Data Processing Agreement
Last Update: December 16, 2022
This Data Processing Agreement (the “DPA”) forms an integral part of the Agreement entered into by and between Lift Relations ApS (“Lift Relations”) and Customer. Lift Relations and Customer shall each be referred to as a “Party” and jointly as the “Parties”.
This DPA governs the Processing of Personal Data which Lift Relations processes on behalf of Customer to perform its Services under the Agreement.
The Parties will become bound by this DPA at the same time the Agreement is entered into. In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail in relation to its subject matter.
For the purposes of this DPA, capitalized terms and the expressions set out below have the following meanings:
- The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” shall have the same meaning as in the GDPR and their related terms shall be construed accordingly.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity.
- “Agreement” means the agreement whereby Customer purchases the Services from Lift Relations. The Agreement will either be a “Subscription Agreement” or “Master Service Agreement” between the Parties.
- “Authorized Affiliate” means any of Customer’s Affiliate(s) which is permitted to use the Services pursuant to the Agreement between Lift Relations and Customer, but has not signed its own separate Order Form with Lift Relations and is not a “Customer” as defined under this DPA.
- “Customer” means the entity that has signed Order Forms and executed the Agreement.
- “Data Protection Laws” means the GDPR and laws implementing or supplementing the GDPR and, to the extent applicable, the data protection or privacy laws of any other EU Member State or any other country.
- “EEA” means the European Economic Area.
- “EU” means European Union.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses annexed to the EU Commission Decision (EU) 2021/914 of 4 June 2021 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
- “GDPR” means Regulation 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
- “Services” means the products and services provided by Lift Relations to Customer under the Agreement.
- “Subprocessor” means any Processor engaged by Lift Relations to Process Personal Data in connection with the Agreement.
2. PROCESSING OF PERSONAL DATA
2.2 Lift Relations shall: (a) comply with all applicable Data Protection Laws, the Agreement, and this DPA in the Processing of Personal Data; and (b) not Process Personal Data other than on the relevant Customer’s documented instructions unless Processing is required by applicable laws.
2.3 Customer shall, in its use of the Services, comply with the requirements of applicable Data Protection Laws to Process Personal Data. Customer shall be responsible that it has the consent or other lawful basis necessary for its instructions for Processing of Personal Data to Lift Relations.
3. PROCESSOR PERSONNEL
Lift Relations shall take reasonable steps to ensure the reliability of its personnel engaged in the Processing of Personal Data, ensuring in each case that access to the Personal Data is strictly limited to those individuals on a need-to-know basis only, as strictly necessary for the purposes of the Agreement, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality. Such obligations of confidentiality shall survive the termination or expiration of this DPA.
4.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Lift Relations shall in relation to Customer Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. The current technical and organisational measures implemented by Lift Relations are listed in Schedule 3. Lift Relations may update or modify these measures from time to time, provided that they do not materially decrease the overall security of the Services during a subscription term.
4.2 In assessing the appropriate level of security, Lift Relations shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5.1 Subject to this DPA, Lift Relations has Customer’s general authorization for the engagement of Subprocessors for the purpose of the Agreement. At the date of this DPA, Lift Relations, authorized by Customer, uses the Subprocessors listed in Schedule 2 to provide the Services.
5.2 Lift Relations shall inform in writing Customer of any intended changes concerning the addition or replacement of Subprocessors at least twenty (20) days in advance, thereby giving Customer the opportunity to object to such changes prior to the engagement of the concerned Subprocessor(s). Customer may reasonably object to Lift Relations’ use of a new Subprocessor by notifying Lift Relations in writing within ten (10) days of receipt of Lift Relations’ notice, in which case the Parties agree to negotiate in good faith to find an alternative solution together. If Customer does not send written notice objecting to a new Subprocessor within the said ten (10) days, the new Subprocessor will be deemed authorized by Customer.
5.3 With respect to each Subprocessor engaged by Lift Relations, Lift Relations shall ensure that the arrangement between Lift Relations and each Subprocessor is governed by a written agreement including terms which offer at least the same level of protection for Personal Data as those set out in this DPA and which meet the requirements of applicable Data Protection Laws.
5.4 Lift Relations shall ensure that any Processing of Personal Data by a Subprocessor complies with the requirements set out under this DPA. Lift Relations remains responsible to Customer for the Subprocessor’s performance of its agreement obligations.
6. DATA SUBJECT RIGHTS
6.1 Taking into account the nature of the Processing, Lift Relations shall assist Customer by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligations, as reasonably understood by Customer, to respond to requests to exercise Data Subject rights under the Data Protection Laws.
6.2 Lift Relations shall: (a) promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Personal Data; and (b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Lift Relations is subject, in which case Lift Relations shall to the extent permitted by applicable laws inform Customer of that legal requirement before it responds to the request.
7. PERSONAL DATA BREACH
7.1 Lift Relations shall notify Customer without undue delay upon Lift Relations becoming aware of a Personal Data Breach affecting Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to report or inform Data Subjects and/or a Supervisory Authority of the Personal Data Breach under the Data Protection Laws.
7.2 Lift Relations shall cooperate with Customer and take reasonable commercial steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach.
8. DATA PROTECTION IMPACT ASSESSMENT AND PRIOR CONSULTATION
Lift Relations shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by applicable Data Protection Laws, in each case solely in relation to Processing of Customer Personal Data by, and taking into account the nature of the Processing and information available to, Lift Relations.
9. DELETION OR RETURN OF PERSONAL DATA
9.1 Following the termination or expiration of the Agreement, Lift Relations shall, upon written request of Customer, delete and procure the deletion of all copies of the Personal Data or anonymize the Personal Data and shall certify to Customer that it has done so.
9.2 If Lift Relations is required by applicable laws to retain the Personal Data, Lift Relations will continue to ensure compliance with this DPA and will only process such Personal Data to the extent and for as long as required under applicable laws.
10. AUDIT RIGHTS
10.1 Subject to clause 10.2, Lift Relations shall, upon Customer’s reasonable request, make available to Customer all information solely necessary to demonstrate compliance with this DPA, and shall allow for and contribute to audits, including inspections, by Customer or a third-party auditor mandated by Customer in relation to the Processing of the Personal Data by Lift Relations.
10.2 Customer shall give Lift Relations at least three (3) weeks’ advance written notice of any audit to be conducted by Customer or a third-party auditor mandated by Customer under this clause unless an audit is required by a Supervisory Authority within a shorter notice. The Parties shall mutually agree upon the scope, timing and duration before any audit commences. The costs of any audit are at Customer’s expense.
10.3 Customer and third-party auditors shall comply with confidentiality obligations to conduct audits. Lift Relations may require the third-party auditor to execute a non-disclosure agreement to protect Lift Relations’ Confidential Information prior to the audit. Audit reports shall be considered Confidential Information of the Parties.
11. TRANSFER OF DATA TO THIRD COUNTRIES
11.1 Any transfer of Personal Data to third countries or international organisations by Lift Relations shall only occur on the basis of documented instructions from Customer and shall always take place in compliance with Chapter V GDPR. Subject to this DPA, Customer acknowledges and agrees that, in connection with the performance of the Services under the Agreement, Personal Data may be transferred to Subprocessors listed in Schedule 2 in the United States.
11.2 If the Processing of Personal Data involves a transfer of Personal Data from a country within the EU/EEA/UK to a country outside the EU/EEA/UK which has not been designated by the European Commission as ensuring an adequate level of protection, the SCCs shall be incorporated by reference and form part of this DPA as if they had been set out in full, with Customer and/or its Authorized Affiliates as “data exporter” (as defined in the SCCs) and Lift Relations as “data importer” (as defined in the SCCs). In case of conflict or inconsistency between the terms of the SCCs and the terms of this DPA, the terms of the SCCs shall prevail.
11.3 Lift Relations will ensure Subprocessors comply with the SCCs or otherwise ensure appropriate safeguards pursuant to Articles 46 or 47 of the GDPR.
12. AUTHORIZED AFFILIATES
12.1 Contractual Relationship. The Parties acknowledge and agree that, by executing this DPA, Customer enters into this DPA on behalf of itself and, as applicable, in the name and on behalf of its Authorized Affiliates, in which case each Authorized Affiliate agrees to be bound by Customer’s obligations under this DPA. Customer warrants that it has the power and authority to enter into the DPA on behalf of itself and, as applicable, in the name and on behalf of its Controller Affiliates. All access to and use of the Services by Authorized Affiliates must comply with the terms and conditions of the Agreement and this DPA.
12.2 Communication. Customer shall remain responsible for coordinating all communication with Lift Relations under the Agreement and this DPA and shall be entitled to make and receive any communication in relation to this DPA on behalf of its Authorized Affiliates.
12.3 Rights of Authorized Affiliates. Except where applicable Data Protection Laws require an Authorized Affiliate to exercise a right or seek any remedy under this DPA against Lift Relations directly by itself, the Parties agree that Customer shall (a) exercise any such right or seek any such remedy on behalf of the Authorized Affiliate, and (b) exercise any such rights under this DPA in a combined manner for all of its Authorized Affiliates together.
This DPA will take effect as and from the date that the Agreement commences and remain in force until the Agreement is terminated or expired and all Personal Data is deleted or anonymized by Lift Relations pursuant to clause 9 of this DPA.
14. General Terms
14.1 Governing Law and Jurisdiction
14.1.1 This DPA shall be exclusively governed by and construed in accordance with the laws of Denmark without regard to its conflicts of law rules. Any dispute, controversy, or claim arising out of or in connection with this DPA shall be subject to the exclusive and final jurisdiction of the courts of Denmark.
