Data Processing Agreement

Andela, Inc
Data Processing Agreement

Last Updated: 09/01/2022

This Data Processing Agreement (“DPA”) forms part of the Andela Agreement (including any associated Order Form, Statement of Work, or Master Service Agreement entered into therewith) by and between Client and Andela (the “Agreement”). All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.
  1. Definitions
      1. “Controller”, “Data Subject”, “Personal Data”, “Personal Data Breach”, “Processing”, “Processor”, and “Supervisory Authority” will have the meanings given to them in the GDPR.
      2. “Data Protection Laws” means the General Data Protection Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (“GDPR”), and the e-Privacy Directive 2002/58/EC (as amended by Directive 2009/136/EC), their national implementations in the European Economic Area (“EEA”), and all other applicable data protection laws of the EEA, the European Union (“EU”), the United Kingdom (“UK”) and Switzerland, each as applicable, and as may be amended or replaced from time to time.
      3. “Data Subject Rights” means all rights granted to Data Subjects by Data Protection Laws, including the right to information, access, rectification, erasure, restriction, portability, objection, the right to withdraw consent, and the right not to be subject to automated individual decision-making.
      4. “International Data Transfer” means any transfer of Client Personal Data from the EEA, UK or Switzerland to an international organization or to a country outside of the EEA, UK, or Switzerland, and includes any onward disclosure of Client Personal Data to another recipient within that country, as well as any onward transfer of Client Personal Data from the international organization or the country outside of the EEA, UK, or Switzerland to another country outside of the EEA, UK, or Switzerland.
      5. “Client Personal Data” means any Personal Data that is subject to Data Protection Laws, for which Client or Third-Party Controller is the Controller, and which is Processed by Andela to provide the Services to Client.
      6. “Personnel” means any natural person acting under the authority of Andela.
      7. “Sensitive Data” means any type of Personal Data that is designated as a sensitive or special category of Personal Data or otherwise subject to additional restrictions under Data Protection Laws.
      8. “Standard Contractual Clauses” or “SCCs” mean the clauses annexed to the EU Commission Implementing Decision 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (OJ L 199, 7.6.2021, p. 31-61), as amended or replaced from time to time.
      9. “Sub-processor” means a Processor engaged by another Processor to carry out Processing on behalf of a Controller.
      10. “Third-Party Controller” means a Controller for which Client is a Processor.
      11. “UK Addendum” means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018 (version B1.0, in force March 21, 2022), available at https://ico.org.uk/media/for-organisations/documents/4019483/international-data-transfer-addendum.pdf.

2. Scope and Applicability

      1. The DPA applies to Processing of Client Personal Data by Andela to provide the Services.
      2. The subject matter, nature, and purpose of the Processing, the types of Client Personal Data and categories of Data Subjects are set out in Appendix I and the Agreement.
      3. Client is a Controller and appoints Andela as a Processor on behalf of Client. Client is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers.
      4. To the extent Client is a Processor on behalf of a Third-Party Controller, Client engages Andela as a Sub-processor to Process Client Personal Data on behalf of that Third-Party Controller. When Client is acting on behalf of Third-Party Controller(s), then Client: (i) is the single point of contact for Andela; (ii) must obtain all necessary authorizations from such Third-Party Controller(s); (iii) undertakes to issue all instructions and exercise all rights on behalf of such Third-Party Controller(s); and (iv) is responsible for compliance with the requirements of Data Protection Laws applicable to Processors.
      5. Client acknowledges that Andela may Process Personal Data relating to the operation, support, or use of the Services for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, and product development. Andela is the Controller for such Processing and will Process such data in accordance with Data Protection Laws.

