
Enhesa Data Processing Agreement

This Data Processing Agreement (including its appendices and annexes, the “DPA”), as may be updated from time to time to fully comply with changing regulations, is incorporated by default and forms part of the entire Agreement(s) between the Parties as defined below, unless specifically stated otherwise.

1. Preamble

This DPA describes the Parties’ obligations, including under applicable privacy, data security, and data protection laws, with respect to the processing and security of Customer Data (as defined below). This Addendum will be effective on the Effective Date.

2. Definitions

“Agreement” means the contract under which Enhesa has agreed to provide the applicable Services to Customer.

“Applicable Privacy Law” means, as applicable to the processing of Customer Personal Data, any national, federal, European Union, state, provincial or other privacy, data security, or data protection law or regulation.

“Customer Data” has the meaning defined in the Agreement.

“Customer Personal Data” means the personal data contained within the Customer Data, including any special categories of personal data or sensitive data defined under Applicable Privacy Law.

“Data Incident” means a breach of Enhesa’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Data on systems managed by or otherwise controlled by Enhesa.

“GDPR” means, as applicable: (i) the EU GDPR, i.e. Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC; or (ii) the UK GDPR.

“European Data Protection Law” means, as applicable: (a) the GDPR; or (b) the Swiss FADP.

“Services” means the services as described in the Agreement.

“Subprocessor” means a third party authorized as another processor under this DPA to process Customer Data in order to provide parts of the Services or to host Enhesa’s software solutions.

“Supervisory Authority” means, as applicable: (a) a “supervisory authority” as defined in the EU GDPR; or (b) the “Commissioner” as defined in the UK GDPR or the Swiss FADP.

“UK GDPR” means the EU GDPR as amended and incorporated into UK law under the UK European Union (Withdrawal) Act 2018, and applicable secondary legislation made under that Act.

3. Duration

Regardless of whether the applicable Agreement has terminated or expired, this DPA will remain in effect until, and automatically expire when, Enhesa deletes all Customer Data as described in this DPA.

4. Roles of Parties – Processing details

4.1 Enhesa is a processor and Customer is a controller or processor, as applicable, of Customer Personal Data.
4.2 The subject matter and details of the processing of Customer Personal Data are as follows:
a. The subject-matter of the Processing relates strictly to the provision and enhancement of the Services.
b. The data collected through or by the Services only includes business personal information, i.e. user’s first and last name, user’s email address and company name.
c. The Personal Data may relate to Customer, End-Users and/or any other Data Subject to whom the data may relate as provided by Customer.
d. The nature and purpose of the Processing includes Enhesa processing Personal Data on behalf of Customer through, inter alia, recording, storage, adaptation, transmission and dissemination, in provision of the Services.
4.3 Each party will comply with its obligations related to the processing of Customer Personal Data under Applicable Privacy Law.

5. Data Processing

5.1 Customer instructs Enhesa to process Customer Data in accordance with the applicable Agreement (including this DPA) and applicable law only as follows: (i) to provide, secure, and monitor the Services; and (ii) as further specified via Customer’s use of the Services, any other written instructions given by Customer and acknowledged by Enhesa as constituting instructions under this DPA.
5.2 Enhesa will comply with the Instructions unless prohibited by European Law, where European Data Protection Law applies, or prohibited by applicable law, where any other Applicable Privacy Law applies.
5.3 Personal Data Processed in the context of this DPA may be transferred to a country outside the European Economic Area without the prior written consent of Customer, where Enhesa ensures that appropriate safeguards are in place for such transfer or an adequate level of protection is guaranteed. Customer hereby authorises Enhesa to enter into Standard Contractual Clauses (“SCCs”) within the meaning of Article 46(2)(c) and (d) GDPR on behalf of Customer. For the sake of clarity, in such case Customer shall be the data exporter (as defined in the SCCs) and Enhesa or its Subprocessor shall be the data importer (as defined in the SCCs).

