Data Transfer Agreement
Updated As Of: October 4, 2023
This Data Transfer Agreement (“DTA”) is entered into by and between Celartem, Inc. doing business as Extensis (“Extensis”) and the customer of [Extensis Online Services] (“Customer”) to the extent Customer transfers personal data to Extensis or permits Extensis to access personal data located in a jurisdiction that requires special protections to transfer information across international borders, such as the European Economic Area (“EEA”).
- Generally. The parties agree that, for any jurisdiction not listed below that requires special protections for an international data transfer, they hereby enter into and agree to be bound by the EEA Standard Contractual Clauses for transfers of personal data from that jurisdiction unless the parties otherwise agree in writing.
- Description of Processing and Status of Parties. Schedule 1 lists the parties’ statuses under relevant data protection law for each processing activity relevant to the Services.
- European Economic Area.
  - “EEA Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.
  - For transfers from the EEA that are not subject to an adequacy decision or exception, the parties hereby incorporate the EEA Standard Contractual Clauses by reference and also enter into and agree to be bound by the EEA Standard Contractual Clauses. The parties agree to select the following options made available by the EEA Standard Contractual Clauses.
    - Controller-to-Controller Information for International Data Transfers
      - Clause 11(a), Module 1: The parties do not select the independent dispute resolution option.
      - Clause 17, Module 1: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.
      - Clause 18(b), Module 1: The parties agree that the forum is the courts of Ireland.
      - Annex I(A): The data exporter is the Customer and the data importer is Extensis.
      - Annex I(B): The parties agree that Schedule 1 describes the transfer.
      - Annex I(C): The competent supervisory authority is the Data Protection Commission of Ireland.
      - Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.
      - Annex III: The parties agree that Schedule 1 describes the relevant subprocessors and their roles in processing personal data.
    - Controller-to-Processor Information for International Data Transfers
      - Clause 9, Module 2(a): The parties select Option 2. The time period is 30 days.
      - Clause 11(a), Module 2: The parties do not select the independent dispute resolution option.
      - Clause 17, Module 2: The parties select Option 1. The parties agree that the governing jurisdiction is Ireland.
      - Clause 18, Module 2: The parties agree that the forum is the courts of Ireland.
      - Annex I(A): The data exporter is the Customer and the data importer is Extensis. The statuses of the parties as Controllers or Processors are described in Schedule 1.
      - Annex I(B): The parties agree that Schedule 1 describes the transfer.
      - Annex I(C): The competent supervisory authority is the Data Protection Commission of Ireland.
      - Annex II: The parties agree that Schedule 2 describes the technical and organizational measures applicable to the transfer.
      - Annex III: The parties agree that Schedule 1 describes the relevant subprocessors and their roles in processing personal data.
- Switzerland. The parties agree to the following modifications to the EEA Standard Contractual Clauses to make them applicable to transfers of personal data from Switzerland.
  - The parties adopt the GDPR standard for all data transfers from Switzerland.
  - Clause 13 and Annex I(C): The competent authorities under Clause 13, and in Annex I(C), are the Federal Data Protection and Information Commissioner and, concurrently, the EEA member state authority identified above.
  - Clause 17: The parties agree that the governing jurisdiction is [Switzerland].
  - Clause 18: The parties agree that the forum is [the courts of Switzerland]. The parties agree to interpret the EEA Standard Contractual Clauses so that data subjects in Switzerland are able to sue for their rights in Switzerland in accordance with Clause 18(c).
  - The parties agree to interpret the EEA Standard Contractual Clauses so that “data subjects” includes information about Swiss legal entities until the revised Federal Act on Data Protection becomes operative.
- United Kingdom.
  - “IDTA” means the International Data Transfer Agreement issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as modified by the UK Information Commissioner’s Office from time to time.
  - For transfers from the United Kingdom that are not subject to an adequacy decision or exception, the parties hereby incorporate the IDTA by reference and, by signing this DTA, also enter into and agree to be bound by the Mandatory Clauses of the IDTA.
  - Pursuant to Sections 5.2 and 5.3 of the IDTA, the parties agree that the following information is relevant to Tables 1 – 4 of the IDTA and that by changing the format and content of the Tables neither party intends to reduce the Appropriate Safeguards (as defined in the IDTA).
    - Table 1: The parties’ details, key contacts, data subject contacts, and signatures are in the signature block of the DTA.
    - Table 2:
      - The law that governs the IDTA is England and Wales.
      - The primary place for legal claims to be made by the parties is the courts of England.
      - The statuses of the Data Exporter and Data Importer are described in Exhibit 1.
      - The Data Importer represents and warrants that the UK GDPR does not apply to its processing of personal data under the Agreement.
      - The relationship among the agreements setting forth data protection terms among the parties, including this Section, the DTA, and the Agreement, is described in Section 1 of the DTA.
      - The duration that the parties may process personal data is set forth in the DTA.
      - The IDTA is coterminous with the DTA. Neither party may terminate the IDTA before the DTA ends unless one of the parties breaches the IDTA or the parties agree in writing.
