This Data Processing Agreement (DPA) is entered into by and between Appello Inc, an Ontario corporation having it’s registered office address at 643 Railroad Street, Mount Brydges, ON, N0L1W0 and the party that electronically accepts or otherwise agrees or opts-in to this DPA, for instance by signing a SaaS Subscription Order Form and/or a SaaS License, Support, and Services Agreement (SLSA), it being specified within those documents that the acceptance constitutes acceptance of the DPA.
It is expressly understood that the DPA forms an integral part of the overall subscription agreement applying to the Parties regarding the provision of the Appello software platform under the terms of the SLSA.
ARTICLE 1 - Definitions
"Administrator": An individual authorized to manage the Company platform on behalf of the Data Controller.
"Company": Appello, responsible for Processing Personal Data on behalf of the Data Controller.
Contract": The agreement between the Data Controller and the Data Processor outlining the terms and conditions for Processing Personal Data. This also includes the SLSA and SaaS Subscription Order Form.
“Client”: Means any customer of the Appello software platform, other than an Administrator.
"Data Controller": The entity, typically the client, which determines the purposes and means of the Processing of Personal Data.
"Data Processor": The Company, responsible for Processing Personal Data on behalf of the Data Controller.
"Data Subject": The individual to whom the Personal Data relates.
"Personal Data": Any information relating to an identified or identifiable Data Subject.
"End-User": An individual who uses the services provided by the Company, typically employed by the Client
"Processing": Any operation or set of operations performed on Personal Data.
The personal data is collected and processed as follows:
2.1 The Personal Data of the Clients Staff
In accordance with its subscription to the Contract and the availability of the Appello software platform, the Company collects information about the Clients identification (corporate name, address, time zone, year-end tax date, etc.) and its contacts PersonalData (names, emails).
For the collection of Personal Data of the Clients staff (including the email address), the Company will be qualified as a Data Controller.
2.2 The Personal Data of End-Users
The End-Users' Personal Data, which are processed through the use of the Appello software platform, is the sole responsibility of the Client who collects and processes the Personal Data for its own account, it being understood that the Client determines the purposes and the general means of the processing of Personal Data in accordance with the applicable data protection legislation in their region and according to any Collective Bargaining Agreements related to their staff.
2.3 Processing of End-Users' Personal Data by the Company
The Client is informed that its End-User’s Personal Data is collected for the sole purpose of executing the Contract and the Appello software platform to which Client has subscribed. If the Client does not communicate the required Personal Data, the Client will not be able to utilize the full functionality of the services. The Client is informed that the Company carries out data analysis, as well as effective uses of the Appello software platform, but only after de-identifying the End- Users’ Personal Data. In addition, any data analysis is intended for Appello, to the exclusion of all third parties, for the sole purpose of optimizing and improving the functionalities of the Appello software platform and designing future products and solutions.
2.4 Obligations of the Client as Data Controller
The Client, while using the Appello software platform, must be qualified as Data Controller of the Personal Data of End-Users. As Data Controller, the Client explicitly commits to:
(i) having a legal basis to collect and process its Personal Data prior to collecting, hosting;
(ii) collect the End-Users’ Personal Data only for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(iii) keep a record of the processing of Personal Data carried out through the Appello software platform;
(iv)put in place all necessary technical and organizational appropriate measures to ensure the safety of the processing that is carried out, guarantee the protection of the rights of the persons concerned by the processing, and meet the requirements of any applicable data protection legislation;
(v) limit the access to Personal Data of the Users solely to the persons empowered to this effect, meaning the End-Users of the Appello software platform;
(vi) increase awareness and train staff members regarding the processing of Personal Data, the provisions of any applicable data protection legislation as well as its consequences;
(vii) never transfer, in any way whatsoever, the Personal Data of the End-Users to a third party, unless this transfer complies with any applicable data protection legislation;
(viii) guarantee all rights regarding the access, portability, erasure, rectification, opposition, and limitation of the Personal Data of the Users collected during the use of the Appello software platform; if the Client requires the Company’s assistance to do so, the Client commits to notify any request to exercise any of the above-mentioned rights without delay to the Company;
(ix) notify the appropriate supervisory authority of any security breach presenting a serious risk regarding the rights and liberties of the End-Users within 72 hours after becoming aware of the breach;
(x) following the termination of the Contract with the Company, and in the event retention is no longer necessary, proceed with the deletion of the Personal Data of the Users within a timeframe compatible with any applicable data protection legislation.
