CyberCube Data Processing Agreement

This Data Processing Agreement is entered into by the Customer (the “Data Controller”) and CyberCube Analytics, LLC (the “Data Processor”) (each a “Party” and jointly the “Parties”) in respect of CyberCube’s Services and is incorporated into the Agreement between the Customer and CyberCube and shall be construed in accordance with the Agreement in the event that CyberCube is acting as a Processor to the Customer.

 

Background:

 

  1. CyberCube and the Data Controller have entered into an agreement relating to CyberCube’s provision of the Service via an Order Form (the “Main Agreement”).

  2. When performing the contractual obligations in the Main Agreement, it is anticipated that CyberCube may Process Personal Data on behalf of the Data Controller. The Processing of such Personal Data by CyberCube is conducted on behalf of the Data Controller for which CyberCube is the Data Processor. This Data Processing Agreement regulates the terms and conditions for how CyberCube will Process Personal Data on behalf of the Data Controller as further detailed in Appendix 1.

  3. If any provision of the Main Agreement conflicts with the terms of this Data Processing Agreement, the terms of this Data Processing Agreement shall take precedence to the extent its terms provide greater protection for Personal Data.

 

  1. Definitions
    1. In this Data Processing Agreement the following terms have the following meanings:
    2. "Agreement Date" means the date that the Customer entered into an Order Form with CyberCube;
    3. "Authority" means for Personal Data originating in the: a) EEA, the European Commission; and b) UK, the Information Commissioner's Office;
    4. "Processing", "Data Controller", "Personal Data", "Data Processor", "Personal Data Breach", and "Data Subject" shall have the same meaning given to it in the GDPR Laws;
    5. "Data Processing Agreement" means this Data Processing Agreement and all appendices attached hereto;
    6. "Applicable Laws" means all data protection and privacy laws, including guidance issued by any applicable data protection authority, applicable to any Personal Data, as may be amended or replaced from time to time, including without limitation: (a) in the European Union, the General Data Protection Regulation 2016/679 (the "EU GDPR") and the Privacy and Electronic Communications Directive 2002/58/EC (as the same may be superseded by the Regulation on Privacy and Electronic Communications); b) in the UK, the UK General Data Protection Regulation 2016/679, as implemented by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 and the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2020 (the "UK GDPR"), the Data Protection Act 2018, and the Privacy and Electronic Communications (EC Directive) Regulations 2003;
    7. "Applicable Data Protection Laws" means from time to time applicable legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the Processing of Personal Data that apply to CyberCube and the Data Controller, including data protection laws and regulations implementing the Data Protection Directive 95/46/EC and as of 25 May 2018 the GDPR;
    8. "Third Country" means a country which is not a member of the European Union (EU) or the European Economic Area (EEA);
    9. “EU Processor-to-Processor Clauses” means the standard contractual clauses between processors for data transfers to Third Countries, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as at Schedule 1;
    10. “EU Controller-to-Processor Clauses” means the standard contractual clauses between controllers and processors for data transfers to Third Countries, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as at Schedule 2;
    11. “GDPR Laws” means the EU GDPR and the UK GDPR collectively;
    12. “International Data Transfer Addendum” or “IDTA” means the International Data Transfer Addendum to the EU Processor-to-Processor Clauses and the EU Controller-to-Processor Clauses as approved by the Information Commissioner’s Office of the United Kingdom under section 119A(1) of the Data Protection Act 2018, as at Schedule 4, currently located within the Standard Contractual Clauses document found at Schedule 3.
    13. “Standard Contractual Clauses” means the EU Processor-to-Processor Clauses, EU Controller-to-Processor Clauses and the International Data Transfer Addendum;
    14. "Third Country" means in respect of Personal Data originating in the: (a) EEA, a country outside of the EEA not recognized by the European Commission as providing an adequate level of protection for Personal Data (as described in the EU GDPR); and (b) UK, a country outside the UK not recognized by the Information Commissioner's Office as providing an adequate level of protection for Personal Data (as described in the UK GDPR).
    15. When the context requires it, singular shall include plural, and vice versa, and the gender of each pronoun shall include all genders.

