Data Processing Addendum
April 13, 2023
This Data Processing Addendum (the “DPA”) forms part of the Master SaaS Agreement, Master Hosted Software Subscription and Services Agreement, Master Software License and Services Agreement, and any agreement involving the processing of personal data by PowerPlan, Inc. (“PowerPlan”) on behalf of Client (“Agreement”). Client is the entity identified as such in the Agreement. Upon full execution of the Agreement (the “Addendum Effective Date”), this DPA will be incorporated into and become a part of the Agreement. In the event of a conflict between the DPA and the Agreement, the terms and conditions of the DPA will prevail. PowerPlan and Client may collectively be referred to as the “Parties.”
Terms defined in the Agreement will, unless otherwise defined in this DPA, have the same meanings when used in this DPA. Further, the following capitalised terms used in this DPA will be defined as follows:
“Applicable Data Protection Law” refers to all laws and regulations applicable to PowerPlan’s processing of Personal Data under the Agreement.
“Controller” means the Client when, alone or jointly with others, it determines the purpose and means of processing Personal Data.
“Client Account Data” means Personal Data that relates to Client’s relationship with PowerPlan, including the names and contact information of the individuals authorized by Client to access Client’s account and billing information of individuals that Client has associated with its Account. Client Account Data also includes any data PowerPlan may need to collect for the purpose of identity verification (e.g., providing multi-factor authentication services) or as part of its legal obligations to maintain records.
“Client Data” means any Client-provided, non-public or proprietary information exchanged as a result of using the Service form, including Personal Data processed by PowerPlan on behalf of Client in connection with the Services, as further described in Schedule 1. This includes the non-public or proprietary information (including Personal Data) of Client clients for whom Client acts as a processor.
“Data Subject” means a natural person who can be identified, directly or indirectly.
“Personal Data” means any information relating to a natural person who can be identified, directly or indirectly.
“process” or “processing” means any operation or set of operations which is performed upon Client Data whether or not by automated means.
“Processor” means PowerPlan when PowerPlan processes Personal Data on behalf of Client.
“Security Breach” means a breach of PowerPlan’s security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
“Services” has the same meaning as defined in the Agreement, or if not defined in the Agreement, the processing of Client Data by PowerPlan on behalf of Client as described in the Agreement.
“Subprocessor” means a processor appointed by PowerPlan to process Client Data.
Instructions for Data Processing
- Generally. The Agreement and this DPA will be the Client's instructions to PowerPlan for the processing of Client Data as described in Schedule 1 or the Agreement. PowerPlan will process Client Data solely for the limited and specific purpose of providing the Services and will ensure that all individuals with access to the Client Data have a duty of confidentiality with respect to that Client Data. PowerPlan will not sell, share, disclose, retain, or otherwise use Client Data for any other purpose unless specifically authorized by Client in writing or as required by law.
- Regulatory and Legal Compliance. PowerPlan will process Client Data in compliance with Applicable Data Protection Law and provide at least the same level of privacy protection as required by Applicable Data Protection Law. PowerPlan will provide reasonable assistance to Client in complying with its obligations under Applicable Data Protection Law. Unless prohibited by law, PowerPlan will notify Client promptly of any inquiries or complaints received about the processing of Personal Data from regulators or law enforcement authorities. PowerPlan will not respond to any such inquiries or complaints except on the documented instructions of Client or as required by law. If disclosure of Client Data is required by applicable law or a compulsory legal process, PowerPlan will, unless prohibited by applicable law: (i) notify Client promptly in writing before complying with any such disclosure request and provide Client an opportunity to intervene, if appropriate; and (ii) disclose only the minimum amount of Client Data necessary to comply with applicable law or a compulsory legal process.
- Data Subject Rights. Unless prohibited by law, PowerPlan will promptly notify Client of any request from a data subject with respect to Personal Data contained in Client Data. PowerPlan will not respond to any data subject request without Client’s prior written consent, except to confirm that the request relates to Client. PowerPlan will provide reasonable and timely assistance to Client in complying with its data protection obligations with respect to data subject rights under Applicable Data Protection Law.
- Additional Costs. If any of Client's instructions require processing Client Data in a manner that falls outside the scope of the Services, PowerPlan may either (a) make the performance of any such instructions subject to the payment by Client of any costs and expenses incurred by PowerPlan or such additional charges as PowerPlan may reasonably determine; or (b) terminate the Agreement and the Services.
