Data Processing Addendum
Last updated: 20 Mar 2024
This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Customer Subscription Agreement (“Principal Agreement”) between Hall Technologies Pty. Ltd. ACN 669 790 738 (“Company”) and you or the entity you represent (“Customer”) (together as the “Parties”).
1. Definitions and Interpretation
Unless otherwise defined herein, capitalized terms and expressions used in this DPA shall have the meaning given to them in the Principal Agreement. The following terms shall have the meanings set out below:
“Agreement” means this Data Processing Addendum and all Schedules;
“Applicable Laws” means any and all governmental laws, rules, directives, regulations or orders that are applicable to a particular Party’s performance under this DPA, which may include, as applicable, EU Data Protection Laws, the California Consumer Privacy Act of 2018, the CCPA, Connecticut’s Data Privacy Act (“CTDPA”), Utah Code Ann. §§ 13-61-101 et seq. (the Utah Consumer Privacy Act) (“UCPA”), VA Code Ann. §§ 59.1-575 et seq. (the Virginia Consumer Data Protection Act) (“VCDPA”) (collectively “U.S. Privacy Laws”).
“CCPA” means Section 1798.100 et seq. of the California Civil Code and any attendant regulations issued thereunder as may be amended from time to time, including but not limited to the California Privacy Rights Act of 2020 (the “CPRA”) and its implementing regulations;
“Company Personal Data” means any Personal Data Processed by a Contracted Processor on behalf of Company pursuant to or in connection with the Principal Agreement;
“Contracted Processor” means a Subprocessor;
“Data Protection Laws” means EU Data Protection Laws and, to the extent applicable, the data protection or privacy laws of any other country;
“EEA” means the European Economic Area;
“EU Data Protection Laws” means EU Directive 95/46/EC, as transposed into domestic legislation of each Member State and as amended, replaced or superseded from time to time, including by the GDPR and laws implementing or supplementing the GDPR;
“GDPR” means EU General Data Protection Regulation 2016/679;
“Data Transfer” means:
- a transfer of Company Personal Data from the Company to a Contracted Processor; or
- an onward transfer of Company Personal Data from a Contracted Processor to a Subcontracted Processor, or between two establishments of a Contracted Processor, in each case, where such transfer would be prohibited by Data Protection Laws (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Laws);
“Services” means the services described in the Principal Agreement, including any Order Form thereunder;
“Standard Contractual Clauses” means:
- where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Decision (EU) 2021/914 of 4 June 2021, available at eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0914&qid=1623940939861 (“EU SCCs”); and
- where the UK GDPR applies, the EU SCCs as amended and modified by the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, adopted pursuant to or permitted under Article 46 of the UK GDPR (“UK IDTA SCCs”);
in each case as may be amended, superseded or replaced from time to time.
“Subprocessor” means any person appointed by or on behalf of Processor to process Personal Data on behalf of the Company in connection with the Agreement.
The terms, “Commission”, “Controller”, “Data Subject”, “Member State”, “Personal Data”, “Personal Data Breach”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR, and their cognate terms shall be construed accordingly.
2. Processing of Company Personal Data
The Parties acknowledge and agree that with regard to the Processing of Company Personal Data under applicable Data Protection Laws, Customer is the Controller and Company is the Processor. Each Party shall comply with their respective obligations under applicable Data Protection Laws.
Customer hereby instructs Processor to Process Company Personal Data only:
- to provide the Services in accordance with their documented features and functionality;
- to enable Customer’s authorized user-initiated actions through the Services;
- as necessary to perform Processor’s obligations under this Agreement; and
- in accordance with Customer’s documented instructions.
