Data Processing Addendum

Insofar as Customer provides to Ordoro personal data, including e-mail addresses, names, mailing addresses, telephone numbers, social security numbers, credit card numbers, or other information that relates to an identified or identifiable natural person, and Ordoro (the “Data Processor”) processes such personal data on behalf of the Customer (the “Data Controller”) in the course of providing the Service, the terms of this Data Processing Addendum (“DPA”) shall apply. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the agreement or terms that reference this DPA (the “Agreement”). This DPA is subject to and governed by the Agreement; however, in the event of a conflict between any provisions of the Agreement and this DPA, the provisions of this DPA shall govern and control with regard to the processing of personal data. References to “Data Protection Laws” shall mean any law applicable to Data Processor’s processing or use of personal data, including (to the extent applicable), Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (“GDPR”).

  1. Processing.
    1. Data Processor will only process and use the personal data it receives from the Data Controller as necessary to provide the Service or as otherwise set forth in the Agreement or Data Controller’s prior written instructions. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions.
    2. The Data Controller has all necessary rights to provide the personal data to the Data Processor for the processing to be performed in connection with the Services. To the extent required by Data Protection Laws, the Data Controller is responsible for providing all necessary privacy notices to data subjects, and unless another legal basis set forth in the Data Protection Laws supports the lawfulness of the processing, and for obtaining any necessary consents from data subject to the processing required under the Agreement. Should such a consent be revoked by a data subject, the Data Controller will inform the Data Processor of such revocation, and the Data Processor will be responsible for implementing Data Controller’s instruction with respect to the processing of such personal data.
  2. Confidentiality.
    The Data Processor shall treat all personal data as Confidential Information under the Agreement, and it shall inform all its employees, agents and sub-processors engaged in processing the personal data of the confidential nature of the personal data. The Data Processor shall cause all such persons or parties to sign confidentiality agreements with obligations no less restrictive in the use and protection of Confidential Information than those in the Agreement.
  3. Security Measures.
    1. Considering the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of personal data appropriate to the risk. The Data Processor shall maintain and follow security policies that are fully implemented and applicable to the processing of personal data. At a minimum, such policies will include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the personal data, conducting appropriate background checks, requiring employees, vendors and others with access to personal data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the personal data aware of information security risks presented by the processing.
    2. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Article 3 and shall allow the Data Controller to audit and test such measures. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller´s auditors reasonable access to any premises and devices involved with the processing of the personal data, provided that such access does not expose the personal data of other parties. The Data Processor shall provide the Data Controller with access to any information relating to the processing of the personal data as may be reasonably required by the Data Controller to ascertain the Data Processor´s compliance with this DPA, but only to the extent it does not provide access to the personal data of other parties.
  4. Data Transfers.
    The Data Controller shall notify the Data Processor prior to transferring to Data Processor any personal data across the border from a country outside the United States. The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of personal data across the border to a country outside of the United States, and shall only perform such a transfer after obtaining authorization from the Data Controller, which may be withheld at its sole discretion.
  5. Security Breach.
    The Data Processor will notify the Data Controller without undue delay upon discovery of any suspected or actual security or confidentiality breach or other compromise of personal data, describing the breach in reasonable detail, the status of any investigation or mitigation taken by the Data Processor, and if applicable, the potential number of data subjects affected. Data Processor will not communicate with any third party regarding any security breach except as specified by other party or by applicable law.
  6. Subprocessors.
    The Data Processor shall not subcontract any of its Services-related activities to the extent such activities involve any processing of personal data received from the Data Controller or allow any personal data to be processed by a third party, without notice to the Data Controller.
  7. Data Subject Rights.
    The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as it is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the Data Protection Laws, and will otherwise reasonably assist the Data Controller in complying with its obligations under the GDPR.