Dimely Data Processing Agreement

This Data Processing Agreement, including its annexes (“DPA”), forms a part of the Agreement and shall apply where the provision of Dimely services (“Services”) by Kalo Technologies, Inc. or its Affiliates ("Dimely") to Customer involves the processing of Personal Data (as defined below) which is subject to Privacy Laws and Dimely acts as Processor on behalf of the Customer. This DPA does not apply where Dimely is the Controller. 

By signing this DPA or executing an Agreement that explicitly states that this DPA is incorporated into the Agreement by reference, Customer enters into this DPA on behalf of itself and, to the extent required under Privacy Laws, in the name and on behalf of any Affiliates who are authorized to use the Services and have not signed their own separate Agreement with Dimely. If you are entering into this DPA on behalf of a company (such as your employer) or other legal entity, you represent and warrant that you have the authority to bind that company or legal entity to this DPA. All capitalized terms not defined in this DPA shall have the meaning set forth in the Agreement. 

1. Definitions. Terms not defined have the meanings set forth in the Agreement. The following words in this DPA have the following meanings: 

1.1 "Affiliate" means an entity that directly or indirectly Controls, is Controlled by or is under common Control with an entity. "Control" means an ownership, voting or similar interest representing fifty percent (50%) or more of the total interests (as measured on a fully-diluted basis) then outstanding of the entity in question. The term "Controlled" will be construed accordingly. For the purposes of Dimely, Affiliates shall mean Kalo Technologies, Inc. 

1.2 “Agreement” means the agreement between Customer and Dimely for the provision of the Services to the Customer.

1.3 “Controller” means an entity which, alone or jointly with others, determines the purposes and means of the processing of the Personal Data. 

1.4 “GDPR” means the General Data Protection Regulation (EU) 2016/679.

1.5 “Personal Data” means any information relating to an identified or identifiable natural person which Dimely processes in the performance of the Agreement as a Processor.

1.6 “Personal Data Breach” means a material breach of Dimely’s security obligations leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under this DPA. A Personal Data Breach shall not include an unsuccessful attempt or activity that does not compromise the security of the Personal Data, including (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents.

1.7 “Privacy Laws” means any data protection and privacy laws and regulations applicable to Dimely's provision of the Services provided under the Agreement and this DPA including, where applicable, (a) the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 ("UK GDPR") and the Data Protection Act 2018 (together, "UK Data Protection Laws"), (c) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"), and (d) the California Consumer Privacy Act of 2018 or Cal. Civ. Code § 1798.100, et seq. (“CCPA”), in each case, as may be amended, superseded or replaced.

1.8 “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.9 “Processor” means an entity which processes the Personal Data on behalf of the Controller.

1.10 "Restricted Transfer" means: (i) where the GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the Data Protection Act 2018; and (iii) where the Swiss DPA applies, a transfer of Personal Data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner. 

1.11 “Sub-processor” means any Processor Dimely engages (including any Dimely Affiliate) for the provision of the Services, excluding any Dimely personnel.

1.12 The terms "data subject" and "supervisory authority" shall have the meanings given to them in applicable Privacy Laws. The term Controller includes 'businesses' (as defined in the CCPA), the term data subject includes 'consumers' (as defined in the CCPA), the term processor includes 'service providers' (as defined in the CCPA), and the term Personal Data includes 'personal information' (as defined in the CCPA) to the extent the rights and obligations in this DPA apply under the CCPA. 

2. Processing of Personal Data. 

2.1 Roles of the Parties. Dimely may process Personal Data under the Agreement as (A) a Processor acting on behalf of the Customer as the Controller or (B) a Processor acting on behalf of another third-party Controller. 

