This Data Processing Addendum (the "Addendum") is made by and between Wesat, Inc. ("Wesat") and you. This Addendum is incorporated into the Terms of Service or other written agreement ("Agreement") between Wesat and you that incorporates this Addendum. Your use of the Service constitutes your acceptance of the Agreement and this Addendum. This Addendum applies in respect of Wesat's provision of the Services to you if the Processing of Customer Personal Data (as defined below) is subject to the GDPR, only to the extent you are a Controller and Wesat is a Processor of Customer Personal Data. This Addendum is intended to satisfy the requirements of Article 28(3) of the GDPR. This Addendum shall be effective for the term of the Agreement.
1.1. For the purposes of the Addendum:
1.1.1. Customer Personal Data means the Personal Data described under Section 2 of this Addendum, in respect of which you are the Controller;
1.1.2. Data Protection Legislation means the GDPR, together with any national implementing laws in any Member State of the European Union or, to the extent applicable, in any other country, as amended, repealed, consolidated or replaced from time to time;
1.1.3. GDPR means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data; and
1.1.4. Personal Data , Data Subject , Personal Data Breach , Process , Processor and Controller will each have the meaning given to them in the GDPR.
2. Details of The Processing
2.1. Categories of Data Subjects. This Addendum applies to the Processing of Customer Personal Data relating to the clients that you interact with through the Services.
2.2. Types of Personal Data. Customer Personal Data includes Personal Data, the extent of which is determined and controlled by you in your sole discretion, such as names, contact information, and financial information.
2.3. Subject-Matter and Nature of the Processing. The subject-matter of Processing of Customer Personal Data by Wesat is the provision of the Services to you that involves the Processing of Customer Personal Data. Customer Personal Data will be subject to those Processing activities which Wesat needs to perform in order to provide the Services pursuant to the Agreement.
2.4. Purpose of the Processing. Customer Personal Data will be Processed by Wesat for purposes of providing the Services set out into the Agreement.
2.5. Duration of the Processing. Customer Personal Data will be Processed for the duration of the Agreement, subject to Section 11 of this Addendum.
3. Processing of Customer Personal Data
3.1. The parties acknowledge and agree that you are the Controller of Customer Personal Data and Wesat is the Processor of that data. Wesat will only Process Customer Personal Data as a Processor on behalf of and in accordance with this Addendum and your prior written instructions, including with respect to transfers of personal data. You hereby instruct Wesat to Process Customer Personal Data to the extent necessary to enable Wesat to provide the Services in accordance with the Agreement.
3.2. If Wesat cannot process Customer Personal Data in accordance with your instructions due to a legal requirement under any applicable European Union or Member State law, Wesat will (i) promptly notify you of such inability, providing a reasonable level of detail as to the instructions with which it cannot comply and the reasons why it cannot comply, to the greatest extent permitted by applicable law; and (ii) cease all Processing of the affected Customer Personal Data (other than merely storing and maintaining the security of the affected Customer Personal Data) until such time as you issue new instructions with which Wesat is able to comply. If this provision is invoked, Wesat will not be liable to you under the Agreement for failure to perform the Services until such time as you issue new instructions.
3.3. The parties will comply with their respective obligations under the Data Protection Legislation. You shall ensure that you have obtained (or will obtain) all rights and consents (if required) which are necessary for Wesat to Process Customer Personal Data in accordance with this Addendum.
4. Data Transfers
4.1. In connection with the performance of the Agreement, Customer authorizes Wesat to Process Customer Personal Data associated with Data Subjects from the European Economic Area and/or Switzerland (collectively "EEA") in the United States, whether Wesat transfers Customer Personal Data from the EEA or whether receives Customer Personal Data from the EEA that was already transferred by Customer.
4.2. Wesat has certified to the Privacy Shield framework as administered by the U.S. Department of Commerce (the "Privacy Shield") and commits to comply with its obligations for the Customer Personal Data transferred under the Privacy Shield throughout the term of this Addendum.
4.3. If Wesat is not able to comply with its Privacy Shield obligations, it will nevertheless provide an adequate level of protection for Customer Personal Data, wherever processed, in accordance with the requirements of applicable data protection law.
5.1. Wesat will ensure that any person whom Wesat authorizes to Process Customer Personal Data on its behalf is subject to confidentiality obligations in respect of that Customer Personal Data.
6. Security Measures
6.1. Wesat will implement appropriate technical and organizational measures to protect against accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.
6.2. Wesat will, at your request and subject to you paying all of Wesat's fees at prevailing rates, and all expenses, provide you with reasonable assistance as necessary for the fulfilment of your obligation to keep Customer Personal Data secure.
7.1. You authorize Wesat to appoint sub-Processors to perform specific services on Wesat's behalf which may require such sub-Processors to Process Customer Personal Data. Wesat will inform you of any intended changes concerning the addition or replacement of any sub- Processors and You will have an opportunity to object to such changes on reasonable grounds within fifteen (15) business days after being notified. If the parties are unable to resolve such objection, either party may terminate the Agreement by providing written notice to the other party.
7.2. Wesat will enter into a binding written agreement with the sub-Processor that imposes on the sub-Processor the same obligations that apply to Wesat under this Addendum. Where any of its sub-Processors fails to fulfil its data protection obligations, Wesat will be liable to you for the performance of its sub-Processors' obligations.
8. Data Subject Rights
8.1. Wesat will, at your request and subject to you paying all of Wesat's fees at prevailing rates, and all expenses, provide you with assistance necessary for the fulfilment of your obligation to respond to requests for the exercise of Data Subjects' rights. Wesat shall not respond to such requests without your prior written consent and written instructions. You shall be solely responsible for responding to such requests.
9. Personal Data Breaches
9.1. Wesat will notify you as soon as practicable after it becomes aware of any of any Personal Data Breach affecting any Customer Personal Data. At your request and subject to you paying all of Wesat's fees at prevailing rates, and all expenses, Wesat will promptly provide you with all reasonable assistance necessary to enable you to notify relevant security breaches to the competent data protection authorities and/or affected Data Subjects, if you is required to do so under the GDPR. You are solely responsible for complying with data incident notification requirements applicable to you and fulfilling any third-party notification obligations related to any data incidents.
10. Data Protection Impact Assessment; Prior Consultation
10.1. Wesat will, at your request and subject to you paying all of Wesat's fees at prevailing rates, and all expenses, provide you with reasonable assistance to facilitate conducting data protection impact assessments and consultation with data protection authorities, if you are required to engage in such activities under the GDPR, and solely to the extent that such assistance is necessary and relates to the Processing by Wesat of the Customer Personal Data, taking into account the nature of the Processing and the information available to Wesat.
11. Return or Deletion of Customer Personal Data
11.1. Wesat will return or delete, at your choice, Customer Personal Data to you after the end of the provision of Services relating to the Processing, and delete existing copies unless the applicable European Union or member state law requires storage of the data.
12.1. Wesat will, at your request and subject to you paying all of Wesat's fees at prevailing rates, and all expenses, provide you with all information necessary to enable you to demonstrate compliance with your obligations under the GDPR, and allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, to the extent that such information is within Wesat's control and Wesat is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party, and provided that such audits shall be carried out with reasonable notice during regular business hours not more often than once per year. Wesat will immediately inform you if, in its opinion, an instruction from you infringes the Data Protection Legislation.
13.1. Each party's liability towards the other party under or in connection with this Addendum will be limited in accordance with the provisions of the Agreement.
13.2. You acknowledge that Wesat is reliant on you for direction as to the extent to which Wesat is entitled to Process Customer Personal Data on behalf of you in performance of the Services. Consequently, Wesat will not be liable under the Agreement for any claim brought by a Data Subject arising from any action or omission by Wesat, to the extent that such action or omission resulted directly from your instructions or from your failure to comply with your obligations under the Data Protection Legislation.
14. General Provisions
14.1. With regard to the subject matter of this Addendum, in the event of inconsistencies between the provisions of this Addendum and the Agreement, the provisions of this Addendum shall prevail.