Last updated: 28 August 2021
The customer agreeing to this addendum (the “Customer”) and BriskForce, Inc. (“BriskForce”), a company incorporated and registered in the USA (each a “Party”, together the “Parties”), have entered into an agreement which permits the Customer to use the BriskForce business management software service (the “Service”), on the terms and subject to the conditions of the BriskForce Terms and Conditions as amended from time to time, which can be found on the BriskForce website at https://briskforce.com/terms-of-service (the “Terms and Conditions”).
This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Terms and Conditions. All processing of Customer Personal Data (as defined below) by BriskForce on behalf of the Customer will be carried out in accordance with this DPA. The Customer’s continued usage of the Service after the Effective Date (as defined below) constitutes acceptance of this DPA.
1.1 This DPA is an addendum to and forms part of the Terms and Conditions.
1.2 This DPA contains all relevant terms relating to how BriskForce handles the personal data (data that can be used to identify, locate or contact a natural person) provided to it by the Customer about other natural persons—for example, the Customer’s users or employees (the “Customer Personal Data”). It does not cover how BriskForce processes personal data about the Customer themselves.
1.3 Save as set out explicitly in this DPA, the Terms and Conditions will remain unchanged.
1.4 In the event of any differences between the Terms and Conditions, the BriskForce Privacy Policy as amended from time to time, which can be found on the BriskForce website at https://briskforce.com/privacy-policy (the “Privacy Policy”), and this DPA, the terms of this DPA take precedence.
2.1 This DPA will take effect on the last modified date or on the first day of the Customer’s subscription to the Service, whichever is later (the “Effective Date”).
2.2 This DPA will survive the end of the Customer’s subscription period or the termination of the Terms and Conditions. It will terminate when all the Customer Personal Data has been deleted as described in this DPA.
The European Union Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) applies to the processing of Customer Personal Data by BriskForce if these processing activities relate to:
3.1 an establishment of the Customer in the European Union (“EU”), European Economic Area (“EEA”), Switzerland or the United Kingdom;
3.2 offering goods or services to data subjects in the EU, EEA, Switzerland or the United Kingdom; and/or
3.3 monitoring the behavior of data subjects in the EU, EEA, Switzerland or the United Kingdom as far as the behavior takes place within these areas,
3.4 (together, the “GDPR Activities”).
4.1 For the purposes of the PDPA and this DPA, BriskForce is a data intermediary.
4.2 In respect of any GDPR Activities, BriskForce is a data processor of the Customer Personal Data, while the Customer may be either a data controller or data processor.
4.3 If any other data protection or privacy law applies to any processing of Customer Personal Data, each Party will comply with their obligations under such law.
4.4 In respect of any GDPR Activities, if the Customer is a data processor, the Customer warrants to BriskForce that they have all necessary instructions and authorizations from the data controller to appoint BriskForce as a data sub-processor of the Customer Personal Data.
4.5 BriskForce will only process Customer Personal Data on the instructions of the Customer unless required by law to act without such instructions.
4.6 The Customer, by entering into this DPA, instructs BriskForce to process Customer Personal Data as follows:
4.6.1 to provide the Service to the Customer;
4.6.2 as further instructed by the Customer by its use of the Service, including by instructions given on the BriskForce user interface, by the uploading of CSV files to the BriskForce Service, or importing data from other services;
4.6.3 as set out in the Terms and Conditions and this DPA; and
4.6.4 as otherwise instructed in writing by the Customer which BriskForce acknowledges to be instructions for the purposes of this DPA.
4.7 BriskForce will process Customer Personal Data in accordance with the Customer’s instructions and in accordance with the following precise scope:
4.7.1 Subject matter: Providing the Service to the Customer pursuant to the Terms and Conditions, and as further instructed by the Customer in its use of the Service.
4.7.2 Duration: The length of the Customer’s subscription to the Service, and for a limited period afterward in accordance with the terms of this DPA, until this DPA is terminated after all Customer Personal Data has been deleted.
4.7.3 Nature and purpose: As necessary to provide the Service to the Customer, and as further instructed by the Customer in its use of the Service.
4.7.4 Types of personal data: The Customer may submit Customer Personal Data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) the following types of personal data:
a) name;
b) contact information;
c) position and organization; and
d) ID data.
4.7.5 Categories of data subjects: The Customer may submit Customer Personal Data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) personal data on the following categories of data subjects, who are in all cases natural persons:
a) the Customer’s end-users, customers, suppliers, and business partners;
b) employees and points of contact of the Customer’s end-users, customers, suppliers, and business partners;
c) the Customer’s employees, agents, advisors, and contractors; and
d) the Customer’s authorized users of the Service.
