
Appendix 6 - Data Processing Agreement

Service Eunoia Security Hub
SaaS Essential and Enterprise Offers 

1. PREAMBLE

This Data Processing Agreement (“DPA”) forms an integral part of the Master Service Agreement (the “Agreement”) entered into between EUNOIA (“Processor”) and the Licensee (“Controller”), collectively referred to as the “Parties”. 

The purpose of this DPA is to set out the terms and conditions under which EUNOIA processes Personal Data on behalf of the Licensee in connection with the provision of the EUNOIA Security Hub service (the “Service”). 

In case of any inconsistency between this DPA and the provisions of the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.  

2. DEFINITIONS

For the purposes of this DPA, the following terms shall have the meanings set out below. Terms not otherwise defined shall have the meaning given to them in the Agreement. 

  • “Personal Data” means any information relating to an identified or identifiable natural person as defined under applicable data protection laws. 

  • “Controller” means the natural or legal person which determines the purposes and means of the processing of Personal Data. For this DPA, the Licensee acts as Controller. 

  • “Processor” means the natural or legal person which processes Personal Data on behalf of the Controller. For this DPA, EUNOIA acts as Processor. 

  • “Processing” means any operation performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, storage, adaptation, alteration, retrieval, consultation, use, disclosure, erasure or destruction. 

  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller. 

  • “Data Subject” means an identified or identifiable natural person to whom the Personal Data relates. 

  • “Data Protection Legislation” means all applicable laws and regulations relating to the protection of Personal Data, including but not limited to the GDPR. 

3. SCOPE OF PROCESSING

EUNOIA shall process personal data solely for the purpose of delivering the Service to the Controller in accordance with the Agreement, this DPA, and the documented instructions of the Controller. 

Processing shall include the hosting, storage, transmission and support of the Controller’s data within the EUNOIA Security Hub SaaS platform. 

EUNOIA shall not process Personal Data for its own purposes, nor for the purposes of any third party, and shall not sell or disclose Personal Data except as strictly necessary to provide the Service or as required by law. 

4. OBLIGATIONS OF THE CONTROLLER (LICENSEE)

4.1 Lawful basis and instructions

The Controller shall ensure that all Personal Data provided to EUNOIA for Processing has been collected and is processed in compliance with Data Protection Legislation. The Controller warrants that it has obtained all necessary consents or has established another valid legal basis for the Processing of Personal Data. 

4.2 Accuracy and minimisation

The Controller shall ensure that Personal Data supplied to EUNOIA is accurate, relevant, and limited to what is necessary for the purposes of the Service.

4.3 Data subject rights 

The Controller remains solely responsible for managing and responding to requests from Data Subjects (such as rights of access, rectification, erasure, restriction, portability and objection). The Controller may request EUNOIA’s reasonable assistance in fulfilling such requests, in accordance with section 7 of this DPA. 

4.4 Security measures on controller’s side 

The Controller is responsible for implementing appropriate organisational and technical measures within its own environment to ensure the protection of Personal Data before it is transmitted to EUNOIA. This includes, but is not limited to, user access controls, encryption of local devices where applicable, and ensuring secure communication with the Service. 

4.5 Notification to processor 

The Controller shall promptly notify EUNOIA if it becomes aware of any inaccuracy in the Personal Data, any unauthorised disclosure of Personal Data within its control, or any potential breach that may impact the Processing carried out by EUNOIA. 

4.6 Indemnification 

The Controller shall indemnify and hold harmless EUNOIA against any claim, complaint, or regulatory action arising from the Controller’s failure to comply with its obligations under this DPA and applicable Data Protection Legislation. 

5. OBLIGATIONS OF THE PROCESSOR (EUNOIA)

5.1 Processing on documented Instructions 

EUNOIA shall process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. In such case, EUNOIA shall inform the Controller of that legal requirement before Processing, unless the law prohibits such information on important grounds of public interest. 

5.2 Confidentiality

EUNOIA shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. 

5.3 Technical and organisational measures 

EUNOIA shall implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing. Such measures are described in Appendix 2 – Security Assurance Plan and Shared Responsibility Model, which forms an integral part of this Agreement. 

5.4 Sub-processors 

EUNOIA shall not engage another processor (“Sub-processor”) without prior general written authorisation from the Controller. The list of authorised Sub-processors is maintained and regularly updated by EUNOIA and made available to the Controller upon request. 
Where EUNOIA engages a Sub-processor for carrying out specific processing activities, substantially the same data protection obligations as set out in this DPA shall be imposed on the Sub-processor by way of a written contract. 
EUNOIA shall remain fully liable to the Controller for the performance of the Sub-processor’s obligations. 

5.5 Assistance to the controller 

EUNOIA shall, taking into account the nature of Processing and the information available to it, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligations to respond to requests for exercising Data Subject rights. 

