EZSIGNAGE – DATA PROCESSOR DATA PROCESSING AGREEMENT
This Data Processing Agreement is made between:
(1) Smartzone Enterprises, whose trading address is 10/358 A, KAILASAM, CHUNAKKARA, ALLEPPY, Kerala, INDIA Kerala 690505 (“EZSignage”); and
(2) The Customer as defined in the EZSignage Main Agreement (as defined below) (“the Customer”).
And is entered into and dated the same date as the Main Agreement.
BACKGROUND
(A) EZSignage is a specialist provider of digital display software and other services including the EZSignage Content Management System (CMS), Xibo Message Relay (XMR) and EZSignage Player which it makes available as On-Premise products or as a software as a service on a subscription basis.
(B) EZSignage digital signage CMS, EZSignage Player is a white-labeled product of XIBO Signage, Xibo Signage Limited, whose trading address is Curtis House, 34 Third Avenue, Hove, United Kingdom BN3 2PD (“Xibo”); or Xibo Signage Netherlands BV, whose trading address is Blaak 520, 3011TA, Rotterdam, Netherlands – a wholly owned subsidiary of Xibo Signage Ltd.
(C) As part of the provision of its services to the Customer, including provided where referenced pursuant to a Main Agreement, EZSignage may process personal data on behalf of the Customer.
(D) This Data Processing Agreement sets out the terms, requirements and conditions on which EZSignage will process personal data when providing services to the Customer. The Terms of which are Agreed as follows:
AGREED TERMS
1. Data Protection
1.1 EZSignage has agreed to provide digital display software and other services (‘the Services’) to the Customer. In the performance of such Services, EZSignage may process Protected Data (defined below) on behalf of the Customer.
1.2 In consideration for the Customer engaging the services of EZSignage, EZSignage shall comply with the data security, confidentiality and other obligations imposed on it under this Data Processing Agreement.
1.3 For the purposes of this Data Processing Agreement: “Authorized Persons” the persons or categories of persons that the Customer authorizes to give EZSignage Administrators Personnel data processing instructions, being the signatories to this Data Processing Agreement.
“Business Purposes” the services described in this Data Processing Agreement or relevant Main Agreement or any other purpose specifically identified in Appendix A.
“Data Controller, Data Processor, Data Protection Officer, Data Subject, Personal Data, Personal Data Breach, Process, Processed and Processing” shall bear their respective meanings given in the Data Protection Legislation;
“Data Protection Legislation” means any legislation relating to the processing, privacy and use of personal data, as applicable to the Customer, EZSignage and/or the Services being provided including under any relevant Main Agreement, including: the Data Protection Regulations and all other applicable legislation as per the Indian Governing laws in relation to the protection of personal data and/or any corresponding or equivalent national legislation in any relevant jurisdiction (once in force and applicable).
“Data Subject Requests” a request made by a Data Subject to exercise any rights of Data Subjects under Data Protection Legislation relating to the Protected Data;
“Main Agreement” a commercial agreement/Commercial PO entered into by the parties for the provision of the Services to which this Data Processing Agreement attaches.
“Protected Data” any personal data received from or on behalf of the Customer or otherwise obtained, created, generated, transmitted, stored or processed in connection with the performance of the EZSignage’s obligations under this Data Processing Agreement or the Main Agreement.
“EZSignage Personnel” all employees, staff, other workers, agents and consultants of EZSignage and of any sub-contractors who are engaged in the provision of the Services under this Data Processing Agreement from time to time.
1.4 EZSignage and the Customer acknowledge that for the purposes of the Data Protection Legislation, the Customer is the Data Controller and the EZSignage is the Data Processor of any Protected Data in relation to which EZSignage is providing the Services.
1.5 Appendix 1 sets out the details of the processing of personal data. The Customer may make reasonable amendments to Appendix 1 by written notice to EZSignage from time to time as the Customer reasonably considers necessary to meet those requirements.
1.6 In the event of any conflict between the terms of this Data Processing Agreement and the Main Agreement, this Data Processing Agreement shall prevail.
2. Personal Data Types and Processing Purposes
2.1. The Customer and EZSignage acknowledge that for the purpose of the Data Protection Legislation, the Customer is the controller and EZSignage is the processor.