3. Duration of this DPA

      1. This DPA is effective for as long as Andela Processes Client Personal Data on behalf of Client. 

4. Collecting, Processing and Sub-processing of Client Personal Data

      1. Client Data Collection and Processing
        1. Client will comply with its obligations under the Data Protection Laws in respect of its collecting and processing of Client Personal Data and any processing instructions it issues to Andela. Client represents that it has all rights, consents, and authorizations necessary for Andela to process Client Personal Data pursuant to Data Protection Laws and the Agreement.
        2. Client authorizes Andela, in providing the Services, to Process Client Personal Data in accordance with applicable laws.
        3. Upon notice in writing to Client, Andela may terminate the Agreement if Andela has determined, or has reason to believe, that Client is not in compliance with Data Protection Laws as a Controller or Processor.
      2. Andela Data Processing
        1. Andela will comply with its obligations as a Processor under applicable Data Protection Laws and will process Client Personal Data to provide Services and in accordance with Client’s documented instructions. Client’s instructions are documented in this DPA and the Agreement. Client agrees that this DPA is its complete and final agreement with Andela in relation to the Processing or sub-processing of Client Personal Data.
        2. Andela will comply with documented instructions of Client related to Processing Client Personal Data. Unless prohibited by applicable law, Andela will inform Client if Andela is subject to a legal obligation that requires Andela to Process Client Personal Data in contravention of Client’s documented instructions.
        3. Client may reasonably issue additional instructions as necessary to comply with Data Protection Laws. Andela may charge a reasonable fee to comply with any additional instructions.
        4. Upon notice in writing, Client may terminate the Agreement if Andela declines to follow Client’s reasonable instructions that are outside the scope of, or changed from, those given or agreed to in this DPA, to the extent such instructions are necessary to enable Andela to comply with Data Protection Laws.
      3. Sub-processing
        1. Client hereby authorizes Andela to engage Sub-processors, including its subsidiaries. A list of Andela’s current Sub-processors is available upon request to privacy@andela.com. Subject to any applicable disclaimers or limitations of liability, Andela remains responsible for the acts, errors, or omissions of its sub-processors to the extent applicable to Andela’s obligations under this DPA.
        2. Andela will enter into a written agreement with Sub-processors which imposes the same obligations as required by Data Protection Laws. 
        3. Andela will inform Client prior to any intended change to Sub-processors. Client may object to the addition of a Sub-processor based on reasonable grounds relating to a potential or actual violation of Data Protection Laws by providing written notice detailing the grounds of such objection within thirty (30) days following Andela’s notification of the intended change. Client and Andela will work together in good faith to address Client’s objection. If Andela chooses to retain the Sub-processor, Andela will inform Client at least thirty (30) days before authorizing the Sub-processor to Process Client Personal Data, and Client may immediately discontinue using the relevant parts of the Services, and may terminate the relevant parts of the Services within thirty (30) days.

5. Technical and Organizational Security Measures

      1. Measures by Andela
        1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, prior to the commencement of any processing, Andela shall implement, establish and maintain commercially reasonable technical and organizational security measures. Andela shall present and document such technical and organizational security measures for review by Client. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Andela may, from time to time, modify such technical and organizational security measures, so long as such measures do not materially reduce the protection afforded to Client Personal Data, and are reasonably documented.
      2. Measures by Client
        1. Client is responsible for using and configuring the Services to enable Client to comply with Data Protection Laws, including implementing Client’s own appropriate and adequate technical and organizational measures. Client shall provide Andela with a copy of such measures and notify Andela in writing of any modifications. If Andela Developers use Client devices, laptops, or computers, Client shall present and document all technical and organizational security measures for review by Andela. Such technical and organizational security measures shall become the foundation of the Services and are subject to technical progress and development. Client may, from time to time, modify such technical and organizational security measures, so long as such measures are not reduced, and are appropriately documented.
      3. Personnel
        1. Andela will take steps to ensure that all Personnel authorized by Andela to Process Client Personal Data are subject to an obligation of confidentiality.
      4. Prohibited Data
        1. Client acknowledges and agrees that the Agreement may prohibit the submission of certain types of Personal Data (such as financial or health information). Client represents and warrants that neither Client nor any entity acting for or on behalf of Client will submit to Andela any Client Personal Data which is regulated under the Health Insurance Portability and Accountability Act without a separate Business Associate Agreement. In such events, Andela will take reasonable and appropriate steps to notify Client of its receipt of any prohibited data.

