TASTE PROVENCE DATA PROCESSING ADDENDUM
This Data Processing Addendum ("DPA") forms part of the Terms of Service (the "Agreement") entered by and between you ("Customer") and Taste Provence Limited, a company registered in England and Wales whose registered office is at Europa House, Goldstone Villas, Hove BN3 3RQ, England ("Taste Provence").
a) "Controller" means the entity which determines the purposes and means of the Processing of Customer Personal Data.
b) "Data Protection Laws" means (i) the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 ("GDPR") and related data protection and privacy laws of the member states of the European Economic Area; (ii) the Data Protection Act 2018 of the United Kingdom ("UK GDPR"); and (iii) the Swiss Federal Act on Data Protection (1992) or the Swiss Federal Data Protection Act of 25 September 2020 when in full force and effect, as applicable, and its corresponding ordinances ("Swiss DPA"); each as applicable and as amended, repealed, consolidated, implemented or replaced from time to time.
c) "Data Subject" means an identified or identifiable person to whom Personal Data relates, or as otherwise termed and defined by Data Protection Laws.
d) "Personal Data" means any information relating to Data Subjects Processed through the Services by Taste Provence on behalf of Customer. Personal Data does not include information that Taste Provence processes in the context of services that it provides directly to a consumer, such as through its consumer-facing applications like Frenzy or its consumer-facing services like Taste Provence Pay.
e) "Process" or "Processing" means any operation or set of operations which is performed upon the Personal Data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction.
f) "Processor" means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller, including as applicable "service provider" as defined under the CCPA or "data intermediary" under the PDPA.
g) "Services" means the services provided by Taste Provence pursuant to the Agreement.
h) "Standard Contractual Clauses" means (i) where the GDPR or Swiss DPA applies, the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission’s decision 2021/914/EC of June 4, 2021, as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (the "EU SCCs"); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner, Version B1.0, as currently set out at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf, and as revised under Section 18 of the International Data Transfer Addendum (the "UK Addendum").
i) "Sub-Processor" means another Processor who processes Personal Data on behalf of the Processor.
j) "Supervisory Authority" means an independent public authority which is established under applicable Data Protection Laws.
2. Processing of Customer Personal Data
- a) Roles and Responsibilities. The Parties acknowledge and agree that with regard to the Processing of Customer Personal Data under the Data Protection Legislation and this DPA, Customer is the Controller and Taste Provence is the Processor. Each Party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the Processing of Customer Personal Data.
- b) Customer's Instructions and Authorization to Process Customer Personal Data. By entering into this DPA, Customer instructs Taste Provence, subject to Customer's compliance with Data Protection Legislation, to Process Customer Personal Data to provide the Taste Provence Service in accordance with the features and functionality of the Taste Provence Service. For the avoidance of doubt, Customer's configuration and use of the service constitute documented instructions to Taste Provence. If Taste Provence is required by law to Process the Personal Data for any other purpose, Taste Provence will provide Customer with prior notice of this requirement, unless Taste Provence is prohibited by law from providing such notice. Customer is solely responsible for the accuracy and legality of Customer Personal Data provided to Taste Provence. If Customer is Processing Personal Data of a child, Customer acknowledges it has made reasonable efforts to verify that consent has been given or authorised by the holder of parental responsibility over the child. Customer further acknowledges that Taste Provence is not responsible for collecting consent or authorization for the Processing of such child's Personal Data.
- c) Scope of Processing. Taste Provence will Process Customer Personal Data as necessary to perform the Taste Provence Service pursuant to the Agreement and in accordance with this DPA. Where a Data Subject is located in the European Economic Area, that Data Subject's Personal Data will be processed by Taste Provence in the United Kingdom. Where a Data Subject is located outside the European Economic Area, that Data Subject's Personal Data will be processed by Taste Provence's affiliate in the United States of America. As part of providing the Services, Personal Data may be transferred to other regions, including outside the UK and the USA. Such transfers will be completed in compliance with relevant Data Protection Legislation. Taste Provence will Process Customer Personal Data for the period of the Agreement, unless otherwise agreed to by the Parties in writing.
