Objectives and Guiding Principles
- The objective of these Data Protection Terms (“DPA”) is to establish the rules governing our collection, use, storage, protection and disclosure of Customer Data on your behalf in order to provide the Services to you.
- The guiding principles of this DPA are those found in applicable privacy laws including the collection, use and disclosure of the least amount of Personal Information necessary to provide the Services.
Appointment and Duties
- You hereby appoint us as your service provider for the purposes of providing you with the Services in accordance with the Terms, including this DPA, and we hereby accept such appointment.
- We may collect Customer Data from you, your employees and representatives, and Funders as necessary for the purposes of providing the Services.
- We acknowledge and agree that Customer Data shall at all times remain in your control and that we acquire no independent right to the Customer Data.
Protection of Customer Data
- We agree that in respect of the Customer Data, we shall:
- not use the Customer Data for any purpose other than as necessary to perform the Services;
- not disclose the Customer Data to any person except as necessary to provide the Services, as expressly permitted or instructed you or as required by applicable laws;
- use reasonable physical, organizational and technological security measures in accordance with requirements of privacy laws to protect Customer Data against loss or theft and unauthorized access, use or disclosure;
- restrict access to Customer Data to only those authorized employees and permitted agents and subcontractors that require access to such information to fulfil their job requirements and that are subject to obligations of confidentiality and data protection consistent with those of this DPA; and
- inform you as soon as practical after becoming aware of any unauthorized access to, or use or disclosure of, Customer Data (“Incident”), provide you with relevant particulars of the Incident, and work with you to take reasonable steps to contain and remediate the Incident.
- We will work with you to promote and demonstrate compliance with privacy laws and this DPA.
- We will provide reasonable information and co-operation to you and to any regulatory or other governmental bodies or authorities with jurisdiction over you in connection with any investigations, audits or inquiries.
- We will provide reasonable information and documentation to you to allow you to verify our compliance with this DPA.
- We will designate and identify to you an individual to be accountable for our compliance with this DPA.
- We will not subcontract, assign or delegate to any third party our obligations with respect to the processing of Customer Data in connection with the Services without obtaining written contractual commitments of such third party substantially the same as those of this DPA.
Data Subject Requests and Inquiries
- We will refer all requests for access, correction or consent withdrawal or variation to you and will provide reasonable assistance to you to allow you to respond to such requests in accordance with the requirements of privacy laws.
Retention and Destruction of Customer Data
- Upon termination of the Agreement or upon your request, whichever comes first, we will return, dispose of or destroy, all Customer Data.
- We will comply with privacy laws in providing the Services.
- To the extent of any inconsistency between a provision in the Terms and in the DPA in respect of Customer Data, the provision in this DPA shall prevail.
- This DPA shall survive termination of the Terms until the Customer Data is returned, disposed of, destroyed or anonymized.