Data Processing Addendum
Effective date: [01/25/2023]
-
Definitions
Capitalized terms that are used but not defined in this DPA have the meanings given to them in the Agreement.
1.1. “Affiliate” means an entity that directly or indirectly controls (e.g., subsidiary), is controlled by (e.g., parent), or is under common control with (e.g., sibling) such party; and the term “control” (including the terms “controlled by” and “under common control with”) means either: (a) ownership or control of more than 50% of the voting interests of the subject entity; or (b) the power to direct or cause the direction of the management and policies of an entity, whether through ownership, by contract, or otherwise.
1.2. “Agreement” means any services agreement including, but not limited to, Chassi’s Order Form and SaaS Services Agreement, or other services agreement between Chassi and Customer under which the Service is provided by Chassi to Customer.
1.3. “Authorized Affiliate” means Customer’s Affiliate(s) which (a) are subject to Data Protection Laws; (b) are permitted to use the Service pursuant to the Agreement between Customer and Chassi; and (c) have not signed their own Agreement with Chassi and are not “Customers” as defined under this DPA.
1.4. “Controller” means the entity that determines the purposes and means of the Processing of Personal Information.
1.5. “Customer” means the entity and the entity’s Authorized Affiliates that agree to be bound by the Agreement and this DPA.
1.6. “Customer Account Data” means Personal Information that relates to Customer’s relationship with Chassi, including the names or contact information of the business point(s) of contact between Customer and Chassi, individuals, Customer billing information, and customer relationship management information.
1.7. “Customer Workforce” means any Data Subjects who are employees, contractors, representatives, or other individuals engaged by Customer who have access to the Service via a user account.
1.8. “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer’s Personal Information transmitted, stored, or otherwise Processed.
1.9. “Data Protection Laws” means all applicable laws and regulations applicable to Chassi’s processing of Personal Information under the Agreement, including GDPR, all as amended or replaced from time to time.
1.10. “Data Subject” means an individual whose Personal Information is subject to Data Protection Laws.
1.11. “EEA” means the European Economic Area.
1.12. “End User” means any Data Subject accessing or otherwise using Customer’s Website Content.
1.13. “EU Standard Contractual Clauses” or “EU SCCs” means the annex found in the European Commission decision of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (available as of August 1, 2021 at data.europa.eu/eli/dec_impl/2021/914/oj) and any amendments, replacements, or updated standard contractual clauses as recognized and approved by the European Commission from time to time.
1.14. “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
1.15. “Personal Information” means any information relating to a Data Subject.
1.16. “Processing” means any operation or set of operations which is performed upon Personal Information, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
1.17. “Processor” means the entity which Processes Personal Information on behalf of the Controller.
1.18. “Regulator” means any supervisory authority with authority under Data Protection Laws over all or any part of the provision or receipt of the Service or the Processing of Personal Information.
1.19. “Service” means access to Chassi’s cloud-based, AI-powered process intelligence tools and the related technology services as subscribed to by the Customer.
1.20. “Subprocessor” means any Processor engaged by Chassi to Process Personal Information on behalf of Chassi.
1.21. “Website Content” means any content that Customer submits, posts, displays, or otherwise makes available on or via the Service
-
Applicability
This DPA forms a legally binding contract between you and Chassi, applies to the extent Chassi processes Customer Personal Information on your behalf when you are the Data Controller, and is incorporated into the Agreement. This DPA will apply to the extent Customer is subject to relevant Data Protection Laws. Users of Chassi’s external website should refer to the privacy policy found at the following location: https://chassi.com/privacy-policy/.
-
Relationship of the Parties
3.1. Chassi as a Processor. The Parties hereby agree that with regard to the processing of Customer Personal Information, Customer may act either as a Controller or Processor and Chassi is a Processor for all Customer Personal Information except for Customer Account Data as set forth in Section 3.2 (Chassi as a Controller of Customer Account Data). Chassi will process Customer Personal Information in accordance with Customer’s instructions as set forth in Section 4.1 (Instructions).
