Data Processing Agreement

Effective Date: 1 September, 2024

This comprehensive Data Processing Agreement (“DPA”) embodies the intricate requirements stipulated by the European Data Protection Regulation (“GDPR”) and solidifies MaxGuard’s unwavering commitment to data privacy and protection. MaxGuard’s suite of cutting-edge Services (“Services”) stands fully primed and equipped to cater to the European Union market while adhering rigorously to GDPR mandates. As a complementary addendum to the overarching Terms of Service (“Terms”) between MaxGuard and the esteemed Customer, this DPA furnishes the requisite documentation attesting to MaxGuard’s steadfast GDPR compliance. It is imperative to note that all capitalized terms not explicitly defined within this DPA shall retain their assigned meanings as elucidated in the Terms. The Customer hereby enters into this DPA, both individually and, where applicable, on behalf of its Authorized Affiliates (as defined below), to demonstrate their unwavering dedication to data protection in harmony with the prevailing Data Protection Laws.

Section 1: Definitions

1.1. “Affiliate” denotes an entity, whether directly or indirectly, vested with the power to Control, be Controlled by, or share a common Control with another entity, thereby fostering a cohesive ecosystem.

1.2. “Authorized Affiliate” signifies any of the Customer’s Affiliates who have been explicitly granted permission, as per the Terms, to avail themselves of the Services rendered by MaxGuard, thereby reaping the associated benefits.

1.3. “Control” connotes the embodiment of ownership, authority, or a comparable stakeholding, accounting for fifty percent (50%) or more of the aggregate interests presently extant within the subject entity. The term “Controlled” should be construed harmoniously with this definition.

1.4. “Controller” designates an entity that wields the autonomy to determine the primary objectives and precise methodologies governing the processing of Personal Data.

1.5. “Customer Data” encompasses a wide spectrum of information, constituting any and all data entrusted to MaxGuard and/or its Affiliates by the Customer, during the course of the Service provision under the purview of the Terms.

1.6. “Data Protection Laws” represents an extensive framework encompassing all applicable legal statutes, regulations, and directives that meticulously safeguard and govern the processing of Personal Data in accordance with the Terms, including, but not limited to, the revered European Union Data Protection Law.

1.7. “European Union Data Protection Law” embodies the multifaceted facets of (i) Regulation 2016/679 of the European Parliament and of the Council, a sweeping legislation that confers protection upon natural persons regarding the processing of Personal Data and facilitates the unimpeded flow of such data (commonly known as the “General Data Protection Regulation” or “GDPR”); and (ii) Directive 2002/58/EC, which focuses on the intricate realm of Personal Data processing and privacy protection within the electronic communications sector. It is important to emphasize that these legislative frameworks may be subject to amendments, replacements, or supersession over time.

1.8. “Personal Data” represents a mosaic of information, encapsulating any fragment of Customer Data that pertains to a specifically identified or identifiable natural person, and enjoys protection under the umbrella of the applicable Data Protection Law.

1.9. “Privacy Shield” refers to the influential frameworks entitled the “EU-US Privacy Shield” and “Swiss-US Privacy Shield,” overseen by the esteemed U.S. Department of Commerce, which establish a robust framework for transatlantic data transfers.

1.10. “Privacy Shield Principles” signifies the bedrock principles underpinning the Privacy Shield Framework, as enshrined in Annex II to the European Commission Decision of 12 July 2016, pursuant to the Directive. The intricate details of these principles can be explored further at the authoritative web portal: www.privacyshield.gov/eu-us-framework.

1.11. “Processor” embodies an entity entrusted with the pivotal role of processing Personal Data on behalf of the Controller, in alignment with the Controller’s directives and in strict accordance with the GDPR provisions.

1.12. “Processing” assumes the meaning ascribed to it in the GDPR, encompassing all forms of data handling, and its variants “process,” “processes,” and “processed” shall be interpreted in congruence with this definition.

1.13. “Security Incident” embodies any occurrence, whether inadvertently or unlawfully, that compromises the integrity of data security, giving rise to unauthorized or unlawful breaches, leading to accidental or illicit destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

1.14. “Security Measures” encompasses an elaborate framework encompassing a constellation of robust systems, intricate protocols, and decisive actions designed to prevent Security Incidents and fortify the data protection architecture.

1.15. “Services” encapsulates an extensive array of products and provisions delivered by MaxGuard to the esteemed Customer, seamlessly aligned with the Terms, and defined with utmost precision and particularity.

