Join us for Summer Fridays - 20 minutes on Thursday to take back your weekend

On this day the Parties:


COMPANY NAME

COMPANY ADDRESS

VAT no.: 

(Hereafter referred to as “Data Controller”)


and 


Abacum Planning S.L.

Barcelona, Spain

B67619445

(Hereafter referred to as “Data Processor”)


have entered into the following Data Processor Agreement (DPA) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject. 

  1. Preamble 

    1.1 This DPA set out the rights and obligations of the Data Processor when processing personal data on behalf of the Data Controller.

    1.2 The content of the DPA has been designed to ensure the Parties’ compliance with Article 28 (3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) 

    1.3. In the context of the provision of the SUBSCRIPTION AGREEMENT, the Data Processor will process personal data on behalf of the Data Controller in accordance with this DPA. 

    1.4 This DPA will take priority over any similar provisions contained in other agreements between the parties.

    1.5 Three appendixes are attached to this DPA.

    1.5.1 Appendix A contains details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing. 

    1.5.2 Appendix B contains the Data Controllers conditions for the Data Processors use of sub-processors and a list of sub processors authorised by the Data Controller. 

    1.5.3 Appendix C contains the Data Controllers instructions with regards to the processing of personal data, the minimum security measures to be implemented by the Data Processor and how audits of the Data Processor and any sub-processors are to be performed. 

    1.6 This DPA along with appendixes shall be retained in writing, including electronically, by both Parties.

    1.7 This DPA does not exempt the data processor from obligations to which the Data Processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.


  2. The rights and obligations of the Data Controller

    2.1 The Data Controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (Article 24), the applicable EU or Member State data protection provisions and this DPA.

    2.2 The Data Controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.

    2.3 The Data Controller shall be responsible, among other, for ensuring that the processing of personal data, which the Data Processor is instructed to perform, has a legal basis.


  3. The Data Processor acts according to instructions

    3.1 The Data Processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the Data Processor is subject. Such instructions shall be specified in Appendix A and C. Subsequent instructions can also be given by the Data Controller throughout the durations of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically. 

    3.2 The Data Processor shall immediately inform the Data Controller of the instructions given by the Data Controller, in the opinion of the Data Processor, contravene the GDPR or the applicable EU or Member State data protection provisions.


  4. Confidentiality 

    4.1 The Data Processor shall only grant access to the personal data being processed on behalf of the Data Controller to persons under the Data Processors authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and only on a need to know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn, if access is no longer necessary, and personal data shall consequently not be accessible anymore to those persons. 

    4.2 The Data Processor shall at the request of the Data Controller demonstrate that the concerned persons under the Data Processor’s authority are subject to the above mentioned confidentiality.


  5. Security of processing 

    5.1 Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity of the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

    5.2 The Data Controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following

    5.2.1 Pseudonymisation and encryption of personal data

    5.2.2 The ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services

    5.2.3 The ability to restore the availability and access to personal data in a timely manner in the event of a physical of technical incident

    5.2.4 A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

    5.3 According to Article 32 GDPR, the Data Processor shall also - independently from the Data Controller - evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the Data Controller shall provide the Data Processor with all information necessary to identify and evaluate such risks. 

    5.4 Furthermore, the Data Processor shall assist the Data Controller in ensuring compliance with the Data Controller’s obligations pursuant Article 32 GDPR, by inter alia providing the Data Controller with information concerning the technical and organisational measures already implemented by the Data Processor pursuant to Article 32 GDPR along with all other information necessary for the Data Controller to comply with the Data Controllers obligations under Article 32 GDPR.


  6. Use of Sub-processors 

    6.1 The Data Processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).

    6.2 The Data Processor has the Data Controllers general authorisation for the engagement of sub-processors. The Data Processor shall inform in writing the Data Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days in advance, thereby giving the Data Controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The list of sub-processors already authorised by the Data Controller can be found in Appendix B.

    6.3 Where the Data Processor engages a sub-processor for carrying out specific processing activities on behalf of the Data Controller, the same data protection obligations as set out in this DPA shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this DPA and the GDPR. The Data Processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the Data Processor is subject pursuant to this DPA and the GDPR.

    6.4 A copy of such a sub-processor agreement and subsequent amendments shall - at the Data Controllers request - be submitted to the Data Controller, thereby giving the Data Controller the opportunity to ensure that the same data protection obligations as set out in this DPA are imposed on the sub-processor. 

    6.5 If the sub-processor does not fulfil his data protection obligations, the Data Processor shall remain fully liable to the Data Controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the Data Controller and the Data Processor, including the sub-processor.


  7. Transfer of data to third countries or international organisations

    7.1 The Parties acknowledge and agree that the Data Processor may transfer Personal Data processed under this DPA outside the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, including to the United States, where such transfer is necessary for the provision of the services under the Subscription Agreement and is carried out in accordance with the Data Controller’s documented instructions and applicable Data Protection Laws. 