14.1.2 In the event that Customer is located in a jurisdiction where judgments rendered by the above-mentioned courts cannot be enforced, any dispute, controversy, or claim arising out of or in connection with this DPA shall be exclusively and finally settled by arbitration in accordance with the Arbitration Rules of The Danish Institute of Arbitration (Copenhagen Arbitration). The arbitral tribunal shall be composed of one arbitrator, who shall be appointed in accordance with the above arbitration rules. The language to be used in the arbitral proceedings shall be English.
14.2 Severability. If any provision of this DPA is held to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.
14.3 Liability. Any claims and liability arising out of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement, and insofar it does not limit nor exclude any liability that cannot be limited or excluded under applicable laws.
14.4 Notice. Any notifications given under this DPA must be in writing and will be (a) mailed by certified or registered mail, (b) delivered by an express courier (with confirmation), or (c) sent by email. Customer may contact Lift Relations at email: firstname.lastname@example.org to seek expedient assistance to clarify and respond to questions regarding the Processing of Personal Data for the purposes of this DPA.
SCHEDULE 1 – INSTRUCTIONS FOR PROCESSING OF PERSONAL DATA
Subject Matter of the Processing
The subject matter of the Processing shall be Customer Personal Data to be processed by Lift Relations on behalf of Customer pursuant to or in connection with the Agreement.
Nature and Purpose of the Processing
The nature and purpose of Processing of Personal Data shall be the provision of the Services in accordance with the Agreement.
Duration of the Processing
Lift Relations will Process Personal Data during the term of the Agreement and this DPA until the deletion or anonymization of all Personal Data in accordance with section 9 of this DPA.
Categories of Data Subjects Whose Personal Data Is Processed
Customer’s and/or its Affiliates’ employees/consultants (if applicable)
Customer’s and/or its Affiliates’ clients and clients’ employees
Categories of Personal Data Processed
Customer may provide certain Personal Data to the Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include:
- First name and last name
- Job title
- Email address
- Phone number (optional)
- IP Address
- Survey comments
Sensitive Personal Data transferred (if applicable)
The Frequency of the Transfer
Continuous basis depending on the use of the Services by Customer
SCHEDULE 2 – LIST OF SUBPROCESSORS
Customer has authorized Lift Relations to use the following Subprocessors:
|Subprocessor|Location|Purpose of Processing|
|---|---|---|
|Microsoft Azure|EU|Cloud Hosting Services and Data Storage|
|Salesforce|USA|Customer Relationship Management|
|Totango|USA|Customer Success Management|
SCHEDULE 3 – TECHNICAL AND ORGANISATIONAL MEASURES
Lift Relations has implemented the following technical and organisational measures to protect Customer Personal Data as described in this Schedule 3. Lift Relations will continuously improve the technical and organizational measures according to feasibility and state of the art.
Lift Relations is hosted on Microsoft Azure (Azure), a cloud infrastructure provider that provides a wide array of security tools and capabilities. Azure adheres to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. All Customer Personal Data is stored in the service provider’s data centers as listed in Schedule 2 and is not stored on-premises.
Physical Access Control
Lift Relations’ premises are secured with lock-and-key access control, video surveillance, and an alarm system.
System Access Control
- Lift Relations uses unique IDs, passwords and multi-factor authentication (where applicable) to prevent unauthorized users from gaining access to systems used to process Customer Personal Data.
- System access is granted or modified subject to approval from IT system administrators. Following the termination of employment, employee access to systems, including any access the employee might have had to Customer Personal Data, will be removed.
- Lift Relations ensures that authorized users can only access and use Customer Personal Data subject to their authorization.
- Access rights are checked periodically to ensure compliance.
All Customer Personal Data stored on Lift Platform is encrypted at rest and in transit using transport layer security (TLS).
Lift Relations maintains a monitoring system to log user activities on Lift Platform to check and establish retrospectively whether and by whom Customer Personal Data have been entered into, modified or deleted.
- Customer Data including Personal Data is backed up periodically against accidental destruction or loss.
- Lift Relations maintains comprehensive backup and recovery concepts to ensure redundancy and seamless failover during power or critical service failure.
Lift Relations will implement an incident response policy to respond to and limit consequences of data breaches, data leaks, cyber attacks and security incidents including data breach notification to Customer without undue delay when a breach is known or reasonably suspected to impact Customer Personal Data. Appropriate employees have been appointed to react promptly to known incidents. All incidents will be logged, including causes, handling process, impact, and solutions.
Lift Relations performs a risk-based security assessment of vendors before engaging them to provide services or products and regularly checks after engagement to ensure they comply with applicable laws and have implemented adequate technical and organizational measures to protect data security.
Lift Relations requires all its employees to protect Customer Personal Data and acknowledge such confidentiality obligations in the employment contract.
Training and Awareness
Lift Relations promotes security awareness and will provide ongoing security awareness training to ensure that its employees carry out their security-related duties and responsibilities in compliance with applicable policies and procedures related to data security and the protection of Customer Personal Data.