This Data Protection Agreement (the “DPA”) is incorporated into and made part of the agreement for services (the “Agreement”) between Atomic Design Inc. (“Atomic Design”) and the customer identified in the Agreement (“Customer”) and pertains to Atomic Design’s protection of any Customer-provided personal data when Customer uses the Service, to the extent applicable. Capitalized terms have the meanings provided in the Agreement except as provided here.
1. Definitions. In this DPA, the following terms shall have the following meanings:
1.1 “controller”, “processor”, “data subject”, “personal data”, “processing” (and “process”) and “special categories of personal data” shall have the meanings given in Applicable Data Protection Law; and
1.2 “Applicable Data Protection Law” shall mean the GDPR, the UK Data Protection Laws, US Data Protection Laws and all other data protection and privacy laws and regulations of the United States, the United Kingdom and the EEA applicable to the processing of personal data under the Agreement.
1.3 “EEA” means the European Economic Area, which constitutes the member states of the European Union and Iceland, Liechtenstein, Norway and Switzerland.
1.4 “GDPR” means the General Data Protection Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC.
1.5 “Standard Contractual Clauses” means the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the Standard Contractual Clauses. The information required by Annexes 1 and 2 of the Standard Contractual Clauses is provided in Annexes 1 and 2 of this DPA.
1.6 “UK Data Protection Laws” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act of 2018 and the Data Protection Act 2018.
1.7 “US Data Protection Laws” means the California Consumer Privacy Act as amended by the California Privacy Rights Act and its associated regulations and their successors and all other US state and federal laws, regulations and rules applicable to the protection of personal data, which as of the date of publication of this DPA include the Colorado Privacy Act, Connecticut Personal Data Privacy and Online Monitoring Act, Indiana Consumer Data Protection Act, Iowa Consumer Data Protection Act, Montana Consumer Data Privacy Act, Tennessee Information Protection Act, Texas Data Privacy and Security Act, Utah Consumer Privacy Act and Virginia Consumer Data Protection Act.
2. Data Protection.
2.1 Relationship of the Parties. Atomic Design provides an infrastructure and application functionality but does not manage or modify data. As such, Atomic Design is not a data processor with regards to Customer’s Data. However, to the extent Atomic Design is deemed to be a processor under Applicable Data Protection Law, Customer (the controller) appoints Atomic Design as a processor to process the personal data described in the Agreement (the “Data”) only for the limited and specific purpose of providing the data integrity management Service(s) identified in each Order Form executed by the parties or as otherwise agreed in writing by the parties (the “Permitted Purpose”). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law. Atomic Design shall promptly inform Customer if it: (a) becomes aware that processing for the Permitted Purpose infringes Applicable Data Protection Law, or (b) determines it can no longer meet its obligations under this DPA or Applicable Data Protection Law.
2.2 Processing in Accordance with US Data Protection Law. With respect to personal data to which US Data Protection Law applies, Atomic Design will not: (a) “sell” (as defined in applicable laws) any personal data; (b) collect, share, retain, use or disclose any personal data except as necessary to perform services for Customer; or (c) use personal data outside the direct business relationship between the parties. Customer has the right, upon notice to Atomic Design, to take reasonable and appropriate steps to ensure that Atomic Design uses personal data in a manner that is consistent with Customer’s obligations under Applicable Data Protection Law and to stop and remediate unauthorized use of personal data.
2.3 International transfers. Atomic Design shall not transfer the Data outside of the EEA unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law.
2.4 Confidentiality of processing: Atomic Design shall ensure that any person it authorises to process the Data (an “Authorised Person”) shall protect the Data in accordance with Atomic Design’s confidentiality obligations under the Agreement.
2.5 Security: Atomic Design shall implement technical and organisational measures as set out in the Annex to protect the Data (a) from accidental or unlawful destruction, and (b) loss, alteration, unauthorised disclosure of, or access to the Data (a “Security Incident”).
2.6 Subprocessors: Customer consents to Atomic Design engaging the third party subprocessors listed here to process the Data for the Permitted Purpose provided that it: (a) will inform Customer of any intended changes concerning the addition or replacement of other subprocessors, thereby giving Customer the opportunity to object to such changes; (b) imposes data protection terms on any subprocessor it appoints that require it to protect the Data to the standard required by Applicable Data Protection Law; and (c) remains liable for any breach of this Clause that is caused by an act, error or omission of its subprocessor. Customer may object to Atomic Design’s appointment or replacement of a subprocessor prior to its appointment or replacement, provided such objection is based on reasonable grounds relating to data protection. In such event, Atomic Design will either not appoint or replace the subprocessor or, if this is not possible, Customer may suspend or terminate the Agreement (without prejudice to any fees incurred by Customer prior to suspension or termination).
2.7 Cooperation and Data Subjects’ Rights. Atomic Design shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Atomic Design, Atomic Design shall promptly inform Customer providing full details of the same.
2.8 Data Protection Impact Assessment. Atomic Design shall provide reasonable cooperation to Customer (at Customer’s expense) in connection with any data protection impact assessment that may be required of Customer under Applicable Data Protection Law.
2.9 Security Incidents. If it becomes aware of a confirmed Security Incident, Atomic Design shall inform Customer without undue delay and shall provide reasonable information and cooperation to Customer so that Customer can fulfil any data breach reporting obligations it may have under (and in accordance with the timescales required by) Applicable Data Protection Law. Atomic Design shall further take any reasonably necessary measures and actions to remedy or mitigate the effects of the Security Incident and shall keep Customer informed of all material developments in connection with the Security Incident.
2.10 Deletion or Return of Data. Upon termination or expiry of the Agreement, Atomic Design shall (at Customer’s election) destroy or return to Customer all Data in its possession or control. This requirement shall not apply to the extent that Atomic Design is required by applicable law to retain some or all of the Data, or to Data it has archived on back-up systems, in which event Atomic Design shall securely isolate such Data and protect it from any further processing except to the extent required by such law.
2.11 Audit. Atomic Design shall respond to any written audit questions submitted to it by Customer, provided that Customer shall not exercise this right more than once per year. In addition, Customer may contact Atomic Design to request an on-site audit, not more than once per year, of the procedures relevant to the protection of Customer’s personal data. Before the commencement of any such on-site audit, Customer and Atomic Design shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Atomic Design incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Atomic Design. Customer shall promptly notify Atomic Design with information regarding any non-compliance discovered during the course of an audit.
3. Miscellaneous.
3.1 Construction; Interpretation. This DPA is not a standalone agreement and is only effective if the Agreement is in effect between Customer and Atomic Design. This DPA is part of the Agreement and is governed by its terms and conditions, including the limitations of liability therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.
3.2 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.
3.3 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.
3.4 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.
3.5 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by Applicable Data Protection Law, in which case this DPA will be governed by the laws of the Republic of Ireland.
The parties agree that the Standard Contractual Clauses are hereby incorporated by reference into this DPA as follows:
Where Atomic Design processes personal data as a processor pursuant to the terms of the Agreement, Atomic Design and its relevant subprocessor affiliates are located in non-adequacy approved third countries, and Customer and its relevant affiliates are established in the EEA, Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply.
Where Atomic Design processes personal data as a processor pursuant to the terms of the Agreement, Atomic Design and its relevant subprocessor affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA, Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply.
Where the Standard Contractual Clauses identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:
With respect to Personal Data transferred from Switzerland for which Swiss law governs:
Personal data transfers from the United Kingdom will be governed by the SCCs as conformed to UK law pursuant to the International Data Transfer Addendum (the “IDTA”) issued by the UK Information Commissioner’s Office (the “ICO”) and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022.
In Part 1 of the IDTA, the information required by Tables 1 – 3 is provided in the Agreement, the DPA and these SCCs.
The IDTA’s Mandatory Clauses are incorporated by reference into this DPA in accordance with IDTA Alternative Part 2.
References to the EU, member states and GDPR in the SCCs are amended mutatis mutandis to refer to the United Kingdom and UK GDPR.
In Clause 17 of the SCCs (Governing Law), the laws of England and Wales shall govern, and in Clause 18 (Choice of forum and jurisdiction), the courts in London, England shall have jurisdiction. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts in the UK.
Supplementary Measures. The following additional safeguards will be added as a new supplementary annex of the EU SCCs:
The full name, address and contact details for the Data Exporter and Data Importer (as defined below) are set out in the Agreement; and
The data processing activities carried out by Atomic Design under the Agreement may be described as follows:
The personal data transferred will be subject to the following basic processing activities:
The personal data transferred concern the following categories of data subjects:
The personal data transferred concern the following categories of data:
The personal data transferred concern the following special categories of data:
As above
Atomic Design will: