Personal Data Processing Addendum

This Personal Data Processing Addendum (“DPA”) is an addendum to the Digital Edict Inc Terms of Service Agreement (“Service Agreement”) entered into by and between you (hereinafter referred to as “Customer”) and Digital Edict Inc, located at 23 Spectrum Pointe Drive #202, Lake Forest, CA 92630, on behalf of itself and its Affiliates (hereinafter referred to as “Digital Edict”). Customer and Digital Edict shall be referred to jointly as the “Parties” and individually as a “Party”. Pursuant to the Service Agreement, Processor provides to Controller certain website hosting and related services (the “Services”).

This DPA is effective, as applicable:

(A) January 01, 2018 to any Customer who has signed up for our Services on or before that date; or

(B) the date on which Customer signed up for our Services and this DPA, if such date is after January 01, 2018.

This DPA will only apply to the extent that the Data Protection Legislation applies to the processing of Customer Data (defined in the Terms of Service) that is Personal Data (referred to herein as “Customer Personal Data”), including if:

(A) the processing is in the context of the activities of an establishment of Customer in the EEA; and/or

(B) Personal Data relates to data subjects who are in the EEA and the processing relates to the offering to them of goods or services or the monitoring of their behavior in the EEA.

BACKGROUND

(A)  The Customer and Digital Edict entered into the Service Agreement that may require Digital Edict to process Personal Data on behalf of the Customer.

(B)  This DPA sets out the additional terms, requirements and conditions on which the Processor will process Personal Data when providing services under the Service Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) for contracts between controllers and processors.

AGREED TERMS

  1. DEFINITIONS AND INTERPRETATION. The following definitions and rules of interpretation apply in this DPA; other definitions have the meaning given to them elsewhere in this DPA.

1.1  Definitions:

Adequate Country:  means a country or territory that is recognized under Data Protection Legislation from time to time as providing adequate protection for Customer Personal Data.

Data Subject, Special Categories, Controller, Processor, Sub-Processor, Personal Data, Process, and Processing:   have the meanings given in the Data Protection Legislation.

Data Protection Legislation:  all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and any applicable national implementing laws, regulations and secondary legislation in England and Wales relating to the processing of Personal Data and the privacy of electronic communications, as amended, replaced or updated from time to time, including the Privacy and Electronic Communications Directive (2002/58/EC) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (SI 2003/2426).

Personal Data Breach:  a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed.

Standard Contractual Clauses (SCC):  the European Commission’s Standard Contractual Clauses for the transfer of Personal Data from the European Union to processors established in third countries (controller-to-processor transfers), as set out in the Annex to Commission Decision 2010/87/EU.

1.2  This DPA is subject to the terms of the Service Agreement and is incorporated into the Service Agreement. Interpretations and defined terms set forth in the Service Agreement apply to the interpretation of this DPA. Except as amended by this DPA, the Service Agreement will remain in full force and effect. Any claims brought under this DPA shall be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Service Agreement.

1.3  The Annex forms part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annex.

1.4  A reference to writing or written includes faxes and email.

1.5  In the case of conflict or ambiguity between:

(a)  any provision contained in the body of this DPA and any provision contained in the Annex, the provision in the body of this DPA will prevail;

(b)  the terms of any accompanying invoice or other documents annexed to this DPA and any provision contained in the Annex, the provision contained in the Annex will prevail;

(c)  any of the provisions of this DPA and the provisions of the Service Agreement, the provisions of this DPA will prevail; and

(d)  any of the provisions of this DPA and any executed SCC, the provisions of the executed SCC will prevail.

  2. PERSONAL DATA TYPES; PROCESSING PURPOSES; AND CUSTOMER’S INSTRUCTIONS

2.1 Relationship. The Customer and Digital Edict acknowledge that for the purpose of the Data Protection Legislation, the Customer is a Controller or Processor and Digital Edict is the Processor of Customer Personal Data. Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to Digital Edict.

