“Controller” has the same meaning as “controller” in GDPR-modeled Data Protection Laws.

“Processor” has the same meaning as “processor” in GDPR-modeled Data Protection Laws, and includes any party that constitutes a “service provider” within the meaning of the CCPA.

“Data Protection Law” means all applicable federal, state, and foreign laws, directives, and regulations relating to the Processing, protection, security or privacy of Personal Information, including where applicable, the guidance and codes of practice issued by regulatory bodies in any relevant jurisdiction. This includes, but is not limited to, the California Consumer Privacy Act (“CCPA”) (Cal. Civ. Code §§1798.100 et seq.), the General Data Protection Regulation, Regulation (EU) 2016/679 ("GDPR"), equivalent requirements in the United Kingdom including the UK General Data Protection Regulation and the Data Protection Act 2018 (“UK Data Protection Law”), and the Swiss Federal Act on Data Protection (“FADP”).

“Data Subject” means an identified or identifiable natural person about whom Personal Information relates.

“Edge Platform” means the Edge software-as-a-service solution that allows Clients to seamlessly manage relationships with local and international independent contractors, including, the receipt of services from Consultants.

“Europe” means, for the purposes of this DPA, the European Union, the European Economic Area and/or their member states, Switzerland, and the United Kingdom.

“Restricted Transfer” means: (i) where the GDPR applies, a transfer of personal data from the European Economic Area or Switzerland to a country outside of the European Economic Area or Switzerland which is not subject to an adequacy determination by the European Commission; and (ii) where the UK Data Protection Law applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK Data Protection Law.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021 currently found at https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc/standard-contractual-clauses-international-transfers_en, as may be amended, superseded or replaced.

“Sub-Processor” has the same meaning as “controller” in GDPR-modeled Data Protection Laws.

Capitalized terms used in this DPA shall have the same meaning given to them under Data Protection Laws or if not defined thereunder, the GDPR, unless a different meaning is specified herein. In regards to the CCPA, terms used in the applicable provisions of the DPA where the CCPA is the applicable law shall be replaced as follows: "Personal Data" shall mean "Personal Information"; "Controller" shall mean "Business"; "Processor" shall mean "Service Provider"; and "Data Subject" shall mean "Consumer".

• Contractual Documents

  This Addendum and its Appendixes constitute the entire Data Processing Agreement between the Parties. It replaces all previous agreements relating to its object. Any prior agreements between the Parties relating to personal data are not binding on the Parties.

  Some of the contractual documents may be amended or enriched during the fulfilment of the Addendum. In any event, these amendments or enrichments must be covered by an amendment signed by the Parties. No modifications may be made to the Addendum and its Appendixes without a document signed by both Parties.

• Duration of the DPA & Notice of Termination

  • The term of the DPA is coextensive with the term of the Agreement.

  • The termination of this DPA therefore depends on the provisions concerning the duration and the termination of the Agreement. Termination of the Agreement shall also have the effect of terminating this DPA.

  • Furthermore, the premature termination of this DPA upon written notice to the other Party shall be permissible in the event of such other Party’s serious breach of statutory or contractual data protection provisions under the Data Protection Laws, insofar as the contracting Party in question cannot reasonably be expected to continue this DPA.

  • The Parties acknowledge that the termination of the DPA at any time and for any reason, does not exempt them from their obligations under the Data Protection Laws relating to the collection, processing and use of Personal Data.

• Processing of Personal Data

  The Parties agree that Edge and Client are each independent Controllers with respect to the processing of such Personal Data under this DPA as described in Appendix 1. The purpose(s) and nature of operations carried out on the Personal Data is the one as described in the Agreement. To perform the Services covered herein, the Client shall provide Edge with all the necessary information. Each party shall comply with the obligations applicable to it under the Data Protection Laws with respect to the processing of Personal Data covered under this DPA.

• Processors

  Client acknowledges and agrees that Edge may engage third-party Processors in connection with the provision of the Services. Edge acknowledges and agrees that Client may engage third-party Processors in connection with the receipt of the Services. Both Parties shall have a written agreement with each Processor and agree that any agreement with a Processor shall include substantially the similar data protection obligations as set out in this DPA.
  Both Parties shall be liable for the acts and omissions of its respective Processors to the same extent such party would be liable under the terms of this DPA, except as otherwise set forth in the Agreement.

  Client acknowledges that in the provision of some services, Edge, on receipt of instructions from Client, may transfer Personal Data to and otherwise interact with third party data processors. Client agrees that if and to the extent such transfers occur, Client is responsible for entering into separate contractual arrangements with such third-party data processors binding them to comply with obligations in accordance with the Data Protection Laws. For the avoidance of doubt, such third-party data processors are not Sub-Processors.

• Technical and organizational measures

  Edge shall take suitable technical and organizational measures appropriate to the risk to ensure for protection of the security, confidentiality and integrity of Personal Data it Processes under this DPA. Edge guarantees that it has carried out the technical and organizational measures specified in Appendix 2 to this DPA.
  The technical and organizational measures are subject to the current state of technology and technical progress. In this regard, Edge is permitted to implement adequate alternative measures, provided that these measures may not provide a lower level of security to Client data than the stipulated measures in Appendix 2.

• Sub-Processors

  Client agrees that Edge may engage Sub-Processors to Process Personal Data on its behalf. Edge has currently appointed, as Sub-Processors, the third parties listed in Appendix 3 to this DPA. Edge will notify Client if Edge adds or replaces any Sub-Processors listed in Appendix 3 at least 30 days prior to any such changes.
  Where Edge engages Sub-Processors, Edge will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA (including, where appropriate, the Standard Contractual Clauses), to the extent applicable to the nature of the services provided by such Sub-Processors. Edge will remain responsible for each Sub-Processor’s compliance with the obligations of this DPA and for any acts or omissions of such Sub-Processor that cause Edge to breach any of its obligations under this DPA.

• Cross-Border Transfers of Personal Information

  Edge shall, at all times provide an adequate level of protection for the Personal Information, wherever Processed, in accordance with the requirements of the applicable Data Protection Law.
  If Personal Information originates from the UK, EEA or Switzerland and is transferred by Client to Edge for Processing in a country not subject to an adequacy decision in accordance with the GDPR (“UK/EEA/Switzerland Data Transfer”), the Parties will conduct such UK/EEA/Switzerland Data Transfer in accordance with all applicable laws. The Parties hereby agree to the Standard Contractual Clauses for EEA/Switzerland Data Transfers, together with the version as modified by the UK Information Commissioner's Office's international data transfer addendum ("IDTA") (together, "EU SCCs") (which will be deemed executed by the Parties upon the Client's acceptance of the Agreement.). For the purpose of this Section 8 the EU SCCs means Module Two (Transfer controller to processor) of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (the text of which is available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), and the IDTA means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses published by the UK Information Commissioner's Office (the text of which is available at: https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/) (or any successor IDTA approved by the relevant UK authorities) in which Edge will be referred to as the “data exporter” and Supplier will be referred to as the “data importer.” For the purposes of this Section 8, the EU SCCs will come into effect upon commencement of an EEA/Switzerland Data Transfer. If there is any conflict between the Sections of this DPA or the sections of the Agreement and the EU SCCs, in so far as the conflict relates to an EEA/Switzerland Data Transfer the EU SCCs will prevail.

• Final Provisions

  • If individual provisions of this DPA should be or become ineffective, this shall not affect its remaining provisions. The Parties undertake to replace the ineffective provisions with a legally valid provision that comes closest to the purpose of the ineffective provisions.

  • In the event of contradictions between this DPA and any other agreements between the Parties, especially the Agreement, the provisions of this DPA shall take precedence.

  • Ancillary agreements, amendments and additions to this DPA must be made in writing. This also applies to the amendment of this requirement for written form.

  • This DPA shall be governed by local law of the country where the data exporter is established, unless otherwise expressly mandated by the Data Protection Laws.

  • The Parties agree to submit any claim or dispute arising from this DPA to the exclusive jurisdiction of the courts of jurisdiction of the data exporter, unless otherwise expressly mandated by the Data Protection Laws.

  • Any notice or other communication given to Edge under or in connection with this DPA must be in writing and delivered to [email protected] for privacy related matters, and [email protected] for security related matters.