Data Processing Agreement

Last updated: March 30th, 2023

This Data Processing Agreement (“DPA”) reflects the agreement between AtmanCo Inc. (“AtmanCo”) and the entity subscribing to the Atman Platform (hereinafter “Customer”).

This DPA is supplemental to, and forms an integral part of, the agreement between the entity of the AtmanCo group identified in the Purchase Order and the Customer. This DPA is in force upon its incorporation into such agreement by reference.

1. Definitions

1.1.  Capitalized terms not defined herein have the meaning ascribed to them in the Agreement.

1.2.  In this DPA:

(a) “Agreement” means the agreement between AtmanCo and the Customer regarding the Services comprising several documents, including any Purchase Order and the AtmanCo Terms of Service, as applicable.

(b) “AtmanCo Group” means AtmanCo and any affiliates thereof.

(c) “Canadian Data Protection Laws” means the Personal Information Protection and Electronic Documents Act, SC 2000, c 5 and the Act respecting the protection of personal information in the private sector, CQLR c P-39.1 as may be amended, superseded or replaced.

(d) “Controller” means any Person which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

(e) “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to a party to this DPA, including without limitation European Data Protection Laws and Canadian Data Protection Laws in each case as amended, repealed, consolidated or replaced from time to time. 

(f) “Data Subject” means the individual to whom Personal Data relates.

(g) “Europe” means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom. 

(h) “European Data Protection Laws” means data protection laws applicable in Europe, as may be amended, superseded or replaced from time to time.  

(i) “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.

(j) “Partner” means an intermediary who resells access to the Services or uses the Services to itself provide services to third parties.

(k) “Permitted Affiliates” means any Customer Affiliates that (i) are permitted to use the Services pursuant to the Agreement, (ii) qualify as a Controller of Personal Data Processed by AtmanCo, and (iii) are subject to European Data Protection Laws.

(l) “Person” is to be interpreted broadly and includes any individual, corporation, limited liability company, limited partnership, company, association, partnership, trust or estate, joint venture, governmental entity or political subdivision thereof, or any other entity.

(m) “Personal Data” means any information relating to an identified or identifiable individual.

(n) “Processing” or “Process” means any operation or set of operations which is performed by a Processor upon Personal Data, whether or not by automatic means.

(o) “Processor” means a Person which Processes Personal Data on behalf of the Controller.

(p) “Purchase Order” means the documents, in any format, exchanged and accepted by the parties in connection with the purchase of psychometric tests and the use of the Atman Platform by Customer.

(q) “Regulator” means, as applicable, any Person or law enforcement or other agency having regulatory, supervisory or governmental authority (whether under a statutory scheme or otherwise) over all or any part of the Processing of Personal Data in connection with the provision or receipt of the Services, including, without limitation, the European data protection supervisory authorities.

(r) “Respondent Data” means data provided or inputted directly by a Respondent on the Atman Platform, but excluding any data generated or derived from such data through the Services.

(s) “Respondent” means an individual using the Service at the request or direction of the Customer, such as a candidate for a position or an employee of the Customer performing an assessment.

(t) “Security Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by AtmanCo and/or Sub-Processors in connection with the provision of the Services, not including events that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

(u) “Services” means the services provided by any entity of the AtmanCo Group to the Customer or to its Affiliates as established in the Agreement.

(v) “Standard Contractual Clauses” means the standard contractual clauses for Processors annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, in the form set out at Schedule 4; as may be amended, superseded or replaced.

(w) “Sub-Processor” means any Processor engaged by AtmanCo or AtmanCo Affiliates to assist in fulfilling AtmanCo’s obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or AtmanCo Affiliates but will not include individuals employed or engaged by AtmanCo.

(x) “Third-Country” means a jurisdiction or recipient: (i) not recognized by the European Commission as providing an adequate level of protection for personal data; and (ii) not covered by a suitable framework recognized by the relevant authorities or courts as providing an adequate level of protection for personal data.

2. Role of the parties

2.1  In Processing Personal Data, the parties acknowledge and agree that:

(a) AtmanCo is the Controller with respect to Respondent Data;

(b) Customer acts as the Controller and AtmanCo acts as a Processor with respect to any other Personal Data, including data generated by AtmanCo in the course of providing Services; and

(c) If the Services are purchased through a Partner, the Partner may act as the Controller with respect to Personal Data depending on the agreement between the Partner and the Customer. Where Partner is the Controller with respect to Personal Data, references to Customer in this DPA shall be deemed to include Partner.