2.2 Personal Data And Processing Purposes.  Annex A describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which Digital Edict may process to provide the Services pursuant to the Service Agreement. Customer acknowledges that it determines the categories of Personal Data, if any, that it processes through the Services.

2.3 Customer’s Instructions. Customer hereby instructs Digital Edict to (i) process Customer Personal Data for the purposes of providing services under the Service Agreement; and (ii) transfer Customer Personal Data to any country or territory, all as necessary for the provision of the Services, subject to the provisions in this DPA. Customer authorizes Digital Edict to instruct each Sub-Processor within the scope of the above or any other future instruction from Customer.

2.4 Warranty And Authorization. Customer warrants and represents that its use of the Services and Digital Edict’s use of the Customer Personal Data as permitted by this DPA will comply with the Data Protection Legislation. Customer further warrants and represents that it is and will at all relevant times remain duly and effectively authorized to give the instructions on behalf of each relevant Customer Affiliate, if applicable. If Customer is a Processor, Customer represents and warrants that Customer’s instructions and actions with respect to Customer Personal Data, including the appointment of Digital Edict as another Processor, have been authorized by the relevant Controller.

2.5 Customer’s Security Responsibilities And Assessment.

(a) Customer agrees that, without prejudice to Digital Edict’s obligations under Sections 4 (Security) and 5 (Personal Data Breach): (i) Customer is solely responsible for its use of the Services, including: (1) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of Customer Personal Data that Customer chooses to process through the Services (e.g., choosing whether or not to encrypt the Customer Personal Data); and (2) securing the account authentication credentials, systems, and devices Customer uses to access the Processor Services; and (ii) Digital Edict has no obligation to protect Customer Personal Data that Customer elects to store or transfer outside of Digital Edict’s and its Sub-Processors’ systems (for example, if you use the Services in connection with Customer’s own hosting environment, whether provided by Customer directly or through a third party, Digital Edict is not responsible for that environment).

(b) Customer acknowledges and agrees that the security measures implemented and maintained by Digital Edict as described in Section 4 provide a level of security appropriate to the risk in respect to the Customer Personal Data that Customer chooses to process through the Service.

(c) If Customer uses the Services in connection with a cloud services provider, such as Amazon Web Services where Customer (and not Digital Edict) has a direct contractual relationship with that provider, then Customer must enter into a direct data processing agreement with that vendor, if required by the Data Protection Legislation, and this DPA does not apply to that processing.

  3. DIGITAL EDICT’S OBLIGATIONS

3.1  Processing Instructions. Digital Edict will only process the Customer Personal Data to the extent, and in such a manner, as is necessary for providing the Services in accordance with the Customer’s documented or written instructions (including as set forth in this DPA). Digital Edict will not process the Customer Personal Data for any other purpose or in a way that does not comply with this DPA or the Data Protection Legislation, unless required by applicable laws. Digital Edict shall notify Customer if, in its opinion, Customer’s instruction would not comply with the Data Protection Legislation. An instruction, approval, request or similar, given via the Digital Edict online platform is considered a documented or written data processing instruction from Customer.

3.2  Digital Edict shall use commercially reasonable efforts to promptly comply with any Customer request or instruction requiring Digital Edict to amend, transfer, delete or otherwise process the Customer Personal Data, or to stop, mitigate or remedy any unauthorized processing, to the extent required by the Data Protection Legislation.

3.3  Assistance. Digital Edict will reasonably assist Customer, at Customer’s expense based on Digital Edict’s standard rates, with meeting Customer’s compliance obligations under the Data Protection Legislation, taking into account the nature of Digital Edict’s processing and the information available to Digital Edict, including in relation to Data Subject rights, data protection impact assessments and reporting to and consulting with supervisory authorities under the Data Protection Legislation. The scope of such assistance shall be limited to the processing of the Customer Personal Data by Digital Edict.

