Data Processing Addendum
Exhibit 10.1
This Data Processing Addendum (“DPA”) is made a part of the Value-Added Reseller Agreement dated as of September 2, 2010, as amended as of March 3, 2014, between Veeva Systems Inc. (“Reseller”) and xxxxxxxxxx.xxx, inc. (“SFDC”) (the “Agreement”), to reflect the parties’ agreement with regard to the Processing of Reseller Customer Data, including Personal Data (as defined below), in accordance with the requirements of European Directive 95/46/EC (the “Directive”) and EU Member States’ national implementations thereof and Switzerland’s Federal Act on Data Protection (collectively, “European Data Protection Laws”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement.
In the course of providing the OEM Services pursuant to the Agreement, SFDC may Process Reseller Customer Data. SFDC agrees to comply with the following provisions with respect to any Reseller Customer Data.
1. | Definitions |
“Data Controller” has the meaning specified for “controller” in European Data Protection Laws.
“Data Processor” has the meaning specified for “processor” in European Data Protection Laws.
“Data Subject” has the meaning specified for “data subject” in European Data Protection Laws.
“Personal Data” has the meaning specified for “personal data” in European Data Protection Laws where such data is submitted to the Services as Reseller Customer Data.
“Processing” has the meaning specified for “processing” in European Data Protection Laws.
“Third Party Processing” shall mean any Processing of Reseller Customer Data performed by a non-SFDC Affiliate third party engaged by SFDC to Process Reseller Customer Data on behalf of SFDC.
2. | Obligations of SFDC |
2.1 | SFDC’s obligations under this DPA shall apply to its Processing of Reseller Customer Data, including Personal Data. |
2.2 | Reseller and SFDC acknowledge that with regard to the Processing of Reseller Customer Data, Reseller Customer is the Data Controller, Reseller is a Data Processor and SFDC is a further Data Processor. |
2.3 | SFDC shall Process Reseller Customer Data in accordance with the requirements of European Data Protection Laws, as they apply to SFDC’s Processing of Reseller Customer Data, and Reseller Customer’s instructions as set forth in the Agreement and this DPA. The following is deemed an instruction by Reseller or Reseller Customer to Process Reseller Customer Data: (a) Processing necessary for the performance of SFDC’s rights and obligations under the Agreement and this DPA; and (b) Processing initiated by Reseller Customer Users in their use of the Combined Solution. |
2.4 | SFDC shall promptly comply with any commercially reasonable request from Reseller Customer or Reseller, as appropriate, requiring SFDC to amend or delete Reseller Customer Data, to the extent legally permitted, to the extent Reseller Customer or Reseller, as appropriate, does not have the ability to do so itself in its use of the Combined Solution or OEM Services, as appropriate. |
2.5 | If SFDC receives any complaint, notice, or communication in which Reseller or Reseller Customer is named that relates directly to (i) SFDC’s Processing of Reseller Customer Data or (ii) either party’s compliance with European Data Protection Laws in connection with SFDC’s Processing of Reseller Customer Data, it shall promptly notify Reseller or |
Page 1 of 4
Reseller Customer, as applicable, and it shall provide Reseller or Reseller Customer, as applicable, with commercially reasonable cooperation and assistance in relation to any such complaint, notice, or communication, to the extent legally permitted. |
2.6 | SFDC acknowledges that Reseller Customers, excluding Reseller Customers whose instance of the Combined Solution is hosted from SFDC’s data center in Japan, may submit Reseller Customer Data from around the world to SFDC data centers located in the United States or European Economic Area. SFDC represents that it is self-certified to the EU/US and Swiss/US Safe Harbor frameworks, as administered by the U.S. Department of Commerce, and that it will maintain its self-certification or any successor programs for the duration of the term of the Agreement. For the avoidance of doubt, SFDC will comply with the relevant Safe Harbor Privacy Principles in its Processing of Reseller Customer Data, including the Onward Transfer Principle. |