2.2. The Customer retains control of the Protected Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices, and the Customer further warrants to EZSignage that:
2.2.1. it has obtained and will obtain any necessary consents and has a lawful basis for any processing instructions it gives to EZSignage; and
2.2.2. it has in place and will maintain in place appropriate technical and organizational measures against:
2.2.2.1. unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data;
2.2.2.2. accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data;
2.2.2.3. hacking, or unauthorized access or technical or physical disruption to its hosting, systems or services (including ensuring security, confidentiality, integrity, availability and resilience of its hosting, systems and services); and shall ensure that availability of and access to Protected Data can be restored in a timely manner after an incident, and shall regularly, test, assess and evaluate the effectiveness of its systems and the technical and organizational measures adopted by it, including as set out in this clause 2.2.2.
3. Obligations of EZSignage
3.1. EZSignage will only process the Protected Data to the extent, and in such a manner, as is necessary for the Business Purposes in accordance with the Customer’s instructions from Authorized Persons. EZSignage will not process the Protected Data in a way that does not comply with this Data Processing Agreement or Main Agreement or the Data Protection Legislation. EZSignage must promptly notify the Customer if, in its opinion, the Customer’s instruction would not comply with the Data Protection Legislation.
3.2. EZSignage must comply with any Customer request or instruction from Authorized Persons requiring EZSignage to amend, transfer, delete or otherwise process the Protected Data, or to stop, mitigate or remedy any unauthorized processing.
3.3. EZSignage will maintain the confidentiality of all Protected Data and will not disclose Protected Data to third parties unless the Customer or this Data Processing Agreement, or relevant Main Agreement, specifically authorizes the disclosure, or if the Protected Data is anonymized by EZSignage, or as required by law. If a law, court, regulator or supervisory authority requires EZSignage to process or disclose Protected Data, EZSignage will use reasonable endeavors to first inform the Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.
3.4. EZSignage will reasonably assist the Customer with meeting the Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of EZSignage’s processing and the information available to EZSignage, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation.
3.5. The Customer must promptly notify EZSignage of any changes to Data Protection Legislation that may adversely affect EZSignage ’s performance of this Data Processing Agreement, or relevant Main Agreement.
3.6. EZSignage will only collect Protected Data for the Customer using a notice or method that the Customer specifically pre-approves, the purpose or purposes for which their Protected Data will be processed, and any other information that, having regard to the specific circumstances of the collection and expected processing, is required to enable fair processing.
4. Security
4.1. EZSignage will implement and maintain in place appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Protected Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Protected Data.
4.2. EZSignage will implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
4.2.1. the encryption of personal data;
4.2.2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
4.2.3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4.2.4. a process for regularly testing, assessing and evaluating the effectiveness of security measures; and
4.2.5. the anonymization of any Protected Data required for analytical data purposes.
5. Breach Notification
5.1. EZSignage shall:
5.1.1. notify the Customer if it becomes aware of any unauthorized or unlawful processing of, loss of, damage to or destruction or corruption of, the Protected Data, or any attempts to gain unauthorized access to Protected Data and any notification must, at the very least, contain the information required by Data Protection Legislation;
5.1.2. within forty-eight (48) hours, provide the Customer with sufficient information to allow the Customer to meet any notification obligations to report or inform Data Subjects and/or any other supervisory or regulatory body of any such breach under Data Protection Legislation;
5.1.3. except where required to do so by law, not notify a Data Subject, or any other supervisory or regulatory body or any other third party of an actual or suspected breach (and shall treat the existence and circumstances of such actual or suspected breach as confidential information) unless such notice by the Customer is required by applicable laws or is authorized in writing by the Customer;
5.1.4. following such breach or attempted breach of security, investigate and report on the cause of the breach, including proposed corrective action;
5.1.5. provide full co-operation to the Customer to assist the Customer with any investigation relating to security, mitigation, remediation or any other action which is carried out by or on behalf of the Customer in respect of such breach; and
5.1.6. where possible, restore, re-constitute and/or reconstruct such Protected Data unless the matter arose from the Customer’s specific instructions, negligence, willful default or breach of this agreement or the Agreement, in which case the Customer shall cover all reconstitution or reconstruction expenses.