      - The Data Importer may transfer personal data to another organization or person (who is a different legal entity) if such transfer complies with the IDTA’s applicable Mandatory Clauses.
      - The parties will review the Security Requirements listed in Table 4, and the supplementary measures described in Schedule 3, to this DTA every twelve (12) months.
    - Table 3:
      - The categories of personal data, Sensitive Data, data subjects, and purposes of processing are described in Exhibit 1. Such description may only be updated by written agreement of the parties.
    - Table 4:
      - The security measures adopted by the parties are described in Schedule 2 of this DTA. Such security measures may only be updated by written agreement of the parties.
Schedule 1: Description of the Processing
- Processing Activity (nature and purpose of the processing; categories of data subjects): Extensis processes personal data to provide the Services, or in connection with the Services receives personal data from Customer, or collects personal data on Customer’s behalf.
  - Status of the Parties as Controllers or Processors: Customer is a Controller. Extensis is a Processor.
  - Status of the Parties as Data Exporters or Importers: Customer is the Data Exporter. Extensis is the Data Importer, and imports data into the United States.
  - Categories of Personal Data Processed: Any personal data Customer discloses to Extensis or that Extensis collects on Customer’s behalf.
  - Categories of Sensitive Data Processed: None
  - Frequency of Transfer: Continuous
  - Extensis’s Subprocessors that support the processing activity: Amazon Web Services, Avalara, Azure, BlueSnap, Calendy, ChurnZero, Clarifai, Datadog, DoubleClick, Dynamics NAV, Gong, google-analytics.com, HotJar, Hubspot, keylight Subscription Suite, Linkedin Sales Navigator, Mailchimp/Mandrill, Microsoft Corporation, Mimecast, Mission Cloud, NachoNacho, Okta, PartnerStack, Pendo, Revulytics (Revenera), Salesforce, SendGrid, Slack, Surveymonkey, Zendesk, Zenduty, Zoom, Zuora
  - Applicable SCCs Module: Module 2
- Processing Activity (nature and purpose of the processing; categories of data subjects): Extensis collects personal data of Customer’s employees, personnel, contractors, or agents to provide professional services in support of the Services.
  - Status of the Parties as Controllers or Processors: Customer is a Controller. Extensis is a Controller.
  - Status of the Parties as Data Exporters or Importers: Customer is the Data Exporter. Extensis is the Data Importer, and imports data into the United States.
  - Categories of Personal Data Processed: Name, email address, other contact information, and end-user unique ID. For clarity, Extensis is a Processor with respect to any personal data that Customer provides about its customers or end-users.
  - Categories of Sensitive Data Processed: None
  - Frequency of Transfer: Continuous
  - Applicable SCCs Module: Module 1
- Processing Activity (nature and purpose of the processing; categories of data subjects): Extensis processes account data in support of its obligations under the Software as a Service Agreement.
  - Status of the Parties as Controllers or Processors: Customer is a Controller. Extensis is a Controller.
  - Status of the Parties as Data Exporters or Importers: Customer is the Data Exporter. Extensis is the Data Importer, and imports data into the United States.
  - Categories of Personal Data Processed: Data that relates to the accounts that Customer’s personnel may create in connection with using the Services, including the names or contact information of individuals authorized by Customer to access Customer’s account and billing information of individuals that Customer has associated with its account. Analytical, usage, telemetry, data, and logs that Extensis generates when Customer’s personnel use the Services. Data that Extensis may need to collect for the purpose of identity verification.
  - Categories of Sensitive Data Processed: None
  - Frequency of Transfer: Continuous
  - Applicable SCCs Module: Module 1
- Processing Activity (nature and purpose of the processing; categories of data subjects): The parties process personal data of their respective personnel to, e.g., (a) administer and provide the Services; (b) manage invoices; (c) manage the Agreement and resolve any disputes relating to it; (d) respond and/or raise general queries; and (e) comply with their respective regulatory obligations.
  - Status of the Parties as Controllers or Processors: Customer is a Controller. Extensis is a Controller.
  - Status of the Parties as Data Exporters or Importers: Customer is the Data Exporter. Extensis is the Data Importer, and imports data into the United States.
  - Categories of Personal Data Processed: Name, title, and contact information of the parties’ personnel.
  - Categories of Sensitive Data Processed: None
  - Frequency of Transfer: Continuous
  - Applicable SCCs Module: Module 1
Schedule 2: Technical and Organizational Security Measures
In its capacity as a Processor, Extensis has implemented a written information security policy that addresses:
- Roles and responsibilities for managing security controls.
- Employee disciplinary measures.
- Exceptions management.
- Risk assessments.
- Employee training.
- Asset management and encryption.
- Physical and environmental security.
- Access controls.
- Logging and monitoring.
- Incident response.
- Business continuity and disaster recovery.
- Mobile devices and telework.
Extensis uses a secure solution to facilitate transfers of personal data with customers.