DATA PROCESSING AGREEMENT
1
GENERAL
- This DPA is applicable between the Customer and SignUp in relation to SignUp's processing of personal data within the scope of the provision of the SignUp Services, as ordered by the Customer under an Order Agreement.
- By executing an Order Agreement that references this DPA, the Customer agrees to the terms and conditions set out herein and that this DPA shall form an integrated part of the Agreement.
- If any provision of this DPA is found by any court of competent jurisdiction to be invalid or unenforceable, the invalidity of such provision shall not affect the other provisions hereof, and all provisions not affected by such invalidity shall remain in full force and effect.
- Unless otherwise agreed between the Parties, this DPA shall not be applicable between the Parties if the Customer is a non-EU or non-UK entity without any EU or UK based Affiliates that will use the SignUp Services and the contracting SignUp entity (as set out in the Order Agreement) is a non-EU or non-UK SignUp entity.
- It is acknowledged and agreed that with regard to processing of personal data under this DPA, the Customer is the controller (for its own part and on behalf of its Affiliates, as the case may be), and SignUp is the processor for such processing.
- The duration, nature and purpose of the processing, the types of personal data and categories of data subjects processed under this DPA are specified in Annex 1 hereto, as may be updated by the Parties as applicable from time to time.
2
DEFINITIONS
Capitalized terms used in this DPA shall have the meaning assigned to them in the General Terms and Conditions, unless the context requires otherwise. In addition to the definitions under the General Terms and Conditions, the below terms shall have the following meaning:
"Applicable Data Protection Laws" means all EU and relevant member state legislation and regulations, including regulations and decisions issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to SignUp and the Customer, including without limitation the GDPR, including any future interpretations thereof in court precedence from the EU Court of Justice or any other authorized court or supervisory authority.
"DPA" means this data processing agreement and the appendices attached hereto (as amended from time to time in accordance herewith).
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). If the Customer is a UK entity, any reference to the “GDPR” shall be interpreted to include a reference to the UK GDPR.
"Sub-processor" means any processor engaged by SignUp, by an Affiliate of SignUp or by another Sub-processor, including Affiliates of SignUp acting as processors (as the case may be).
"Standard Contractual Clauses" or sometimes also referred to the "EU Model Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council, based on the Commission Decision (EU) 2021/914 of 4th June 2021. The terms "controller", "processor", "data subject", "processing", "personal data", and "personal data breach", shall have the same meanings as set out in article 4 of the GDPR
3
CUSTOMER OBLIGATIONS
- Except as may be otherwise required under the Applicable Data Protection Law, the Customer shall, on behalf of any Affiliate, serve as a single point of contact for SignUp in all matters under this DPA and shall be responsible for the internal coordination, review and submission of instructions or requests to SignUp as well as the onward distribution of any information, notifications and reports provided by SignUp hereunder.
- In its capacity as controller the Customer confirms (for its own part and/or on behalf of its Affiliates, as the case may be) that it is entitled to provide access to personal data to SignUp for the purposes hereof and, consequently, that it has a lawful basis and any necessary approvals from any relevant data subjects for SignUp's performance of the SignUp Services.
- The Customer shall have sole responsibility for the accuracy, quality, and legality of personal data and the means by which the Customer acquired personal data.
4
SIGNUP'S OBLIGATIONS
4.1
SignUp shall process personal data hereunder solely in accordance with the documented instructions of
the Customer, for the following limited purposes:
- performance of the SignUp Services under the terms of the Agreement;
- where applicable depending on the SignUp Services provided to the Customer under the Agreement, setting up, operating, and monitoring the underlying infrastructure (hardware, software, servers, environments, connectivity, etc) required to provide the SignUp Services to the Customer and to meet the technical, security and organizational requirements for the processing of the personal data in connection therewith;
- processing initiated by authorized users of the Customer in their use of the SignUp Services;
- executing documented instructions of the Customer provided such instructions relate to and are consistent with the SignUp Services;
- addressing service issues or technical problems; and/or
- meeting any express requirement under the Applicable Data Protection Laws, in which case SignUp shall, unless it is prohibited by applicable laws from doing so, inform the customer of that legal requirement before processing.
4.2
SignUp is prohibited from processing the Customer's personal data for SignUp's own purposes unless
the Customer has provided its approval for such processing or if SignUp is required to process the
personal data by virtue of applicable laws, in which case SignUp will be the controller for such
processing.
4.3
SignUp will report to the Customer without undue delay any request, demand or order received by
SignUp from a competent supervisory authority or a data subject relating to the processing of personal
data on the Customer's behalf.
4.4
Taking into account the nature of the processing, SignUp will assist the Customer in complying with its
obligation to respond to requests of data subjects under Applicable Data Protection Laws (including
requests for exercising data subjects' rights under the Applicable Data Protection Law) by appropriate
technical and organizational measures, insofar as this is possible provided that SignUp will provide such
assistance to the extent:
- the information is available to SignUp, and such information is not otherwise available to the Customer or the requested assistance cannot practicably be performed by the Customer;
- the Customer acknowledges that SignUp has no responsibility to interact directly with any data subject or supervisory authority in respect of any request, demand or order (except as expressly provided under the Applicable Data Protection Law or as otherwise agreed by the Parties in writing); and
- to the extent legally permitted, the Customer shall be responsible for any costs arising from SignUp's provision of such assistance.
4.5
Subject to applicable legal retention obligations, upon termination of the Agreement SignUp will return
to the Customer or delete any personal data that has been processed on the Customer's behalf under this
DPA. If the Customer has not instructed SignUp whether the personal data should be returned or deleted
within fourteen (14) calendar days from termination of the Agreement, SignUp is entitled to delete the
personal data.
4.6
SignUp will only rely on personnel in the processing of personal data who are contractually or by
statutory obligation bound to maintain confidentiality, ensure that access to personal data processed is
limited to those personnel who require such access to perform the applicable SignUp Services, and take
commercially reasonable steps to ensure the reliability of personnel engaged in the processing of
personal data hereunder.
4.7
SignUp will promptly inform the Customer if, in its opinion, any instruction or request violates
Applicable Data Protection Law, and SignUp disclaims any obligation or liability with regard to any
such instructions or requests.
4.8
The Customer may request SignUp to provide assistance if the Customer is carrying out a data
protection impact assessment. Such assistance will in such case consist of SignUp providing relevant
information to the Customer regarding the personal data processed in the SignUp Services. SignUp shall
be entitled to charge the Customer its Professional Services Fees on a time and material basis for such
assistance.
4.9
The Customer accepts that any requests for information, assistance or activities beyond SignUp's
ordinary course of business, routines or practices, or what is otherwise commercially reasonable, shall
be specifically agreed in an Order Agreement and may be subject to additional fees and charges.
5
SECURITY
In connection with its processing of personal data hereunder SignUp will provide for and maintain appropriate administrative, physical, technical and organizational security measures for such processing, which are intended to protect personal data against accidental or unauthorized loss, destruction, alteration, disclosure or access, and to ensure a level of security appropriate to the particular risks involved in the processing. In this connection:
- it is acknowledged that further details on the administrative, physical, technical and organizational security measures that will be implemented and maintained by SignUp in processing the personal data are described or referred to in Annex 1 hereto; and
- SignUp will not materially decrease the overall security of any SignUp Services with respect to processing of personal data.
6
PERSONAL DATA BREACH
6.1
SignUp will inform the Customer without undue delay after it becomes aware of any personal data
breach in connection with the processing of personal data under this DPA, observing the following
process:
- SignUp will investigate the personal data breach and take reasonable measures to identify its root cause(s) and, where such breach is caused by SignUp or a SignUp Sub-processor;
- as information is collected or otherwise becomes available, to the extent legally permitted, SignUp will provide the Customer with a description of the personal data breach, the type of the data to which the breach relates, and, other information the Customer may reasonably request concerning the affected data subject(s) where such information is available to SignUp; and
- the Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected data subject(s) and/or the competent supervisory authorities.
6.2
The obligations set out above will not apply, to the extent that the personal data breach is caused by the
Customer, the Customer's Affiliate or anyone acting for the Customer, save that SignUp will inform the
Customer of the personal data breach and provide information it discovers up to the stage it identifies
the breach is caused by the Customer, the Customer's Affiliate or anyone acting for the Customer.
SignUp may charge the Customer for any assistance that the Customer may request when a personal
data breach is attributable to or caused by the Customer.
7
AUDITS
SignUp shall upon the Customer's request, make all necessary information available to demonstrate compliance hereof and allow for audits, including inspections, to be performed by the Customer (or an independent third-party auditor mandated by the Customer that is reasonably acceptable to SignUp and subject to signature of a confidentiality agreement with SignUp) of SignUp relevant to the personal data processed under this DPA.
8
SUB-PROCESSORS
- SignUp may delegate the processing of personal data to a Sub-processor. SignUp shall ensure that SignUp has concluded a data processing agreement with such Sub-processor on terms equivalent to and not less restrictive than the provisions in this DPA. Moreover, SignUp shall remain fully liable for the conduct of any of its Sub-processors as for its own conduct.
