Transcription
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0DATA PROCESSING ADDENDUMThis Data Processing Addendum, including its Schedules and Appendices, (“DPA”) forms part of the Cloud Terms ofService or other written agreement between Aternity and the Customer for the purchase of Cloud Services from Aternity(hereinafter defined as “Cloud Services”) (the “Agreement”) to reflect the parties’ agreement with regard to theProcessing of Personal DataThis Addendum will be effective as of the date Aternity receives a completed and executed DPA from the Customer inaccordance with the instructions under Sections I (“Effective Date”).All capitalized terms not defined herein shall have the meaning set forth in the Agreement.I.INSTRUCTIONSA.This DPA consists of two parts: the main body of the DPA, the Schedules 1 and 2 (including Appendices1 and 2).B.This DPA has been pre-signed by Aternity LLC. The Standard Contractual Clauses in Schedule 2 havebeen pre-signed by Aternity LLC as the data importer.C.To complete this DPA, Customer must:1. Be a customer of the Cloud Services;2. Complete the information in the notification box on page 4; complete the information in thesignature box and sign on page 6; and complete the information as the data exporter on page 8and complete the information in the signature box and sign on pages 13, 15 and 16.3. Send the signed DPA to Aternity by email to contracts@aternity.com.II.DATA PROCESSING TERMS1.Definitions.a.“Affiliate” means any legal entity that controls, is controlled by, or is under common control with a party.b.“CCPA” means the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., and itsimplementing regulations.c.“Controller” means the entity which determines the purposes and means of the processing of PersonalData.d.“Customer Data” has the meaning given in the Agreement or, if no such meaning is given, means dataprovided by or on behalf of Customer to Aternity as part of the Cloud Services.e.“Customer Personal Data” means Personal Data contained within the Customer Data.f.“Data Breach means any breach of Aternity’s security leading to the accidental or unlawful destruction,loss, alteration, unauthorized disclosure of, or access to, Customer Data, including Customer PersonalData, on systems managed by or otherwise controlled by Aternity. “Data Breaches” will not includeunsuccessful attempts or activities that do not compromise the security of Customer Data, includingunsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks onfirewalls or networked systems.g.“Data Protection Laws and Regulations” means all laws and regulations, including laws and regulationsof the European Union, the European Economic Area and their member states, Switzerland, the UnitedKingdom and the United States including its states, applicable to the Processing of Personal Data underthe Agreement.h.“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.i.“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April2016 on the protection of natural persons with regard to the processing of personal data and on the freemovement of such data, and repealing Directive 95/46/EC.j.“Personal Data” means any information relating to an identified or identifiable natural person.k.“Privacy and Security Documentation” means the Privacy and Security Documentation applicable tothe specific Cloud Services purchased by Customer, as may be updated from time to time, and accessiblevia Aternity’s Trust Center at www.aternity.com/trust-center, or otherwise made generally available byAternity.1Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: g” means any operation or set of operations which is performed upon Personal Data, whetheror not by automatic means, such as collection, recording, organization, structuring, storage, adaptationor alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise makingavailable, alignment or combination, restriction, erasure or destruction.m. “Processor” means the entity which processes Personal Data on behalf of the Controller.2.n.“Standard Contractual Clauses” mean the standard data protection clauses for the transfer of personaldata to processors established in third countries which do not ensure an adequate level of data protectionwithin the meaning of the applicable Data Protection Laws and Regulations.o.“Subprocessor” means any Processor engaged by Aternity.p.“Supervisory Authority” means an independent public authority which is established by an EU MemberState pursuant to the GDPR.q.