This Data Processing Agreement (“DPA”) forms part of Backendless’s Terms Of Service Agreement (“Agreement”). The DPA applies in respect of the provision of Backendless’s Services to the Customer if the Processing of User Personal Data is subject to the GDPR, only to the extent the Customer is a Controller (or Processor, as applicable) of User Personal Data and Backendless is a Processor or sub-Processor of User Personal Data (as defined below). This Addendum shall amend and supplement any provisions relating to the processing of User Personal Data contained in the Agreement, and shall be effective for the term of the Agreement.
- Capitalized terms used but not defined in this DPA shall have the meaning given to them in the Agreement or applicable Data Protection Laws.
“User Personal Data” means Personal Data uploaded to or published, displayed or backed up through the Backendless Services.
“GDPR” means the General Data Protection Regulation (EU) 2016/679, together with any national implementing laws in any Member State of the European Union, as amended, repealed, consolidated or replaced from time to time.
“DPA Effective Date” means, as applicable, (a) May 25, 2018 if Customer clicked to accept or otherwise agreed to this DPA prior to or on such date; or (b) the date on which Customer clicked to accept or otherwise agreed to this DPA, if such date is after May 25, 2018.
- “Personal Data”, “Personal Data Breach”, “Data Subject”, “Data Protection Authority”, “Data Protection Impact Assessment”, “Process”, “Processor” and “Controller” will each have the meaning given to them in Article 4 of the GDPR.
- Processing of User Personal Data
- For purposes of this DPA, Backendless and Customer agree that Customer is the Controller of User Personal Data and Backendless is the Processor of such data, except when Customer acts as a Processor of User Personal Data, in which case Backendless is a sub-Processor. If Customer is a Processor, Customer warrants that Customer’s instructions to Backendless with respect to that User Personal Data, including Customer’s designation of Backendless as a sub-Processor, have been authorized by the relevant Controller.
- Backendless will only Process User Personal Data on behalf of and in accordance with the Customer’s prior instructions and for no other purpose. Backendless is hereby instructed to Process User Personal Data to the extent necessary to enable Backendless to provide the Backendless Services in accordance with the Agreement.
- Each of the Customer and Backendless will comply with their respective obligations under the GDPR, to the extent applicable to the Processing of any User Personal Data in the context of the provision of the Backendless Services. Customer will (i) comply with all applicable privacy and data protection laws with respect to Customer’s Processing of User Personal Data and any Processing instructions that Customer issues to Backendless, and (ii) ensure that Customer has obtained (or will obtain) all consents and rights necessary for Backendless to Process User Personal Data in accordance with this Addendum.
- For Customers located in the EU, Customer acknowledges that Backendless may process User Personal Data in countries outside of the EU as necessary to provide the Backendless Services and in accordance with the terms of this Addendum. Where this is the case, Backendless will take such measures as are necessary to ensure that the transfer is in compliance with applicable data protection laws.
- The Customer acknowledges that Backendless is reliant on the Customer for direction as to the extent to which Backendless is entitled to use and Process User Personal Data on behalf of Customer in performance of the Backendless Services. Consequently Backendless will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Backendless, to the extent that such action or omission resulted directly from the Customer’s instructions or from Customer’s failure to comply with its obligations under the applicable data protection law.
- If for any reason (including a change in applicable law) Backendless becomes unable to comply with any instructions of the Customer regarding the Processing of User Personal Data, Backendless will (a) promptly notify the Customer of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (b) cease all Processing of the affected User Personal Data (other than merely storing and maintaining the security of the affected User Personal Data) until such time as the Customer issues new instructions with which Backendless is able to comply. If this provision applies, Backendless will not be liable to Customer under the Agreement in respect of any failure to perform the Backendless Services due to its inability to process User Personal Data until such time as the Customer issues new instructions in regard to such Processing.
- Security Measures
- Backendless will implement and maintain appropriate technical and organizational measures designed to protect or secure (i) Customer Data, including Customer Personal Data, against unauthorized or unlawful processing and against accidental or unlawful loss, destruction or alteration or damage, unauthorized disclosure of, or access to, Customer Data, and (ii) the confidentiality and integrity of Customer Data.
