Data Processing Agreement (DPA)
Data Processing Addendum
This Data Processing Addendum (“DPA”) is entered into by and between [CUSTOMER_NAME] (“Customer”) and Quark Software, Inc. (“Quark”). This DPA is incorporated into and supplemental to the Quark Master Subscription Agreement entered into between the parties which governs the provision of the Quark services by Quark to the subscriber of Quark’s services (“Agreement”). Except as modified below, the terms of the Agreement shall remain in full force and effect.
1. Definitions
- Definitions: Capitalized terms not defined herein shall have the meaning given in the Agreement. In this DPA, the following terms (and derivations of such terms) shall have the following meanings:
- “Applicable Data Protection Law” means all privacy and data protection laws that apply to Quark’s processing of Data under the Agreement (including, where applicable, the California Consumer Privacy Act of 2018 including its associated regulations and as amended (the “CCPA”), and European Data Protection Law).
- “Controller” means the entity that determines the purposes and means of the processing of Personal Data;
- “Data” means Personal Data provided by Customer (directly or indirectly) to Quark for processing under the Agreement as more particularly identified in Appendix A (Processing Particulars);
- “European Data Protection Law” means all EU and U.K. regulations or other legislation applicable (in whole or in part) to the processing of Personal Data under the Agreement (such as Regulation (EU) 2016/679 (the “GDPR”), the U.K. GDPR (defined below), and the Swiss Federal Data Protection Act of 19 June 1992 and its Ordinance (“Swiss Addendum”)); the national laws of each EEA member state and the U.K. implementing any EU directive applicable (in whole or in part) to the processing of Personal Data (such as Directive 2002/58/EC); and any other national laws of each EEA member state and the U.K. applicable (in whole or in part) to the Processing of Personal Data; in each case as amended or superseded from time to time.
- “Model Clauses” means the standard contractual clauses attached to the European Commission’s Implementing Decision of 4 June 2021 under Article 28 (7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29 (7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council, on standard contractual clauses, selecting Module Two between controllers and processors in any case where Customer is a Controller, and Module Three between processors in any case where Customer is a Processor, and excluding optional clauses unless otherwise specified), and any replacement, amendment or restatement of the foregoing, as issued by the European Commission, on or after the effective date of this DPA.
- “Personal Data” means any information relating to an identified or identifiable natural person (a “Data Subject”), the processing of which is governed by Applicable Data Protection Law; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. Where the CCPA applies, ‘Personal Data’ includes “personal information” as defined by the CCPA. Personal Data does not include anonymous or de-identified information or aggregated information derived from Personal Data.
- “processing” means any operation or set of operations performed on Personal Data, whether or not by automated means, such as collection, recording, organizing, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
- “Processor” means an entity that processes Personal Data on behalf of the Controller. Where applicable, Processor includes “service provider” as defined by the CCPA.
- “Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Data.
- “Sensitive Data” means any Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences.
- “Sub-Processor” means an entity engaged by the Processor or any further sub-contractor to process Personal Data on behalf of and under the instructions of the Controller.
- “U.K. GDPR” means the GDPR, as it forms part of the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018.
2. Data Protection
- Relationship of the parties: As between the parties and for the purposes of this DPA, Customer appoints Quark as a Processor to process the Data on behalf of Customer. Where applicable, Quark is a “service provider” as defined in the CCPA. Customer shall comply with Applicable Data Protection Law, including but not limited to providing notice to Data Subjects, and obtaining and periodically refreshing the consent of Data Subjects, where required, to Customer’s use of Quark’s Services and Customer’s own processing of Data. Customer represents and warrants it has and will continue to have the right to transfer Data to Quark for processing in accordance with the Agreement and this DPA. Quark shall comply with Applicable Data Protection Law and understands and shall comply with the prohibitions on Processors set forth in the CCPA with respect to such Data, including, without limitation and to the extent applicable in each case: (i) selling or sharing any Data (as the terms “sell” and “share” are each defined within the CCPA) where the sale or sharing of such Data is restricted by the CCPA, (ii) disclosing such Data to any party outside of the direct business relationship between Quark and Customer, or (iii) retaining, using or disclosing such Data for a commercial purpose other than performing the Services as set forth in the Agreement with Customer, or as otherwise expressly permitted under this DPA or the Agreement.