In the event that information is directly collected from the End-Users, the Client, as Data Controller, commits to provide the End-Users, as applicable, with the following information:
(i) the information regarding the identity of the Client as well as the name of the Data Controller;
(ii) the purpose of the Personal Data processing;
(iii) the recipient of the Personal Data: the Client and the Company, as well as its subcontractors;
the Personal Data conservation period;
(iv) the existence of their rights regarding the access, rectification, erasure, and portability of the Personal Data, or any limitation or opposition to the processing of such data;
(vi) where applicable, the right to withdraw their consent regarding the processing;
the right for the End-Users to lodge a complaint with the competent supervisory authority, if they consider that their rights have not been respected;
Pursuant to the present DPA, the Client commits to carry out all declaratory formalities and/or authorization requests and/or impact assessments, if necessary, as well as to ensure the mandatory compliance with the competent supervisory authority in light of the processing it carries out in relation to the usage of the Appello software platform. In the event the Client has not yet carried out the above-mentioned formalities, it explicitly commits to promptly do so. The Client remains responsible for the Personal Data processing carried out under its own responsibility.
2.5 Obligations of the Company as Data Processor
The Company, while providing the Appello software platform, acts as a Data Processor for the Personal Data of End-Users. As Data Processor, the Company commits to the following:
(i) Process the Personal Data solely for the purposes specified by the Data Controller, in accordance with the terms of the Contract, SaaS Order Form, SLSA, and any other written instructions provided by the Data Controller;
(ii) Implement appropriate technical and organizational measures to ensure the confidentiality, integrity, availability, and resilience of the Personal Data;
(iii) Ensure that all personnel authorized to process the Personal Data are subject to confidentiality obligations;
(iv) Assist the Data Controller in ensuring compliance with its obligations under any applicable data protection legislation, including but not limited to data subject rights, data protection impact assessments, and reporting to and consulting with supervisory authorities where necessary;
(v) Notify the Data Controller without undue delay upon becoming aware of a Personal Data breach;
(vi) At the choice of the Data Controller, delete or return all Personal Data at the end of the provision of services, and delete existing copies unless required by law to store the data;
(vii) Provide the Data Controller with all information necessary to demonstrate compliance with the obligations laid down in this section and allow for and contribute to audits conducted by the Data Controller or another auditor mandated by the Data Controller;
(viii) Obtain written authorization from the Data Controller before engaging a sub-processor and inform the Data Controller of any intended changes concerning the addition or replacement of sub-processors, thereby giving the Data Controller the opportunity to object to such changes.
By fulfilling these obligations, the Company aims to ensure that the Processing of Personal Data is conducted in a manner that ensures compliance with any applicable data protection legislation and protects the rights of the Data Subjects. Details about the Company's obligations as a Data Processor, including security measures, record-keeping, and data transfer restrictions.
2.6 Data Breach
In the event of a Personal Data breach, the Company shall take the following actions:
(i) Immediately assess the nature and extent of the breach, including the types of Personal Data affected and the potential impact on End-Users;
(ii) Notify the Data Controller without undue delay, and in any case, within 72 hours of becoming aware of the breach;
(iii) Take all necessary measures to contain and mitigate the effects of the breach, including but not limited to, isolating the affected systems, enhancing security measures, and informing affected End-Users if required by any applicable data protection legislation;
(iv) Cooperate fully with the Data Controller in investigating and remedying the breach, including providing all necessary information and assistance;
(v) Prepare a detailed report outlining the cause of the breach, the measures taken to prevent future occurrences, and any other information required by the Data Controller or data protection legislation;
(vi) Submit to any audits or inspections conducted by the Data Controller or any regulatory authority to assess the Company's compliance with this section and data protection legislation;Implement any corrective actions or improvements recommended by the Data Controller or regulatory authority to prevent future breaches.
By adhering to these procedures, the Company aims to ensure swift and effective management of any Personal Data breaches, thereby minimizing harm and maintaining trust.
2.7 Appropriate Technical and Organizational Measures Put into Place by the Company
The Company is committed to ensuring the security and protection of the Personal Data processed through the Appello platform. To this end, the Company undertakes the following measures:
(i) Implement robust access controls to ensure that only authorized personnel have access to Personal Data;
(ii) Utilize state-of-the-art encryption technologies for the secure transmission and storage of Personal Data;
(iii) Conduct regular security audits and assessments to identify and remediate potential vulnerabilities;
(iv) Establish a comprehensive data backup and recovery plan to ensure the availability and resilience of Personal Data;
(v) Monitor and log all data processing activities to enable auditing and accountability;
(vi) Implement data minimization techniques to ensure that only necessary Personal Data is collected and processed;
(vii) Establish procedures for regular testing and evaluation of the effectiveness of technical and organizational measures for ensuring data security;
(viii) Collaborate with third-party experts and authorities to continuously update and improve security measures.
The code of the Appello platform and the processed Personal Data are hosted on the Amazon servers and Digital Ocean, as these both present sufficient guarantees in terms of technical and organizational measures that are required pursuant to applicable data protection legislation.
