LogicGate Data Processing Addendum

This Data Processing Addendum (“DPA”) sets out the terms that apply when Personal Data is processed by LogicGate, Inc. and/or its Affiliates (“LogicGate”) pursuant to the master agreement (the “Agreement”) executed by LogicGate and the customer agreeing to these terms by execution of the Agreement into which this DPA is incorporated. This DPA is governed by the Agreement.  Other capitalized terms used but not defined in this DPA have the same meanings as set out in the Agreement.

1. Definitions

1.1. “EEA” means the European Economic Area, which constitutes the member states of the European Union, Norway, Iceland and Liechtenstein. For purposes of this DPA, the “EEA” includes the United Kingdom both before and after its withdrawal from the European Union.

1.2. “Data Protection Legislation” means any applicable laws or regulations regarding the processing of Personal Data or personal information (or similar term under the applicable law or regulation), including Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (as amended, replaced or superseded) ("GDPR"), including as the GDPR may be adopted or otherwise implemented by the United Kingdom.

1.3. “Model Contract Clauses” means the model contract clauses set out in European Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

1.4. “Personal Data” means any Customer Data relating to an identified or identifiable natural person provided to LogicGate in connection with LogicGate’s performance of Services under the Agreement.

1.5. “Data Subject”, “Process”, “Processor”, “Controller” and “Supervisory Authority” will each have the meaning given to them in applicable Data Protection Legislation.

2. Applicability of DPA

2.1. Applicability. This DPA will apply only to the extent that LogicGate Services are engaged in the Processing of Personal Data subject to Data Protection Legislation on behalf of the Customer.

2.2. Scope. The subject-matter of the data Processing is the provision of the Services and the Processing will be carried out for the duration of the Agreement. Schedule 1 attached hereto sets out the nature and purpose of the Processing, the types of Personal Data LogicGate Processes and the categories of Data Subjects whose Personal Data is Processed.

2.3. Changes to Data Protection Legislation. In the event Data Protection Legislation changes subsequent to the signing of this DPA or the Agreement, the Parties shall negotiate in good faith to reach agreement on reasonable next steps, including, where applicable, changes that may be necessary and operationally, technically and commercially feasible to the Agreement, the DPA and/or the Services (including, without limitation, the fees payable by Customer to LogicGate for the Services) in order to enable LogicGate to continue providing the Services in compliance with such revised Data Protection Legislation. No such changes shall be effective unless agreed in writing between the Parties.

3. Roles and Responsibilities

3.1. Parties' Roles. To the extent that LogicGate Processes Personal Data in the course of providing the Services, and if Data Protection Legislation recognizes the roles of “Data Controller” and “Data Processor” as applied to Personal Data then, as between Customer and LogicGate, LogicGate acts as a Data Processor (or Subprocessor, as the case may be) in accordance with the Agreement and Customer acts as a Data Controller (or a Processor, as the case may be).

3.2. Purpose Limitation. To the extent that LogicGate Services are responsible for managing the security controls during the Processing of Personal Data subject to Data Protection Legislation on behalf of the Customer, LogicGate will Process the Personal Data only for the purpose of providing the Services in accordance with the Agreement and an applicable Order Form(s) which contains Customer’s instructions. If LogicGate is required to Process the Personal Data for any other purpose by applicable law to which LogicGate is subject, LogicGate shall inform Customer of this requirement before the Processing, except where otherwise required by such law.

3.3. Instructions. The Agreement, applicable Order Form(s), and this DPA set out Customer's complete documented instructions to LogicGate in relation to the Processing of the Personal Data in connection with the Services, including with regard to transfers of Personal Data in accordance with Section 9, and any Processing requested outside of the scope of these instructions will require prior written agreement between the parties. LogicGate shall immediately inform Customer if, in its opinion, an instruction infringes Data Protection Legislation, provided that LogicGate is not responsible for providing, and shall not provide, legal advice to Customer, and any communications provided by LogicGate to Customer under this Section shall not be construed as legal advice.

3.4. Compliance. Customer, as Data Controller, shall be responsible for ensuring that:

a. it has complied, and will continue to comply, with Data Protection Legislation, and Customer’s instructions for the Processing of Personal Data shall comply with Data Protection Legislation; and

b. it has, and will continue to have, the right to transfer, or provide access to, the Personal Data to LogicGate for Processing in accordance with the terms of the Agreement, and applicable Order Form(s), and this DPA.

3.5. Notices and Consents. Customer shall provide all applicable notices and obtain any necessary consents required by applicable Data Protection Legislation for the lawful Processing of Personal Data by LogicGate in accordance with the Agreement. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.

