Data Processing Agreement

1. Scope

This Data Processing Agreement (“DPA”) is an integral part of the Agreement between Web1 and the Customer.

If the Customer Data contains personal data, the provisions of this DPA shall govern the processing of that personal data by Web1.

2. Definitions

Unless otherwise defined, the capitalised terms defined in the Terms of Service shall have the same meaning when used herein. In this DPA the following terms shall have the meanings set out below:

“End-Customer” means an end-customer of the Customer, who has engaged the Customer to process personal data regarding which the End-Customer is data controller, in which case the Customer acts as a data processor towards the End-Customer and Web1 acts as a subprocessor of the Customer;

“Data Breach” means a breach of security attributable to the acts or omissions of Web1 leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Relevant Personal Data;

“Data Protection Laws” means the data protection and privacy laws and regulations applicable to the processing of Relevant Personal Data under this DPA, including EU Regulation 2016/679 of the European Parliament and of the Council (“GDPR”);

“personal data”, “processing”, “data controller”, “data processor”, and “data subject” have the same meaning as in the Data Protection Laws;

“Relevant Personal Data” means the personal data controlled by the Customer, or, as the case may be, an End-Customer, and processed by Web1 on behalf of the Customer pursuant to the Agreement;

“Supervisory Authority” means (i) an independent public authority which is established by an EU/EEA member state pursuant to Article 51 of GDPR; and (ii) any similar regulatory authority responsible for the enforcement of Data Protection Laws.

3. Processing of Personal Data

Details of Processing:

a) Subject matter: Processing of Relevant Personal Data in order to provide the Service pursuant to the Agreement.

b) Duration: For as long as the Customer uses the Service in a manner that entails the processing of Relevant Personal Data by Web1.

c) Purpose: The provision of the Service ordered by the Customer.

d) Nature of the processing: Compute, storage and/or other Service described in the Agreement that the Customer may order under the Agreement.

e) Type of personal data: The Customer controls which types of personal data the Customer enters into the Service.

f) Categories of data subjects: The categories of data subjects may include the Customer’s, or, if applicable, End-Customers’ employees, job applicants, directors, agents, contractors, suppliers, customers, clients, and/or end-users.

Web1 processes certain personal data also as data controller. Such personal data may include, inter alia, data of the Customer’s contact persons, users of the Services, credit card information, and other personal data of the Customer’s personnel which Web1 processes in order to provide the Services, collect payments, and maintain and develop the customer relationship. Processing of this type of personal data is outside the scope of this DPA.

For more information on how Web1 processes personal data as data controller, please see Web1 Privacy Policy available on our website at https://web1.fi/privacy-policy/.

4. General Obligations of the Customer

The Customer shall comply with the Data Protection Laws and warrants that the Customer is, and for the duration of this DPA remains, in compliance with all responsibilities set for data controllers or data processors (as applicable) under Data Protection Laws towards data subjects, Web1, and, where applicable, the End-Customers.

If the Customer acts as data controller of the Relevant Personal Data, the Customer shall be responsible for the lawful collection, processing and use, and for the accuracy of the Relevant Personal Data, as well as for preserving the rights of the data subjects concerned, and the Customer shall be responsible for informing the data subjects about the processing of their personal data by Web1, and shall obtain the needed consents from the data subject, if necessary.

The Customer shall ensure that the Customer is entitled to process the Relevant Personal Data and to disclose, transfer or otherwise make it available to Web1 for lawful processing hereunder. The Customer acknowledges that due to the nature of the Service, Web1 cannot control and has no obligation to verify what types of personal data the Customer transfers to Web1 for processing in connection with the Service.

5. General Obligations of Web1

Web1 shall process the Relevant Personal Data in accordance with (i) the Data Protection Laws, (ii) this DPA, (iii) the Agreement, and (iv) the Customer’s documented processing instructions set out in this DPA or given otherwise, provided that any processing instructions issued by the Customer outside this DPA solely pertain to: (a) changes in the Data Protection Laws and/or guidance of the Supervisory Authority, European Data Protection Board or other similar competent authority, or (b) decision or court order issued by a competent court. Without prejudice to the above, further processing instructions may also be issued otherwise as mutually agreed in writing by the Parties.

Without prejudice to Article 28(3) of GDPR, Web1 shall not be obliged to verify whether any processing instructions issued by the Customer are compliant with the Data Protection Laws, as the Customer is responsible for such compliance verification of its processing instructions. Nonetheless, if Web1 detects that any processing instructions issued by the Customer are non-compliant with the Data Protection Laws, Web1 shall inform the Customer thereof.