6. Notification and Assistance

      1. Andela will notify Client without undue delay after Andela becomes aware of a Personal Data Breach involving Client Personal Data. 
      2. Andela will provide information relating to the Personal Data Breach as reasonably requested by Client to the extent such information is available to Andela. Andela will use reasonable efforts to assist Client in mitigating, where commercially reasonable and technically feasible, the adverse effects of a Personal Data Breach.
      3. Taking into account the nature of the Processing, and the information available to Andela, Andela will assist Client, including, as appropriate, by implementing technical and organizational measures, with the fulfilment of Client’s own obligations under Data Protection Laws to: (i) comply with requests to exercise Data Subject Rights; (ii) conduct data protection impact assessments and prior consultations with Supervisory Authorities; and (iii) notify a Personal Data Breach. Andela may charge a reasonable fee to Client for support services rendered in connection with this Section 6, which are not included in the description of the Services, and which are not attributable to failures on the part of Andela. If such support services reveal the failure of Andela to materially comply with its obligations under applicable Data Protection Laws or as otherwise set forth in this DPA, Andela and Client shall each bear their own costs related to assistance.
      4. Andela’s notification of or response to a Personal Data Breach pursuant to this Section 6 will not be construed as an acknowledgement by Andela of any fault or liability with respect to such Personal Data Breach.

7. Deletion or Return 

      1. Pursuant to the Agreement, Andela will delete or return Client Personal Data that is in its possession and control as set forth in the Agreement, except to the extent Andela is required by law to retain any Client Personal Data. Client may request return of Client Personal Data up to thirty (30) days after termination of the Agreement. Unless required or permitted by applicable law, Andela will delete all remaining copies of Client Personal Data within thirty (30) days after returning Client Personal Data to Client. Andela will notify Client prior to deletion.

8. Cooperation, Supervision and Audit

      1. Request for Data Protection
        1. Upon notice from data subjects or data protection authorities (including requests from individuals seeking to exercise their rights under Data Protection Laws) to the extent regarding the Processing of Client Personal Data by Andela pursuant to the Agreement, Andela will forward such requests to Client. Unless legally required to do so, Andela will not respond to such communication without Client’s authorization. If Andela is required to respond to any request, Andela will notify Client and provide Client with a copy of the request, unless legally prohibited from doing so.
      2. Client Requests
        1. Andela will cooperate with Client, at Client’s sole cost and expense, to respond to any requests from individuals or data protection authorities relating to the processing of Client Personal Data under this DPA to the extent that Client may be unable to access relevant Client Personal Data.
        2. Andela shall inform Client if Andela believes any instruction or request violates Data Protection Laws.
        3. Client shall document immediately any oral instructions in text form.
      3. Audit Requests
        1. Andela audits its Technical and Organizational Security Measures against data protection and information security standards on a regular basis. Such audits are conducted by Andela’s internal team or a designated third party as engaged by Andela. Upon written request and subject to the confidentiality provisions of the Agreement, Andela will make available to Client all information necessary to demonstrate compliance with the obligations of this DPA and allow for and contribute to audits, including inspections, as mandated by a Supervisory Authority or reasonably requested by Client and performed by an independent auditor as agreed upon by Client and Andela.
        2. Andela may request audits of Client’s Technical and Organizational Security Measures to ensure compliance with this DPA. Client will make available to Andela a summary of the most recent audit report and any other document reasonably required by Andela.
        3. Either party requesting such audit information does so at its sole expense, and agrees to remunerate the other party for any costs associated with such audit requests.
        4. Client’s request for an audit will not require Andela either to disclose to Client or its third-party auditor, or to allow Client or its third-party auditor to access:
          1. Any data of any other client of Andela;
          2. Andela’s internal accounting or financial information;
          3. Any trade secrets of Andela or any client of Andela; 
          4. Any information that, in Andela’s reasonable opinion, could (i) compromise the security of Andela systems or premises; or (ii) cause Andela to breach its obligation under applicable law or its security and/or privacy obligations to any client or any third party; or
          5. Any information that Client or its third-party auditor seeks to access for any reason other than the good faith fulfillment of Client’s obligation under Data Protection Laws.