    7.2 The Data Controller hereby instructs and authorises the Data Processor to make such transfers to Affiliates and Sub-processors engaged in connection with the Services, provided that the Data Processor ensures that an appropriate transfer mechanism under Chapter V GDPR (and, where applicable, the UK GDPR and Swiss data protection law) is in place before any such transfer takes place.

    7.3 Where Personal Data is transferred to a country or recipient that benefits from an adequacy decision by the European Commission, the UK Secretary of State, or the competent Swiss authority, the transfer may take place on the basis of such adequacy decision. 

    7.4 Where no adequacy decision applies, the Data Processor shall ensure that the transfer is subject to appropriate safeguards in accordance with Article 46 GDPR (and, where applicable, the UK GDPR and Swiss data protection law), including:

    (a) the EU Standard Contractual Clauses approved by European Commission Implementing Decision (EU) 2021/914 (“EU SCCs”);

    (b) in respect of transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner’s Office (the “UK Addendum”); and/or

    (c) such other lawful transfer mechanism as may be recognised under applicable Data Protection Laws from time to time.

    7.5 To the extent the Data Processor engages a Sub-processor located outside the EEA, the UK, or Switzerland, the Data Processor shall enter into and maintain in force with such Sub-processor a contract imposing data protection obligations substantially equivalent to those set out in this DPA and, where required, incorporating the applicable Standard Contractual Clauses and/or equivalent transfer mechanism.

    7.6 The Data Processor shall, upon request, provide the Data Controller with reasonable information regarding the applicable transfer mechanism relied upon for relevant onward transfers, including whether the recipient participates in a recognised data transfer framework or is bound by the applicable Standard Contractual Clauses, subject always to confidentiality and commercially sensitive information protections.

    7.7 If any transfer mechanism relied upon by the Data Processor ceases to be valid, becomes unavailable, or is held not to provide an adequate level of protection under applicable Data Protection Laws, the Data Processor shall, without undue delay, implement an alternative lawful transfer mechanism and, where required, notify the Data Controller accordingly.

    7.8 The Data Processor shall not voluntarily disclose Personal Data to any public authority, law enforcement body, or government agency except as required by applicable law. Where legally permitted, the Data Processor shall promptly notify the Data Controller of any legally binding request for access to Personal Data and shall use reasonable efforts to challenge or limit such request where grounds exist to do so.

    7.9 The Data Processorshall implement and maintain supplementary technical and organisational measures, where required, to ensure that transferred Personal Data benefits from a level of protection essentially equivalent to that guaranteed under applicable Data Protection Laws.


  8. Assistance to the Data Controller

    8.1 Taking into account the nature of the processing, the Data Processor shall assist the Data Controller by appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the Data Controllers obligations to respond to requests for exercising the data subjects rights laid down in Chapter 3 GDPR. 


  9. Notification of personal data breach 

    9.1 In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the Data Controller of the personal data breach. 

    9.2 The Data Processors notification to the Data Controller shall, if possible take place within 24 hours after the Data Processor has become aware of the personal data breach to enable the Data Controller to comply with the Data Controllers obligations


  10. Erasure and return of data

    10.1 On termination of the provision of personal data processing services, the Data Processor shall be under obligation to return all the personal data to the Data Controller and delete existing copies unless Union or Member State law requires storage of the personal data. 


  11. Audit and inspection

    11.1 The Data Processor shall make available to the data controller, all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller. The procedures for inspection and audits are described in appendix c.


  12. The Parties agreement on other terms

    12.1 The parties may enter into other agreements about the processing of personal data, as long as they do not contradict directly or indirectly with the clauses set forth in this DPA or prejudice the fundamental rights or freedoms of the data subjects and the protection afforded by the GDPR.

    12.2 Commencement and termination

    12.2.1 This DPA shall become effective on the data of both parties signature.

    12.2.2 Both parties shall be entitled to require this DPA renegotiated if changes to the law or inexpediency of the clauses set forth herein should give rise to such negotiations. 

    12.2.3 This DPA shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, this DPA cannot be terminated unless another agreement governing the provision of personal data processing services have been agreed between the parties. 

    12.2.4 If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the Data Controller pursuant to clause 10.1, this agreement may be terminated by written notice by either party.

    12.2 Signature

A blank table with two columns, each labeled but without any content or data.

Appendix A 

Information about the processing

A.1 The purpose and nature of the Data Processors processing of personal data on behalf of the Data Controller is:

To provide the contracted services as described in the Master Subscription Agreement, such as the preparation of financial and management reporting. 

