Data Processing Agreement (“DPA”)
This Data Processing Agreement (this “DPA”) applies to the processing of Personal Data by PortOne SG Pte., Ltd. and its affiliates (“PortOne”) in accordance with the services provided as described in the Services Description pursuant to the Terms of Services (the “TOS”) between PortOne and its clients (“Client”). This DPA is incorporated by reference into the TOS. Client and PortOne are referred to individually as a “Party” and collectively as the “Parties”.
1 Purpose and Background:
a Client has agreed to the TOS, according to which PortOne has agreed to provide certain services to Client (the “Services”).
b When providing the Services, PortOne may collect, process, and gain access to all data, content, and information owned, held, used, or created by or on behalf of Client that is stored, inserted, or uploaded to the PortOner system for the use of the Servies (“Client Data”). From a data protection perspective, Client will be the Data Controller, and PortOne will be the Data Processor.
c If there is a conflict between the terms of the TOS and those of this DPA, the provisions of this DPA will prevail.
2 Processing of Personal Data
2.1 Client acknowledges and agrees that this DPA applies to the extent PortOne collects, stores, disseminates, transfers, uses, and processes any information relating to an identified or identifiable individual (“Personal Data”) where such information is contained within Client Data through use of the Services (“Process”, “Processes” and “Processing”). PorOne will collect and Process Personal Data in connection with the TOS only for the purposes of providing the Services and in compliance with any data protection and privacy laws applicable to the respective Party in its role in Processing of Personal Data under this DPA (the “Data Protection Laws”).
2.2 This DPA contains the Client’s initial instructions to PortOne. The Parties agree that the Client may communicate any change in its initial instructions to PortOne by way of amendment to this DPA, which shall be agreed in writing by the Parties.
2.3 For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA (e.g., due to introduction of a new Processing purpose) will require prior written agreement between the Parties.
2.4 The categories of the individual to whom Personal Data relates (“Data Subject”) to which Client Personal Data relates are determined and controlled by Client in its sole discretion, and may include, but are not limited to:
a Directors, officers, employees, agents, advisors. Customers and business partners of Client
b Any individuals working for third parties whom PortOne interacts or is requested to interact in connection with the provision, operation, or maintenance of the Services on behalf of Client; and
c Any other individuals for which Client enters Personal Data or information into the Services
2.5 The types of Client Personal Data are determined and controlled by Client in its sole discretion, and may include, but are not limited to:
a Name, title, address, email address, phone number, other contact information;
b Financial information (credit card details, account details, payment information);
c IT information (IP addresses, cookies data, location data); and
d Other data collected by Client and entered or uploaded into the Services by Client
3 Term and Termination
3.1 This DPA will become effective upon Client registering for the use of the Services by agreeing to the TOS and will continue to be in force and effect for the same term as the TOS or as long as PortOne is Processing Personal Data under the TOS.
4 Client’s Obligations
4.1 Within the scope of this DPA and in its use of the Services, Client acknowledges and agrees that it will be solely responsible for:
a The accuracy, quality, and legality of Personal Data and means by which it acquired Personal Data;
b Complying with all requirements under applicable Data Protection Laws for the collection and use of the Personal Data, including providing necessary notifications and obtaining any necessary consents and authorization from the relevant Data Subjects on the scope, use, disclose and transfer of the Personal Data;
c Ensuring Client has the right to transfer, or provide access to, the Personal Data to PortOne for Processing in accordance with the terms of the TOS and this DPA;
d Ensuring that Client’s instructions to PortOne regarding the Processing Personal Data comply with applicable laws, including Data Protection Laws; and
e Complying with all laws including Data Protection Laws applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents, if and when required, to send emails, the content of the emails and its email deployment practices.
4.2 Client will inform PortOne without undue delay if Client is not able to comply with its responsibilities under this Clause 4 or applicable Data Protection Laws.
4.3 Where a subject individual contacts PortOne to require PortOne to update, change or destroy the Personal Data, Client shall cooperate with PortOne in:
a fulfilling the requirement and notifying the subject individual thereof or providing the subject individual with rights to access, update, change or destroy the Personal Data; and
b taking appropriate measures to protect the personal data and notifying the subject individual in cases where PortOne or Client has not fulfilled the requirement due to technical factors or other factors.
5 PortOne’s Obligations
5.1 PortOne will commit to Process Personal Data received within the scope of the TOS and this DPA.
5.2 PortOne will ensure any person who is authorized by PortOne to Process Personal Data shall be under an appropriate obligation of confidentiality.
5.3 PortOne will notify Client without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, stored or otherwise Processed by PortOne in connection with the provision of the Services (“Personal Data Breach”), and will provide reasonable information, cooperation, and assistance to Client with any action to be taken in response to a Personal Data Breach under Data Protection Laws.
