Data Processing Addendum
This Data Processing Addendum ("DPA") supplements the XHR Software Inc. License Agreement and XHR Software Inc. Privacy Policy (the "Agreement") and is incorporated by reference. This DPA is made by and between XHR Software Inc., a Delaware C-Corp ("XHR Software"), and the Customer, defined as any entity or individual who has entered into an Agreement with XHR Software Inc.
This DPA contains terms to ensure that adequate safeguards are in place with respect to the protection of Personal Data to be processed by XHR Software in the delivery of the Service for the Purpose pursuant to the Agreement, as required by the Applicable Data Protection Laws.
1. Definitions
1.1. Terms not defined in this DPA shall have the meaning set forth in the Agreement.
1.2. Key definitions based on the XHR Software DPA:
"Data Protection Laws" means any applicable local, national, or international laws, rules, and regulations related to privacy, security, data protection, and/or the processing of Personal Data, as amended, replaced, or superseded from time to time, including but not limited to EU/UK Data Protection Laws and United States Data Protection Laws.
"EU/UK Data Protection Laws" means the GDPR and the UK GDPR and any legislation and/or regulation implementing or made pursuant to them, or which amends, replaces, re-enacts, or consolidates any of them.
"GDPR" means the General Data Protection Regulation (Regulation (EU) 2016/679).
"Personal Data" means all data that is defined and regulated as 'Personal Data' in the EU Data Protection Laws and that XHR Software processes on behalf of the Customer in connection with the Service.
"UK GDPR" means the United Kingdom General Data Protection Regulation.
"United States Data Protection Laws" means any United States state or federal data protection law as such law may be amended, replaced, or consolidated from time to time, including but not limited to the CCPA.
"CCPA" means the California Consumer Privacy Act of 2018 and any binding regulations promulgated thereunder.
"Processing," "Data Controller," "Data Subject," "Supervisory Authority," and "Data Processor" will have the meanings ascribed to them in the UK GDPR.
2. Status of the Parties
2.1 The Agreement determines the subject matter and duration of XHR Software's processing of Personal Data, as well as the nature and purpose of any collection, use, and other processing of Personal Data (collectively, the "Particulars") and the rights and obligations of the Customer.
2.2 In respect of the parties' rights and obligations under this DPA regarding Personal Data, the parties hereby acknowledge and agree that: (a) For Customer Personal Data, XHR Software is the Data Processor, and the Customer is the Data Controller. (b) For End User Personal Data, XHR Software acts as a Data Processor on behalf of the Customer or, in certain cases, as a Sub-processor.
2.3 XHR Software agrees that it will process all Personal Data in accordance with its obligations under this DPA and the Applicable Data Protection Laws.
3. General Obligations Relating to the Processing of Personal Data
3.1 As between the parties, the Customer is solely responsible for obtaining, and represents and covenants that it has obtained and will obtain, all necessary consents, licenses, and approvals for the processing or otherwise has a valid legal basis under Data Protection Laws for the Processing of any Personal Data as part of the Services (the "Customer Legal Basis Assurance"). Each of the Customer and XHR Software warrants that it will comply with (and will ensure that any of its staff and/or subcontractors comply with) the instructions and obligations determined in this Agreement and the Data Protection Laws. However, XHR Software's warranty is subject to the Customer Legal Basis Assurance.
3.2 To the extent that the Customer provides its Personal Data to XHR Software, the Customer is solely responsible for ensuring the accuracy, quality, and legality of the Personal Data processed by XHR Software, including the means by which the Personal Data was obtained.
3.3 The Customer undertakes that all instructions for the Processing of Personal Data under the Agreement or this DPA will comply with the Data Protection Laws and will not cause XHR Software to be in breach of any Data Protection Laws.
3.4 Each of the Customer and XHR Software agrees to notify the other immediately if it determines that it can no longer meet its obligations under applicable Data Protection Laws or this DPA.
3.5 With respect to all Personal Data, XHR Software agrees that it will:
(a) Process the Personal Data only in order to provide the Services and act only in accordance with this Agreement and the Customer's written instructions. The terms of the Agreement and this DPA constitute the Customer's written instructions to XHR Software in relation to the processing of Personal Data. The Customer may issue additional instructions for processing at any time, subject to XHR Software's prior written agreement, unless required by applicable law.
(b) If applicable law requires XHR Software to process Personal Data other than per the Customer's instructions, it will immediately notify the Customer (unless prohibited by law).
(c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risks presented by the processing. These measures include encryption, access controls, regular security audits, and other safeguards specified in XHR Software's information security policies, available at https://docs.xhr.dev/security.html.
(d) Ensure that its personnel access Personal Data only as necessary to perform the Service in accordance with the Agreement and this DPA, and that such persons are bound by confidentiality obligations.
(e) Notify the Customer within twenty-four (24) hours of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data in XHR Software's possession or under its control (a "Security Breach").
(f) Assist the Customer, upon request, in responding to data subjects' requests to exercise their rights under applicable Data Protection Laws.
(g) Return or delete, at the Customer's discretion, the Customer's Personal Data within the period specified in the Privacy Policy upon termination or expiration of the Agreement, unless retention is required by applicable law.
4. Obligations Relating to the Processing of Personal Data Subject to EU/UK Laws
4.1 With respect to all Personal Data subject to EU/UK Data Protection Laws, XHR Software agrees that it will:
(a) Inform the Customer as soon as possible if, in XHR Software's opinion, any instructions provided by the Customer under Section 3.5(a) infringe the GDPR or UK GDPR.
(b) Maintain records of its processing activities as required by EU/UK Data Protection Laws and make such records available to the applicable supervisory authority and/or the Customer upon request.
5. Obligations Relating to the Processing of Personal Data Subject to United States Data Protection Laws
5.1 XHR Software agrees that it will not:
(a) Sell or share Personal Data for monetary or other valuable consideration.
(b) Retain, use, or disclose Personal Data for any purpose other than providing the Services described in this DPA.
(c) Combine Personal Data with other data unless necessary for the Services.
6. Sub-processing
6.1 The Customer authorizes XHR Software to appoint Sub-processors in accordance with this Section. XHR Software publishes a list of its Sub-processors in the Sub-processor Agreement.
6.2 XHR Software will provide the Customer with prior written notice of any changes to the Sub-processor List, including details of the processing to be undertaken by the Sub-processor, giving the Customer thirty (30) days to object.