- d) Data Protection Impact Assessment and Prior Consultation Assistance. Taste Provence will provide reasonable assistance to Customer, as required by law and applicable to Taste Provence's role as a Processor, for Customer to comply with Customer's obligations to perform a data protection impact assessment. Further, in such situations where Customer's processing of Customer Personal Data results in a high risk to the rights and freedoms of natural persons, Taste Provence will provide reasonable assistance to Customer as it seeks prior consultation from a supervisory authority.
- e) Updates/Amendments to DPA. Taste Provence retains the right to make changes, revise or replace this DPA, including any new version of the Standard Contractual Clauses for the transfer of European Economic Area and/or UK Customer Personal Data as required by applicable Data Protection Legislation, including but not limited to, regulatory and policy changes, standards and/or case law. Taste Provence will provide Customer with notice of any required changes at least 30 days in advance via an announcement on the Taste Provence website and/or notice provided within the Taste Provence platform.
a) Consent to Subprocessors. In the course of providing the Services, Customer acknowledges and agrees that Taste Provence may use Subprocessors to process the Personal Data. Taste Provence's use of any specific Subprocessor to process the Personal Data will be in compliance with Data Protection Legislation and be governed by a contract between Taste Provence and Subprocessor.
b) Details of Subprocessors. The following subprocessors are integral to Taste Provence's BikeRentalManager service:
i) The Google Cloud Platform and Google Firebase from Google. This is the principal data store used by BikeRentalManager. Data is encrypted at rest and in transit within the Google infrastructure;
ii) Mandrill, part of Intuit's MailChimp, is used to send transactional emails to Customers. Outgoing emails are temporarily stored on the Mandrill platform. Data is encrypted in transit, where the receiving system supports encryption.
iii) FreshDesk from Freshworks Inc is used for managing customer support and contains personal data necessary to provide the support required, typically email address and name, but may contain additional information to support other means of communication. It may also have a record of some personal data if supplied as part of a customer support enquiry (https://www.freshworks.com/data-processing-addendum/).
iv) Intuit's Mailchimp is used for marketing and messaging users of its Services (https://mailchimp.com/en-gb/legal/data-processing-addendum/). Data is encrypted in transit, where the receiving system supports encryption.
v) Chargebee is used for billing and payments for BikeRentalManager services and personal data of subscribers is retained where required by law, e.g. who was invoiced and who paid for subscriptions (https://www.chargebee.com/privacy/dpa/).
vi) Beamer is used for outward communication about the Services and does not process personal data.
c) Subprocessor Commitments. Taste Provence undertakes to enter into a written agreement with any applicable Subprocessors and ensures such obligations will in no event be less protective than this DPA. Taste Provence will restrict the Subprocessor's access to only what is necessary to maintain the Taste Provence Service or to provide the Taste Provence Service to Customer and any of its Users. Customer hereby consents to Taste Provence's use of Subprocessors as described in this Section. Taste Provence will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Subprocessors.
d) Changes to Subprocessors. Taste Provence will provide Customer with notice at least 30 days in advance before a new Subprocessor Processes any Customer Personal Data. Customer may object to any new Subprocessor by terminating the applicable Order(s) by a written notice to Taste Provence sent within 20 days of being informed of the engagement of the new Subprocessor.
e) Integration with third-party Services. Taste Provence also offers optional integration with third-party services, provided (i) these third-party services are not subprocessors of Taste Provence and (ii) the contractual arrangement with these services is between the Customer and the third-party service. The list of third-party integrations changes over time and is periodically updated at https://bikerentalmanager.com/integrations/. Details of each integration can be found in the BikeRentalManager Support Centre, https://brm2.bikerentalmanager.com/support/home. Subscribers will need to have appropriate agreements in place with the third-party services they want to use.