Client Warranties and Undertakings
Client represents and warrants that: (a) it has provided all applicable notices and obtained all consents required for the lawful processing of Client Data; and (b) it has reviewed the security measures set out in Schedule 2 and agrees that the security measures are appropriate based on the nature and sensitivity of the Client Data.
- Conditional Authorization. Client provides a general authorization for PowerPlan to engage downstream Subprocessors that is conditioned on the following requirements:
  - PowerPlan will impose contractual data protection obligations on any Subprocessor it appoints to process Client Data to meet the standards required by Applicable Data Protection Law and this DPA; and
  - PowerPlan will remain liable for any breach of this DPA that is caused by an act, error, or omission of its Subprocessors.
- Current Subprocessors and Notification of Changes. Client authorizes PowerPlan to engage the Subprocessors listed on the webpage currently posted at https://powerplan.com/legal/subprocessors to process Client Data. At least 14 days before PowerPlan engages a Subprocessor, PowerPlan will update the applicable webpage and provide Client with a mechanism to obtain notice of that update. Client may object to PowerPlan's appointment or replacement of a Subprocessor within 14 days of the webpage update, provided such objection is in writing and based on reasonable grounds relating to data protection. In such an event, the Parties agree to discuss commercially reasonable alternative solutions in good faith. If the Parties cannot reach a resolution within 90 days from the date of PowerPlan’s receipt of Client’s written objection, Client may discontinue the use of the affected Services by providing written notice to PowerPlan. Such discontinuation will be without prejudice to any fees incurred by Client prior to the discontinuation of the affected Services. If no objection has been raised prior to PowerPlan replacing or appointing a new Subprocessor, PowerPlan will be deemed to have authorized the new Subprocessor.
- Cross Border Data Transfer Mechanisms for Data Transfers. To the extent Client’s use of the Services requires the transfer of Personal Data from a jurisdiction identified in Schedule 3 to a location outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in Schedule 3 (Cross Border Transfer Mechanisms) of this DPA will apply.
Security Measures and Audits
- Security Measures. PowerPlan will implement reasonable physical, organizational, and technical measures to protect against any unauthorized or unlawful access, processing, loss, destruction, theft, damage, use or disclosure of Client Data or systems (collectively, “Appropriate Safeguards”), including, at a minimum, the security measures set forth in Schedule 2. These Appropriate Safeguards will be appropriate to the harm that might result from any risks to Client Data or systems, having regard to the nature of the Client Data or system which is to be protected, and will take into consideration the state of the art, the costs of implementation, the nature, scope, context and purpose of the processing, and the risks to the rights and freedoms of Data Subjects.
- Variation of Measures. PowerPlan may, by written notice to Client, vary the security measures set out in Schedule 2, including (where applicable) following review by PowerPlan of such measures, provided that such variation does not reduce the overall level of protection afforded to the Client Data by PowerPlan under this DPA.
- Compliance Review. PowerPlan will cooperate with reasonable assessments by Client as to its compliance with this DPA and Applicable Data Protection Law, but all such assessments must be conducted (i) on reasonable written notice to PowerPlan; (ii) only during PowerPlan's normal business hours; (iii) in a manner that does not disrupt PowerPlan's business; (iv) subject to a confidentiality agreement in such form as PowerPlan may reasonably request; (v) in compliance with relevant policies for individuals visiting PowerPlan’s or sub-vendors' premises; and (vi) at Client’s expense. Notwithstanding anything to the contrary, the assessment right provided in this Section 6.3 may be satisfied by the provision of a successful assessment result performed by an experienced, qualified independent auditor within the last 12 months. Client agrees that the rights granted in this Section constitute reasonable and appropriate steps to allow Client to help ensure that PowerPlan is using the Client Data in a manner consistent with Applicable Data Protection Law.
Security Breach and Response
- Breach Notification. PowerPlan will notify Client without undue delay, and no later than 72 hours after PowerPlan becomes aware of a Security Breach. PowerPlan will email Client’s primary account contact or other email address provided by Client for such notifications if PowerPlan has knowledge that there is, or reasonably believes that there has been, an actual Security Breach. To the extent known, notice must include the following: (a) the nature of the Security Breach; (b) the categories and numbers of data subjects concerned, and the categories and numbers of records concerned; (c) the name and contact details of PowerPlan’s DPO or other relevant contact from whom more information may be obtained; (d) the likely consequences of the Security Breach; and (e) the measures taken or proposed to be taken to address the Security Breach.
