Data Processing Agreement & Non-disclosure Agreement for Support & Consulting Services
Between SuperOffice (“SuperOffice”, “Processor”) and Customer (“Customer”, “Controller”)
This agreement is valid from May 25th, 2018.
The purpose of this Agreement is to regulate the parties’ responsibilities related to Support and Consulting Services (“Services”) performed by SuperOffice personnel in relation to SuperOffice CRM products used by the Customer.
Services may include processing of Customer Data on SuperOffice controlled servers and in this case, the processing is governed by the Data Processing Agreement (DPA) in Section A and the Non-disclosure Agreement (NDA) in Section B.
If Services are performed on Customer Data residing on Customer controlled servers, the Services are governed by the Non-disclosure Agreement in Section B.
Services will have separate Assignments where the task, terms, milestones, resources, etc. will be described. For Consulting Assignments this is normally the “Task Descriptions” provided by a consultant or a sales representative. For Support Assignments, this is normally the “Request” registered by Online case submission.
The Customer’s use of SuperOffice products is governed by one or more of the below-listed agreements (“Customer Use Agreements”):
i. SuperOffice CRM Online Master Subscription Agreement (“MSA”)
ii. SuperOffice Onsite Subscription Agreement
iii. SuperOffice Software Maintenance Agreement
Authority to sign this Agreement
This is a legally binding agreement and by accepting it you agree to the terms of this Agreement on behalf of the Company with which you are employed, affiliated or associated.
The content of this Agreement
Between SuperOffice AS (“Processor”) and Customer (“Controller”)
1. Purpose and definitions of the DPA
The purpose of this Data Processing Agreement is to regulate the Processor’s processing of personal data on behalf of the Controller whilst providing Support & Consulting Services related to SuperOffice CRM products.
This Data Processing Agreement governs the Processor’s rights and obligations, in order to ensure that all Processing of Personal Data is conducted in compliance with applicable data protection legislation.
Processing of Personal Data (as defined below) is subject to requirements and obligations pursuant to applicable law. When the Controller is a legal entity established in the European Economic Area (the "EEA") relevant data protection legislation will include local data protection legislation and the present EU Regulation 2016/679 dated April 27th, 2016. The parties agree to amend this Data Processing Agreement to the extent necessary due to any mandatory new requirements following from the EU Regulation 2016/679.
“Personal Data” shall mean any information relating to an identified or identifiable natural person, as further defined in applicable law and EU Regulation 2016/679.
“Processing” of Personal Data shall mean any use, operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, transfer, storage, alteration, disclosure as further defined in applicable law and EU Regulation 2016/679.
“Third Countries” shall mean countries outside of the EU/EEA area which are not recognized as countries providing adequate protection of Personal Data.
2. Controller’s responsibilities
The Controller acknowledges and accepts that any Personal Data that the Controller uploads as part of the Service, such as uploaded Personal Data pertaining to the Controller’s own customers, may be transferred to a third party (sub-processor) based in the European Economic Area (EEA) which will provide for hosting of the Service, including the provisioning of all hardware, infrastructure, data storage and communication lines. The obligations of the third party in regard to Personal Data are set forth in a separate data processing agreement between Processor and the third party within the framework of this Data Processing Agreement. All data in the Service are stored on servers located in Europe.
3. Processor’s responsibilities
The Processor shall comply with all provisions for the protection of Personal Data set out in this Data Processing Agreement and in applicable data protection legislation with relevance for Processing of Personal Data.
The Processor shall comply with the instructions and routines issued by the Controller in relation to the Processing of Personal Data.
3.2 Restrictions on use
The Processor shall only Process Personal Data on, and in accordance with, the instructions from the Controller. The Processor shall not Process Personal Data without a prior written agreement with the Controller or without written instructions from the Controller beyond what is necessary to fulfil its obligations towards the Controller under the Agreement.
3.3 Information Security
The Processor shall by means of planned, systematic, organizational and technical measures ensure appropriate information security with regard to confidentiality, integrity, and accessibility in connection with the Processing of Personal Data in accordance with the information security provisions in applicable data protection legislation.
The measures and documentation regarding internal control shall be made available to the Controller upon request.
3.4 Discrepancies and data breach notifications
Any use of the information systems and the Personal Data not compliant with established routines, instructions from the Controller or applicable data protection legislation, as well as any security breaches, shall be treated as a discrepancy.
The Processor shall have in place routines and systematic processes to follow up discrepancies, which shall include re-establishing of the normal state of affairs, eliminating the cause of the discrepancy and preventing its recurrence.
The Processor shall immediately notify the Controller of any breach of this Data Processing Agreement or of accidental, unlawful or unauthorized access to, use or disclosure of Personal Data, or that the Personal Data may have been compromised or a breach of the integrity of the Personal Data. The Processor shall provide the Controller with all information necessary to enable the Controller to comply with applicable data protection legislation and enabling the Controller to answer any inquiries from the applicable data protection authorities. It is the Controller's responsibility to notify the applicable Data Protection Authority of discrepancies in accordance with applicable law.
3.5 Confidentiality
The Processor shall keep confidential all Personal Data and other confidential information. The Processor shall ensure that each member of the staff of the Processor, whether employed or hired employee, having access to or being involved with the Processing of Personal Data under the MSA (i) undertakes a duty of confidentiality and (ii) is informed of and complies with the obligations of this Data Processing Agreement. The duty of confidentiality shall also apply 1 year after termination of the MSA or this Data Processing Agreement.
3.6 Security audits
The Processor shall on a regular basis carry out security audits for systems and similar relevant for the Processing of Personal Data covered by this Data Processing Agreement. Reports documenting the security audits shall be available to the Controller.
The Controller has the right to demand security audits performed by an independent third party at the Processor's choice. The third party will provide a report to be delivered to the Controller upon request. The Controller accepts that the Processor may claim compensation for the performance of the audit.
3.7 Use of sub-contractors (sub-processors)
The Processor is entitled to use sub-contractors and the Controller accepts the use of sub-contractors. A list of pre-approved sub-processors is available in the SuperOffice Trust Center. The Processor shall, by written agreement with any sub-contractor ensure that any Processing of Personal Data carried out by sub-contractors shall be subject to the same obligations and limitations as those imposed on the Processor according to this Data Processing Agreement.
If the Processor plans to change sub-contractors or plans to use a new sub-contractor, Processor shall notify the Controller in writing 4 months prior to any Processing by the new sub-contractor, and the Controller may within 1 month of the notice object to the change of sub-contractors. Should the Controller object to the change, Controller may terminate the MSA upon 3 months' notice. To the extent Controller does not terminate the MSA, the change of sub-contractor shall be regarded as accepted.
3.8 Transfer of Personal Data to Third Countries
If the Processor uses sub-contractors outside the EU/EEA area for Processing of Personal Data, such Processing must be in accordance with the EU Privacy Shield Framework, EU Standard Contractual Clauses for transfer to third countries, or another specifically stated lawful basis for the transfer of personal data to a third country. For the avoidance of doubt, the same applies if the data is stored in the EU/EEA but may be accessed from locations outside the EU/EEA.
Should the Controller approve such transfer of Personal Data, the Processor is obligated to cooperate with the Controller in order to ensure compliant transfers.
4. Non-disclosure Agreement
4.1 Each of the parties to this Agreement intends to disclose information (the Confidential Information) to the other party for the purpose of Support and Consulting services related to SuperOffice CRM products (“Purpose”).
4.2 Each party to this Agreement is referred to as ‘the Recipient’ when it receives or uses the Confidential Information disclosed by the other party.
4.3 The Recipient undertakes not to use the Confidential Information disclosed by the other party for any purpose except the Purpose, without first obtaining the written agreement of the other party.
4.4 The Recipient undertakes to keep the Confidential Information disclosed by the other party secure and not to disclose it to any third party, except to its employees and professional advisers who need to know the same for the Purpose, who know they owe a duty of confidence and are bound by obligations equivalent to those in this NDA.
4.5 The undertakings in clauses 4.3 and 4.4 above apply to all of the information disclosed by each of the parties to the other, regardless of the way or form in which it is disclosed or recorded, but they do not apply to:
a) any information which is or in future comes into the public domain (unless as a result of the breach of this Agreement); or
b) any information which is already known to the Recipient and which was not subject to any obligation of confidence before it was disclosed to the Recipient by the other party.
