DATA PROCESSING ADDENDUM (DPA) FOR ZIPBOARD

 

1. Introduction

This Data Processing Addendum (“DPA”) forms part of the Agreement between Customer (“Data Controller”) and zipBoard (“Data Processor”) (collectively referred to as “Parties”) for the provision of services by zipBoard to the Data Controller.

 

2. Definitions

  • “Data Controller”: Refers to the entity that determines the purposes and means of the processing of Personal Data.
  • “Data Processor”: Refers to the entity that processes Personal Data on behalf of the Data Controller.
  • “Personal Data”: Refers to any information relating to an identified or identifiable natural person.
  • “Data Subject”: Refers to the individual to whom the Personal Data relates.
  • “Processing”: Refers to any operation or set of operations performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction.
  • “GDPR”: Refers to the General Data Protection Regulation (Regulation (EU) 2016/679).
  • “Services”: Refers to the services provided by zipBoard to the Data Controller as outlined in the Agreement.

 

3. Scope of the DPA

This DPA applies to the Processing of Personal Data by zipBoard on behalf of the Data Controller in connection with the provision of the Services.

This DPA sets out the rights and obligations of the Parties with respect to the Processing of Personal Data in compliance with the GDPR.

 

4. Processing of Personal Data

zipBoard shall Process Personal Data only on behalf of and in accordance with the instructions of the Data Controller, unless required to do so by applicable law. Any Processing beyond the scope of the Data Controller’s instructions shall require prior written authorization from the Data Controller.

zipBoard shall ensure that persons authorized to Process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

 

5. Security Measures

zipBoard shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to measures to protect against unauthorized or unlawful Processing and against accidental loss, destruction, or damage of Personal Data.

 

6. Subprocessing

zipBoard shall not engage any subprocessor for the Processing of Personal Data without the prior written consent of the Data Controller.

In the event zipBoard engages a subprocessor, zipBoard shall ensure that the subprocessor is bound by contractual obligations to provide sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the Processing will meet the requirements of applicable data protection laws.

 

7. Data Subject Rights

zipBoard shall assist the Data Controller in responding to requests from Data Subjects to exercise their rights under the GDPR, including but not limited to the rights of access, rectification, erasure, restriction of Processing, data portability, and objection.

 

8. Data Breach Notification

zipBoard shall notify the Data Controller without undue delay upon becoming aware of a Personal Data breach affecting the Data Controller’s Personal Data, providing sufficient information to allow the Data Controller to meet any obligations to report or inform Data Subjects of the Personal Data breach under the GDPR.

 

9. Data Protection Impact Assessments

zipBoard shall provide reasonable assistance to the Data Controller with any data protection impact assessments that may be required under the GDPR.

 

10. Data Transfer

Where Personal Data is transferred from the European Economic Area (EEA) to a country or territory outside the EEA, zipBoard shall ensure that appropriate safeguards are in place to protect the Personal Data in accordance with the requirements of the GDPR.

 

11. Term and Termination

This DPA shall remain in effect for the duration of the Agreement between the Parties and shall terminate upon termination of the Agreement, unless otherwise terminated in accordance with the terms herein.

 

12. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of Canada. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of British Columbia.