Data Processing Agreement

This Data Processing Agreement is incorporated into the Services Agreement and forms part of the written agreement between you and Edsembli.  This Data Processing Agreement applies to Personal Information processed by Edsembli in connection with its provision of the Hosted Services.

Terms not otherwise defined herein shall have the meaning ascribed to such term in the General Terms and Conditions.

1. Definitions

“Controller” means you in your capacity as the organization that is responsible for the protection of Personal Information that it collected, used or, in certain circumstances, disclosed. 

“MFOIPOP” means the Municipal Freedom of Information and Protection of Privacy Act, R.S.O., 1990, c.M-56

“Personal Information” means information about an identifiable individual where there is a serious possibility that an individual could be identified through the use of the information, alone or in combination with other available information. 

“PIPEDA” means the Personal Information Protection and Electronic Documents Act, S.C. 2000, c.5.

“Privacy Breach” means the improper or unauthorized collection, use, disclosure, retention or disposal of Personal Information, resulting from a breach of the Controller’s security safeguards, where it is reasonable to believe that the breach creates a real risk of significant harm to the individual to whom the Personal Information relates.

“Privacy Legislation” means PIPEDA, MFOIPOP and any other privacy and personal information statutes, rules or regulations applicable to the Data Processing Agreement or the relationship between the Parties.

“Processing” means the Edsembli’s use of Personal Information, collected by the Controller, for the provision of the Hosted Services.

“Processor” means Edsembli Inc.

“Terms of Service” means the Terms of Service between Edsembli and yourself.

“Third Party Subprocessor” means a third party which Edsembli subcontracts with and which may Process Personal Information as set forth in Section 6. 

“You” means the person accepting the Services Agreement of which this Data Processing Agreement forms a part of, provided that if such acceptance is on behalf of a company or other legal entity then: (i) the signatory represents that he/she has the authority to bind such entity to the terms of the Service Agreement; “you” and “your” refers to such entity; and (iii) you may be referred to as “Company” in Orders.

2. Conflict Between Data Processing Agreement and Services Agreement

If there is any inconsistency between the Data Processing Agreement and the Services Agreement, the applicable provisions of the Data Processing Agreement will prevail.

3. Term

This Data Processing Agreement shall be effective and remain in force for the term of the Services Agreement.

4. Responsibility for Processing of Personal Information and Your Instructions

4.1. you are a Controller and Edsembli is a Processor for the Processing of Personal Information as part of the provision of the Hosted Services. Each party is responsible for compliance with its respective obligations under Privacy Legislation. 

4.2. Edsembli will Process Personal Information solely for the purpose of providing the Hosted Services in accordance with the Services Agreement and this Data Processing Agreement. 

4.3. In addition to your instructions incorporated into the Services Agreement, you may provide additional instructions in writing to Edsembli with regard to Processing of Personal Information in accordance with Privacy Legislation. Edsembli will promptly comply with all such instructions to the extent necessary for Edsembli to: (i) comply with its Processor obligations under Privacy Legislation; or (ii) assist you to comply with Your Controller obligations under Privacy Legislation relevant to your use of the Hosted Services. 

4.4. Edsembli will follow your instructions at no additional cost to you and within the timeframes reasonably necessary for you to comply with your obligations under Privacy Legislation.  To the extent Edsembli expects to incur additional charges or fees not covered by the fees for Hosted Services payable under the Services Agreement, such as additional license or third party contractor fees, it will promptly inform you thereof upon receiving your instructions. Without prejudice to Edsembli’s obligation to comply with your instructions, the parties will then negotiate in good faith with respect to any such charges or fees. 

4.5. Unless otherwise specified in the Services Agreement, you may not provide Edsembli with any sensitive or special Personal Information that imposes specific data security or data protection obligations on Edsembli in addition to or different from those specified in the Data Processing Agreement or Services Agreement.

5. Privacy Inquiries and Requests from Individuals

5.1. If you receive a request or inquiry from an Individual related to Personal Information processed by Edsembli for the provision of Hosted Services, you can either: (i) securely access the Hosted Services which hold Personal Information to address the request; or (ii) to the extent such access is not available to you, submit a “service request” to Edsembli with detailed written instructions to Edsembli on how to assist you with such request. 

5.2. If Edsembli directly receives any requests or inquiries from Individuals that have identified you as the Controller, it will promptly pass on such requests to you without responding to the Individual. Otherwise, Edsembli will advise the Individual to identify and contact the relevant controller(s). 