6. EZSignage Personnel
6.1. EZSignage shall ensure that access to the Protected Data is strictly limited to:
6.1.1. such EZSignage Personnel who need access to the Protected Data to assist the Customer in meeting the Customer’s obligations under this Data Processing Agreement or relevant Main Agreement; and
6.1.2. in the case of any access by EZSignage Personnel, such part or parts of the Protected Data as is strictly necessary for performance of such person’s duties in delivering the Services.
6.2. EZSignage shall ensure that all EZSignage Personnel who have access to and/or process Protected Data:
6.2.1. are informed of the confidential nature of the Protected Data
6.2.2. have undertaken adequate training on compliance; and
6.2.3. are aware both of EZSignage ‘s duties and their personal duties and obligations under this Data Processing Agreement.
7. Rights of the Data Subject
7.1. At all times whilst it is engaged to provide the Services, EZSignage shall implement and maintain in place appropriate technical and organizational measures to assist the Customer in the fulfilment of the Customer’s obligation to respond to Data Subject Requests. EZSignage shall notify the Customer promptly (and in any event within twenty-four (48) hours) if it receives a Data Subject Request.
7.2. EZSignage shall provide the Customer with full co-operation, information and assistance in relation to any Data Subject Request.
7.3. Except where required to do so by law, EZSignage shall not disclose any Protected Data to any Data Subject or to a third party (except for declared sub-processors) other than at the request of, with the prior written consent of, and on the documented instructions of the Customer or as provided for in this Data Processing Agreement.
8. Rights of the Customer
8.1. EZSignage shall promptly make available to the Customer on request all information necessary to demonstrate compliance with this Data Processing Agreement and with Data Protection Legislation. The Customer is entitled, on giving at least five (5) working days’ notice to EZSignage, to inspect or appoint representatives to inspect all facilities, equipment, documents and electronic data relating to the processing of Protected Data under the control of EZSignage.
9. Liability
9.1. EZSignage will indemnify the Customer against loss or damage suffered or incurred by the Customer as a result of or arising out of any breach of EZSignage ‘s obligations under this Data Processing Agreement. EZSignage ‘s liability under this Data Processing Agreement shall not however exceed the subscription fees paid by the Customer to EZSignage in the preceding 6 months for the relevant services as part of the Services under this Data Processing Agreement or Main Agreement and shall in any event be capped at the maximum liability set out in the Main Agreement.
9.2. Neither party shall be liable to the other for loss of profits, sales or business, agreements or contracts; anticipated savings; loss of or damage to goodwill; loss of use or corruption of software, data or information; loss or damage to premises, installation or reinstallation costs, or any indirect or consequential loss.
10. General
10.1. Nothing in this Data Processing Agreement shall be construed as preventing a party from taking such steps as are necessary to comply with its own obligations under any Data Protection Legislation or any other applicable law.
10.2. Nothing in this Data Processing Agreement is intended to, or shall be deemed to, establish any partnership or joint venture between any of the parties, constitute any party the agent of another party, nor authorize any party to make or enter into any commitments for or on behalf of any other party.
10.3. This Data Processing Agreement shall continue in full force and effect for so long as EZSignage is processing Protected Data on behalf of Customer (including without limitation during the time EZSignage is providing the Services).
10.4. A person who is not a party to this Data Processing Agreement shall not have any rights to enforce any term of this Data Processing Agreement, but this does not affect any right or remedy of a third party which exists, or is available, other than in that Act.
10.5. A reference to a statute or statutory provision is a reference to it as amended, extended or re-enacted from time to time.
10.6. In the event of any inconsistency between the terms of the Main Agreement and the terms of this Data Processing Agreement, the terms of this Data Processing Agreement shall prevail.
10.7. This Data Processing Agreement and any dispute or claim arising out of or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by and construed in accordance with the law of India and the courts of Kerala shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Data Processing Agreement.
THIS DATA PROCESSING AGREEMENT IS ENTERED INTO BY EZSIGNAGE AND THE CUSTOMER ON THE DATE OF THE MAIN AGREEMENT AND IS EXPRESSLY INCORPORATED INTO THE MAIN AGREEMENT.