  2. General Obligations for the Data Controller
    1. The Data Controller shall in its role as the Data Controller ensure the compliance with the Applicable Data Protection Laws.
    2. The Data Controller shall in accordance with Section 30 (1) in the GDPR provide the Data Processor records of processing activities that are required in order for the Data Processor to be able to comply with its obligation to maintain a record of processing activities in accordance with Section 30 (2) in the GDPR.
    3. The Data Controller shall appoint a data protection officer and/or a representative if required by the Applicable Data Protection Laws and, where necessary, provide the Data Processor with the contact details to such person.
    4. By entering into this Data Processing Agreement, the Data Controller confirms that the technical and organizational measures stated in Appendix 2 are considered adequate and sufficient in order to protect the Personal Data covered by this Data Processing Agreement and that the Data Processor gives sufficient guarantees in accordance with Section 28 (1) in the GDPR.

  3. Instructions
    1. The Data Controller instructs the Data Processor to process Personal Data only on behalf of the Data Controller and in accordance with the instructions by the Data Controller, as set out in this Data Processing Agreement and the Main Agreement. The Data Controller ensures that the instructions comply with the Applicable Data Protection Laws.
    2. If the Data Controller leaves instructions that go beyond what is stated in this Data Processing Agreement and the Main Agreement, the following shall apply. In the event the implementation of actions required by the instructions entail costs for the Data Processor, the Data Processor shall inform the Data Controller thereof and provide an explanation of why the actions entail costs. The Data Processor shall be required to implement the measures only on condition that the Data Controller confirms that the Data Processor shall bear the costs of the actions. The instructions must be submitted in writing, unless there are special reasons justifying that the instructions may be given orally, in which case the Data Processor shall document and confirm the instructions in writing without undue delay.
    3. The Data Processor shall notify the Data Controller if the Data Processor considers that an instruction regarding the Processing of Personal Data given by the Data Controller would be in a breach of Applicable Laws (“Challenged Instruction”). The Data Processor will not in such a case be obliged to follow the Challenged Instruction unless the Data Controller maintains it and takes the responsibility for the Challenged Instruction. In such a case, the Data Processor shall take the measures required by the Data Controller provided that the measures do not concern: (i) implementation of technical and organizational measures; (ii) Data Subject’s rights; or (iii) appointing Sub-Processors. In case of disagreement, the Data Processor is entitled to seek guidance from the relevant supervisory authority. If such authority considers that the proposed measures are lawful, the Data Processor shall take them, in which case the Section 3.2 applies with regard to the costs for the measures. The Data Processor’s obligation to notify the Data Controller according to the first sentence in this Section shall not apply to the extent the Data Processor is prevented from doing so in accordance with Applicable Laws.

  4. The General Obligations for the Data Processor
    1. The Data Processor will Process Personal Data only in accordance with the written instructions issued by the Data Controller by this Data Processing Agreement and the Main Agreement.
    2. Notwithstanding what is stated in Section 4.1 above, the Data Processor may Process the Personal Data to the extent it is necessary for the Data Processor in order to comply with legal requirements under Applicable Laws to which the Data Processor is subject. If so, the Data Processor shall inform the Data Controller of that legal requirement before the Processing, unless Applicable Laws prohibit the Data Processor from providing this information.
    3. The Data Processor shall upon request by the Data Controller assist the Data Controller by providing the necessary information that the Data Processor has access to, in order for the Data Controller to be able to comply with its obligations to perform an impact assessment in accordance with Section 35 and consult the supervisory authority in accordance with Section 36 in the GDPR, regarding the Processing of Personal Data that is conducted in accordance with the Data Processing Agreement. The Data Processor is entitled to compensation for the costs from the Data Controller for such measures. The Data Processor’s obligation to assist the Data Controller is limited to such information that the Data Controller otherwise has no access to.
    4. CyberCube will take reasonable steps to ensure the reliability of any persons authorized to process any Customer Data and shall ensure that all such persons have committed themselves to confidentiality.