6. Data Deletion

Upon request by Customer made within one-hundred eighty (180) days after any expiration or termination of the Agreement, Enhesa shall provide Customer a file of all Customer Data in a standard machine-readable format. After such one-hundred eighty (180) day period, Enhesa will have no obligation to maintain or provide any Customer Data and may thereafter, unless legally prohibited, delete, wipe or otherwise purge all Customer Data.

7. Data Security

7.1 Enhesa’s Security Measures, Controls and Assistance.
7.1.1 Enhesa will implement and maintain technical, organizational, and physical measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access. The Security Measures include measures to encrypt Customer Data at rest and in transit; to help ensure ongoing confidentiality, integrity, availability and resilience of Enhesa’s systems and services; to help restore timely access to Customer Data following an incident; and for regular testing of effectiveness. Enhesa may update the Security Measures from time to time provided that such updates do not result in a material reduction of the security of the Services.
Security Measures take into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Customer shall be solely responsible for its means of accessing the Services (e.g. through proxies) and for providing adequate measures to ensure an appropriate level of security.
7.1.2 Organizational requirements are as follows:
a. security policy
b. appointment of an internal person responsible for information security / data protection
c. asset management; staff training
d. classification of information
e. periodic verification of the adequacy of the processing systems and services
f. processing register
g. infringement log
7.1.3 Technical requirements are as follows:
a. backup system
b. access control (physical and logical)
c. authentication & authorization
d. password policy; logging system
e. detection and analysis of access
f. anti-virus; firewall; network security
g. supervision, review and maintenance of the systems
h. encryption of company data and users’ passwords
i. sub-processing and data hosting exclusively by ISO 27001 certified providers
7.1.4 Access and Compliance.
Enhesa will (a) authorize its employees, contractors and Subprocessors to access Customer Data only as strictly necessary to comply with Instructions, (b) take appropriate steps to ensure compliance with the Security Measures by its employees, contractors and Subprocessors to the extent applicable to their scope of performance; and (c) ensure that all persons authorized to process Customer Data are under an obligation of confidentiality.
7.2 Data Incidents.
7.2.1 Enhesa will notify Customer without undue delay after becoming aware of a Data Incident, and promptly take reasonable steps to minimize harm and secure Customer Data.
7.2.2 Enhesa’s notification of a Data Incident will describe: the nature of the Data Incident, the measures Enhesa has taken, or plans to take, to address the Data Incident and mitigate its potential risk; the measures, if any, Enhesa recommends that Customer take to address the Data Incident; and details of a contact point where more information can be obtained. If it is not possible to provide all such information at the same time, Enhesa’s initial notification will contain the information then available and further information will be provided without undue delay as it becomes available.
7.2.3 Enhesa’s notification of or response to a Data Incident under this Section will not be construed as an acknowledgement by Enhesa of any fault or liability with respect to the Data Incident.
7.3 Customer’s Security Responsibilities and Assessment.
7.3.1 Without prejudice to Enhesa’s obligations under Sections 7.1 and 7.2, Customer is responsible for its use of the Services and its storage of any copies of Customer Data outside Enhesa’s or Enhesa’s Subprocessors’ systems, including:
a. using the Services and Additional Security Controls to ensure a level of security appropriate to the risk to the Customer Data;
b. securing the account authentication credentials, systems and devices Customer uses to access the Services; and
c. backing up or retaining copies of its Customer Data as appropriate.
7.3.2 Customer agrees that the Services and Security Measures provide a level of security appropriate to the risk to Customer Data.
7.4 Compliance Certifications.
Enhesa will supply, on simple written demand, all relevant ISO and any additional certifications, as well as penetration testing (“Pentest”) reports produced by Enhesa’s accredited Third-Party Auditor and updated annually (the “Pentest Reports”).
Enhesa may replace a Compliance Certification with an equivalent or enhanced alternative.
7.5 Reviews and Audits of Compliance.
7.5.1 To demonstrate compliance by Enhesa with its obligations under this DPA, Enhesa will make the Security Documentation and Pentest Reports available for review by Customer, on Customer demand.
7.5.2 Enhesa will, if required under Applicable Privacy Law, allow Customer or an independent auditor appointed by Customer to conduct audits (including inspections), at Customer’s cost and with 10 days’ advance notice, to verify Enhesa’s compliance with its obligations under this DPA. During an audit, which may not disrupt Enhesa’s day-to-day business, Enhesa will reasonably cooperate with Customer or its auditor.