- Cooperation and Remediation. PowerPlan will (i) cooperate with Client in the manner reasonably requested by Client and in accordance with law to investigate and resolve the Security Breach and to mitigate any harmful effects of the Security Breach; (ii) promptly implement any necessary remedial measures to ensure the protection of Client Data; and (iii) document responsive actions taken related to any Security Breach.
- Information to Third Parties. Except as required by applicable law or regulation, PowerPlan will not inform any third party of any Security Breach without first obtaining Client’s prior written consent, other than to inform a complainant that Client will be informed of the Security Breach. Client will have the sole right to determine whether notice of the Security Breach is to be provided to any individuals, Supervisory Authorities, regulators, law enforcement agencies, consumer reporting agencies, or others and the contents of any such notice.
Duration and Termination
- Return/Deletion of Client Data. PowerPlan will, within 30 days of the date of termination or expiry of the Agreement:
  - if requested by Client within that period, return a complete copy of all Client Data by secure file transfer in such format as reasonably agreed between Client and PowerPlan; and
  - other than any Client Data retained by PowerPlan after termination of the Agreement as expressly permitted by this DPA or as required by the Standard Contractual Clauses, delete, and use all reasonable efforts to procure the deletion of, all other copies of Client Data processed by PowerPlan or any Subprocessors.
- Certification. Upon Client’s request, PowerPlan must promptly certify in writing to Client that it has destroyed or returned all Client Data. In the event that PowerPlan is unable to return or destroy all Client Data, PowerPlan will retain Client Data only to the extent and for such period as required by applicable laws, maintain the security and confidentiality of all such retained Client Data in accordance with the protections of this DPA, and ensure that such Client Data is only processed as necessary for the purposes specified in the applicable laws preventing its deletion and for no other purposes.
- Compliance with this DPA. If PowerPlan determines that it can no longer meet its obligations under this DPA or Applicable Data Protection Law, PowerPlan will notify Client of that determination within 5 business days and work with Client to take reasonable and appropriate steps to stop and remediate the unauthorized use of Client Data.
Law and Jurisdiction
Except to the extent expressly overridden by Schedule 3, the Parties agree that the laws, jurisdictions, and venues set forth in the Agreement will also govern this DPA.
Schedule 1: Details of Processing
Categories of data subjects
The categories of Data Subjects whose Personal Data are transferred: End users whom Client provisions with access credentials to the PowerPlan software and other Data Subjects whose Personal Data is included in the contracts that may be uploaded to the PowerPlan software (e.g., Data Subjects who countersign Client leases).
Categories of Personal Data
The transferred categories of Personal Data are: Personal Data required to log-in to, or otherwise utilize, the PowerPlan software (e.g., name, company email address, username, account details, IP address), other business contact information such as title, employer name, phone number, and Personal Data included in the contracts that may be uploaded to the PowerPlan software (e.g., name, title, and signature of lease signatories).
Special categories of Personal Data (if applicable)
The transferred Personal Data includes the following special categories of data: No sensitive or special categories of personal data are transferred save where it is contained within government issued identity documents which are required to be shared for legal and/or regulatory purposes (in which case it shall be protected in line with applicable law and these clauses).
Frequency of the transfer
The frequency of the transfer is: continuous during the term of the Agreement.
Subject matter / Purpose of the processing
The subject matter of the processing is: providing cloud-deployed software or SaaS to Client, performing the Services, or otherwise carrying out PowerPlan’s obligations under the Agreement.
Nature of the processing
The nature of the processing is: collection, organisation, structuring, storage, use, erasure, and destruction.
Purpose(s) of the data transfer and further processing
The purpose of the data transfer and further processing is: providing cloud-deployed software or SaaS to Client, performing the Services, or otherwise carrying out PowerPlan’s obligations under the Agreement.
The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period: as set out in Section 8 of the DPA.
Schedule 2: Technical and Organisational Measures
Description of the technical and organisational security measures implemented by the data importer / PowerPlan (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.
Pseudonymisation and Encryption
Pseudonymisation comprises measures that enable one to process Personal Data in such a manner that the Personal Data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organisational measures. Encryption comprises measures that enable one to convert clearly legible information into an illegible string by means of a cryptographic process.
Stored data is encrypted where appropriate, including any backup copies of the data.
The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services
Confidentiality and integrity are ensured by the secure processing of Personal Data, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
- Physical access control
Measures that prevent unauthorised persons from gaining access to data processing systems with which Personal Data are processed or used.
