Data Processing Addendum

Last Updated: February 5, 2024

This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of the Edge Terms of Service found at onedge.co/terms-of-service which you (the “Client”) have accepted, unless Client has entered into a superseding written subscription agreement with Edge, in which case, it forms a part of such written agreement in addition to the Terms of Service (in either case, the “Agreement”).

This Data Processing Addendum (hereinafter “DPA” or “Addendum”) and its applicable DPA Appendixes apply to the Processing of Personal Data by Parties subject to the Data Protection Laws in order to provide services (“Services”) pursuant to the Agreement between Edge and Client (collectively, the “Parties”).

As part of their contractual relations, the Parties shall undertake to comply with the applicable Data Protection Laws on personal data processing.


Definitions


Affiliate means any person or entity that owns or controls, is owned or controlled by, or is under common control or ownership with, a party to this Agreement, where “control” is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract, or otherwise.


Controller has the same meaning as “controller” in GDPR-modeled Data Protection Laws.


Client means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.


Client Content means any data, file attachments, text, images, reports, personal information, or other content that is uploaded or submitted to an online Service by Client or users and is Processed by Edge on behalf of Client. For the avoidance of doubt, Client Content does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Client Content.


Client Personal Data has the same meaning as “controller” in GDPR-modeled Data Protection Laws.


Data Breach means a breach of security resulting in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Client Content.


Data Protection Laws means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Client Personal Data.


Data Subject means an identified or identifiable natural person to whom Personal Information relates.


Edge Platform means the Edge software-as-a-service solution that allows Clients to seamlessly manage relationships with local and international independent contractors, including the receipt of services from Consultants.


Europe means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.


Personal Data means any information relating to, identifying, describing, or capable of being associated with a Data Subject or a household.


Process means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.


Processor has the same meaning as “processor” in GDPR-modeled Data Protection Laws, and includes any party that constitutes a “service provider” within the meaning of the CCPA.


Professional Services means implementation, configuration, integration, training, advisory, and other professional services related to the online Services that are provided or controlled by Edge.


Services means the services and software provided on Edge’s platform, any services, content, communications, and product features relating to the Edge platform and as set forth in this DPA and any other online service or application provided or controlled by Edge for use with Edge’s services.


Edge Personnel means any individual authorized by Edge to Process Client Personal Data.


Restricted Transfer means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area or Switzerland to a country outside of the European Economic Area or Switzerland which is not subject to an adequacy determination by the European Commission; and (ii) where the UK Data Protection Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK Data Protection Law.


Standard Contractual Clauses means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found here as may be amended, superseded or replaced.


Sub-Processor means any Processor engaged by us or our affiliates to assist in fulfilling our obligations with respect to the provision of the Services under the Agreement. Sub-Processors may include third parties or our affiliates but will exclude any Edge employee or consultant.


Capitalized terms used in this DPA shall have the same meaning given to them under Data Protection Laws or if not defined thereunder, the GDPR, unless a different meaning is specified herein. In regards to the CCPA, terms used in the applicable provisions of the DPA where the CCPA is the applicable law shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer".



  • Contractual Documents

    This Addendum and its Appendixes constitute the entire Data Processing Agreement between the Parties. It replaces all previous agreements relating to its object. Any prior agreements between the Parties relating to personal data are not binding on the Parties.

    Some of the contractual documents may be amended or enriched during the fulfilment of the Addendum. In any event, these amendments or enrichments must be covered by an amendment signed by the Parties. No modifications may be made to the Addendum and its Appendixes without a document signed by both Parties.


  • Duration of the DPA & Notice of Termination

    • The term of the DPA is coextensive with the term of the Agreement.

    • The termination of this DPA therefore depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement shall also have the effect of terminating this DPA.

    • Furthermore, the premature termination of this DPA upon written notice to the other Party shall be permissible in the event of such other Party’s serious breach of statutory or contractual data protection provisions under the Data Protection Laws, insofar as the contracting Party in question cannot reasonably be expected to continue this DPA.

    • The Parties acknowledge that the termination of the DPA at any time and for any reason, does not exempt them from their obligations under the Data Protection Laws relating to the collection, processing and use of Personal Data.


  • Processing of Personal Data

    The Parties agree that Edge and Client are each independent Controllers with respect to the processing of such Personal Data under this DPA as described in Appendix 1. The purpose(s) and nature of operations carried out on the Personal Data is the one as described in the Agreement. To perform the Services covered herein, the Client shall provide Edge with all the necessary information. Each party shall comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under this DPA.


  • Processors

    Client acknowledges and agrees that Edge may engage third-party Processors in connection with the provision of the Services. Edge acknowledges and agrees that Client may engage third-party Processors in connection with the receipt of the Services. Both Parties shall have a written agreement with each Processor and agree that any agreement with a Processor shall include substantially similar data protection obligations as set out in this DPA.