9. International Data Transfers

      1. Andela may transfer and process Client Personal Data as requested by Client in other locations around the world where Andela and its Sub-processors maintain operations as necessary to provide Services.
      2. Client hereby authorizes Andela to perform International Data Transfers:
        1. to any country subject to a valid adequacy decision of the EU Commission or the competent authorities, as appropriate;
        2. to the extent authorized by Supervisory Authorities or by the competent authority on the basis of an organization’s binding corporate rules;
        3. to any data importer with whom Andela has entered into SCCs.
      3. By signing this DPA, Client and Andela hereby agree to include the provisions of module two (Controller to Processor) and, to the extent Client is a Processor on behalf of a Third-Party Controller, module three (Processor to Sub-processor) of the Standard Contractual Clauses, which are hereby incorporated into this DPA and completed as follows: the “data exporter” is Client; the “data importer” is Andela; the optional docking clause in Clause 7 is implemented; Clause 9(a) option 2 is implemented and the time period therein is specified as thirty (30) days; the optional redress clause in Clause 11(a) is struck; Clause 17 option 1 is implemented and the governing law is the law of Belgium; the courts in Clause 18(b) are the Courts of Belgium; Annexes I and II to the SCCs are Appendices I and II to this DPA respectively.
      4. By signing this DPA, Client and Andela conclude the UK Addendum, which applies to International Data Transfers out of the UK in addition to the Standard Contractual Clauses, and which is hereby incorporated, and Part 1 of the UK Addendum is completed as follows: (i) in Table 1, the “Exporter” is Client and the “Importer” is Andela, their details and signatures are set forth in the Agreement; (ii) in Table 2, the first option is selected and the “Approved EU SCCs” are the Standard Contractual Clauses referred to in Section 9.3 of this DPA; (iii) in Table 3, “Annex 1A” and “Annex 1B” to the “Approved EU SCCs” are Appendix I to this DPA and “Annex II” to the “Approved EU SCCs” is Appendix II to this DPA; and (iv) in Table 4, both the “Importer” and the “Exporter” can terminate the UK Addendum.
      5. If Andela’s compliance with Data Protection Laws applicable to International Data Transfers is affected by circumstances outside of Andela’s control, including if a legal instrument for International Data Transfers is invalidated, amended, or replaced, then Client and Andela will work together in good faith to reasonably resolve such non-compliance. In the event that additional, replacement or alternative SCCs are approved by the Supervisory Authorities or the new version of UK Addendum is approved, Andela reserves the right to amend the Agreement and this DPA by adding to or replacing, the SCCs or UK Addendum that form part of it at the date of signature in order to ensure continued compliance with Data Protection Laws.

10. Notifications

      1. Client will send all notifications, requests, and instructions under this DPA to Andela via email to: legal@andela.com.
      2. Andela will send all notifications under this DPA to Client’s contact indicated in the Agreement.

11. Limitations of Liability

  1. To the extent permitted by applicable law, where Andela has paid compensation, damages, or fines, Andela is entitled to claim back from Client that part of the compensation, damages, or fines corresponding to Client’s part of responsibility for the compensation, damages or fines.
  2. Parties agree that the total combined liability limit (including indemnifications of any kind) to one another shall be set as provided under the terms of the Agreement as executed between the Parties.

12. Miscellaneous

  1. Andela may modify the terms of this DPA as provided in the Agreement. Andela will notify Client of any such changes and effectiveness of such changes in accordance with this DPA or the Agreement. Changes to this DPA include, but are not limited to, the following circumstances:
    1. If required or ordered to do so by any supervisory, judicial, governmental, or regulatory entity.
    2. As required to implement or adhere to standard contractual clauses, various codes of conducts, policies, rules, procedures and any other mechanisms as required under Data Protection Laws.
  2. In the event of a conflict between the Agreement and this DPA with respect to the subject matter of this DPA, the terms of this DPA shall control to the extent of such conflict.
  3. If any provision of this DPA is found by any court or administrative body of competent jurisdiction to be invalid or unenforceable, then the invalidity or unenforceability of such provision does not affect any other provision of this DPA, and all provisions not affected by such invalidity or unenforceability will remain in full force and effect.

APPENDIX I

DESCRIPTION OF THE TRANSFER

A. LIST OF PARTIES

Data exporter:

  • Name: Client
  • Contact person’s name, position and contact details
  • Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
  • Role (controller/processor): Controller, or Processor on behalf of Third-Party Controller

Data importer:

  • Name: Andela Inc.
  • Address:  580 Fifth Avenue, Suite 820, New York, NY 10036
  • Contact person’s name, position and contact details: Mrs. Kirsten Canton, General Counsel, privacy@andela.com
  • Activities relevant to the data transferred under these Clauses: Providing the Services as described in the Agreement.
  • Role (controller/processor): Processor on behalf of data exporter, or Sub-processor on behalf of Third-Party Controller


B. DESCRIPTION OF TRANSFER

Categories of Data Subjects whose Personal Data is transferred:

Data subjects include Clients and the individuals about whom data is provided to Andela via the Services by (or at the direction of) Client.

Categories of Personal Data transferred:

Data relating to Clients or other individuals provided to Andela via the Services, by (or at the direction of) Clients. The personal data transferred may include: name, username, password, email address, telephone and fax number, title and other business information, general information about interest in and use of Andela’s services, and demographic information.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions for onward transfers or additional security measures. Sensitive data is pseudonymized.

  • None anticipated.

The frequency of the transfer (e.g., whether the data is transferred on a one-off or continuous basis):

  • On a continuous basis during the duration of the Services.

Nature of the processing:

  • The Personal Data will be processed and transferred as described in the Agreement. 

Purpose(s) of the data transfer and further processing:

  • The Personal Data will be transferred and further processed for the provision of the Services as described in the Agreement.

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

  • Personal Data will be retained for as long as necessary taking into account the purpose of the Processing, and in compliance with applicable laws, including laws on the statute of limitations and Data Protection Law.  

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

  • For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement.

C. COMPETENT SUPERVISORY AUTHORITY

Pursuant to Clause 13, the supervisory authority of the EEA country where (i) Client is established; or where (ii) the EU representative of Client is established; or where (iii) the data subjects whose personal data are transferred under the SCCs in relation to the offering of goods or services to them, or whose behaviour is monitored, are located.

APPENDIX II

TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA 

    1. Confidentiality
      1. Electronic Access Control
        1. No unauthorized use of the Data Processing and Data Storage Systems, e.g.: (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media
      2. Internal Access Control (permissions for user rights of access to and amendment of data)
        1. No unauthorized Reading, Copying, Changes or Deletions of Data within the system as approvals are managed centrally, e.g., rights authorization concept, need-based rights of access, logging of system access events
      3. Isolation Control
        1. The isolated Processing of Personal Data, which is collected for differing purposes, e.g., multiple Client support, sandboxing;
      4. Employee Control
        1. Employees are bound by written confidentiality agreements
        2. Employees receive training on data privacy and data security
      5. Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR)
        1. The processing of Personal Data in such a method/way, that the data cannot be associated with a specific Data Subject without the assistance of additional Information, provided that this additional information is stored separately, and is subject to appropriate technical and organizational measures.
    2. Integrity
      1. Data Transfer Control
        1. No unauthorized Reading, Copying, Changes or Deletions of Data with electronic transfer or transport, e.g.: Encryption, Virtual Private Networks (VPN), electronic signature;
      2. Data Entry Control
        1. Verification, whether and by whom personal data is entered into a Data Processing System, is changed or deleted, e.g.: Logging, Document Management
      3. Job Control
        1. Andela’s employees and contractors may only process Client Personal Data strictly in accordance with the Agreement’s obligations and Client’s instructions.
    3. Availability and Resilience
      1. Availability Control
        1. Prevention of accidental or willful destruction or loss, e.g.: Backup Strategy (online/offline; on-site/off-site), Uninterruptible Power Supply (UPS), virus protection, firewall, reporting procedures and contingency planning
      2. Rapid Recovery
    4. Procedures for Regular Testing, Assessment and Evaluation
      1. Data Protection Management
      2. Incident Response Management;
      3. Data Protection by Design and Default (Article 25 Paragraph 2 GDPR)
      4. Order or Contract Control
        1. No third-party data processing as per Article 28 GDPR without corresponding instructions from Client, e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls, duty of pre-evaluation, supervisory follow-up check.

Information related to the California Data Processing Agreement can be found here: https://andela.com/ccpa