- Subject to Section 8.1, the Customer hereby gives its general written consent and authorization to SignUp to use Sub-processors for processing of personal data solely for the purposes set forth in this DPA. The current list of SignUp Sub-processors is available at GDPR-Sub-Processors - SignUp Software ("Sub-processor List"). SignUp shall update the Sub-processor List before authorizing any new Sub-processor(s) to process personal data in connection with the provision of the SignUp Services.
- The Customer may object to SignUp's use of a new Sub-processor by notifying SignUp in writing within ten (10) Business Days from when the Sub-processor List was updated. In the event the Customer objects to a new Sub-processor, SignUp will use commercially reasonable efforts to provide the SignUp Services without engaging the Sub-processor subject to the objection. If such work-around is not possible, the Customer shall be entitled to terminate the relevant SignUp Service. In the event of such termination, the Customer shall not be entitled to any refund of any fees paid to SignUp within the scope of the Agreement.
9
LIMITATION OF LIABILITY
9.1
The Parties liability with respect to data subjects’ claims for compensation shall be handled in
accordance with article 82 of the GDPR.
9.2
The Parties acknowledge and agree that neither Party shall have an obligation to indemnify the other
Party for any administrative fines imposed by a supervisory authority or a court under Applicable Data
Protection Legislation.
9.3
For the purposes of Section 9.2 above, both Parties shall, to a reasonable extent, provide information to
the other Party which may be useful within the scope of a supervisory matter or a court proceeding.
9.4
Without prejudice to the foregoing, the Parties' liability under this DPA shall be limited in accordance
with the provisions of the General Terms and Conditions.
10
TRANSFER OF PERSONAL DATA
10.1
The Customer acknowledges and agrees that SignUp is only entitled to transfer personal data to a
country located outside the EU/EEA under the following circumstances:
- the country is subject to an adequacy decision made by the European Commission, or, in the absence of an adequacy decision;
- SignUp has taken measures to ensure that the transfer is lawful, e.g. by ensuring that there is a transfer mechanism in place subject to article 46 GDPR or a specific derogation according to article 49 GDPR.
10.2
Where personal data is transferred outside the EU/EEA on the basis of a transfer mechanism under
article 46 GDPR, SignUp will conduct a risk analysis in accordance with the recommendations 01/2020
and 02/2020 of the European Data Protection Board. The Customer is, in accordance with Section 7
above, entitled to receive information about the result of such risk analysis.
10.3
The Sub-processor List includes information about any potential third-country transfers made by
SignUp within the scope of the Agreement.
1
EXFLOW AND AXTENSION
The following description of processing relates to Customer’s that are using ExFlow and Axtension.
| Name | Desc |
|---|---|
| Description of processing | Personal data will be processed to a limited extent within the scope of providing implementation services, Consultancy Services and Support Services and only in cases where SignUp needs access to the Customers environment (which is only provided upon Customer’s approval). Generally, there will be no need to access any personal data, but in circumstances where said services requires access to an invoice, processing of data in that invoice will occur. |
| Purpose of the processing | The purpose of the processing is to be able to provide the implementation, Consultancy Services or Support Services in accordance with the Agreement. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | SignUp will not store any data on behalf of the Customer. |
2
EXFLOW WEB
| Name | Desc |
|---|---|
| Description of processing | ExFlow Web is a cloud-based interface for approval of invoices. The processing that will be carried out is mainly storage and processing of invoices through the ExFlow Web application. |
| Purpose of the processing | The purpose is to provide the ExFlow Web service to the Customer. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Invoices are stored for sixty (60) days and are thereafter automatically erased by SignUp. |
3
EXFLOW DATA CAPTURE
| Name | Desc |
|---|---|
| Description of processing | The processing in ExFlow Data Capture includes processing of invoices in a cloud-based environment. This will include storage and processing of invoice data. |
| Purpose of the processing | The purpose of the processing is to provide the ExFlow Data Capture service in order for the Customer to be able to seamlessly interpret and extract critical invoice data. |
| Categories of personal data | Any data that may be available on an invoice, typically name, title, personal identification number, and other invoicing related identifiers. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | Personal data is stored for ninety (90) days and is thereafter automatically erased. |
4
EXFLOW E-INVOICING
| Name | Desc |
|---|---|
| Description of processing | The processing in ExFlow e-invoicing includes cloud based transmission of invoice data, which may include personal data. |
| Purpose of the processing | The purpose of the processing is to be able to send, receive and verify invoice data on behalf of the Customer. |
| Categories of personal data | Name, title, personal identification number, contact information, IP address and other data that may appear on an invoice. |
| Categories of data subjects | Generally persons employed by or representing the Customer, or any other individual whose personal data appears on an invoice. |
| Retention and erasure | For as long as necessary, however not longer than ninety (90) days, whereafter the personal data is automatically erased. |
4 ORGANIZATIONAL SECURITY MEASURES
Confidentiality
SignUp enters into non-disclosure agreements or other customary confidentially arrangements with all its employees, consultants or other personnel that are authorized to access and process personal data, through which they commit themselves to confidentiality in relation to the processing of data.