2.2 Instructions. Dimely will process Personal Data in accordance with Customer’s configuration and/or documented instructions. Customer agrees that this DPA, the Agreement and any subsequent statements of work or services orders, and any configurations by Customer or its authorized users, comprise Customer’s complete instructions to Dimely regarding the Processing of Personal Data and include onward transfers to a third party located outside Europe for the purpose of the performance of the Services. The parties must agree in writing to any additional or alternate instructions, including the costs (if any) associated with complying with such instructions. Dimely is not responsible for determining if Customer’s instructions are compliant with applicable law; however, if Dimely is of the opinion that a Customer instruction infringes on applicable Privacy Laws, Dimely shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.

2.3 Where Customer is itself a Processor of the Personal Data acting on behalf of another third party Controller (or on behalf of other intermediaries of the ultimate Controller): (i) Customer represents and warrants to Dimely that the Processing instructions and actions with respect to the Personal Data, including its appointment of Dimely as a Processor or sub-processor pursuant to this DPA, reflect and do not conflict with the instructions of such third parties; (ii) Customer agrees to serve as the sole point of contact for Dimely with regard to such third parties; (iii) Dimely need not interact directly with (including seeking authorizations directly from) any such third party (other than through the regular provision of the Services to the extent required by the Agreement); and (iv) where Dimely would otherwise be required to provide information, assistance, co-operation or anything else to such third party, Dimely may provide it solely to Customer as the sole point of contact. Notwithstanding the foregoing, Dimely shall be entitled to follow the instructions of such third party with respect to the Personal Data for which they are Controller instead of Customer's if Dimely reasonably believes this is legally required in the circumstances.

2.4 Individuals have the opportunity to choose (opt out) whether their personal information is (i) to be disclosed to a third party or (ii) to be used for a purpose that is materially different from the purpose(s) for which it was originally collected or subsequently authorized by the individuals. Individuals must be provided with clear, conspicuous, and readily available mechanisms to exercise choice. 

2.5 Details of Processing. Details of the subject matter of the Processing, its duration, nature and purpose and the type of Personal Data and data subjects are as specified in the Agreement and set out in Annex 1 to this DPA. 

2.6 Compliance. Customer and Dimely agree to comply with their respective obligations under Privacy Laws applicable to the Personal Data that is Processed in connection with the Services. Customer has sole responsibility for complying with Privacy Laws regarding the lawfulness of the Processing of Personal Data prior to disclosing, transferring, transmitting through or otherwise making available, any Personal Data to Dimely. 

2.7 Customer Controls. Customer understands that if Customer configures Dimely Services to move data from one point to another, Customer is responsible for ensuring that Customer is rightfully integrating data among connected systems, whether Customer transmits data outside of a particular cloud or system, outside of a particular geography, or otherwise. Customers are responsible for setting applicable purge data settings and for configuring Dimely Services in a manner that best fits Customer’s security needs. If Dimely is configuring the Services on behalf of the Customer, Customer is responsible for instructing Dimely to configure Dimely Services in a manner that best fits Customer’s security needs. Taking into account the nature of the Processing, Customer agrees that it is unlikely that Dimely would become aware that Customer data processed by Dimely is inaccurate or outdated. To the extent Dimely becomes aware of such inaccurate or outdated data, Dimely will inform the Customer.

3. Sub-processors. 

3.1 Authorization. Customer provides a general authorization for Dimely to appoint and engage onward Sub-processors to process the Personal Data, including those Sub-processors listed in the Dimely Trust Center (list available upon request).

3.2 Dimely's Sub-processor Obligations. Dimely shall put in place a contract in writing with each Sub-processor that imposes obligations that are: (a) relevant to the services Sub-processors are to provide and (b) in Dimely’s best estimations, similar to the rights and/or obligations imposed on Dimely under this DPA.

3.3 Sub-processor changes. Prior to the addition of any new Sub-processor, Dimely shall provide notice to Customer, which may include updating the Sub-processor List, not less than 10 calendar days prior to the date on which the Sub-processor shall commence processing the Personal Data. 

