DATA PROCESSING AGREEMENT
1 INTRODUCTION
- This Data Processing Agreement (“DPA”) is an inseparable part of the agreement signed between the Provider and the Company concerning the products and services offered by the Provider (“Agreement”). This DPA applies when the Provider Processes Personal Data in providing the Services under the Agreement to the Company and its Group Companies. If the Provider Processes Personal Data on behalf of the Company’s Group Company, the Company is entering this DPA on behalf of itself and such Group Company to the extent required under the Data Protection Legislation.
- If the terms concerning the Processing of Personal Data of the DPA and the Agreement are in conflict, the terms of this DPA shall prevail.
2 DEFINITIONS
- The following definitions shall be applied to this DPA. Any terms used but not defined herein shall be given the meaning allocated to them in the Data Protection Legislation.
- “Allshares Group” means any entity within the group of companies having Allshares Oy as the ultimate parent company.
- “Data Protection Legislation” means all applicable legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to the Controller and the Provider, including without limitation Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).
- “Controller” means the one that determines the purposes and means of the Processing of Personal Data.
- “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
- “Personal Data” means any information relating to an identified or identifiable natural person, hereinafter “Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data, whether by automated means or manually, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Processor” means the legal entity within Allshares Group indicated in the Agreement, who will Process Personal Data on behalf of the Controller based on the Agreement.
- “Sub-processor” means a subcontractor or another Processor of Personal Data engaged by the Processor for carrying out specific processing activities on behalf of the Controller.
3 GENERAL RIGHTS AND OBLIGATIONS OF THE PARTIES
- The Provider shall Process the Personal Data of the Company on behalf of, and per instructions issued by the Company, on the grounds of the Agreement. The Company shall be the Controller and the Provider shall be the Processor of the Personal Data Processed when the Provider provides the Services to the Company under the Agreement. The Parties undertake to Process Personal Data in compliance with the Data Protection Legislation.
- The Company, acting as a Controller, is responsible for ensuring that the Processing of Personal Data is undertaken in compliance with Data Protection Legislation. Information regarding e.g. the purpose and nature of the Processing, types of Personal Data Processed and categories of Data Subjects whose Personal Data is Processed when providing the Services are listed in the Processing specification form (Annex 1 of this DPA).
- The Provider is entitled to Process the Personal Data of the Company only on the grounds of the Agreement and this DPA, according to the written instructions of the Company, and only to the extent and in the manner necessary to provide the Services. The Provider shall immediately inform the Company if, in its opinion, an instruction of the Company infringes Data Protection Legislation, and in such event the Provider may immediately decline and stop applying such instruction.
- The Provider may collect anonymous and statistical data on the use of the Services under the Agreement that does not identify the Company or the Data Subjects, and use it for analyzing and developing Allshares Group’s services. The Provider also has the right to anonymize the Personal Data it Processes under this DPA and to use that anonymized data within the Allshares Group a) as part of benchmark material used in the production of similar products and/or services, and/or b) in test environments of IT systems, provided that such anonymization is irreversible and renders the Data Subjects no longer identifiable. Such anonymized information is not Personal Data and is not subject to Data Protection Legislation.
4 SUB-PROCESSORS
- The Provider is entitled to engage Sub-processors for the Processing the Company’s Personal Data and is hereby given a general authorization by the Company to do so.
- With respect to each Sub-processor, the Provider ensures that the Sub-processor is capable of providing the level of protection for the Personal Data required under this DPA, and the arrangement between the Provider and the Sub-processor is governed by a written contract including terms which offer at least the same level of protection for the Personal Data as those set out in this DPA and impose materially the same obligations on the Sub-processor as this DPA.
- The Provider remains fully liable to the Company for the performance of the Sub-processor’s obligations and for any acts or omissions of the Sub-processor in relation to the Processing of Personal Data.
- The currently authorized and engaged Sub-processors are listed in Allshares’ Sub-processor list (https://www.allshares.com/allshares-subprocessors). The Provider shall inform the Company in advance of any addition or replacement of Sub-processors with thirty (30) days prior written notice by e-mail to the contact person of the Company. The Company may object to such engagement of a Sub-processor by written notice to the Provider within twenty (20) days of the Company’s receipt of the notice from the Provider. The Provider may satisfy the objection by not using the Sub-processor to Process the Company’s Personal Data, by taking corrective steps requested by the Company, or by ceasing to provide the part of the Services that involves the Sub-processor, subject to a mutual agreement of the Parties to adjust the fees for the Services in view of their reduced scope. If none of these options are reasonably available, either Party may terminate the Agreement in respect of the Services that cannot reasonably be provided without the Sub-processor. In the absence of any written objection from the Company, the Company shall be deemed to have consented to such change.
5 PROVIDER’S OBLIGATION TO PROVIDE ASSISTANCE
- The Provider shall immediately forward to the Company all requests to inspect, rectify, erase or object to the Processing of Personal Data, and any other requests received from Data Subjects under the GDPR. If requested by the Company, the Provider shall support the Company in fulfilling the requests of the Data Subjects.
- The Provider is obligated, taking into account the nature of the Processing of Personal Data and the information available to the Provider, to assist the Company in ensuring that the Company complies with Articles 32–36 of the GDPR, including assisting the Company in data protection impact assessments and prior consultations related to the Services. The Provider is obligated to assist the Company only in relation to Processing of the Company’s Personal Data by the Provider. The Provider has the right to invoice the Company for such assistance if the Company’s requests are exceptionally extensive or frequently repeated.
- The Provider shall forward all inquiries made by the data protection authorities or other authorities directly to the Company and await further guidance from the Company. Unless otherwise agreed, the Provider is not authorized to represent the Company or act on behalf of the Company in relation to any authorities.
6 TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA
- The Provider and its Sub-processors may from time to time Process Personal Data outside the EU/EEA when providing the Services within the Agreement.
- Where Personal Data is Processed or transferred outside the EU/EEA, the Provider shall ensure that the transfer is either (a) to countries for which the European Commission has issued an adequacy decision, according to which the country offers an adequate level of data protection, or (b) subject to standard contractual clauses approved by the European Commission or other appropriate transfer mechanism as per Article 46 of the GDPR. Upon request, the Provider shall give information on the protective measures used in accordance with Chapter V of the GDPR and how adequate data protection has been ensured when Personal Data is Processed outside of the EU/EEA.
7 AUDIT RIGHTS
- The Provider shall make available to the Company all information reasonably necessary to demonstrate compliance with its obligations under Article 28 of the GDPR and this DPA.
- The Provider shall allow for and contribute to audits, including inspections, conducted by the Company or an auditor mandated by the Company (however, not a competitor of the Provider) in relation to the Processing of the Company’s Personal Data by the Provider or its Sub-processors. Such audits are limited to one (1) per calendar year, unless otherwise required by a competent supervisory authority or in the event of a Data Breach. Unless otherwise required by a supervisory authority, the Parties shall agree on the time of the audit and other details ahead of time and at least fourteen (14) days before the audit. The audits must be conducted during normal business hours (unless there is a weighty reason to conduct the audit outside those hours, or if so required by the supervisory authority), in a manner that minimizes disruption to the Provider’s business operations. The representatives of the Company and the auditor must sign conventional non-disclosure commitments.
- Each Party shall bear its own costs associated with the audit. If the audit reveals the Provider being in a material breach of this DPA, the Provider shall compensate the Company for the costs and expenses of the audit.
8 TECHNICAL AND ORGANIZATIONAL MEASURES
- The Provider implements and maintains appropriate technical and organizational measures, including the measures outlined in Annex 2 of this DPA, to protect the Personal Data of the Company, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosure or access to Personal Data that has been transferred, saved or otherwise Processed, and other requirements of the GDPR. When organizing the security measures, the technical options and their costs will be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data.
- The Provider shall ensure that the personnel of the Provider and the Sub-processors of the Provider are bound by appropriate non-disclosure and confidentiality commitments.
9 DATA BREACHES
- The Provider must notify the Company of all Data Breaches without undue delay, and in any event within forty-eight (48) hours, after becoming aware of the Data Breach. The Provider shall, without undue delay, give the Company all relevant information concerning the Data Breach. The Provider shall describe at least the following to the Company:
(a) the occurred Data Breach,
(b) the nature of the Personal Data concerned including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned,
(c) a description of the likely consequences caused by the Data Breach, and
(d) a description of reparative measures that the Provider has implemented or will implement in order to prevent Data Breaches in the future, and if necessary, the measures to minimize the harmful effects of the Data Breach.
Where, and in so far as, it is not possible to provide the information at the same time, the Provider may provide the information in phases without undue further delay.
- The Provider shall promptly take the corrective actions that it deems necessary and advisable to identify and remediate the cause of the Data Breach, and work in cooperation with the Company to mitigate the harmful effects of the Data Breach. The Provider shall document the Data Breaches and the consequences thereof, along with the corrective actions it has taken or plans to take.
10 LIABILITY
- The Provider shall be liable for damage only insofar as it has not complied with the obligations imposed on Processors by the GDPR or this DPA. Each Party is obligated to pay only the part of the damages or administrative fine that corresponds to the liability imposed on the Party in breach of its obligations in the final decision of a data protection authority or a court of law. Consequently, neither Party shall bear the other Party’s administrative fines to the extent that it is not that Party’s contractual breach that has given rise to the circumstances for which the administrative fine has been imposed.
- In all cases the Parties’ liability for damages under the DPA shall be limited in scope and to the maximum amounts set out in the Agreement. The limitations of liability shall not apply to damages caused by gross negligence or willful misconduct, or to other damages for which liability cannot be limited under applicable mandatory law.
11 OTHER PROVISIONS
- The Provider shall notify the Company in writing of any changes that may affect its ability to comply with this DPA and the written instructions of the Company. The Parties shall agree on all additions and amendments to this DPA in writing. If the Data Protection Legislation changes, the Parties shall agree on the amendments required to keep this DPA compliant with the Data Protection Legislation.
- The DPA shall remain in force as long as (i) the Agreement is in force or (ii) the Provider Processes Personal Data on behalf of the Company.
- Upon termination of the Agreement, the Provider shall either: (i) delete or irreversibly anonymize the Personal Data, or (ii) return the Personal Data to the Company, if the Company requests the Provider to return the data. Unless otherwise instructed by the Company, the Personal Data shall be deleted or anonymized within thirty (30) days of the termination of the Agreement. However, the Provider may continue to retain the Personal Data if required to comply with Data Protection Legislation.
- Those obligations that due to their nature are meant to survive the expiry of this DPA shall remain in force after the expiry of the DPA.
- This DPA shall be governed by the same laws as the Agreement, and disputes arising out of this DPA shall be subject to the dispute resolution procedure applicable to the Agreement.
12 ANNEXES
- The following annexes form an integral part of this DPA:
(a) Annex 1 Data Processing Specification Form (attached to the Agreement)
(b) Annex 2 Technical and Organizational Security Measures
ANNEX 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
The purpose of this annex is to describe the principles of the technical and organizational data security measures that the Provider has implemented, in accordance with the GDPR.
The Provider implements appropriate technical and organizational data security measures which are designed to meet the data protection principles in an effective manner, and ensures that appropriate safeguards are integrated into the personal data processing in order to meet the requirements of the GDPR and to protect the rights of data subjects, as described below.
1 DATA PROTECTION RISK ASSESSMENT
The Provider carries out a risk assessment for each product or service. The data protection risk assessment is used to decide which data security measures are implemented, with the aim of defining the appropriate level of data security measures for each product or service. In all cases, the Provider has implemented at least the security measures described in the sections below.
2 SECURITY MEASURES
The Provider maintains security and privacy policies. The policies comply with applicable rules on data protection and information security. Said policies are subject to a regular internal review process and may be reviewed by third parties, in accordance with applicable laws and regulations.
The published ISO/IEC 27000-series standards on information security, cybersecurity and privacy protection are used internally as a guiding framework; however, the Provider itself is not ISO certified. The cloud hosting service providers are ISO certified and undergo regular independent third-party audits for ISO compliance.
3 SECURITY OF PERSONAL DATA
The Provider implements the following measures based on Article 32 of the General Data Protection Regulation (Security of processing).
3.1 Pseudonymizing and Encryption of Personal Data
The Provider uses encryption and/or pseudonymization in its operations to mitigate data protection risks where appropriate. The encryption and pseudonymization techniques used may vary between services according to the service requirements and the data protection risk assessment. Details of the measures used are available to a competent authority upon request.
3.2 Ability to Ensure the Ongoing Confidentiality, Integrity, Availability and Resilience of Processing Systems and Services
Protection of personal data requires the implementation of multiple security controls. Operational processes follow good industry practice and help to secure quality of service and safeguard personal data processing.
The Provider has a centralized system to manage administrative access to customer environments. To access a customer system, the employee must have a valid reason, and access is approved only through a process jointly agreed with the customer. At a minimum, all access to customer environments requires an encrypted tunnel within the Provider’s network. Connections to customer environments are logged to provide a full audit trail of administrative operations in customer environments. All remote access to the Provider’s services requires an encrypted connection and, where required by the data protection risk assessment, additional measures (e.g. MFA, strong authentication or IP address verification).
Unauthorized persons are prevented from gaining physical access to data processing facilities. Datacenters are designed, built and operated in a way that strictly controls physical access to the areas where the personal data is stored. Datacenter service providers conduct periodical security reviews of facilities. Personal data is protected against accidental and unlawful destruction utilizing physical and environmental controls.
The Provider controls, monitors and audits all administrative connections, third party access and file transfers which are deployed within the Provider’s infrastructure.
The Provider operates a framework for planning, executing and controlling customer business related operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. The Provider’s management establishes authority and appropriate lines of reporting for key personnel. As part of the hiring process, education verification and background checks are conducted based on the employee’s position and level of access to the Provider’s processing facilities and systems. The Provider maintains and controls the execution of the Provider’s security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity and availability of data, as well as conformance to the Provider’s information security policy.
3.3 Ability to Restore the Availability and Access to Personal Data in a Timely Manner in the Event of a Physical or Technical Incident
To restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the Provider has backup and business continuity management processes and strategies which ensure rapid restoration of business-critical systems as and when necessary.
The Provider has defined continuity and disaster recovery plans for the Provider infrastructure supporting service delivery to customers. These plans are regularly updated and tested and are subject to auditing.
3.4 A Process for Regularly Testing, Assessing and Evaluating the Effectiveness of Technical and Organizational Measures for Ensuring the Security of the Processing
The Provider’s emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of the technical and organizational measures for ensuring the security of personal data processing. Customer-specific disaster recovery testing is agreed separately.
The Provider conducts internal security testing and vulnerability scanning.