Processing on a strict “need to know” basis
SignUp ensures that access to personal data is restricted to those employees, consultants or other personnel at SignUp who need access to personal data in order for SignUp to fulfil its obligations.Internal policies, processes and routines
SignUp has internal policies, processes and routines in place governing the security within the organization, such as e.g. descriptions on what is an acceptable use of networks, systems and physical resources within the organization and an action plan for how to act in the event of a security incident etc.Continuous awareness and training
SignUp ensures to annually continuously educate its employees, consultants and other personnel on how to process personal data in our systems. The training contributes to making employees, consultants and other personnel aware both of their data protection obligation, as well as of the application of specific security measures.Defined roles and responsibilities
SignUp has defined separate roles and responsibilities in terms of security. Clearly defining who really needs to access the data and limiting access only to those persons, as well as to define who is responsible, contributes to the security of the data.SignUp’s Head of Legal oversees SignUp’s data protection practices, monitoring compliance with the GDPR, and serves as a point of contact for privacy related matters.
Reviews and audits
Having policies and procedures in place is not enough if they are not effective. Thus, SignUp has established controls and audits to evaluate the effectiveness, detect and correct what is not working and improve whatever can be done better.External audits
SignUp hires external experts to perform penetration tests on the company’s GDPR compliance on a recurring schedule. Providers for this service and the delivery of reports are handled with security and integrity top of mind.Notable events 2024
SignUp has acquired several companies during 2024. In conjunction with the transactions and the following integration of the acquired companies into the SignUp group, SignUp has reviewed and updated parts of its data privacy compliance framework to further strengthen SignUp’s data privacy compliance on group level.Moreover, in order to further establish its position as a trustworthy business partner, SignUp has initiated the journey to become ISO27001 certified, a project that aims to be completed during 2025.
5 TECHNICAL SECURITY MEASURES
Security by design
SignUp’s approach to security is to create and offer a service that is secure by design, by using best-in-class providers that offers a high level of built-in security. To that end, technical features or systems within or connected to the service in which personal data might be processed are provided by well renowned suppliers with a high level of security. For instance, Azure AD (Entra ID) P2 with MFA and PIM (Privileged identity Management) to assure best in class implementation of principle of least privilege information.Encryption of personal data
By using best-in-class providers, SignUp’s technical features or systems within or connected to SignUp’s services are protected by advanced encryption services and tools to protect the data. Data is encrypted in transit by Transport Layer Security (TLS) and at rest by always using encrypted storage volumes. SignUp applies the most current version of the TLS protocol.Configuration under version control
In order to maintain traceability of changes to configuration and infrastructure SignUp keeps all possible configuration under version control. This applies both to pure configuration files as well as utilizing infrastructure as code where possible.Password controls
SignUp users and SignUp personnel are informed of their responsibility to maintain effective access control, such as choosing strong passwords and keeping them confidential. MFA is always used and enforced for any system where it is supported.Access restrictions
SignUp continuously manages the access rights to e.g. ensure that access is stripped when no longer necessary.Alarm system, locking system and key management
The physical environment relevant to the systems and services in which the data is processed must be adequately safeguarded to prevent unauthorized access to e.g. IT equipment and network components. To that end, access to SignUp’s office environment is protected by e.g. an alarm system, locking system and proper key management.SignUp’s hosting and service providers have best-in-class security at their facilities.
Log files
In order to identify potential internal or external attempts for unauthorized use or system violation, SignUp keep and monitor log files that enables identification and tracking of user actions.Appropriate disposal
When disposing paperwork or devices that contain personal data, SignUp ensures that it is done in a way that ensures that personal data cannot be retrieved by an unauthorized person, whether intentionally or unintentionally.Cybersecurity
SignUp ensures cybersecurity within its systems, which at the most basic level entails e.g. firewalls, malware scans, anti-virus protection, patches and updating the software when required. This applies to both the internal IT as well as for software and hardware that is offered to customers.Backup
Performed and maintained in accordance with SignUp’s routine for backup. The backup and restore functions are continuously tested, and the results are documented and registered.