“Users” means the individuals Customer authorizes to use the Cloud Services.Processing of Personal Data.a.b.Roles of the Parties. In order to perform the Cloud Services, Aternity may be required to processCustomer Personal Data during the term of the Agreement. In that case and with respect to the CustomerPersonal Data, the parties acknowledge and agree that:i.Aternity is a Processor of the Customer Personal Data under the applicable Data ProtectionLaws and Regulations; andii.Customer is a Controller or Processor, as applicable, of the Customer Personal Data under theapplicable Data Protection Laws and Regulations.Customer Processing. Customer shall, in its use of the Cloud Services, Process Customer PersonalData in accordance with the requirements of applicable Data Protection Laws and Regulations. Customershall have sole responsibility for the accuracy, quality, and legality of Customer Personal Data and themeans by which Customer acquired Customer Personal Data, including providing any required noticesto, and obtaining any necessary consent from, its employees, agents or third parties to whom it extendsthe benefits of the Cloud Services.i.c.Aternity Processing. Aternity shall only Process Customer Personal Data on behalf of and inaccordance with instructions described in Section 2.b.i (Customer’s Instructions) unless Data ProtectionLaws and Regulations to which Aternity is subject requires other processing of Customer Personal Databy Aternity, in which case Aternity will inform Customer unless otherwise prohibited by law.i.d.3.Customer’s Instructions. By entering into this DPA, Customer instructs Aternity to processCustomer Personal Data only in accordance with applicable law: (a) to provide the CloudServices; and (b) as further documented in any other written instructions given by Customer andacknowledged by Aternity as constituting instructions for purposes of this DPA.Customer warrants it will secure and maintain all rights necessary in Customer Personal Data,including obtaining the necessary consents from third parties including Users, to permit it tolegally provide the Customer Personal Data to Aternity and permit Aternity to use such CustomerPersonal Data as contemplated by this DPA.Details of the Processing. The subject matter and details of the processing are described in Schedule1 (Details of the Processing) to this DPA.Aternity Personnel.a.Confidentiality. Aternity will ensure that all Aternity personnel authorized to process Customer PersonalData have committed themselves to confidentiality or are under an appropriate statutory obligation ofconfidentiality.b.Security Compliance. Aternity will take appropriate steps to ensure compliance with the SecurityMeasures by its personnel, contractors and Subprocessors to the extent applicable to their scope ofperformance.c.Access Limitation. Aternity shall ensure that Aternity’s access to Customer Personal Data is limited tothose personnel who require such access to perform the Cloud Services in accordance with theAgreement.2Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: ternity’s Security Measures. Aternity will maintain appropriate technical and organizational measuresdesigned to ensure the security of the Customer Data (including Customer Personal Data) and to preventunauthorized or unlawful processing of Customer Data and against accidental loss or destruction of, ordamage to, Customer Data as set forth in the Privacy and Security Documentation (the “SecurityMeasures”). Aternity may update or modify the Security Measures from time to time provided that suchupdates and modifications do not result in the degradation of the overall security of the Cloud Services.b.Third-Party Certifications and Audits. Aternity has obtained the third-party certifications and audits setforth in Privacy and Security Documentation. Upon Customer’s written request at reasonable intervals,and subject to appropriate confidentiality obligations, Aternity will make available to Customer a copy ofAternity’s then most recent third-party audits or certifications, as applicable.c.Customer’s Security Responsibilities. Customer agrees that without prejudice to Aternity’s obligationsunder Section 4.a (Aternity’s Security Measures) and Section 7 (Data Breaches):i. Customer is solely responsible for its use of the Cloud Services, including:1.Making appropriate use of the Cloud Services to ensure a level of security appropriateto the risk in respect of the Customer Data;2.Securing the account authentication credentials, systems and devices Customer usesto access the Cloud Services;3.backing up its Customer Data; andii. Aternity has no obligation to protect Customer Data that Customer elects to store or transferoutside of Aternity’s or its Subprocessors’ systems (for example, offline or on-premises storage).5.Subprocessors.a.Consent to Subprocessor Engagement. Customer specifically authorizes the engagement asSubprocessors of (i) those third party entities and (ii) Aternity Affiliates listed as of DPA Effective Date atwww.aternity.com/legal/subprocessors. Customer acknowledges and expressly agrees that the aboveauthorizations constitute Customer’s prior written consent to the subcontracting by Aternity of theprocessing of Customer Personal Data as required under the