Last updated: 28 August 2018 The customer agreeing to this addendum (the “Customer”) and Intigra Technolab (“Intigra Technolab”) a company incorporated and registered in the USA (each a “Party”, together the “Parties”), have entered into an agreement which permits the Customer to use of the AeroHR employee management software service (the “Service”), on the terms and subject to the conditions of the Intigra Technolab Terms and Conditions as amended from time to time which can be found on the QA website at https://aerohr.com/terms-of-service, (the “Terms and Conditions”). This Data Processing Addendum (“DPA”) is an addendum to and forms part of the Terms and Conditions. All processing of Customer Personal Data (as defined below) by Intigra Technolab on behalf of the Customer will be carried out in accordance with this DPA. The Customer’s continued usage of the Service after the Effective Date (as defined below) constitutes acceptance of this DPA.
2.1 This DPA will take effect on the last modified date or on the first day of the Customer’s subscription to the Service, whichever is later (the “Effective Date”). 2.2 This DPA will survive the end of the Customer’s subscription period or the termination of the Terms and Conditions. It will terminate when all the Customer Personal Data has been deleted as described in this DPA.
The European Union Regulation (EU) 2016/679 (General Data Protection Regulation) (“GDPR”) applies to the processing of Customer Personal Data by Intigra Technolab if these processing activities relate to: 3.1 an establishment of the Customer in the European Union (“EU”), European Economic Area (“EEA”), Switzerland or the United Kingdom; 3.2 offering goods or services to data subjects in the EU, EEA, Switzerland or the United Kingdom; and/or 3.3 monitoring the behavior of data subjects in the EU, EEA, Switzerland or the United Kingdom as far as the behavior takes place within these areas, 3.4 (together with the “GDPR Activities”).
4.1 For the purposes of the PDPA and this DPA, Intigra Technolab is a data intermediary. 4.2 In respect of any GDPR Activities, Intigra Technolab is a data processor of the Customer Personal Data, while the Customer may be either a data controller or data processor. 4.3 If any other data protection or privacy law applies to any processing of Customer Personal Data, each Party will comply with their obligations under such law.
4.4 In respect of any GDPR Activities, if the Customer is a data processor, the Customer warrants to Intigra Technolab that they have all necessary instructions and authorizations from the data controller to appoint Intigra Technolab as a data sub-processor of the Customer Personal Data.
4.5 Intigra Technolab will only process Customer Personal Data on the instructions of the Customer unless required by law to act without such instructions. 4.6 The Customer, by entering into this DPA, instructs Intigra Technolab to process Customer Personal Data as follows:
4.6.1 to provide the Service to the Customer;
4.6.2 as further instructed by the Customer by its use of the Service, including by instructions given on the Intigra Technolab user interface, by the uploading of CSV files to the Intigra Technolab Service, or importing data from other services;
4.6.3 as set out in the Terms and Conditions and this DPA; and 4.6.4 as otherwise instructed in writing by the Customer which Intigra Technolab acknowledges to be instructions for the purposes of this DPA.
4.7 Intigra Technolab will process Customer Personal Data in accordance with the Customer’s instructions and in accordance with the following precise scope: 4.7.1 Subject matter: Providing the Service to the Customer pursuant to the Terms and Conditions, and as further instructed by the Customer in its use of the Service. 4.7.2 Duration: The length of the Customer’s subscription to the Service, and for a limited period afterward in accordance with the terms of this DPA, until this DPA is terminated after all Customer Personal Data has been deleted. 4.7.3 Nature and purpose: As necessary to provide the Service to the Customer, and as further instructed by the Customer in its use of the Service. 4.7.4 Types of personal data: The Customer may submit Customer Personal Data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) the following types of personal data: a) name; b) contact information; c) position and organization, and d) ID data. 4.7.5 Categories of data subjects: The Customer may submit Customer Personal Data to the Service, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) personal data on to the following categories of data subjects, who are in all cases natural persons: a) the Customer’s end-users, customers, suppliers, and business partners; b) employees and points of contact of the Customer’s end-users, customers, suppliers, and business partners; c) the Customer’s employees, agents, advisors, and contractors; and d) the Customer’s authorized users of the Service. 4.8 All processing of Customer Personal Data will be carried out by trusted employees, staff, agents, contractors, service providers, and sub-processors who will be subject to a duty of confidence.
5.1 The Customer may delete Customer Personal Data in a manner consistent with the functionality of the Service during the term of service. If the Customer uses the Service to delete any Customer Personal Data such that it cannot be recovered by the Customer, this will constitute an instruction to Intigra Technolab to delete the relevant Customer Personal Data from its systems in accordance with applicable law. Intigra Technolab will comply with this instruction as soon as reasonably practicable unless required by law to retain the data. 5.2 If the Customer wishes to delete Customer Personal Data that cannot be deleted via the Service, the Customer should send a deletion request to [email protected]. Intigra Technolab will strive to respond to all such requests as soon as reasonably practicable.
5.3 If the Customer ceases to subscribe to and use the Service, the Customer’s account will be suspended until such time that: 5.3.1 the Customer resumes their subscription to the Service; 5.3.2 the Customer otherwise informs Intigra Technolab that they wish to permanently terminate their relationship with Intigra Technolab; or 5.3.3 Intigra Technolab, at its sole discretion, permanently discontinues access to the Customer’s account in accordance with the Terms and Conditions. 5.4 If the Customer informs Intigra Technolab that they wish to permanently terminate their relationship with Intigra Technolab pursuant to clause 5.3.2, they will be taken to have instructed Intigra Technolab to delete or anonymize all Customer Personal Data (including existing copies) from Intigra Technolab’s systems in accordance with applicable law. Intigra Technolab will comply with this instruction as soon as reasonably practicable unless required by the applicable law to retain the data. 5.5 If Intigra Technolab permanently discontinues access to the Customer’s account, all Customer Personal Data will be deleted or anonymized unless Intigra Technolab is required by the applicable law to retain the data.
6.1 Intigra Technolab will take reasonable steps to ensure that Customer Personal Data is treated securely and to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks, and to meet its obligations as set out in Article 32 of the GDPR. 6.2 Intigra Technolab cannot guarantee that unauthorized parties will not gain access to Customer Personal Data. To the extent permitted by applicable law, Intigra Technolab expressly excludes any liability arising from any unauthorized access to Customer Personal Data.
6.3 In respect of any GDPR Activities only, Intigra Technolab will provide the Customer with available information on its security processes as necessary to ensure that both Parties are meeting their obligations under this DPA and as set out in Article 28 of the GDPR.
6.4 In respect of any GDPR Activities only, Intigra Technolab will permit the Customer or an independent auditor appointed by the Customer to conduct reasonable audits and inspections, who must be approved by Intigra Technolab in accordance with clause 10, to verify compliance with its obligations under this DPA and as set out in Article 28 of the GDPR.
6.5 The Customer agrees and acknowledges that Intigra Technolab will assist the Customer in conducting any DPIAs by providing them with this DPA and available information on security processes in accordance with clause 6.3 for review.
7.1 Intigra Technolab will inform the Customer as soon as reasonably practicable if it is asked to engage in any activity that may infringe the PDPA, GDPR or other applicable law. 7.2 If Intigra Technolab becomes aware of any data breaches or security incidents that impact Customer Personal Data, except for data breaches or security incidents caused by the Customer’s own actions, it will notify the Customer as soon as reasonably practicable and without undue delay. Intigra Technolab will take reasonable steps to mitigate the consequences of any data breaches or security incidents so as to minimize the impact to Customer Personal Data. 7.3 Notice of any data breaches or security incidents pursuant to this clause 7 does not constitute an admission of responsibility by Intigra Technolab.
8.1 Intigra Technolab will pass on to the Customer, any requests they receive from data subjects and the Customer’s end users to exercise any data rights. The Customer accepts and acknowledges that it is the Customer’s responsibility to respond to any data rights requests with the data subjects and end-users directly, or to instruct the relevant data controller to respond to these requests, as the case may be. 8.2 Intigra Technolab will, taking into account the nature of the processing activity, assist the Customer in responding to such data rights requests by building appropriate functionality into the Service—such as the ability to delete and amend Customer Personal Data. The Customer agrees to exhaust all possible means of responding to a data subject’s data rights request using the Service’s functionality before contacting Intigra Technolab for help to respond to such requests by email at [email protected]. Intigra Technolab reserves the right to refuse assistance if, in its sole discretion, the Customer is able to respond to the data rights request using the Service’s functionality. Intigra Technolab reserves the right to reimbursement from the Customer of reasonable costs incurred by Intigra Technolab in providing assistance to the Customer under this clause 8.2.
9.1 Intigra Technolab is a company incorporated and registered in USA. Most Customer Personal Data is stored in India of America, however, some data sub-processors might have data centers and storage facilities in other jurisdictions. 9.2 If the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EU, EEA, Switzerland, and/or the United Kingdom, Intigra Technolab will if requested to do so by the Customer, ensure that Intigra Technolab as the data importer of the transferred Customer Personal Data enters into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) with the Customer as to the data exporter of such personal data, and that the transfers are made in accordance with such model contract clauses. 9.3 The Customer agrees that if the storage and/or processing of Customer Personal Data involves transfers of Customer Personal Data out of the EU, EEA, Switzerland, and/or the United Kingdom and if under the GDPR Intigra Technolab reasonably requires the Customer to enter into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) in respect of such transfers, the Customer will do so, failing which Intigra Technolab reserves the right to terminate the Customer’s subscription.
10.1 If the Customer wishes to carry out an audit and/or inspection in accordance with clause 6.4, it must notify Intigra Technolab by sending an audit and/or inspection request to firstname.lastname@example.org. 10.2 On receipt by Intigra Technolab of a request under clause
10.1, Intigra Technolab and the Customer will discuss and agree in advance on:
10.2.1 the identities of the auditors and/or inspectors, be they the Customer’s own personnel or parties appointed by the Customer;
10.2.2 a reasonable date and time to carry out the audit and/or inspection;
10.2.3 the scope and duration of the audit and/or inspection;
10.2.4 confidentiality obligations of the Customer that are a pre-condition for carrying out any audit and/or inspection; and
10.2.5 the amount of any reasonable fees and charges to be borne by the Customer to cover Intigra Technolab’s costs of the audit and/or inspection.
10.3 The Customer is responsible for all of their own costs in relation to any audit and/or inspection, including the cost of any third-party auditor appointed by the Customer.
10.4 Intigra Technolab may object to the appointment of any auditor appointed by the Customer if the auditor is, in Intigra Technolab’s reasonable opinion, not suitably qualified or independent, a competitor of Intigra Technolab, or otherwise unsuitable.
11.1 The Customer acknowledges and accepts that some processing of Customer Personal Data may be carried out by trusted sub-processors.
11.2 The Customer specifically authorizes Intigra Technolab to engage the following sub-processors:
11.2.1 all Intigra Technolab entities, including entities directly or indirectly controlled by, or under common control with Intigra Technolab; and
11.2.2 the sub-processors listed below as at the Effective Date.
11.3 Intigra Technolab will engage new sub-processors from time to time. When it does, Intigra Technolab will ensure that it enters into written contracts with these sub-processors. The written contract will stipulate, among other things, that:
11.3.1 the sub-processor only has access to Customer Personal Data necessary to perform its obligations under their agreement with Intigra Technolab;
11.3.3 in respect of any GDPR Activities only, that the data protection obligations set out in Article 28(3) of the GDPR are imposed on the sub-processor.
11.4 Intigra Technolab will notify all Customers when it engages a new sub-processor at least 14 days before any Customer Personal Data is handed to the sub-processor for processing. If the Customer wishes to object to the engagement of any sub-processor, the Customer must terminate their subscription and stop using the Service permanently. The Customer acknowledges and accepts that this is their sole and exclusive remedy to object to Intigra Technolab’s engagement of any new sub-processor. If this remedy is exercised, Intigra Technolab’s provision of the service to the Customer will terminate on the eve of the date where the sub-processor begins to process Customer Personal Data or the last date of the Customer’s existing commitment period, whichever is earlier. The Customer remains responsible for payment of all subscription charges up to the last day of Service, to be calculated pro-rata.
12.1 Intigra Technolab and all Intigra Technolab entities’ aggregate liability to the Customer, arising out of or related to this DPA, shall be subject to the “Limitation of Liability” section of the Terms and Conditions. Any reference in such section of the Terms and Conditions to the liability of Intigra Technolab means the aggregate liability of Intigra Technolab and all Intigra Technolab entities under the Terms and Conditions and this DPA.
13.1 The term “data intermediary” as used in this DPA has the meaning given in the PDPA. 13.2 The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this DPA have the meanings given in the GDPR. 13.3 This DPA, and this clause, is governed by the laws of Gujarat, USA. The Parties agree to submit to the exclusive jurisdiction of the courts of Gujarat, USA. List of Subprocessors Last updated: 20 August 2020