3.2. Chassi as a Controller of Customer Account Data. The parties hereby agree that, with regard to the processing of Customer Account Data, Chassi is an independent Controller, not a joint Controller with Customer. Chassi will process Customer Account Data as a Controller: (a) to manage the relationship with Customer; (b) to carry out Chassi’s core business operations, such as accounting and filing taxes; (c) to detect, prevent, or investigate Data Breaches, fraud, and other abuse or misuse of the Service; (d) to comply with applicable law; and (e) as otherwise permitted under Data Protection Law and in accordance with this DPA, the Agreement, and Chassi’s Privacy Policy.
-
Customer Obligations
4.1. Instructions. Customer instructs Chassi, when acting as a Processor, to Process Customer Personal Information to provide the Service. Customer warrants that the instructions it provides to Chassi pursuant to this DPA will comply with Data Protection Laws.
4.2. Data Subject and Regulator Requests. Customer shall be responsible for communications and leading any efforts to comply with all requests made by Data Subjects under Data Protection Laws and all communications from Regulators that relate to the Personal Information, in accordance with Data Protection Laws. To the extent such requests or communications require Chassi’s assistance, Customer shall immediately notify Chassi in writing of the Data Subject’s or Regulator’s request.
4.3. Notice, Consent, and Other Authorizations. Customer agrees that the Personal Information it collects shall be in accordance with Data Protection Laws, including all legally required consents, bases of processing, approvals, and authorizations. Upon Chassi’s request, Customer shall provide all information necessary to demonstrate compliance with these requirements.
-
Chassi’s Obligations as a Processor
5.1. Scope of Processing and Customer Instructions. Chassi will Process the Personal Information on documented instructions from Customer in such manner as is necessary for the provision of the Service under the Agreement, except as may be required to comply with any legal obligation to which Chassi is subject.
5.2. Lawfulness of Instructions. Chassi may make reasonable effort to inform customers if, in its opinion, the execution of an instruction relating to the Processing of Personal Information could infringe on any Data Protection Laws. In the event Chassi must Process or cease Processing Personal Information for the purpose of complying with a legal obligation, Chassi will inform the Customer of that legal requirement before Processing or ceasing to Process, unless prohibited by the law.
5.3. Chassi Confidentiality Obligations. Chassi will grant access to Customer Personal Information to its personnel only to the extent strictly necessary for implementing, managing and monitoring the Service. Chassi shall ensure that personnel authorized to Process Customer Personal Information have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5.4. Security of Processing.
- Security Measures. Chassi shall, while taking into account the cost of implementation and the nature, scope, context and purposes of Processing as well as the risks of varying likelihood and severity for rights and freedoms of Data Subjects resulting from the Processing, implement appropriate administrative, technical, physical, and organizational measures (“Security Measures”) to protect Customer Personal Information. Details regarding the specific Security Measures that apply to the Chassi Services are as described in the Schedule 2 of this agreement. Customer acknowledges that Chassi’s Security Measures are subject to technical progress and development and that Chassi may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Chassi Services purchased by Customer.
- Customer Security Responsibilities. Customer shall be responsible for properly implementing access and use controls and configuring certain features and functionalities of the Chassi Services that Customer may elect to use and agrees that it will do so in accordance with this DPA and the Agreement in such manner that Customer deems adequate, including, without limitation, maintaining appropriate security, protection, deletion, and backup of its own Personal Information.
5.5. Data Breach
- Notification. In accordance with Article 33 GDPR and UK GDPR, as applicable, Chassi will notify the Data Controller without undue delay and, where feasible, no more than 72 hours after becoming aware of a Data Breach. Chassi will also provide the Data Controller with a description of the Data Breach, the type of data that was the subject of the Data Breach, (to the extent known to Chassi) the categories of data subjects affected, and other information required by applicable Data Protection Law, as soon as such information can be collected or otherwise becomes available.
- Investigation. Chassi agrees to immediately take action to investigate the Data Breach, to identify, prevent, and mitigate the effects of any such Personal Information Breach, and with the Data Controller’s prior agreement, to carry out any recovery or other action necessary to remedy the Personal Information Breach.
5.6. GDPR Articles 32-36. Taking into account the nature of the Processing and the information available to Chassi, Chassi will provide reasonable assistance to Customer in complying with its obligations under GDPR Articles 32-36, which address obligations with regard to security, breach notifications, data protection impact assessments, and prior consultation.
5.7. Fulfillment of Data Subject Requests. Chassi shall promptly, and in any event within 72 hours, notify Customer of any request it has received from a Data Subject. Chassi shall not respond to the request itself, unless authorized to do so by Customer. Chassi shall provide assistance, insofar as it is commercially reasonable, to Customer in fulfilling its obligations to respond to Data Subject requests concerning notably the right of access, to rectification, erasure and to object, right to restriction of processing, right to data portability, right not to be subject to an automated individual decision (including profiling).
5.8. Deletion of Personal Information. Following termination of the Agreement, Chassi shall, at the request of Customer, delete all Customer Personal Information processed on its behalf unless such continued processing is otherwise required by applicable law or regulations.
5.9. Compliance Documentation. Chassi shall maintain records of its security standards. Upon Customer’s written request, Chassi shall provide (on a confidential basis) copies of external audit report summaries and/or other relevant documentation reasonably required by Customer to verify Chassi’s compliance with this DPA.
5.10. Disclosure to Third Parties. Except as expressly provided in this DPA, Chassi will not disclose Customer Personal Information to any third party without Customer’s consent. If requested or required by a competent governmental authority to disclose Customer Personal Information, to the extent legally permissible and practicable, Chassi will provide Customer with sufficient prior written notice in order to permit Customer the opportunity to oppose any such disclosure.
-
Use of Subprocessors
Customer hereby agrees and gives its general authorization for Chassi, when acting as a Processor, to engage new Subprocessors in connection with the processing of Customer Personal Information. A list of Chassi’s current Subprocessors is located at https://chassi.com/legal-dpa/subprocessors/. Customer must sign up at the aforementioned URL to receive email notifications concerning the addition of new Subprocessors. Customer may reasonably object to the addition of any new Subprocessor within 15 calendar days of receiving such email notification, in which case Chassi will use reasonable efforts to make a change in the Service or recommend a commercially reasonable change to avoid processing by such Subprocessor. If Chassi is unable to provide an alternative, Customer may terminate the Service and shall pay Chassi any fees or expenses not yet paid for all services provided pursuant to any Agreement. If Customer fails to sign up for these email notifications, Customer shall be deemed to have waived its right to object to the newly added Subprocessor(s).
-
Audit
7.1. Scope and Process. To the extent required by Data Protection Laws, Chassi shall make available third-party audit reports reasonably requested by Customer to confirm Chassi’s compliance with this DPA (e.g., SOC 2, similar audit reports issued by a qualified third-party auditor, “Audit Report”). If Customer has a reasonable basis to conclude that an Audit Report provided by Chassi is not satisfactory to confirm such compliance, Customer may, at Customer’s sole expense, upon thirty (30) days’ prior notice, request an audit during normal business hours of those Chassi systems and records relevant to Chassi’s Processing of Personal Information on Customer’s behalf. Customer shall limit its exercise of audit rights to not more than once in any twelve (12) calendar month period.
7.2. Confidentiality of Audit Information. All information obtained during any such request for information or audit will be considered Chassi’s Confidential Information under the Agreement and this DPA. The results of the inspection and all information reviewed during such inspection will be deemed Chassi’s Confidential Information. The third party auditor may only disclose to Customer specific violations of this DPA, if any, and the basis for such findings, and shall not disclose any of the records or information reviewed during the inspection.
-
Transfers Outside of EEA, UK, and Switzerland
To the extent Customer’s use of the Service requires an onward transfer mechanism to lawfully transfer Personal Information from the European Economic Area, the United Kingdom, or Switzerland to a country or territory which has not been formally recognized by the European Commission as affording the Personal Information an adequate level of protection, Customer hereby acknowledges, agrees, and instructs Chassi to transfer Customer Personal Information as set forth in Schedule 3 (Cross Border Transfers) of this DPA.
If Schedule 3 applies to Customer’s use of the Service, then, if applicable, under the order of precedence, by entering into this DPA, the Parties are deemed to be signing such EU Standard Contractual Clauses, including each of its applicable Annexes.
-
Jurisdiction-Specific Terms
To the extent Chassi processes Personal Information originating from and protected by Data Protection Laws in one of the jurisdictions listed in Schedule 5 (Jurisdiction Specific Terms), the terms specified in Schedule 5, with respect to the applicable jurisdiction(s), will apply.
-
Obligations Post-Termination
Termination or expiration of this DPA shall not discharge the Parties from their obligations that by their nature may reasonably be deemed to survive the termination or expiration of this DPA.
-
Limitation of Liability
This DPA shall be subject to the limitations of liability agreed between Customer and Chassi in the Agreement and such limitation shall apply in aggregate for all claims under the Agreement and DPA.
-
Severability
Any provision of this DPA that is prohibited or unenforceable in any jurisdiction shall, as to such jurisdiction, be ineffective to the extent of such prohibition or unenforceability without invaliding the remaining provisions hereof, and any such prohibition or unenforceability in any jurisdiction shall not invalidate or render unenforceable such provision in any other jurisdiction. The Parties will attempt in good faith to agree upon a valid and enforceable provision that is a reasonable substitute and shall incorporate such substitute provision into this Agreement.
-
Updates
Chassi may update the terms of the DPA from time to time. Customers may sign up at the following URL to receive email notifications concerning updates to this DPA. https://chassi.com/legal-dpa/
SCHEDULE 1 – Description of Transfer and Processing
- LIST OF PARTIES
Data exporter(s):
The exporter (Controller) is Customer and Customer’s contact details are as provided in the Agreement and the DPA.
Data importer(s):
The importer (Processor) is Chassi, Inc. and Chassi’s contact details are as provided in the Agreement and the DPA.
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred:
Any data subjects whose Customer Personal Information is contained in Data Exporter’s data being used in the Chassi’s Services, as set out in the Agreement which describes the provision of Chassi Services to Customer.
Categories of personal data transferred:
Any Customer Personal Information that is provided by Data Exporter to Data Importer in connection with the Agreement and the DPA, including, without limitation, contact information such as name, address, telephone or mobile number, email address, and passwords.
Sensitive data transferred (if applicable): N/A.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):
On a continuous basis as needed to provide the Chassi Services to Customer for the term of the Agreement.
Nature of the processing:
The nature of the Processing is set out in the Agreement between the parties.
Purpose(s) of the data transfer and further processing:
The purposes of the data transfer are for Chassi to provide the Chassi Services pursuant to the Agreement.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:
The data will be retained for the time period needed to accomplish the purposes of Processing and providing Chassi services pursuant to the agreement, unless otherwise required by applicable law.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:
Please see Section 6 for information about how to access a list of Chassi’s Subprocessors and the nature of the services they provide. All transfers will last for the duration of the Agreement between the parties.
- COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13:
The Data Exporter’s competent supervisory authority will be determined in accordance with Data Protection Law.
SCHEDULE 2 – Technical and Organizational Measures Including Technical and Organizational Measures to Ensure the Security of the Data
Chassi obtains SOC 2 Type II audits with privacy and security criteria annually and is dedicated to the continued validation of its security and privacy programs. Specifically, Chassi implements the following security measures with respect to Personal Information:
Data Center Security
Chassi infrastructure is managed via Amazon Web Services’ ISO 27001 certified data centers, and hosted in the region US-East-1 (N. Virginia).
