Last Updated : January 23rd, 2023
“Controller” has the same meaning as “controller” in GDPR-modeled Data Protection Laws.
“Processor” has the same meaning as “processor” in GDPR-modeled Data Protection Laws, and includes any party that constitutes a “service provider” within the meaning of the CCPA.
“Data Protection Law” means all applicable federal, state, and foreign laws, directives, and regulations relating to the Processing, protection, security or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code §§1798.100 et seq.), the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), equivalent requirements in the United Kingdom including the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”), and the Swiss Federal Act on Data Protection (“FADP”).
“Data Subject” means an identified or identifiable natural person about whom Personal Information relates.
“Edge Platform” means the Edge software-as-a-service solution that allows Clients to seamlessly manage relationships with local and international independent contractors, including, the receipt of services from Consultants.
“Europe” means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.
“Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area or Switzerland to a country outside of the European Economic Area or Switzerland which is not subject to an adequacy determination by the European Commission; and (ii) where the UK Data Protection Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK Data Protection Law.
“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en, as may be amended, superseded or replaced.
“Sub-Processor” has the same meaning as “controller” in GDPR-modeled Data Protection Laws.
Capitalized terms used in this DPA shall have the same meaning given to them under Data Protection Laws or if not defined thereunder, the GDPR, unless a different meaning is specified herein. In regards to the CCPA, terms used in the applicable provisions of the DPA where the CCPA is the applicable law shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer".
This Addendum and its Appendixes constitute the entire Data Processing Agreement between the Parties. It replaces all previous agreements relating to its object. Any prior agreements between the Parties relating to personal data are not binding on the Parties.
Some of the contractual documents may be amended or enriched during the fulfilment of the Addendum. In any event, these amendments or enrichments must be covered by an amendment signed by the Parties. No modifications may be made to the Addendum and its Appendixes without a document signed by both Parties.
The term of the DPA is coextensive with the term of the Agreement.
The termination of this DPA therefore depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement shall also have the effect of terminating this DPA.
Furthermore, the premature termination of this DPA upon written notice to the other Party shall be permissible in the event of such other Party’s serious breach of statutory or contractual data protection provisions under the Data Protection Laws, insofar as the contracting Party in question cannot reasonably be expected to continue this DPA.
The Parties acknowledge that the termination of the DPA at any time and for any reason, does not exempt them from their obligations under the Data Protection Laws relating to the collection, processing and use of Personal Data.
The Parties agree that Edge and Client are each independent Controllers with respect to the processing of such Personal Data under this DPA as described in Appendix 1. The purpose(s) and nature of operations carried out on the Personal Data is the one as described in the Agreement. To perform the Services covered herein, the Client shall provide Edge with all the necessary information. Each party shall comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under this DPA.
Client acknowledges and agrees that Edge may engage third-party Processors in connection with the provision of the Services. Edge acknowledges and agrees that Client may engage third-party Processors in connection with the receipt of the Services. Both Parties shall have a written agreement with each Processor and agree that any agreement with a Processor shall include substantially the similar data protection obligations as set out in this DPA.
Both Parties shall be liable for the acts and omissions of its respective Processors to the same extent such party would be liable under the terms of this DPA, except as otherwise set forth in the Agreement.
Client acknowledges that in the provision of some services, Edge, on receipt of instructions from Client, may transfer Personal Data to and otherwise interact with third party data processors. Client agrees that if and to the extent such transfers occur, Client is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with the Data Protection Laws. For the avoidance of doubt, such third-party data processors are not Sub-Processors.
Edge shall take suitable technical and organizational measures appropriate to the risk to ensure for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA. Edge guarantees that it has carried out the technical and organizational measures specified in Appendix 2 to this DPA.
The technical and organizational measures are subject to the current state of technology and technical progress. In this regard, Edge is permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to Client data than the stipulated measures in Appendix 2.
Client agrees that Edge may engage Sub-Processors to Process Personal Data on its behalf. Edge has currently appointed, as Sub-Processors, the third parties listed in Appendix 3 to this DPA. Edge will notify Client if Edge adds or replaces any Sub-Processors listed in Appendix 3 at least 30 days prior to any such changes.
Where Edge engages Sub-Processors, Edge will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. Edge will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Edge to breach any of its obligations under this DPA.
Edge shall, at all times provide an adequate level of protection for the Personal Information, wherever Processed, in accordance with the requirements of the applicable Data Protection Law.