- Purpose limitation: Each party acknowledges and agrees that all Data is disclosed by Customer hereunder only for those limited and specified purposes set forth in the Agreement and this DPA. Quark shall process the Data as a Processor only as necessary to perform the Services for Customer under the Agreement, and strictly in accordance with the documented instructions of Customer (including those in this DPA and the Agreement). In no event shall Quark process the Data for its own purposes or those of any third party. Quark may also anonymize or deidentify Data in accordance with Applicable Data Protection Law. Customer shall only give lawful instructions that comply with Applicable Data Protection Law and shall ensure that Quark’s processing of Data, when done in accordance with Customer’s instructions, will not cause Quark to violate Applicable Data Protection Law. Quark shall inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. In any case where confirmation of a Controller’s instructions is required by Applicable Data Protection Law, the parties agree that the Agreement, together with this DPA, represents the complete and final documented instructions from the Controller of the Data to Quark as of the date of this DPA for the processing of Data. 
Nothing in this DPA shall be read to limit any obligations of Quark to assist Customer with Customer’s reasonable and appropriate efforts to ensure that Quark processes such Data in a manner consistent with each party’s obligations under the CCPA, including (i) the obligation to immediately notify Customer if Quark determines it can no longer meet its obligations under the CCPA with respect to such Data, and (ii) the obligation not to combine any such Data relating to a specific consumer with any other data about the same consumer in Quark’s possession and/or control, whether received from or on behalf of another person or persons or collected by Quark from its own interaction(s) with the consumer.
- International transfers of Data: Quark is located in the United States and processes the Data in the United States and such other territories as Customer selects. For Quark to perform Services for Customer pursuant to the Agreement, Customer transfers (directly or indirectly) Personal Data to Quark in the United States and in the territories covered by Customer’s selected option. For Personal Data subject to European Data Protection Law, Quark agrees to abide by and process the Data in compliance with the Model Clauses, which are incorporated in full by reference and form an integral part of this DPA. For the purposes of the Model Clauses, the parties agree that:
- Quark is the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may itself be located outside the EEA/UK and/or a Processor acting on behalf of a third-party Controller);
- Appendix A (Processing Particulars), Appendix B (Specific Security Measures), and Appendix C (Sub-processor List) of this DPA shall form Annex I, Annex II, and Annex III of the Model Clauses, respectively;
- Option 2 under clause 9 of the Model Clauses will apply with respect to Sub-Processors. Annex III of the Model Clauses shall be subject to General Written Authorization, where “General Written Authorization” means that Quark has Customer’s general authorization (or the general authorization of the Controller of the Data) for the engagement of sub-processor(s) from the list set forth in Appendix C, which shall be amended from time to time in accordance with the terms of the Agreement, this DPA, and all Applicable Data Protection Law;
- Audits described in clause 8.9 of the Model Clauses shall be carried out in accordance with the audit provisions detailed in Section 2.12 of this DPA;
- The option under clause 11 of the Model Clauses shall not apply;
- For purposes of clauses 17 and 18 of the Model Clauses, this DPA shall be governed by the laws of the Republic of Ireland. Any dispute arising from this DPA shall be resolved by the courts of the Republic of Ireland, and each party agrees to submit themselves to the jurisdiction of the same; and
- It is not the intention of either party, nor the effect of this DPA, to contradict or restrict any of the provisions set forth in the Model Clauses. Accordingly, if and to the extent the Model Clauses conflict with any provision of this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data processed pursuant to the Model Clauses. Customer warrants it will not transfer any Sensitive Data to Quark.
- Law enforcement requests.
- If Quark becomes aware that any law enforcement, regulatory, judicial or governmental authority (an “Authority”) wishes to obtain access to or a copy of some or all Data, whether on a voluntary or a mandatory basis, then unless legally prohibited as part of a mandatory legal compulsion that requires disclosure of Data to such Authority, Quark shall:
- promptly notify Customer of such Authority’s data access request;
- inform the Authority that any and all requests or demands for access to Data should be notified to or served upon Customer in writing; and
- not provide the Authority with access to Data unless and until authorized by Customer.
- If Quark is under a legal prohibition that prevents it from complying with Section 2.4.1(a)-(c) in full, Quark shall use reasonable and lawful efforts to challenge such prohibition (and Customer acknowledges that such challenge may not always be reasonable or possible in light of the nature, scope, context and purposes of the intended Authority access request). If Quark makes a disclosure of Data to an Authority (whether with Customer’s authorization or due to a mandatory legal compulsion), Quark shall only disclose such Data to the extent Quark is legally required to do so.
