1. Subject Matter and Duration
Tines and Customer are parties to a SaaS Services Agreement, Terms of Service (and its exhibits), Order Form(s) and/or other services/ordering documents which may be amended from time to time (together, the “Agreement”) and which may involve Tines processing personal data (as a processor) for and on behalf of the Customer (as a controller).
This Data Processing Agreement (“DPA”) (including its appendices and, where applicable, the standard contractual clauses (as defined in Clause 2.1)), forms part of the Agreement and is intended to reflect the parties’ agreement with respect to the processing of personal data under the Agreement in accordance with the Applicable Data Protection Legislation (and, where applicable, the SCCs).
This DPA is effective on the date each of Tines and the Customer sign the Agreement and will continue in force until the expiration or termination of the Agreement in accordance with its terms.
2. Definitions
For the purposes of this DPA:
The terms "controller", "data subject", “personal data breach”, "processing" (including "processed" and "process"), "processor" and "supervisory authority" have the meanings given to those terms in the GDPR;
"Applicable Data Protection Legislation" means any laws or regulations applicable to the processing of Customer Personal Data under the Agreement including without limitation the Data Protection Acts of Ireland 1988 to 2018 and the General Data Protection Regulation (EU) 2016/679 (the "GDPR"), the United Kingdom Data Protection Act 2018 and the California Consumer Privacy Act 2018 (in each case, as amended from time to time);
"Customer" means the party identified as the "Customer" in the Agreement;
"Customer Personal Data" means the Personal Data received or generated by Tines, acting as a processor, from or on behalf of the Customer in connection with the performance of the Services. The Customer Personal Data and the specific uses of the Customer Personal Data are detailed in the Schedule attached hereto, as required under GDPR;
“Personal Data” shall have the meaning given to the terms “personal data” or “personal information” under Applicable Data Protection Law(s);
“Security Measures” means the security measures set out in the Agreement;
“Services” means the services performed by Tines under the Agreement;
“SCCs” means the standard contractual clauses of Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council [2021] OJ L 199/31 and which are available at: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914&from=EN; and
"Tines" means Tines Security Services Limited with a registered address at The Academy, 42 Pearse Street, Dublin, D02 YX88, Ireland.
Unless the context otherwise requires, words in the singular shall include the plural and in the plural shall include the singular. A reference to a statute or statutory provision is a reference to it as amended, extended, re-enacted or superseded from time to time and shall include all subordinate legislation made from time to time under that statute or statutory provision. A reference to supervisory authority shall include a reference to any replacement or successor bodies from time to time. A reference to "writing" or "written" includes e-mail.
3. Status
In respect of any Customer Personal Data processed by Tines under this DPA, the parties acknowledge that the Customer is the controller and Tines is a processor.
4. Customer's Obligations
Customer, as the controller of Customer Personal Data, is the sole party responsible for establishing the lawful basis for the processing of Customer Personal Data by Tines under this DPA and will ensure that it has all necessary and appropriate legal bases and notices in place to enable the lawful processing of Customer Personal Data by Tines for the duration and purposes of the Agreement.
Customer, as the controller of Customer Personal Data, is further the sole party responsible for the accuracy and quality of Customer Personal Data.
Customer acknowledges that sensitive data is not to be processed under this DPA. Customer will not upload any sensitive data during its use of the Services without prior written agreement with Tines.
5. Tines’ Obligations
To the extent that Tines processes Customer Personal Data pursuant to this DPA, Tines will:
process the Customer Personal Data only on the documented instructions of the Customer as set out in the Agreement, this DPA and as otherwise necessary for Tines to provide the Services to the Customer or to comply with Applicable Data Protection Legislation unless Tines is required to process the Customer Personal Data for other legitimate purposes pursuant to applicable European Union (“EU”) or EU Member State law or another particular non-EU applicable law, in which case Tines shall notify the Customer of that legal requirement before such processing occurs or is permitted except where that law prohibits such notification on important grounds of public interest. Each of the parties agrees that any additional instructions outside the scope of the Agreement or this DPA will be mutually agreed between the parties in writing;
ensure that all personnel authorised to process Customer Personal Data are subject to confidentiality obligations in respect of Customer Personal Data;
taking into account the nature of the processing, assist the Customer (at the Customer’s expense) by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligations to respond to data subject data protection rights requests;
taking into account the nature of the processing and the information available to Tines, assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR;
notify the Customer if Tines receives a request from a data subject in relation to that data subject’s personal data. Tines shall not respond directly to such data subject;
implement and maintain appropriate technical and organisational Security Measures (as set out in the Agreement) to ensure the security of the Customer Personal Data taking into account: (a) the state of the art; (b) the costs of implementation; (c) the nature, scope, context and purposes of the processing; and (d) the inherent risk of the processing activities to data subjects;
Where a Customer is on the Community Edition plan, Customer Personal Data may remain in inactive status for up to 180 days. After such period, Customer Personal Data may be deleted from production. Community Edition is Tines’ free plan.