4.6 Nothing in this Agreement will prevent the Recipient from making any disclosure of the Confidential Information required by law or by any competent authority.
4.7 The Recipient will, on request from the other party, return all copies and records of the Confidential Information disclosed by the other party to the Recipient and will not retain any copies or records of the Confidential Information disclosed by the other party.
4.8 Neither this Agreement nor the supply of any information grants the Recipient any license, interest or right in respect of any intellectual property rights of the other party except the right to copy the Confidential Information disclosed by the other party solely for the Purpose.
4.9 The parties shall ensure that each member of the staff of the parties, whether employed or hired employee, having access to or being involved in performing the Services, undertakes a duty of confidentiality and is informed of and complies with the obligations of this Non-disclosure Agreement. The duty of confidentiality shall also apply 1 year after termination of this Agreement.
5. Liability, breach
In the event of a breach of this Agreement, or a breach of obligations according to applicable law on Processing of Personal Data, the relevant provisions regarding breach of the Customer Use Agreement shall apply.
Claims from one party due to the other party’s non-compliance with the Data Processing Agreement shall be subject to the same limitations as in the Customer Use Agreement. In assessing whether the limitation is reached, claims under this Agreement and the Customer Use Agreement shall be viewed in conjunction, and the limitation in the Customer Use Agreement shall be viewed as a total limitation.
6. Term and termination of the Agreement, changes
This Agreement shall be effective from the date it is signed/approved by both parties and until SuperOffice’s obligations in relation to Customer Use Agreements are terminated, except for provisions that continue to apply after such termination.
For Services performed for Customers not having an active Customer Use Agreement, an Addendum to this DPA/NDA Agreement must be made to describe the circumstances and define the Termination clause, which normally will be when a specific Service is completed.
Upon termination of this Data Processing Agreement, the Personal Data/data shall be returned to facilitate the Controller’s further use of the Personal Data/data if the Controller requests so. The Processor shall first return and subsequently delete all Personal Data and other data. The Processor (and its sub-contractors) shall immediately stop the Processing of Personal Data from the date stipulated by the Controller.
As an alternative to returning the Personal Data (or other data), the Controller may, at its sole discretion, instruct the Processor in writing, that all or parts of the Personal Data (or other data) shall be deleted by the Processor, unless the Processor is prevented by mandatory law from deleting the Personal Data.
The Processor has no right to keep a copy of any data provided by the Controller in relation to this Data Protection Agreement in any format, and all physical and logical access to such Personal Data or other data shall be deleted.
The Processor shall provide the Controller with a written declaration whereby the Processor warrants that all Personal Data or other data mentioned above has been returned or deleted according to the Controller’s instructions and that the Processor has not kept any copy, print out or kept the data on any medium.
The obligations pursuant to sections 3.5 (Confidentiality) and 4 (NDA) shall continue to apply 1 year after termination.
The parties shall amend this Data Protection Agreement upon relevant changes in applicable law.
SuperOffice reserves the right to make amendments to the terms and conditions of this Agreement with 4 months prior notice. All Customers will be informed of such amendments by email or through the information being made available on SuperOffice’s websites, Trust Center or Customer Community.
