Data Processing Agreement

Version 1, 18th January 2023

  1. Definitions and Interpretation

    1. This Data Processing Agreement (together with its annexes, appendices and schedules, as the context requires) (“DPA”), applies to the processing of personal data as set out in the Master Services Agreement (“MSA”) and is incorporated by reference into the MSA. For the purposes of this DPA the following terms have the same meaning as set out in the MSA: “Wazoku”, “Client”, “party”.
    2. In the event of any inconsistency among the following documents, the order of precedence will be: (a) the terms of this DPA; and (b) the Agreement.
    3. For the purposes of this DPA, unless otherwise defined herein or in the MSA, capitalised terms used in this DPA will have the meaning set out below:
      1. “Applicable Data Protection Laws” means the implementation of Regulation (EU) 2016/679 of the European Parliament on the protection of natural persons with regard to the processing of personal data (“GDPR”) and any act of parliament of any country within the European Economic Area (EEA) which brings this into force, UK GDPR, the CPRA and any other applicable laws and regulations for the protection of Personal Data;
      2. the terms “data controller”, “data processor”, “personal data”, “process” and “processing” shall have the meaning set out in the Applicable Data Protection Laws; and “data subjects” means the individual to whom the personal data relates and as detailed in Appendix A to this DPA.
      3. “CPRA” means the California Privacy Rights Act.
      4. “Documented Instructions” has the meaning given in clause 6.1 of this DPA.
      5. “EU SCCs” means the agreement pursuant to the Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
      6. “SCCs” means, as applicable, the EU SCCs, the UK SCCs and/or any other applicable standard contractual clauses for the transfer of personal data to third countries.
      7. “Security Policy” means Wazoku’s then current Security Policy found here – https://www.wazoku.com/security-policy/.
      8. “Services” means the Platform Services, Supplemental Services and Support Services, as applicable.
      9. “Sub-processor” means any processor engaged by Wazoku and involved in the processing of personal data.
      10. “UK SCCs” means the International Data Transfer Addendum to the EU SCCs, issued by the Information Commissioner’s Office under s.119A (1) of the United Kingdom Data Protection Act 2018.
      11. “UK GDPR” means GDPR as it applies under UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018.
  2. Compliance with Laws. Each party warrants and agrees that it shall process personal data in compliance with the Applicable Data Protection Laws, and, without limiting the generality of the foregoing, each party shall not process personal data without obtaining proper consent or first identifying the appropriate lawful basis for processing and providing appropriate notices and/or disclosures (to the extent required).
  3. Controller Status. Each party acknowledges and agrees that, depending on Services being provided and related processing activities, the data controller and/or data processor status of the parties will differ along with the relevant terms and conditions of this DPA which will apply in each case. In the case of the Wazoku Platform Service (and any related Supplemental Services and Support Services), Wazoku will be considered a Data Processor and for the Wazoku Crowd Service (and any related Supplemental Services and Support Services), each party may either be a joint controller with the other party or, act as a sole controller as the case may be under applicable laws, and in each case as further detailed in Appendix A to this DPA. Depending on such controller and/or Processor status of the parties in each such case, the specific terms in sections 4, 5 and/or 6, as applicable, will apply to the parties.
  4. Sole Controllers. When the parties are separate sole controllers, each party will comply with Applicable Data Protection Laws accepting their own separate responsibilities for ensuring compliance with those laws as a Data Controller.
  5. Joint Controllers. When the parties operate as joint controllers, the parties agree:
    1. Responsibility for processing. Both parties are responsible for their processing of the personal data as a Data Controller, as set out in part 1 of Appendix A ensuring they are compliant with the requirements of the Applicable Data Protection Laws, such as, but not limited to those set out in this clause 5, implementing Data Protection by Design and Default, maintaining the required records of processing activities, and ensuring any international data transfers are compliant and lawful.
    2. Lawful basis. Each party shall ensure it has a lawful basis as defined in Applicable Data Protection Laws for the processing of the personal data.
    3. Data Subject Transparency. Each party shall be responsible and liable for informing all data subjects of its personal data collection and processing activities for which it is responsible in accordance with all Applicable Data Protection Laws, including without limitation, Article 13 and 14 of the GDPR, and if applicable, make reference to the other Controller.
    4. Data Sharing. Each party may share, transfer, or otherwise make available personal data to the other party for the purposes of performing each party’s rights and obligations under the MSA and this DPA, and may only share with third party processors appointed by a party. Each party shall ensure that for any such transfer it shall have adequate and equivalent protections, including without limitations any requirements under Applicable Data Protection laws and this arrangement between the parties, afforded to such personal data.
    5. Security of personal data. Each party shall, in accordance with applicable laws, implement appropriate security measures, including without limitation appropriate administrative, technical, and physical measures, designed to ensure the security, confidentiality, and integrity of personal data prior to and during processing of any personal data. Such safeguards shall be commensurate with the type and amount of personal data being processed and should, at a minimum, protect personal data against reasonably anticipated threats or hazards, including without limitation from unauthorized access, loss, destruction, use, modification, or disclosure.