Web1 shall not use the Relevant Personal Data for any purposes other than that of providing the Service, and shall not process, transfer, modify, amend, assert liens or other right over or alter the Relevant Personal Data. Web1 shall not disclose or permit the disclosure of the Relevant Personal Data to any third party without the Customer’s prior written approval, unless such disclosure is required by applicable laws or an order of Governmental Authority, in which case Web1 shall, to the extent legally permitted, inform the Customer of the disclosure.

6. Web1’s Assistance Obligations

Web1 agrees to reasonably and insofar as practically possible assist the Customer in the fulfilment of the Customer’s, and where applicable, End-Customer’s, obligations (as a data controller in each case) under the Data Protection Laws to respond to requests for exercising data subject rights established under the Data Protection Laws by implementing appropriate technical and organisational measures to facilitate the fulfilment of such obligations and by providing the Customer with necessary information relating to Web1’s processing of the Relevant Personal Data. However, the Customer shall primarily use the corresponding control functions of the Service in responding to such requests, such as the Control Panel.

Web1 shall further provide the Customer with commercially reasonable assistance in enabling compliance with the Customer’s, and where applicable, End-Customer’s (as a data controller in each case), obligations to perform data protection impact assessments, breach notifications and prior consultations of the competent Supervisory Authority, as set out in the applicable Data Protection Laws, taking into account the nature of the processing and the information available to Web1.

If the Customer requires assistance from Web1, Web1 shall be entitled to a reasonable remuneration for providing the assistance. The amount of remuneration will be agreed upon between the Parties in advance.

7. Web1’s Personnel

Web1 shall ensure that its personnel (including its subprocessors’ personnel) who process the Relevant Personal Data:

(i) process the Relevant Personal Data in accordance with the Customer’s written instructions and only for the purposes allowed under this DPA;

(ii) are informed of the confidential nature of the Relevant Personal Data and are aware of Web1’s obligations under this DPA;

(iii) are under confidentiality undertakings or an appropriate statutory obligation of confidentiality; and

(iv) have undertaken appropriate training in relation to the processing of the Relevant Personal Data.

8. Security Measures

Web1 and the Customer shall implement and maintain appropriate technical and organisational security measures to protect the Relevant Personal Data within their areas of responsibility, in order to safeguard the Relevant Personal Data against unauthorised or unlawful processing or access and against accidental loss, destruction or damage. Such measures include, where necessary and appropriate, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the following measures:

(i) access right controls to systems containing the Relevant Personal Data;

(ii) the pseudonymisation and encryption of the Relevant Personal Data;

(iii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(iv) the ability to restore the availability and access to the Relevant Personal Data in a timely manner in the event of a physical or technical incident; and

(v) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

9. Subprocessors

Web1 is entitled to use subprocessors in the provision of the Service. The subprocessors approved by the Customer are listed in Appendix 1 hereto. The subprocessors actually used by Web1 depend on the Services ordered by the Customer, as described in Appendix 1.

Web1 ensures that the engaged subprocessors are properly qualified, are under a data processing agreement with Web1, and comply with data processing obligations similar to the ones which apply to Web1 under this DPA. Web1 shall be liable towards the Customer for the processing of Relevant Personal Data carried out by Web1’s subprocessors.

Web1 is entitled to change its subprocessors. Web1 shall inform the Customer regarding changes (additions or replacements) in the subprocessors by providing at least 30 (thirty) days’ advance notice, giving the Customer the opportunity to object to such change. The Customer may object to the change by providing a written notice thereof to Web1 within thirty (30) days after being informed of the change. In such case, the Parties shall strive to find an alternative solution. If such a solution is not found, the Customer may terminate the Agreement without any liability to Web1.

10. International Transfers

The Customer may choose in which Web1 data centre(s) the Relevant Personal Data will be processed. Some of the data centres are located outside the European Economic Area (“EEA”). Web1 shall not move the Relevant Personal Data from the selected data centre unless explicitly instructed to do so by the Customer.

The Customer authorises Web1 to transfer the Relevant Personal Data outside the EEA to its subprocessors, if and only to the extent such transfers are necessary for the provision of the Service ordered by the Customer. If the Relevant Personal Data needs to be transferred outside the EEA to a country that is not recognised by the European Commission as providing an adequate level of protection for personal data, then the Customer accepts that Web1 performs the international transfer of the Relevant Personal Data in accordance with the Standard Contractual Clauses adopted by the European Commission (processor-to-processor module) entered into by Web1 (as data exporter) and the relevant subprocessor (as data importer).