- Backendless will take reasonable steps to ensure the reliability and competence of Backendless team members engaged in the processing of Customer Personal Data. Backendless will take appropriate steps to ensure that all Backendless team members engaged in the processing of Customer Personal Data (i) comply with the Security Measures to the extent applicable to their scope of performance, (ii) are informed of the confidential nature of the Customer Personal Data, (iii) have received appropriate training on their responsibilities, and (iv) have executed written confidentiality agreements. Backendless shall ensure that such confidentiality obligations survive the termination of the personnel engagement.
- Security Breach
- If Backendless becomes aware of a Data Breach, Backendless will: (a) notify Customer of the Data Breach without undue delay after becoming aware of the Data Breach; and (b) promptly take reasonable steps to minimize harm and secure Customer Data.
- Notification(s) of any Data Breach will be delivered to Customer by direct communication (for example, by phone call or email). Customer is solely responsible for ensuring that any contact information, including notification email address, provided to Backendless is current and valid.
- Backendless will not assess the contents of Customer Data in order to identify information subject to any specific legal requirements. Customer is solely responsible for complying with data breach notification laws applicable to Customer and fulfilling any third-party notification obligations related to any Data Breach.
- Backendless’s notification of or response to a Data Breach under this Section 4. (Security Breach) will not be construed as an acknowledgement by Backendless of any fault or liability with respect to the Data Breach.
- Customer’s Security Responsibilities and Assessment of Backendless
- Customer agrees that, without prejudice to Backendless’s obligations under Section 3. (Security Measures) and Section 4. (Security Breaches):
- Customer is solely responsible for its use of the Services, including: (i) making appropriate use of the Services and any Additional Security Information to ensure a level of security appropriate to the risk in respect of the Customer Data; (ii) securing the account authentication credentials, systems and devices Customer uses to access the Services; and (iii) backing up the Customer Data; and
- Backendless has no obligation to protect Customer Data that Customer elects to store or transfer outside of Backendless’s systems.
- Customer is solely responsible for reviewing the Security Measures and evaluating for itself whether the Services, the Security Measures, and Backendless’s commitments under this Section 3 (Security Measures) will meet Customer’s needs, including with respect to any security obligations of Customer under the Data Protection Laws. Customer acknowledges and agrees that the Security Measures implemented and maintained by Backendless as set out in Section 3 (Security Measures) provide a level of security appropriate to the risk in respect of the Customer Data.
- Data Protection Impact Assessment; Prior Consultation
- Backendless will, at the Customer’s request and subject to the Customer paying all of Backendless’s fees at prevailing rates, and all expenses, provide the Customer with reasonable cooperation and assistance needed to fulfill Customer’s obligation under the GDPR to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Backendless. Backendless will provide reasonable assistance to Customer in the cooperation or prior consultation with the applicable data protection authority in the performance of its tasks relating to this Section 6 (Data Protection Impact Assessment) to the extent required under the GDPR.
- Deletion of User Personal Data
- Backendless will enable Customer to delete during the Term Customer Data in a manner consistent with the functionality of the Services. If Customer uses the Services to delete any Customer Data during the Term and that Customer Data cannot be recovered by Customer, this use will constitute an instruction to Backendless to delete the relevant Customer Data from Backendless’s systems in accordance with applicable law. Backendless will comply with this instruction as soon as reasonably practicable within a maximum of 30 days, unless the European Union or member state law requires storage.
- On expiration of the Agreement, Customer instructs Backendless to permanently and securely delete all User Personal Data in the possession or control of Backendless, within a reasonable period of time, maximum of 30 days (unless the applicable law of the EU or of an EU Member State requires otherwise), except if the Customer requests, prior to expiration of the Agreement, to have access to the Backendless Services in order to retrieve User Personal Data. Customer acknowledges and agrees that Customer will be responsible for exporting, before the Term expires, any Customer Data it wishes to retain afterwards.
- Order of Precedence
- With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and any other agreements between the parties, including the Agreement, the provisions of this Addendum shall prevail.
Updated: August 21, 2018