- Section 2.4.1 shall not apply in the event that, taking into account the nature, scope, context and purposes of the intended Authority’s access to the Data, Quark has a reasonable and good-faith belief that urgent access is necessary to prevent an imminent risk of serious harm to any individual. In such event, Quark shall notify Customer as soon as possible following such Authority’s access and provide Customer with full details of the same, unless and to the extent that Quark is legally prohibited from doing so;
- Solely with respect to Data that is subject to the GDPR, and/or Data whose disclosure is otherwise restricted by Applicable Data Protection Law, Quark shall not knowingly disclose Data to an Authority in a massive, disproportionate and indiscriminate manner that goes beyond what is necessary in a democratic society. Quark shall have in place, maintain and comply with a policy governing Personal Data access requests from Authorities which at minimum prohibits:
- massive, disproportionate or indiscriminate disclosure of Personal Data relating to Data Subjects in the EEA and the United Kingdom; and
- disclosure of Personal Data relating to data subjects in the EEA, and the United Kingdom to an Authority without a subpoena, warrant, writ, decree, summons or other legally binding order that compels disclosure of such Personal Data.
- Confidentiality of processing: Quark shall ensure that any person that it authorizes to process the Data (including Quark’s staff, agents and subcontractors) shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty) and shall not permit any person to process the Data who is not under such a duty of confidentiality.
- Security: Quark shall implement appropriate technical and organizational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data. At a minimum, such measures shall include the security measures identified in Appendix B. With respect to evaluation of the appropriate level of security for the processing of the Data, each party represents and warrants that:
- It has taken due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the Data; and
- It has evaluated the use of encryption and/or pseudonymization for the Data and has determined that the level provided by Quark is appropriate for the Data.
- To the extent that the CCPA applies to the processing of the Data, the party has determined that the technical and organizational measures provided by Quark are no less than the level of security required by the CCPA.
- Subcontracting: Quark shall not subcontract any processing of the Data to a third-party Sub-Processor unless: (i) Quark provides to Customer an up-to-date list of its then-current Sub-Processors upon request; and (ii) Quark provides at least thirty (30) days’ prior notice of the addition or removal of any Sub-Processor (including the details of the processing it performs or will perform, and the location of such processing). If Customer objects to Quark’s appointment of a third-party Sub-Processor on reasonable grounds relating to the protection of the Data, then either Quark will not appoint the Sub-Processor, or Customer may elect to suspend or discontinue the affected Services by providing written notice to Quark. Customer shall notify Quark of its objection within ten (10) business days after its receipt of Quark’s notice, and Customer’s objection shall be sent to and explain the reasonable grounds for Customer’s objection. If a timely objection is not made, Quark will be deemed to have been authorized by Customer (or, if Customer is a Processor of the Data, by the Controller of the Data) to appoint the new Sub-Processor. Quark shall impose data protection terms consistent with the obligations set forth herein on any Sub-Processor it appoints, as provided for by this DPA; provided, however, that Customer acknowledges that Quark’s cloud service providers may not offer the audit rights and access described in this DPA, and that Quark’s obligations with respect to such audit and access rights are limited to those that the cloud service providers make available to Quark.
- Cooperation and individuals’ rights: Customer is responsible for responding to Data Subject requests using Customer’s own access to the relevant Data. Quark shall provide all reasonable and timely assistance to enable Customer to respond to: (i) any request from an individual to exercise any of its rights under Applicable Data Protection Law, and (ii) any other correspondence received from a regulator or public authority in connection with the processing of the Data. In the event that any such communication is made directly to Quark, Quark shall promptly (and in any event, no later than within forty-eight (48) hours of receiving such communication) inform Customer providing full details of the same and shall not respond to the communication unless specifically required by law or authorized by Customer.
- Data Protection Impact Assessment: Taking into account the nature of the processing and the information available to Quark, Quark shall provide Customer with reasonable and timely assistance with any data protection impact assessments as required by Applicable Data Protection Law and, where necessary, consultations with data protection authorities.
- Security Incidents: Upon becoming aware of a Security Incident, Quark shall inform Customer without undue delay and shall provide all such timely information and cooperation to enable Customer to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Quark shall further take such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident. Quark shall not notify any third parties of a Security Incident affecting the Data unless and to the extent that: (a) Customer has agreed to such notification, and/or (b) notification is required to be made by Quark under Applicable Data Protection Law.