3.6. Sensitive Data. Unless set forth in an Order Form or other document agreed to by LogicGate, Personal Data may not include any sensitive or special data that imposes specific data security or data protection obligations on LogicGate in addition to or different from those specified in any LogicGate documentation or which are not provided as part of the Services.

4. Data Subjects' Rights

4.1. General. LogicGate shall, taking into account the nature of the Processing, provide reasonable assistance to Customer insofar as this is practicable and to the extent required by Data Protection Legislation, to enable Customer to respond to requests from a Data Subject seeking to exercise their rights under Data Protection Legislation (“Data Subject Inquiry”). LogicGate shall comply with Customer’s instructions regarding the handling of a Data Subject Inquiry, subject to Sections 3.3 and 3.4. Except for such reasonable assistance (e.g., producing information about a Data Subject that Customer cannot access) required by LogicGate, to the extent Customer uploads a Data Subject’s Personal Data into the Service, Customer shall bear sole responsibility of responding to any Data Subject Inquiry related to such Personal Data.

4.2. Identification of Data Controller. In the event that a Data Subject Inquiry is made directly to LogicGate, LogicGate shall promptly inform Customer of the same provided the Data Subject identifies Customer as its relevant Data Controller. If the Data Subject does not identify a relevant Data Controller, LogicGate shall direct the Data Subject to contact the entity that collected their Personal Data.

4.3. Response to Inquiries. LogicGate shall not independently respond to Data Subject Inquiries without Customer's prior approval except where required by Data Protection Legislation.

5. Security

5.1. To the extent LogicGate Processes Personal Data, and taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, LogicGate will implement and maintain throughout the term of this DPA and the Agreement appropriate administrative, physical, and technical measures designed to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and against all other unlawful forms of Processing which compromise the confidentiality, integrity, or availability of Personal Data (a “Personal Data Breach”). LogicGate may update its security practices from time to time but will not materially decrease the overall security of the Services during the term of an Order Form or other ordering document.

5.2. Confidentiality. LogicGate will ensure that any person that it authorizes to process the Personal Data (including its staff, agents and subcontractors) shall be subject to a duty of confidentiality, whether a contractual or a statutory duty.

5.3. Notifications. In the event of a confirmed Personal Data Breach, LogicGate will notify Customer without undue delay, and in any event within 48 hours, with information regarding the Personal Data Breach (as such information becomes available), each in accordance with Data Protection Legislation. LogicGate’s contact point for additional details regarding a Personal Data Breach is [email protected]. Customer and LogicGate shall work together in good faith within the timeframes for Customer to provide notifications in accordance with Data Protection Legislation to finalize the content of any such notifications to Data Subjects or Supervisory Authorities, as required by Data Protection Legislation.  LogicGate’s prior written approval shall be required for any statements regarding, or references to, the Personal Data Breach or LogicGate made by Customer in any such notifications.

6. Data Protection Impact Assessments; Prior Consultations. LogicGate shall, to the extent required by Data Protection Legislation, provide Customer with reasonable assistance with data protection impact assessments or prior consultations with data protection authorities that Customer is required to carry out under Data Protection Legislation.

7. Information and Audits

7.1. Information. At Customer’s written request, LogicGate shall make available to Customer security documentation, existing and unexpired audit reports, or other documentation for the sole purpose of confirming LogicGate's compliance with this DPA and Data Protection Legislation, as applicable, to the extent that such information is within LogicGate’s control and LogicGate is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

7.2. Audit. If after reviewing such documentation and discussing such documentation with LogicGate, Customer has additional questions that LogicGate has not been able to reasonably and sufficiently answer and Customer would like to conduct an audit of LogicGate’s compliance with this DPA and Data Protection Legislation only, LogicGate shall permit Customer (or its appointed independent third party auditors) to carry out an audit of LogicGate processing of Personal Data under the Agreement once per anniversary of the Agreement or more often as required by Data Protection Legislation or Supervisory Authority. Customer must give LogicGate reasonable prior notice of such intention to audit and must provide LogicGate with a detailed proposed audit plan (including, at a minimum, the scope of the audit, start date and end date/duration) at least two (2) weeks prior to commencement of any audit activities. LogicGate will review and provide feedback on the audit plan and the plan shall be reasonably revised to account for such feedback. If after reviewing the audit plan, LogicGate reasonably determines the audit plan is covered by an existing and unexpired audit report, and LogicGate confirms no material changes to the audited systems or processes have occurred since the date of the audit report, Customer agrees to accept such audit report in lieu of conducting an audit.

