This Data Processing Agreement ("DPA") supplements the AWSsome Terms & Conditions (the "Agreement") between the customer signing this DPA ("Customer" or "Publisher") and AWSsome Inc. ("Company"). The Customer enters into this DPA on behalf of itself and, where required under applicable Data Protection Laws, its Affiliates. Terms not defined here have the meaning given in the Agreement.
1.1. Affiliate means an entity that controls, is controlled by, or is under common control with a party (50% or more ownership).
1.2. Authorized Sub-Processor means a third party who accesses Customer Personal Data to enable the Company to perform its obligations, and who is either listed in Exhibit B or subsequently authorized under Section 4.
1.3. Company Account Data means personal data relating to the Company's relationship with the Customer, including names/contact information of authorized individuals and billing information.
1.4. Company Usage Data means Service usage data collected and processed in connection with providing the Services, including data to identify source/destination of communications, activity logs, and data used to optimize and secure the Services.
1.5–1.6. "Data Exporter" means the Customer; "Data Importer" means the Company.
1.7. Data Protection Laws includes the CCPA, the EU GDPR and UK GDPR (together, the "GDPR"), the Swiss FADP, the UK Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003, as amended.
1.8. EU SCCs means the standard contractual clauses in Commission Decision 2021/914 of 4 June 2021, as modified by Section 6.2.
1.9–1.13. "ex-EEA Transfer" and "ex-UK Transfer" mean transfers outside the EEA / UK not covered by an adequacy decision; "Standard Contractual Clauses" means the EU SCCs and UK SCCs; "UK SCCs" means the EU SCCs as amended by the UK Addendum.
2.1. The Customer may act as controller or processor; except as set out here, the Company is a processor. The Customer must process Personal Data and provide instructions in compliance with Data Protection Laws, and is solely responsible for the accuracy, quality and legality of Personal Data and the means of its acquisition.
2.2. The Company shall not process Personal Data other than for the purposes set out in the Agreement and Exhibit A, inconsistently with the Customer's documented instructions, or in violation of Data Protection Laws, unless required by law (in which case it informs the Customer where permitted).
2.3. Subject matter, nature, purpose and duration of processing, and the types of Personal Data and categories of Data Subjects, are described in Exhibit A.
2.4. On completion of the Services, at the Customer's choice, the Company returns or deletes Customer Personal Data, unless further storage is legally required. Where return or destruction is impracticable or legally prohibited, the Company blocks the data from further processing and continues to protect it.
2.5. CCPA. Except for Company Account Data and Company Usage Data, the Company acts as a service provider under the CCPA, does not sell personal information, and only retains, uses or discloses it as necessary to perform the Services.
3.1. The Company ensures persons authorized to process Personal Data are bound by confidentiality. The Customer agrees the Company may disclose Personal Data to its advisers, auditors or other third parties as reasonably required to perform its obligations.
4.1. The Customer agrees the Company may engage its Affiliates and Authorized Sub-Processors, and from time to time additional third parties, to process Personal Data in connection with the Services. The Customer provides general written authorization to engage sub-processors as necessary.
A list of current Authorized Sub-Processors (the "List") is available on request and may be updated from time to time. The Company provides a mechanism to subscribe to notifications of new sub-processors; a Customer that does not subscribe waives the right to prior notice. At least ten (10) days before enabling a new sub-processor to access Personal Data, the Company adds it to the List and notifies subscribers. The Customer may object in writing within ten (10) days of that notice on reasonable data-protection grounds.
5.1. If the Customer reasonably objects and the Company cannot provide a commercially reasonable alternative, the Customer may discontinue the affected Service; this does not relieve fees owed.
5.3. The Company enters into written agreements with Authorized Sub-Processors imposing comparable data protection obligations and remains liable for their performance.
6.1. Taking into account the state of the art, costs, and the nature, scope, context and purposes of processing, the Company maintains appropriate technical and organizational measures to ensure a level of security appropriate to the risk. Exhibit C sets out additional information.
7.1. The Company may transfer Personal Data outside the EEA, UK or Switzerland as necessary to provide the Services. Processing takes place in the cloud-provider region (Azure, AWS or GCP) chosen by the Customer or, absent a choice, in the region the Company's cloud provider selects automatically based on proximity. Transfers outside the EEA/UK/Switzerland occur only with appropriate safeguards under Data Protection Laws.