5.6 Data breach notification 

EUNOIA shall notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a Personal Data Breach. The notification shall include all information reasonably available to EUNOIA to enable the Controller to comply with its own legal obligations to notify the competent supervisory authority and affected Data Subjects. 

5.7 Data Protection Impact Assessment (PIA) 

EUNOIA shall provide reasonable assistance to the Controller in carrying out data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of Processing and the information available to EUNOIA. 

5.8 Return or deletion of data 

At the choice of the Controller, and upon termination or expiry of the Agreement, EUNOIA shall return all Personal Data to the Controller and/or securely delete all existing copies, unless retention of the Personal Data is required by law. Unless otherwise agreed, such return or deletion shall take place within thirty (30) days of the termination or expiry date. 

5.9 Return or deletion of data 

EUNOIA shall maintain records of all categories of Processing activities carried out on behalf of the Controller and shall make them available to the Controller upon request. 

6. INTERNATIONAL DATA TRANSFERS

6.1 Restriction on transfers 

 EUNOIA shall not transfer Personal Data to a country outside the European Economic Area (“EEA”) or to an international organisation, unless such transfer complies with applicable Data Protection Law. 

6.2 Adequacy decisions and safeguards

 Where Personal Data is transferred outside the EEA, EUNOIA shall ensure that: 

  • the destination country is subject to an adequacy decision of the European Commission; or 

  • appropriate safeguards are provided, such as Standard Contractual Clauses approved by the European Commission, binding corporate rules, or other lawful mechanisms. 

6.3 Notification to the controller 

EUNOIA shall inform the Controller of any intended transfer of Personal Data outside the EEA, specifying the legal mechanism relied upon. 

6.4 Sub-processors located outside the EEA 

 Where a Sub-processor processes Personal Data outside the EEA, EUNOIA shall ensure that such Sub-processor is bound by data protection obligations consistent with this DPA and that adequate transfer safeguards are in place. 

7. DATA OWNERSHIP AND RESPONSIBILITY

7.1 Ownership of personal data 

All Personal Data processed under this DPA remains the property of the Controller and/or the Data Subjects. Nothing in this Agreement shall confer to EUNOIA any rights or interest in such Personal Data. 

7.2 Responsibility of the controller 

 The Controller remains solely responsible for: 

  • the lawfulness of the collection and Processing of Personal Data; 

  • ensuring that Data Subjects are duly informed and, where required, have given valid consent; 

  • the accuracy, quality, and legality of the Personal Data provided to EUNOIA. 

7.3 Indemnification 

The Controller shall indemnify and hold harmless EUNOIA against any claim, complaint, action or proceeding brought by a Data Subject or a third party arising from the Controller’s failure to comply with its legal obligations in relation to Personal Data. 

7.4 No liability for disputes with data subjects

EUNOIA shall not be a party to, nor held liable for, any disputes between the Controller and Data Subjects concerning the collection, processing, or sharing of Personal Data by the Controller. 

8. LIABILITY AND LIMITATION OF LIABILITY

8.1 General liability 

Each Party shall be liable for the damages caused by any breach of its obligations under this DPA. 

8.2 Processor’s liability 

EUNOIA shall only be liable for damages caused by Processing where it has not complied with obligations specifically directed to processors under Data Protection Law, or where it has acted outside or contrary to the lawful instructions of the Controller. 

8.3 Controller’s liability 

The Controller shall be liable for ensuring that Personal Data is processed lawfully, fairly, and transparently, and for providing accurate and lawful instructions to EUNOIA. 

8.4 Limitation of liability 

The liability of each Party under this DPA shall be subject to the limitation of liability provisions set out in the Main Agreement. 

9. AUTHORIZED SUB-PROCESSORS AND SERVICE PROVIDERS

In the course of providing its services, EUNOIA engages certain technical sub-processors acting on its behalf in the processing of personal data. 

These sub-processors act solely on EUNOIA’s instructions, within the limits necessary for the performance of the services, and are bound by contractual obligations equivalent to those set forth in this DPA, in accordance with Article 28 of Regulation (EU) 2016/679 (GDPR). 

The current list of authorized sub-processors is provided in Annex 2 of this document – List of Sub-Processors Involved in Data Processing. 

EUNOIA undertakes to: 

  • engage only sub-processors that demonstrate appropriate certifications or attestations regarding information security and compliance;

  • keep this list up to date and inform the Client of any material changes;

  • ensure that personal data processing takes place within the European Economic Area (EEA), or, where an international transfer is necessary, that it relies on a mechanism recognized under the GDPR (such as the Standard Contractual Clauses (SCCs) or the EU–US Data Privacy Framework (DPF)).

In the event of any change in the European regulatory framework governing international data transfers, EUNOIA will take all reasonable and appropriate measures to maintain compliance. 

However, EUNOIA shall not be held liable for any legal or technical consequences arising from the termination, suspension, or invalidation of the DPF, or of any other adequacy agreement between the European Union and third countries, provided that it applies a recognized and valid mechanism at the time of processing. 