- Deletion or return of Data: Upon termination or expiry of the Agreement, Quark shall (at Customer’s election) delete or return all Data, including copies in Quark’s possession or control no later than within sixty (60) days of Customer’s election. This requirement shall not apply to the extent that Quark is required by applicable laws to retain some or all of the Data, in which event Quark shall isolate and protect the Data from any further processing except to the extent required by such law, shall only retain such Data for as long as it is required under applicable laws, and shall continue to ensure compliance with all Applicable Data Protection Law during such retention.
- Audit: Quark uses an external auditor to verify the adequacy of its security measures and controls for its Services. The audit is conducted annually by an independent third party in accordance with ISO 27001 standards and results in the generation of an audit report (“Audit Report”) which is Quark’s confidential information. Upon written request, Quark shall provide Customer with a copy of the most recent Audit Report subject to the confidentiality obligations of the Agreement or a non-disclosure agreement covering the Audit Report.
3. Miscellaneous
- The obligations placed upon each party under this DPA shall survive so long as Quark and/or its Sub-Processors process Data on behalf of Customer.
- Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
- It is not the intention of either party, nor shall it be the effect of this DPA, to contradict or restrict any provision of the Model Clauses and/or any Applicable Data Protection Law. To the extent that any provision of the Model Clauses conflicts with this DPA, the Model Clauses shall prevail to the extent of such conflict with respect to Personal Data which is subject to the Model Clauses. In no event shall this DPA restrict or limit the rights of any Data Subject or of any Authority. If there is a change in law requiring any change to this DPA to enable either party to continue to comply with Applicable Data Protection Law, the parties will negotiate in good faith to amend this DPA to the extent reasonably necessary to comply with Applicable Data Protection Law.
- If any provision of this DPA is deemed invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended to ensure its validity and enforceability while preserving the parties’ intentions as closely as possible; or (ii) if that is not possible, then construed in a manner as if the invalid or unenforceable part had never been included herein.
- The term of this DPA will terminate automatically without requiring any further action by either party upon the later of (i) the termination of the Agreement, or (ii) when all Personal Data is removed from Quark’s systems and records, and/or is otherwise rendered unavailable to Quark for further Processing.
SIGNED by the parties or their duly authorized representatives:
QUARK SOFTWARE INC. | [CUSTOMER_NAME]
---|---
Name | Name
Title | Title
Signature | Signature
Date | Date
APPENDIX A – PROCESSING PARTICULARS
- LIST OF PARTIES
Data exporter(s): [Identity and contact details of the data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]
1. Name: Customer set forth in Agreement
   Address: As set forth in the Agreement, or as set forth below.
   Role: Controller or Processor
Data importer(s):
1. Name: Quark Software Inc.
   Address: 1600 East Beltline Ave., N.E., Suite 210, Grand Rapids, MI 49525
   Role: Processor
- DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Customer may submit Personal Data, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:
- Employees, agents, advisors, freelancers of Customer (who are natural persons); and
- Customer’s users, partners, and customers and the users and employees of those entities.
Categories of personal data transferred
Customer may submit Personal Data, the extent of which is determined and controlled by Customer (including Customer’s users, partners, and customers, in each case as applicable) in its sole discretion, and which may include, but is not limited to, the following types of Personal Data:
- Identification and contact data (name, address, phone number, email address);
- IT information (computer ID, user ID and password, domain name, IP address, log files, software usage pattern tracking information (i.e. cookies and information recorded for operation and training purposes)); and
- If the parties mutually agree on an expanded use case, financial information (account details, payment information).
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
No sensitive data is transferred.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
Data is transferred on a continuous basis during the term of the Quark Master Subscription Agreement and this DPA.
Nature of the processing
The nature of the processing of Customer Data is set out in the Quark Master Subscription Agreement and this DPA.
Purpose(s) of the data transfer and further processing
The purposes of the processing of Customer Data are set out in the Quark Master Subscription Agreement and this DPA.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
Personal Data shall be retained by Quark for no longer than necessary to effect the services set out in the Quark Master Subscription Agreement and this DPA, subject to exemptions as set forth in Section 2.11 of this DPA.
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
Quark transfers the Personal Data listed above to certain Sub-Processors (listed in Appendix C) for the sole purpose of facilitating Quark’s provision of services under the Quark Master Subscription Agreement. Sub-Processors have been instructed to retain any Personal Data processed by Quark for no longer than necessary to render sub-processing services for Quark.
APPENDIX B – SPECIFIC SECURITY MEASURES
TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA
Security Controls
Quark’s information technology systems, which include those owned by Quark and those owned and operated by a third party for the benefit and use of Quark (“System”), include a variety of security controls. These controls include:
- Unique User identifiers (User IDs) to ensure that activities can be attributed to the responsible individual.
- The ability to accept logins to the System from only authorized IP address ranges.
- Controls to revoke access after several consecutive failed login attempts.
- Controls on the number of invalid login requests before locking out a User.
- Password controls, which via SAML2 integration can be delegated to and controlled by the customer’s IdP.
Quark has achieved ISO 27001 certification and the Information Security Management System (ISMS) that runs the SaaS service is now subject to an annual independent audit. If Customer has purchased the Platinum Support package, Quark will support an annual customer audit by security questionnaire, providing evidence of controls where possible, for Customer to assess whether the controls comply with any needed industry- or country-specific information security requirements. More frequent review, or findings meaning that additional controls may need to be implemented, may require additional commercial discussions between the parties to come to a mutually agreed action plan.
Intrusion Detection
Quark, or an authorized third party, will monitor the System for unauthorized intrusions using network-based intrusion detection mechanisms.
User Authentication
Access to the Service requires a valid User ID and password combination, which are encrypted via SSL while in transmission. An encrypted session ID cookie is used to uniquely identify each User.
Security Logs
Quark shall ensure that log information for all Quark cloud systems, including applications, services, servers and other equipment is logged to their respective system log facility or a centralized logging account, in order to protect the logs from tampering and ensure investigations can be performed as needed. Logging will be kept for a minimum of 90 days and if there is suspicion of inappropriate access, Quark has the ability to review log entry records to assist in forensic analysis.
Incident Management
Quark maintains security incident management policies and procedures, including detailed security incident escalation procedures.
Quark will promptly notify Subscriber in the event Quark becomes aware of an actual or reasonably suspected unauthorized disclosure of Subscriber data.
Training and Awareness of Employees
All employees go through annual Information Security, Data Privacy and Compliance Training, delivered by a third-party training solution. Training is also completed during the onboarding process for new hires. Other role-specific training is provided as needed.
All employees have to review and attest annually to a Code of Conduct and an Acceptable Use Policy.
Physical Security
Quark’s production data centers are provided by AWS and have an access system that controls access to the data center. This system permits only authorized personnel to have access to secure areas. The facility is designed to withstand adverse weather and other reasonably predictable natural conditions, is secured by around-the-clock guards, biometric access screening and escort-controlled access, and is also supported by on-site back-up generators in the event of a power failure.
Data Encryption
Quark uses industry accepted encryption products to protect Subscriber Data and communications during transmissions between Subscriber’s network and the Service, including 256-bit GoDaddy SSL Certification and 1024-bit RSA public keys.
Data at rest (EBS volumes, S3 and RDS) is encrypted using keys managed via AWS KMS.
System Changes and Enhancements
Quark plans to enhance and maintain the System during the term of the Agreement. Security controls, procedures, policies and features may change or be added.
Quark will provide security controls that deliver a level of security protection that is not materially lower than that provided as of the Effective Date and that meets the financial industry laws and regulations.
Vendor Management
Quark performs due diligence on its critical vendors at purchase and at renewal, including putting an NDA, a contract and a DPA in place, to ensure vendors only process data in order to provide Quark the purchased services and have the technical and organizational measures needed to fully protect the data, based on its classification.
Vulnerability Management
Quark’s SaaS systems undergo an annual independent penetration test of a standard deployment.
Base container and OS scanning is performed by Amazon Inspector.
AWS Security Hub is used to track compliance with the CIS Security Controls.
Open-source vulnerability scanning, SAST and DAST scanning are performed as part of the System Development Lifecycle.
Monitoring
SaaS infrastructure, assets and resources are monitored by AWS Config, CloudWatch and CloudTrail.
Backups
Backups are encrypted and copied to a second region.
APPENDIX C – LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
Name | Processing | Territory(ies)
---|---|---
Amazon Web Services, Inc. | Cloud service provider and associated infrastructure services (analytics, compute, database, security, networking, and storage) | Headquartered in United States (not the location of processing activities). Multi-tenant SaaS systems (QPP NextGen and Quark Docurated): deployed in AWS data centers in the United States, EU and Australia (Data Controller choice as to which will be used for primary data location). Single-tenant SaaS systems (QPP NextGen and Quark Docurated): deployed in any of the AWS data center locations, selected by the Data Controller. Single-tenant cloud-hosting systems (QPP hosting): deployed in any of the AWS data center locations, selected by the Data Controller.
