Data Processing Agreement

ANDELA INC

DATA PROCESSING AGREEMENT

Last Updated: 05/25/2018

Between
The Controller, hereinafter referred to as Partner
&
Andela Inc.
The Processor and/or Subprocessor, hereinafter referred to as Andela

  1. This Data Processing Agreement (“DPA”) forms an addendum to the Andela Agreement, executed between Partner and Andela (including any associated Order Form, Statement of Work, or Master Service Agreement entered into therewith, the “Agreement”), and applies to the extent that Andela processes or sub-processes Personal Data on behalf of Partner in the course of providing Services (as defined in the Agreement). This DPA does not apply where Andela is the Controller or where Andela does not serve as a Processor of Partner’s data. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
  2. Definitions – Capitalized terms used in this DPA are defined in this section or in the section of the Agreement in which they were first used.
    1. “Controller” means an entity that determines the purposes and means of the processing of Personal Data.
    2. “Data Protection Laws” means any data protection and privacy laws applicable to the processing of Personal Data under this Agreement including EU Data Protection Law.
    3. “EU Data Protection Law” means both (i) Directive 94/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of Personal Data and on the free movement of such data (“Directive”); and (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (“GDPR”).
    4. “EU Model Clauses” means the standard contractual clauses for Processors as approved by the European Commission pursuant to Decision C (2010)593.
    5. “Personal Data” means any information relating to an identified or identifiable natural person.
    6. “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
    7. “Processor” means an entity that processes Personal Data on behalf of a Controller.
    8. “Services” means the services as defined in Agreement.
    9. “Sub-processor” means any Processor engaged by Andela or any member of its group of companies that processes Personal Data pursuant to the Agreement. Sub-processors may include third parties or any member of Andela’s group of companies.
    10. “Term” means the period from the DPA effective date until the end of Andela’s provision of the Services in the Agreement.
  3. Duration of this DPA
    1. This DPA will take effect on the DPA effective date and, notwithstanding expiry of the Term, will remain in effect until, and automatically expire upon, deletion of all Partner data by Andela as described in this DPA.
  4. Collecting, Processing and Subprocessing of Data under the DPA
    1. Titles
      1. Partner may act either as a Controller or as a Processor with respect to Personal Data. Andela will process Personal Data under the Agreement and this DPA only as a Processor or Subprocessor acting on behalf of Partner.
    2. Partner Data Collection and Processing
      1. Partner will comply with its obligations under the Data Protection Laws in respect of its collecting and processing of Personal Data and any processing instructions it issues to Andela. Partner represents that it has all rights, consents, and authorizations necessary for Andela to process Personal Data pursuant to Data Protection Laws and the Agreement.
      2. Partner authorizes Andela, in providing its Services, to process Personal Data in accordance with applicable laws.
      3. Upon notice in writing to Partner, Andela may terminate the Agreement if Andela has determined, or has reason to believe, that Partner is not in compliance with any data protection laws as a Controller or Processor.
    3. Andela Data Processing
      1. Andela will comply with its processor obligations under Data Protection Laws and will process Personal Data in accordance with Partner’s instruction. Partner agrees that this DPA is its complete and final agreement with Andela in relation to the processing or subprocessing of Personal Data.
      2. Andela will comply with instructions of Partner related to any processing or sub-processing of any Personal Data unless Andela has knowledge that an EU or EU Member state requires other processing of Partner Personal Data, in which case it will inform Partner.
      3. Upon notice in writing, Partner may terminate the Agreement if Andela declines to follow Partner’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in this DPA, to the extent such instructions are necessary to enable Andela to comply with Data Protection Laws.
    4. Andela Data Subprocessing
      1. Andela engages its subsidiaries as sub-processors to provide Services on its behalf. Partner consents to Andela engaging sub-processors to process Personal Data under the Agreement. Andela remains responsible for the acts, errors or omissions of its sub-processors in relation to Andela’s obligations under this DPA.
      2. Andela will ensure that each sub-processor is obligated to protect Personal Data in a manner consistent with the standards of this DPA.
      3. Andela will comply with its subprocessor obligations under Data Protection Laws, this DPA, and will subprocess Personal Data in accordance with Partner’s instruction.
  5. Technical and Organizational Security Measures
    1. Measures by Andela
      1. Prior to the commencement of any processing, Andela shall implement, establish and maintain all necessary technical and organizational security measures to protect against Personal Data Breaches and to preserve the security and confidentiality of Personal Data processed on behalf of Partner. Andela shall present and document these technical and organizational security measures for inspection by Partner. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Andela may, from time to time, modify such technical and organizational security measures, so long as such measures are not reduced, and are appropriately documented.
    2. Measures by Partner
      1. Partner is responsible for using and configuring the Services to enable Partner to comply with Data Protection Laws, including implementing its own appropriate and adequate technical and organizational measures. Partner shall provide Andela with a copy of such measures and notify Andela in writing of any modifications. In the event that Andela Developers use Partner devices, laptops, or computers, Partner shall present and document all technical and organizational security measures for inspection by Andela. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Partner may, from time to time, modify such technical and organizational security measures, so long as such measures are not reduced, and are appropriately documented.
    3. Processing Personal Data
      1. Without written instructions and authorization from Partner, as outlined in this DPA, Andela restricts its personnel from processing Personal Data. Any person authorized by Andela to process Personal Data will be subject to the obligation of confidentiality as provided in the Agreement.
    4. Prohibited Data
      1. Partner acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as financial or health information). Partner must not submit to Andela any Personal Data which is regulated under the Health Insurance Portability and Accountability Act without a separate Business Associate Agreement. In such events, Andela will take reasonable and appropriate steps to notify Partner of its receipt of any prohibited data.
  6. Notification
    1. Upon becoming aware, and no later than 72 hours after becoming aware, of a Personal Data Breach, Andela will notify Partner without undue delay and will provide information relating to the Personal Data Breach as reasonably requested by Partner. Andela will use reasonable efforts and methods to assist Partner in mitigating, where possible, the adverse effects of any Personal Data Breach.
    2. Andela shall assist Partner in complying with the obligations concerning the security of Personal Data, reporting requirements for data breaches, data protection impact assessments and prior consultations. These include:
      1. Ensuring an appropriate level of protection through Technical and Organizational Security Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
      2. The obligation to report a Personal Data Breach immediately to Partner.
      3. The duty to assist Partner with regard to Partner’s obligation to provide information to the Data Subject concerned and to immediately provide Partner with all relevant information in this regard.
      4. Supporting Partner with its data protection impact assessment.
      5. Supporting Partner with regard to prior consultation of the supervisory authority.
    3. Andela may claim compensation for support services which are not included in the description of the Services and which are not attributable to failures on the part of Andela.
    4. Andela’s notification of or response to a Personal Data Breach under this section will not be construed as an acknowledgement by Andela of any fault or liability with respect to the incident.
  7. Deletion and Return of Data
    1. Pursuant to the Agreement, Andela will delete or return to Partner all Personal Data that may be in its possession as provided in the Agreement, except to the extent Andela is required by law to retain any Personal Data. Andela further agrees:
      1. Any copies or duplicates of Personal Data shall not be created without the knowledge or instruction of Partner or as described above.
      2. Upon completion of the Services, or upon request of Partner, Andela shall turn over to Partner or destroy all documents, processing, and utilization results, and data sets obtained in relation to the Agreement, as deemed appropriate by Data Protection Laws.
      3. Documentation which is used to demonstrate orderly data processing in accordance with the Agreement shall be stored beyond the contract duration by Partner in accordance with the respective retention periods. Andela may hand such documentation over to Partner at the end of the contract duration to relieve Andela of this contractual obligation.
  8. Cooperation, Supervision and Audit
    1. Request for Data Protection
      1. Upon notice from individuals or data protection authorities (including requests from individuals seeking to exercise their rights under EU Data Protection Law) as related to the processing of Personal Data under the Agreement, Andela will promptly forward such requests to Partner. Unless legally required to do so, Andela will not respond to such communication without Partner’s authorization. If Andela is required to respond to any request, Andela will notify Partner and provide Partner with a copy of the request, unless legally prohibited from doing so.
    2. Partner Requests
      1. Andela will cooperate with Partner, at Partner’s sole expense, to respond to any requests from individuals or data protection authorities relating to the processing of Personal Data under the Agreement to the extent that Partner may be unable to access relevant Personal Data.
      2. Andela shall inform Partner immediately if Andela believes any instruction or request violates Data Protection Laws.
      3. Partner shall confirm immediately any oral instructions in text form.
      4. To the extent required by EU Data Protection Laws, Andela will provide reasonably requested information regarding the Services to enable Partner to carry out data protection impact assessments and any consultations with data protection authorities.
    3. Audit Requests
      1. Andela audits its Technical and Organizational Security Measures against data protection and information security standards on a regular basis. Such audits are conducted by Andela’s internal team or a designated third party as engaged by Andela. Upon written request and subject to the confidentiality provisions of the Agreement, Andela will make available to Partner a summary of the most recent audit report and any other documentation reasonably required by Partner to verify compliance with this DPA.
      2. Andela may request audits of Partner’s Technical and Organizational Security Methods to ensure compliance with this Agreement. Partner will make available to Andela a summary of the most recent audit report and any other document reasonably required by Andela.
      3. Either party requesting such audit information does so at its sole expense and obligation, and agrees to remunerate the other party for any costs associated with such audit requests.
      4. Partner’s request for an audit will not require Andela either to disclose to Partner or its third party auditor, or to allow Partner or its third party auditor to access:
        1. Any data of any other client of Andela;
        2. Andela’s internal accounting or financial information;
        3. Any trade secrets of Andela or any client of Andela;
        4. Any information that, in Andela’s reasonable opinion, could (i) compromise the security of Andela systems or premises; or (ii) cause Andela to breach its obligation under applicable law or its security and/or privacy obligations to any client or any third party; or
        5. Any information that Partner or its third party auditor seeks to access for any reason other than the good faith fulfillment of Partner’s obligation under any Data Protection Law.
  9. Data Transfers
    1. Andela may transfer and process Personal Data as requested by Partner in other locations around the world where Andela and its sub-processors maintain operations, as necessary to provide services under the Agreement and this DPA.
    2. Where Personal Data is transferred from the European Economic Area (“EEA”) and/or Switzerland to a member of Andela’s group of companies located in a country not recognized by the European Commission or the Swiss Federal Data Protection Authority as providing an adequate level of protection for Personal Data, Partner appoints Andela to enter into the EU Model Clauses on Partner’s behalf with such Andela entity based outside of the EEA and Switzerland and involved in the processing of Personal Data. Andela will provide a copy of those EU Model Clauses to Partner upon Partner’s written request. If Andela adopts Binding Corporate Rules or another alternative data export solution (as recognized under EU Data Protection Law), then the EU Model Clauses will cease to apply with effect from the date that Partner implements such new data export solution.
  10. Duties of Andela
    1. Andela is not obligated to appoint a Data Protection Officer. Andela’s primary contact for requests under this DPA is as follows:
      1. Mrs. Kirsten Canton at 129 W. 29th Street, 5th Floor, New York, NY, 10001 USA; Tel +19179134729; Email: Kirsten.Canton@andela.com
    2. Andela is located outside of the EU and EEA, and its designated representative within the EU is as follows:
      1. DPR Group, Place de L’Université 16, Louvain-La-Neuve, Waals Brabant, 1348, Belgium; Email: andela@dpr.eu.com
    3. Andela shall ensure that only such employees and subcontractors are engaged in the data processing outlined in Sections 3 and 4 of this DPA who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. Andela and any person acting under its authority who has access to Personal Data shall not process that data except on instructions from Partner, which include the powers granted in this contract, unless required to do so by law.
  11. Processing Records
    1. Partner acknowledges that Partner is required under Data Protection Laws to (i) collect and maintain records of certain information, including the name and contact details of each processor and/or controller on behalf of which Andela is acting, and where applicable, of such Processor’s or Controller’s local representative and data protection officer; and (ii) make such information available to the supervising authorities.
    2. Accordingly, should GDPR apply to the processing of Partner Personal Data, Partner will, where requested, provide such information to ensure that all information provided is kept accurate and up-to-date.
  12. Limitations of Liability
    1. The Parties agree that the total combined liability limit (including indemnifications of any kind) to one another shall be set as provided under the terms of the Agreement as executed between the Parties.
  13. Miscellaneous
    1. Andela may modify the terms of this DPA as provided in the Agreement. Andela will notify Partner of any such changes and effectiveness of such changes in accordance with this DPA or the Agreement. Changes to this DPA include, but are not limited to, the following circumstances:
      1. If required or ordered to do so by any supervisory, judicial, governmental, or regulatory entity.
      2. As required to implement or adhere to standard contractual clauses, various codes of conducts, policies, rules, procedures and any other mechanisms as required under Data Protection Laws.
    2. In the event of any conflict between the Agreement and this DPA, the terms of this DPA shall prevail.
    3. Andela and Partner shall comply, cooperate, and collaborate, with any supervisory authority in performing any obligations under this DPA or the Agreement.
    4. Andela shall implement all necessary Technical and Organizational Security Measures necessary for this DPA as provided in the Appendix.
    5. Andela shall monitor and ensure that the Technical and Organizational Security Measures are in accordance with the requirements of applicable Data Protection Laws and the rights of the data subjects.
    6. Andela shall ensure that only such employees are engaged in the data processing outlined in this DPA and the Agreement who have bound themselves to confidentiality and have previously been familiarized with the data protection provisions relevant to their work.

Technical and Organizational Security Measures Appendix

  1. Confidentiality
    1. Physical Access Control
      1. No unauthorized access to Andela facilities in Kenya, Nigeria and Uganda where developers are present e.g.: magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, video/CCTV Systems
      2. No unauthorized access to Andela server rooms. Access limited to Andela IT Teams and those so authorized.
    2. Electronic Access Control
      1. No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
    3. Internal Access Control (permissions for user rights of access to and amendment of data)
      1. No unauthorized Reading, Copying, Changes or Deletions of Data within the system as approvals are managed centrally, e.g. rights authorization concept, need-based rights of access, logging of system access events
    4. Isolation Control
      1. The isolated Processing of Data, which is collected for differing purposes, e.g. multiple Partner support, sandboxing;
    5. Employee Control
      1. Employees are bound by written confidentiality agreements
      2. Employees receive training on data privacy and data security
    6. Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
      1. The processing of personal data in such a way that the data cannot be associated with a specific Data Subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
  2. Integrity
    1. Data Transfer Control
      1. No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
    2. Data Entry Control
      1. Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management
    3. Job Control
      1. Andela’s employees and contractors may only process Partner and personal data strictly in accordance with the Agreement’s obligations and Partner instructions.
  3. Availability and Resilience
    1. Availability Control
      1. Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
    2. Rapid Recovery
  4. Procedures for Regular Testing, Assessment and Evaluation
    1. Data Protection Management
    2. Incident Response Management
    3. Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
    4. Order or Contract Control
      1. No third party data processing as per Article 28 GDPR without corresponding instructions from Partner, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls, duty of pre-evaluation, supervisory follow-up check.