5.4 PortOne will keep confidential and will not make available any Personal Data received in connection with the Services to any third party except in accordance with the TOS or this DPA or as required by applicable law.
5.5 PortOne will use reasonable efforts to fully cooperate and to comply with any instructions, guidelines, and orders received from the relevant supervisory authority when such instructions, guidelines, and orders pertain to the Personal Data.
5.6 Upon termination of the Services under the TOS, PortOne may delete or return all Personal Data to Client unless PortOne is under a legal obligation to retain the Personal Data.
5.7 To the extent that the required information is reasonably available to PortOne, and Client does not otherwise have access to the required information, PortOne will provide reasonable assistance to Client with any data protection impact assessments, and prior consultations with data protection authorities as required by Data Protection Laws.
6 Sub-Processor
6.1 Client grants PortOne with a general authorization to engage sub-processors. PortOne shall enter into a written agreement with each sub-processor imposing data protection obligations no less protective of Client Personal Data as PortOne’s obligations under this DPA to the extent applicable to the services provided by the sub-processor, and remain liable for each sub-processor’s compliance with the obligations under this DPA.
7 Data Transfer
7.1 Client acknowledges and agrees that PortOne may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the TOS, and in particular that Personal Data may be transferred to and Processed by PortOne entities in the Republic of Korea and to any other jurisdictions where PortOne affiliates, agents, and authorized sub-processors locate and have operations. PortOne shall ensure that such transfers are made in compliance with the Data Protection Laws and this DPA.
7.2 Any transfer of Client’s Personal Data made subject to this DPA from states of the European Union (“EU”), the European Economic Area (“EEA”), Switzerland or the United Kingdom to any country that does not ensure an adequate level of protection according to the EU, Data Protection and Information Commissioner (“FDPIC”) or the UK’s Commissioner’s Office (as applicable), shall be undertaken through the standard contractual clauses or other requirements of the Data Protection Laws including, but not limited to, data transfer impact assessments, third country assessments and agreeing additional safeguards as necessary.
8 Technical and Organizational Measures
8.1 PortOne shall implement and maintain, at its own cost and expense and in relation to the Processing of Personal Data by PortOne, technical and organizational security measures to ensure a level of security appropriate to the risk to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and services. Client acknowledges that such security measures are subject to technical progress and development and that PortOne may update or modify the security measures from time to time.
9 Information and Audits
9.1 PortOne shall, per Data Protection Laws, make available to Client on request promptly such information as is necessary to demonstrate compliance by PortOne with its obligations under the Data Protection Laws.
9.2 PortOne shall, upon reasonable notice, allow for and contribute to audits of its Processing of Personal Data, during regular business hours and with minimal interruption to its business operations. Such audits shall be conducted by Client, its affiliates or an independent third party on its behalf (which will not be a competitor of the PortOne’s business) that is subject to reasonable confidentiality obligations.
9.3 Client shall pay PortOne reasonable costs of allowing or contributing to audits or inspections on-site, calculated on a time at PortOne’s then-current professional services rates. Client shall promptly notify PortOne and provide information about any actual or suspected non-compliance discovered during an audit.
10 Liability
10.1 The limitations of liability set forth in the TOS will apply to all claims made pursuant to any breach of the terms of this DPA.
10.2 The Parties agree that PortOne shall be liable for any breaches of this DPA caused by the acts and omissions o or negligence of its sub-processors to the same extent the PortOne would be liable if performing the services of each sub-processor directly under the terms of this DPA, subject to any limitations of liability set out in the terms of the TOS.
10.3 The Parties agree that you shall be liable for any breaches of this DPA caused by acts and omissions or negligence of your affiliates as if such acts, omissions or negligence has been committed by you.
10.4 Client shall indemnify PortOne with respect to any claims and damages from a Data Subject or a third party and administrative penalties from an authority not caused by PortOne.
10.5 Client shall not be entitled to recover more than once in respect of the same loss.
11 General
11.1 This DPA may be executed counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.
11.2 The provisions of this DPA are severable. If any phrase, clause or provision is invalid or unenforceable in whole or in part, such invalidity or unenforceability shall affect such phrase, clause or provision, and the rest of this DPA shall remain in full force and effect.
11.3 This DPA is governed by the laws stipulated in the TOS with respect to any disputes or claims arising under this DPA.
11.4 All terms of this DPA are hereby incorporated into the TOS. In the event of a conflict between a term in the TOS and a term in the DPA, the term contained in this DPA shall prevail.
11.5 Where this DPA requires a “written notice” such notice can also be communicated per email to the other Party.
11.6 Any supplementary agreements or amendments to this DA shall be made in writing and signed by both Parties.
