Data Processing Addendum

The Alcatraz website is comprised of various web pages operated by Alcatraz. The Alcatraz website is offered to you conditioned on your acceptance without modification of the terms, conditions, and notices contained herein. Your use of the Alcatraz website constitutes your agreement to all such terms, conditions, and notices.

1. Definitions

Terms not otherwise defined in this DPA have the meaning as outlined in the Agreement.

Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of Processing Personal Data.

Data Protection Laws: All applicable worldwide legislation relating to data protection and privacy that applies to the respective party in the role of Processing Personal Data in question under the Agreement.

Data Subject: The individual to whom Personal Data relates.

Instructions: The written or documented instructions issued by a Controller to a Processor and directing the same to perform a specific or general action regarding Personal Data (including, but not limited to, depersonalizing, blocking, deletion, and providing of Personal Data).

Personal Data: Any information which alone or in combination with other information can be used to identify a living person and is Processed by Alcatraz on behalf of System Owner.

Personal Data Breach: A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted.

Processing: Any operation or set of operations which is performed on Personal Data, including storage, use, access and reading. The terms “Process,” “Processes,” and “Processed” will be construed accordingly.

Processor: A natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Controller.

Sub-Processor: Any Processor engaged by Alcatraz or our Affiliates to assist in fulfilling our obligations concerning the provision of the Services under the Agreement. Sub-processors may include third parties or Alcatraz Affiliates but will exclude any Alcatraz employee or consultant.

System Owner: The customer who enters into an Agreement with Alcatraz or an Alcatraz Partner to install, operate, and license Alcatraz’s products. Depending on the relevant Agreement, the System Owner might be referred to as Solution Owner, Client, Customer, or equivalent.

2. Processing

2.1 When Processing Personal Data under System Owner Instructions, the parties acknowledge and agree that System Owner is acting as the Controller of Personal Data (either as the Controller or as a Processor on behalf of another Controller) and Alcatraz is the Processor under the Agreement.

2.2 Each party will comply with its respective obligations under the applicable Data Protection Laws for the Processing of the Personal Data and is responsible for determining the requirements of laws and regulations applicable to its activities. System Owner will not use the Service in a manner that would violate applicable Data Protection Laws.

2.3 The parties agree that the Agreement (including this DPA), together with System Owner’s use of the Service under the Agreement, are System Owner’s complete Instructions to Alcatraz about the Processing of Personal Data. If Alcatraz cannot Process Personal Data under System Owner’s Instructions due to a legal requirement under any applicable law, Alcatraz will (i) promptly inform the System Owner about that legal requirement to the extent allowed by the applicable law; and (ii) where necessary, stop all Processing (other than merely storing and maintaining the security of the affected Personal Data) until System Owner issues new Instructions with which Alcatraz can comply. If this provision is invoked, the System Owner may terminate the affected Service as agreed in the applicable Agreement.

2.4 Details of categories of Data Subjects, types of Personal Data, duration of Processing, purpose and nature of Processing, and Processing activities are specified in Annex 1.1 & Annex 1.2 (“Details of Processing”) for the specific Service. A DPA is not typically required for on-premise (On-Prem) services because Alcatraz generally does not access the System Owner’s Personal Data. A DPA would only become relevant if the System Owner chooses to grant Alcatraz access to Personal Data for support purposes.

3. Technical and organizational measures

Alcatraz will implement and maintain technical and organizational measures to protect Personal Data from Personal Data Breaches, as described under Annex 2 to this DPA (“Technical and Organizational Measures”). Notwithstanding any provision to the contrary, Alcatraz may modify or update the Security Measures at our discretion if the modification or update does not result in a material degradation in the protection offered by the Security Measures.

4. Personal data breach

Alcatraz will inform System Owner without undue delay after Alcatraz becomes aware of any Personal Data Breach and will assist System Owner. Alcatraz will investigate the Personal Data Breach if it occurred on Alcatraz’s infrastructure or in an area of Alcatraz’s responsibility.

5. Deletion or return of personal data

Alcatraz will delete or return all System Owner’s data, including Personal Data (including copies thereof) Processed under this DPA, as per System Owner’s instructions or should System Owner discontinue using Alcatraz’s services unless required otherwise by applicable law.

6. Data subject requests

If a Data Subject Request or other communication regarding the Processing of Personal Data under the Agreement is made directly to Alcatraz, Alcatraz will promptly inform the System Owner and advise the Data Subject to submit their request to the System Owner. System Owner will be solely responsible for responding substantively to any such Data Subject Requests or communications involving Personal Data.

7. Sub-processors

7.1 System Owner agrees Alcatraz may engage Sub-Processors to Process Personal Data. Alcatraz has appointed, as Sub-Processors, the third parties and Alcatraz Affiliates listed in Annex 3 (“List with Alcatraz’s Sub-Processors”) to this DPA. Alcatraz will allow System Owner to object to the engagement of new Sub-Processors on reasonable grounds relating to the protection of Personal Data within 30 days of receipt of notification of change. Should System Owner object to the engagement of a new Sub-Processor, Alcatraz and System Owner will discuss System Owner’s concerns in good faith to achieve a commercially reasonable resolution. If no such resolution can be reached, Alcatraz will, at its sole discretion, either not appoint the new Sub-Processor, or permit System Owner to suspend or terminate the affected service under the termination provisions of the Agreement without liability to either party (but without prejudice to any fees incurred by System Owner before suspension or termination).

7.2 Alcatraz will impose data protection terms on the Sub-Processors that provide at least the same level of protection for Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by such Sub-Processors.

8. Demonstration of compliance

8.1 Subject to confidentiality, Alcatraz will make all information reasonably necessary to demonstrate compliance with this DPA available to System Owner and allow for and contribute to audits. Alcatraz will supply (on a confidential basis) recent certifications and/or summary audit reports to System Owner so that System Owner can verify Alcatraz’s compliance with this DPA. Only to the extent strictly necessary, System Owner may conduct an onsite audit during regular business hours and in a manner that causes minimal disruption to Alcatraz’s business. This Section will not affect System Owner’s statutory audit rights under Article 28 of the GDPR.

8.2 System Owner will make a written request for any assistance or additional instructions referred to in this DPA. Alcatraz may charge the System Owner no more than a reasonable charge to perform such assistance or reasonable instructions. If the System Owner does not agree with the proposed charges, the parties will reasonably cooperate to find a feasible solution.

9. Transfer mechanism for data transfers and country-specific terms

9.1 Alcatraz will not transfer Personal Data to any country or recipient not recognized as providing an adequate level of protection for Personal Data (within the meaning of applicable European Data Protection Laws) unless it first takes all such measures as are necessary to ensure the transfer complies with applicable European Data Protection Laws. To the extent that Alcatraz receives European Data in the United States in connection with the performance of the Services, Alcatraz will follow Standard Contractual Clauses. If European Data Protection Laws require that safeguards are put in place, the Standard Contractual Clauses will be incorporated by reference as per Standard Contractual Clauses agreed between Alcatraz and Solution Owner and as available on the EU Commission website, and form part of the Agreement. If Alcatraz must adopt an alternative transfer mechanism for European Data, in addition to or other than the mechanisms described herein, such alternative transfer mechanism will apply automatically instead of the mechanisms described in this DPA (but only to the extent such alternative transfer mechanism complies with European Data Protection Laws), and System Owner agrees to execute such other documents or take such action as may be reasonably necessary to give legal effect to such alternative transfer mechanism.

9.2 Depending on the applicable Data Protection Laws, additional country-specific terms (“Country Specific Terms”) can apply.