All database servers are isolated inside virtual private networks, and accessible only by key personnel via multi-factor authentication.
All access to production environments is logged, and access can be immediately revoked.
Protection from Data Loss and Corruption
All data is backed up on a daily basis and stored on highly-redundant storage media in multiple availability zones.
All data is encrypted at rest using Amazon’s EBS encryption functionality
Application Level Security
User account passwords are hashed using industry standard encryption algorithms.
All applications are served exclusively via TLS with a modern configuration.
All login pages have brute-force logging and protection.
Two-factor authentication is supported and is mandatory for all internal administrator functions of the application.
All code changes to our applications require testing via an enforced testing process.
Regular application security penetration tests are conducted by an independent third-party. These tests include high-level server penetration tests across various parts of our platform, as well as security-focused source code reviews.
SCHEDULE 3 – Cross Border Data Transfers.
1.1 Order of Precedence. In the event the Service is covered by more than one Transfer Mechanism, the transfer of Customer Personal Information will be subject to a single Transfer Mechanism in accordance with the following order of precedence: (a) Any valid successor to the EU-US and Swiss-US Privacy Shield Framework, including the Trans-Atlantic Data Privacy Framework, if enacted, provided Chassi is certified under the new framework; (b) the EU Standard Contractual Clauses as set forth in Section 1.2 (EU Standard Contractual Clauses) of this Schedule 3; (c) the UK International Data Transfer Agreement as set forth in Section 1.3 (UK International Data Transfer Agreement) of this Schedule 3; and, if neither (a) nor (b) nor (c) is applicable, then (d) other applicable data Transfer Mechanisms permitted under Data Protection Law.
1.2 EU Standard Contractual Clauses. The parties agree that the EU Standard Contractual Clauses will apply to Customer Personal Information that is transferred via the Service from the EEA or Switzerland, either directly or via onward transfer, to any country or recipient outside the EEA or Switzerland that is: (a) not recognized by the European Commission (or, in the case of transfers from Switzerland, the competent authority for Switzerland) as providing an adequate level of protection for Customer Personal Information. For data transfers from the EEA that are subject to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses will be deemed entered into (and incorporated into this DPA by this reference) and completed as follows:
(a) (Controller to Controller) of the EU Standard Contractual Clauses will apply where Chassi is processing Customer Account Data;
(b) (Controller to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Controller of Customer Personal Information and Chassi is processing Customer Personal Information;
(c) (Processor to Processor) of the EU Standard Contractual Clauses will apply where Customer is a Processor of Customer Personal Information and Chassi is processing Customer Personal Information;
For the purposes of the Standard Contractual Clauses:
- Clause 9, Module 2A: The parties select Option 2. The time period is 5 days.
- Clause 11A: The parties do not select the independent dispute resolution option.
- Clause 17, Module 2: The parties select Option 2. The Member State of the data exporter is: EU Member State Customer is located in.
- Clause 18B, Module 2: The Parties agree that those shall be the courts of the EU Member State Customer is located in.
- Annex IA: The data exporter is Customer. The data importer is Chassi. Contact details for Customer is the email address(s) designated by Customer in Customer’s account. Contact detail for Chassi is: legal@chassi.com.
- Annex IB: The parties agree that Schedule 1 describes the transfer.
- Annex IC: The competent supervisory authority is the supervisory authority of: Customer who acts as data exporter.
- Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.
1.3 UK International Data Transfer Agreement. The parties agree that the UK International Data Transfer Agreement will apply to Customer Personal Information that is transferred via the Service from the United Kingdom, either directly or via onward transfer, to any country or recipient outside of the United Kingdom that is: (a) not recognized by the competent United Kingdom Regulator or governmental body for the United Kingdom as providing an adequate level of protection for Personal Information. For data transfers from the United Kingdom that are subject to the UK International Data Transfer Agreement, the UK International Data Transfer Agreement will be deemed entered into (and incorporated into this DPA by this reference) and completed as set forth in Schedule 4.
SCHEDULE 4 – UK International Data Transfer Agreement
If applicable, this UK Addendum to the EU Standard Contractual Clauses International Transfer Agreement (“Addendum”) has been issued by the Information Commissioner for Parties making Restricted Transfers. The Information Commissioner considers that it provides Appropriate Safeguards for Restricted Transfers when it is entered into as a legally binding contract
Part 1: Tables
Table 1: Parties
Start date:
The Effective Date of the Agreement
The Parties:
Exporter (who sends the Restricted Transfer)
Importer (who receives the Restricted Transfer)
Parties’ details:
Customer
Full legal name: Chassi, Inc.
Main address (if a company registered address):
515 E Grant St, Phoenix, AZ 85004, USA
Key Contact
Attn: Customer
Contact details including email: email address provided by Customer
Attn: Privacy Officer
Contact details including email: legal@Chassi.com
Table 2: Selected SCCs, Modules and Selected Clauses
Addendum EU SCCs
The version of the Approved EU SCCs which this Addendum is appended to, detailed below, including the Appendix Information:
Table 3: Appendix Information
“Appendix Information” means the information which must be provided for the selected modules as set out in the Appendix of the Approved EU SCCs (other than the Parties), and which for this Addendum is set out in:
Annex IA: List of Parties: As set out in the Agreement
Annex IB: Description of Transfer: As set out in Schedule 1 of this DPA
Annex II: Technical and organizational measures including technical and organizational measures to ensure the security of the data: As set out in Schedule 2 of this DPA.
Annex III: List of Subprocessors: As referenced in Section 6 of this DPA.
Table 4: Ending this Addendum when the Approved Addendum Changes
Ending this Addendum when the Approved Addendum changes
Which Parties may end this Addendum as set out in Section 12:
☒ Importer
☒ Exporter
☐ neither Party
Part 2: Mandatory Clauses
Mandatory Clauses
Part 2: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
SCHEDULE 5 – Jurisdiction Specific Terms
- California
To the extent that the California Consumer Privacy Act of 2018 (“CCPA”)(California Civil Code sections 1798.100 – 1798.199) applies, Chassi agrees it will not: (a) sell California Consumers’ Personal Information (as “sell” is defined in the CCPA); (b) retain, use, or disclose California Consumers’ Personal Information for a commercial purpose other than providing the Service specified in the Agreement; (c) retain, use, or disclose California Consumers’ Personal Information outside of the direct business relationship between Customer and Chassi.
Chassi certifies that it understands these restrictions set out in this section and will comply with them.
- Switzerland
2.1 The definition of “Data Protection Law” includes the Swiss Federal Act on Data Protection, as revised (“FADP”).
2.2 To the extent that Personal Information transfers from Switzerland are subject to the EU Standard Contractual Clauses in accordance with Section 1.2 of Schedule 3 (Cross Border Data Transfer Mechanisms), the following amendments will apply to the EU Standard Contractual Clauses:
references to “EU Member State” and “Member State’ will be interpreted to include Switzerland, and insofar as the transfer or onward transfers are subject to the FADP:
references to “Regulation (EU) 2016/679” are to be interpreted as references to the FADP;
the “competent supervisory authority” in Annex I, Part C will be the Swiss Federal Data Protection and Information Commissioner;
in Clause 17 (Option 1), the EU Standard Contractual Clauses will be governed by the laws of Switzerland; and
in Clause 18(b) of the EU Standard Contractual Clauses, disputes will be resolved before the courts of Switzerland.
- United Kingdom (UK)
References in this Addendum to GDPR will to that extent be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
Contact Us
If you have any questions about our DPA, please contact us at legal@chassi.com