Data Protection Agreement
This Data Processing Agreement and its Annexes (“Labviva DPA”) form part of the Agreement entered into between You (“Customer”) and Labviva, Inc., 239 Causeway St., Suite 500, Boston, MA 02114, United States of America, (“Labviva”) (collectively, the “Parties”) and sets forth the terms and conditions under which the Parties may process Personal Data. In the event of a conflict in relation to the processing of Personal Data between this DPA, and any other agreement, this DPA shall prevail. Unless otherwise specified, capitalized terms used but not defined in this DPA shall have the meaning set forth elsewhere in the Terms. This DPA is effective on the date the Agreement is entered into and will continue in force until the expiration or termination of the Agreement in accordance with its terms.
1. Definitions
The following definitions shall apply for the purposes of this DPA:
“Agreement” means the Labviva DPA together with any document related to the Customer’s subscription to the Services including SaaS Agreements and Order Forms but not limited to any statements of work, contracts and/or any other agreements executed or approved by the Customer with respect to Customer’s subscription to the Labviva Services.
"Contact Data" means Personal Data provided by the Customer to Labviva including names, usernames (Labviva login details, and other communication software other usernames), business email addresses, business phone numbers, job titles, and such other information as is specified in the Agreement.
“Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor” and “Supervisory Authority” shall have the meanings set out in the GDPR (and related terms such as “Process” have corresponding meanings).
“Customer” means legal entities and businesses, excluding any natural persons, with which Labviva engages into an Agreement.
“Data Protection Laws” is defined as all legislation and regulations relating to the protection of Personal Data, including (without limitation), the Data Protection Acts 1988-2018, the GDPR, and all other statutory instruments, industry guidelines (whether statutory or non-statutory) or codes of practice or guidance issued by a relevant Supervisory Authority relating to the processing of Personal Data or privacy, each as amended, revised, modified or replaced from time to time.
“Documented Instructions” includes and are limited to statements of work, contracts and/or any other agreements executed or approved by the Customer.
“GDPR” means the General Data Protection Regulation (EU) 2016/679 on the protection of natural persons regarding the Processing of Personal Data and on the free movement of such data.
“Security Event” means an incident which results in (or may result in) the accidental or unlawful destruction, loss, alteration or unauthorized disclosure of, or access to, Customer’s Personal Data while in the custody or control of Labviva or a Sub-Processor.
“Services” means the service(s) and/or product(s) between Labviva and the Customer as defined in the respective Agreement between the named Parties.
“Standard Contractual Clauses” means (a) in respect of any Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR between (i) controllers and processors (Module 2) ("Controller to Processor") and/or (ii) processors and (sub-)processors (Module 3) ("Processor to Processor") as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 available at http://data.europa.eu/eli/dec_impl/2021/914/oj and the Addendum B.1.0 issued by the Information Commissioner's Office and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022 (incorporating the Mandatory Clauses of that Addendum) appended to the Standard Contractual Clauses.
“Sub-Processor” means the third party sub-processors set out in Annex 3 to this DPA engaged by Labviva to process Personal Data as authorized by Customer in accordance with this DPA.
“Third Country” means all countries that are not members of the European Economic Area (“EEA”) or which have not been recognized by the European Commission as providing an adequate level of protection for Personal Data.
"Transfer Solution" means the Standard Contractual Clauses or any other means or basis for permitting the transfer of Personal Data in accordance with applicable Data Protection Laws.
“TOMs” means technical and organizational measures.
“Labviva Terms” means Labviva’s terms and conditions defined in the respective agreement between the Parties.
2. Data Protection Roles
The Parties acknowledge that:
In the context of Labviva’s Services, Labviva will act as a Processor to the Customer who can either act as a Controller or Processor of Contact Data.
3. Customer Obligations
Customer represents and warrants that it will only use the Contact Data to process Personal Data if such processing is in compliance with the applicable Data Protection Laws.
4. Labviva Obligations
4.1. Compliance with instructions
The parties agree that the Labviva DPA and the Agreement (including Customer providing instructions via configuration tools) constitute Customer’s documented instructions provided in the Agreements regarding Labviva’s processing of Customer Data (“Documented Instructions”). Labviva, as the Processor, will process the Contact Data only in accordance with Documented Instructions by the Customer.
Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Labviva and Customer, including agreement on any additional fees payable by Customer to Labviva for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Labviva declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Considering the nature of the processing, Customer agrees that it is unlikely Labviva can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Labviva forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions. Labviva, as the Processor, will also immediately inform the Customer whether it is obliged, under EU or EU Member State law, to process data contrary to the instructions of the Customer or without the instructions of the Customer (if such notification is permissible).
4.2. Confidentiality
The parties agree that the Labviva DPA and the Agreement (including Customer providing instructions via configuration tools) constitute Customer’s documented instructions provided in the Agreements regarding Labviva’s processing of Customer Data (“Documented Instructions”). Labviva, as the Processor, will process the Contact Data only in accordance with Documented Instructions by the Customer.
Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Labviva and Customer, including agreement on any additional fees payable by Customer to Labviva for carrying out such instructions. Customer is entitled to terminate this DPA and the Agreement if Labviva declines to follow instructions requested by Customer that are outside the scope of, or changed from, those given or agreed to be given in this DPA. Considering the nature of the processing, Customer agrees that it is unlikely Labviva can form an opinion on whether Documented Instructions infringe Applicable Data Protection Law. If Labviva forms such an opinion, it will immediately inform Customer, in which case, Customer is entitled to withdraw or modify its Documented Instructions. Labviva, as the Processor, will also immediately inform the Customer whether it is obliged, under EU or EU Member State law, to process data contrary to the instructions of the Customer or without the instructions of the Customer (if such notification is permissible).
4.3. Return of Personal Data
At the choice of the Customer, all Contact Data held by Labviva shall be deleted or returned to the Contact upon the termination of the Agreement, unless EU or Member State law otherwise requires such Contact Data to be retained by Labviva for a prescribed period.
If the Customer chooses to have the data returned, Labviva shall transmit the data to the Customer in a reusable and common electronic data format, which the Customer may freely choose.
4.4. Data Security
Labviva shall implement and maintain appropriate TOMs designed to meet the requirements of Article 32 GDPR to protect Data Subjects and Personal Data against any misuse, accidental, unlawful or unauthorized destruction, loss, alteration, disclosure, acquisition or access.
Labviva shall, without undue delay, notify Customer of a Security Event. Where, and insofar as, it is not possible to provide all information at the same time, the initial notification of a Security Event shall contain the information then available and further information shall be provided as it becomes available without undue delay.
Labviva will provide Customer with information about:
● the details of a contact point where more information concerning the Security Event can be obtained;
● the nature of the Security Event including the categories and approximate number of Data Subjects and Personal Data records concerned;
● the likely consequences of the Security Event; and
● the steps Labviva has taken to address the Security Event.
Labviva shall take all necessary steps to mitigate the effects and to minimize any damage resulting from the Security Event and to prevent a recurrence of such Security Event; and provide such assistance and cooperation as Customer requires in responding to the Security Event including in relation to notifying any relevant regulatory authority and/or Data Subject of the Security Event.
5. Sub-Processors
Customer agrees that Labviva may share Personal Data with the Sub-Processors listed in Annex III. Labviva may remove or replace the current Sub-Processors from time to time as necessary to provide the Services and will notify You of any such changes.
Labviva must ensure that a written contract is entered into with each Sub-Processor that is compliant with the same data protection obligations as those to which Labviva itself is subject under the applicable Data Protection Laws.
Labviva shall be responsible and liable for any acts or omissions of the Sub-Processor. Instructions given by Labviva to any Sub-Processor must be within the scope of this DPA.
6. Third Country Transfer of Personal Data
The Parties acknowledge and agree Labviva may transfer Contact Data outside of the EEA.
Therefore, the Parties agree that the Standard Contractual Clauses will be incorporated by reference and form part of this DPA as follows: Customer shall be the “data exporter” and Labviva shall be the “data importer”.
In relation to Customer’s Contact Data as well as data extracted using Labviva Services, the following modules shall apply:
• Module 2 (Controller to Processor)
• Module 3 (Processor to Processor)
The Parties acknowledge that the Customer may either act as a Processor (and Labviva as a Sub-Processor) or as a Controller (and Labviva as a Processor), depending on the specific data at issue.
In Clause 7, the optional docking clause shall not apply.
In Clause 9, Option 2 shall apply with at least 7 days prior notice (including email).
In Clause 11, the optional language shall not apply.
In Clause 17, the law of the Republic of Ireland shall apply.
In Clause 18, the courts of the Republic of Ireland shall have jurisdiction.
The Annex I and II to the Standard Contractual Clauses are set out in the Annex I and II to this DPA.
In the event of a change in any applicable Data Protection Laws relating to the country/countries where an adequate level of data protection exists requiring an alternative Transfer Solution to be implemented to permit the continued transfers of Personal Data anticipated in the Agreement, the Parties each agree to act reasonably to seek to agree an alternative Transfer Solution permitting the relevant Party to continue Processing the Personal Data in the relevant country/countries and the relevant international transfer(s) to continue.
In the event the European Commission issues any replacement or substitution of the Standard Contractual Clauses, upon receipt of written notice from a Party requiring the same, the Standard Contractual Clauses incorporated into this DPA pursuant to this clause shall be deemed to be deleted and replaced with such replacement or substitution which each Party agrees shall be deemed to be incorporated into this Agreement in place of the Standard Contractual Clauses (and all references in this DPA shall be deemed to refer to such replacement or substitutions clauses accordingly). To the extent necessary, each Party agrees to co-operate taking such other measures as may be necessary to give effect to such replacement or substitution of the Standard Contractual Clauses in order to comply with applicable Data Protection Laws and/or otherwise satisfy any administrative or documentary requirements relating to the same.
7. Liability
The liability of either Party under or in connection with this agreement shall be limited to 200% of the contract volume between Labviva and the Customer and, in case of a contract with an unlimited term, 200% of the yearly contract volume between Labviva and the Customer.
8. General
Nothing in this DPA reduces the Customer's obligations under the Agreement in relation to the protection of Personal Data.
This DPA and any disputes or claims arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed, in accordance with, the laws of Ireland.
The Parties irrevocably agree that in relation to any dispute or claim that arises out of or in connection with the DPA or its subject matter or formation (including non-contractual disputes or claims) the courts of Ireland shall have jurisdiction.
Amendments to this agreement shall be made exclusively in writing. This shall also apply to this requirement of written form. Notwithstanding the above, Labviva may propose amendments to this Agreement by sending the proposed amendment to the primary contact email address provided by the Customer and such proposal shall be deemed accepted by the Customer if the Customer does not object to the proposal by response email within 14 days of receiving the proposal. Should any provision of this agreement be invalid or ineffective, it shall, to the extent permitted by law, be replaced by that provision which comes closest in economic terms to the invalid or ineffective provision.
ANNEX I
A. List of Parties
Data Importer:
Data Exporter:
B. Description of Transfer
C. Competent Supervisory Authority
ANNEX II
TECHNICAL AND ORGANIZATIONAL MEASURES INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
B. Description of Transfer
ANNEX III
LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors (including a clear delimitation of responsibilities in case several sub-processors are authorized):