This Data Processing Addendum (“DPA”) supplements the Climateware Customer Agreement, or other agreement in place between Customer and Climateware covering Customer’s use of Climateware’s Products and related Support and Advisory Services (the “Agreement”). Unless otherwise defined in this DPA or in the Agreement, all capitalized terms used in this DPA will have the meanings given to them in Section 9 of this DPA.
1. Scope and Term.
1.1 Roles of the Parties.
(a) Customer Personal Data. Climateware will Process Customer Personal Data as Customer’s Processor in accordance with Customer’s instructions as outlined in Section 2.1 (Customer Instructions).
(b) Climateware Account Data. Climateware will Process Climateware Account Data as a Controller for the following purposes: (i) to provide and improve the Products; (ii) to manage the Customer relationship (communicating with Customer and Users in accordance with their account preferences, responding to Customer inquiries and providing technical support, etc.); (iii) to facilitate security, fraud prevention, performance monitoring, business continuity and disaster recovery; and (iv) to carry out core business functions such as accounting, billing, and filing taxes.
(c) Climateware Usage Data. Climateware will Process Climateware Usage Data as a Controller for the following purposes: (i) to provide, optimize, secure, and maintain the Products; (ii) to optimize user experience; and (iii) to inform Climateware’s business strategy.
(d) Description of the Processing. Details regarding the Processing of Personal Data by Climateware are stated in Schedule 1 (Description of Processing).
1.2 Term of the DPA. The term of this DPA coincides with the term of the Agreement and terminates upon expiration or earlier termination of the Agreement (or, if later, the date on which Climateware ceases all Processing of Customer Personal Data).
1.3 Order of Precedence. If there is any conflict or inconsistency among the following documents, the order of precedence is: (1) the applicable terms stated in Schedule 2 (Region-Specific Terms including any transfer provisions); (2) the main body of this DPA; and (3) the Agreement.
2. Processing of Personal Data.
2.1 Customer Instructions. Climateware must Process Customer Personal Data in accordance with the documented lawful instructions of Customer as stated in the Agreement (including this DPA) and respective Orders, as necessary to (i) provide the Products and related Support and Advisory Services to Customer and enable the use of various features and functionalities in accordance with the Documentation (including as directed by Users through the Cloud Products), (ii) investigate security incidents and enforce the Acceptable Use Policy (e.g. enforce the prohibition on illegal content such as child sexual abuse material), or (iii) comply with its legal obligations. Climateware will notify Customer if it becomes aware, or reasonably believes, that Customer’s instructions violate Applicable Data Protection Law.
2.2 Confidentiality. Climateware must treat Customer Personal Data as Customer’s Confidential Information under the Agreement. Climateware must ensure personnel authorized to Process Personal Data are bound by written or statutory obligations of confidentiality.
3. Security.
3.1 Security Measures. Climateware has implemented and will maintain appropriate technical and organizational measures designed to protect the security, confidentiality, integrity and availability of Customer Data and protect against Security Incidents. Customer is responsible for configuring the Products and using features and functionalities made available by Climateware to maintain appropriate security in light of the nature of Customer Data. Climateware’s current technical and organizational measures are described here. Customer acknowledges that the Security Measures are subject to technical progress and development and that Climateware may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially decrease the overall security of the Cloud Products during a Subscription Term.
3.2 Security Incidents. Climateware must notify Customer without undue delay and, where feasible, no later than seventy-two (72) hours after becoming aware of a Security Incident. Climateware must make reasonable efforts to identify the cause of the Security Incident, mitigate the effects and remediate the cause to the extent within Climateware’s reasonable control. Upon Customer’s request and taking into account the nature of the Processing and the information available to Climateware, Climateware must assist Customer by providing information reasonably necessary for Customer to meet its Security Incident notification obligations under Applicable Data Protection Law. Climateware’s notification of a Security Incident is not an acknowledgment by Climateware of its fault or liability.
4. Sub-processing.
4.1 General Authorization. By entering into this DPA, Customer provides general authorization for Climateware to engage Sub-processors to Process Customer Personal Data. Climateware must: (i) enter into a written agreement with each Sub-processor imposing data protection terms that require the Sub-processor to protect Customer Personal Data to the standard required by Applicable Data Protection Law and to the same standard provided by this DPA; and (ii) remain liable to Customer if such Sub-processor fails to fulfill its data protection obligations with regard to the relevant Processing activities under the Agreement.