2.2  When acting as joint Controller, the parties agree to process Personal Data in accordance with the requirements of this DPA.

3. Compliance with Data Protection Laws

3.1  Each party shall carry out any processing of Personal Data in compliance with all applicable Data Protection Laws.

3.2  AtmanCo is not responsible for compliance with any Data Protection Laws applicable to the Customer or to the Customer’s industry that are not generally applicable to AtmanCo.

3.3  If AtmanCo becomes aware that it cannot Process Personal Data in accordance with Customer’s instructions due to a legal requirement under any applicable law, AtmanCo will (i) promptly notify the Customer of that legal requirement to the extent permitted by applicable law; and (ii) where necessary, stop all Processing (other than merely storing and maintaining the security of the affected Personal Data) until such time as the Customer issues new instructions in compliance with applicable law. If this provision is invoked, AtmanCo will not be liable to Customer under the Agreement for any failure to perform the applicable Services until such time as AtmanCo reasonably determines that Customer’s instructions are lawful.

4. AtmanCo Obligations

4.1  AtmanCo will only Process Personal Data for the purposes described in this DPA or in the AtmanCo Privacy Statement or as otherwise agreed within the scope of lawful instructions received from the Customer, except where and to the extent otherwise required by applicable law.

4.2  AtmanCo will process Respondent Data as necessary to perform its obligations under the Agreement, to respond to Data Subject requests with respect to Respondent Data, as set forth in the Privacy Statement or with the explicit consent of the relevant Data Subject. AtmanCo has no obligation to provide Respondent Data to the Customer except with the consent of the relevant Data Subject.

4.3  AtmanCo shall implement and maintain appropriate technical and organizational measures to protect Personal Data from Security Breaches, including as described under Schedule 2 to this DPA (“Security Measures”). AtmanCo may modify or update the Security Measures at its discretion provided that such modification or update does not result in a material degradation in the protection offered by the Security Measures.

4.4  AtmanCo shall treat Personal Data as Customer’s confidential information and will ensure that any of its employees or contractors authorized to access or Process Personal Data is subject to appropriate confidentiality obligations (whether contractual or statutory) with respect to that Personal Data.

4.5  AtmanCo will delete or return all Personal Data Processed on behalf of Customer pursuant to this DPA upon request by Customer or Partner, as applicable. AtmanCo may retain copies of Personal Data where required by applicable law, or where Personal Data has been archived on back-up systems, which data will be securely isolated and protected from any further Processing and deleted in accordance with applicable deletion practices.

4.6  AtmanCo will retain Respondent Data as set forth in the Privacy Statement or as agreed between AtmanCo and the relevant Data Subject.

5. Customer’s Obligations

5.1  The Customer is responsible to ensure that its use of the Services is in accordance with all applicable Data Protection Laws, including by ensuring that (i) it is authorized to appoint AtmanCo to Process Personal Data on its behalf in accordance with this DPA, (ii) it has the right to transfer, or provide access to, the Personal Data to AtmanCo for Processing in accordance with the terms of the Agreement (including this DPA), and (iii) Customer’s instructions with respect to the Processing of Personal Data comply with applicable laws, including Data Protection Laws.

5.2  Customer shall promptly notify AtmanCo in writing if it has reason to believe or if it has been notified that the Processing of Personal Data effected by Customer through the Services is or may be in violation of applicable law, including Data Protection Laws.

5.3  Customer is responsible for determining whether the security measures implemented by AtmanCo adequately meet Customer’s obligations under applicable Data Protection Laws. Customer is also responsible to ensure that its access to the Services is secured and reserved to authorized personnel.

6. Security Breach

6.1  AtmanCo will promptly notify Customer if it becomes aware of any Security Breach and will provide timely information relating to such Security Breach as it becomes known or reasonably requested by Customer.

6.2  Upon request, AtmanCo will promptly provide reasonable assistance to Customer as necessary to allow Customer to notify a Security Breach to Regulators and/or affected Data Subjects, if such notification is required under Data Protection Laws.

7. Sub-Processors

7.1  AtmanCo may engage Sub-Processors to Process Personal Data. Current Sub-Processors are listed at Schedule 3; any change to Sub-Processors will be notified to Customer.

