Data Processing Agreement (DPA)

Updated: January 21, 2023

 

This Data Processing Agreement (DPA) reflects the requirements of the European Data Protection Regulation ("GDPR"), which came into effect on May 25, 2018. The products and services offered by SC Xstudios Creative Solutions SRL ("Hosting-Shop") within the European Union comply with GDPR, and this DPA provides you with the necessary documentation regarding this compliance.

 

This Data Processing Agreement ("DPA") is an addendum to the Terms of Service ("Agreement") between SC Xstudios Creative Solutions SRL ("Hosting-Shop") and the Client. All capitalized terms not defined in this DPA will have the meaning given in the Agreement. The Client enters into this agreement (DPA) on its own behalf and, to the extent required by Data Protection Laws, on behalf of and representing its Authorized Affiliates (defined below).

 

The parties agree as follows:

  1. Definitions

    1. AFFILIATE - any entity that Controls, is Controlled by, or is under common Control with an entity, directly or indirectly.

    2. AUTHORIZED AFFILIATE - any of the Client's Affiliates that are permitted to or otherwise benefit from the Services, according to the Agreement.

    3. CONTROL - ownership, voting rights, or other similar rights representing fifty percent (50%) or more of the total outstanding rights of the respective entity. The term "Controlled" will be interpreted accordingly.

    4. CONTROLLER - an entity that determines the purposes and means of processing Personal Data.

    5. CLIENT DATA - any data that Hosting-Shop and/or its Affiliates process on behalf of the Client in the course of providing the Services, in accordance with the Agreement.

    6. DATA PROTECTION LAWS - all data protection and privacy laws and regulations applicable to the processing of Personal Data, in accordance with the Agreement, including, where applicable, the EU Data Protection Law.

    7. EU DATA PROTECTION LAW - (i) before May 25, 2018, Directive 95/46/EC of the European Parliament and Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("Directive") and on and after May 25, 2018, Regulation 2016/679 of the European Parliament and Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); and (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and its applicable national implementations (in each case, as amended or replaced).

    8. PERSONAL DATA - any Client Data relating to an identified or identifiable natural person, to the extent that such information is protected as personal data under applicable Data Protection Law.

    9. PRIVACY SHIELD - the EU-US and Swiss-US Privacy Shield frameworks, as administered by the US Department of Commerce.

    10. PRIVACY SHIELD PRINCIPLES - the Privacy Shield Framework Principles (including the Supplemental Principles) contained in Annex II to the European Commission's decision of July 12, 2016, pursuant to the Directive, details of which can be found at www.privacyshield.gov/eu-us-framework.

    11. PROCESSOR - an entity that processes Personal Data on behalf of the Controller.

    12. PROCESSING - has the meaning given to it in GDPR.

    13. SECURITY INCIDENT - any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

    14. SERVICES - any product or service provided by Hosting-Shop to the Client, in accordance with and as detailed in the Agreement.

    15. SUB-PROCESSOR - any Processor engaged by Hosting-Shop or its Affiliates to assist in fulfilling its obligations regarding the provision of the Services, in accordance with the Agreement or this DPA. Sub-processors may include third parties or any Hosting-Shop Affiliate.

  2. Scope and Applicability of this DPA

    1. This DPA applies only to the extent that Hosting-Shop processes Personal Data on behalf of the Client, in the course of providing the Services, and such Personal Data is subject to the data protection laws of the European Union, the European Economic Area and/or their member states, Switzerland, and/or the United Kingdom. The parties agree to comply with the terms and conditions of this DPA in relation to such Personal Data.

    2. Roles of the Parties. Between Hosting-Shop and the Client, the Client is the Controller of Personal Data, and Hosting-Shop will process Personal Data only as a Processor on behalf of the Client. Nothing in the Agreement or this DPA will prevent Hosting-Shop from using or sharing any data it collects and processes independently of the Client's use of the Services.

    3. Client's Obligations. The Client agrees that it (i) will comply with its obligations as a Controller under Data Protection Laws, in respect of the processing of Personal Data and all processing instructions it issues to Hosting-Shop; and (ii) has informed and obtained (or will obtain) all necessary consents and rights required under Data Protection Laws for Hosting-Shop to process Personal Data and provide the Services, in accordance with the Agreement and this DPA.

    4. Processing of Data by Hosting-Shop. As a Processor, Hosting-Shop will process Personal Data solely for the following purposes: (i) processing to provide the Services in accordance with the Agreement; (ii) processing to perform any steps necessary to implement the Agreement; and (iii) to comply with any other reasonable instructions provided by the Client, to the extent they are consistent with the terms of this Agreement and only in accordance with the Client's lawful and documented instructions. The parties agree that this DPA and the Agreement set out the Client's complete and final instructions to Hosting-Shop regarding the processing of Personal Data, and any processing outside the scope of these instructions (if any) will require prior written agreement between the Client and Hosting-Shop.

    5. Type of Data. Hosting-Shop manages Client Data provided by the Client. Such Client Data may contain special categories of data, depending on how the Services are used by the Client. Client Data may be subject to the following processing activities: (i) storage and other processing necessary to provide, maintain, and improve the Services provided to the Client; (ii) providing technical support and assistance to the Client; and (iii) disclosures required by law or other provisions set out in the Agreement.

    6. Hosting-Shop Data. Without prejudice to the Agreement (including this DPA), the Client acknowledges that Hosting-Shop will have the right to use and disclose data related to and/or obtained in connection with the operation, support, and/or use of the Services for its legitimate business purposes, such as billing, account management, technical support, product development, and sales or marketing. To the extent any such data is considered personal data under Data Protection Laws, Hosting-Shop is the Controller of such data and will process it accordingly, in compliance with Data Protection Laws.