6. Third Party Subprocessors

To the extent Edsembli engages Third Party Subprocessors to Process Personal Information, such entities shall be subject to the same level of data protection and security as Edsembli under the terms of the Services Agreement.  Edsembli is responsible for the performance of the Third Party Subprocessors’ obligations in compliance with the terms of this Data Processing Agreement and Privacy Legislation.

7. Cross-border data transfers

7.1. Without prejudice to any applicable regional data center restrictions for Hosted Services specified in your Services Agreement, Edsembli may Process Personal Information globally as necessary to perform the Hosted Services. 

7.2. To the extent such global access involves a transfer of Personal Information subject to cross-border transfer restrictions under Privacy Legislation, such transfers shall be subject to security and data privacy requirements consistent with the relevant requirements of this Data Processing Agreement and Privacy Legislation.

8. Security and Confidentiality

8.1. Edsembli has implemented and will maintain appropriate technical and organizational security measures for the Processing of Personal Information designed to prevent accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Information. These security measures govern all areas of security applicable to the Hosted Services, including physical access, system access, data access, transmission and encryption, input, data backup, data segregation and security oversight, enforcement and other security controls and measures.  Additional details regarding the specific privacy and security measures that apply to the Hosted Services are set out in the following policies: 

(i)     Edsembli’s Cloud Security Policy, which is available at https://edsembli.wpengine.com/cloud-security-policy/

(ii)    Edsembli’s Privacy Policy, which is available at http://www.esembli.com/privacy-policy/

8.2. All Edsembli employees, as well as any Third Party Subprocessors that Process Personal Information, are subject to appropriate written confidentiality arrangements, including confidentiality agreements, regular training on information protection, and compliance with Edsembli policies concerning protection of confidential information.

9. Audit Rights

9.1. To provide you with confidence in Edsembli’s security and confidentiality measures, Edsembli will engage a qualified third party auditor (“Auditor”), on an annual basis, to audit Edsembli’s compliance with its obligations under the: (i) Data Processing Agreement; (ii) Privacy Policy; and (iii) Cloud Security Policy.

9.2. The Auditor shall prepare an audit report using one of the following standards: (i) SOC; (ii) ISO; (iii) NIST; (iv) PCI DSS; or (v) HIPAA.

9.3. Upon completion of the audit, Edsembli will provide you with a copy of the audit report, which shall be subject to the confidentiality terms of the Services Agreement.

9.4. If the audit report confirms that the controls are satisfactory, you agree to accept  the findings presented in the audit report in lieu of requesting your own audit of the same controls covered by the audit report.

10. Incident Management and Breach Notification

10.1. Edsembli has implemented controls and policies designed to detect and promptly respond to incidents that create suspicion of or indicate destruction, loss, alteration, unauthorized disclosure or access to Personal Information transmitted, stored or otherwise Processed. Edsembli will promptly define escalation paths to investigate such incidents in order to confirm if a Privacy Breach has occurred, and to take reasonable measures designed to identify the root cause(s) of the Privacy Breach, mitigate any possible adverse effects and prevent a recurrence. 

10.2. Edsembli will notify you of a confirmed Privacy Breach without undue delay but at the latest within 24 hours. As information regarding the Privacy Breach is collected or otherwise reasonably becomes available to Edsembli, Edsembli will also provide you with: (i) a description of the nature and reasonably anticipated consequences of the Privacy Breach; (ii) the measures taken to mitigate any possible adverse effects and prevent a recurrence; and (iii) where possible, information about the types of Personal Information that were the subject of the Privacy Breach.  you agree to coordinate with Edsembli on the content of your intended public statements or required notices for the affected Individuals and/or notices to the relevant regulatory authorities regarding the Privacy Breach.

11. Return and Deletion of Personal Information

11.1. Upon termination of the Hosted Services, Edsembli will promptly return, including by providing available data retrieval functionality, or delete any remaining copies of Personal Information on Edsembli systems or the Hosted Services environment, except as otherwise stated in the Services Agreement. 

11.2. For Personal Information held on your systems or environments, or for Hosted Services for which no data retrieval functionality is provided by Edsembli as part of the Hosted Services, you are advised to take appropriate action to back up or otherwise separately store any Personal Information while the Hosted Services environment are still active prior to termination.

12. Legal Requirements

12.1. Edsembli may be required by law to provide access to Personal Information, such as to comply with a subpoena or other legal process, or to respond to government requests, including public and government authorities for national security and/or law enforcement purposes. 

12.2. Edsembli will promptly inform you of requests to provide access to Personal Information, unless otherwise required by law.