Where a Customer is on the Tines Paid plan, and the Agreement including all Order Forms expires or terminates, Customer Personal Data will be deleted from production within 180 days.
notify the Customer without undue delay (and in any event not later than 72 (seventy-two) hours) upon becoming aware of any personal data breach.
6. International Transfers
If and to the extent that the Customer is located in a jurisdiction which is outside of the European Economic Area ("EEA"), the Customer hereby acknowledges that Tines will transfer Customer Personal Data outside of the EEA (as "data exporter") to the Customer (as "data importer") in connection with the Services. In effecting any such international transfer, Tines shall ensure that:
to the extent that such a transfer is pursuant to the SCCs, that such transfer is subject to Module 4 of the SCCs, where Tines acts as a processor of Customer Personal Data for the purposes of the Services; or
the transfer otherwise complies with Applicable Data Protection Legislation (for example, carried out to a country in respect of which the European Commission has issued a finding of adequacy for the protection of personal data including, without limitation, the UK, Japan, Switzerland and Canada).
In relation to international transfers of Customer Personal Data effected in accordance with clause 6.1.1(a) of this DPA:
Module 4 of the SCCs will apply and be completed as follows:
Clause 7, the optional docking clause will apply;
Clause 11(a), optional data subject redress mechanism, shall not apply;
Clause 14, processing which involves combining personal data, shall not apply;
Clause 15, processing which involves combining personal data, shall not apply;
Clause 17, the SCCs will be governed by the laws of Ireland;
Clause 18, any disputes arising from the SCCs shall be resolved by the courts of Ireland;
Annex I of the SCCs shall be deemed completed with the information set out in the Schedule to this DPA (which is deemed incorporated into and forms part of the SCCs);
Annex II of the SCCs shall be deemed completed with the information provided by the Customer to Tines or set out in the Agreement by the Customer; and
Annex III of the SCCs is not used; and
all relevant terms in this DPA shall be deemed to supplement the provisions of the SCCs to the extent that they relate to each party's compliance with Article 28 of the GDPR.
If and to the extent Tines adopts any alternative transfer mechanism(s) to legitimise the international transfer of Customer Personal Data from outside the EEA (as "data exporter") (including without limitation any EU-US transatlantic data privacy framework, approved certification or derogation under the GDPR) ("Replacement Transfer Mechanism"), the Replacement Transfer Mechanism will, on Tines giving reasonable notice to the Customer to object to any such mechanism, apply to any transfer of Customer Personal Data by Tines pursuant to this DPA (but only to the extent that a Replacement Transfer Mechanism complies with Applicable Data Protection Legislation and extends to territories to which Customer Personal Data are transferred outside the EEA by Tines).
7. Sub-processors
The Customer provides a general authorisation to Tines to use third parties (“Sub-processors”) to process Customer Personal Data and perform the Services including the Sub-processors listed at www.tines.com/sub-processors (“Tines Sub-processor Document”) (which may be updated from time to time).
If and to the extent that the Customer is established in the EEA, the United Kingdom or Switzerland (or where otherwise required by data protection law applicable to the Customer), Tines will impose on such Sub-processors data protection obligations that protect Customer Personal Data to the same standard provided for by this DPA and, at a minimum, compliant with the requirements of the Data Protection Legislation and shall remain liable for a breach caused by a Sub-processor but only to the same extent that Tines would be liable if it had provided the Services of the Sub-processor directly under the terms of this DPA.
Tines may, by giving reasonable notice to the Customer, add or make changes to the Sub-processors in the Tines Sub-processor Document. If the Customer objects to the appointment of an additional Sub-processor within thirty (30) calendar days of such notice on reasonable grounds relating to the protection of Customer Personal Data, then Tines will work in good faith with the Customer to find an alternative solution. In the event that the parties are unable to find such a solution, either party may terminate the Agreement.
8. Customer’s Audit Rights
Tines shall make available all information reasonably requested by the Customer to satisfy itself that Tines is complying with its data protection obligations under this DPA.
Customer (and/or via its third-party representatives, a data protection authority or any other regulatory body) shall be permitted to audit Tines' premises, systems, and facilities during normal business hours provided that:
Customer shall provide at least 14 days' prior written notice of its intention to carry out an audit;
all expenses incurred by Tines shall be promptly discharged by Customer;
Tines may request that any third-party representative performing an audit on behalf of Customer shall provide written confidentiality undertakings to the reasonable satisfaction of Tines and Tines shall be entitled to refuse access to any of its premises or records (in any form) until such time as it has received such undertakings; and
nothing in this DPA shall entitle Customer to access or inspect any records which contain information relating to any other customers of Tines and Tines shall be entitled to restrict or prevent access to any part of its premises (including, without limitation its server farms or data centres) which it considers in its sole discretion could compromise the security of any information or data relating to such other customers.