Standard Contractual Clauses.b.Requirements for Subprocessor Engagement. When engaging any Subprocessor, Aternity shall:i. ensure via a written contract:1.the Subprocessor only accesses and uses Customer Personal Data to the extentrequired to perform the obligations subcontracted to it, and does so in accordance withthe Agreement (including this DPA) and any Standard Contractual Clauses asdescribed in Section 13.b; and2.if the GDPR applies to the processing of Customer Personal Data, the data protectionobligations set out in Article 28(3) of the GDPR, as described in this DPA, are imposedon the Subprocessor; andii. remain fully liable for all obligations subcontracted to, and all acts and omissions of, theSubprocessor.c.List of Current Subprocessors and Notification of New Subprocessors. A list of Aternity’s currentSubprocessors is available at www.aternity.com/legal/subprocessors. Aternity will inform Customer of theengagement (including the name and location of the relevant subprocessor and the activities it willperform) by sending an email to the notification email address set forth in Section 7.b below prior toauthorizing any new Subprocessor(s) to Process Customer Personal Data in connection with theprovision of the applicable Cloud Services.d.Opportunity to Object to New Subprocessor(s). Customer may object to Aternity’s use of a newSubprocessor by notifying Aternity promptly in writing within thirty (30) days after receipt of Aternity’snotice. In the event Customer objects to a new Subprocessor, as permitted in the preceding sentence,Aternity will use reasonable efforts to make available to Customer a change in the Cloud Services orrecommend a commercially reasonable change to Customer’s configuration or use of the Cloud Servicesto avoid Processing of Customer Personal Data by the objected-to new Subprocessor withoutunreasonably burdening the Customer. If Aternity is unable to make available such change within areasonable time period, which shall not exceed thirty (30) days, Customer may terminate the applicable3Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0Agreement with respect to only those Cloud Services which cannot be provided by Aternity without theuse of the objected-to new Subprocessor by providing written notice to Aternity. This termination right isCustomer’s sole and exclusive remedy if Customer objects to any new Third Party Subprocessor.6.Data Subject Rights. During the Term, Aternity shall, to the extent legally permitted, promptly notify Customer ifAternity receives a request from a Data Subject to exercise the Data Subject’s right of access, right to rectification,restriction of Processing, erasure (“right to be forgotten”), data portability, object to the Processing, or its right notto be subject to an automated individual decision making (each a “Data Subject Request”). Taking into accountthe nature of the Processing, Aternity shall assist Customer by appropriate technical and organizational measures,insofar as this is possible, for the fulfillment of Customer’s obligations to respond to a Data Subject Request underData Protection Laws and Regulations. In addition, to the extent Customer, in its use of the Cloud Services, doesnot have the ability to address a Data Subject Request, Aternity shall upon Customer’s request providecommercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extentAternity is legally permitted to do so and the response to such Data Subject Request is required under DataProtection Laws and Regulations.7.Data Breaches. Aternity will: (a) notify Customer of a Data Breach promptly and without undue delay afterbecoming aware of such Data Breach; and (b) promptly take reasonable steps to minimize harm and secureCustomer Data.a.Details of Breach. Notifications made pursuant to this section will describe, to the extent possible, detailsof the Data Breach, including the steps Aternity deems necessary and reasonable in order to remediatethe cause of such a Data Breach to the extent the remediation is within Aternity’s reasonable control.b.Delivery of Notification. Notification(s) of any Data Breach(es) will be delivered to the email address(es)designated by Customer below by any means Aternity selects, including via email. Customer is solelyresponsible for ensuring its contact information remains current and valid.Contact Name:Email Address:c.Contact Name:Email Address:No Acknowledge of Fault by Aternity. Aternity’s notification of or response to a Data Breach under thisSection 7 (Data Breaches) will not be construed as an acknowledgement by Aternity of any fault or liabilitywith respect to the Data Breach.8.Customer Data Deletion. At the end of the provision of the Cloud Services relating to processing of CustomerData, Aternity shall, at the request of the Customer, delete all Customer Data and delete existing copies fromAternity systems to the extent