3. Processor Personnel
Processor shall take reasonable steps to ensure the reliability of any employee, agent or contractor of any Contracted Processor who may have access to the Company Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know / access the relevant Company Personal Data, as strictly necessary for the purposes of the Principal Agreement, and to comply with Applicable Laws in the context of that individual’s duties to the Contracted Processor, ensuring that all such individuals are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4. Security
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Processor shall in relation to the Company Personal Data implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in Article 32(1) of the GDPR. In assessing the appropriate level of security, Processor shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
5. Subprocessing
5.1. Authorization for Subprocessor Engagement
Customer provides general authorization for Processor to engage Subprocessors, provided that Processor:
- maintains an up-to-date list of its Subprocessors at usehall.com/legal/data-subprocessors;
- implements appropriate contractual controls and safeguards with each Subprocessor; and
- remains fully liable for any breach of this Agreement caused by a Subprocessor.
5.2. Subprocessor Obligations
Processor shall:
- enter into a written agreement with each Subprocessor containing data protection obligations that provide at least the same level of protection for Company Personal Data as those in this Agreement;
- conduct appropriate due diligence on each Subprocessor; and
- provide Company with prior written notice of any changes to its Subprocessors as described in section 5.3.
5.3. Objection Right for New Subprocessors
Processor shall notify Customer of any new Subprocessor(s) by updating the Subprocessor List at least fourteen (14) days before authorizing such Subprocessor(s) to Process Company Personal Data. Customer may object to Processor’s appointment of a new Subprocessor within fourteen (14) days of such notice, provided that such objection:
- is made in writing; and
- includes documentary evidence that reasonably demonstrates the proposed Subprocessor does not or cannot comply with the requirements of this DPA or Applicable Laws.
If Customer provides a timely objection notice meeting these requirements, Processor will work with Customer in good faith to make available a commercially reasonable change in the provision of the Services which avoids the use of that proposed Subprocessor. If Processor determines in its sole discretion that it cannot reasonably make such a change available, either party may terminate the Principal Agreement with respect to only those Services which cannot be provided by Processor without the use of the objected-to Subprocessor, by providing written notice to the other party. Processor will refund to Customer any prepaid Fees covering the remainder of the term following the effective date of termination with respect to such terminated Services. The parties agree that any objection notice that does not meet the requirements above and/or is not received by Processor within the fourteen (14) day period shall not be valid, and thereafter Customer shall be deemed to have approved the new Subprocessor.
6. Data Subject Rights
Taking into account the nature of the Processing, Processor shall assist the Customer by implementing appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer obligations, as reasonably understood by Company, to respond to requests to exercise Data Subject rights under the Data Protection Laws. Processor shall:
- promptly notify Customer if it receives a request from a Data Subject under any Data Protection Law in respect of Company Personal Data; and
- ensure that it does not respond to that request except on the documented instructions of Customer or as required by Applicable Laws to which the Processor is subject, in which case Processor shall to the extent permitted by Applicable Laws inform Customer of that legal requirement before the Contracted Processor responds to the request.
7. Company Personal Data Breach
Processor shall notify Customer without undue delay upon Processor becoming aware of a Personal Data Breach affecting Company Personal Data, providing Customer with sufficient information to allow the Customer to meet any obligations to report or inform Data Subjects of the Personal Data Breach under the Data Protection Laws.
8. Data Protection Impact Assessment and Prior Consultation
Processor shall provide reasonable assistance to the Customer with any data protection impact assessments, and prior consultations with Supervisory Authorities or other competent data privacy authorities, which Customer reasonably considers to be required by article 35 or 36 of the GDPR or equivalent provisions of any other Data Protection Law, in each case solely in relation to Processing of Company Personal Data by, and taking into account the nature of the Processing and information available to, the Contracted Processors.
9. Deletion or return of Company Personal Data
Upon termination or expiration of the Services, Customer shall have thirty (30) days to request either return or deletion of Company Personal Data (“Deletion Election Period”). If Customer requests return of Company Personal Data during the Deletion Election Period, Processor shall make such data available for download in a machine-readable format through the Services. If Customer requests deletion, or makes no request during the Deletion Election Period, Processor shall delete Company Personal Data from live systems within ten (10) business days, provided that:
- Processor may retain Company Personal Data in backup or archival systems for up to fourteen (14) days following deletion from live systems for disaster recovery purposes; and
- where specific regulatory or legal obligations require longer retention of certain data, Processor may retain such data strictly as required by such obligations.