  5. Security measures
    1. The obligation to implement technical and organizational measures to protect the Personal Data
      1. The Data Processor shall implement appropriate technical and organizational measures in accordance with what is provided in Appendix 2 to protect and safeguard Personal Data that is processed against Personal Data Breaches. The Data Processor shall have a right to change these measures under the condition that the changes do not result in worse protection of the Personal Data and at least reach the level of protection that follows from the Applicable Data Protection Laws. In case the Data Controller requests that the Data Processor shall take technical and organizational measures that are in addition to what is stated above in this Section 5.1.1, the Section 3.2 shall not be applied to the costs for such measures.
    2. Access to Personal Data etc.
      1. The Data Processor shall ensure that access to the Personal Data is limited to those employees of the Data Processor who need access to the Personal Data in order for the Data Processor to fulfill its obligations under this Data Processing Agreement and the Main Agreement as well as in order to perform their job duties.
      2. The Data Processor shall ensure that all employees authorized to access and Process the Personal Data have committed themselves to confidentiality.
    3. Personal Data Breach
      1. In the event of a Personal Data Breach at the Data Processor, the Data Processor shall notify the Data Controller about the Personal Data Breach without undue delay after the Data Processor became aware of such Personal Data Breach. Moreover, the Data Processor shall provide such information that follows from the information obligation in Section 33 (3) in the GDPR, that the Data Processor has access to and that the Data Controller cannot access by other means.
      2. The notification to the Data Controller shall include the following information:
        1. a description of the nature of the Personal Data Breach including the categories and number of Data Subjects concerned and the categories and number of Personal Data records concerned;
        2. the likely consequences of the Personal Data Breach; and
        3. a description of the measures taken or proposed to be taken by the Data Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
      3. Where, and in so far as, it is not possible for the Data Processor to provide the above information in Section 5.3.2 above at the same time, the information may be provided in phases (without undue further delay).

  6. Right to Audit and Inspection
    1. CyberCube agrees to maintain its ISO 27001 certifications for the duration of CyberCube acting as a Data Processor to the Data Controller. CyberCube will use an external auditor to verify that its security measures meet ISO 27001 standards in accordance with the ISO certification process. On Data Controller’s written request, and subject to appropriate confidentiality obligations, CyberCube will make available to the Data Controller: (a) a copy of the current certificate in relation to ISO 27001 when made available to CyberCube; and (b) any information reasonably requested by the Data Controller concerning CyberCube’s processing of Customer Data under the Main Agreement and this Data Processing Agreement.
    2. Other than in the context of investigating a Personal Data Breach involving Customer Data, Data Controller agrees to exercise any right it may have to conduct an audit or inspection under Article 28(3)(h) (or the Standard Contractual Clauses, if applicable) by requesting the information outlined in paragraph 6.1.

  7. Use of Sub-Processors
    1. The Data Processor may engage outside sub-contractors, consultants or other third parties to Process Personal Data on behalf of the Data Controller (“Sub-Processors”). Moreover, the Data Controller may let the Data Processor enter into a data processing agreement on behalf of the Data Controller directly with Sub-Processors. Such data processing agreement with a Sub-Processor shall impose on the Sub-Processor corresponding and not less restrictive obligations than what follows from this Data Processing Agreement.
    2. The Data Processor shall, in the event the Data Processor engages a Sub-Processor, without undue delay provide the Data Controller with the information stated in Appendix 1 in writing.
    3. The Data Controller has a right to, by providing a cause within five (5) working days after the Data Processor has informed the Data Controller in writing about engaging a Sub-Processor, object to the Data Processor engaging the actual Sub-Processor. If the Data Controller has not objected within the stated time, the proposed Sub-Processor is deemed accepted. If the Data Controller objects to the Sub-Processor, the Data Processor has a right to choose one of the following alternatives: (a) refrain from engaging the Sub-Processor to process Personal Data covered by this Data Processing Agreement; (b) take measures that reasonably eliminate the reason for the Data Controller’s objection; or (c) temporarily or permanently cease to provide the part of the service/services that entail Processing of Personal Data by the actual Sub-Processor. If none of these alternatives is feasible and the Data Controller maintains its objection after thirty (30) days have passed after the objection was made, each Party has a right to, by giving a reasonable notice period, terminate that part of the service/services that entails Processing of Personal Data by the actual Sub-Processor.
    4. The Data Processor shall, in addition to the information stated in Section 7.2 above, upon the Data Controller’s request provide information regarding the measures that have been taken to ensure that the Sub-Processor gives sufficient guarantees to implement technical and organizational measures in a way that complies with the requirements in Applicable Data Protection Laws.
    5. The Data Processor is liable towards the Data Controller for the Processing of Personal Data by the Sub-Processors covered by this Data Processing Agreement in accordance with Applicable Data Protection Laws.