reasonably practicable unless otherwise required by applicable law.9.Audits and Certifications. Upon Customer’s request, and subject to appropriate confidentiality obligations,Aternity will make available to Customer information regarding the Aternity’s compliance with the obligations setforth in this DPA, including the third-party certifications and audits set forth in the Privacy and SecurityDocumentation to the extent Aternity makes them generally available to its customers.a.Audits. Customer may no more than one time per year (unless (i) Aternity notifies Customer of a DataBreach, or (ii) such audit is required by a Supervisory Authority) request an audit of the proceduresrelevant to the protection of Customer Personal Data. Customer must contact Aternity atcontracts@aternity.com at least six (6) weeks in advance to request such an audit; any audit must beconducted in accordance with the procedures set forth in Section 9.b (Audit Procedures) below.b.Audit Procedures. Prior to beginning any audit, Aternity and Customer will mutually agree upon thereasonable start date, scope and duration of and security and confidentiality controls applicable to theaudit in addition to allocation of costs between the parties. Aternity may object in writing to an auditorappointed by Customer to conduct any audit if the auditor is, in Aternity’s reasonable opinion, not suitablyqualified or independent, a competitor of Aternity, or otherwise manifestly unsuitable. Customer shallpromptly notify Aternity with information regarding any noncompliance discovered during the course ofany audit.10. Processing Location. Customer Data that Aternity Processes on Customer’s behalf may be transferred to, andstored and processed in, the United States or any other country in which Aternity or its Affiliates or Subprocessorsmaintain facilities. Customer appoints Aternity to perform any such transfer of Customer Data to any such countryand to store and process Customer Data in order to provide the Cloud Services. If the storage and/or processingof Customer Data involves the transfer of Customer Personal Data out of the European Economic Area (“EEA”),and the GDPR applies to the transfers of such Customer Personal Data, Aternity will ensure that the transfers aresubject to appropriate safeguards as described in Section 13.b.4Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B011. Limitation of Liability. The total combined liability of either party and its Affiliates towards the other party and itsAffiliates whether in contract, tort or under any other theory of liability, is subject to the ‘Limitation of Liability’ sectionof the Agreement, and any reference in such section to the liability of a party means the aggregate liability of thatparty and all of its Affiliates under the Agreement and this DPA.12. Term; Termination. This DPA shall remain in effect from DPA Effective Date until the end of Aternity’s provisionof the Cloud Services (the “Term”) and will terminate when Aternity’s provision of the Cloud Services ends, withoutfurther action required by either party.13. European Specific Provisions.a.Impact Assessment and Prior Consultation. Upon Customer’s request, Aternity shall (taking intoaccount the nature of the Processing and the information available to Aternity) provide reasonableassistance to Customer in ensuring compliance with any obligations of Customer in respect of dataprotection impact assessments and prior consultation, including if applicable Customer’s obligationspursuant to Articles 35 and 36 of the GDPR.b.Transfers of Personal Data Out of the EEA. If Aternity’s Processing in the course of providing theCloud Services involves the transfer of Customer Personal Data from the European Economic Area (EEA)to outside the EEA, either directly or via onward transfer, to any country or recipient: (a) not recognizedby the European Commission as providing an adequate level of protection for Personal Data (asdescribed in the GDPR), and (b) not covered by a suitable framework recognized by the relevantauthorities or courts as providing adequate protection for personal data, then the Standard ContractualClauses set forth in Schedule 2 to this DPA will apply, to the extent such transfers are subject to theGDPR.i. Additional Terms for Transfer of Customer Personal Data From the EEA.1.Instructions. This DPA and the Agreement are Customer’s complete and finaldocumented instructions to Aternity for the Processing of Customer Personal Data. Anyadditional or alternate instructions must be agreed upon separately. For the purposesof Clause 5(a) of the Standard Contractual Clauses, the following is deemed aninstruction by the Customer to process Customer Personal Data: (a) Processing inaccordance with the Agreement and applicable orders; (b) Processing initiated byUsers in their use of the Cloud Services and (c) Processing to comply with