7.3. Audit Procedure. If Customer engages a third party to conduct the audit, LogicGate must reasonably agree to the third party and the third party must sign LogicGate’s reasonable confidentiality and non-disclosure agreement or be bound by a statutory or other legal duty of confidentiality. The audit must be conducted during normal business hours at the applicable facility(ies) only, in accordance with the agreed audit plan, shall not cause unnecessary disruption to LogicGate's operations, and will be subject to any LogicGate health and safety policies. Any such audit shall be subject to LogicGate's security policies and confidentiality terms.

7.4. Audit Results. Any audit results, findings, or reports (“Audit Results”) will be Confidential Information. A copy of the Audit Results must be provided to LogicGate. Customer may only use Audit Results to confirm compliance with this DPA and Data Protection Legislation.

7.5. Costs. Customer is responsible for its audit costs. If LogicGate reasonably believes the audit requires resources in addition to those provided in connection with the Services, LogicGate will inform Customer and the Parties will agree upon any additional fees necessary to complete the audit.

7.6. Audit Obligations. Customer agrees that this Section 7 shall satisfy any audit or assessment obligations that may apply to LogicGate under the Model Contract Clauses or Data Protection Legislation.

8. Sub-processing

8.1. General. Customer agrees that LogicGate may engage LogicGate affiliates and third party sub‐processors (collectively, "Sub-processors") to process the Personal Data on LogicGate's behalf. LogicGate shall enter into terms with each Sub-processor which shall be no less restrictive than those set forth in this DPA related to the processing of Personal Data and shall remain liable for any breach of this DPA caused by a Sub‐processor in connection with the services provided by Sub‐processor to LogicGate. For the avoidance of doubt and in accordance with Clause 9, Option 2 of the Model Contract Clauses, the above constitutes Customer’s general authorization for LogicGate’s engagement of Sub-processors and LogicGate’s appointment of additional or replacement Sub-processors identified on the Subcontractor List in Schedule 1, Annex III.

8.2. Changes and Objection. LogicGate may, by giving reasonable notice to the Customer, add or make changes to the Sub‐processors. If the Customer reasonably objects in writing to the appointment of an additional Sub‐processor within ten (10) calendar days of such notice on reasonable and objective grounds relating to the Sub-processor’s compliance with this DPA or Data Protection Legislation, LogicGate and Customer will work in good faith to address the objection, including reviewing security or audit documentation related to such Sub-processor. To the extent the parties are not able to mutually address appointment of the Sub-processor in a reasonable timeframe, LogicGate will use reasonable endeavors to make available to the Customer a change in the Services, or will recommend a commercially reasonable change to the Services to prevent the applicable Sub-processor from processing Personal Data. If LogicGate is unable to make available such a change within a reasonable period of time, which shall not exceed thirty (30) days, Customer shall have the right to terminate the relevant Services which include the Sub-processor (i) in accordance with the termination provisions in the Agreement; (ii) without liability to Customer or LogicGate, and (iii) without relieving Customer from its payment obligations under the Agreement up to the date of termination.

9. International Transfers

9.1. Transfers Generally. Personal Data will be processed in the United States or other regions, which may have data protection and data privacy laws different from those in Customer’s jurisdiction.

9.2. EEA Transfers. Where Personal Data originating in the EEA is processed by LogicGate outside the EEA, in a territory that has not been designated by Customer’s jurisdiction as ensuring an adequate level of protection pursuant to Data Protection Legislation, LogicGate and Customer agree that the transfer will be subject to the Model Contract Clauses, where Schedule 1 provides the necessary information for the Appendix of the Model Contract Clauses, or if the Model Contract Clauses are no longer available or valid, another mechanism compliant with Data Protection Legislation.

9.3. United Kingdom Provisions. Where Personal Data originating from the United Kingdom specifically is processed by LogicGate outside of the United Kingdom, in a territory that has not been designated by Customer’s jurisdiction as ensuring an adequate level of protection pursuant to Data Protection Legislation, and to the extent such processing and transfer is subject to the Model Contract Clauses and Data Protection Legislation applicable in the United Kingdom (“UK Data Protection Legislation”) the Parties agree that: (i) general and specific references in the Model Contract Clauses to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 have the same meaning as the equivalent reference in UK Data Protection Legislation; (ii) references in the Model Contract Clauses to a “Member State” mean the United Kingdom and references to a “supervisory authority” shall mean the UK Information Commissioner’s Office; and (iii) any other obligation in the Model Contract Clauses determined by the Member State in which the data exporter is established refer to an equivalent obligation under UK Data Protection Legislation.

