Data Processor Agreement

Effective day 25 May 2018


1. Introduction

This data processor agreement sets forth Customer’s rights and obligations as the data controller (“Data Controller”) and Liveforce’s rights and obligations as the data processor (“Data Processor”) when Liveforce processes personal data on the Customer’s behalf when providing the Services.

2. Processing of personal data

2.1 Data Processor undertakes to only process personal data in accordance with documented instructions from the Data Controller. The Data Controller’s initial instructions to the Data Processor regarding the subject-matter and duration of the processing, the nature and purpose of the processing, the type of personal data and categories of data subjects are set forth in this data processor agreement and in Appendix 1.

2.2 The Data Processor confirms that all personal data is processed, whether by the Data Processor or via a pre-approved sub-processor, within the European Union.

2.3 The Data Controller confirms that, except for any written instruction provided in specific cases according to clause 2.3, the obligations of Data Processor set out in this data processor agreement, including Appendix 1, constitutes the full and complete instructions to be carried out by Data Processor. Any changes to the Data Controller’s instructions shall be negotiated separately and, to be valid, documented in writing in Appendix 1, and duly signed by both parties.

2.4 The Data Processor shall, to the extent required under applicable data protection laws and in accordance with the Data Controller’s written instruction in each case, assist the Data Controller in fulfilling its legal obligations under such laws.

3. Exercise of access rights etc

3.1 If data subjects, competent authorities or any other third parties request information from Data Processor regarding the processing of personal data, Data Processor shall refer such request to the Data Controller. Data Processor may not in any way act on behalf of or as a representative of the Data Controller and may not, without prior instructions from the Data Controller, transfer or in any other way disclose personal data or any other information relating to the processing of personal data to any third party.

3.2 In the event Data Processor, according to applicable laws and regulations, is required to disclose personal data that Data Processor processes on behalf of the Data Controller, Data Processor shall be obliged to inform the Data Controller thereof immediately and request confidentiality in conjunction with the disclosure of requested information.

4. Sub-processors and third country transfers

4.1 The Data Processor may engage sub-processors without the Data Controller’s prior approval. The Data Processor shall ensure that sub-processors are bound by written agreements that require them to comply with the same data processing obligations to those contained in this data processor agreement. Appendix 2 contains a list of pre-approved sub-processors as of the date of entry into force of the data processor agreement.

4.2 The Data Controller recognises and accepts that Data Processor, in accordance with what is stated in Appendix 2, is engaging various pre-approved sub-processors (as described in Third Parties). Provided that and to the extent it does not cause Data Controller or Data Processor to be in breach of applicable data protection laws, Data Processor shall not be obliged to enforce on these Third Parties other obligations regarding the processing of personal data than what is regulated in the Third Parties own data processing agreement that been entered into between a Third Party and the Data Processor.

4.3 The Data Processor shall not, save for the Data Controller’s prior approval, transfer any personal data outside of the EU/EES. If any personal data is transferred to outside of the European Union the Data Processor shall ensure that there is a legal basis in accordance with applicable data protection laws for these transfers. Such legal basis can consist of, e.g., the European Commission’s model clauses, which grant legal basis for Data Controllers within the EU/EES to transfer personal data to Data Processors outside of the EU/EES. The Data Controllers authorises the Data Processor to on behalf of the Data Controller enter into the European Union’s model clauses with such sub-processors which the Data Processor may engage in accordance with clause 4.1 (2017/87/EU). 

5. Information security and confidentiality

5.1 Data Processor shall be obligated to fulfil any legal obligations imposed on it regarding information security under applicable data protection laws and shall, in any case, take appropriate technical and organisational measures to protect the personal data which is processed.

5.2 Liveforce’s current security procedures are described in Security Policy section.

5.3 The Data Processor undertakes not to, without the Data Controller’s prior written consent, disclose or otherwise make personal data processed under this data processor agreement available to any third party, except for sub-processors engaged in accordance with this data processor agreement.

5.4 The Data Processor shall be obliged to ensure that only such staff and other Data Processor representatives that directly require access to personal data in order to fulfil the Data Processor’s obligations in accordance with this data processor agreement have access to such information. The Data Processor shall ensure that such staff and other

Data Processor representatives are bound by a confidentiality obligation concerning this information to the same extent as the Data Processor in accordance with this data processor agreement.

6. Data breach notifications

6.1 Data Processor shall inform the Data Controller without undue delay after becoming aware of any accidental or unauthorised access to personal data or any other security incidents (personal data breach).

6.2 Data Processor shall assist Data Controller with any information reasonably required to fulfil its data breach notification requirements.

7. Audit rights

7.1 The Data Controller shall be entitled to take measures necessary to verify that Data Processor is able to comply with its obligations under this data processor agreement and that Data Processor has in fact undertaken the measures to ensure such compliance. Data Processor undertakes to make available to the Data Controller all information and all assistance necessary to demonstrate compliance with the obligations laid down in this data processor agreement and allow for and contribute to audits, including on-site inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.

7.2 The Data Processor shall immediately inform the Data Controller if, in its opinion, an instruction provided to Data Processor when Data Controller exercises its rights under section 7.1 above, infringes applicable data protection laws.

8. Measures upon completion of processing of personal data

8.1 Upon expiry of this data processor agreement, the Data Processor will, if not instructed otherwise in writing by the Data Controller, erase any personal data processed under this data processor agreement ninety (90) days after the expiry date.

8.2 Upon request by the Data Controller, Data Processor shall provide a written notice of the measures taken regarding the personal data set out in clause 8.1.

9. Compensation

9.1 In light of the formulation of the Services. the Data Processor shall be entitled to compensation for processing of personal data required by the Data Controller in accordance with what is stated in this clause 9.

9.2 The Data Processor will be entitled to reasonable compensation to the extent the Data Controller i) requires the Data Processor to assist the Data Controller in accordance with clauses 2.3, 3.1 and/or 6.2, ii) requires an audit in accordance with clause 7, and/or iii) requires measures to be made following upon completion of processing in accordance with clause 8. The right to compensation only applies to the extent the measure is not already part of the Services or the Services’ functionality. The Data Processor shall be entitled to compensation on a time and material basis, applying Data Processor’s at the time applicable hourly rates.

9.3 In case of changed instructions in accordance with clause 2.1 the Data Processor shall be entitled to compensation for any documented additional costs for the performance of the Services which are due to the change, unless the change is caused by general demands on the Services that cannot be specifically attributed to the Data Controller, e.g. amendments or changes to applicable legislation or industry standards. The Data Processor shall further not be entitled to compensation to the extent the change otherwise corresponds to the obligations that a supplier of similar services as the Services normally can be expected to offer to its customers on reasonable terms and conditions.

Appendix 1

Data processing instructions

Purposes

  1. Provisioning of automated personnel administrative and on-demand workforce management services such as scheduling of jobs, timesheet and expense management, task management and preparation of input for salary calculations etc relating to payments.
  2. System development and testing to ensure the quality of Services provided in accordance with above.

Categories of data

Name, Profile images, ID number, Date of birth, Gender, Address, Phone number, Email address, Employment classification, Identity validation, Tags, Ratings, Internal notes, Next of kin, Roles, Skills and certifications, Experience, Work history, Schedule details, Task details, Salary and expenses details, Absence and other situation details, Customer agreement details, Job and Company application details, Attributes, and Chat/Notification messages.

Categories of Data Subjects

Customers, Customer Employees and Workers.

Processing Operations

Collection, registration, storing, processing and distribution.

Location of Processing Operations

Processing operations are located in EU with hosting in Frankfurt and Dublin through AWS.

Information Security

Please refer to Liveforce’s Security Policy.

Appendix 2

Pre-approved sub-processors are detailed in the Third Parties Policy.