2.7 | Excluding Reseller Customers whose instance of the Combined Solution is hosted from SFDC’s data center based in Japan and subject to clause 2.8 below, SFDC shall not (a) store any Reseller Customer Data on a server located outside of the United States or European Economic Area, or (b) transfer for storage any Reseller Customer Data stored on a server located in the United States or European Economic Area to a server located outside the United States or European Economic Area, unless SFDC has received prior written consent from Reseller Customer. |
2.8 | Notwithstanding clause 2.7 above, SFDC may store on servers located in the jurisdictions where its data centers are, which may include jurisdictions outside the United States and European Economic Area, and transfer for storage to such servers identifying information about Reseller Customer’s instance(s) of the Services and Reseller Customer’s End Users for the purposes of operating the OEM Services, such as facilitating the login process and the provision of customer support. Such identifying information shall only include the following personal data about End Users, as provided by Reseller Customer or Reseller in its provision of End User accounts: first and last name, email address, username, phone number, and physical business address. For clarity, storage of the foregoing identifying information constituting personal data on servers outside of the European Economic Area shall be done pursuant to the relevant Safe Harbor principles, including the Onward Transfer Principle, and subject to a SFDC intracompany written agreement requiring the receiving party to provide at least the same level of privacy protection as is required by the relevant Safe Harbor principles. |
2.9 | In accordance with the Agreement, SFDC shall maintain appropriate administrative, physical, and technical safeguards for protection of security including confidentiality, integrity and availability of Reseller Customer Data, as least as stringent as the measures described at xxxx://xxxxx.xxxxxxxxxx.xxx/xxxxx/xxxxxxxx. |
2.10 | SFDC shall promptly notify Reseller or Reseller Customer, as appropriate, if SFDC becomes aware of any unauthorized disclosure of or unauthorized access to any Personal Data (“Security Breach”). In the event that SFDC or its agents (either singly or collectively) are the sole cause of any such Security Breach, SFDC will use commercially reasonable, good faith efforts to restore such Personal Data at its own expense. |
3. | Reseller’s and Reseller Customer’s Obligations |
Reseller shall, and shall contractually obligate Reseller Customers to, Process Reseller Customer Data in accordance with requirements of European Data Protection Laws, including those pertaining to transfers of or access to Reseller Customer Data initiated by Users of the Combined Solution.
4. | SFDC Personnel |
4.1 | SFDC shall ensure that SFDC’s access to Personal Data is limited to those personnel who need such access to meet SFDC’s obligations or rights under the Agreement. |
4.2 | SFDC shall ensure that its personnel who have access to Personal Data are informed of the confidential nature of the Personal Data and have received appropriate training on their responsibilities with respect to such access. |
4.3 | SFDC shall take commercially reasonable steps to ensure the reliability of any of SFDC’s personnel that have access to Personal Data. |
Page 2 of 4
5. | Subcontractors |
5.1 | Reseller acknowledges and agrees that SFDC engages non-SFDC Affiliate third parties, which may provide Reseller Customer support to Reseller or Reseller Customer, as applicable. Such provision of Reseller Customer support may include Third Party Processing. Such Third Party Processing will only occur with Reseller’s prior written consent, which consent may be made by a User via the Services. Except as otherwise described in this Section, SFDC shall not authorize Third Party Processing on behalf of SFDC without Reseller’s prior written consent, which may include consent via email. |
5.2 | SFDC will ensure that any third party engaging in Third Party Processing for support purposes agrees to maintain appropriate safeguards for protection of security including confidentiality, integrity, and availability of Reseller Customer Data and to comply with European Data Protection Laws. For the avoidance of doubt, contractual agreements between SFDC and any third party engaging in Third Party Processing for support purposes will meet the requirements of the Onward Transfer Principle as set out above at clause 2.6. |
6. | Rights of the Data Subject |
6.1 | SFDC shall promptly notify Reseller or Reseller Customer, as appropriate, if it receives a request from a Data Subject for access to that person’s Personal Data, to the extent legally permitted. SFDC shall provide Reseller or Reseller Customer, as appropriate, with commercially reasonable cooperation and assistance in relation to any request made by a Data Subject for access to that person’s Personal Data, to the extent legally permitted and to the extent Reseller or Reseller Customer, as applicable, does not have access to such Personal Data through its use of the Services. |
6.2 | SFDC shall not disclose the Data Subject’s Personal Data to the Data Subject or to a third party other than at the written instruction of Reseller or Reseller Customer, as appropriate, which may be provided via email, unless otherwise permitted in the Agreement or this DPA or as required by law. For clarity, SFDC’s disclosures of Personal Data to Users as contemplated under the Agreement shall be permitted and is not in violation of non-disclosure provisions set forth herein. |
7. | Third Party Certifications and Audit Rights |
7.1 | For the duration of the Agreement, SFDC will maintain an information security management system with respect to Processing Reseller Customer Data in accordance with the ISO 27001 international standard. |
7.2 | Upon Reseller’s written request at reasonable intervals, SFDC shall provide a copy of SFDC’s then most recent copy of the SSAE 16 Service Organization Controls report relating to SFDC’s compliance with information security obligations herein and the status of any open observations. |
7.3 | Upon Reseller’s request, Reseller or its industry-recognized third party auditor may audit or inspect the records, architecture, systems and procedures of SFDC used in connection with the OEM Services to confirm compliance with the terms and conditions of the Agreement relevant to the security and integrity of Customer Data. Reseller or a third-party independent representative performing such audit or inspection shall execute a nondisclosure agreement with SFDC in a form acceptable to SFDC and Reseller and containing confidentiality provisions substantially similar to those set forth in the Agreement with respect to the confidential treatment and restricted use of any proprietary or confidential SFDC information. Any access at SFDC’s facilities shall be subject to SFDC’s reasonable access requirements and security policies, and shall be of reasonable duration and shall not unreasonably interfere with SFDC’s day-to-day operations. Such audit or inspection shall be conducted up to one time per year; Reseller must give SFDC at least 4 weeks prior notice of an audit or site inspection, provided that if such audit or inspection is required by applicable law and Reseller is unable to give such advance notice, such audit may be conducted with one week prior notice. Veeva shall pay for all expenses for an audit or inspection described herein, and if an audit requires the equivalent of more than one business day of time expended by an SFDC employee, Reseller agrees to reimburse SFDC for any additional time expended at SFDC’s then current professional services rates. Reseller may share a summary of the results of its audit or inspection with a Reseller Customer, provided that prior to sharing such summary, the Reseller Customer has entered into a non-disclosure agreement containing confidentiality provisions substantially similar to those set forth in the Agreement to protect SFDC’s proprietary information. |
7.4 | The parties agree that this DPA may be shared with Reseller Customers upon request and will be designated as Reseller confidential information by Reseller. |
Page 3 of 4
8. | Effect of DPA. Subject to the above additions, the Agreement remains in full force and effect. |
9. | Execution. This DPA may be executed in counterparts and exchanged by facsimile or electronically scanned copy exchanged via email or via electronic signature. Each such counterpart shall be deemed to be an original and all such counterparts together shall constitute one and the same DPA. |
The authorized representatives of the parties have executed this DPA by their signatures below:
Veeva Systems Inc. | xxxxxxxxxx.xxx, inc. | |||||||
By: | /s/ Xxxx Xxxxxx | By: | /s/ Xxxxxxx Xxxxxx | |||||
Authorized Signature | Authorized Signature | |||||||
Name: | Xxxx Xxxxxx | Name: | Xxxxxxx Xxxxxx | |||||
Title: | Vice President & General Counsel | Title: | Manager, Sales Ops. – Commercial Sales | |||||
Date: | March 24, 2014 | Date: | April 4, 2014 |
Page 4 of 4