    Each Party shall be liable for the acts and omissions of its respective Processors to the same extent such Party would be liable under the terms of this DPA, except as otherwise set forth in the Agreement.

    Client acknowledges that in the provision of some services, Edge, on receipt of instructions from Client, may transfer Personal Data to and otherwise interact with third party data processors. Client agrees that if and to the extent such transfers occur, Client is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with the Data Protection Laws. For the avoidance of doubt, such third-party data processors are not Sub-Processors.


  • Technical and organizational measures

    Edge shall take suitable technical and organizational measures appropriate to the risk to ensure protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA. Edge guarantees that it has carried out the technical and organizational measures specified in Appendix 2 to this DPA.
    The technical and organizational measures are subject to the current state of technology and technical progress. In this regard, Edge is permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to Client data than the stipulated measures in Appendix 2.


  • Sub-Processors

    Client agrees that Edge may engage Sub-Processors to Process Personal Data on its behalf. Edge has currently appointed, as Sub-Processors, the third parties listed in Appendix 3 to this DPA. Edge will notify Client if Edge adds or replaces any Sub-Processors listed in Appendix 3 at least 30 days prior to any such changes.
    Where Edge engages Sub-Processors, Edge will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. Edge will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Edge to breach any of its obligations under this DPA.


  • Cross-Border Transfers of Personal Information

    Edge shall at all times provide an adequate level of protection for the Personal Information, wherever Processed, in accordance with the requirements of the applicable Data Protection Law.

    If Personal Information originates from the UK, EEA or Switzerland and is transferred by Client to Edge for Processing in a country not subject to an adequacy decision in accordance with the GDPR (“UK/EEA/Switzerland Data Transfer”), the Parties will conduct such UK/EEA/Switzerland Data Transfer in accordance with all applicable laws. The Parties hereby agree to the Standard Contractual Clauses for EEA/Switzerland Data Transfers, together with the version as modified by the UK Information Commissioner's Office's international data transfer addendum ("IDTA") (together, "EU SCCs") (which will be deemed executed by the Parties upon the Client's acceptance of the Agreement).

    For the purpose of this Section 8 the EU SCCs means Module Two (Transfer controller to processor) of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the text of which is available here), and the IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses published by the UK Information Commissioner's Office (the text of which is available here) (or any successor IDTA approved by the relevant UK authorities) in which Edge will be referred to as the “data exporter” and Supplier will be referred to as the “data importer.” For the purposes of this Section 8, the EU SCCs will come into effect upon commencement of an EEA/Switzerland Data Transfer. If there is any conflict between the Sections of this DPA or the sections of the Agreement and the EU SCCs, in so far as the conflict relates to an EEA/Switzerland Data Transfer the EU SCCs will prevail.


  • Variations in Data Protection Laws

    If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and Edge’s business operations.


  • Reservation of Rights

    Notwithstanding anything to the contrary in this DPA: (a) Edge reserves the right to withhold information the disclosure of which would pose a security risk to Edge or its customers or is prohibited by applicable law or contractual obligation; and (b) Edge’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by Edge of any fault or liability.


  • Edge as Controller

    Edge may collect Personal Data directly from Data Subjects (which may be duplicative of Customer Personal Data) in accordance with Edge’s internal policies and publicly posted Privacy Policy available at https://onedge.co/privacy, and nothing in this DPA will prohibit Edge from Processing such Personal Data as a Controller under Data Protection Laws, provided that Edge conspicuously notifies such Data Subjects that such information will be handled in accordance with Edge’s Privacy Policy.


  • Final Provisions

    • If individual provisions of this DPA should be or become ineffective, this shall not affect its remaining provisions. The Parties undertake to replace the ineffective provisions with a legally valid provision that comes closest to the purpose of the ineffective provisions.

    • In the event of contradictions between this DPA and any other agreements between the Parties, especially the Agreement, the provisions of this DPA shall take precedence.

    • Ancillary agreements, amendments and additions to this DPA must be made in writing. This also applies to the amendment of this requirement for written form.

    • This DPA shall be governed by local law of the country where the data exporter is established, unless otherwise expressly mandated by the Data Protection Laws.

    • The Parties agree to submit any claim or dispute arising from this DPA to the exclusive jurisdiction of the courts of jurisdiction of the data exporter, unless otherwise expressly mandated by the Data Protection Laws.

    • Any notice or other communication given to Edge under or in connection with this DPA must be in writing and delivered to [email protected] for privacy related matters, and [email protected] for security related matters.


Appendix 1: Details of Processing


Description of Transfer

The Client may submit Personal Data in the course of using the Services, the extent of which is determined and controlled by the Client in their sole discretion, and which may include, but is not limited to Personal Data relating to the following categories of Data Subjects:


The Client’s contacts and other end users including their employees, contractors, collaborators, clients, prospects, suppliers and subcontractors. Data Subjects may also include individuals attempting to communicate with or transfer Personal Data to Client’s end users.