9. Suspension of Processing
Tines will notify the Customer if it comes to its attention that any instructions received in respect of this DPA infringe the provisions of the Data Protection Legislation or other EU or EU Member State data protection provisions. Notwithstanding the foregoing, Tines shall have no obligation to review the lawfulness of any instruction received from the Customer.
Tines will notify the Customer if it is no longer able to comply with its obligations pursuant to the Data Protection Legislation and/or this DPA (including the SCCs). Where Tines can no longer comply with such obligations, it reserves the right to suspend all processing in relation to Customer Personal Data (including any transfers of Customer Personal Data) and seek to resolve its non-compliance or terminate this DPA in accordance with the terms of the Agreement.
10. Liability
Any claims brought in connection with this DPA will be subject to the terms including, but not limited to, the exclusions and limitations set out in the Agreement.
11. General Provisions
In the event of inconsistencies between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with regard to the processing of Customer Personal Data. In the event of any conflict or inconsistency between this DPA and the SCCs, the SCCs shall prevail.
Any notice to be given by either party for the purposes of this DPA shall be sent by e-mail using the details set out in the Schedule to this DPA. A notice delivered will be deemed received if by e-mail, on the next working day (being a day other than a Saturday, Sunday or bank holiday when banks in Ireland are open for business) after transmission.
In the event that any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained in this DPA.
This DPA shall enure to the benefit of and be binding upon the respective parties to this DPA and their respective successor's personal representatives and assigns.
No modification of any provision of this DPA shall be binding unless it is evidenced in writing and duly executed by or on behalf of each of the parties to this DPA.
This DPA and all disputes arising from this DPA whether contractual or non-contractual in nature shall be governed by and construed in accordance with the laws of Ireland. The parties irrevocably submit to the exclusive jurisdiction of the Irish courts in relation to all matters arising out of or in connection with this DPA.
Schedule
Details of Tines’ Processing of personal data for the purposes of Clause 3.2 of the DPA and, if and to the extent applicable to the Customer, the SCCs:
Annex 1 of the SCCs
A. List of Parties
Data Exporter: Tines Security Systems Limited
Address: The Academy, 42 Pearse Street, Dublin, D02 YX88, Ireland
Contact Person's name, position and contact details: Tines Legal (legal@tines.io)
Activities relevant to the data transferred under the SCCs: See Part B of the Schedule to this DPA
Signature and date: This Annex shall automatically be deemed executed when the Agreement is executed by Tines
Role: Processor
Data Importer: "Customer" as detailed in the Agreement
Address: As detailed in the Agreement
Contact Person's name, position and contact details: As detailed in the Agreement
Activities relevant to the data transferred under the SCCs: See Part B of the Schedule to this DPA
Signature and date: This Annex shall automatically be deemed executed when the Agreement is executed by the Customer
Role: Controller
B. Description of Processing and, only to the extent applicable to the Customer, the transfer of Customer Personal Data under the SCCs
Categories of data subjects: Clients of the Customer and/or staff/employees/personnel of the Customer.
Categories of personal data: The types of Customer Personal Data collected are dependent on Customer's use of and interaction with the Services. Examples can include: first name, last name, e-mail address and issues or queries. Any further Customer Personal Data which may be processed is entirely dependent on what information is uploaded by Customer during its use of the Services.
Categories of sensitive data: None. Tines requires that Customer does not upload any sensitive data during its use of the Services. Customer acknowledges that sensitive data is not to be processed under this DPA and accepts full responsibility to notify Tines in writing prior to uploading any sensitive data.
Frequency of processing and transfer: Incidental (processing occurs on an ad hoc basis depending on Customer's use of and interaction with the Services).
Nature and subject matter of the processing and transfer:
The nature of the processing of Customer Personal Data is carried out using computers and/or IT enabled tools, following organisational procedures and modes strictly related to the purposes indicated. The nature of the processing of Customer Personal Data includes the following (by automated means):
collecting;
organising/structuring;
recording;
storing;
consulting/using;
disclosing; and
erasing.
Purposes of the processing and transfer:
Customer Personal Data are collected and transferred by Tines for the purposes of providing the Services to the Customer which includes:
detecting any malicious or fraudulent activity;
contacting the Customer;
managing the Customer database;
managing contacts and sending messages; and
conducting analytics, heat mapping and session recording.
Duration of Processing: The duration of the Agreement.
Annex 2 of the SCCs
Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of Data
Data Importer: The technical and organisational measures of the data importer as shared by the Customer with Tines.