7.2  AtmanCo selects Sub-Processors who offer data protection undertakings that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. AtmanCo remains responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor causing a breach of any of AtmanCo’s obligations under this DPA.

7.3  If AtmanCo Processes European Data on behalf of Customer, Customer may object to the appointment of a new Sub-Processor, acting reasonably. If notified of such an objection, AtmanCo agrees to discuss the matter in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached, AtmanCo may either elect to forgo the appointment of the new Sub-Processor, or allow the Customer to terminate such portion of its subscription to the Services which relies on the new Sub-Processor without liability to either party (but without prejudice to any fees incurred prior to termination).

7.4  If required by law or under the Standard Contractual Clauses, AtmanCo will make reasonable efforts to make available to Customer required information about AtmanCo’s agreements with Sub-Processors. Customer agrees that some information may be redacted from such agreements and that any agreement or information will be provided on a confidential basis.

8. Transfer of Personal Data

8.1  The processing of Personal Data other than European Data by AtmanCo Group entities will take place in any jurisdiction where such processing is permitted by the applicable Data Protection Laws.

8.2  The processing of European Data shall take place exclusively:

(a) within Europe;

(b) in a jurisdiction that provides an adequate level of protection under a decision of the European Commission based on applicable Data Protection Laws;

(c) in any jurisdiction, by an organization or entity offering appropriate safeguards, including through the Standard Contractual Clauses; or

(d) in any jurisdiction, with the written consent of the Customer.

8.3  When Processing of European Data takes place in a Third-Country, the parties shall be deemed to have entered into the Standard Contractual Clauses only with respect to the relevant Personal Data and the relevant Processing. The parties agree that for the purposes of the Standard Contractual Clauses, (i) AtmanCo will be the "data importer" and Customer will be the "data exporter" (on behalf of itself and Permitted Affiliates); (ii) the relevant information set out in Schedule 1 and Schedule 2 of this DPA shall be deemed to be included in the Annexes of the Standard Contractual Clauses; (iii) if and to the extent the Standard Contractual Clauses conflict with any provision of this DPA, the Standard Contractual Clauses will prevail to the extent of such conflict.

8.4  Switzerland and United Kingdom Transfers. To the extent that a transfer of Personal Data between Customer and AtmanCo and/or a Sub-Processor is subject to the Data Protection Laws of Switzerland or the United Kingdom, the Standard Contractual Clauses shall be deemed to be amended to reflect the requirements of the applicable Swiss and UK Data Protection Laws, including references to legislation, applicable law and competent authorities and courts.

9. Third-Party Requests

9.1  AtmanCo will respond directly to inquiries or requests from Respondents which relate to Respondent Data. AtmanCo may keep Customer informed of such inquiries, but shall have no obligation to do so.

9.2  Customer shall be responsible to address any request from a Data Subject or Regulator with respect to Personal Data other than Respondent Data (including data generated through the Services from Respondent Data) and Customer shall use the features available on the Atman Platform to retrieve relevant information about Personal Data processing.

9.3  If Customer is unable to independently address a request from a Data Subject or Regulator (“Request”), AtmanCo will provide reasonable assistance to Customer, at Customer’s expense, in order to respond to any such Requests relating to the Processing of Personal Data under the Agreement. Except where and to the extent that a Request is based on the failure of AtmanCo to respect its obligations under this DPA, Customer shall reimburse AtmanCo for its expenses in providing any assistance to Customer.

9.4  If a Request or other communication regarding the Processing of Personal Data under the Agreement (other than concerning Respondent Data) is made directly to AtmanCo, AtmanCo will promptly inform Customer and will advise the Data Subject or Regulator to submit their Request directly to Customer. Customer will be solely responsible for responding substantively to any such Requests or communications involving Personal Data.

10. Audit Relating to Personal Data

10.1  Upon request and reasonable notice to AtmanCo, the Customer is authorized, at its own expense, to carry out the necessary verifications to ensure that the Personal Data processed by AtmanCo on the Customer’s behalf is processed in accordance with the Customer’s instructions. At the Customer’s request, AtmanCo shall provide access to the premises where the Personal Data is processed and allow for the audit and inspection of the processing carried out by AtmanCo. Such an audit may be conducted by the Customer and/or a third party (selected by the Customer and reasonably accepted by AtmanCo) acting on the Customer’s behalf. The Customer shall take all necessary measures to avoid causing any damage or disruption to the premises, equipment, personnel and business of AtmanCo Group entities.

