GDPR: Data Processing Addendum

Our commitment to your data privacy

Last updated: June 22nd, 2019

The customer agreeing to this addendum (the "Customer") and WholeCell, Inc. ("WholeCell") a company incorporated and registered in Delaware (each a "Party", together the "Parties"), have entered into an agreement which permits the Customer to use the WholeCell inventory management software (the "Software"), on the terms and subject to the conditions of the WholeCell Terms of Service which can be found at https://www.wholecell.io/terms_of_service ("Terms of Service").

This Data Processing Addendum ("DPA") is an addendum to and forms part of the Terms of Service. All processing of personally identifiable information (as defined below) by WholeCell on behalf of the Customer will be carried out in accordance with this DPA. The Customer's continued usage of the Software after the Effective Date (as defined below) constitutes acceptance of this DPA.

1.1  This DPA is an addendum to and forms part of the Terms of Service.

1.2  This DPA contains all relevant terms relating to how WholeCell handles the personally identifiable information ("PII") (data that can be used to identify, locate or contact a natural person) provided to it by the Customer about other natural persons.

1.3  Except as set out explicitly in this DPA, the Terms of Service remain unchanged.

1.4  In the event of any differences between the Terms of Service, the WholeCell Privacy Policy as amended from time to time, that can be found on the WholeCell website at https://www.wholecell.io/privacy_policy (the "Privacy Policy"), and this DPA, the terms of this DPA take precedence.

2.1 This DPA will take effect on the last modified date, or on the first day of the Customer’s subscription to the Software, whichever is later (the "Effective Date").

2.2 This DPA will survive the end of the Customer’s subscription period or the termination of the Terms of Service. It will terminate when all of the PII has been deleted as described in this DPA.

3.2  The European Union Regulation (EU) 2016/679 (General Data Protection Regulation) ("GDPR") applies to the processing of PII by WholeCell if these processing activities relate to:

3.2.1  an establishment of the Customer in the European Union ("EU"), European Economic Area ("EEA"), Switzerland or the United Kingdom;

3.2.2  offering goods or services to data subjects in the EU, EEA, Switzerland or the United Kingdom; and/or

3.2.3  monitoring the behaviour of data subjects in the EU, EEA, Switzerland or the United Kingdom as far as the behaviour takes place within these areas,

3.2.4  (together the "GDPR Activities").

Roles

4.1  For the purposes of this DPA, WholeCell is a data intermediary.

4.2  In respect to any GDPR Activities, WholeCell is a data processor of the PII, while the Customer may be either a data controller or data processor.

4.3  If any other data protection or privacy law applies to any processing of PII, each Party will comply with their obligations under such law.

Warranty

4.4  In respect to any GDPR Activities, if the Customer is a data processor, the Customer warrants to WholeCell that they have all necessary instructions and authorisations from the data controller to appoint WholeCell as a data sub-processor of the PII.

Customer's instructions

4.5  WholeCell will only process PII on the instructions of the Customer unless required by law to act without such instructions.

4.6  The Customer, by entering into this DPA, instructs WholeCell to process PII as follows:

4.6.1  to provide the Software to the Customer;

4.6.2  as further instructed by the Customer by its use of the Software, including by instructions given on the WholeCell user interface, by the uploading of CSV files to the WholeCell Software, or importing data from other services;

4.6.3  as set out in the Terms of Service and this DPA; and

4.6.4  as otherwise instructed in writing by the Customer which WholeCell acknowledges to be instructions for the purposes of this DPA.

Processing details

4.7  WholeCell will process PII in accordance with the Customer’s instructions and in accordance with the following precise scope:

4.7.1  Subject matter: Providing the Software to the Customer pursuant to the Terms of Service, and as further instructed by the Customer in its use of the Software.

4.7.2  Duration: The length of the Customer’s subscription to the Software, and for a limited period afterwards in accordance with the terms of this DPA, until this DPA is terminated after all PII has been deleted.

4.7.3  Nature and purpose: As necessary to provide the Software to the Customer, and as further instructed by the Customer in its use of the Software.

4.7.4  Types of personal data: The Customer may submit PII to the Software, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) the following types of personal data:

a) name;
b) contact information;
c) position and organization; and
d) ID data.

4.7.5  Categories of data subjects: The Customer may submit PII to the Software, the extent of which is determined and controlled by the Customer in its sole discretion, and which may include (but is not limited to) personal data relating to the following categories of data subjects, who are in all cases natural persons:

a) the Customer’s end users, customers, suppliers and business partners;
b) employees and points of contact of the Customer’s end users, customers, suppliers and business partners;
c) the Customer’s employees, agents, advisors, and contractors; and
d) the Customer’s authorised users of the Software.

