Data Protection Addendum (DPA)
Updated: February 28, 2022
This Data Protection Addendum (“DPA”) applies to the Processing of Customer Personal Data (defined below) by Cape related to the Agreement.
1.1. In this DPA, the following capitalized terms will have the following meanings:
(a) "Affiliate" means an entity that owns or controls, is owned or controlled by or is under common control or ownership with a Party, where control is defined as the possession, directly or indirectly, of the power to direct or cause the direction of the management and policies of an entity, whether through ownership of voting securities, by contract or otherwise.
(b) "Cape" means the Cape Entity specified in the Agreement. If not so specified, Cape means Cape (US) Inc., a Delaware corporation, and its Affiliates.
(c) "Authorized Affiliate" means an Affiliate of Customer that is authorized to use the Service pursuant to the Agreement but is not a direct party to the Agreement.
(d) "Agreement" means the existing Terms of Service, Agreement, adoption agreement, order form or other written agreement between a Cape Affiliate and Customer pursuant to which Cape provides the Service, including any exhibits, statements of work, addenda and amendments thereto (including this DPA).
(e) "Applicable Laws" means Data Protection Laws, EU Data Protection Laws, and UK Data Protection Laws.
(f) "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
(g) "Customer Personal Data" means any Personal Data that is Processed by Cape (or any Subprocessor) on behalf of Customer or an Authorized Affiliate, pursuant to Cape’s performance of Service under the Agreement.
(h) "Data Protection Laws" means the applicable data protection, privacy and cyber security laws or regulations, including (to the extent applicable) EU and UK Data Protection Laws and California Civil Code Sec. 1798.100 et seq. (“CCPA,” the California Consumer Privacy Act of 2018).
(i) "Data Subject" means the individual to whom the Customer Personal Data relates.
(j) “EU Data Protection Laws” means the GDPR and the laws implementing or supplementing the GDPR.
(k) "GDPR" means General Data Protection Regulation (EU) 2016/679.
(l) "Personal Data" means any information that identifies, could be used to identify or is otherwise linked or reasonably linkable with a particular individual or household, as well as any information defined as "personal data," "personal information" or equivalent term under applicable Data Protection Laws.
(m) "Process" or "Processing" means any operation or set of operations which is performed on Customer Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of the data.
(n) "Processor" means the "processor", "service provider" or equivalent term under applicable Data Protection Laws.
(o) "Restricted Transfer" means a transfer of Customer Personal Data by or to Cape or a Subprocessor, in each case, where such transfer would be prohibited by Data Protection Laws in the absence of the Standard Contractual Clauses.
(p) "Security Incident" means any unauthorized access to, or use or disclosure of, Customer Personal Data while such data is being Processed by Cape, as well as any loss, theft or acquisition of such Customer Personal Data.
(q) "Service" means the products, services and other activities to be supplied to or carried out by or on behalf of Cape for Customer under the Agreement, or has the meaning given to it by the Agreement.
(r) "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries pursuant to regulation (EU) 2016/679, as approved by the Commission Implementing Decision (EU) 2021/914 of 4 June 2021, or the analogous standard contractual clauses approved by the UK Supervisory Authority.
(s) "Subprocessor" means any person or entity (excluding an employee of Cape) appointed by or on behalf of Cape that Processes Customer Personal Data.
(t) "Supervisory Authority" means the relevant regulatory authority with regard to applicable Data Protection Laws, including where applicable a supervisory authority as defined under the GDPR.
(u) "UK Data Protection Laws" means the GDPR as transposed into United Kingdom national law by operation of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), together with the Data Protection Act 2018, the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 and other data protection or privacy legislation in force from time to time in the United Kingdom. In this Agreement, in circumstances where the UK Data Protection Laws apply, references to the GDPR and its provisions will be construed as references to the UK Data Protection Laws and their corresponding provisions, and references to "EU or Member State laws" will be construed as references to UK laws.
1.2. Capitalized terms used but not otherwise defined in this DPA will have the meaning set forth in the Agreement.
2. Processing of Customer Personal Data
2.1. The Parties agree that Customer or any Authorized Affiliate is a Controller and that Cape is a Processor, with respect to the Customer Personal Data processed pursuant to the Service, and that each will comply with their respective obligations under applicable Data Protection Laws.
2.2. Customer represents and warrants that it has the authority and right to enter into this DPA and to instruct Cape to Process Customer Personal Data as set forth hereunder, on behalf of itself and each Authorized Affiliate, as applicable. Customer will not instruct Cape to Process Customer Personal Data in violation of applicable Data Protection Laws. Customer will provide all necessary notices to, and obtain all necessary consents from, Data Subjects pursuant to Data Protection Laws.
2.3. Cape will Process Customer Personal Data only in accordance with the documented instructions of Customer (which includes this DPA, the Agreement and any further written agreement or documentation through which Customer instructs Cape to perform specific Processing of Customer Personal Data), or where otherwise required by Applicable Laws. Customer hereby instructs Cape to Process Customer Personal Data to provide the Service or otherwise perform the Agreement, including by engaging Subprocessors and transferring Customer Personal Data to international jurisdictions, provided such engagement or transfer complies with Sections 5 (Subprocessing) and 11 (Restricted Transfers) herein, respectively. Cape will notify Customer if it is, or believes it will be, unable to comply with the terms of this DPA or applicable Data Protection Laws.
2.5. The subject matter and duration of the Processing, the nature and purpose of the Processing, the type of Customer Personal Data and the categories of Data Subjects, as required by applicable Data Protection Laws, including Article 28(3) of the GDPR, are as follows:
(a) Subject matter: The subject matter of the Processing under this DPA is Customer Personal Data.
(b) Duration: As between Cape and Customer, the duration of the Processing under this DPA is determined by Customer.
(c) Purpose of the Processing: The purpose of the Processing under this DPA is the provision of the Service as initiated by Customer from time to time.
(d) Nature of the Processing: Compute, storage, and such other Service as described in the Agreement and initiated by Customer from time to time.
(e) Type of Customer Personal Data: Customer Personal Data uploaded to the Service under Customer’s Cape accounts.
(f) Categories of Data Subjects: The Data Subjects may include Customer’s customers, employees, suppliers and end users, and those of the Customer’s suppliers and end users.
2.6. Cape may not disclose, transfer, or sell any Customer Personal Data for any purpose other than for the specific purposes set forth in Section 2.4, and not outside of its direct business relationship with Customer; Cape certifies that it understands and will comply with the foregoing restrictions.
3.1. Cape will take reasonable steps to (a) ensure the reliability of any individual who may have access to Customer Personal Data; and (b) ensure that each such individual is informed of the confidential nature of Customer Personal Data and the restrictions on Processing of Customer Personal Data hereunder, and subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
4.1. Cape will, in relation to the Customer Personal Data, implement technical and organizational measures, as set forth in Annex 1 to this DPA, which are designed to ensure a level of security appropriate to the risks presented by Processing, taking into account in particular the risks from a Security Incident.
5. Subprocessing
5.1. Customer expressly consents to Cape’s engagement of Subprocessors as of the date of this DPA. Further, Customer agrees that Cape may engage Subprocessors, subject to Cape’s compliance with this Section 5. Without limiting the foregoing, Customer specifically authorizes Cape to engage as Subprocessors: (i) Cape Affiliates; (ii) those Subprocessors currently engaged by Cape as of the Effective Date as set forth at https://capeprivacy.com/subprocessors/; and (iii) additional or new Subprocessors. Cape will provide Customer with notice at least 30 days prior to appointing any additional or new Subprocessor. Upon receiving such notice, Customer may reasonably and in good faith object to Cape’s appointment of a new Subprocessor by notifying Cape in writing within 30 days of receiving notice of the new Subprocessor; the Parties will work together in good faith to resolve Customer’s objection. If the Parties are unable to resolve Customer’s objection within 30 days of Customer’s notice of objection, Cape may terminate the Agreement by notifying Customer in writing.
5.2. With respect to each Subprocessor, Cape will:
(a) carry out adequate due diligence to ensure that the Subprocessor is capable of providing an equivalent level of protection for Customer Personal Data required by this DPA;
(b) ensure that the arrangement with the Subprocessor is governed by a written contract including terms which include an equivalent level of protection for Customer Personal Data as those set out in this DPA;
(c) if that arrangement involves a Restricted Transfer, ensure that the Standard Contractual Clauses are at all relevant times incorporated into the agreement with Subprocessor; and
(d) remain fully liable to Customer for the performance of each Subprocessor’s obligations.
6. Reasonable Assistance
6.1. With respect to any request, enquiry, or complaint received by Cape or any Subprocessor from a Data Subject regarding Customer Personal Data, including any request to exercise rights under the Data Protection Laws, (hereafter, a "Data Subject Request"), Cape will:
(a) promptly notify Customer of such Data Subject Request;
(b) not respond to such Data Subject Request, except on the documented instructions of Customer or as required by Applicable Laws, in which case Cape will, to the extent permitted by such Applicable Laws, provide prior notice to Customer of such legal requirement before responding to such Data Subject Request; and
(c) provide reasonable assistance as necessary to the Customer to enable Customer to limit, seek to limit, or respond to such Data Subject Request. Such assistance will include, to the extent Customer does not already have access to the relevant information, and where required and practicable, appropriate technical and organizational measures, to allow Customer to effectively respond to requests from Data Subjects to exercise their rights under the Data Protection Laws.
6.2. Upon request and taking into account the information available to Cape, Cape will provide reasonable assistance to Customer as necessary to enable Customer to conduct any required data protection impact assessments and prior consultations with Supervisory Authorities as required by Data Protection Law.
7. Third-Party Requests
7.1. With respect to any request, enquiry, or complaint received by Cape or any Subprocessor from a Supervisory Authority or other third party regarding Customer Personal Data, including any request to exercise rights under the Data Protection Laws, (hereafter, a "Third-Party Request"), Cape will, unless prohibited from doing so by Applicable Laws:
(a) promptly notify Customer of such Third-Party Request;
(b) not respond to such Third-Party Request, except on the documented instructions of Customer or as required by Applicable Laws, in which case Cape will, to the extent permitted by such Applicable Laws, provide prior notice to Customer of such legal requirement before responding to such Third-Party Request; and
(c) provide reasonable assistance as necessary to the Customer to enable Customer to seek to limit, quash or respond to such Third-Party Request. Such assistance will include, where practicable, appropriate technical and organizational measures to allow Customer to effectively respond to such Third-Party Request.
8. Security Incident
8.1. Cape will notify Customer without undue delay upon Cape becoming aware of a Security Incident affecting Customer Personal Data, providing Customer with sufficient information to allow Customer to meet any obligations to notify a Supervisory Authority, Data Subjects or other third party of the Security Incident under the Data Protection Laws.
8.2. Cape will co-operate with Customer as necessary and take such reasonable commercial steps as are requested by Customer to assist in the investigation, mitigation and remediation of each such Security Incident. Unless required by Applicable Laws, Cape will not inform any third party of such a Security Incident without the prior, written consent of Customer.
9. Deletion or return of Customer Personal Data
9.1. Cape will destroy or securely delete, or otherwise render permanently inaccessible, the Customer Personal Data within 30 days after the termination or expiration of the Agreement, unless prohibited by Applicable Laws, and will upon request certify in writing to Customer that such Customer Personal Data has been deleted in accordance with this DPA. If Cape is required by Applicable Laws to retain any Customer Personal Data, Cape will take steps to (i) ensure the continued confidentiality and security of the Customer Personal Data; (ii) securely delete or destroy the Customer Personal Data when the legal retention period has expired; and (iii) not actively Process the Customer Personal Data other than as needed to comply with such Applicable Laws.
10. Audit rights
10.1. Cape will make available to Customer on request information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to, and cooperate with, audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of Customer Personal Data and associated privacy and security controls, subject to the following conditions:
(a) Customer will give Cape reasonable notice of any audit or inspection to be conducted under this Section 10.1, and will take (and ensure that each of its mandated auditors takes) reasonable measures to avoid or minimize any damage, injury or disruption to Cape’s or a Subprocessor’s premises, equipment, personnel and business during the course of such audit or inspection; and
(b) an audit or inspection will be conducted no more than once annually, except to the extent conducted in response to a Security Incident or where required by a Supervisory Authority or Data Protection Laws.
10.2. Customer must bear the full costs of any such audit, unless an audit is triggered by a Security Incident for which Cape is responsible.
11. Restricted Transfers
11.1. Customer hereby expressly consents to Restricted Transfers, subject to compliance with the obligations set out in this Section 11 and the DPA.
11.2. Customer for itself and each Authorized Affiliate as relevant (each a "data exporter") and Cape for itself and its Affiliates as relevant, (each a "data importer") hereby enter into the Standard Contractual Clauses in respect of any Restricted Transfer, which will take effect upon the commencement of a Restricted Transfer and the execution of the Standard Contractual Clauses by the data importer.
11.3. Prior to any Restricted Transfer to a Subprocessor, Cape will ensure that in its written agreement with Subprocessor, the Standard Contractual Clauses have been incorporated and duly and effectively executed as required herein. Customer hereby authorizes Cape to enter into the Standard Contractual Clauses with Subprocessors for and on its behalf.
12. General Terms
12.1. Governing Law. Without prejudice to clauses 17 (Governing law) and 18 (Choice of forum and jurisdiction) of the Standard Contractual Clauses, the Parties hereby agree to submit to the choice of jurisdiction and venue set forth in the Agreement, with respect to any disputes or claims arising under this DPA.
12.2. Order of precedence. Conflicts or inconsistencies will be resolved as follows: (i) in any conflict between the terms of the Agreement and this DPA, this DPA will control; and (ii) the Standard Contractual Clauses will control in any conflict with the other terms of this DPA.
12.3. Changes in Data Protection Laws. If any amendment to this DPA is required as a result of a change in Data Protection Laws, including any variation which is required to the Standard Contractual Clauses, then either Party may provide written notice to the other Party of that change in law. The Parties will discuss and negotiate in good faith any necessary variations to this DPA, including the Standard Contractual Clauses, to address such changes. Parties will not unreasonably withhold consent or approval to amend this DPA pursuant to this Section 12.3 or otherwise.
12.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA will remain valid and in force. The invalid or unenforceable provision will be either (i) amended as necessary to ensure its validity and enforceability, while preserving the Parties' intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
Annex 1: technical and organizational measures
This Annex 1 (“Security Controls”) sets forth the minimum security requirements applicable to the Agreement, the Service and the Processing of Customer Personal Data pursuant to the DPA.
1. Any Processing of Customer Personal Data will take place on data processing systems for which commercially reasonable technical and organizational measures for protecting Customer Personal Data have been implemented. Cape will maintain reasonable and appropriate technical, physical, and administrative measures to protect Customer Personal Data under its possession or control against unauthorized or unlawful Processing or accidental loss, destruction or damage, taking into account the harm that might result from unauthorized or unlawful processing or accidental loss, destruction or damage and the sensitivity of the Customer Personal Data.
2. Security measures will be designed to:
(a) deny unauthorized persons access to data-processing equipment used for processing Customer Personal Data (equipment access control);
(b) prevent the unauthorized reading, copying, modification or removal of media (data media control);
(c) prevent the unauthorized input of Customer Personal Data and the unauthorized inspection, modification or deletion of stored Personal Data (storage control);
(d) prevent the use of automated data-processing systems by unauthorized persons using data communication equipment (user control);
(e) provide that persons authorized to use an automated data-processing system only have access to the Customer Personal Data covered by their access authorization (data access control);
(f) enable Cape to verify and establish to which individuals Customer Personal Data have been or may be transmitted or made available using data communication equipment (communication control);
(g) enable identification of which Customer Personal Data have been put into automated data-processing systems and when and by whom the input was made (input control);
(h) prevent the unauthorized reading, copying, modification or deletion of Customer Personal Data during transfers of those data or during transportation of storage media (transport control);
(i) include commercially reasonable disaster recovery procedures to provide for the continuation of services under the Agreement and backup of Customer Personal Data; and
(j) ensure that appropriate technical security solutions are implemented and managed to protect the confidentiality, integrity and availability of Customer Personal Data.
3. Where appropriate, data will be encrypted in transmission and at rest, using industry-standard cryptographic techniques and secure management of keys.
4. Cape will take reasonable steps to ensure the reliability of its employees and other personnel having access to Customer Personal Data, and will limit access to Customer Personal Data to those personnel who have a business need to have access to such Customer Personal Data, and have received reasonable training regarding the handling of Personal Data and Data Protection Laws.