10.2  The Customer and AtmanCo shall agree in advance on the nature, scope and duration of any audit by the Customer, and the Customer shall reimburse AtmanCo for all reasonable costs associated with such an audit, which may be estimated at the Customer’s request prior to the start of the audit.

10.3  If AtmanCo Processes European Data on behalf of Customer, AtmanCo will provide Customer, upon reasonable request (on a confidential basis), (i) a summary copy of its security testing report(s) and (ii) written responses to all reasonable requests for information made by Customer necessary to confirm AtmanCo’s compliance with this DPA, provided that Customer shall not exercise such right more than once per calendar year unless Customer can show reasonable grounds to suspect AtmanCo’s non-compliance with the DPA or Data Protection Laws.

11. Limitation of Liability

11.1  Each party’s and each of their Affiliates’ liability, taken in aggregate, arising out of or related to this DPA (and any other agreement regarding the processing of Personal Data between the parties) and the Standard Contractual Clauses (where applicable), whether in contract, tort or under any other theory of liability, will be limited to the aggregate amount of the Fees paid by Customer to AtmanCo in consideration for the Services during the 12-month period preceding the occurrence giving rise to liability.

12. Jurisdiction

12.1  Unless required otherwise by applicable Data Protection Laws, this DPA shall be governed and construed in accordance with the laws applicable to the Agreement and any dispute regarding this Agreement shall be resolved by the competent courts of the jurisdiction indicated in the Agreement.

12.2  To the extent Data Protection Laws require that this DPA be governed by the laws of a member state of the European Union, this DPA shall be governed by the laws of France and disputes regarding this Agreement shall be resolved by the French courts.

13. General

13.1  In the event of any inconsistency between any of the provisions of this DPA and any other provision of the Agreement, the provisions of the DPA shall always take precedence, unless and to the extent that it is expressly stipulated that another provision of the Agreement shall take precedence or that a provision of this DPA shall be set aside or modified.

13.2  AtmanCo may amend this DPA to reflect changes in its data processing practices. Any amendment other than non-substantive changes to clarify language (which will be routinely communicated to the Customer) will be submitted to the Customer and will not apply unless accepted by Customer. If a modification of this DPA is required by applicable law, Customer will have the option of accepting such modification or terminating its subscription to the Services.

13.3  If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

Schedule 1 – Details of Processing

Identification of Controller


The Customer

Contact Person: If the Customer is an individual, the Customer, if the Customer is an entity, the individual representing such entity in subscribing to the Atman Platform.


AtmanCo Inc.

Contact Person: Leen Sawalha, VP Product & Growth
300-1050 rue de la Montagne
Montréal QC H3G 1Y8 Canada
[email protected]

Identification of Processor


AtmanCo Inc.

Contact Person: Leen Sawalha, VP Product & Growth
300-1050 rue de la Montagne
Montréal QC H3G 1Y8 Canada
[email protected]

Categories of Data Subjects

  • Customer Employees and Users
  • Candidates

Categories of Personal Data

  • Contact Information
  • Employment Information
  • Respondent Data:
    • Questionnaire Answers
  • Analysis Data:
    • Psychometric Profiles
    • Survey responses
    • Socio-demographic responses

Nature of Processing

  • Storage and other Processing necessary to provide, maintain and improve the Services provided to Customer.
  • Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.
  • Disclosure and deletion of Respondent Data upon request by the relevant Respondent.
  • Deletion of AtmanCo Data relying on deleted Respondent Data from the Atman Platform.

AtmanCo will Process Personal Data as necessary to provide the Services pursuant to the Agreement, and as further instructed by Customer in its use of the Services.

Period for which Personal Data will be retained

Subject to AtmanCo’s obligation to delete or return data to Customer under the Agreement, AtmanCo will Process Personal Data for the duration of the Agreement, unless otherwise agreed in writing.

Respondent Data will be kept for a period of 7 years or until the relevant Respondent requests the deletion of their data.

Schedule 2 – Security Measures

1. Data center security

AtmanCo’s product environment is in Microsoft Azure. We mainly utilize the Azure Platform as a Service (PaaS) offerings for our product. Utilizing PaaS rather than traditional VMs significantly reduces our threat surface. We extensively leverage Azure’s advanced security features such as Identity Protection and Microsoft Defender for Cloud to secure our product infrastructure.

We have strict access controls in the production environment, based on the principles of Need to Know and Least Privilege. Only AtmanCo employees who have the need to access the production environment for legitimate purposes such as deploying and troubleshooting the application have access. They receive the least privileges they need to accomplish their legitimate purpose.

We have established an Azure Governance Team that owns the roadmap of our Azure infrastructure and ensures that security is built in at the architecture level.

2. Data security

AtmanCo relies on strong encryption for the data at rest (while it is stored) and in transit (while it is being transmitted).

The access to the stored customer data is on a Need to Know basis. Typical personnel who are authorized to access are Customer Support and Engineering Developers while troubleshooting issues and DevOps personnel for deploying services.

3. Access control

AtmanCo maintains the servers, relevant databases, and other hardware and/or software components that store Personal Data in a secure data center with access controlled and monitored to admit only authorized personnel.

AtmanCo employs effective logical access control measures on all systems used to create, transmit, or process Personal Data, such measures including, but not limited to:

  • Authentication of the user, who must use unique identifiers ("user IDs") and names.
  • A sufficiently complex and robust password strategy.
  • User access rights/privileges to information resources containing Personal Data must be granted on a need-to-know basis related to the user's duties and responsibilities.
  • Users' access to computer systems permitting access to Personal Data is deleted immediately upon the user's departure or if the user changes jobs and the new job does not require access.
  • Default passwords and security settings must be changed in the third-party products/applications used to support Personal Data.
  • Third party service providers are subject to equivalent security requirements and obligations as AtmanCo's authorized users when processing Personal Data.
  • Annual revalidation of the justification of user accounts and associated authorizations with access to personal information.

4. User Access

  • The functions and responsibilities of AtmanCo users and user profiles with access to Personal Data and information systems are clearly defined.
  • AtmanCo adopts measures to inform its users of the security rules that affect the performance of their duties and the consequences if they violate these rules.
  • Clear text protocols are not used to access or transfer Personal Data. Only the SSL protocol is accepted for these operations.
  • AtmanCo ensures the security of processes and procedures for the handling or disposal of physical media or equipment that may contain Personal Data.
  • Personal Data is physically separated, or logically separated if it is on a database or virtual environment, from other AtmanCo data. If Personal Data is not physically separated from other data, systems or applications not related to the Customer, AtmanCo employs appropriate security controls, including access controls.

5. System and Network Security

AtmanCo maintains an accurate inventory of its systems and performs full lifecycle management, including performing timely patching and decommissioning systems that are near the end of their support period.

AtmanCo has an effective Vulnerability Management program that includes frequent scanning and agent-based collection of security data from the network and the endpoints. This is reviewed at least weekly and new issues are remediated expeditiously, in a timeframe proportional to the severity of the issue.

AtmanCo employs effective network access control measures on all systems used to create, transmit, or process Personal Data, such measures including, but not limited to:

  • Firewalls are operational at all times and are installed at the network perimeter between the internal (private) network of AtmanCo and the public network (Internet).
  • Properly configured and monitored intrusion detection and prevention systems are used on the AtmanCo network.
  • Only those services/processes and ports necessary to perform routine programs are enabled on the database and other information systems used for processing Personal Data. All other services/processes on the host are disabled.
  • All information systems, repositories and other systems used to process Personal Data must be physically located in a controlled data center environment and used for the purpose of protecting information systems.
  • Secure channels (e.g., TLS, SFTP, SSH, IPSEC, etc.) must be used consistently for communications to the AtmanCo data center.

6. Governance

AtmanCo implements appropriate policies and procedures regarding Personal Data, including:

  • Information Security Procedures;
  • Policies on the use of Personal Data;
  • Security and Privacy Incident Reporting Procedure;
  • Risk Assessment Mechanisms;
  • Internal Audit Procedures;
  • Contractual Measures.

7. Vulnerability Management Controls

AtmanCo employs effective vulnerability management controls on all systems used to create, transmit, or process Personal Data, such measures including but not limited to:

  • Deployment of network prevention and detection devices to help filter phishing emails and malware before they reach workstations managed by AtmanCo and having direct or indirect access to Personal Data.
  • Deployment of anti-virus and anti-malware prevention and detection software on all workstations managed by AtmanCo and processing Personal Data.
  • Maintenance of a standard patch management process and practice to ensure the protection of all devices used to access, process or store Personal Data.
  • Devices and documents containing Personal Data must allow identification of the information accessed, be inventoried and accessible only to users who are authorized to access the data in accordance with the security document.
  • Measures to prevent theft, loss or unauthorized access to Personal Data during transmission and transfer operations.

8. Data backup, recovery and availability

AtmanCo implements the following disaster recovery and business continuity plans to minimize downtime and data loss.

  • AtmanCo implements disaster recovery functions designed to restore the functionality of the system containing Personal Data within a period of time agreed upon by the parties or, failing that, within a reasonable period of time given the nature of the Personal Data.
  • AtmanCo systematically ensures that Personal Data is inaccessible other than by authorized AtmanCo personnel (e.g. external back-ups are systematically encrypted).
  • To reduce the risks from environmental threats and hazards and the opportunities for unauthorized access, equipment is located away from locations subject to high-probability environmental risks and supplemented by redundant equipment located at a reasonable distance.
  • Security mechanisms and redundancies are implemented to protect equipment from utility service outages (e.g., power failures, network disruptions, etc.).
  • Policies and procedures for data retention and storage are established, and backup or redundancy mechanisms are implemented to ensure compliance with regulatory, statutory, contractual or business requirements. Testing of the recovery of disk or tape backups is performed at planned intervals.
  • All data and configurations are replicated to a second region for recovery in the event of a disaster.

9. Product Security

  • AtmanCo has strong security controls in the product, including Role-Based Access Control (RBAC), Data Segregation, Data Anonymization, and Login Attack Protection.
  • AtmanCo Platform has four different user roles, helping ensure that our customers have the ability to provide their users the right level of access. The AtmanCo platform also has a role for 3rd party users, enabling our partners to securely share data with clients.
  • Our data segregation features provide the ability to restrict access to the data within the application. This enables our customers to segregate data, for instance, by organizational unit or geographical location, so that only users that are responsible for those organizational units or geographical locations could be provided access to the data.
  • We have thoughtful privacy features in the product. For example, we have an “Anonymize Personal Data” feature in our product to remove the personal information of selected users from the system. We are committed to adding security and privacy features like these to allow our customers greater control of their data.
  • We utilize industry-leading OpenID Connect as the authentication and authorization protocol throughout our products and systems.

10. Security audit

AtmanCo employs controls on all systems used to create, transmit, or process Personal Data, such controls including, but not limited to:

  • Third party vulnerability scans or audits of externally facing (public) infrastructure devices containing Personal Data.
  • Third party penetration testing of AtmanCo systems that store and process Personal Data.
  • Periodic third-party evaluation where applications or processes support financial information.
  • AtmanCo undertakes to deal with all vulnerabilities identified as a result of penetration tests and to notify the Customer of the remediation actions.

11. Training and awareness

AtmanCo provides annual security awareness training that is mandatory for all employees. We also perform phishing tests. Our phishing test results are shared with all employees and additional resources are provided to those who fail the tests, such as remedial training.

AtmanCo implements a security awareness program for its employees and service providers who interact with the systems handling Personal Data, including:

  • AtmanCo shall ensure that its staff has an understanding of information risk management threats and concerns relating to the AtmanCo Services and of relevant information risk management policies.
  • AtmanCo staff shall receive training and regular updates on relevant information risk management policies and procedures, including the standard risk management classification scheme and the procedures that apply to it.
  • Sub-contractor staff are made aware of AtmanCo's information risk management classification scheme and appropriate procedures.
  • Policies and procedures are established for clearing visible documents containing sensitive data when a workspace is unattended and for enforcing workstation session logout after a period of inactivity.