4.8  All processing of PII will be carried out by trusted employees, staff, agents, contractors, service providers, and sub-processors who will be subject to a duty of confidence.

Deletion by the customer

5.1  The Customer may delete PII in a manner consistent with the functionality of the Software during the term of service. If the Customer uses the Software to delete any PII such that it cannot be recovered by the Customer, this will constitute an instruction to WholeCell to delete the relevant PII from its systems in accordance with applicable law. WholeCell will comply with this instruction as soon as reasonably practicable unless required by law to retain the data.

5.2  If the Customer wishes to delete PII that cannot be deleted via the Software, the Customer should send a deletion request to support@wholecell.io. WholeCell will strive to respond to all such requests as soon as reasonably practicable.

Deletion on termination

5.3  If the Customer ceases to subscribe to and use the Software, the Customer’s account will be suspended until such time that:

5.3.1  the Customer resumes their subscription to the Software;

5.3.2  the Customer otherwise informs WholeCell that they wish to permanently terminate their relationship with WholeCell; or

5.3.3  WholeCell, at its sole discretion, permanently discontinues access to the Customer’s account in accordance with the Terms of Service.

5.4  If the Customer informs WholeCell that they wish to permanently terminate their relationship with WholeCell pursuant to clause 5.3.2, they will be taken to have instructed WholeCell to delete or anonymise all PII (including existing copies) from WholeCell’s systems in accordance with applicable law. WholeCell will comply with this instruction as soon as reasonably practicable unless required by applicable law to retain the data.

5.5  If WholeCell permanently discontinues access to the Customer’s account, all PII will be deleted or anonymised unless WholeCell is required by applicable law to retain the data.

Security measures

6.1  WholeCell will take reasonable steps to ensure that PII is treated securely and to prevent unauthorized access, collection, use, disclosure, copying, modification, disposal or similar risks, and to meet its obligations as set out in Article 32 of the GDPR.

6.2  WholeCell cannot guarantee that unauthorized parties will not gain access to PII. To the extent permitted by applicable law, WholeCell expressly excludes any liability arising from any unauthorized access to PII.

Review of security documentation

6.3  In respect to any GDPR Activities only, WholeCell will provide the Customer with available information on its security processes as necessary to ensure that both Parties are meeting their obligations under this DPA and as set out in Article 28 of the GDPR.

Security audits and inspections

6.4 In respect to any GDPR Activities only, WholeCell will permit the Customer or an independent auditor appointed by the Customer, who must be approved by WholeCell in accordance with clause 10, to conduct reasonable audits and inspections to verify compliance with its obligations under this DPA and as set out in Article 28 of the GDPR.

Data Protection Impact Assessments (“DPIA”)

6.5  The Customer agrees and acknowledges that WholeCell will assist the Customer in conducting any DPIAs by providing them with this DPA and available information on security processes in accordance with clause 6.3 for review.

7.1  WholeCell will inform the Customer as soon as reasonably practicable if it is asked to engage in any activity that may infringe the GDPR or other applicable law.

7.2  If WholeCell becomes aware of any data breaches or security incidents that impact PII, except for data breaches or security incidents caused by the Customer’s own actions, it will notify the Customer as soon as reasonably practicable and without undue delay. WholeCell will take reasonable steps to mitigate the consequences of any data breaches or security incidents so as to minimize the impact to PII.

7.3  Notice of any data breaches or security incidents pursuant to this clause 7 does not constitute an admission of responsibility by WholeCell.

8.1  WholeCell will pass on to the Customer any requests it receives from data subjects and the Customer’s end users to exercise any data rights. The Customer accepts and acknowledges that it is the Customer’s responsibility to respond to any data rights requests with the data subjects and end-users directly, or to instruct the relevant data controller to respond to these requests, as the case may be.

8.2  WholeCell will, taking into account the nature of the processing activity, assist the Customer in responding to such data rights requests by building appropriate functionality into the Software — such as the ability to delete and amend PII. The Customer agrees to exhaust all possible means of responding to a data subject’s data rights request using the Software functionality before contacting WholeCell for help to respond to such requests by email at support@wholecell.io. WholeCell reserves the right to refuse assistance if, in its sole discretion, the Customer is able to respond to the data rights request using the Software's functionality. WholeCell reserves the right to reimbursement from the Customer of reasonable costs incurred by WholeCell in providing assistance to the Customer under this clause 8.2.