7.2. Ex-EEA Transfers are made pursuant to the EU SCCs, incorporated by reference: Module One (controller-to-controller) where the Company processes as a controller; Module Two (controller-to-processor) where the Customer is controller and the Company processor; Module Three (processor-to-sub-processor) where the Customer is a processor.
7.3. For each module: the optional docking clause in Clause 7 does not apply; Clause 9 Option 2 (general written authorization) applies; Clause 11 optional language does not apply; in Clause 17 the EU SCCs are governed by French law; in Clause 18(b) disputes are resolved before the courts of France; Exhibit B contains Annex I/III information and Exhibit C contains Annex II information.
7.4. Ex-UK Transfers are made pursuant to the UK SCCs as amended by the UK Addendum (Exhibit D).
7.5. Transfers from Switzerland are made pursuant to the EU SCCs with FADP modifications, including FDPIC authority over FADP-governed transfers.
7.6. Supplementary Measures. The Data Importer has not received Government Agency Requests as of the date of this DPA; if it receives one, it attempts to redirect the agency to the Customer, gives reasonable notice where lawful, does not voluntarily disclose Personal Data, and the Parties consider whether transfers should be suspended.
8.1. The Company notifies the Customer of Data Subject Requests (access, rectification, erasure, portability, restriction, withdrawal of consent, objection to automated decision-making) and advises the Data Subject to submit the request to the Customer, who is responsible for responding.
8.2. At the Customer's request, the Company applies appropriate measures to assist the Customer in responding, where the Customer cannot do so itself; the Customer is responsible for costs to the extent legally permitted.
9.1–9.2. The Company provides reasonable assistance for data protection impact assessments and consultations with Supervisory Authorities, where required by the GDPR.
9.3. The Company maintains records demonstrating compliance for three (3) years after termination; the Customer may review/audit on reasonable notice during business hours.
9.4. On written request at reasonable intervals, the Company makes available compliance certifications/reports or, where insufficient, allows an independent third-party audit, no more than once per calendar year, restricted to data relevant to the Customer, at the Customer's cost.
9.6. In the event of a Personal Data Breach, the Company informs the Customer without undue delay and within seventy-two (72) hours of becoming aware, and takes reasonable steps to remedy or mitigate.
9.7–9.8. The Company provides reasonable assistance for the Customer's notification obligations. These obligations do not apply where the breach results from the Customer's actions or omissions, and reporting is not an acknowledgement of fault.
With respect to Company Account Data and Company Usage Data, the Company is an independent controller (not a joint controller). It processes such data to manage the relationship, carry out core business operations (accounting, audits, tax, compliance), prevent fraud and security incidents, verify identity, comply with legal obligations, and as otherwise permitted. Processing as a controller is per the Company's Privacy Policy.
Order of precedence: (1) the Standard Contractual Clauses; (2) this DPA; (3) the Agreement; (4) the Company's Privacy Policy. Claims under this DPA are subject to the exclusions and limitations in the Agreement.
The Company has pre-signed this DPA. To complete it, the Customer must complete and sign the signature block, complete the "data exporter" information on Exhibit B, and send the completed Agreement to legal@awssome.io. On receipt, the DPA becomes legally binding.
AWSsome processes Customer Personal Data only to operate the AWSsome platform and fulfil Marketplace orders, as instructed by the Customer. Activities include: receiving data (collection from AWS Marketplace APIs, retrieval, recording); protecting data (encryption, access control, security testing); holding data (cloud storage, organisation); erasing data (secure deletion on request or at contract end); analysing data (usage metrics, billing reports); and sharing data (disclosure to authorised Sub-processors under this DPA).
For the life of the Agreement plus any retention required by law or documented by the Customer.
The Customer is prohibited from submitting special-category data (GDPR Art. 9) or sensitive personal data (including criminal-history data) to AWSsome.
The Parties: Data exporter (Controller) is the Customer/Publisher as named on the Agreement; Data importer is AWSsome Inc. Annex I (parties, description of transfer, competent supervisory authority), Annex II (technical and organizational measures, see Exhibit C) and Annex III (sub-processors) are completed by reference to this DPA and the information provided on signature.
AWSsome maintains an ISO/IEC 27001-certified Information Security Management System. Measures include encryption of data at rest (256-bit AES via AWS KMS) and in transit, access control on a need-to-know basis via AWS IAM, automatic key rotation, audit logging via AWS CloudTrail, SSO via AWS IAM Identity Center, and vendor security assessments prior to engaging sub-processors.