11. Audits

Upon written request of the Customer, Web1 agrees to make available to the Customer and, where relevant, to the End-Customer, the information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits by the Customer or an established third-party auditor approved by Web1 (such approval not to be unreasonably withheld) and agreed by both Parties (“Mandated Auditor”), of Web1’s systems and premises where the processing of Relevant Personal Data takes place, in order to assess Web1’s compliance with this DPA. Web1 shall permit the Customer, or, where relevant, a Mandated Auditor to inspect and audit Web1’s relevant records solely pertaining to the Relevant Personal Data, and to inspect and audit processes and systems related to the processing of the Relevant Personal Data. Web1 agrees to co-operate in respect of such audits. All audits by the Customer, or, where relevant, by a Mandated Auditor are subject to a thirty (30) days’ prior written notice.

Where an audit may lead to the disclosure of business or trade secrets of Web1 (or its Affiliates or other customers) or otherwise pose a threat to intellectual property rights of Web1, the Customer shall employ a Mandated Auditor to carry out such audit. Whenever a Mandated Auditor is used, the Customer shall procure such Mandated Auditor’s acceptance to be bound to confidentiality to Web1’s benefit by way of such confidentiality undertaking as accepted by Web1.

Unless otherwise agreed between the Parties, the Customer is allowed to conduct one (1) audit in every twelve (12) months. Any audit must be conducted during the normal business hours of Web1 and in a way that does not cause substantial disturbance to Web1’s business operations. The Customer shall bear all costs and expenses relating to the audits conducted hereunder and pay a reasonable compensation to Web1 for the work required to assist in the audits.

12. Data Breaches

Web1 shall notify the Customer without undue delay after becoming aware of any Data Breach, providing the Customer with sufficient information which allows the Customer to meet its obligations to report a Data Breach under the Data Protection Laws. Such notification shall at a minimum:

(i) describe the nature of the Data Breach, including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Relevant Personal Data records concerned;

(ii) communicate the name and contact details of Web1’s contact point where more information can be obtained; and

(iii) describe the measures taken by Web1 to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

Web1 shall cooperate with the Customer and, where relevant, the End-Customer, and take commercially reasonable steps to assist in the investigation, mitigation and remediation of the Data Breach.

13. Deletion and Return of Personal Data

For deletion and return of the Relevant Personal Data, the Customer shall primarily use the functionalities of the Service through the Control Panel.

The Customer agrees that within a reasonable time after the termination or expiry of the Agreement, or after the Customer has permanently ceased to use the Services, Web1 shall delete and procure deletion of all copies of the Relevant Personal Data processed by Web1 or any subprocessor, unless Web1 is obliged to retain copies of the Relevant Personal Data pursuant to applicable laws or orders of Governmental Authority.

14. Liability

Each Party’s liability for: (i) damages incurred by a data subject and (ii) administrative fines imposed by a Supervisory Authority, in connection with the processing of the Relevant Personal Data under this DPA shall be defined in accordance with Articles 82 and 83, respectively, of the GDPR, or another corresponding and applicable provision of compulsory Data Protection Laws.

Otherwise the Parties’ liability for a breach of the DPA shall be subject to Limitation of Liability of the main body of the Terms of Service.

15. Term

This DPA remains in force until Web1 ceases to process the Relevant Personal Data pursuant to the Agreement, whereafter this DPA shall automatically expire.

Appendix 1 – Web1 subprocessors

Web1 may utilise its Affiliates (some of which are located outside the EEA) in the provision of the Service, as may be necessary for the provision of the Services ordered by the Customer.

Web1’s Operations Team members may need to work with or handle resources containing Customer Data when maintaining Web1’s data centre infrastructure or resolving issues reported by the Customer (e.g. moving storages from one physical host machine to another physical host machine in the same data centre). As Article 4 of the GDPR provides a very extensive definition for ‘processing’, such actions can be deemed as processing under the GDPR even though they do not entail accessing the Customer Data. Therefore Web1 considers some of its Affiliates as subprocessors regardless of the data centre(s) the Customer has selected. However, Web1 personnel will never take actions to access the Customer Data, unless specifically requested by and agreed in advance with the Customer.