DATA PROCESSING AGREEMENT
The Customer has subscribed to certain software-as-a-service (SaaS) products (“Subscription Items”) and/or ordered performance of Professional Services from CNTXT. The Customer is also referred to as the "Controller" and CNTXT as the "Processor Party".
This Data Processing Agreement is an integrated part of the MSA and/or PSA, and/or such other agreement entered into between the Controller and Processor Party pertaining to the subscription to the Subscription Items and/or performance by CNTXT of Professional Services (the “Agreement”). Any capitalized terms not specifically defined in this Data Processing Agreement shall have the meaning as set forth in the Agreement.
This Data Processing Agreement is subject to the Saudi Arabian Personal Data Protection Law (“PDPL”) and the Applicable Laws of the Kingdom of Saudi Arabia.
In this Data Processing Agreement:
- the Controller shall be a “controller” for the purposes of the PDPL;
- the Processor Party shall be a “processor” for the purposes of the PDPL;
- "Personal Data" has the meaning given to the term “personal data” in the PDPL;
- “Competent Authority” means the relevant authority for regulation of the PDPL;
- “Owner of the Personal Data” has the meaning given to the term “owner of the personal data” in the PDPL;
- "Processing" has the meaning given to that word in the PDPL, and its cognates shall be construed accordingly; and
- “Sub-processor” means a third party engaged by the Processor Party for carrying out processing activities on behalf of the Processor.
The Processor Party’s performance of the Subscription Items and Professional Services may include the processing of Personal Data on behalf of the Controller.
In accordance with the PDPL, the obligations of the Processor Party are set out in this Data Processing Agreement.
If Customer has entered into an agreement with a reseller or another party offering Subscription Items or Professional Services from CNTXT, such reseller shall be referred to as the "Processor Party" and CNTXT shall be referred to as Sub-processor for the purpose of this Data Processing Agreement. Customer has consented to CNTXT as Sub-processor. This Data Processing Agreement applies equally between reseller as Processor Party and CNTXT as Sub-processor.
1. SCOPE OF DATA PROCESSING
This Data Processing Agreement governs and defines the legal limits of the Processor Party’s processing of Personal Data on behalf of the Controller. The limits and obligations set out in this Data Processing Agreement shall be in addition to those imposed by Applicable Law, including the PDPL.
The Processor Party’s performance of the Subscription Items and Professional Services may entail processing of Personal Data relating to the Controller’s employees, consultants, customers, and clients, including but not limited to names, national identity numbers, addresses, e-mail addresses, IP addresses, dates of birth, telephone numbers, invoice information, tax information, and bank account details.
The Controller acknowledges that the Processor Party may Process Personal Data relating to the operation, support, or use of the Subscription Items for its own business purposes, such as billing, account management, data analysis, benchmarking, technical support, product development, and compliance with law. The Processor Party is the Controller for such Processing and will Process such data in accordance with PDPL.
2. THE CONTROLLER'S OBLIGATIONS
The Controller confirms that:
- Processing of Personal Data is permitted and in accordance with Applicable Laws;
- There is appropriate legal basis for processing Personal Data;
- The Controller is entitled to and is responsible for the legality of transfer of Personal Data to the Processor Party;
- The Controller is responsible for the accuracy, integrity, content, reliability and legality of the Personal Data being processed; and
- The Controller has notified the Owner of the Personal Data in accordance with the current legal requirements.
3. THE PROCESSOR PARTY'S OBLIGATIONS
The Processor Party shall process Personal Data on behalf of the Controller in accordance with the obligations set out in this Data Processing Agreement and specifically in accordance with written instructions from the Controller, as stipulated by the PDPL.
Personal Data processed by the Processor Party on behalf of the Controller shall not be disclosed or transferred to third parties in any form, without a written approval from the Controller. Personal Data processed by the Processor Party on behalf of the Controller shall not be exported to third countries, without a written approval from the Controller and in compliance with Applicable Laws.
The Processor Party shall by means of planned, systematic measures ensure satisfactory data security with regard to confidentiality, integrity and accessibility in connection with the processing of Personal Data, including:
- ensuring that IT systems and other systems used in the processing of Personal Data in relation to this Data Processing Agreement, and any connections between such systems, are configured in a way that secures appropriate information security;
- ensuring that any storage medium, data medium and/or data equipment used to process Personal Data are protected against destruction and against access by unauthorized persons;
- ensuring that measures are implemented to protect against destructive and/or malicious software and/or hacking of the systems used by the Processor Party in the processing of Personal Data on behalf of the Controller;
- ensuring that Personal Data processed according to this Data Processing Agreement is kept separate from the Processor Party’s own information, information of third parties and/or other information; and
- ensuring that no unauthorized persons obtain access to the premises, files or systems where Personal Data which the Processor Party receives access under this Data Processing Agreement are stored, kept or processed.
The Processor Party shall ensure that satisfactory information security is established through planned and systematic measures, and shall regularly, and at least once per year, perform security reviews of the systems used to process any Personal Data pursuant to this Data Processing Agreement and the Agreement.
The Processor Party shall maintain records demonstrating an adequate level of information security for personal data, systems and routines which are relevant for the performance of the obligations under this Data Processing Agreement and shall make such records available to the Controller on request. As part of such record keeping, the Processor Party shall document its routines for authorizing the use of its data processing systems by individuals, in addition to technical and organizational security measures. The documentation shall be kept in a format which may be accessed by the Controller and/or the Competent Authority on request. The Processor Party shall make such documentation and, if requested, its premises accessible for any audits and site visit by the Controller (or by a suitable qualified person nominated by the Controller) and/or the Competent Authority under the PDPL. The Controller shall be entitled to undertake such audits and site visits once per year during the term of the Agreement (but for the avoidance of doubt if material deficiencies are identified the Controller shall be entitled to undertake such additional audits and/or site visits as may be required to satisfy the Controller that such deficiencies have been remedied).
Records of unauthorized use of information systems and attempts of unauthorized use shall be stored for at least three months. This also applies to all registrations and other events of significance to the level of security.
In the event that system and/or data security measures are not sufficient to allow the Processor Party to meet its statutory and contractual obligations, the Processor Party shall, upon identifying such deficiency (or being notified of this by the Controller, the Competent Authority or any other competent person), make the necessary changes to the system or the routines as soon as reasonably practicable and in any event within a reasonable period of time taking account of the level of risk to the security and integrity of Personal Data.
The Processor Party shall promptly notify the Controller of any use of the information system in breach of the established routines and any Personal Data Breach. The Controller shall decide whether the Competent Authority shall be notified in accordance with the PDPL.
The Processor Party shall assist the Controller in fulfilling the obligations arising pursuant to the PDPL, taking into account the nature of the processing required and the information available to the Processor Party.
The Processor Party shall assist the Controller in taking appropriate technical and organizational measures for the fulfilment of the Controller's obligations to respond to requests arising from the exercise of the rights of the Owner of the Personal Data laid down in the PDPL.
4. DELETION OF PERSONAL DATA
Personal Data processed by the Processor Party on behalf of the Controller shall be deleted by the Processor Party as soon as access to the Personal Data is no longer necessary in order to fulfil the purpose of processing, as required by the PDPL. The Controller shall define routines for deletion of such Personal Data, while the Processor Party shall be responsible for the execution of such routines.
This Data Processing Agreement shall remain effective for as long as the Processor Party processes Personal Data on behalf of the Controller under the Agreement.
Upon termination of this Data Processing Agreement, Processor Party shall, upon the Controller’s request, delete or destroy all copies of Personal Data stored on any computer or other device or which are otherwise in the Processor Party’s possession or control, except to the extent the Processor Party is required to retain such Personal Data by Applicable Law. The Processor Party shall, upon the Controller's request, at any time during the Term, make any and all Personal Data available to the Controller in a format reasonably requested by the Controller.
The Processor Party shall upon written request issue a written confirmation to the Controller, stating that either (a) all Personal Data has been returned and that Processor Party has not kept any copies, transcripts etc. of any Personal Data in any form, or (b) where Processor Party is required by Applicable Law to retain a copy of any Personal Data, the Personal Data to be retained, and the Applicable Law.
The Processor Party shall maintain secrecy concerning the Personal Data received from the Controller. This obligation shall apply also after the termination of this Data Processing Agreement.
The Processor Party shall therefore:
a) limit the disclosure of, and access to, Personal Data to those of its personnel to whom such disclosure is necessary for processing Personal Data in accordance with this Data Processing Agreement;
b) ensure that such personnel acknowledge that Personal Data shall be treated as confidential before it is imparted to them and ensure that such personnel are bound by obligations restricting use and disclosure of Personal Data equivalent to, but in any event no less strict than, those set out in this Data Processing Agreement;
c) instruct all such personnel that they shall not use such Personal Data for any purpose other than the fulfilment of this Data Processing Agreement and not to disclose Personal Data to third parties, without the prior written consent of the Controller; and
d) use its best efforts to ensure that such personnel abide by such obligations.
In the event that use of Sub-processors involves transfer of Personal Data outside of Saudi Arabia, the Processor Party shall be responsible for ensuring that this transfer is in accordance with the PDPL.
Sub-processing under this provision shall not include ancillary services ordered by the Processor Party from third parties to assist in the performance of the Processor Party's day to day business, e.g. telecommunications services, maintenance, user support, auditing, disposal of media, etc.
APPENDIX 1 – INFORMATION ABOUT THE PROCESSING OF PERSONAL DATA
SERVICES PERFORMED BY PROCESSOR
Professional Services (including consultancy services), reselling and selling SaaS
PURPOSE AND NATURE OF THE PROCESSING
Processing personal data in the act of providing the Professional Services, during a collaboration or partnership, providing access to CNTXT products or technology and/or providing Cognite Products or Google Products.
CATEGORIES OF PERSONAL DATA
Personal Data transferred by the Controller to enable reselling of SaaS;
Personal Data transferred by the Controller during a collaboration or partnership;
Personal Data made accessible by Controller to enable Processor Party to perform Professional Services;
Personal data pertaining to the use of CNTXT products or technology (e.g. log data, IP address and correspondence);
Contact info, name, email and job title.
CATEGORIES OF DATA SUBJECTS
Controller’s employees and consultants.
For the duration of the Agreement, unless otherwise agreed.
THE FREQUENCY OF THE TRANSFER (E.G. WHETHER THE DATA IS TRANSFERRED ON A ONE-OFF OR CONTINUOUS BASIS)
Personal Data will be transferred on a continuous basis.
IDENTIFY THE COMPETENT SUPERVISORY AUTHORITY/IES
Competent Authority in Saudi Arabia as defined by the PDPL.