4.8 All processing of Customer Personal Data will be carried out by trusted employees, staff, agents, contractors, service providers, and sub-processors who will be subject to a duty of confidence.
5.1 The Customer may delete Customer Personal Data in a manner consistent with the functionality of the Service during the term of service. If the Customer uses the Service to delete any Customer Personal Data such that it cannot be recovered by the Customer, this will constitute an instruction to BriskForce to delete the relevant Customer Personal Data from its systems in accordance with applicable law. BriskForce will comply with this instruction as soon as reasonably practicable unless required by law to retain the data.
5.2 If the Customer wishes to delete Customer Personal Data that cannot be deleted via the Service, the Customer should send a deletion request to [email protected]. BriskForce will strive to respond to all such requests as soon as reasonably practicable.
5.3 If the Customer ceases to subscribe to and use the Service, the Customer’s account will be suspended until such time that:
5.3.1 the Customer resumes their subscription to the Service;
5.3.2 the Customer otherwise informs BriskForce that they wish to permanently terminate their relationship with BriskForce; or
5.3.3 BriskForce, at its sole discretion, permanently discontinues access to the Customer’s account in accordance with the Terms and Conditions.
5.4 If the Customer informs BriskForce that they wish to permanently terminate their relationship with BriskForce pursuant to clause 5.3.2, they will be taken to have instructed BriskForce to delete or anonymize all Customer Personal Data (including existing copies) from BriskForce’s systems in accordance with applicable law. BriskForce will comply with this instruction as soon as reasonably practicable unless required by the applicable law to retain the data.
5.5 If BriskForce permanently discontinues access to the Customer’s account, all Customer Personal Data will be deleted or anonymized unless BriskForce is required by the applicable law to retain the data.
6.1 BriskForce will take reasonable steps to ensure that Customer Personal Data is treated securely and to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks, and to meet its obligations as set out in Article 32 of the GDPR.
6.2 BriskForce cannot guarantee that unauthorized parties will not gain access to Customer Personal Data. To the extent permitted by applicable law, BriskForce expressly excludes any liability arising from any unauthorized access to Customer Personal Data.
6.3 In respect of any GDPR Activities only, BriskForce will provide the Customer with available information on its security processes as necessary to ensure that both Parties are meeting their obligations under this DPA and as set out in Article 28 of the GDPR.
6.4 In respect of any GDPR Activities only, BriskForce will permit the Customer or an independent auditor appointed by the Customer, who must be approved by BriskForce in accordance with clause 10, to conduct reasonable audits and inspections to verify compliance with its obligations under this DPA and as set out in Article 28 of the GDPR.
6.5 The Customer agrees and acknowledges that BriskForce will assist the Customer in conducting any DPIAs by providing them with this DPA and available information on security processes in accordance with clause 6.3 for review.
7.1 BriskForce will inform the Customer as soon as reasonably practicable if it is asked to engage in any activity that may infringe the PDPA, GDPR or other applicable law.
7.2 If BriskForce becomes aware of any data breaches or security incidents that impact Customer Personal Data, except for data breaches or security incidents caused by the Customer’s own actions, it will notify the Customer as soon as reasonably practicable and without undue delay. BriskForce will take reasonable steps to mitigate the consequences of any data breaches or security incidents so as to minimize the impact to Customer Personal Data.
7.3 Notice of any data breaches or security incidents pursuant to this clause 7 does not constitute an admission of responsibility by BriskForce.
8.1 BriskForce will pass on to the Customer any requests it receives from data subjects and the Customer’s end users to exercise any data rights. The Customer accepts and acknowledges that it is the Customer’s responsibility to respond to any data rights requests with the data subjects and end-users directly, or to instruct the relevant data controller to respond to these requests, as the case may be.
8.2 BriskForce will, taking into account the nature of the processing activity, assist the Customer in responding to such data rights requests by building appropriate functionality into the Service—such as the ability to delete and amend Customer Personal Data. The Customer agrees to exhaust all possible means of responding to a data subject’s data rights request using the Service’s functionality before contacting BriskForce for help to respond to such requests by email at [email protected]. BriskForce reserves the right to refuse assistance if, in its sole discretion, the Customer is able to respond to the data rights request using the Service’s functionality. BriskForce reserves the right to reimbursement from the Customer of reasonable costs incurred by BriskForce in providing assistance to the Customer under this clause 8.2.