APPENDIX 1: EZSIGNAGE DETAILS OF PROCESSING
This Appendix includes certain details of the processing of the Protected Data
Data Controller: The Customer
Data Processor: Smartzone Enterprises, whose trading address is 10/358 A, KAILASAM, CHUNAKKARA, ALLEPPY, Kerala, INDIA Kerala 690505 (“EZSignage”). EZSignage’s sub-processors are:
Servers and Storage
EZSignage uses these subprocessors to provide the service to you
• Redswitch LLC
• Leaseweb Global B.V.*
Optional APIs
You may at your option configure the service to consume data from these services. The service may pass personal information to these for the purposes of authentication, or as the Controller directs the system to do.
• Twitter Inc
Other web services that the customer may configure the service to connect to and consume data from.
The obligations and rights of Data Controller: The obligations and rights of the Customer are set out in this Data Processing Agreement or relevant Main Agreement.
Subject matter of the processing: The subject matter and duration of the processing of the Protected Data are set out in this Appendix and the Data Processing Agreement or relevant Main Agreement.
Duration of the processing: For the duration of the Data Processing Agreement, or relevant Main Agreement, subject to periodic review, or termination of the Data processing Agreement on reasonable notice by either party.
Nature and purposes of the processing: To provide the services to the Controller as set out in the Main Agreement.
Type of Personal Data: To provide the core service, the following data may be processed:
Identity Data includes: first name, last name, maiden name, username or similar identifier, title, photos or other images.
Contact Data includes: address, email address and telephone numbers, and any social media accounts used.
Technical Data includes: device ID, internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used.
Profile Data includes: any username and password, purchases or orders made, interests, preferences, feedback and survey responses.
Usage Data includes: information about how you sites or services are used.
Marketing and Communications Data includes: preferences in receiving marketing and communication preferences.
Categories of Data Subject: The categories of data subjects:
• Customer Personnel and other contacts
Plan for return and destruction of the Protected Data once the processing is complete UNLESS requirement under law to preserve that type of data:
Personal Data will be processed for the duration of the Data Processing Agreement or relevant Main Agreement and then returned to the Customer as set out in this Agreement or as made known to EZSignage, or destroyed within 30 days from termination of the contract as in the Main Agreement or Purchase order. A certificate will be provided to the customer after the successful deletion of the data by EZSignage.
ANNEX A – To the Standard Contractual Clauses
ANNEX A – To the Standard Contractual Clauses
This Annex forms part of the Clauses and must be completed, where the relevant information is not already set out in the Data Processing Agreement to which this Appendix 2 and Annex A attached.
The Member States may complete or specify, according to their national procedures, any additional necessary information to be contained in this ANNEX A:
Description | Details |
Data Exporter | [Specified in the Data Processing Agreement] |
Data Importer | [Specified in the Data Processing Agreement] |
Data Subjects | [Specified in the Data Processing Agreement] |
Categories of Data | [Specified in the Data Processing Agreement] |
Special Categories of Data (if appropriate) | [Specified in the Data Processing Agreement if Relevant] |
Processing Operations | [Specified in the Data Processing Agreement and/or Main Agreement] |
Type of Personal Data | To provide the core service, the following data may be processed: Identity Data Includes: first name, last name, maiden name, username or similar identifier, title, photos or other images. Contact Data Includes: address, email address and telephone numbers, and any social media accounts used. Technical Data Includes: device ID, internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform and other technology on the devices used. Profile Data Includes: any username and password, purchases or orders made, interests, preferences, feedback and survey responses. Usage Data Includes: information about how you sites or services are used. Marketing and Communications Data Includes: preferences in receiving marketing and communication preferences. |
Categories of Data Subject | The categories of data subjects: Customer Personnel and other contacts |
Plan for return and destruction of the Protected Data once the processing is complete UNLESS requirement under law to preserve that type of data | Personal Data will be processed for the duration of the Data Processing Agreement or relevant Main Agreement and then returned to the Customer as set out in this Agreement or as made known to EZSignage, or destroyed within 30 days from termination of contract as in the Main agreement or Purchase order. A certificate will be provided to the customer after successful deletion of the data by EZSignage. |
ANNEX B – To the Standard Contractual Clauses
This Appendix forms part of the Clauses and has been entered into and agreed by the data exporter and data importer on the date of the Main Agreement.
Where required, and in so much as the information is not already available to the Data Exporter via the Data Processing Agreement or Main Agreement, the data importer shall set out the technical and organizational security measures implemented by the data importer in accordance with the Data Processing Agreement.