By implementing these technical and organizational measures, the Company aims to provide a high level of security and compliance, thereby safeguarding the Personal Data processed through the Appello Solution.
2.8 Sub-processors of the Data Processor
The Client consents to the Processing of Personal Data by any sub-processors deemed necessary by the Company, provided that the Company warrants that any sub-processor is contractually subject to at least the same obligations as those that the Company itself are subject to.
2.9 International Personal Data Transfer
The Company will not transfer and Personal Data internationally without the express written consent of the Client. All of the Personal Data collected will be stored within the country of origin, or the Corporate Headquarters of the Client (at their request).
2.10 Personal Data Retention Period
A. The Personal Data of the Client’s Staff
Subject to the mandatory preservation period of all data related to Client files, which is three (3) years as of the end of the contractual relationship, the Client’s staff (including the customer contact email) identification data shall be retained by the Company for a period that shall not exceed the subscription period of the same of the Appello platform, to the exclusion of the statutory period for archiving.
B. The Personal Data of UsersThe Company hereby informs the Client that it deletes the Personal Data of the End-Users within a period of ninety (90) days following the termination of the Contract, notwithstanding any deletion request directly from Users.
At the end of the contractual relationship, the Company commits to return, free of charge and at the first request of the Client formulated by registered letter with acknowledgement of receipt, all Personal Data belonging to the Client that remains in possession of the Company in accordance with the terms of this DPA in a standard format (Microsoft Excel, SQL, and CSV) within ninety (90) days following the same request.
The Company commits to also respond to any questions formulated by the Client within the ninety (90) calendar days following the receipt of the return request.
2.11 Client's Responsibility
The Client remains solely liable for the legality of the processing carried out during the use of the Appello software platform. In addition, the Client remains solely liable for the Personal Data it collects and processes as Data Controller. The Client commits to proceed with the collection and the processing of the End-Users' Personal Data in strict accordance with the data protection legislation.
The Client is informed that certain categories of Personal Data, termed "sensitive" pursuant to any applicable data protection legislation, cannot be collected nor processed without the prior explicit consent of the data subjects, or any other formality provided for by the applicable data protection legislation. The Client commits to never proceed with the collection and processing of sensitive Personal Data aside from what is provided for by the data protection legislation for such processing. The Company declines any liability regarding the collection or processing of sensitive Personal Data.
The Company, as Data Processor, declines any liability regarding the quality, the relevance, and the legality of the Personal Data. Except as provided herein, the Company cannot be held liable in the event of a collection or Processing of Personal Data that would contravene the provisions of the data protection legislation.
The Client guarantees the Company, at first demand, against any and all harm incurred to it as a result of any action of a User or any third party due to the violation of the present clause, and/or any violation of any of its obligations as data controller pursuant to the data protection legislation.
A. Duration of the Processing
For the duration of the contractual relationship between the Parties.
B. Nature and Purpose of the Processing
Personal Data will be processed for purposes of providing the services set out and otherwise agreed to in this DPA, the SaaS Order Form, and SLSA. In that regard, the Company may carry out all kinds of processing operations.
C. Type of Personal Data Processed
i) Personal identification data (first name, last name, email, phone, etc.);
ii) Electronic identification data (IP addresses, cookies);
iii) Location data (if enabled within the Appello software platform by the Client);
D. Security Measures
The Company shall implement appropriate technical and organizational measures and shall control compliance with these measures on a regular basis. This includes:
(a) Physical access control: The Company shall take reasonable measures to prevent unauthorized persons from gaining access to Personal Data, such as secured buildings, key management, and logging of visitors (if applicable)
(b) System access control: The Company shall take reasonable measures to prevent unauthorized access to IT systems such as strong authentication procedures (passwords, double authentication), documented access approvals.
(c) Data access control: The Company shall take reasonable measures to prevent unauthorized access to Personal Data such as granting access to personal data granted only on a need-to-know basis, confidentiality obligations, and locking of workstations.
(d) Data transfer control: The Company shall take reasonable measures to ensure personal data cannot be read, copied, modified, or deleted without authorization during electronic transmission, transport, or storage and that it is possible to verify and establish to which bodies the transfer of personal data by means of data transmission facilities is envisaged (data transfer control); such as data encryption at rest and in transit.
(e) Input control: The Company shall take reasonable measures to provide that it is possible retrospectively to check and establish whether and by whom Personal Data has been entered into data processing systems, modified, or removed; such as logging systems.
(f) Job control: The Company shall take reasonable measures to ensure that personal data is processed in accordance with the directions of the Data Controller such as entering into appropriate data processing agreements with sub-processors.
(g) Availability control: The Company shall take reasonable measures to prevent the accidental destruction or loss of Personal Data.