Data Processor Agreement.
Agreement: The contract signed between you and Biff Bang Pow Limited
Data Protection Laws: all data protection and privacy laws and regulations applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law.
DPA: Data Processing Agreement: this document.
Controller: an entity that determines the purposes and means of the processing of Personal Data.
Customer: a person or entity purchasing Services from Biff Bang Pow Limited.
Customer Data: any data that Biff Bang Pow Limited and/or its Sub-processors processes on behalf of Customer in the course of providing the Services under the Agreement.
Personal Data: any Customer Data relating to an identified or identifiable natural person to the extent that such information is protected as personal data under applicable Data Protection Law.
Processor: an entity that processes Personal Data on behalf of the Controller.
Processing: defined in the GDPR, “process”, “processes” and “processed” shall be interpreted accordingly.
Security Incidents: any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data.
Security Measures: systems, protocols and action put in place to prevent Security Incidents.
Services: any product or service provided by Biff Bang Pow Limited to a Customer
Sub-processor: any Processor engaged by Biff Bang Pow Limited to assist in fulfilling its obligations with respect to providing the Services defined in the Agreement or this DPA. Sub-processors may include third parties.
This DPA applies where Biff Bang Pow Limited processes Personal Data on behalf of the Customer during the course of providing them with the Services and where the data is subject to Data Protection Laws of the European Union, the European Economic Area and/or their member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions set out in this DPA in connection with this Personal Data
Roles of Biff Bang Pow Limited and the Customer. The Customer will act as the Controller of the Personal Data and Biff Bang Pow Limited will act as the Processor of the Personal Data on behalf of the Customer. Nothing in the Agreement or this DPA shall prevent Biff Bang Pow Limited from using or sharing data that they would otherwise collect or process independently of their Services to the Customer.
Customers obligations. The Customer agrees that it shall comply with its obligation under Data Protection Laws including but not limited to the GDPR, and it has provided notice and obtained consent (or will obtain consent prior to deadlines) and all rights necessary under Data Protection Laws for Biff Bang Pow Limited to process Personal Data and provide the Services in accordance with the Agreement and this DPA.
Biff Bang Pow Limited Processing of Personal Data. Acting as a Processor, Biff Bang Pow Limited shall only process Personal Data for the following purposes: in order to perform the Services in accordance with the Agreement, in order to comply with any other reasonable instructions from the Customer to the extent they are consistent with the terms of this Agreement and only in accordance with the Customer’s documented lawful instructions. Biff Bang Pow Limited and the Customer agree that this DPA and the Agreement set out the Customer’s complete and final instructions to Biff Bang Pow Limited in relation to the processing of Personal Data, any processing outside the scope of these instructions shall require prior written agreement between the Customer and Digital Ocean.
Nature of the data. Biff Bang Pow Limited handles Customer Data provided by the Customer. Such Customer Data may contain special categories of data depending on the Services required by the Customer. This Customer Data may be subject to storage and other processing needed to provide, maintain and improve the Services provided to the Customer, to provide the Customer with support, or disclosures required by law or otherwise defined in the Agreement.
Processing of data for business reasons. Unless otherwise stated in the Agreement or this DPA the Customer acknowledges that Biff Bang Pow Limited have a right to use, process and disclose data relating to and obtained in the operation, support and use of the Services for legitimate business purposes such as billing, account management, support, product development, sales and marketing. In the case that this data is considered Personal Data under Data Protection Laws then Biff Bang Pow Limited will act as the Controller of this data and shal process in accordance with Data Protection Laws.
Authorised Sub-processors. The Customer agrees that Biff Bang Pow Limited may engage Sub-processors to process Personal Data on the Customer’s behalf. A list of Sub-processors currently engaged by Biff Bang Pow Limited is available on request.
Sub-processor obligations. Biff Bang Pow Limited shall enter into a written agreement with the Sub-processor imposing data protection terms that require the Sub-processor to protect the Personal Data to the standard required by Data Protection Laws. The agreement will also state the Sub-processor remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Biff Bang Pow Limited to breach any of its obligations under this DPA.
Changes to Sub-processors. Biff Bang Pow Limited shall provide the Customer with reasonable advance notice (via email or other means) if it adds or removed Sub-processors.
Objection to Sub-processors. The Customer may object to Biff Bang Pow Limited’s appointment of a new Sub-processor on reasonable grounds relating to data protection by notifying Biff Bang Pow Limited in writing (via email or other means) within 5 working days. This notice shall explain the reasonable grounds for the objection. In this even Biff Bang Pow Limited and the Customer shall discuss the matter in good faith with a view to achieving a commercially reasonable response. If this is not possible, the Customer or Biff Bang Pow Limited may terminate the Services that cannot be provided by Biff Bang Pow Limited without the use of the newly appointed Sub-processor.
Security measures. Biff Bang Pow Limited shall maintain and implement appropriate technical and organisational security measures in order to protect Personal Data from Security Incidents and to preserve the security and confidentiality of the Personal Data. A breakdown of these security measures is available on request.
Confidentiality of Processing. Biff Bang Pow Limited shall ensure that any person who is authorised by Biff Bang Pow Limited to process Personal Data (including its staff, agents and subcontractors) shall be under and appropriate obligation of confidentiality (whether a contractual or statutory duty).
Security Incident Response. Upon discovery of a Security Incident, Biff Bang Pow Limited shall notify the Customer without unwarranted delay and shall provide timely information to the Customer relating to the Security Incident as it becomes available.
Security Updates. The Customer acknowledges that the Security Measures are subject to development and Biff Bang Pow Limited may update, modify or remove Security Measures from time to time provided that this does not result in the degradation of the overall security of the Services provided to the Customer.
Deletion of data. Upon cancellation of the Services provided to the Customer all Personal Data held by Biff Bang Pow Limited for or about the Customer shall be deleted. This deletion will only be limited when Biff Bang Pow Limited is required to retain some or all of the Personal Data by law, such as for accounting purposes.
Data in backup systems. Data that is archived in backup systems will not immediately be deleted, but will be protected from any further processing except to the extent required by applicable law. The data in the backups will be permanently deleted when the backup is deleted as part of routine rotation.
Cooperation in obtaining Personal Data. To the extent that the Customer, their Customers or applicable data protection authorities are not able to independently access the relevant Personal Data within their Services then Biff Bang Pow Limited will (at Customer’s expense) provide reasonable cooperation to assist in obtaining this information by providing appropriate technical and organisational measures, taking into account the nature of the processing. If a request is made directly to Biff Bang Pow Limited and not through the Customer, then Biff Bang Pow Limited will notify the Customer of this request providing them with a copy of the original request and obtain authorisation to respond before doing so, unless legally prohibited from doing so, or legally obligated to do otherwise.
Providing information of Biff Bang Pow Limited’s processing. To the extent Biff Bang Pow Limited is required under Data Protection Law, Biff Bang Pow Limited shall (at Customer's expense) provide reasonably requested information regarding Biff Bang Pow Limited’s processing of Personal Data under the Agreement to enable the Customer to carry out data protection impact assessments or prior consultations with data protection authorities as required by law.
Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict.
This DPA is a part of and incorporated into the Agreement so references to "Agreement" in the Agreement shall include this DPA.
In no event shall any party limit its liability with respect to any individual's data protection rights under this DPA or otherwise.
This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Data Protection Laws.