A.2: The processing potentially includes the following types/categories of personal data about the data subjects: 

Data subjects: employee data, customer data

Potential categories of personal data: name, salary, location, performance data (bonus attainment), personal financial information (account balance, loans, etc.), bank account number


Appendix B

Primary sub-processors: 

Optional sub-processors: 

In the event Artificial Intelligence (AI) technologies are used in the provision of the Services, any processing of Personal Data through such technologies shall be carried out in full compliance with Applicable Data Protection Laws. In particular, the Data Processor guarantees that:

  1. No Training Use: Personal Data provided by the Controller shall not, under any circumstances, be used for the training, fine-tuning, or improvement of any AI models, whether proprietary or provided by third parties.

  2. Private Environment: All Personal Data processed using AI tools or components shall be hosted and processed in a secure, segregated, and private environment, such that the data is not accessible to or shared with other users or customers of the AI solution.

  3. Access Controls and Confidentiality: Appropriate technical and organizational measures shall be implemented to ensure that access to Personal Data is strictly limited to authorized personnel bound by confidentiality obligations.

  4. Transparency and Auditability: Upon request, the Data Processor shall provide the Controller with documentation describing the AI systems involved, their purpose, and the safeguards in place to ensure data isolation and compliance with this clause.

Appendix C 

Instructions pertaining to the use of personal data 

C.1: The instruction for the processing

The Data Processor shall process the personal data only on documented instructions from the Data Controller. The Data Controller may give such instructions throughout the duration of the contract.

The Data Processor shall immediately inform the data controller if it is unable to follow those instructions.

C.2: Security of processing

The Data Processor shall at all times during the term of this DPA maintain information security, data governance and other controls designed to protect information shared by the Data Controller with the Data Processor from unauthorized access, acquisition, use, disclosure, theft, or compromise, including for any purpose other than providing the Services. In this regard, the Data Processor agrees to comply with the AICPA’s SOC 2 framework. Data Processor’s documentation about its information security practices and controls shall be made available to the Data Controller upon the Data Controller’s written request; provided that the Data Controller agrees to keep such policies confidential.

C.3: Assistance to the data controller

The data processor shall insofar as this is possible – within the scope and the extent of the assistance specified below – assist the data controller in accordance with Clause 9.1. and 9.2. by implementing the following technical and organisational measures:

Please refer to Abacum SOC 2 Compliance documentation provided to the Data Controller via email. 

C.4. Storage period/erasure procedures 

Processing by the data processor shall only take place for the duration of the contractual agreement. After the end of the provision of the processing services, the data processor shall, at the choice of the data controller, delete all personal data processed on behalf of the data controller and certify to the data controller that it has done so, or return to the data controller all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data processor shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data processor that prohibit return or deletion of the personal data, the data processor warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law.

C.5. Processing location

Processing of Personal Data under this DPA shall primarily take place within the European Economic Area, including the following locations unless otherwise authorised in writing by the Data Controller:

  • AWS EU-West-1 Region (Ireland)

  • AWS EU-Central-1 Region (Frankfurt)

The Data Controller acknowledges and agrees that certain authorised Sub-processors or service providers used by the Data Processor may process Personal Data outside the EEA, the UK, or Switzerland, including in the United States, where such processing is necessary for the provision of the Services and is carried out in accordance with Clause [Transfer of data to third countries or international organisations], Appendix B, and applicable Data Protection Laws.

C.6. Instruction on the transfer of personal data to third countries

The Data Controller instructs the Data Processor to transfer Personal Data to third countries, including the United States, only where such transfer is necessary for the provision of the Services and only where the Data Processor has ensured that the relevant recipient is subject to an adequate transfer mechanism under applicable Data Protection Laws.

In particular, onward transfers may take place where:
(a) the recipient is located in a country recognised as adequate by the European Commission, the UK Secretary of State, or the competent Swiss authority;
(b) the recipient participates in a recognised data transfer framework that lawfully covers the transfer;
(c) the recipient is contractually bound by the applicable Standard Contractual Clauses and, where relevant, the UK Addendum and/or Swiss law modifications; or
(d) another valid transfer mechanism under applicable Data Protection Laws applies.

Any onward transfer shall remain subject to the data protection obligations set out in this DPA, including purpose limitation, confidentiality, security, and audit rights. The Data Processor shall conduct and document an appropriate assessment of the legal and practical circumstances of the transfer where required by applicable Data Protection Laws and shall adopt supplementary measures where necessary.

C.7. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor

  1. The data processor shall promptly and adequately deal with enquiries from the data controller that relate to the processing under these Clauses.

  2. The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data processor shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

  3. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data controller’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data controller may take into account relevant certifications held by the data processor.

  4. The data controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data processor and shall, where appropriate, be carried out with reasonable notice.

  5. The Parties shall make the information referred to in paragraphs (b) and (c), including the results of any audits, available to the competent supervisory authority on request.