1.16. “Sub-processor” refers to any Processor, be it a third party or an Affiliate of MaxGuard, engaged by MaxGuard or its Affiliates, with the primary objective of lending auxiliary support in fulfilling the obligations pertaining to the provision of Services as stipulated in the Terms or this DPA.

Section 2: Scope and Applicability of this DPA

2.1. Application

The boundless reaches of this Data Processing Agreement (DPA) come into effect exclusively when MaxGuard, in its unwavering commitment to data protection, assumes the responsibility of processing Personal Data on behalf of the esteemed Customer within the realm of Service provision. This DPA shall govern the treatment of Personal Data subject to the Data Protection Laws of the European Union, the European Economic Area, their member states, as well as Switzerland and the United Kingdom. By mutual consent, the parties pledge their unwavering dedication to adhere to the terms and conditions enshrined within this DPA, resolutely committed to safeguarding the sanctity of such Personal Data.

2.2. Role of the Parties

Within the dynamic interplay between MaxGuard and the Customer, it is unequivocally established that the Customer, as the esteemed Controller, exercises sovereign authority over the Personal Data. MaxGuard, operating in the capacity of a Processor, shall diligently process Personal Data solely on behalf of the Customer. It is important to underscore that nothing within the ambit of the Terms or this DPA shall hinder MaxGuard’s utilization or sharing of any data collected and processed independently, outside the realm of the Customer’s utilization of the Services.

2.3. Customer Obligations

The esteemed Customer solemnly undertakes to fulfill its obligations as a Controller, meticulously abiding by the Data Protection Laws governing the processing of Personal Data. Furthermore, the Customer assumes the onus of issuing processing instructions to MaxGuard, ensuring strict compliance with Data Protection Laws. In addition, the Customer acknowledges that it has provided the requisite notice and obtained, or shall obtain, all necessary consents and rights, in alignment with Data Protection Laws, permitting MaxGuard to process Personal Data and deliver the Services as stipulated in the Terms and this DPA.

2.4. MaxGuard Processing of Personal Data

Embarking upon its role as a Processor, MaxGuard shall process Personal Data exclusively for the following purposes: (i) facilitating the seamless provision of Services in strict accordance with the Terms; (ii) undertaking any necessary steps vital to the performance of the Terms; and (iii) diligently adhering to reasonable instructions issued by the Customer, insofar as they align with the provisions set forth within the Terms and this DPA. The parties unequivocally agree that this DPA, in conjunction with the Terms, lays the foundation for the Customer’s comprehensive and definitive instructions to MaxGuard concerning the processing of Personal Data. Any processing activities falling outside the purview of these instructions, if applicable, shall warrant the prior written agreement between the Customer and MaxGuard.

2.5. Nature of the Data

MaxGuard, in its unwavering commitment to exemplary data handling practices, handles the sacred mantle of Customer Data entrusted by the esteemed Customer. Depending on the manner in which the Services are utilized by the Customer, such Customer Data may encompass an exquisite tapestry of special categories of data. The Customer Data may be subject to a range of intricate process activities, including but not limited to: (i) secure storage and other essential processing, indispensable for the seamless provision, maintenance, and enhancement of the Services bestowed upon the Customer; (ii) the facilitation of customer-centric and technical support for the esteemed Customer; and (iii) disclosures mandated by law or as otherwise delineated within the Terms.

2.6. MaxGuard Data

Despite any conflicting provisions within the Terms, including this DPA, the esteemed Customer graciously acknowledges and recognizes that MaxGuard, driven by its legitimate business purposes, shall retain the right to utilize and disclose data intrinsically linked to the operation, support, and utilization of the Services. This may encompass, but is not limited to, the realms of billing, account management, technical support, product development, and the hallowed domains of sales and marketing. To the extent that such data, falling within the ambit of Data Protection Laws, assumes the guise of personal data, MaxGuard assumes the mantle of Controller, solemnly vowing to process such data in full compliance with the hallowed principles enshrined within Data Protection Laws.

Section 3: Sub-processing

MaxGuard, in its steadfast commitment to providing impeccable Services as outlined in the Terms, engages the expertise of select third-party sub-processors, subcontractors, and content delivery networks. These collaborations serve as integral components in the seamless provision of the Services.

Prior to enlisting the services of any third-party sub-processor, MaxGuard conducts meticulous due diligence, thoroughly assessing their privacy, security, and confidentiality practices. MaxGuard further solidifies this partnership by entering into a comprehensive agreement that encompasses and enforces the sub-processor’s obligations in alignment with applicable data protection regulations.