7. Dispute and jurisdiction
This Data Processing Agreement and Non-disclosure agreement shall be governed by the laws according to the SuperOffice entity the Customer is contracting with:
| If you are domiciled in: | Customer is contracting with: | Notices should be sent to: | The governing law is: | The courts having exclusive jurisdiction are: |
| --- | --- | --- | --- | --- |
| Denmark | SuperOffice Danmark A/S | Delta Park 46, 2665 Vallensbæk Strand, Denmark | Danish | Copenhagen, Denmark |
| Finland and Sweden | SuperOffice Sweden AB | Ynglingatan 14, 113 47 Stockholm, Sweden | Swedish | Stockholm, Sweden |
| Norway | SuperOffice Norge AS | Wergelandsveien 27, 0167 Oslo, Norway | Norwegian | Oslo, Norway |
| Germany | SuperOffice GmbH | Martin-Schmeißer-Weg 3b, 44227 Dortmund, Germany | German | Dortmund, Germany |
| United Kingdom and Ireland | SuperOffice Software Ltd. | Cranfield Innovation Centre, University Way, Cranfield, MK43 0BT, United Kingdom | UK | Milton Keynes, UK |
| Switzerland | SuperOffice AG | Uferstrasse 90, 4057 Basel, Switzerland | Swiss | Basel, Switzerland |
| Netherlands, Belgium and Luxemburg | SuperOffice Benelux B.V. | Emmasingel 29.41, 5611 AZ, Netherlands | Dutch | Oost-Brabant, locatie Eindhoven, |
This Agreement is digitally signed and approved by the responsible person at the customer by returning an email with such consent / approval.
for Support & Consulting Services
This document provides an overview of how SuperOffice processes customers' data in relation to the Data Processing Agreement for Support & Consulting Services (Section A). A Guide with further instructions will also be made available to Customer.
SuperOffice employees shall comply with the instructions and routines issued in this document in relation to the Processing of Personal Data and Confidentiality / Non-disclosure.
3 Scenarios for access to Customer data
Personal data will be processed only to the extent necessary to provide the required Services, i.e. to fulfill a Task Description or a Support Request issued by Customer.
Access to Customer Data is performed in 3 different scenarios as described below:
Scenario 1. Access to Customer Data via Consultant present at Customer location
Customer Data is stored and processed on Customer controlled servers. The SuperOffice Consultant connects to the Customer's computers/servers through a customer-owned computer or his own computer. Data and systems are accessed in real time and no customer data is copied onto any device not accepted and controlled by Customer.
This process consists of these steps:
- The Customer representative provides the SuperOffice Consultant with access credentials to Customer network and relevant systems.
- The SuperOffice Consultant performs the task at hand.
- The SuperOffice Consultant logs out of all customer systems and leaves the premises.
- If Customer Data is copied onto the computer owned by the SuperOffice Consultant, the Customer representative may supervise the process of deleting all Customer Data from Consultant’s computer before leaving the premises. If Customer and SuperOffice Consultant agree, the Customer data can reside on the Consultant Computer when leaving the premises if this is beneficial for completing the Service.
- The Customer representative removes the SuperOffice Consultant's access credentials to Customer network/systems.
Scenario 2. Access to Customer Data via a Remote Access Tool
Customer Data is stored and processed on Customer controlled servers. The SuperOffice Consultant connects to Customer's computers to access database/customer data via a Remote Access Tool. Data and systems are accessed in real time and no customer data is copied onto any device not accepted and controlled by Customer. For clarity: SuperOffice Consultant is not present in Customer's location, but is located externally (i.e. in a SuperOffice office location).
This process consists of 6 steps:
- The SuperOffice Consultant invites the Customer representative to start a Remote Access Tool session through an email.
- The Customer representative accepts the invitation and provides the SuperOffice Consultant with access to the Customer network and relevant systems.
- The SuperOffice Consultant performs the task at hand.
- The Customer removes the Consultant's access to the customer data.
- The Customer removes the Consultant's access to the computer by closing the Remote Access Tool.
- The SuperOffice Consultant sends confirmation: “Data is no longer accessible”.
Scenario 3. Access to Customer Data on SuperOffice controlled servers
Customer Data is stored and processed on SuperOffice controlled servers. When it is beneficial for the purpose of performing a Consultancy Task or Support Request, the Customer Data can be transferred and stored on SuperOffice controlled servers. The transfer of Customer Data is performed in a secure process.
This process consists of 6 steps:
- The Customer will export and transfer Customer Data from Customer to SuperOffice in a secure channel provided by SuperOffice.
- The Customer Data is stored on secure SuperOffice servers.
- The SuperOffice Consultant performs the task at hand.
- If relevant, Customer Data is transferred from SuperOffice and back to Customer in a secure channel.
- SuperOffice deletes all Customer Data and relevant credentials to access the Customer Data.
- SuperOffice Consultant sends confirmation: “Data is no longer accessible”.