  3. Sub-processing

    1. Authorized Sub-processors. The Client agrees that Hosting-Shop may engage Sub-processors to process Personal Data on behalf of the Client. The Sub-processors currently engaged by Hosting-Shop and authorized by Clients are listed in Annex A.

    2. Sub-processor Obligations. Hosting-Shop: (i) will enter into a written agreement with Sub-processors, imposing data protection terms that require Sub-processors to protect Personal Data to the standard required by Data Protection Laws; and (ii) retains responsibility for compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Hosting-Shop to breach any of its obligations under this DPA.

    3. Changes to Sub-processors. Hosting-Shop will inform Clients in advance (email notification is sufficient) if it adds or removes Sub-processors.

    4. Objections to Sub-processors. The Client may object in writing to Hosting-Shop's appointment of a new Sub-processor, based on reasonable data protection grounds, by notifying Hosting-Shop promptly in writing within five (5) calendar days of receiving Hosting-Shop's notice in accordance with Section 3.3. Such notice will explain the reasonable grounds for the objection. In such a situation, the parties will discuss these concerns in good faith with the aim of achieving a commercially reasonable resolution. If this is not possible, either party may terminate the provision of the applicable Services that cannot be provided by Hosting-Shop without the involvement of the contested new Sub-processor.

  4. Security

    1. Security Measures. Hosting-Shop will implement and maintain appropriate technical and organizational security measures to protect Personal Data against Security Incidents and to preserve the security and confidentiality of Personal Data, in accordance with Hosting-Shop's security standards described in Annex B ("Security Measures").

    2. Confidentiality of Processing. Hosting-Shop will ensure that any person authorized by Hosting-Shop to process Personal Data (including its employees, agents, or subcontractors) will be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).

    3. Response to a Security Incident. Upon becoming aware of a Security Incident, Hosting-Shop will notify the Client without undue delay and will provide timely information regarding the Security Incident as it becomes known or as is reasonably requested by the Client.

    4. Updates to Security Measures. The Client acknowledges that Security Measures are subject to technical progress and development and that Hosting-Shop may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Client.

  5. Security Reports and Audits

    1. Hosting-Shop will maintain records of its security standards. Upon the Client's written request, Hosting-Shop will provide (confidentially) copies of relevant external ISMS certifications, audit report summaries, and/or other documentation reasonably requested by the Client to verify Hosting-Shop's compliance with this DPA. Hosting-Shop will further provide written responses (confidentially) to all reasonable requests for information made by the Client, including responses to information security and audit questionnaires, that the Client (acting reasonably) considers necessary to confirm Hosting-Shop's compliance with this DPA, provided that the Client will not exercise this right more than once per year.

  6. International Transfers

    1. Processing Locations. Hosting-Shop stores and processes EU Data (defined below) in data centers located within and outside the European Union. All other Client Data may be transferred and processed in Romania and anywhere in the world where the Client, its Affiliates, and/or its Sub-processors maintain data processing operations. Hosting-Shop will implement appropriate safeguards to protect Personal Data, wherever it is processed, in accordance with the requirements of Data Protection Laws.

    2. Transfer Mechanism: Notwithstanding Section 6.1, to the extent Hosting-Shop processes or transfers (directly or via onward transfer) Personal Data under this DPA from the European Union, the European Economic Area and/or their member states, and Switzerland ("EU Data") to countries that do not ensure an adequate level of data protection within the meaning of the applicable Data Protection Laws of the above territories, the parties agree that Hosting-Shop will be deemed to provide adequate protection for such data by virtue of its self-certification to the Privacy Shield, and Hosting-Shop will process such data in compliance with the Privacy Shield Principles. The Client hereby authorizes any transfer of EU Data to, or access to EU Data from, such destinations outside the EU, subject to any of these measures having been taken.

  7. Return or Deletion of Data

    1. Upon deactivation of the Services, all Personal Data will be deleted, except to the extent Hosting-Shop is required by applicable law to retain some or all of the Personal Data or Personal Data it has archived on backup systems, which Hosting-Shop will securely isolate and protect from any further processing, except to the extent required by law.

  8. Cooperation

    1. To the extent the Client is unable to independently access the relevant Personal Data within the Services, Hosting-Shop will, taking into account the nature of the processing, provide reasonable cooperation to assist the Client (at the Client's expense) by implementing appropriate technical and organizational measures, insofar as this is possible, to respond to any requests from individuals or data protection authorities relating to the processing of Personal Data under the Agreement. In the event any such request is made directly to Hosting-Shop, Hosting-Shop will not respond to such communication directly without the Client's prior authorization, except as legally required. If Hosting-Shop is required to respond to such a request, Hosting-Shop will promptly notify the Client and provide it with a copy of the request, unless legally prohibited from doing so.

    2. To the extent Hosting-Shop is required under Data Protection Laws, Hosting-Shop will provide (at the Client's expense) reasonably requested information regarding Hosting-Shop's processing of Personal Data under the Agreement to enable the Client to conduct data protection impact assessments or prior consultations with data protection authorities, as required by law.

  9. Miscellaneous

    1. Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will prevail to the extent of that conflict.

    2. This DPA is part of and incorporated into the Agreement, so references to "Agreement" in the Agreement include this DPA.

    3. In no event will either party limit its liability with respect to any individual's rights under this DPA or otherwise.

    4. This DPA will be governed and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by Data Protection Laws.