3.1. Authorized Sub-processors:

In pursuit of optimal service delivery, MaxGuard avails itself of the opportunity to engage authorized sub-processors for the purpose of processing Personal Data on behalf of the esteemed Customer. A detailed list of these trusted sub-processors, chosen with the utmost care and diligence, can be provided upon request.

3.2. Sub-processor Obligations:

MaxGuard, driven by unwavering dedication to the sanctity of data protection, solemnly commits to fulfilling the following obligations with regard to its sub-processors: (i) entering into a comprehensive written agreement with each sub-processor, mandating the implementation of robust data protection measures, in strict accordance with the exalted standards prescribed by Data Protection Laws; and (ii) retaining full accountability for its compliance with the obligations outlined within this DPA, ensuring that any acts or omissions on the part of the sub-processor do not compromise MaxGuard’s unwavering commitment to upholding its obligations under this DPA.

3.3. Changes to Sub-processors:

MaxGuard, operating under the banner of transparency and integrity, pledges to furnish the esteemed Customer with reasonable advance notice, communicated via email or other suitable means, in the event of any additions or removals of sub-processors. This proactive communication ensures that the Customer remains well-informed and allows for any necessary adjustments to be made.

3.4. Objection to Sub-processors:

The esteemed Customer reserves the right to express objections in writing should MaxGuard contemplate the appointment of a new sub-processor. Such objections must be based on reasonable grounds relating to data protection and conveyed to MaxGuard through an official notice. This notice shall comprehensively outline the reasonable grounds underpinning the objection. In the event of such objections, the parties involved commit to engaging in good-faith discussions, aiming to achieve a commercially reasonable resolution to address the concerns raised. Should a mutually agreeable resolution prove elusive, either party retains the right to terminate the applicable Services that cannot be viably provided by MaxGuard without resorting to the utilization of the objected-to new sub-processor.

Section 4: Security

4.1. Security Measures:

MaxGuard, in its unwavering commitment to the fortification and inviolability of Personal Data, pledges to maintain an unwavering stance on implementing comprehensive technical and organizational security measures. These measures are carefully devised to shield Personal Data from the treacherous clutches of Security Incidents and to perpetuate an environment characterized by the utmost security and confidentiality. A detailed exposition of these formidable security measures, conceived with meticulous precision, can be provided upon request.

4.2. Confidentiality of Processing:

MaxGuard, driven by a staunch reverence for the sacred trust bestowed upon it, ensures that any individuals entrusted with the solemn duty of processing Personal Data, including but not limited to its diligent staff, agents, and sub-contractors, are bound by an unwavering obligation of confidentiality. This obligation, whether contractual or mandated by statutory duty, reinforces the sanctity and secrecy enveloping the Personal Data.

4.3. Security Incident Response:

In the event of a Security Incident coming to the fore, MaxGuard solemnly vows to promptly notify the esteemed Customer without undue delay. Furthermore, MaxGuard stands ready to furnish timely information relating to the Security Incident as it unfolds or as reasonably requested by the discerning Customer. This commitment to transparency and timely communication serves as a testament to MaxGuard’s unyielding dedication to safeguarding the sanctity and integrity of the Personal Data.

4.4. Updates to Security Measures:

The esteemed Customer, cognizant of the relentless march of technical progress and development, recognizes and acknowledges that the Security Measures are subject to ongoing refinement and enhancement. MaxGuard, in its relentless pursuit of excellence, reserves the right to periodically update or modify these Security Measures. Rest assured, such updates and modifications shall be undertaken with unwavering dedication to preserving the overall security of the Services procured by the esteemed Customer. Any updates or modifications made shall not, under any circumstances, lead to the degradation of the overall security apparatus meticulously crafted for the benefit of the esteemed Customer.

Section 5: Security Reports and Audits

5.1. Security Documentation

MaxGuard, in its unwavering commitment to transparency and accountability, diligently maintains meticulous records of its resolute adherence to the highest security standards. In accordance with the discerning Customer’s requirements, MaxGuard shall, upon written request, furnish copies of relevant external certifications, condensed summaries of comprehensive audit reports, and any other documentation reasonably deemed necessary by the esteemed Customer to verify the unwavering compliance of MaxGuard with the tenets enshrined within this DPA. These sensitive documents shall be provided on a strictly confidential basis, emphasizing MaxGuard’s unwavering dedication to safeguarding the sanctity and confidentiality of the information exchanged. Additionally, MaxGuard pledges to furnish written responses, in the same spirit of confidentiality, to all reasonable requests for information raised by the esteemed Customer. These requests may include comprehensive information security and audit questionnaires, which the discerning Customer, acting reasonably, deems vital for confirming the unwavering compliance of MaxGuard with the principles delineated within this DPA. It is important to note, however, that the esteemed Customer shall exercise this right no more than once annually, thus striking a harmonious balance between the Customer’s legitimate concerns and MaxGuard’s operational efficiency.