9.1 WholeCell, Inc. is a company incorporated and registered in the United States of America. Most PII is stored in the United States of America; however, some data sub-processors might have data centres and storage facilities in other jurisdictions.

9.2 If the storage and/or processing of PII involves transfers of PII out of the EU, EEA, Switzerland, and/or the United Kingdom, WholeCell will, if requested to do so by the Customer, ensure that WholeCell, Inc. as the data importer of the transferred PII enters into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) with the Customer as the data exporter of such personal data, and that the transfers are made in accordance with such model contract clauses.

9.3 The Customer agrees that if the storage and/or processing of PII involves transfers of PII out of the EU, EEA, Switzerland, and/or the United Kingdom and if under the GDPR WholeCell reasonably requires the Customer to enter into model contract clauses (being the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR) in respect to such transfers, the Customer will do so, failing which WholeCell reserves the right to terminate the Customer’s subscription.

Roles

10.1  If the Customer wishes to carry out an audit and/or inspection in accordance with clause 6.4, it must notify WholeCell by sending an audit and/or inspection request to support@wholecell.io.

10.2  On receipt by WholeCell of a request under clause 10.1, WholeCell and the Customer will discuss and agree in advance on:

10.2.1  the identities of the auditors and/or inspectors, be they the Customer’s own personnel or parties appointed by the Customer;

10.2.2  a reasonable date and time to carry out the audit and/or inspection;

10.2.3  the scope and duration of the audit and/or inspection;

10.2.4  confidentiality obligations of the Customer that are a pre-condition for carrying out any audit and/or inspection; and

10.2.5  the amount of any reasonable fees and charges to be borne by the Customer to cover WholeCell’s costs of the audit and/or inspection.

10.3  The Customer is responsible for all of their own costs in relation to any audit and/or inspection, including the cost of any third-party auditor appointed by the Customer.

10.4  WholeCell may object to the appointment of any auditor appointed by the Customer if the auditor is, in WholeCell’s reasonable opinion, not suitably qualified or independent, a competitor of WholeCell, or otherwise unsuitable.

11.1  The Customer acknowledges and accepts that some processing of PII may be carried out by trusted sub-processors.

11.2  The Customer specifically authorises WholeCell to engage the following sub-processors:

11.2.1  all WholeCell entities, including entities directly or indirectly controlled by, or under common control with WholeCell, Inc.; and

11.2.2  the sub-processors listed below as at the Effective Date.

11.3  WholeCell will engage new sub-processors from time to time. When it does, WholeCell will ensure that it enters into written contracts with these sub-processors. The written contract will stipulate, among other things, that:

11.3.1  the sub-processor only has access to PII necessary to perform its obligations under their agreement with WholeCell;

11.3.2  the sub-processor will carry out all processing activity in accordance with this DPA, the Privacy Policy, the Terms of Service, any model contract clauses entered into pursuant to clauses 9.2 and 9.3, and any applicable law; and

11.3.3  in respect to any GDPR Activities only, that the data protection obligations set out in Article 28(3) of the GDPR are imposed on the sub-processor.

11.4  WholeCell will notify all Customers when it engages a new sub-processor at least 14 days before any PII is handed to the sub-processor for processing. If the Customer wishes to object to the engagement of any sub-processor, the Customer must terminate their subscription and stop using the Software permanently. The Customer acknowledges and accepts that this is their sole and exclusive remedy to object to WholeCell’s engagement of any new sub-processor. If this remedy is exercised, WholeCell’s provision of the Software to the Customer will terminate on the eve of the date where the sub-processor begins to process PII or the last date of the Customer’s existing commitment period, whichever is earlier. The Customer remains responsible for payment of all subscription charges up to the last day of Software use, to be calculated pro rata.

12.1  WholeCell and all WholeCell entities’ aggregate liability to the Customer, arising out of or related to this DPA, shall be subject to the “Limitation of Liability” section of the Terms of Service. Any reference in such section of the Terms of Service to the liability of WholeCell means the aggregate liability of WholeCell and all WholeCell entities under the Terms of Service and this DPA.

13.1  The terms “personal data”, “data subject”, “processing”, “controller” and “processor” as used in this DPA have the meanings given in the GDPR.

Last updated: June 22nd, 2019

  • Salesforce Heroku (Cloud Service Provider)
  • Google Analytics (Analytics)
  • Postmark, Wildbit, LLC (Email Delivery Service)
  • Intercom (Customer Support)
  • Stripe, Inc (Payment Gateway)
  • Hotjar Ltd. (Behaviour Tracking)