4.2 Notice of New Sub-processors. Climateware maintains an up-to-date list of its Sub-processors, which contains a mechanism for Customer to subscribe to notifications of new Sub-processors. Climateware will provide such notice, to those emails subscribed, at least thirty (30) days before allowing any new Sub-processor to Process Customer Personal Data (the “Sub-processor Notice Period”).
4.3 Objection to New Sub-processors. Customer may object to Climateware’s appointment of a new Sub-processor during the Sub-processor Notice Period. If Customer objects, Customer, as its sole and exclusive remedy, may terminate the applicable Order for the affected Cloud Product and related Support and Advisory Services in accordance with Section 12.2 (Termination for Convenience) of the Agreement.
5. Assistance and Cooperation Obligations.
5.1 Data Subject Rights. Taking into account the nature of the Processing, Climateware must provide reasonable and timely assistance to Customer to enable Customer to respond to requests for exercising a data subject’s rights (including rights of access, rectification, erasure, restriction, objection, and data portability) in respect to Customer Personal Data.
5.2 Cooperation Obligations. Upon Customer’s reasonable request, and taking into account the nature of the Processing, Climateware will provide reasonable assistance to Customer in fulfilling Customer’s obligations under Applicable Data Protection Law (including data protection impact assessments and consultations with regulatory authorities), provided that Customer cannot reasonably fulfill such obligations independently with the help of available Documentation.
5.3 Third Party Requests. Unless prohibited by Law, Climateware will promptly notify Customer of any valid, enforceable subpoena, warrant, or court order from law enforcement or public authorities compelling Climateware to disclose Customer Personal Data. Climateware will follow its law enforcement guidelines in responding to such requests. In the event that Climateware receives an inquiry or a request for information from any other third party (such as a regulator or data subject) concerning the Processing of Customer Personal Data, Climateware will redirect such inquiries to Customer, and will not provide any information unless required to do so under applicable Law.
6. Deletion and Return of Customer Personal Data.
6.1 During Subscription Term. During the Subscription Term, Customer and its Users may, through the features of the Cloud Products, access, retrieve or delete Customer Personal Data.
6.2 Post Termination. Following expiration or termination of the Agreement, Climateware must, in accordance with the Documentation, delete all Customer Personal Data. Notwithstanding the foregoing, Climateware may retain Customer Personal Data (i) as required by Applicable Data Protection Law or (ii) in accordance with its standard backup or record retention policies, provided that, in either case, Climateware will maintain the confidentiality of, and otherwise comply with the applicable provisions of this DPA with respect to retained Customer Personal Data and not further Process it except as required by Applicable Data Protection Law.
7. Audit.
7.1 Audit Reports. Climateware is regularly audited by independent third-party auditors and/or internal auditors, including as described here. Upon request, and on the condition that Customer has entered into an applicable non-disclosure agreement with Climateware, Climateware will supply a summary copy of relevant audit report(s) (“Report”) to Customer, so Customer can verify Climateware’s compliance with the audit standards against which it has been assessed, and this DPA. If Customer cannot reasonably verify Climateware’s compliance with the terms of this DPA, Climateware will provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data, provided that such right may be exercised no more than once every twelve (12) months.
7.2 On-site Audits. Only to the extent Customer cannot reasonably satisfy Climateware’s compliance with this DPA through the exercise of its rights under Section 7.1 above, or where required by Applicable Data Protection Law or a regulatory authority, Customer, or its authorized representatives, may, at Customer’s expense, conduct audits (including inspections) during the term of the Agreement to assess Climateware’s compliance with the terms of this DPA. Any audit must (i) be conducted during Climateware’s regular business hours, with reasonable advance written notice of at least sixty (60) calendar days (unless Applicable Data Protection Law or a regulatory authority requires a shorter notice period); (ii) be subject to reasonable confidentiality controls obligating Customer (and its authorized representatives) to keep confidential any information disclosed that, by its nature, should be confidential; (iii) occur no more than once every twelve (12) months; and (iv) restrict its findings to only information relevant to Customer.
8. International Provisions.
To the extent Climateware Processes Personal Data protected by Applicable Data Protection Laws in one of the regions listed in Schedule 2 (Region-Specific Terms), the terms specified for the applicable regions will also apply, including the provisions relevant for international transfers of Personal Data (directly or via onward transfer).
9. Definitions.
“Applicable Data Protection Law” means all Laws applicable to the Processing of Personal Data under the Agreement.
“Climateware Account Data” means Personal Data relating to Customer’s relationship with Climateware, including: (i) Users’ account information (e.g. name, email address, or Climateware’s account ID (AAID)); (ii) billing and contact information of individual(s) associated with Customer’s Climateware account (e.g. billing address, email address, or name); (iii) Users’ device and connection information (e.g. IP address); and (iv) content/description of technical support requests (excluding attachments) along with the Support Entitlement Number (SEN).
“Climateware Usage Data” means Personal Data relating to or obtained in connection with the use, performance, operation, support or use of the Products, including via their connection to Third-Party Products. Climateware Usage Data may include event name (i.e. what action Users performed), event timestamps, browser information, diagnostic data, data types, file sizes, and similar information associated with data from the Products and Third-Party Products that Customer connects to the Products. For clarity, Climateware Usage Data does not include Customer Personal Data.
“Controller” means the natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Customer Personal Data” means Personal Data contained in Customer Data and/or Customer Materials that Climateware Processes under the Agreement solely on behalf of Customer. For clarity, Customer Personal Data includes any Personal Data included in the attachments provided by Customer or its Users in any technical support requests.
“Personal Data” means information about an identified or identifiable natural person, or which otherwise constitutes “personal data”, “personal information”, “personally identifiable information” or similar terms as defined in Applicable Data Protection Law.
“Processing” (and “Process”) means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
“Processor” means the entity which Processes Personal Data on behalf of the Controller.
“Security Incident” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data Processed by Climateware and/or its Sub-processors.
“Sub-processor” means any third party (inc. Climateware Affiliates) engaged by Climateware to Process Customer Personal Data.
Schedule 1 Description of Processing
1. Categories of data subjects whose Personal Data is Processed: Customer and its Users.
2. Categories of Personal Data Processed: Climateware Account Data, Climateware Usage Data, and Customer Personal Data.
3. Sensitive data transferred: Climateware Account Data and Climateware Usage Data do not contain data (i) revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, (ii) genetic data, biometric data Processed for the purposes of uniquely identifying a natural person, data concerning health, or data concerning a natural person's sex life or sexual orientation, or (iii) relating to criminal convictions and offences (altogether “Sensitive Data”). Subject to Section 6.3 of the Agreement (Sensitive Health Information and HIPAA), Customer or its Users may upload content to the Cloud Products which may include Sensitive Data, the extent of which is determined and controlled solely by Customer.
4. The frequency of the transfer: Continuous.
5. Nature of the Processing: Climateware will Process Personal Data in order to provide the Products and related Support and Advisory Services in accordance with the Agreement, including this DPA. Additional information regarding the nature of the Processing (including transfer) is described in respective Orders for relevant Products and Documentation referring to technical capabilities and features, including but not limited to collection, structuring, storage, transmission, or otherwise making available of Personal Data by automated means.
6. Purpose(s) of the Processing:
6.1. Customer Personal Data: Climateware will Process Customer Personal Data as Processor in accordance with Customer’s instructions as set out in Section 2.1 (Customer Instructions).
6.2. Climateware Account Data and Climateware Usage Data: Climateware will Process Climateware Account Data and Climateware Usage Data for the limited and specified purposes outlined in Section 1.1 (Roles of the Parties).
7. Duration of Processing:
7.1. Customer Personal Data: Climateware will Process Customer Personal Data for the term of the Agreement as outlined in Section 6 (Deletion and Return of Customer Personal Data).
7.2. Climateware Account Data and Climateware Usage Data: Climateware will Process Climateware Account Data and Climateware Usage Data only as long as required (a) to provide Products and related Support and Advisory Services to Customer in accordance with the Agreement; (b) for Climateware’s legitimate business purposes outlined in Section 1.1 (Roles of the Parties); or (c) by applicable Law(s).
8. Transfers to Sub-processors: Climateware will transfer Customer Personal Data to Sub-processors as permitted in Section 4 (Sub-processing).