- Physical access control systems
- Definition of authorised persons, and management and documentation of individual authorisations
- Regulation of Visitors and external staff
- Use of monitored data centres (monitoring performed by the infrastructure service providers)
- Logging of physical access
- System/Electronic access control
Measures that prevent data processing systems from being used without authorisation.
- User authentication by simple authentication methods (using username/password)
- Secure transmission of credentials over networks (using TLS and SSL)
- Automatic account locking
- Guidelines for Handling of passwords
- Definition of authorised persons
- Managing means of authentication
- Access control to infrastructure that is hosted by cloud service provider
- Internal Access Control
Measures that ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that Personal Data cannot be read, copied, modified, or removed without authorisation in the course of processing or use and after storage.
- Automatic and manual locking
- Access right management
- Access right management including authorisation concept, implementation of access restrictions, implementation of the "need-to-know" principle, and management of individual access rights.
- Isolation/Separation Control
Measures to ensure that data collected for different purposes can be processed (storage, amendment, deletion, transmission) separately.
- Network separation
- Segregation of responsibilities and duties
- Documented procedures and applications for the separation
- Job Control
Measures that ensure that, in the case of commissioned processing of Personal Data, the data are processed strictly in accordance with the instructions of the principal.
- Training and confidentiality agreements for internal staff and external staff
- Physical access control
- Data transmission control
Measures that ensure that Personal Data cannot be read, copied, modified, or removed without authorisation during electronic transmission or transport, and that it is possible to check and establish to which bodies the transfer of Personal Data by means of data transmission facilities is envisaged.
- Secure transmission between client and server and to external systems by using industry-standard encryption
- Secure network interconnections ensured by Firewalls etc.
- Logging of transmissions of data from IT system that stores or processes Personal Data
- Data input control
Measures that ensure that it is possible to check and establish whether and by whom Personal Data have been input into data processing systems, modified, or removed.
- Logging authentication and monitored logical system access
- Logging of data access including, but not limited to access, modification, entry, and deletion of data
- Documentation of data entry rights and partial logging of security-related entries
- Availability and Resilience of Processing Systems and Services
Availability includes measures that ensure that personal data is protected from accidental destruction or loss due to internal or external influences. Resilience of processing systems and services includes measures that ensure the ability to withstand attacks or to quickly restore systems to working order after an attack.
- Implementation of transport policies
- Backup Concept
- Protection of stored backup media
The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
Organisational measures that ensure the possibility to quickly restore the system or data in the event of a physical or technical incident.
- Continuity planning (Recovery Time Objective & Recovery Point Objective)
- Documented and timed quarterly disaster recovery exercises
A process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing
Organisational measures that ensure the regular review and assessment of technical and organisational measures.
- Documentation of interfaces and Personal Data fields
- Internal assessments
Additional technical and organisational measures
The following additional technical and organisational measures will be implemented:
- Measures for certification/assurance of processes and products
- Measures for ensuring data minimisation
- Measures for ensuring data quality
- Measures for ensuring limited data retention
- Measures for ensuring accountability
- Measures for allowing data portability and ensuring erasure
For transfers to (sub-) processors, technical and organisational measures to be taken by the (sub-) processor to assist to the data exporter
For transfers to (sub-) processors, the technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the data exporter / Client are as summarised in clause 2 above.
Schedule 3: Cross Border Transfer Mechanism
“EEA” means the European Economic Area.
“EU Standard Contractual Clauses” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
“UK International Data Transfer Agreement” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, in force 21 March 2022.
This Schedule will apply when Client’s use of the Services requires the transfer of Personal Data from the EEA, the United Kingdom, or Switzerland to another jurisdiction.
Cross Border Data Transfer Mechanisms.
- Order of Precedence. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) the EU Standard Contractual Clauses as set forth in Section 3.2 (EU Standard Contractual Clauses) of this Schedule; (b) the UK International Data Transfer Agreement as set forth in Section 3.3 (UK International Data Transfer Agreement) of this Schedule; and, if neither (a) nor (b) is applicable, then (c) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.
- EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to Personal Data that is transferred via the Services from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Personal Data. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- Module One (Controller to Controller) of the EU Standard Contractual Clauses will apply where PowerPlan is processing Client Account Data;
- Module Two (Controller to Processor) of the EU Standard Contractual Clauses will apply where Client is a Controller of Client Data and PowerPlan is processing Client Data;
- Module Three (Processor to Processor) of the EU Standard Contractual Clauses will apply where Client is a processor of Client Data and PowerPlan is processing Client Data on behalf of Client;
- Module Four (Processor to Controller) of the EU Standard Contractual Clauses will apply where Client is a Processor of Client Data and PowerPlan processes Client Account Data; and
- For each Module, where applicable:
  - in Clause 7 of the EU Standard Contractual Clauses, the optional docking clause will not apply;
  - in Clause 9 of the EU Standard Contractual Clauses, Option 2 will apply and the time period for prior written notice of sub-processor changes will be as set forth in Section 4.2 (Current Subprocessors and Notification of Changes) of this DPA;
  - in Clause 11 of the EU Standard Contractual Clauses, the optional language will not apply;
  - in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by Irish law;
  - in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Ireland;
  - in Annex I, Part A of the EU Standard Contractual Clauses:
    - Data Exporter: Client
    - Contact details: The email address(es) designated by Client in Client’s account via its notification preferences.
    - Data Exporter Role: The Data Exporter’s role is set forth in Section 2.1 and Section 3 of this DPA.
    - Signature and Date: By entering into the Agreement, Data Exporter is deemed to have signed these EU Standard Contractual Clauses incorporated herein, including their Annexes, as of the effective date of the Agreement.
    - Data Importer: PowerPlan
    - Contact details: General Counsel, firstname.lastname@example.org
    - Data Importer Role: The Data Importer’s role is set forth in Section 2.2 of this DPA.
    - Signature and Date: By entering into the Agreement, Data Importer is deemed to have signed these EU Standard Contractual Clauses, incorporated herein, including their Annexes, as of the effective date of the Agreement;
  - in Annex I, Part B of the EU Standard Contractual Clauses:
    - The categories of data subjects are set forth in Section 1 of Schedule 1 (Details of Processing) of this DPA.
    - The Sensitive Data transferred is set forth in Section 3 of Schedule 1 (Details of Processing) of this DPA.
    - The frequency of the transfer is a continuous basis for the duration of the Agreement.
    - The nature of the processing is set forth in Section 6 of Schedule 1 (Details of Processing) of this DPA.
    - The purpose of the processing is set forth in Section 7 of Schedule 1 (Details of Processing) of this DPA.
    - The period for which the Personal Data will be retained is set forth in Section 8 of Schedule 1 (Details of Processing) of this DPA.
    - For transfers to sub-processors, the subject matter, nature, and duration of the processing is set forth on the webpage currently posted at https://powerplan.com/legal/subprocessors.
  - in Annex I, Part C of the EU Standard Contractual Clauses: The Irish Data Protection Commission will be the competent supervisory authority; and
  - Schedule 2 (Technical and Organizational Security Measures) of this DPA serves as Annex II of the EU Standard Contractual Clauses.
- Notwithstanding anything to the contrary, in the event of a conflict between Clause 12 of the EU Standard Contractual Clauses and Section 9 of the DPA, Clause 12 will prevail.
- UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to Personal Data that is transferred via the Services from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is not recognized by the competent United Kingdom regulatory authority or governmental body for the United Kingdom as providing an adequate level of protection for Personal Data. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
- In Table 1 of the UK International Data Transfer Agreement, the parties’ details and key contact information is in Section 3.2(e)vi of this Schedule 3.
- In Table 2 of the UK International Data Transfer Agreement, information about the version of the Approved EU SCCs, modules, and selected clauses which this UK International Data Transfer Agreement is appended to is located in Section 3.2 (EU Standard Contractual Clauses) of this Schedule 3.
- In Table 3 of the UK International Data Transfer Agreement:
  - The list of Parties is in Section 3.2(e)vi of this Schedule 3.
  - The description of the transfer is set forth in Sections 6 and 7 (Nature and Purpose of the Processing) of Schedule 1 (Details of Processing).
  - Annex II is in Schedule 2 (Technical and Organizational Security Measures).
  - The list of sub-processors is on the webpage currently posted at https://www.powerplan.com/legal/subprocessors.
- In Table 4 of the UK International Data Transfer Agreement, both the Importer and the Exporter may end the UK International Data Transfer Agreement in accordance with the terms of the UK International Data Transfer Agreement.
- Conflict. To the extent there is any conflict or inconsistency between the EU Standard Contractual Clauses or UK International Data Transfer Agreement and any other terms in this DPA, the Agreement, or the PowerPlan Privacy Notice, the provisions of the EU Standard Contractual Clauses or UK International Data Transfer Agreement, as applicable, will prevail.