4. Transfers of Personal Data
a) GDPR. Any transfer of Personal Data made from member states of the European Union, Iceland, Liechtenstein, or Norway to any countries which do not ensure an adequate level of data protection within the meaning of the laws and regulations of these countries shall, to the extent such transfer is subject to such laws and regulations, be undertaken by Taste Provence through the EU SCCs, which are automatically incorporated by reference and form an integral part of the DPA, as follows:
i) where Customer is a Controller and Taste Provence is a Processor under the Agreement, Module Two (Controller to Processor) will apply; or where Customer is a Processor and Taste Provence is a sub-Processor under the Agreement, Module Three (Processor to Processor) will apply;
ii) Clause 7, the optional docking clause will not apply;
iii) Clause 9, Option 2 will apply, and the time period for prior notice is thirty (30) days;
iv) Clause 11, the optional language will not apply;
v) Clause 13, the supervisory authority with responsibility for ensuring compliance by the Data Exporter with Regulation (EU) 2016/679 as regards the data transfers shall be the supervisory authority of Ireland;
vi) Clause 17, Option 1 will apply, and the EU SCCs will be governed by Irish law;
vii) Clause 18(b), disputes shall be resolved before the courts of Ireland;
viii) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule 1 to this DPA; and
ix) Annex II of the EU SCCs shall be deemed completed with the information set out in Schedule 2 to this DPA.
b) UK GDPR. With respect to transfers to which the UK GDPR applies, the parties agree to Process such Personal Data in compliance with the UK Addendum, which is automatically incorporated by reference and forms an integral part of the DPA, as follows:
i) the EU SCCs as implemented under Sections 6(a)(i) and 6(a)(ii) of this DPA shall be deemed amended as specified by Part 2 of the UK Addendum;
ii) Tables 1 to 3 in Part 1 of the UK Addendum shall be deemed completed respectively with the information set out in Schedules 1 and 2 of this DPA (as applicable); and
iii) Table 4 in Part 1 of the UK Addendum shall be deemed completed by selecting "Importer" and "Exporter".
c) Swiss DPA. With respect to transfer to which the Swiss DPA applies, the parties agree to Process such Personal Data in compliance with the EU SCCs as implemented under Sections 6(a)(i) and 6(a)(ii) of this DPA with the following modifications:
i) references to "Regulation (EU) 2016/679" shall be interpreted as reference to Swiss DPA;
ii) references to "Regulation (EU) 2016/679" shall be replaced with the equivalent article or section of the Swiss DPA;
iii) references to the "competent supervisory authority" and "competent courts" shall be replaced with references to the "Swiss Federal Data Protection and Information Commissioner" and "applicable courts of Switzerland" for transfers from Switzerland;
iv) Clause 17, the EU SCCs shall be governed by the laws of Switzerland; and
v) Clause 18(b), disputes shall be resolved before the applicable courts of Switzerland.
5. Data Breach Notification
- a) Data Breach Notification. After becoming aware of an accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to Customer Personal Data transmitted, stored or otherwise Processed by Taste Provence or its Sub-processors ("Data Breach"), Taste Provence will notify Customer not later than 72 hours after having become aware of it ("Data Breach Notification"). Taste Provence will take reasonable steps to: (i) identify the cause of such Data Breach; and (ii) take the steps necessary and reasonable to remediate the cause of such Data Breach to the extent such remediation is within Taste Provence's reasonable control. Data Breach Notification will be delivered to the Administrator(s) of Customer's Taste Provence Service account ("Notification Email Address"). Customer is solely responsible for ensuring that the Notification Email Address associated with Customer's account is current and valid.
- b) Other Notification. When Taste Provence processes Customer Personal Data in the course of providing the Services, Taste Provence will notify Customer upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to Taste Provence's Processing of the Personal Data, or if, in Taste Provence's opinion, Customer's instruction for the processing of Personal Data infringes applicable Data Protection Legislation.
6. Deletion and Return of Customer Data
- a) Deletion and Return. Taste Provence and its Subprocessors shall promptly, and in any event within 5 days of the date of cessation of any Taste Provence Service involving the Processing of Customer Personal Data (the "Cessation Date"), delete and/or return any and all copies of the relevant Customer Personal Data. Customer may, in its absolute discretion, require Taste Provence to (i) return a complete copy of all Customer Personal Data to Customer by secure file transfer in such format as is reasonably notified by Customer to Taste Provence; and (ii) delete and procure the record of deletion of all other copies of Customer Personal Data Processed held by any Subprocessor. For avoidance of doubt, to delete shall mean to remove or obliterate Customer Personal Data in such a manner that it cannot be recovered or reconstructed in future in any mode or medium, electronic or otherwise.
- b) Retention for Legal Compliance. Taste Provence and its Subprocessors may store Customer Personal Data to the extent required by any applicable Data Protection Legislation, only to the extent and for such period as required by such Data Protection Legislation, ensuring at all times that such Customer Personal Data is kept fully secured and confidential and only retained as necessary for the purpose(s) specified in the applicable Data Protection Legislation requiring its storage and for no other purpose.
7. Technical and Organisational Measures
- a) Taste Provence only uses Customers' Personal Data where it is necessary in order to provide the service as configured by the Stores or address issues raised by Stores.
b) Taste Provence implements and maintains appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected.
c) The general Technical and Organisational Measures include measures to encrypt Customer Personal Data; to help ensure ongoing confidentiality, integrity, availability and resilience of Taste Provence's systems and services; to help restore timely access to Customer Personal Data following an incident; and for regular testing of effectiveness.
d) The specific Technical and Organisational Measures taken in the provision of Taste Provence's BikeRentalManager service are described more fully in Schedule 2 of the DPA.
8. Audit Rights
a) Customer Audit. Customer may audit Taste Provence's compliance with the terms of this DPA (no more often than once a year). If a third-party is to conduct the audit, the third-party must be mutually agreed to by Customer and Taste Provence and such third-party must execute a confidentiality agreement with Taste Provence before the audit is conducted.
b) Audit Plan. To request an audit, Customer must submit a detailed proposed audit plan to Taste Provence at least thirty (30) days in advance of the proposed audit date. The proposed audit plan must describe the proposed scope, duration, and start date of the audit. Taste Provence will review the proposed audit plan and communicate any concerns or questions to Customer. Taste Provence will cooperate with Customer to agree on a final audit plan.
c) Audit Time. The audit must be conducted during Taste Provence's regular business hours and subject to applicable Taste Provence policies. The audit may not unreasonably interfere with Taste Provence's business operations.
d) Audit Report. Customer will provide Taste Provence any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer may use the audit reports only for the purposes of meeting its regulatory requirements and/or confirming compliance with the requirements of the Agreement and this DPA. The audit report(s) and any information obtained by Customer under this section are Taste Provence's Confidential Information under the terms of the Agreement. If the parties have entered into Standard Contractual Clauses as described in Section 6 (Transfers of Personal Data), the parties agree that the audits described in Clause 8.9 of the EU SCCs shall be conducted in accordance with this section.
e) Audit Expense. Any audits conducted shall be at Customer's expense. Any request for Taste Provence to provide assistance with an audit is considered a separate service if such audit assistance requires the use of additional or different resources than those Taste Provence would typically utilize when providing such audit assistance. Taste Provence will seek Customer's prior written approval and agreement to pay any related fees before performing such audit assistance.
9. Data Subject Rights
- a) Access, Portability and Rectification. Taste Provence acknowledges that it has certain obligations to respond to requests of a Data Subject whose Personal Data is being processed under this DPA, and who wishes to exercise any of their legal rights under the applicable Data Protection Legislation, including, but not limited to: (i) right of access and update; (ii) right to data portability; (iii) right to erasure; (iv) right to rectification; (v) right to object to automated decision-making; or (vi) right to object to processing. Accordingly, Taste Provence will, in a manner consistent with the functionality of the Taste Provence Service, enable Customer to access, update, port, erase, rectify, block, object and restrict processing of Customer Personal Data, including via the deletion functionality provided by the Taste Provence Service.
- b) Data Subject Requests. If Taste Provence receives a request from a Data Subject in relation to Customer Personal Data, to the extent legally permissible, Taste Provence will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such request including, where necessary, by using the functionality of the Taste Provence Service. To the extent Customer, in its use of the Taste Provence Service, does not have the ability to address a Data Subject request, Taste Provence shall upon Customer's request provide commercially reasonable assistance to facilitate such Data Subject request to the extent that Taste Provence is legally permitted to do so and provided that such Data Subject request is exercised in accordance with the Data Protection Legislation. To the extent legally permitted, Customer shall be responsible for any costs arising from Taste Provence's provision of such assistance.
