties or any Kupp Affiliate.
2. Relationship of the Parties
2.1 Controller and Processor. As between you and Kupp, you are the Controller of Personal Data and Kupp shall process Personal Data on your behalf only as a Processor.
2.2 Your Obligations. As the Controller, you agree that (i) you shall comply with your obligations as a Controller under Data Protection Laws in respect of your processing of Personal Data and any processing instructions you issue to Kupp; and (ii) you have provided notice and obtained (or shall obtain) all consents and rights necessary under Data Protection Laws for Kupp to process Personal Data and provide the Services pursuant to the Agreement and this Addendum.
2.3 Limited Processing by Kupp. As a Processor, Kupp shall process Personal Data only for the following purposes: (i) processing to perform the Services in accordance with the Agreement and this Addendum; (ii) processing to perform any steps necessary for the performance of the Agreement and this Addendum; and (iii) to comply with other reasonable instructions provided by you to the extent they are consistent with the terms of the Agreement and this Addendum and only in accordance with your documented lawful instructions. The Customer Data may be subject to the following process activities: (i) storage and other processing necessary to provide, maintain, and improve the Services provided to you; (ii) to provide you customer and technical support; and (iii) disclosures or further processing as required by law, in which case Kupp shall to the extent permitted by the Data Protection Laws inform you of that legal requirement before the relevant disclosure or processing of that Personal Data. The parties agree that this Addendum and the Agreement set out your complete and final instructions to Kupp in relation to the processing of Personal Data and that any processing outside the scope of these instructions (if any) shall require prior written agreement between you and Kupp.
2.4 Kupp Data. Notwithstanding anything to the contrary in the Agreement and/or this Addendum), you acknowledge that Kupp may use and disclose data relating to and/or obtained in connection with the operation, support, and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development, and sales and marketing. To the extent any such data is considered personal data under Data Protection Laws, Kupp is the Controller of such data and accordingly shall process such data in compliance with Data Protection Laws. Nothing in the Agreement or this Addendum shall prevent Kupp from using or sharing any data that Kupp would otherwise collect and process independently of your use of the Services.
3. Security
3.1 Technical and Organizational Security Measures. Kupp shall implement and maintain appropriate technical and organizational security measures to protect Personal Data from Data Breaches and to preserve the security and confidentiality of the Personal Data. For additional information, please review our Security Policy and submit specific questions to hjelp@dinekupp.no to acknowledge that Kupp’s technical and organizational security measures are subject to continued development and that Member may update or modify them from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by you.
3.2 Confidentiality of Processing. Kupp shall ensure that any person who is authorized by Kupp to process Personal Data shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
3.3 Data Breaches. Kupp shall, to the extent permitted by law, notify you without undue delay upon Kupp or any Sub-processor becoming aware of a Data Breach affecting your Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform data subjects of the Data Breach under the Data Protection Laws. Kupp shall cooperate with you and take such reasonable commercial steps as are directed by you to assist in the investigation, mitigation, and remediation of each such Data Breach.
3.4 Recordkeeping. Kupp shall maintain records of its security standards. Upon your written request, Kupp shall provide (on a confidential basis) copies of relevant external certifications, audit report summaries, and/or other documentation reasonably required by you to verify Kupp's compliance with this Addendum. Kupp shall further provide written responses (on a confidential basis) to all reasonable requests for information made by you, including without limitation responses to information security and audit questionnaires, that you (acting reasonably) consider necessary to confirm Kupp's compliance with this Addendum.
4. Sub-processing
4.1 Authorized Sub-processors. You agree that Kupp may engage Sub-processors to process Personal Data on your behalf. The Sub-processors currently engaged by Kupp and authorized by you are listed in our List of Sub-processors. Kupp shall provide you reasonable advance notice (for which email shall suffice) if it adds or replaces Sub-processors. You may object in writing to Kupp’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Kupp promptly in writing within ten (10) calendar days of receipt of Kupp’s notice in accordance herewith. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss such concerns in good faith with a view to achieving commercially reasonable resolution. If this is not possible, either party may terminate the applicable Services.
4.2 Obligations Respecting Sub-processors. Kupp shall: (i) enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws; and (ii) remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the Sub-processor that cause Kupp to breach any of its obligations under this Addendum.
5. International Transfers
5.1 Processing Locations. Kupp stores and processes EU Data (defined below) in data centers located outside the European Union. All other Customer Data may be transferred and processed in the United States and anywhere in the world where Kupp, its Affiliates, and/or its Sub-processors maintain data processing operations. Kupp shall implement appropriate safeguards to protect the Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.
6. Cooperation
6.1 Response to Requests. To the extent Kupp is required under Data Protection Laws, Kupp shall (at your expense) provide reasonably requested information regarding Kupp's processing of Personal Data under the Agreement and/or this Addendum to enable you to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
6.2 Correction or Erasure by You. Kupp shall comply with any commercially reasonable request by you to correct, amend, block, or delete Personal Data, as required by Data Protection Laws, to the extent Kupp is legally permitted to do so.
6.3 Access. To the extent that you are unable to independently access the relevant Personal Data within the Services, Kupp shall (at your expense) taking into account the nature of the processing, provide reasonable cooperation to assist you, in so far as is possible, to respond to any requests from individuals or applicable data protection authorities relating to the processing of Personal Data under the Agreement and/or this Addendum. In the event that any such request is made directly to Kupp, Kupp shall not respond to such communication directly without your prior authorization, unless legally compelled to do so. If Kupp is required to respond to such a request, Kupp shall promptly notify you and provide it with a copy of the request unless legally prohibited from doing so.
6.4 Exercise of Rights by Data Subjects. Taking into account the nature of the processing, Kupp shall assist you by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligations, as reasonably understood by you, to respond to requests by data subjects to exercise rights under the Data Protection Laws. To the extent legally permitted, you shall be responsible for any costs arising from Kupp’s provision of such assistance (to the extent the provision of such assistance is not included in the Services to which you are entitled under the Agreement).
6.5 Return of Deletion of Data Upon Termination. Upon the end of the provisions of Services to you, all Personal Data shall be deleted, save that this requirement shall not apply to the extent Kupp is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on backup systems, which such Personal Data Kupp shall securely isolate and protect from any further processing, except to the extent required by applicable law.
7. Miscellaneous
7.1 Conflict. Except for the changes made by this Addendum, the Agreement remains unchanged and in full force and effect. If there is any conflict between this Addendum and the Agreement, this Addendum shall prevail to the extent of that conflict.
7.2 Liability. Each party’s liability, taken together in the aggregate, arising out of or related to this Addendum and/or the Agreement, whether in contract, tort or under any other theory of liability, is subject to the ‘Limitations of liability’ section of the Agreement. For the avoidance of doubt, Kupp’s total liability for all claims arising out of or related to the Agreement and this Addendum shall apply in the aggregate for all claims under both the Agreement and this Addendum.
7.3 Governance. This Addendum shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless required otherwise by Data Protection Laws.