If Personal Information originates from the UK, EEA or Switzerland and is transferred by Client to Edge for Processing in a country not subject to an adequacy decision in accordance with the GDPR (“UK/EEA/Switzerland Data Transfer”), the Parties will conduct such UK/EEA/Switzerland Data Transfer in accordance with all applicable laws. The Parties hereby agree to the Standard Contractual Clauses for EEA/Switzerland Data Transfers, together with the version as modified by the UK Information Commissioner's Office's international data transfer addendum ("IDTA") (together, "EU SCCs") (which will be deemed executed by the Parties upon the Client's acceptance of the Agreement.). For the purpose of this Section 8 the EU SCCs means Module Two (Transfer controller to processor) of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the text of which is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), and the IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses published by the UK Information Commissioner's Office (the text of which is available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/) (or any successor IDTA approved by the relevant UK authorities) in which Edge will be referred to as the “data exporter” and Supplier will be referred to as the “data importer.” For the purposes of this Section 8, the EU SCCs will come into effect upon commencement of an EEA/Switzerland Data Transfer. If there is any conflict between the Sections of this DPA or the sections of the Agreement and the EU SCCs, in so far as the conflict relates to an EEA/Switzerland Data Transfer the EU SCCs will prevail.
If individual provisions of this DPA should be or become ineffective, this shall not affect its remaining provisions. The Parties undertake to replace the ineffective provisions with a legally valid provision that comes closest to the purpose of the ineffective provisions.
In the event of contradictions between this DPA and any other agreements between the Parties, especially the Agreement, the provisions of this DPA shall take precedence.
Ancillary agreements, amendments and additions to this DPA must be made in writing. This also applies to the amendment of this requirement for written form.
This DPA shall be governed by local law of the country where the data exporter is established, unless otherwise expressly mandated by the Data Protection Laws.
The Parties agree to submit any claim or dispute arising from this DPA to the exclusive jurisdiction of the courts of jurisdiction of the data exporter, unless otherwise expressly mandated by the Data Protection Laws.
Any notice or other communication given to Edge under or in connection with this DPA must be in writing and delivered to [email protected] for privacy related matters, and [email protected] for security related matters.
The Client may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by the Client in their sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:
The Client’s contacts and other end users including their employees, contractors, collaborators, customers, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Client’s end users.
The personal data transferred concern the following categories of data subjects:
Client’s representatives and users of the Services as employees, contractors and collaborators of the Client.
You may submit Personal Data to the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:
Contact information: name, addresses, e-mail addresses, phone numbers and other ways in which Edge can contact the data subject
Identity verification data: To verify an individual’s identity, Edge may collect an individual’s date of birth, taxpayer or government identification number, or a copy of a government-issued identification. In this identification verification process, Edge also may collect a photograph in order to be able to verify someone’s identity by determining whether the photograph taken matches the photo in the government-issued identification. For this, the facial recognition technology collects information from the photos that may include biometric data. Edge also may collect information from third parties, such as credit bureaus, identity verification services, and other screening services to verify that the individual is eligible to use our Services.
Communications: any communication Client has with Edge, like emails and phone calls
Information regarding the usage of Edge, like payment transactions and technical connection data (IP address, location, logs, etc.)
The personal data transferred concern the following special categories of data:
Biometric data. To verify an individual’s identity, the photograph as present on the government issued identification may be processed by Edge's facial recognition technology to produce biometric data used to identify data subjects
Government identification number, as may be present on the copy of a government-issued identification.
The personal data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:
storage and other processing necessary to provide, maintain and update the Services provided to the Client
to provide technical support to the Client
disclosures in accordance with the Agreement, as compelled by law
Edge has implemented comprehensive organizational and technological measures to ensure the safety of the personal data as well as undisturbed operation in an optimal manner.
The following technical and organizational measures have been taken:
Measures to prevent unauthorized persons from gaining access to the data processing equipment used to process personal data.
Measures and procedures to prevent unauthorized persons from using the data processing equipment.
Measures to ensure that those authorized for data processing can only access the personal data subject to their access authorization.
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission, transport or storage on data carriers.
Measures to ensure authenticated entry of personal data.
Measures to ensure that personal data processed in within the boundaries and conditions as set out in this DPA
Measures to ensure that personal data is protected against accidental destruction or loss.
Measures to ensure that data collected for different purposes can be processed separately.
Procedures for periodic review and evaluation
Procedures for regular review, evaluation and evaluation of the effectiveness of technical and organizational measures