Data Processing Addendum

 

Sign and excute the online version


This Data Processing Addendum (“DPA”) is incorporated by reference into Paperturn’s Terms and Conditions of Service (“Principle Agreement”) available at https://www.paperturn.com/terms, entered by and between you, the Customer (as defined in the Principle Agreement) (collectively, “you”, “your”, “Customer”, “Data Controller”), and Paperturn ApS (“Paperturn”, “us”, “we”, “our”, “Data Processor”) to reflect the Parties’ agreement with regard to the Processing of Personal Data by Paperturn solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.


Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement. 


By using the Services, you as the Customer accept this DPA and represent and warrant that you have full authority to bind the Customer to this DPA. If you cannot, or do not agree to, comply with and be bound by this DPA, or do not have authority to bind the Customer or any other entity, you should not provide Personal Data to us or use our Service.
In the event of any conflict between certain provisions of this DPA and the provisions of the Principle Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Principle Agreement solely with respect to the Processing of Personal Data.
 

1. DEFINITIONS AND INTERPRETATION

Unless otherwise defined herein, capitalised terms and expressions used in this Agreement shall have the following meaning:

 

 “Agreement” means this Data Processing Agreement.


“CCPA” means the California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100 et. seq.


“Controller” is the party that determines the purposes and means of the Processing of Personal Data.


“Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.

“Data Subject” is the identified or identifiable natural person that the Personal Data is related to.


“Data Transfer” means a transfer of Company Personal Data from the Company to a Contracted Processor; or an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);

“EEA” means the European Economic Area;

"GDPR” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;


“Personal Data” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or consumer, which is processed by Paperturn solely on behalf of the Customer, under this DPA and the Agreement between the Customer and Paperturn.


“Principle Agreement” means the electronic agreement that is entered into between the Customer and Paperturn for the provision of subscription Services to the Customer (Paperturn’s Terms and Conditions of Service + Paperturn’s Privacy Policy).


“Processing” means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.


“Processor” is the party that Processes Personal Data on behalf of the Controller.


“Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.


“Service or Service(s)” means the flipbook subscription services Paperturn provides in pursuance to the Principal Agreement.


“Standard Contractual Clauses”
means the Standard Contractual Clauses between Controllers and Processors, and between Processors and Processors, as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.


“Subprocessor” means any third party that processes Personal Data under the instruction or supervision of Paperturn.


“UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).


The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
 

2. DETAILS OF DATA PROCESSING

(2.1) Roles of the Parties  The Parties acknowledge and agree that with regard to the processing of Personal Data, the Customer is the Controller and Paperturn is the Processor. In some circumstances, the Customer may be the Processor, in which case the Customer appoints Paperturn as the Customer’s sub-processor, which shall not change the obligations of either the Customer or Paperturn under this Data Processing Agreement, as Paperturn will remain a Processor with respect to the Customer in such event.


(2.2) Customer’s Processing of Personal Data Customer, in its use of the Services, and Customer’s instructions to the Processor, shall comply with Data Protection Laws. Customer shall establish and have any and all required legal bases in order to collect, Process and transfer to Processor the Personal Data, and to authorise the Processing by Processor, and for Processor’s Processing activities on Customer’s behalf, including the pursuit of ‘business purposes’ as defined under the CCPA.


(2.3) Processor’s Processing of Personal Data Paperturn, when Processing on the Customer’s behalf under the Agreement, shall Process Personal Data for the following purposes: 

 

(i) Processing in accordance with the Principle Agreement and this DPA; 

(ii) Processing for the  Customer as part of its provision of the Services; 

(iii) Processing to comply with the Customer’s reasonable and documented instructions, where such instructions are consistent with the terms of the Principle Agreement, regarding the manner in which the Processing shall be performed;

(iv) Processing as required under the laws applicable to Processor, and/or as required by a court of competent jurisdiction or other competent governmental or semi-governmental authority, provided that Processor shall inform Customer of the legal requirement before Processing, unless such law or order prohibit such information on important grounds of public interest.

 

(2.4) Details of the Processing The subject-matter of Processing of Personal Data by Paperturn is the performance of the Services pursuant to the Principle Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in ANNEX 1 (Details of Processing) to this DPA.


(2.5) Sensitive Data The Parties agree that the Service is not intended for the Processing of Sensitive Data, and that if the Customer wishes to use the Services to Process Sensitive Data, it must first obtain the Processor’s explicit prior written consent and enter into any additional agreements as may be required by Paperturn.

(2.6) CCPA Standard of Care; No Sale of Personal Information Processor acknowledges and confirms that it does not receive or process any Personal Information as consideration for any services or other items that Processor provides to Customer under the Agreement. Processor shall not have, derive, or exercise any rights or benefits regarding Personal Information Processed on Customer’s behalf, and may use and disclose Personal Information solely for the purposes for which such Personal Information was provided to it, as stipulated in the Principle Agreement and this DPA. Processor certifies that it understands the rules, requirements and definitions of the CCPA and agrees to refrain from selling (as such term is defined in the CCPA) any Personal Information Processed hereunder without Customer’s prior written consent, nor take any action that would cause any transfer of Personal Information to or from Processor under the Agreement or this DPA to qualify as “selling” such Personal Information under the CCPA.
 

3. SECURITY 

(3.1) Security Measures Paperturn shall implement and maintain appropriate technical and organisational security measures that are designed to protect Customer Data from Security Incidents and designed to preserve the security and confidentiality of Customer Data in accordance with Paperturn’s security standards described in Annex 2 (“Security Measures”) of this DPA.


(3.2) Confidentiality of Processing Paperturn shall ensure that any person who is authorised by Paperturn to process Customer Data (including its staff, agents, and subcontractors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).


(3.3) Updates to Security Measures Customer is responsible for reviewing the information made available by Paperturn relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures are subject to technical progress and development and that Paperturn may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service provided to Customer.

(3.4) Security Incident Response Upon becoming aware of a Security Incident, Paperturn shall: 

 

(i) notify Customer without undue delay, and where feasible, in any event no later than 72 hours from becoming aware of the Security Incident; 

(ii) provide timely information relating to the Security Incident as it becomes known or as is reasonably requested by Customer; and 

(iii) promptly take reasonable steps to contain and investigate any Security Incident. Paperturn’s notification of or response to a Security Incident under this Section 3.4 shall not be construed as an acknowledgment by Paperturn of any fault or liability with respect to the Security Incident.

 

(3.5) Customer Responsibilities Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.
 

4. AUDITS

(4.1) Paperturn’s Audit Reports To help the Customer assess Paperturn’s compliance with the terms of this DPA, on Customer’s request, and subject to the confidentiality provisions of the Agreement, Paperturn will make available to Customer copies of, or extracts from, Paperturn’s audit reports related to the security of the Services, including, for example, its Voluntary Security Assessment, and public penetration test results.


(4.2) Customer’s Audit Rights Paperturn will allow Customer (directly or through a third-party auditor subject to written confidentiality obligations) to verify Paperturn’s compliance with the terms of this DPA if such an audit is required by Data Protection Laws and Paperturn’s compliance cannot be demonstrated by means that are less burdensome on Paperturn (including under Section 4.1). Customer may only perform an audit under this section as follows:

 

  • Customer must provide Paperturn at least 30 days’ prior written notice of a proposed audit unless otherwise required by a competent supervisory authority or Data Protection Laws;
  • Customer may not perform more than one audit in any 12-month period, except where required by a competent supervisory authority;
  • Customer and Paperturn must mutually agree on the audit’s participants, schedule, scope, and methodology of the audit in advance, in order to minimise the disruption to Paperturn’s normal business operations;
  • Customer must reimburse Paperturn for its time expended in connection with an audit at Paperturn’s reasonable professional service rates, which will be made available to Customer on request;
  • Customer must ensure that its representatives performing an audit protect the confidentiality of all information obtained through the audit in accordance with the Agreement, execute an enhanced mutually agreeable nondisclosure agreement if requested by Paperturn, and abide by Paperturn’s security policies while on Paperturn’s premises; and
  • Customer must promptly disclose to Paperturn any written audit report created, and any findings of noncompliance discovered, as a result of the audit.
 

5. SUB-PROCESSORS

(5.1) Appointment of Sub-processors Paperturn may respectively engage third-party Sub-processors in connection with the provision of the Services and has the Customer’s general authorisation for the engagement of sub-processor(s) from an agreed list, as outlined in s.(5.2) below. Paperturn will specifically inform the Customer in writing of any intended changes to that list through the addition or replacement of sub-processors at least ten (10) business days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.

(5.2) List of Current Sub-processors and Notification of New Sub-processors 

Paperturn’s current list of Sub-Processors used to process Personal Data can be viewed here. The Sub-processor List includes the identities of the Sub-processors and their entity’s country. The Customer is deemed to authorise the Processor’s Sub-Processors upon first use of the Services. Paperturn agrees to provide notice to the Customer when adding or making changes to the Subprocessors; this notice will be given via email.