3.4 Sub-processor Objections. Customer may reasonably object on data protection grounds to Dimely's use of a new Sub-processor by notifying Dimely in writing within 10 calendar days after notice has been provided by Dimely. In the event of Customer's timely objection on such reasonable grounds relating to data protection, Dimely will: (i) work with Customer within reason to address Customer's objections to its reasonable satisfaction; (ii) notify Customer of its option to terminate this DPA and the Agreement with respect only to those Services which cannot be provided by Dimely without the use of the objected-to new Sub-processor. Customer shall have 14 calendar days in which to exercise its option to terminate the Agreement after receiving notice of a right to terminate. If the Customer timely exercises its right to terminate, Dimely will provide Customer with a pro rata reimbursement of any prepaid, but unused, fees relating to the affected Services as of the date Customer notifies Dimely of its choice to exercise such right.

4. Security.

4.1 Technical and Organisational Measures. Taking into account industry standards, the costs of implementation, the nature, scope, context and purposes of the Processing and any other relevant circumstances relating to the Processing of the Personal Data on Dimely systems, Dimely shall implement appropriate technical and organizational security measures to ensure the security, confidentiality, integrity, availability and resilience of processing systems and services involved in the Processing of the Personal Data. The parties agree that the technical and organisational security measures described in the Dimely Trust Center provide an appropriate level of security for the protection of Personal Data. Customer must review the White Paper prior to providing Dimely with access to the Personal Data to determine that the Security Measures meet the Customer's requirements and obligations under Privacy Laws. 

4.2 Technical Progress. The White Paper is subject to technical progress and development and Dimely may modify these provided that such modifications do not degrade the overall security of the Services Dimely provides under the Agreement. 

4.3 Access. Dimely shall ensure that persons authorized to access the Personal Data (a) commit themselves to confidentiality or are under an appropriate obligation of confidentiality, and (b) access the Personal Data only upon instructions from Dimely, unless required to do so by applicable law. 

5. Personal Data Breach. Dimely will notify the Customer without undue delay after becoming aware of a Personal Data Breach in relation to the Services Dimely provides under the Agreement and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Personal Data Breach. 

6. International Transfers. Customer acknowledges that Dimely and its Sub-processors may maintain data processing operations in countries that are outside of the country in which the Services are deployed, including the United States and other locations in which Dimely or its Sub-processors maintain data processing operations. 

7. Deletion of Personal Data. Upon termination of the Services (for any reason) and if Customer requests in writing, Dimely shall as soon as reasonably practicable, return or delete the Personal Data on Dimely systems, except to the extent retention is permitted by applicable law. In such event, Dimely will (i) to the extent practical, isolate such data; and (ii) protect such data from any further processing, except to the extent permitted by applicable law. Dimely may defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from Dimely’s systems. The provisions of this DPA shall continue to apply for retention of such Personal Data. Dimely reserves the right to charge Customer for any reasonable, incremental costs or expenses Dimely incurs in deleting Personal Data pursuant to this clause beyond deletions that occur based on customer settings in the ordinary course of business. 

8. Cooperation. 

8.1 Data Subject Requests.
Dimely shall promptly inform Customer of any requests received by Dimely from individuals exercising their data subject rights under Privacy Laws. Customer is responsible for responding to such requests. Dimely will reasonably assist Customer to respond to data subject requests to the extent that Customer is unable to access the relevant Personal Data in the use of the Services. Dimely reserves the right to charge Customer for such assistance if the cost of assisting exceeds a nominal amount. 

8.2 Third Party Requests.
If Dimely receives any requests from third parties or an order of any court, tribunal, regulator or government agency with competent jurisdiction to which Dimely is subject, relating to the Processing of Personal Data under the Agreement, Dimely will promptly redirect the request to the Customer. Dimely will, unless legally prohibited from doing so, inform the Customer in advance of making any disclosure of Personal Data and will reasonably cooperate with Customer to limit the scope of such disclosure to what is legally required. 

8.3 Privacy Impact Assessment and Prior Consultation.
To the extent Privacy Laws require, Dimely shall provide reasonable assistance to Customer to carry out a data protection impact assessment in relation to the Processing of Personal Data undertaken and/or any required prior consultation(s) with supervisory authorities. Dimely reserves the right to charge Customer a reasonable fee for the provision of such assistance. 