  8. Liability
    1. The terms and conditions regarding liability in the Main Agreement shall apply to this Data Processing Agreement.

  9. Data Subjects’ Rights
    1. The Data Controller shall be liable to assess if a request by a Data Subject to exercise its rights under Applicable Data Protection Laws is legitimate or not and provide the Data Processor with instructions regarding the scope of the support stated below that is required.
    2. The Data Processor shall without undue delay inform the Data Controller about complaints and other notices from the Data Subjects exercising their rights. However, the Data Processor shall not, unless the Data Controller has given the Data Processor sufficient instructions thereof, communicate with the Data Subject.
    3. The Data Controller is responsible for handling in connection with the Data Subject exercising its rights under Applicable Data Protection Legislation.
    4. The Data Processor shall upon request assist the Data Controller with the following appropriate technical and organizational measures in connection with the Data Subject exercising its rights under Chapter III in the GDPR:
    5. In connection with a request of information the Data Processor shall provide the Data Controller with such information that is covered by Sections 13 and 14 in the GDPR to the extent such information is available for the Data Processor and the Data Controller does not have access to such information.
    6. In connection with a request of right of access the Data Processor shall provide the Data Controller with such information that is covered by Section 15 in the GDPR to the extent such information is available for the Data Processor and the Data Controller does not have access to such information.
    7. In connection with a request of rectification (Section 16 in the GDPR), erasure (Section 17 in the GDPR), restriction of processing (Section 18 in the GDPR), and data portability (Section 20 in the GDPR), the Data Processor shall, to the extent the Data Controller cannot take the measures requested by the Data Subject(s), either enable the Data Controller to take such measures or, if not possible, assist the Data Controller to take such measures.
    8. The Data Processor shall, on instructions from the Data Controller, notify the Sub-Processors that Process Personal Data covered by the request by the Data Subject to rectify, erase or restrict the processing (Section 19 in the GDPR) that such request has been made. The Data Controller undertakes to inform other recipients.
    9. In relation to the Data Subject’s right to object to processing in Sections 21-22 in the GDPR, the Data Controller shall assess whether the objection is legitimate and how it is to be handled. In the event the Data Controller wishes to be assisted by the Data Processor, the Data Controller shall issue further instructions, whereby the routines described in Section 3.2 shall apply to the Data Processor’s right to compensation for costs.
    10. In the event the Data Controller requests that the Data Processor shall take technical and organizational measures in addition to what is stated in Section 5.1.1 for the purpose of handling the Data Subject’s rights under this Section 9, the Section 3.2 shall apply to the costs for such measures.
    11. Notwithstanding what is stated above in Section 9.5, the Data Processor is entitled to compensation for reasonable expenses due to the Data Subject exercising its rights as set out above.

  10. Return of Personal Data
    1. Upon termination of the Main Agreement, the Data Processor shall return (and/or upon the Data Controller's written request in a secure and irreversible way delete or anonymise) all Personal Data which belongs to the Data Controller that the Data Processor and/or any Sub-Processors have in its possession or control. This applies unless the Data Processor is required under Applicable Laws to continue to store the Personal Data.

  11. Transfer to and Processing of Personal Data in a Third Country
    1. The Data Processor may transfer Personal Data belonging to the Data Controller to a Third Country, provided that:
      1. the Third Country provides an adequate level of protection for Personal Data in accordance with an adequacy decision issued by the EU Commission that covers the Processing of Personal Data;
      2. the Data Processor ensures that there are appropriate safeguards in place in accordance with Applicable Data Protection Laws, e.g. standard data protection clauses adopted by the EU Commission under Applicable Data Protection Laws, covering the transfer and Processing of Personal Data; or
      3. another exception exists under Applicable Data Processing Laws that covers the Processing of Personal Data.
    2. For the avoidance of doubt, Personal Data may not be transferred to or Processed in Third Countries unless any of the conditions above in Section 11.1 apply.
    3. When a Customer is acting as a Controller and transfers Customer Data originating in the (a) EEA, to a Processor located in a Third Country, the EU Controller-to-Processor Clauses will apply; or (b) UK, to a Processor located in a Third Country, Information Commissioner’s Office of the United Kingdom’s International Data Transfer Addendum will apply.
    4. When CyberCube, its affiliates, or any other identified or unidentified third party is acting as a Processor and transfers Customer Data originating in the (a) EEA to a Processor located in a Third Country, the EU Processor-to-Processor Clauses will apply; or (b) UK, to a Processor located in a Third Country, Information Commissioner’s Office of the United Kingdom’s International Data Transfer Addendum will apply.