    6. Data Security Breach. Each party shall (to the extent permitted under applicable law) provide to the other party written notice of any Data Security Breach affecting personal data provided to or received from such other party without undue delay upon becoming aware of the occurrence of such Data Security Breach. Such notice, where available at the time of such notice, shall summarise in reasonable detail the impact of such Data Security Breach upon the other party and data subjects whose personal data is affected by such Data Security Breach and the corrective action to be taken and shall follow up without undue delay with any such details not available at the time of such notice. For the purposes of this paragraph, “Data Security Breach” means (i) the loss or unlawful use (by any means) of personal data; (ii) the unauthorized, and/or unlawful Processing of personal data; or (iii) any other acts or omissions that compromise the security, confidentiality, or integrity of personal data. The responsibility of reporting the Data Security Breach to the relevant regulatory authorities shall lie with the party which has first suffered such breach provided that, where not prohibited by applicable Data Protection Law, such party first will not disclose to any third party, including such relevant regulatory authorities, without the other party’s prior written approval (not to be unreasonably withheld or delayed).
    7. Data Subject Rights. In the event the parties are deemed joint controllers, Wazoku will be mainly responsible for responding to data subject requests for any personal data collected and processed by Wazoku up to the date Wazoku makes the Award to the relevant Solvers. Thereafter the Seeker will be responsible for all data subject requests regarding its collection and processing of personal data in connection with its receipt, use and/or implementation of the Solution(s) and/or any interactions with the relevant Solvers. Up until the date that the Seeker has received the Solution, it will ensure it promptly notifies Wazoku upon receiving any data subject requests for which Wazoku will need to respond.
  6. Client as Controller and Wazoku as Processor. Where the Client is a Data Controller and Wazoku is a Data Processor for the processing of personal data contained in the Client Data processed through or in connection with such Wazoku Platform Services, the parties agree as follows:
    1. Documented Instructions. This DPA and the Agreement (including any related order form) make up the complete set of instructions to Wazoku in relation to the processing of personal data by Wazoku (“Documented Instructions”) and part 2 of Appendix A of this DPA details the subject matter, durations of processing, the type of personal data and related categories of data subjects, in connection with the standard use of the Wazoku Platform Service (as amended from time to time by Wazoku by notification in accordance with clause 7 of this DPA). Wazoku will only process the personal data according to such Documented Instructions, unless required by Applicable Data Protection Law to do otherwise.
    2. Changes to Documented Instructions. The Client acknowledges and agrees that (i) Wazoku is not able or required to verify the residency of each data subject, and (ii) the Client solely determines whether to submit for processing by the Services any personal data, and (iii) except as otherwise expressly contemplated under this DPA, the Client is solely responsible for determining, and ensuring it has entered into the necessary agreements with, any third parties who may have access to personal data as part of any services linked to the Services. The Client is solely responsible for, and shall ensure that:
      1. the Documented Instructions comply at all times with the Applicable Data Protection Laws, and that all personal data may be processed by the Services in compliance with such laws. In the event either party is or becomes aware that those instructions are in conflict with any applicable privacy law, including any Applicable Data Protection Law, it will promptly notify the other party in writing and the parties will work together to resolve any such conflict, provided that Wazoku shall be entitled to: (i) charge the Client for any agreed changes reasonably required to the Services, related procedures and/or this DPA; or (ii) terminate the relevant Order Form and/or the MSA (1) where the required changes impose an excessive burden on Wazoku, make the platform or services substantially different to the existing ones or are not technically feasible, or (2) after the Client has become aware that its instructions infringe applicable legal requirements, the Client insists on compliance with those instructions; and
      2. it has all the necessary rights and/or consents required to allow Wazoku to process the personal data as intended by the Services and share personal data accordingly in accordance with the Documented Instructions, including, without limit, making sure, where required, the appropriate consent has been given by data subjects.
    3. Processing of personal data. Wazoku will only process the personal data in accordance with the Documented Instructions and will not, subject to the rights to use anonymised Client Data in accordance with the Agreement, use the personal data for its own purposes, unless required to do so by law or if it is lawful for them to do so.
    4. Confidentiality. Wazoku will ensure that those of Wazoku’s personnel and Sub-processors who need access to the personal data to enable performance in accordance with the Documented Instructions are subject to obligations of confidentiality.
    5. Compliance with data laws. All Processing of personal data as part of the provision of the agreed Services will be processed in accordance with the requirements of Applicable Data Protection Laws;
    6. Security measures. Wazoku will implement the technical and organisational measures as set out in its Security Policy (as amended from time to time by notification in accordance with clause 7 of this DPA) to protect against unauthorised and unlawful processing and against accidental loss, destruction or damage to the personal data which the Client has reviewed and confirms are appropriate to the harm that might result from the unauthorised or unlawful processing or accidental loss, destruction or damage and the nature of the data to be protected, having regard to the state of technological development and the cost of implementing any measures;
    7. Retrieval of Data. If the Client requires retrieval of the personal data it may do so by using the appropriate APIs of the Services. The Client will be responsible for ensuring that appropriate security protocols are in place for the secure transfer of such data.
    8. Sub-processors. The Client acknowledges the provision of the agreed Services may require Wazoku to engage or make use of Sub-processors to process the personal data. Appendix B of this agreement sets out the Sub-processors Wazoku shall be using as of the effective date of the MSA, and the Client hereby agrees to the use of these Sub-processors. Wazoku will notify the Client, in accordance with clause 7 of this DPA of any new or replacement Sub-processor at least 30 days in advance, thereby giving the Client sufficient time to be able to object to such changes prior to the engagement of the relevant Sub-processor provided that such objection is based on reasonable grounds relating to data protection. If no objection is received by Wazoku within 30 days of the date of the notice from Wazoku, the Client will be deemed to have consented to the changes. The parties agree to act reasonably and in good faith to resolve any objection by the Client received within the objection period. Any Processing of personal data by a Sub-processor will be governed by a written agreement with the Sub-processor, and to the extent required under applicable Data Protection Law(s), that agreement shall include terms that are similar in substance to those set-out herein. Where, and to the extent, required under applicable Data Protection Law(s), Wazoku shall be liable for the performance of its Sub-processors to the same extent Wazoku would be liable if Processing personal data itself. To the extent any audit undertaken by the Client pursuant to clause 6.14 requires information relating to a Sub-processor, the Client acknowledges that such information may only be obtained in accordance with the terms of the relevant Sub-processor agreement.
    9. Cross Border Transfers. The Client hereby gives Wazoku its prior, general authorisation for Wazoku to transfer personal data outside of the European Economic Area and/or the UK as required for the purposes of processing personal data hereunder, provided that Wazoku shall ensure that all such transfers are effected in accordance with applicable Data Protection Laws. For these purposes, the Client shall promptly comply with any reasonable request of Wazoku, including any request to enter into the applicable SCCs where no alternative mechanism, such as an adequacy decision, is available or applicable.
    10. Data subject obligations assistance. Wazoku, when relevant, will assist the Client to fulfil its obligations to data subjects pertaining to the exercising of rights of such Data Subjects under Applicable Data Protection Laws.
    11. Data breach. Wazoku will notify the Client without undue delay of any actual unauthorised disclosure of, or accidental or unlawful destruction, loss, compromise, damage or theft of personal data or any incident or set of events, including any that give rise to a ‘personal data breach’ (as such term or any analogous terms, are defined under Applicable Data Protection Laws) providing the necessary information and assistance to the Client to the extent reasonably necessary to enable the Client to meet the Client’s obligations under Applicable Data Protection Laws in connection with such personal data breach.
    12. DPIAs. Wazoku shall assist the Client, at the Client’s expense, if required, in fulfilling any obligations relating to any requirement to carry out Data Protection Impact Assessments or other duties required by Applicable Data Protection Legislation.
    13. Personal data deletion. After completing the agreed Services (or where this DPA or any other service agreement is terminated before completion of the agreed services), Wazoku will securely and permanently delete all copies of the personal data from its systems, unless required by any law or regulation which requires the Client, or Wazoku, to continue to store a copy of the personal data and subject to any rights in the MSA to continue to use anonymised data post termination. Where law or regulation does require retention of the personal data then it will be stored securely and according to the Applicable Data Protection Legislation. Deletion of personal data shall be completed within 30 days after the termination or expiry of the MSA or this DPA or any other service agreement. The Client may retrieve its personal data at any point during the term of the MSA by using the functionalities of the Services, but for any personal data which cannot be retrieved in this way, and/or if the Client requires Wazoku to return its Personal Data, it will notify Wazoku by giving at least 30 days prior written notice of the termination or expiration of the MSA.
    14. Compliance and Audit rights. Wazoku will, if required, provide the Client with all information reasonably necessary in order to show compliance by Wazoku with the terms of this DPA and allow for and contribute to any related audit conducted by the Client, its mandated third party auditor or a supervisory authority under applicable Data Protection Laws; provided that (i) except where an audit is mandated by a regulatory authority, such an audit is limited to no more than once per year, (ii) the audit is subject to reasonable confidentiality controls, (iii) the Client gives at least 30 days prior written notice to Wazoku of the audit and the notice details the scope of the audit and the information requested, and (iv) the Client pays Wazoku’s reasonable costs and expenses incurred in connection with such audit. Client shall ensure that such audits do not unreasonably interfere with Client’s day-to-day business activities and shall comply with Client’s reasonable security requirements.
    15. Data subject and regulatory authority communications. Wazoku will promptly (subject to Applicable Data Protection Law), refer to Client any requests, notices or other communication from data subjects, the regulatory authority in the relevant local jurisdiction or any other law enforcement authority in connection with the processing of Personal data by Wazoku;
    16. No altering personal data. Wazoku will not modify, amend, alter or disclose the contents of the personal data otherwise than as required under the Documented Instructions or unless specifically authorized in writing by the Client.
    17. No disclosure of personal data. Subject to applicable laws, regulations or if legally compelled, Wazoku will not publish, disclose or divulge any of the personal data to any person (including a data subject) except in accordance with the Documented Instructions.
  7. Notifications and Amendments. Where Wazoku is required under this DPA or the MSA to notify the Client of any changes relevant to the processing of personal data, the Client will be notified by sending an e-mail to the Client’s nominated representative(s). Except as otherwise expressly contemplated under this DPA, this DPA may only be amended by the agreement of the parties in writing signed by authorised representatives of the parties.
  8. CPRA. Where the CPRA applies to any personal data processed by Wazoku under this DPA, in addition to the above terms and conditions, the parties agree that: (i) Wazoku is a “service provider” (as defined in the CPRA) for the purposes of the MSA and this DPA; and (ii) nothing in the Documented Instructions, the MSA or this DPA involves the ‘sale’ (as that term is defined in the CPRA) of any personal data.
  9. Limitations of Liability. This DPA is subject to the indemnification and limitation of liability provisions of the MSA.

Appendix A to DPA

Part 1 – Wazoku Crowd Platform Service (and related Supplemental Services and Support Services)

Subject Matter: the proposal of finding solutions to the challenges of the Seeker, verifying the identity and the solution rights of the winners and awarding winners on behalf of the Seeker.

Purpose of processing: providing the Crowd Platform Services to the Seeker

Types of Data: Name, Email address, Address, Phone number, Passport or Government Identification number, Account Routing or IBAN numbers, Account numbers

Categories of Data Subjects: Solvers

Controller Status:

Depending on the facts of each case, the parties agree that:

(i) where they jointly determine the Challenges and Wazoku supports the Seeker with suggestions of which Solutions will move to the next stages of assessment, the parties will be deemed joint controllers until the final selection of the Solution(s) by the Seeker. Upon receipt of the Solution(s), the Seeker shall be deemed a sole controller for the continued processing and collection of personal data;

(ii) where the Seeker solely determines the Challenges and the selection process, the parties will be deemed separate controllers.

Part 2 – Wazoku Platform Service (and related Supplemental Services and Support Services)

Controller / processor status: The Client is the controller and Wazoku is the processor.

  1. Subject Matter:

    processing of personal data submitted through and/or provided in connection with the Wazoku Platform Service (Idea Management) Service.

  2. Type of personal data Processed:

    The types of personal data which Wazoku may process in the provision of the Wazoku Platform Service and related Supplemental Services and Support Services will depend on the data fields activated by the Client for its Users’ use of the Wazoku Service. Wazoku will process any personal data which is submitted by the Client’s Users through their use of such services depending on the data fields activated, which may include for example name, phone number, address.

  3. Categories of Individuals

    The Client’s Users.

  4. Purpose:

    Wazoku processes such personal data solely for the purposes of providing the Wazoku Platform Service and related Supplemental Services and Support Services to the Client and in accordance with the MSA and the DPA.

  5. Duration:

    Wazoku will process such personal data for the duration of the Wazoku Platform Service and related Supplemental Services and Support Services and for a period of up to 30 days after termination of the Agreement to allow for the deletion and/or return of personal data to the Client and will only retain anonymized data after the expiry or earlier termination of the Agreement as permitted in the MSA.

Appendix B to DPA – Sub-processors

List of Sub-processors Wazoku will be using to deliver the Services

Microsoft Azure

  • For Customers in Europe, data location is Germany
  • For Customers in the UK, data location is UK
  • For Customers in the US, data location is US

Amazon Web Services (for backups)

  • For Customers in Europe, data location is Germany
  • For Customers in the UK, data location is UK
  • For Customers in the US, data location is US

Hubspot (for the purposes of support ticketing)

  • For all Customers who submit a support ticket, associated data will be stored by Hubspot in the US