Service Cloud (Salesforce) | Technical product support ticketing | United States
Nalpeiron | Quark Product Licensing | United States
APPENDIX D – COMPETENT SUPERVISORY AUTHORITY
For the purposes of any Personal Data subject to the GDPR and/or the GDPR as implemented in the domestic law of the United Kingdom by virtue of Section 3 of the European Union (Withdrawal) Act 2018, where such Personal Data is processed in accordance with the Model Clauses, the competent supervisory authority shall be as follows:
- where Customer is established in an EU member state, the supervisory authority with responsibility for ensuring Customer’s compliance with the GDPR shall act as competent supervisory authority;
- where Customer is not established in an EU member state, but falls within the extra-territorial scope of the GDPR and has appointed a representative, the supervisory authority of the EU member state in which Customer’s representative is established shall act as competent supervisory authority; or
- where Customer is not established in an EU member state but falls within the extra-territorial scope of the GDPR without however having to appoint a representative, the supervisory authority of the EU member state in which the Data Subjects are predominantly located shall act as competent supervisory authority.
In relation to Personal Data that is subject to the U.K. GDPR, the competent supervisory authority is the United Kingdom Information Commissioner’s Office, subject to the additional terms set forth in the International Data Transfer Addendum to the EU Model Clauses attached hereto as “Appendix E”.
In relation to Personal Data that is subject to the data privacy laws of Switzerland, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
APPENDIX E – U.K. INTERNATIONAL DATA TRANSFER ADDENDUM
This U.K. INTERNATIONAL DATA TRANSFER ADDENDUM (“IDTA”) forms a part of the Data Processing Addendum (“DPA”) entered into by and between Quark, Inc. (“Quark”) and the party identified as the Customer in the DPA (“Customer”). Unless otherwise specified, all capitalized terms used in this IDTA have the meanings provided in the DPA.
- Scope of IDTA. The obligations set forth in this IDTA apply solely to Personal Data subject to the U.K. GDPR that is processed under the DPA (“U.K. Personal Data”).
- Incorporation of the U.K. Addendum. The parties agree that the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, as issued by the U.K. Information Commissioner’s Office under s.119A (1) of the U.K. Data Protection Act 2018 (“U.K. Addendum”) is incorporated by reference into and forms a part of this IDTA as if fully set forth herein. Each party agrees that execution of the DPA (to which this IDTA is attached as an appendix and incorporated by reference) shall have the same effect as if the parties had simultaneously executed a copy of the U.K. Addendum.
- Interpretation of the Model Clauses. For purposes of Processing U.K. Personal Data, any references in the DPA to the Model Clauses shall be read to incorporate the mandatory amendments to the Model Clauses set forth in the U.K. Addendum.
- Addendum Terms. Tables 1 through 4 of the U.K. Addendum shall be completed as follows:
  - In Table 1 of the U.K. Addendum, the “Start Date” shall be the Effective Date of the DPA, and the details and contact information for the “data exporter” and the “data importer” shall be as specified in Appendix I of the DPA.
  - In Table 2 of the U.K. Addendum:
    - The version of the Model Clauses incorporated by reference into the DPA shall be the version applicable to this IDTA.
    - Those provisions of the Model Clauses applicable under Module Two shall apply to this IDTA.
    - The optional clauses and provisions of the Model Clauses applicable to this IDTA shall be those clauses and provisions specified in Section 2.3 of the DPA.
  - In Table 3 of the U.K. Addendum, the information required in Annexes I (both 1A and 1B), II, and III shall be as provided in Appendices A, B, and C of the DPA, respectively.
  - In Table 4 of the U.K. Addendum, if the ICO issues any revisions to the U.K. Addendum after the Effective Date (“ICO Revision”), Customer and Quark shall each have the right to terminate this IDTA in accordance with the U.K. Addendum, the DPA, and the Agreement. Upon such termination of this IDTA:
    - Quark shall cease its Processing of the U.K. Personal Data; and
    - Each party shall follow the processes described in Section 2.11 of the DPA with respect to the U.K. Personal Data.
Notwithstanding the foregoing, termination of this IDTA in the event of an ICO Revision shall not terminate the DPA, the Agreement, and/or the obligations of either party arising thereunder with respect to Personal Data other than U.K. Personal Data, except and unless expressly agreed by and between the parties.
- No Amendments. The terms of the U.K. Addendum have not been amended in any way except as expressly stated herein.