otherreasonable documented instructions provided by Customer (e.g., via email) where suchinstructions are consistent with the terms of the Agreement.2.Subprocessors. Pursuant to Clause 5(h) of the Standard Contractual Clauses,Customer acknowledges and expressly agrees that Aternity may engage newSubprocessors as described in Sections 5.c and 5.d of this DPA. Aternity shall makeavailable to Customer a list of current Subprocessors in accordance with Section 5.c ofthis DPA.3.Copies of Subprocessor Agreements. The parties agree that the copies of theSubprocessor Agreements that must be provided by Aternity to Customer pursuant toClause 5(j) of the Standard Contractual Clauses may have all commercial information,or clauses unrelated to the Standard Contractual Clauses or their equivalent, removedby Aternity beforehand; and, that such copies will be provided by Aternity, in a mannerto be determined in its discretion, only upon request by Customer.4.Audits and Certifications. The parties agree that the audits described in Clause 5(f)and Clause 12(2) of the Standard Contractual Clauses shall be carried out as describedin Sections 9.a and 9.b of this DPA.5.Certification of Deletion. The parties agree that the certification of deletion ofCustomer Personal Data that is described in Clause 12(1) of the Standard ContractualClauses shall be provided by Aternity to Customer only upon Customer’s request.ii. Conflict. In the event of any conflict or inconsistency between the body of this DPA andSchedule 1 and the Standard Contractual Clauses in Schedule 2, the Standard ContractualClauses shall prevail.5Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0List of SchedulesSchedule 1: Details of the ProcessingSchedule 2: Standard Contractual ClausesAGREED AND ACCEPTED:Customer:Aternity LLC:Signature:Signature:Name:Name: Sean LannanTitle:Title: Chief Financial Officer07-Jan-2020Date:Date:6Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0SCHEDULE 1 – DETAILS OF THE PROCESSINGNature and Purpose of ProcessingAternity will Process Customer Personal Data as necessary to perform the Cloud Services pursuant to the Agreement,as further specified in the Documentation, and as further instructed by Customer (in accordance with Section 2.b.i ofthe DPA) in its use of the Cloud Services.Duration of ProcessingSubject to Section 8 of the DPA, Aternity will Process Personal Data for the duration of the Agreement, unless otherwiseagreed upon in writing.Categories of Data Subjects Employees of CustomerCustomer’s UsersCategories of Personal DataCategoryDescriptionFull NameFull name – as defined in corporate LDAP – of the user accessing the device(e.g., Jane Doe)UsernameUsername of the user signed into the device’s operating system(e.g., jdoe)EmailEmail address of the currently logged-in user(e.g., jane.doe@aternity.com)TitleJob title – as defined in corporate LDAP – of the user currently logged into thedevice(e.g., VP, Sales)RoleRole descriptions defined by customer(e.g., Sale Management)DepartmentDepartment – as defined in the corporate LDAP – of the user or device(e.g., Sales)OfficeCustomer-defined office location where user is currently logged into device*(e.g., Cambridge Office)LocationCustomer-defined location from which user is currently logged into device*(e.g., Cambridge, MA)IP AddressDevice Name / HostnameIP address of:-Windows and/or Mac device connected to Aternity-WiFi connection of the mobile device connected via WiFiThe hostname or computer name(e.g., ADFC123 PC)Client Device NameHostname of the device connected to a VDI or virtual application server(e.g., AFRC123 PC)7Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0SCHEDULE 2 – STANDARD CONTRACTUAL CLAUSESStandard Contractual Clauses (processors)For the purposes of Article 26(2) of Directive 95/46/EC for the transfer of personal data to processors established inthird countries which do not ensure an adequate level of data protection.Name of the data exporting organisation:Address:Tel.:; fax:; e-mail:Other information needed to identify the organisation: (the data exporter)AndName of the data importing organisation: Aternity LLCAddress: 125 Cambridge Park Drive, Cambridge, MA 02140, USATel.: 1 617 250 5300; fax: 1 617 250 5310; e-mail: contracts@aternity.comOther information needed to identify the organisation: Not applicable(the data importer)each a “party”; together “the parties”HAVE AGREED on the following Contractual Clauses (the Clauses) in order to adduce adequate safeguards withrespect to the protection of privacy and fundamental rights and freedoms of individuals for the transfer by the dataexporter to the data importer of the personal data specified in Appendix 1.8Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0Clause 1DefinitionsFor the purposes of the Clauses:(a)'personal data', 'special categories of data', 'process/processing', 'controller', 