9.1 BriskForce, Inc. is a company incorporated and registered in the USA. Most Customer Personal Data is stored in the United States of America; however, some data sub-processors might have data centers and storage facilities in other jurisdictions.
9.2 If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EU, EEA, Switzerland, and/or the United Kingdom, BriskForce will, if requested to do so by the Customer, ensure that BriskForce, Inc. as the data importer of the transferred Customer Personal Data enters into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) with the Customer as the data exporter of such personal data, and that the transfers are made in accordance with such model contract clauses.
9.3 The Customer agrees that if the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EU, EEA, Switzerland, and/or the United Kingdom and if under the GDPR BriskForce reasonably requires the Customer to enter into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) in respect of such transfers, the Customer will do so, failing which BriskForce reserves the right to terminate the Customer’s subscription.
10.1 If the Customer wishes to carry out an audit and/or inspection in accordance with clause 6.4, it must notify BriskForce by sending an audit and/or inspection request to admin@briskforce.com.
10.2 On receipt by BriskForce of a request under clause 10.1, BriskForce and the Customer will discuss and agree in advance on:
10.2.1 the identities of the auditors and/or inspectors, be they the Customer’s own personnel or parties appointed by the Customer;
10.2.2 a reasonable date and time to carry out the audit and/or inspection;
10.2.3 the scope and duration of the audit and/or inspection;
10.2.4 confidentiality obligations of the Customer that are a pre-condition for carrying out any audit and/or inspection; and
10.2.5 the amount of any reasonable fees and charges to be borne by the Customer to cover BriskForce’s costs of the audit and/or inspection.
10.3 The Customer is responsible for all of their own costs in relation to any audit and/or inspection, including the cost of any third-party auditor appointed by the Customer.
10.4 BriskForce may object to the appointment of any auditor appointed by the Customer if the auditor is, in BriskForce’s reasonable opinion, not suitably qualified or independent, a competitor of BriskForce, or otherwise unsuitable.
11.1 The Customer acknowledges and accepts that some processing of Customer Personal Data may be carried out by trusted sub-processors.
11.2 The Customer specifically authorizes BriskForce to engage the following sub-processors:
11.2.1 all BriskForce entities, including entities directly or indirectly controlled by, or under common control with BriskForce, Inc.; and
11.2.2 the sub-processors listed below as at the Effective Date.
11.3 BriskForce will engage new sub-processors from time to time. When it does, BriskForce will ensure that it enters into written contracts with these sub-processors. The written contract will stipulate, among other things, that:
11.3.1 the sub-processor only has access to Customer Personal Data necessary to perform its obligations under their agreement with BriskForce;
11.3.2 the sub-processor will carry out all processing activity in accordance with this DPA, the Privacy Policy, the Terms and Conditions, any model contract clauses entered into pursuant to clauses 9.2 and 9.3, and any applicable law; and
11.3.3 in respect of any GDPR Activities only, that the data protection obligations set out in Article 28(3) of the GDPR are imposed on the sub-processor.
11.4 BriskForce will notify all Customers when it engages a new sub-processor at least 14 days before any Customer Personal Data is handed to the sub-processor for processing. If the Customer wishes to object to the engagement of any sub-processor, the Customer must terminate their subscription and stop using the Service permanently. The Customer acknowledges and accepts that this is their sole and exclusive remedy to object to BriskForce’s engagement of any new sub-processor. If this remedy is exercised, BriskForce’s provision of the Service to the Customer will terminate on the eve of the date where the sub-processor begins to process Customer Personal Data or the last date of the Customer’s existing commitment period, whichever is earlier. The Customer remains responsible for payment of all subscription charges up to the last day of Service, to be calculated pro-rata.
12.1 BriskForce and all BriskForce entities’ aggregate liability to the Customer, arising out of or related to this DPA, shall be subject to the “Limitation of Liability” section of the Terms and Conditions. Any reference in such section of the Terms and Conditions to the liability of BriskForce means the aggregate liability of BriskForce and all BriskForce entities under the Terms and Conditions and this DPA.
13.1 The term “data intermediary” as used in this DPA has the meaning given in the PDPA.
13.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this DPA have the meanings given in the GDPR.
13.3 This DPA, and this clause, is governed by the laws of Delaware, USA. The Parties agree to submit to the exclusive jurisdiction of the courts of Delaware, USA.
List of Subprocessors
Last updated: 20 August 2020