Categories of data subjects

The personal data transferred concern the following categories of data subjects:

  • Client’s representatives and users of the Services as employees, contractors and collaborators of the Client.


Categories of Personal Data Transferred

You may submit Personal Data to the Services, the extent of which is determined and controlled by you in your sole discretion, and which may include but is not limited to the following categories of Personal Data:


  • Contact information: name, addresses, e-mail addresses, phone numbers and other ways in which Edge can contact the data subject

  • Identity verification data: To verify an individual’s identity, Edge may collect an individual’s date of birth, taxpayer or government identification number, or a copy of a government-issued identification. In this identification verification process, Edge also may collect a photograph in order to be able to verify someone’s identity by determining whether the photograph taken matches the photo in the government-issued identification. For this, the facial recognition technology collects information from the photos that may include biometric data. Edge also may collect information from third parties, such as credit bureaus, identity verification services, and other screening services to verify that the individual is eligible to use our Services.

  • Communications: any communication Client has with Edge, like emails and phone calls

  • Information regarding the usage of Edge, like payment transactions and technical connection data (IP address, location, logs, etc.)


Sensitive Categories

The personal data transferred concern the following special categories of data:


  • Biometric data. To verify an individual’s identity, the photograph as present on the government-issued identification may be processed by Edge's facial recognition technology to produce biometric data used to identify data subjects.

  • Government identification number, as may be present on the copy of a government-issued identification.


Processing operations

The personal data transferred will be processed in accordance with the Agreement and may be subject to the following processing activities:


  • storage and other processing necessary to provide, maintain and update the Services provided to the Client

  • to provide technical support to the Client

  • disclosures in accordance with the Agreement, as compelled by law


Appendix 2: Technical and organizational measures


Edge has implemented comprehensive organizational and technological measures to ensure the safety of the personal data as well as undisturbed operation in an optimal manner. The following technical and organizational measures have been taken:


  • Admission control:

    • Measures to prevent unauthorized persons from gaining access to the data processing equipment used to process personal data.
    • Access control guidelines and regulations
    • Security areas are clearly defined
    • Appropriate implementation of measures to secure Datacenter Access
    • Security also outside working hours by alarm system and/or plant security
    • Access only for authorized persons (company employees and external persons)
    • Regulation for external parties
    • Implementation of locks
    • External staff is accompanied by Edge staff

  • Access monitoring:

    • Measures and procedures to prevent unauthorized persons from using the data processing equipment.
    • Regulation of user authorizations (administration incl. assignment of rights, assignment of special rights, revocation of authorizations, regular reviews).
    • Password policy (secure passwords, regular changes, regular reviews).
    • Use of encryption routines for mobile data carriers (incl. notebooks, USB sticks)
    • Remote user authentication (cryptographic techniques, hardware identification, VPN solutions)
    • Obligation to maintain data secrecy in accordance with Art. 28 Para. 3 lit. b GDPR
    • Role based authorization
    • Controlled destruction of data carriers
    • Regular security audit

  • Admission control:

    • Measures to ensure that those authorized for data processing can only access the personal data subject to their access authorization.
    • Control of access authorization (differentiated authorizations via profiles, roles, time limit).
    • Provision of appropriate authentication technologies
    • Security Logs (ex: unsuccessful and successful authentication attempts).
    • Guidelines for the pseudonymization/anonymization of personal data

  • Transfer control:

    • Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission, transport or storage on data carriers.
    • Guidelines for the exchange of information of all kinds
    • Encryption during data transmission (network encryption, TLS)
    • Logging during the transmission of data
    • Method for detecting and protecting against malware
    • Access Control
    • Encryption of data carriers before transport
    • Handover of data carriers to authorized persons only
    • Controlled destruction of data carriers

  • Input control:

    • Measures to ensure authenticated entry of personal data.
    • Access control
    • Data security policy
    • Process, program and workflow organization

  • Order control:

    • Measures to ensure that personal data is processed within the boundaries and conditions set out in this DPA.
    • Contract in writing with determination of the data protection agreements
    • Formalized order placement
    • Careful selection of the subcontractor
    • Separation of duty

  • Availability control:

    • Measures to ensure that personal data is protected against accidental destruction or loss.
    • Controlled process to ensure business operations (BCM)/IT-SCM
    • Contingency plans
    • Regular back-ups according to backup plan
    • Protection of systems against database failure, service level agreements with IT service providers
    • Mirroring of data
    • Antivirus/Firewall
    • Redundant hardware

  • Separation control:

    • Measures to ensure that data collected for different purposes can be processed separately.
    • Customer separation
    • Functional separations

  • Procedures for periodic review and evaluation:

    • Procedures for regular review and evaluation of the effectiveness of technical and organizational measures
    • Data Protection Management
    • Incident response management