Schedule 3 – Sub-Processors

| Sub-processor | Purpose | Location |
| --- | --- | --- |
| Amazon Web Services | Email Sender Service | USA |
| Azure | Infrastructure Hosting Service | Canada |
| Microsoft Exchange | Email Sender Service | Canada |
| Microsoft Sharepoint | File sharing & organization | USA |
| Microsoft Teams | Communications | USA |
| Azure DevOps | Project Management & Source Code Host | USA |
| Cloudflare | Domain hosting and security service | USA |
| Intercom | Customer Relationship, Support, & Marketing Automation | USA & Europe |
| Pipedrive | Customer Relationship Management | USA & Europe |
| QuickBooks | Accounting service | Canada |
| Twilio | SMS Functionality | USA |
| Sentry | Debugging and support tool used for error reporting | USA |
| Zendesk | Help Center | USA & Europe |
| Slack | Internal messaging service | USA |
| Stripe | Payment Processor | USA |
| Zoom | Communication platform for client | Canada |
| Google Captcha | Captcha services | USA |
| Google Drive | File sharing & organization | USA |
| Google Analytics | Business analytics & insights | USA |
| Zapier | Business Automation | USA |
| IpInfo | Geo Location service | USA |
| IpStack | Geo Location service | USA |
| MailChimp | Email Sender Service | USA |
| DocuSign | E-Signatures service | USA, Canada, & Europe |
| Ubity | Cloud-based phone solutions | Canada |
| OneTrust | Privacy and security software provider | Canada |
| Acuity Scheduling | Scheduling | USA |
| GoDaddy | DNS/SSL Provider | USA |
| Asana | Project Management | Europe |
| DropBox | Storage | USA |
| Survey Monkey | Online surveys | Canada |
| Thinkific | Learning Management System | USA |

Schedule 4 – Standard Contractual Clauses

Controller to Processor

SECTION I

Clause 1

Purpose and scope

(a)  The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of data to a third country.

(b)  The Parties:

(i)  the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii)  the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c)  These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d)  The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a)  These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b)  These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

(a)  Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)  Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)  Clause 8.1(b), 8.9(a), (c), (d) and (e);

(iii)  Clause 9(a), (c), (d) and (e);

(iv)  Clause 12(a), (d) and (f);

(v)  Clause 13;

(vi)  Clause 15.1(c), (d) and (e);

(vii)  Clause 16(e);

(viii)  Clause 18(a) and (b).

(b)  Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a)  Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b)  These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c)  These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a)  An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b)  Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c)  The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1  Instructions

(a)  The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b)  The data importer shall immediately inform the data exporter if it is unable to follow those instructions.

8.2  Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.

8.3  Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.

8.4  Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.

8.5  Duration of processing and erasure or return of data

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).

8.6  Security of processing

(a)  The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b)  The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c)  In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d)  The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.

8.7  Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.

8.8  Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i)  the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii)  the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;

(iii)  the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv)  the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.

8.9  Documentation and compliance

(a)  The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b)  The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c)  The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d)  The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e)  The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.

Clause 9

Use of sub-processors

(a)  The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(b)  Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c)  The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d)  The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e)  The data importer shall agree a third-party beneficiary clause with the sub-processor whereby – in the event the data importer has factually disappeared, ceased to exist in law or has become insolvent – the data exporter shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

Clause 10

Data subject rights

(a)  The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b)  The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c)  In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with the instructions from the data exporter.

Clause 11

Redress

(a)  The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b)  In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c)  Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:

(i)  lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii)  refer the dispute to the competent courts within the meaning of Clause 18.

(d)  The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e)  The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f)  The data importer agrees that the choice made by the data subject will not prejudice his/her substantive and procedural rights to seek remedies in accordance with applicable laws.

Clause 12

Liability

(a)  Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b)  The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c)  Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d)  The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e)  Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f)  The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g)  The data importer may not invoke the conduct of a sub-processor to avoid its own liability.

Clause 13

Supervision

(a)  Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established, as indicated in Annex I.C, shall act as competent supervisory authority.

(b)  The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.


SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a)  The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b)  The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i)  the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii)  the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii)  any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c)  The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d)  The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e)  The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f)  Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1  Notification

(a)  The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i)  receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii)  becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b)  If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c)  Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d)  The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e)  Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2  Review of legality and data minimisation

(a)  The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b)  The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c)  The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.


SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a)  The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b)  In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c)  The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)  the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)  the data importer is in substantial or persistent breach of these Clauses; or

(iii)  the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d)  Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e)  Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of the EU Member State in which the data exporter is established. Where such law does not allow for third-party beneficiary rights, they shall be governed by the law of another EU Member State that does allow for third-party beneficiary rights. The Parties agree that this shall be the law of France.

Clause 18

Choice of forum and jurisdiction

(a)  Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b)  The Parties agree that those shall be the courts of France.

(c)  A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d)  The Parties agree to submit themselves to the jurisdiction of such courts.