8. Assistance to Customer

Enhesa will assist Customer in ensuring compliance with its obligations relating to data protection assessments, risk assessments, prior regulatory consultations or equivalent procedures under Applicable Privacy Law, by:

a. making the Security Documentation available;

b. providing the information contained in the applicable Agreement (including this DPA); and

c. if subsections (a) and (b) above are insufficient for Customer (or the relevant controller) to comply with such obligations, upon Customer’s request, providing Customer with additional reasonable cooperation and assistance.

9. Access – Data Subject Rights – Data Export

9.1 Access; Rectification; Restricted Processing; Portability.
During the Term, Enhesa will enable Customer, in a manner consistent with the functionality of the Services, to access, rectify and restrict processing of Customer Data, and to export Customer Data. If Customer becomes aware that any Customer Personal Data is inaccurate or outdated, Customer will be able to rectify that data.
9.2 Data Subject Requests.
9.2.1 During the Term, if Enhesa receives a request from a data subject that relates to Customer Personal Data and identifies Customer, Enhesa will (i) advise the data subject to submit their request to Customer, (ii) promptly notify Customer; and (iii) not otherwise respond to that data subject’s request without authorization from Customer. Customer will be responsible for responding to any such request.
9.2.2 Enhesa will, upon Customer’s request, provide Customer with additional reasonable cooperation and assistance.

10. Data Processing Locations

Customer Data may be processed in any country where Enhesa or its Subprocessors maintain facilities. The locations of Enhesa’s and its Subprocessors’ data centers are described in Section 11.

11. Subprocessors

Customer specifically authorizes Enhesa’s engagement of the following Subprocessors:

Subprocessor | Service Description | Incorporation | Servers Location | Transfer Justification
Microsoft, Inc. (Azure) | Cloud storage | United States | European Union | SCCs & EU-US Data Privacy Framework
Microsoft, Inc. (Azure) | Enhesa platform hosting | United States | European Union | SCCs & EU-US Data Privacy Framework
Sentia Belgium NV | Enhesa platform hosting | Belgium | Belgium | SCCs & ISO 27001 certified
Amazon Web Services | Cloud storage & Enhesa platform hosting | United States | European Union | SCCs & EU-US Data Privacy Framework

In addition, Customer generally authorizes Enhesa’s engagement of other third Parties as Subprocessors under the condition that when engaging any Subprocessor, Enhesa will (a) ensure via a written contract that (i) the Subprocessor only accesses and uses Customer Data to the extent required to perform the obligations subcontracted to it, and does so per the applicable Agreement (including this DPA); and (ii) if required under Applicable Privacy Laws, the data protection obligations described in this DPA are imposed on the Subprocessor and (b) remain fully liable for all obligations subcontracted to, and all acts and omissions of, the Subprocessor.

Enhesa shall specifically inform the Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). Enhesa shall provide the Customer with the information necessary to enable the Customer to exercise its right to object.

12. Records Retention

Enhesa will keep appropriate documentation of its processing activities as required by Applicable Privacy Law. Enhesa may make any such information available to competent regulators, including a Supervisory Authority, if required by Applicable Privacy Law.

13. Notices

Notices under this DPA (including notifications of any Data Incidents) will be delivered to the contact details in the Agreement.

14. Privacy Statement

Enhesa may Process certain Personal Data for its own purposes (e.g. execution of the Agreement), and such processing shall not be subject to this DPA. For more information, please refer to https://www.enhesa.com/privacy-policy