This is template language and not legal advice, review with counsel before publishing.
This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Controller") and Rivane ("Processor") governing the provision of the Service.
It applies where Rivane processes personal data on behalf of the Controller in the course of providing the Service. Where Rivane determines the purposes and means of processing, it acts as a controller under its Privacy Policy rather than under this DPA.
In the event of a conflict between this DPA and the agreement, this DPA controls with respect to the processing of personal data.
Subject matter: the provision of the Service. Duration: the term of the agreement plus any period during which data is retained under agreed retention terms.
Nature and purpose: hosting, storing, and processing personal data to deliver accounting, reporting, and related functionality selected by the Controller.
Categories of data subjects and data: as determined by the Controller through its use of the Service, which may include the Controller's personnel, customers, and vendors, and business contact and financial records.
The Controller authorizes Rivane to engage sub-processors to support the delivery of the Service, subject to the safeguards in this DPA.
Rivane imposes data protection obligations on each sub-processor that are no less protective than those in this DPA and remains responsible for its sub-processors' performance.
Rivane maintains a list of current sub-processors and will provide notice of intended changes so the Controller has the opportunity to object on reasonable data protection grounds.
Rivane implements appropriate technical and organizational measures designed to protect personal data against unauthorized access, disclosure, alteration, or loss.
These measures include encryption in transit and at rest, access controls, network protections, logging and monitoring, and regular review of security practices.
Rivane will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller's data and will provide information reasonably necessary for the Controller to meet its obligations.
Taking into account the nature of the processing, Rivane will assist the Controller by appropriate technical and organizational measures, insofar as possible, in responding to requests from data subjects to exercise their rights.
Where Rivane receives a request directly from a data subject relating to the Controller's data, it will, unless legally required to act, refer the request to the Controller.
Where processing involves the transfer of personal data across borders, Rivane will ensure appropriate safeguards are in place, such as standard contractual clauses or another lawful transfer mechanism.
Rivane will make available information reasonably necessary to demonstrate compliance with applicable cross-border transfer requirements.
This DPA remains in effect for as long as Rivane processes personal data on behalf of the Controller under the agreement.
Upon termination or expiry of the agreement, Rivane will, at the Controller's choice, delete or return the personal data it processes on the Controller's behalf, unless retention is required by applicable law.
Questions about this policy? Contact us at our contact page.