Data Processing Addendum
The following definitions apply solely to this Data Processing Addendum:
(a) “Data Protection Legislation” means European Directives 95/46/EC and 2002/58/EC, and any legislation and/or regulation implementing or made pursuant to them, or which amends or replaces any of them (including the General Data Protection Regulation, Regulation (EU) 2016/679).
(b) “Data Processor”, “Data Subject”, “Processor”, “Processing”, “Sub-Processor” and “Supervisory Authority” be interpreted in accordance with applicable Data Protection Legislation.
(c) “Your Controlled Data” as used in this Addendum means information relating to an identifiable or identified Data Subject, which Cryptlex Processes as a Data Processor in the course of providing you with the Services.
(d). “Breach” means a breach of the security measures resulting in access to Cryptlex's equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored, or processed by Cryptlex on your behalf and instructions through the Services.
This Data Processing Addendum only applies to you if you or your customers are data subjects located within the EU and only applies in respect of Your Controlled Data. You agree that Cryptlex is not responsible for personal data that you have elected to process through Third Party Services or outside of the Services, including the systems of any other third-party cloud services, offline or on-premises storage.
When Cryptlex Processes Personal Data in the course of providing the Services, Cryptlex will:
- 3.1. implement and maintain appropriate technical and organizational measures to protect the Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorized or unlawful processing, accidental loss, destruction, damage or theft of Personal Data and appropriate to the nature of the Personal Data which is to be protected;
- 3.2. notify you promptly, to the extent permitted by law, upon receiving an inquiry or complaint from a Data Subject or Supervisory Authority relating to Cryptlex’s Processing of the Personal Data;
- 3.3. notify you promptly upon becoming aware of and confirming any accidental, unauthorized, or unlawful processing of, disclosure of, or access to the Personal Data;
- 3.4. ensure that its personnel who access the Personal Data are subject to confidentiality obligations that restrict their ability to disclose the Customer Personal Data; and
- 3.5. upon the termination of the Agreement, Cryptlex will promptly initiate its purge process to delete or anonymize the Personal Data.
You are the controller and Cryptlex is the processor of Your Controlled Data.
We will process Your Controlled Data for the purpose of providing you with the Services, as may be used, configured, or modified from within your Account (the “Purpose”).
You will ensure that your instructions comply with all laws, regulations, and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to us by you in accordance with such laws, rules, and regulations. You will also ensure that the processing of Your Controlled Data in accordance with your instructions will not cause or result in us or you breaching any laws, rules, or regulations. You are responsible for reviewing the information available from us relating to data security pursuant to the Agreement and making an independent determination as to whether the Services meet your requirements and legal obligations as well as your obligations under this Data Processing Addendum. Cryptlex will not access or use Your Controlled Data except as provided in the Agreement, as necessary to maintain or provide the Services or as necessary to comply with the law or binding order of a governmental, law enforcement, or regulatory body.
We will process Your Controlled Data for the Purpose and in accordance with the Agreement or instructions you give us through your Account. You agree that the Agreement and the instructions given through your Account are your complete and final documented instructions to us in relation to your Controlled Data. Additional instructions outside the scope of this Data Processing Addendum require a prior written agreement between you and us, including the agreement on any additional fees payable by you to us for carrying out such instructions.
If personal data processed under this Agreement is transferred from a country within the European Economic Area to a country outside the European Economic Area, the parties shall ensure that the personal data are adequately protected. To achieve this, the parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data.
We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable Data Protection Legislation. We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the Services, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach under this Section is not and will not be construed as an acknowledgment by Cryptlex of any fault or liability of Cryptlex with respect to the Breach. Despite the foregoing, Cryptlex's obligations under this Section do not apply to incidents that are caused by you, any activity on your Account, and/or Third-Party Services.
In the course of providing the Services, you acknowledge and agree that Cryptlex may use Sub-Processors to Process the Personal Data. Cryptlex’s use of any specific Sub-Processor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Cryptlex and Sub-Processor.
The liability of each party under this Data Processing Addendum is subject to the exclusions and limitations of liability set out in the Agreement. You agree that any regulatory penalties or claims by data subjects or others incurred by Cryptlex in relation to Your Controlled Data that arise as a result of, or in connection with, your failure to comply with your obligations under this Data Processing Addendum or Data Protection Legislation shall reduce Cryptlex's maximum aggregate liability to you under the Agreement in the same amount as the fine and/or liability incurred by us as a result.
In the event of any conflict or inconsistency between the provisions of the Agreement and this Addendum, the provisions of this Addendum shall prevail. For the avoidance of doubt and to the extent allowed by applicable law, any and all liability under this Addendum, including limitations thereof, will be governed by the relevant provisions of the Agreement. You acknowledge and agree that Cryptlex may amend this Addendum from time to time by posting the relevant amended and restated Addendum and such amendments to the Addendum are effective as of the date of posting. Your continued use of the Services after the amended Addendum is posted to Cryptlex’s website constitutes your agreement to, and acceptance of, the amended Addendum. If you do not agree to any changes to the Addendum, do not continue to use the Service.
You are responsible for any costs and expenses arising from Cryptlex’s compliance with your instructions or requests pursuant to the Agreement (including this Data Processing Addendum) which fall outside the standard functionality made available by Cryptlex generally through the Services.
Save as specifically modified and amended in this Addendum, all of the terms, provisions, and requirements contained in the Agreement shall remain in full force and effect and govern this Addendum. If any provision of the Addendum is held illegal or unenforceable in a judicial proceeding, such provision shall be severed and shall be inoperative, and the remainder of this Addendum shall remain operative and binding on the parties.