9. Demonstrating Compliance.
Dimely shall, upon reasonable prior written request from Customer (such request to be made in accordance with the terms of the Agreement and not more frequently than once in any 12-month period), provide to Customer such information as may be reasonably necessary to demonstrate compliance with Dimely’s obligations under this DPA. 

10. CCPA. If Dimely is Processing Personal Data within the scope of the CCPA, Dimely will Process Personal Data on behalf of Customer and will not retain, use, or disclose that Personal Data for any purpose other than for the purposes set out in the Agreement and/or this DPA and as permitted under the CCPA. In no event will Dimely sell any Personal Data. 

11. Liability and Costs.
Neither Dimely nor any Sub-processor shall be liable for any claim Customer or any third party brings arising from any action or omission by Dimely and/or Sub-processors to the extent such action or omission resulted from compliance with Customer’s instructions or security practices, policies or processes. To the extent that such liability may not be limited as a matter of law, nothing herein limits any party’s liability. 

12. General. 

12.1 The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Services.

12.2 In no event does this DPA restrict or limit the rights of any data subject or of any competent supervisory authority. 

12.3 If any part of this DPA is held unenforceable, the validity of all remaining parts will not be affected. 

12.4 In the event of any conflict between this DPA and any data privacy provisions set out in any agreements between the parties relating to the Services, the parties agree that the terms of this DPA shall prevail. 

12.5 Notwithstanding anything to the contrary in the Agreement or this DPA, each party's and all of its Affiliates' liability, taken together in the aggregate, arising out of or related to this DPA (including all annexes hereto), or any agreement, whether in contract, tort or under any other theory of liability, shall remain subject to the limitation of liability section of the Agreement and any reference in such section to the liability of a party means the aggregate liability of that party and all of its Affiliates under the Agreement and this DPA, including all annexes hereto. Customer agrees that any regulatory penalties incurred by Dimely that arise in connection with Customer's failure to comply with its obligations under this DPA or any laws or regulations including Privacy Laws shall reduce Dimely's liability under the Agreement as if such penalties were liabilities to the Customer under the Agreement. 

12.6 This DPA will be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by Privacy Laws.

---

Annex 1: Data Transfer/Processing Description 

1. Subject matter and nature of the Processing. 

Dimely will Process Personal Data for the subject matter specified under the Agreement and as necessary to perform the Services pursuant to the Agreement and as further instructed by Customer in its use of the Service. In particular, the subject matter is determined by the Service to which Customer subscribes and the data which Customer uploads to the Service. 

2. Purpose of the Transfer and Further Processing. 

Personal Data will be Processed for the purpose of providing Services, as subscribed by the Customer, including the selected service levels and support options. The Agreement and the relevant service descriptions and statements of work shall apply for the specifics and possible additional services.

3. Duration of the Processing. 

The duration is until the termination of the Agreement in accordance with its terms plus the period from the expiry of the Agreement until deletion of the Personal Data by Dimely in accordance with the terms of the Agreement and this DPA. 

4. Categories of Data Subjects.

The data subjects are Customer’s end users, employees, contractors, suppliers and other third parties relevant to the Services. 

5. Types of Personal Data.

The type of personal data that may be submitted by the Customer is determined and controlled by Customer in its sole discretion and may include, but is not limited to, the following categories of personal data: name, address, email address, telephone, fax, other contact details, emergency contact details, associated local time zone information. Unless otherwise specified, Dimely does not Process Special Categories of Data, and Customer shall not provide Special Categories of Data, Personal Health Information, or other similar Personal Data.

6. Sub-processors

Dimely engages onward Sub-processors to process the Personal Data as necessary to perform the Services pursuant to the Agreement. The relevant Sub-processors are set out at our Sub-processor List, which can be found in the Dimely Trust Center (list available upon request).