During the Term of the Services, Customer may delete Company Personal Data using the functionality provided by the Services, and Processor shall maintain a thirty (30) day recovery period for accidental deletions unless Customer specifically requests immediate permanent deletion.
10. Audit Rights
Processor shall make available to the Customer information necessary to demonstrate compliance with this Agreement primarily through providing confidential third-party security audit reports (“Audit Reports”) prepared by qualified security professionals selected and commissioned by Processor at Processor’s expense. If Customer demonstrates that additional verification is required to comply with mandatory Data Protection Law requirements that are not reasonably satisfied by Audit Reports, Customer may at its own expense request to conduct an audit subject to the following conditions:
- the audit scope shall be limited to matters specific to Customer and agreed in advance with Processor, restricted to information directly relevant to Processor’s processing of Company Personal Data, and conducted in a manner that does not risk disclosure of other customers’ data, Processor’s confidential information, or trade secrets; and
- the audit shall be conducted during Processor’s normal business hours, with at least 4 weeks’ advance written notice, unless there has been a confirmed Personal Data Breach, in a manner that does not unreasonably disrupt Processor’s operations, no more than once per twelve (12) month period, unless required by a Supervisory Authority or in response to a Personal Data Breach, and by Customer directly or through an auditor bound by written confidentiality obligations acceptable to Processor.
Prior to any such audit, the parties shall mutually agree in writing on audit scope, timing, and duration, security and confidentiality controls, and reimbursement of Processor’s reasonable costs at standard professional service rates. Customer shall promptly provide Processor with any audit findings related to non-compliance, treat all information obtained during the audit as Processor’s Confidential Information, and ensure auditors comply with Processor’s security requirements while on premises. Nothing in this section requires Processor to provide access to data centers, systems, or infrastructure, disclose information about other customers, or share Subprocessor information beyond what Subprocessors make available for disclosure.
11. Data Transfer
The Parties acknowledge that Company may transfer Personal Data to and Process Personal Data in jurisdictions outside of Australia, including but not limited to the United States. Where Company engages in such transfers, it shall ensure appropriate safeguards are in place to protect the Personal Data and comply with applicable Data Protection Laws, which may include:
- entering into Standard Contractual Clauses or other valid transfer mechanisms;
- implementing appropriate technical and organizational security measures; and
- ensuring the jurisdiction to which Personal Data is transferred provides an adequate level of data protection as determined by applicable Data Protection Laws or regulatory authorities.
12. Customer Data Subject to U.S. Privacy Laws
As used in this Section 12, “Business Purpose”, “Collects”, “Consumer”, “Sell”, “Share” and “Service Provider” have the meanings assigned to them in the U.S. Privacy Laws. If Company Personal Data is subject to U.S. Privacy Laws (“U.S. Privacy Law Personal Data”), the parties agree as follows with respect to such U.S. Privacy Law Personal Data to the extent required under U.S. Privacy Laws:
- U.S. Privacy Law Personal Data is disclosed by Customer only for limited and specified purposes of providing Services to Customer pursuant to the terms of the Agreement. Each party agrees to comply with applicable obligations under U.S. Privacy Laws and shall provide the same level of privacy protection to U.S. Privacy Law Personal Data as required by U.S. Privacy Laws.
- Company will not Sell or Share any U.S. Privacy Law Personal Data it Collects pursuant to the Agreement.
- Company agrees not to retain, use or disclose U.S. Privacy Law Personal Data Collected pursuant to the Agreement for any commercial purpose other than for the Business Purposes specified in the Agreement or as otherwise permitted by the U.S. Privacy Law.