(5.3) Agreements with Sub-processors Paperturn will enter into a written agreement with each Subprocessor that contains data protection obligations equivalent to those in this DPA. Paperturn will be liable for the actions and omissions of its Subprocessors undertaken in connection with Paperturn’s performance under this DPA to the same extent Paperturn would be liable if performing the Services directly.

(5.4) Objection to New Sub-processors The Customer may reasonably object to Paperturn’s use of a new Sub-processor, for reasons relating to the protection of Personal Data intended to be Processed by such Sub-processor, by notifying Paperturn promptly in writing within seven (7) days after receipt of notification of new Sub-Processor. The written objection shall include reasons for objecting to the Processor’s use of such a new Sub-processor. Failure to object to the new Sub-processor in writing within seven (7) days following Processor’s notice, shall be deemed as an acceptance of the new Sub-Processor. In the event the Customer reasonably objects to a new Sub-processor, as permitted in the preceding sentences, the Processor will use reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Personal Data by the objected-to new Sub-processor without unreasonably burdening the Customer. If Processor is unable to make available such change within thirty (30) days, Customer may, as a sole remedy, terminate the Agreement and this DPA with respect only to those elements of the Services which cannot be provided by Processor without the use of the objected-to new Sub-processor, by providing written notice to Processor. All amounts outstanding under the Agreement before the termination date with respect to the Processing at issue shall be duly paid to Processor. Until a decision is made regarding the new Sub-processor, Processor may temporarily suspend the Processing of the affected Personal Data and/or suspend access to the Services. The Customer will have no further claims against the Processor due to the termination of the Agreement (including, without limitation, requesting refunds) and/or the DPA in the situation described in this paragraph.
 

6. DATA SUBJECT RIGHTS

(6.1) Data Subject Requests Paperturn shall, to the extent legally permitted, notify Customer or refer Data Subject to Customer, if Processor receives a request from a Data Subject or Consumer to exercise their rights (to the extent available to them under applicable Data Protection Laws) of access, right to rectification, restriction of Processing, erasure, data portability, objection to the Processing, their right not to be subject to automated individual decision making, to opt-out of the sale of Personal Information, or the right not to be discriminated against (“Data Subject Request”). Taking into account the nature of the Processing, Processor shall assist Customer by implementing appropriate technical and organisational measures, insofar as this is possible and reasonable, for the fulfilment of Customer’s obligation to respond to a Data Subject Request under Data Protection Laws. Processor may advise Data Subjects on available features for self-exercising their Data Subject Requests through the Platform (where appropriate), and/or refer Data Subject Requests received, and the Data Subjects making them, directly to the Customer for its treatment of such requests. For the avoidance of doubt, nothing in the Agreement (including this DPA) shall restrict or prevent Paperturn from responding to any data subject or data protection authority requests in relation to personal data for which Paperturn is a controller.

(6.2) Data Protection Impact Assessment Upon Customer’s reasonable request, Paperturn shall provide Customer, at Customer’s cost, with reasonable cooperation and assistance needed to fulfil Customer’s obligation under the GDPR or the UK GDPR (as applicable) to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Paperturn. Paperturn shall provide, at Customer’s cost, reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority in the performance of its tasks relating to this Section 6.2, to the extent required under the GDPR or the UK GDPR, as applicable.

 

7. RETURN AND DELETION OF PERSONAL DATA

Upon termination or expiration of the Principle Agreement, Paperturn shall, in accordance with the terms of the Principle Agreement, delete or make available to Customer for retrieval all relevant Personal Data (including copies) in Paperturn's possession, save to the extent that Paperturn is required by any applicable law to retain some or all of the Personal Data. In such an event, Paperturn shall extend the protections of the Agreement and this DPA to such Personal Data and limit any further Processing of such Personal Data to only those limited purposes that require the retention, for so long as Paperturn stores the Personal Data.
 

8. DATA TRANSFER

(8.1) Transfers from the EEA, Switzerland and the United Kingdom to Countries That Offer Adequate Level of Data Protection Personal Data may be transferred from EU Member States, the three EEA member countries (Norway, Liechtenstein and Iceland) (collectively, “EEA”), Switzerland and the United Kingdom (“UK”) to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, Switzerland, and/or the UK as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

(8.2)  Transfers from the EEA, Switzerland and the United Kingdom to Other Countries If the Processing of Personal Data by Processor includes a transfer (either directly or via onward transfer):

 

(i) from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland (“EEA Transfer”), the terms set forth in the Standard Contractual Clauses shall apply;

(ii) from the UK to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Processor for the lawful transfer of personal data (as defined in the UK GDPR) outside the EEA or UK (“UK Transfer”), the terms set forth in the Standard Contractual Clauses, in accordance with Annex III thereto (UK Cross Border Transfers) shall apply;

(iii) the terms set forth in Annex IV to the Standard Contractual Clauses (Additional Safeguards) shall apply to an EEA Transfer and a UK Transfer.

 

9. CONFIDENTIALITY

Each Party must keep this Agreement and information it receives about the other Party and its business in connection with this Agreement confidential and must not use or disclose that Confidential Information without the prior written consent of the other Party except to the extent that:

  • Disclosure is required by law;
  • The relevant information is already in the public domain.

10. GOVERNING LAW AND JURISDICTION

This Agreement is governed by the laws of Denmark. Any dispute arising in connection with this Agreement, which the Parties will not be able to resolve amicably, will be submitted to the exclusive jurisdiction of the courts of Denmark.

 

 

ANNEX 1 - DETAILS OF PROCESSING

 

Nature and Purpose of Processing

Paperturn will Process Personal Data as necessary for the following reasons:

 

1. Providing the Services to Customer;

2. Performing the Agreement, this DPA and/or other contracts executed by the Parties;

3. Acting upon Customer’s instructions, where such instructions are consistent with the terms of the Agreement;

4. Sharing Personal Data with third parties in accordance with Customer’s instructions and/or pursuant to Customer’s use of the Services (e.g., integrations between the Services and any services provided by third parties, as configured by or on behalf of Customer to facilitate the sharing of Personal Data between the Services and such third party services);

5. Complying with applicable laws and regulations;

6. Any and all tasks related to any of the above.

Duration of Processing

Subject to any section of the DPA and/or the Principle Agreement dealing with the duration of the Processing and the consequences of the expiration or termination thereof, Paperturn will Process Personal Data pursuant to the DPA and Principle Agreement for the duration of the Principle Agreement, unless otherwise agreed upon in writing.

 

Data subjects

The personal data transferred concerns the following categories of data subjects: The categories of data subjects whose personal data may be processed in connection with the Subscription Services are determined and controlled by the data exporter in its sole discretion and may include but are not limited to: customers, contacts and prospects of data exporter; affiliates, employees or contractors of data exporter.

 

Categories of data

The personal data transferred concern the following categories of data:

The categories of personal data are determined by the data exporter in its sole discretion and may include but are not limited to: first and last name; employer; business role; professional title; contact information (e,g., email, phone, physical address); financial information (credit card number, banking details); business network; business experience; business interests; localization data, and; device identification data.

 

Special categories of data (if appropriate)

The parties do not anticipate the transfer of any special categories of data.

 

Processing operations

Personal Data will be Processed in accordance with the Agreement (including this DPA) and may be subject to the following Processing activities:

 

a. Storage and other Processing necessary to provide, maintain and improve the Subscription Services provided to you; and/or

b. Disclosure in accordance with the Agreement (including this DPA) and/or as compelled by applicable laws.

 

 

 

ANNEX 2 - SECURITY MEASURES

 

a) Access Control

 

i) Preventing Unauthorised Product Access

  • Outsourced processing: We host our Service with outsourced cloud infrastructure providers. Additionally, we maintain contractual relationships with vendors in order to provide the Service in accordance with our DPA. We rely on contractual agreements, privacy policies, and vendor compliance programs in order to protect data processed or stored by these vendors.
  • Physical and environmental security: We host our product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for ISO 27001 compliance, among other Certifications.
  • Authentication: We implement a uniform password policy for our customer products. Customers who interact with the products via the user interface must authenticate before accessing non-public customer data.
  • Authorization: Customer Data is stored in multi-tenant storage systems accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of our products is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.
  • Application Programming Interface (API) access: Public product APIs may be accessed using an API key.

 

ii) Preventing Unauthorised Product Use

We implement industry standard access controls and detection capabilities for the internal networks that support its products.

  • Access controls: Network access control mechanisms are designed to prevent network traffic using unauthorised protocols from reaching the product infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
  • Intrusion detection and prevention: We implement a Web Application Firewall (WAF) solution to protect our Customer’s flipbooks in their flipbook viewer. The WAF is designed to identify and prevent attacks against publicly available network services.
  • Static code analysis: Security reviews of code stored in our source code repositories is performed, checking for coding best practices and identifiable software flaws.

 

iii) Limitations of Privilege & Authorization Requirements

  • Product access: A subset of our employees have access to the products and to customer data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Access is enabl
Create your flipbook now - no strings attached START MY FREE TRIAL
 
cancel