Section 6: International Transfers

6.1. Processing Locations

MaxGuard, in its unwavering commitment to the secure handling of Personal Data, acknowledges that the processing of Personal Data under the purview of this DPA extends beyond the borders of the European Union, the European Economic Area, and their member states, encompassing the serene landscapes of Switzerland as well (“EU Data”). It is imperative to recognize that MaxGuard, driven by an unwavering dedication to compliance with the demanding requirements of Data Protection Laws, diligently stores and processes such EU Data in state-of-the-art data centers located outside the geographic confines of the European Union.

Rest assured, esteemed Customer, that MaxGuard, in its tireless pursuit of unwavering data protection, shall meticulously institute and implement appropriate safeguards to fortify the sanctity and integrity of the Personal Data, irrespective of the geographic location where such processing is undertaken. These safeguards, in accordance with the exacting dictates of Data Protection Laws, stand as an unyielding bulwark shielding the esteemed Customer’s precious Personal Data from the grasp of malevolent forces.

Section 7: Return or Deletion of Data

7.1 Data Retention

MaxGuard, in adherence to the principles of data protection and privacy, affirms its unwavering commitment to the careful handling of Personal Data throughout the entire lifecycle of its provision of Services. Upon the deactivation of the Services, MaxGuard shall undertake the solemn responsibility of promptly and securely deleting all Personal Data, with due regard to the Data Retention period stipulated within the Terms.

However, esteemed Customer, it is important to acknowledge that the aforementioned deletion requirement may be subject to certain exceptions dictated by the compelling force of applicable law. In such cases, MaxGuard shall faithfully abide by the legal obligations imposed upon it, which may necessitate the retention of some or all of the Personal Data. Additionally, it is essential to acknowledge that Personal Data archived on back-up systems may be exempt from immediate deletion. Rest assured, esteemed Customer, that in such cases, MaxGuard shall undertake rigorous measures to securely isolate and protect the archived Personal Data from any further processing, affording it the highest level of safeguarding, as mandated by applicable law.

Section 8: Cooperation

8.1 Facilitating Collaboration

8.1.1 Obligation of Reasonable Cooperation

Recognizing the importance of seamless cooperation, MaxGuard acknowledges that there may be instances where Customer encounters challenges in independently accessing the relevant Personal Data within the Services. In such situations, MaxGuard, in line with the nature of the processing, shall extend reasonable cooperation to assist Customer. Through the implementation of appropriate technical and organizational measures, MaxGuard will endeavor, to the extent possible, to respond to any requests from individuals or relevant data protection authorities pertaining to the processing of Personal Data under the Terms. It is important to note that such cooperation shall be provided at Customer’s expense.

8.1.2 Communication Channels

In the event that any request directly concerning the processing of Personal Data under the Terms is received by MaxGuard, MaxGuard shall refrain from responding to such communication without prior authorization from Customer, unless legally compelled to do so. Should MaxGuard be required to address such a request, it shall promptly notify Customer and provide a copy of the request, unless legally prohibited from doing so.

8.2 Data Protection Authority

8.2.1 Compliance with Legal Obligations

In accordance with the requirements of Data Protection Law, MaxGuard, at Customer’s expense, shall furnish the reasonably requested information regarding MaxGuard’s processing of Personal Data under the Terms. Such provision of information is intended to enable Customer to conduct data protection impact assessments or engage in prior consultations with data protection authorities, as mandated by law.

Section 9: Miscellaneous

9.1 Primacy of the Terms of Service

9.1.1 Unaltered Terms

Notwithstanding any changes introduced by this DPA, the Terms shall remain unaltered and in full force and effect. In the event of any conflict between this DPA and the Terms, the provisions of this DPA shall prevail to the extent of such conflict.

9.2 Integration with the Terms

9.2.1 Integral Component

This DPA constitutes an integral component of the Terms and is duly incorporated therein. Thus, any references made to the “Terms” within the Terms shall include this DPA by extension.

9.3 Preservation of Liability

9.3.1 Protection of Data Subjects’ Rights

No provision in this DPA shall serve to limit the liability of any party concerning the data protection rights of individuals under this DPA or any other applicable provisions.

9.4 Governance

9.4.1 Applicable Laws and Jurisdiction

This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions as set forth in the Terms, unless Data Protection Laws require alternative provisions to be applied.