'processor', 'data subject' and'supervisory authority' shall have the same meaning as in Directive 95/46/EC of the European Parliament and of theCouncil of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on thefree movement of such data;(b)'the data exporter' means the controller who transfers the personal data;(c)'the data importer' means the processor who agrees to receive from the data exporter personal data intendedfor processing on his behalf after the transfer in accordance with his instructions and the terms of the Clauses and whois not subject to a third country's system ensuring adequate protection within the meaning of Article 25(1) of Directive95/46/EC;(d)'the subprocessor' means any processor engaged by the data importer or by any other subprocessor of thedata importer who agrees to receive from the data importer or from any other subprocessor of the data importer personaldata exclusively intended for processing activities to be carried out on behalf of the data exporter after the transfer inaccordance with his instructions, the terms of the Clauses and the terms of the written subcontract;(e)'the applicable data protection law' means the legislation protecting the fundamental rights and freedoms ofindividuals and, in particular, their right to privacy with respect to the processing of personal data applicable to a datacontroller in the Member State in which the data exporter is established;(f)'technical and organisational security measures' means those measures aimed at protecting personal dataagainst accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, in particularwhere the processing involves the transmission of data over a network, and against all other unlawful forms ofprocessing.Clause 2Details of the transferThe details of the transfer and in particular the special categories of personal data where applicable are specified inAppendix 1 which forms an integral part of the Clauses.Clause 3Third-party beneficiary clause1.The data subject can enforce against the data exporter this Clause, Clause 4(b) to (i), Clause 5(a) to (e), and(g) to (j), Clause 6(1) and (2), Clause 7, Clause 8(2), and Clauses 9 to 12 as third-party beneficiary.2.The data subject can enforce against the data importer this Clause, Clause 5(a) to (e) and (g), Clause 6,Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where the data exporter has factually disappeared or has ceasedto exist in law unless any successor entity has assumed the entire legal obligations of the data exporter by contract orby operation of law, as a result of which it takes on the rights and obligations of the data exporter, in which case thedata subject can enforce them against such entity.3.The data subject can enforce against the subprocessor this Clause, Clause 5(a) to (e) and (g), Clause 6,Clause 7, Clause 8(2), and Clauses 9 to 12, in cases where both the data exporter and the data importer have factuallydisappeared or ceased to exist in law or have become insolvent, unless any successor entity has assumed the entirelegal obligations of the data exporter by contract or by operation of law as a result of which it takes on the rights andobligations of the data exporter, in which case the data subject can enforce them against such entity. Such third-partyliability of the subprocessor shall be limited to its own processing operations under the Clauses.4.The parties do not object to a data subject being represented by an association or other body if the datasubject so expressly wishes and if permitted by national law.Clause 4Obligations of the data exporterThe data exporter agrees and warrants:(a)that the processing, including the transfer itself, of the personal data has been and will continue to be carriedout in accordance with the relevant provisions of the applicable data protection law (and, where applicable, has been9Aternity Data Processing Addendum (Online), version 07 Jan 2020
DocuSign Envelope ID: 56F4DF82-87DC-4D09-BFA7-80A2FB4873B0notified to the relevant authorities of the Member State where the data exporter is established) and does not violate therelevant provisions of that State;(b)that it has instructed and throughout the duration of the personal data processing services will instruct the dataimporter to process the personal data transferred only on the data exporter's behalf and in accordance with theapplicable data protection law and the Clauses;(c)that the data importer will provide sufficient guarantees in respect of the technical and organisational securitymeasures specified in Appendix 2 to this contract;(d)that after asses
Aternity Data Processing Addendum (Online), version 07 Jan 2020 . This DPA has been pre-signed by Aternity LLC. The Standard Contractual Clauses in Schedule 2 have . "Processing" means any operation or set of operations which is performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization .
