Data Processing Addendum

Our Data Processing Addendum (“DPA”) outlines the terms under which the company processes personal data on behalf of its clients, ensuring compliance with data protection regulations. It defines responsibilities, security measures, and data handling procedures to safeguard user information.

DEFINITIONS.

1. Customer Personal Data: Customer Data that is Personal Data owned or controlled by Customer and processed by Adonexus or its affiliates/subcontractors.
2. Data Protection Laws: Laws and regulations applicable to the processing of Customer Personal Data under the DPA, including GDPR, CCPA, and other relevant laws.
3. Data Subject: The person to whom Personal Data relates.
4. GDPR: The General Data Protection Regulation of the European Union and the UK GDPR.
5. Personal Data: Any information related to an identified or identifiable natural person.
6. Processor: The entity processing Customer Personal Data on behalf of the Controller (Adonexus).
7. Process/Processing: Any operation performed on Customer Personal Data such as collection, use, storage, disclosure, etc.
8. Subprocessor: A party engaged by the Processor to process Customer Personal Data.

ADONEXUS OÜ’S OBLIGATIONS

Adonexus shall limit access to Customer Personal Data to only those persons authorized by Adonexus to Process Customer Personal Data and who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Customer shall only provide necessary Customer Personal Data for Adonexus to perform the Adonexus Service. Adonexus will protect confidentiality through technical and organizational security measures. Adonexus provides additional safeguards under GDPR and redress mechanisms for Data Subjects. Adonexus shall notify Customer of any Personal Data Breach within seventy-two (72) hours and take reasonable steps to address it.

CUSTOMER’S OBLIGATIONS

Customer is solely responsible for the accuracy and legality of Customer Personal Data provided to Adonexus. Customer represents and warrants compliance with all applicable Data Protection Laws and has the necessary rights to provide the data for Processing. Customer must obtain all necessary consents and provide required notices to Data Subjects. Customer is responsible for determining the suitability of the Adonexus Service for its data storage and Processing needs. Customer shall defend and indemnify Adonexus against third-party claims alleging a breach of these obligations.

AUDITS AND ASSISTANCE.

Adonexus will conduct regular audits to verify its technical and organizational security measures, following SOC 2 or ISO 27001 standards, at least annually, conducted by an independent third party. The audit will result in a report available to the Customer upon written request, subject to confidentiality obligations.

Adonexus will provide reasonable assistance to Customer for performing data protection impact assessments and complying with obligations under the GDPR, including assisting with cooperation or consultation with the Supervisory Authority and supporting obligations under Articles 32 to 36 of the GDPR, depending on the nature of the Processing.

DATA ERASURE

Upon Customer’s written request, Adonexus will return or delete all Customer Personal Data following the termination of the Agreement, unless such Customer Personal Data is required to be maintained by Data Protection Laws, in which case it shall be held in accordance with the terms of this DPA.

SUBJECT ACCESS REQUESTS

Adonexus will reasonably assist the Customer with Data Subject requests, considering the nature of the Processing. However, Adonexus will not respond directly to these requests. If legally permissible, Adonexus will advise the Data Subject to submit their request to the Customer, who will be responsible for responding.

SUBPROCESSORS

Adonexus may engage its Affiliates and third parties as Subprocessors to provide the Adonexus Service. A current list of Subprocessors is maintained by Adonexus and can be found at this link. New Subprocessors will be appointed according to Article 28(2) of the GDPR. The Customer can subscribe to receive notifications of new Subprocessors. Adonexus will notify the Customer of any new Subprocessors before authorizing them to process Customer Personal Data.

If the Customer does not object within 30 days, consent is considered granted. If the Customer objects to a new Subprocessor, Adonexus will make reasonable efforts to modify the Adonexus Service to avoid processing by the new Subprocessor, without unreasonably burdening the Customer. If Adonexus cannot make the necessary changes within 30 days, the Customer may terminate the Agreement for the affected service. Adonexus will ensure Subprocessors comply with Data Protection Laws and restrict access to Customer Personal Data. Adonexus remains responsible for its compliance and the actions of Subprocessors.

DATA TRANSFERS

Any transfer of Customer Personal Data outside the EEA to a non-adequate third country will be governed by module two of the Standard Contractual Clauses (controller to processor) or other valid transfer mechanisms under the GDPR. Adonexus will be the data importer, and the Customer will be the data exporter under these clauses. For transfers from the UK, the UK Addendum (Annex IV to the SCCs) will apply. For transfers from Switzerland, the EU SCCs apply with specific references to Swiss Data Protection Laws, and the Swiss FDPIC will be the supervisory authority. Disputes may be resolved in Swiss courts.

LAW ENFORCEMENT ACCESS

Adonexus will not disclose or provide access to Customer Personal Data to law enforcement unless required by law. If approached by law enforcement, Adonexus will try to redirect the request to the Customer. If disclosure is required, Adonexus will promptly notify the Customer unless prohibited by law. Adonexus certifies that it has not created back doors or unauthorized access mechanisms to Customer Personal Data or systems, nor will it facilitate such access. Adonexus is not obligated to create or maintain back doors or provide third-party encryption keys for decrypting Customer Personal Data.

CHANGES IN LAWS

If new Data Protection Laws, changes to existing laws, or emerging cybersecurity threats require changes to how Adonexus delivers the service, the Parties will agree on the impact and make adjustments to the Agreement and service terms.