9.4. Model Contract Clause Procedures. Customer shall be deemed to have signed the Model Contract Clauses in its capacity of “data exporter” and LogicGate in its capacity as “data importer.” Module Two or Module Three of the Model Contract Clauses shall apply to the transfer depending on whether Customer is Data Controller of the Personal Data (for Module Two) or a Data Processor of the Personal Data on behalf of its customer (for Module Three). If Module Three applies, Customer hereby notifies LogicGate that it is a Processor and the instructions shall be as set forth in Section 3.3. For purposes of Clauses 17 and 18 of the Model Contract Clauses, the Parties select Portugal. Additional provisions applicable to Personal Data transferred pursuant to Model Contract Clauses are set forth in Schedule 2.

10. Deletion / return of Personal Data. Upon written request by Customer or within a reasonable time period after termination or expiry of the Agreement, LogicGate shall, at Customer's election, delete or make available to Customer in its then-current format, all relevant Personal Data (including copies) in LogicGate's possession. Upon Customer’s written request, LogicGate shall provide Customer with a written statement confirming it acted in accordance with the foregoing. LogicGate may retain Personal Data to the extent required by any applicable law or regulation or as necessary to comply with legal and/or pre-existing auditing procedures.

11. California Consumer Privacy Act (“CCPA”). Generally, LogicGate processes Personal Data as a service provider for customers, many of whom are organizations who have the direct relationship with individual end users using the Services. To the extent the CCPA or other substantially similar state privacy laws apply to the Personal Data, LogicGate will perform as a Service Provider and shall not sell or share (as such terms are defined in the CCPA) Personal Data. The LogicGate Information Security Measures Overview and this DPA plus Schedule 1 provide the necessary information to address specified contractual requirements.

12. Miscellaneous

12.1. Except as amended by this DPA, the Agreement will remain in full force and effect.

12.2. If there is a conflict between the Agreement and this DPA, the terms of this DPA will control. If there is a conflict between the DPA and a data transfer mechanism identified in Section 9.2, the terms of the data transfer mechanism will control.

12.3. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.

12.4. LogicGate may share and disclose Personal Data and other data of Customer in connection with, or during the negotiation of, any merger, sale of company assets, consolidation or restructuring, financing, or acquisition of all or a portion of LogicGate’s business by or to another company, including the transfer of contact information and data of customers, partners and end users.

12.5. The parties agree that the bundling of Customer’s data exporters, for example, if Customer is comprised of multiple global affiliates, as Data Controllers within this DPA is undertaken for efficiency purposes (i.e., to avoid a multitude of different contract documents) and (i) shall result in legally separate DPAs between the respective Customer entity and LogicGate solely for purposes of addressing any such obligations under Data Protection Legislation; (ii) shall not create any new or different legal or other relationship whatsoever between the “bundled” Customer entities; (iii) does not create any additional rights or remedies for such bundled Customer entities; (iv) all processing instructions must be provided by the Customer entity that is signatory to the Agreement and LogicGate is not responsible for consolidating or evaluating the validity of instructions received from other Customer entities; (v) any commercial terms not provided by the DPA are provided by the Agreement regardless of whether the bundled Customer entities signed or were consulted regarding the terms of the Agreement; and (vi) any audits conducted in accordance with the DPA shall be conducted only by and through the Customer entity that is signatory to the Agreement.

SCHEDULE 1 – DATA PROCESSING APPENDIX 

ANNEX 1

 A. LIST OF PARTIES

Data Exporter:

Name: The data exporter is the entity identified as “Customer” in the DPA.

Address: as set forth in the Agreement.

Contact person: as set forth in the Notices provision in the Agreement.

Activities relevant to the data transferred under these Clauses: as set forth in the Agreement.

Signature and date: refer to DPA.

Role: Controller, except when processing data on behalf of another entity, in which case data exporter is a processor.

Data Importer:

Name: The data importer is the entity identified as “LogicGate” in the DPA.

Address: as set forth in the Agreement.

Contact person: as set forth in the Notices provision in the Agreement.

Activities relevant to the data transferred under these Clauses: as set forth in the Agreement.

Signature and date: refer to DPA.

Role: processor, or sub-processor if data exporter is a processor.

 B. DESCRIPTION OF TRANSFER

Categories of Data subjects whose personal data is transferred: 

In LogicGate’s provision of the Service:  LogicGate will collect the Personal Information of End users – individuals who interact with the Customer using the Service. In relation to Customer Data:  LogicGate does not as a matter of course review Customer Data to determine if it contains Personal Data.  

Customer intends to export information on the following categories of Data Subjects:

Categories of personal data transferred: 

In LogicGate’s provision of the Service:  User’s first and last names, password, email address, photo (optional), IP address, device data, usage data, location data, and interactions with End Users for the provision of the Service. In relation to Customer Data:  LogicGate does not as a matter of course review Customer Data to determine if it contains Personal Data. 

Customer intends to export the following categories of Personal Information: 

Sensitive categories of data (if appropriate): 

In LogicGate’s provision of the Service: None.

In relation to Customer Data:  None. Please reference Section 7 of the Agreement for further information.

The frequency of the transfer: As set forth in the Agreement.

Nature of the processing: The processing activities defined in the DPA and the Agreement.

Purposes of the data transfer and further Processing:

Full details about the Service can be found at https://www.logicgate.com/

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: As set forth in the DPA and the Agreement.

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing: As set forth in the DPA, this Appendix, and in the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

If Customer is established in an EU Member state, the competent supervisory authority shall be the supervisory authority applicable to the establishment location of Customer. If Customer is not established in an EU Member state, the competent supervisory authority shall be the supervisory authority located where Customer has appointed its EU Representative. If Customer is not established in an EU Member state and is not required to appoint an EU Representative, the competent supervisory authority shall be the supervisory authority applicable to the location of the Data Subject whose data is at issue.

ANNEX II

Technical and organizational measures including technical and organizational measures to ensure the security of the data:

Refer to the information security measures agreed to by the Parties within the Agreement.

ANNEX III 

List of LogicGate Sub-processors

SCHEDULE 2 – ADDITIONAL MODEL CONTRACT CLAUSE PROVISIONS

BASED ON EUROPEAN DATA PROTECTION BOARD RECOMMENDATIONS 01/2020

  1. LogicGate shall, unless otherwise prohibited by law or a legally binding order of an applicable government body or agency, promptly notify Customer of any request for the disclosure of Personal Data by a governmental or regulatory body or law enforcement authority (including any Supervisory Authority) (“Disclosure Request”) and without responding to such request, unless otherwise required by applicable law (including to provide acknowledgement of receipt of the request). LogicGate will review applicable law to evaluate any Disclosure Request, for example the ability of the requesting authority to make the Disclosure Request, and to challenge the Disclosure Request if, after a careful assessment, it concludes that there are grounds under applicable law to do so. When challenging a Disclosure Request, LogicGate shall seek interim measures to suspend the effects of the Disclosure Request until an applicable court or other authority has decided on the merits. LogicGate shall not disclose Personal Data requested until required to do so under applicable law. LogicGate shall only provide the minimum amount of Personal Data permissible when responding to the Disclosure Request, based on a reasonable interpretation of the Disclosure Request. If the Disclosure Request is incompatible with the SCCs or other data transfer mechanism utilized in accordance with Section 9 in this DPA, LogicGate will so notify the requesting authority and, if permitted by applicable law, notify the competent EEA government authority with jurisdiction over the Personal Data subject to the Disclosure Request. LogicGate will maintain a record of Disclosure Requests and its evaluation, response, and handling of the requests. LogicGate will provide Customer with such records relevant to Personal Data except as prohibited by applicable law or legal process or in the interest of protecting LogicGate’s legal rights in connection with threatened, pending, or current litigation.
  2. LogicGate has not purposefully created “back doors” or similar programming in its systems that provide Services that could be used to access the systems and/or Personal Data, nor has LogicGate purposefully created or changed its business processes in a manner that facilitates access to Personal Data or its systems that provide the Services. To the best of LogicGate’s knowledge, United States Data Protection Legislation does not require LogicGate to create or maintain “back doors” or to facilitate access to Personal Data or systems that provide Services or for LogicGate to possess or provide the encryption key in connection with a United States Disclosure Request.
  3. LogicGate shall use reasonable efforts to assist Customer and its Data Subjects, as instructed by Customer (in accordance with Section 4 of the DPA), regarding Disclosure Requests, unless prohibited by applicable law, provided LogicGate shall not be required to provide Customer or Data Subjects with legal advice.
  4. LogicGate has established an internal procedure regarding handling of Disclosure Requests and applicable transfers of Personal Data of customers. LogicGate has procedures for applicable personnel to receive, as appropriate, information regarding applicable transfers of Personal Data, where such information may include an explanation of the necessity of the transfer and any data protection safeguards in scope.
  5. In the event LogicGate receives a request to voluntarily disclose unencrypted Personal Data to a government authority, LogicGate will use reasonable efforts to first obtain Customer’s consent, either on its behalf or on behalf of the relevant Data Subject.

 

Last Updated: August 2023