- Inconsistency and Limitation of Liability. In the event of any conflict or inconsistency between the provisions of the Agreement and this DPA, the provisions of this DPA shall prevail. For avoidance of doubt and to the extent allowed by applicable law, any and all liability under this DPA, including limitations thereof, will be governed by the relevant provisions of the Agreement.
- Severability. Save as specifically modified and amended in this DPA, all of the terms, provisions and requirements contained in the Agreement shall remain in full force and effect and govern this DPA. If any provision of the DPA is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this DPA shall remain operative and binding on the parties.
- Governing Law and Jurisdiction. The terms of this DPA shall be governed by and interpreted in accordance with the laws of England and Wales. The parties irrevocably and unconditionally submit to the exclusive jurisdiction of the courts of England and Wales with respect to any dispute or claim arising out of or in connection with this DPA.
Schedule 1 - Description of Processing/Transfer
Categories of Data Subjects: Customer may submit Personal Data including but not limited to the following categories of Data Subjects:
- Customer's employees, agents, independent contractors, subscribers, business partners and vendors
Categories of Personal Data: The following categories of Personal Data are processed under this DPA:
- First Name and Last Name
- Date of Birth
- Phone Number
- Email Address
- Postal Address
- IP Address
- Domain Name
- Contact Information
- Membership Information
- Contractual Information
- Analytics and Usage Data
- Any other type of personal data related to the above
Sensitive data transferred (if applicable): The contents of the Personal Data are varied and under the data exporter's control, but may, from time to time, include sensitive data under the relevant Data Protection Laws. Data exporter acknowledges and agrees that Taste Provence provides facilities for special handling of sensitive data, including data retention periods and data masking.
The frequency of the transfer: Frequency of the transfer is configurable in a self-service manner by the data exporter and is on a continuous basis for the duration of the Agreement.
Nature and Purpose of Processing: Taste Provence will Process Personal Data as necessary to perform the Services pursuant to the Agreement.
Frequency and Duration of Processing: Taste Provence will Process Personal Data for the duration of the Agreement unless as otherwise required by law. Personal Data submitted to Taste Provence is retained for a limited period of time, in accordance with its published data retention policies. In general, the retention period is 30 days unless otherwise configured by the data exporter, and in no case exceeds 90 days.
Schedule 2 - Data Security Measures
As part of the specific Technical and Organisational Measures, Taste Provence:
- i) Allows access to Personal Data to its authorized personnel after such personnel provide multifactor authentication that uniquely identifies them.
- ii) Reviews access and authorization rights for authorized personnel regularly. Access or authorization rights are withdrawn or modified, as appropriate, promptly upon termination or change of role for such personnel.
- iii) Ensures that physical access to systems storing or Processing Personal Data is appropriately secured and monitored.
- iv) Encrypts Personal Data both at rest and in transit, using industry standard protocols and encryption algorithms.
- v) Has implemented and maintains secure coding and development standards, incorporating security and privacy considerations.
- vi) Ensures that its personnel receive regular security and privacy training so that they are aware of their roles and responsibilities with regard to the treatment and protection of Personal Data.
- vii) Segregates internal systems storing or processing Personal Data from public networks.
- viii) Ensures interactions with the Services are secured using Transport Layer Security (TLS).
- ix) Ensures logical separation of each subscription, building on the namespace feature of Google Cloud Platform.
- x) Has implemented anti-malware on systems that do or may Process Personal Data.
- xi) Has implemented monitoring and alerting capabilities on its systems.
- xii) Evaluates the security and privacy practices of all authorized Sub-Processors. All Authorized Sub-Processors are required to implement and maintain the same or substantially similar technical and organizational measures and assume the same responsibilities and obligations as those required of Processor under this DPA.
- xiii) Maintains systems and processes for complying with data privacy requirements including limited retention and processing of requests from Data Subjects.
- xiv) The payments for the Services and related personal data are not stored by or in the BikeRentalManager service.