  12. Term and termination
    1. This Data Processing Agreement will enter into force on the Agreement Date and is valid during the term of the Main Agreement or the longer period of time that the Data Processor or any Sub-Processor engaged by the Data Processor Processes Personal Data on behalf of the Data Controller.

  13. Non-assignment
    1. Neither the rights nor the obligations of either Party under this Data Processing Agreement may be assigned in whole or in part without the prior written consent of the other Party.

  14. Amendments
    1. Additions and amendments to this Data Processing Agreement shall be in writing and duly signed by both Parties to be valid. Each Party may request amendments to this Data Processing Agreement that are justified by changes in Applicable Data Protection Laws.

  15. Applicable law
    1. This Data Processing Agreement shall be governed by the law as stated in the Main Agreement, without the application of the choice of law rules, to the extent Applicable Data Protection Laws do not stipulate another law.

  16. Disputes
    1. Disputes arising out of this Data Processing Agreement shall be solved as stated in the Main Agreement, to the extent Applicable Data Protection Laws do not stipulate another law.





Appendix 1

 

SCOPE, PROCESSING AND USE OF PERSONAL DATA COVERED BY THE DATA PROCESSING AGREEMENT

This Appendix 1 shall be deemed to be an integral part of the Data Processing Agreement

 

| Categories of Data Subjects | Categories of Personal Data | Processing Operations | Location, and, where applicable, safeguard for third country transfer | Retention of Personal Data |
| --- | --- | --- | --- | --- |
| Authorized User information, and Customer Data if applicable | Names, phone numbers, email addresses, address, and any other types of Personal Data that may possibly be contained as an authorised user or within the Customer Data | CyberCube will process Personal Data for the purpose of providing the Services to the Customer. | The Personal Data will be processed in the United States, SCCs | Processor will retain the Personal Data according to instructions or for the longer time necessary in order for the Processor to fulfill its obligations according to Applicable Laws. We will retain the Personal Data for as long as there is a business relationship between the Parties and CyberCube requires the Personal Data in order to provide the Service. All Personal Data will be deleted upon termination of a business relationship in accordance with our data deletion policy. |

 

Contact details of the contact person at the Data Processor: legal@cybcube.com

 

Appendix 2

 

SUB-PROCESSORS

| The identity of the Sub-Processor (including full legal name, company registration number and address) | The type of service provided by the Sub-Processor | The location where the Sub-Processor will process the Personal Data on behalf of the Data Controller, including applicable safeguards if personal data is processed outside of EU/EEA |
| --- | --- | --- |
| AWS (Amazon Web Services), 410 Terry Avenue North, Seattle, WA 98109-5210, USA | Hosts the core application logic, plus file storage & certain databases. | USA (SCCs) |
| HubSpot, 2 Canal Park, Cambridge, MA 02141, USA | Customer Relationship Management (CRM) | USA (SCCs) |
| CyberCube Analytics Europe Limited, 11123448, 3rd Floor, 1 Ashley Road, Altrincham, Cheshire, United Kingdom, WA14 2DT | Delivery of the CyberCube Service | United Kingdom (Adequacy) |
| CyberCube Analytics Digital OÜ, Y Building, Volta tn 1A-4th Floor, 10411 Tallinn, Estonia | Delivery of the CyberCube Service | Estonia |
| Anthropic PBC, 548 Market Street, PMB 90375, San Francisco, CA 94104-5401 | Provision of the LLM that enables the XM AI Assistant feature within Exposure Manager | USA (DPF Certification) |



Appendix 3

 

TECHNICAL AND ORGANIZATIONAL MEASURES

 

CyberCube’s Data Security Policy acts as our technical and organizational measures which can be found at security.cybcube.com as updated from time to time.