- Company will not retain, use or disclose U.S. Privacy Law Personal Data Collected pursuant to the Agreement outside of the direct business relationship between Company and Customer, unless expressly permitted by U.S. Privacy Law.
- Customer shall have the right to take reasonable and appropriate steps to help ensure that Company uses the U.S. Privacy Law Personal Data Collected pursuant to the Agreement in a manner consistent with its obligations under U.S. Privacy Law.
- Company shall notify Customer if it makes a determination that it can no longer meet its obligations under U.S. Privacy Laws. Upon such notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of U.S. Privacy Law Personal Data.
- Company will enable Customer to comply with Consumer requests made pursuant to U.S. Privacy Laws. Customer will inform Company of any Consumer request pursuant to U.S. Privacy Laws that Company must comply with and provide information necessary for Company to comply with the request. If Company receives a request to know or a request to delete from a consumer with respect to U.S. Privacy Law Personal Data, Company shall either act on behalf of Customer in responding to the request or inform the consumer that the request cannot be acted upon because the request has been sent to a service provider.
- Company will within five (5) business days of receipt by Company, notify Customer of any opt-out or other Data Subject request with respect to U.S. Privacy Law Personal Data.
- Notwithstanding the foregoing, as permitted under U.S. Privacy Laws, Company may retain, use or disclose U.S. Privacy Law Personal Data Collected pursuant to the Agreement:
  - for the specific Business Purpose(s) set forth in the Agreement that is required by U.S. Privacy Laws,
  - to retain and employ another service provider or contractor as a subcontractor, where the subcontractor meets the requirements for a Service Provider under U.S. Privacy Laws,
  - for internal use by Company to build or improve the quality of its services it is providing to Customer, even if this Business Purpose is not specified in the Agreement, provided that Company does not use the U.S. Privacy Law Personal Data to perform services on behalf of another person,
  - to prevent, detect or investigate data security incidents or protect against malicious, deceptive, fraudulent or illegal activity, even if this Business Purpose is not specified in the Agreement; or
  - for the purposes enumerated in U.S. Privacy Laws.
13. Customer Responsibilities
Without limiting its obligations under the Principal Agreement, Customer shall be solely responsible for:
- all Company Personal Data, including its accuracy, quality, and legality, subject to Processor’s obligations under this Agreement;
- providing all notices to, and obtaining all necessary consents and authorizations from, Data Subjects as required by Applicable Laws for the Processing of their Personal Data under this Agreement;
- ensuring that no Personal Data relating to criminal convictions and offenses or special categories of Personal Data (as defined in GDPR Articles 9 and 10) are submitted for Processing by the Services unless explicitly agreed in writing by Processor; and
- ensuring that access to and use of the Services is limited to Authorized Users and in accordance with the Principal Agreement.
Customer shall not use the Services in any manner that would violate Applicable Laws or the rights of any Data Subjects.
14. General Terms
14.1. Notices
All notices and communications given under this Agreement must be in writing and will be delivered personally or sent by email to the relevant Party’s address as specified in Schedule 1: Notice Details, or to such other address as may be notified in writing by that Party in accordance with this section.
14.2. Liability
Each Party’s liability taken together in the aggregate, arising out of or related to this DPA, including without limitation under the Standard Contractual Clauses, whether in contract, tort, or under any other theory of liability, is subject to the limitation of liability provisions of the Principal Agreement, except to the extent such liability cannot be limited under Applicable Law.
14.3. Term and Termination
Unless earlier terminated as provided herein, this Agreement shall terminate automatically together with termination or expiry of the Principal Agreement.
14.4. Governing Law and Jurisdiction
This Agreement takes effect, and any disputes arising out of or related hereto, will be governed by, and will be construed in accordance with the laws from time to time in force in the state of New South Wales in the Commonwealth of Australia. The Parties submit to the exclusive jurisdiction of the courts of New South Wales in the Commonwealth of Australia.