  4. SECURITY

4.1 Personnel. Digital Edict shall ensure that all employees or contractors (“Digital Edict Personnel”) of Digital Edict who may have access to the Customer Personal Data, have such access only as necessary for the purposes of providing the Services and complying with applicable laws. Furthermore, all Digital Edict Personnel shall be subject to confidentiality undertakings or professional or statutory obligations of confidentiality.

4.2 Technical And Organizational Security Measures. Digital Edict shall in relation to the Customer Personal Data implement, or provide options for Customer to implement, appropriate technical and organizational measures to ensure a level of security appropriate to that risk, including, as appropriate, the measures referred to in the GDPR. In assessing the appropriate level of security, each Party shall take into account the risks that are presented by processing, in particular from a Personal Data Breach. For the avoidance of doubt, Customer determines the categories of Personal Data, if any, that are processed by the Services, and where Digital Edict makes available different security options (e.g., whether or not to encrypt certain data), Customer is solely responsible for, and shall fully indemnify, defend, and hold Digital Edict harmless from such choices.

4.3 Confidentiality. Digital Edict will take appropriate steps to maintain the confidentiality of all Customer Personal Data and will not disclose Customer Personal Data to third parties unless Customer or this DPA specifically authorizes the disclosure, or as required by law. If a law, court, regulator or supervisory authority requires Digital Edict to process or disclose Customer Personal Data, Digital Edict shall first inform Customer of the legal or regulatory requirement and give the Customer an opportunity to object or challenge the requirement, unless the law prohibits such notice.

  5. PERSONAL DATA BREACH

5.1 Notification. Digital Edict shall notify Customer without undue delay, and within 36 hours, upon Processor becoming aware of a Personal Data Breach affecting Customer Personal Data. Digital Edict shall provide Customer with sufficient information to the extent in the possession of Digital Edict to allow Customer to meet any obligations to report or inform Data Subjects or Data Protection authorities of the Personal Data Breach under the Data Protection Legislation. Customer shall not issue any public statements regarding Digital Edict unless Digital Edict has first agreed in writing to the issuance of the public statement.  Customer shall notify Digital Edict in advance of any written statements it makes to regulators or law enforcement regarding Digital Edict, unless otherwise prohibited by law. Digital Edict’s notification of or response to a Data Breach shall not be construed as acknowledgement by Digital Edict of any fault or liability with respect to the Data Breach.

5.2 Cooperation. Digital Edict shall cooperate with Customer and take such commercially reasonable steps as are directed by Customer to assist in the investigation, mitigation and remediation of each such Personal Data Breach, at Customer’s sole expense, to the extent required by Data Protection Legislation.

5.3 Remediation. Notwithstanding the above, Digital Edict may take any steps to remediate or respond to Personal Data Breach, as required by applicable law, including providing notifications to the data subjects and/or relevant authorities.

  6. CROSS-BORDER TRANSFERS OF PERSONAL DATA

Digital Edict is located in the United States and to the extent any processing of Customer Personal Data of Data Subjects located in the EEA by Digital Edict takes place in any country outside the EEA (other than exclusively in an Adequate Country), there must be a lawful basis for this transfer as required by the Data Protection Legislation. The Customer undertakes that it has received and can demonstrate that it has received the necessary consents and authorizations from the respective data subjects for the transfer of Customer Personal Data to a country outside the EEA (other than to an Adequate Country). To the extent that the Customer does not wish to rely on consent for the transfer, it may request Digital Edict at [email protected] to provide a draft of the Standard Contract Clauses. These Standard Contract Clauses, once agreed between the parties, will apply in respect of that processing. If, in the performance of the DPA, Digital Edict transfers any Customer Personal Data of Data Subjects located in the EU to a Sub-Processor (which shall include without limitation any affiliates of Digital Edict) and without prejudice to Section 7, where such Sub-Processor will process such Customer Personal Data outside the EEA (other than exclusively in an Adequate Country), Digital Edict shall ensure that a mechanism to achieve adequacy in respect of that processing is in place such as: (a) the requirement for Digital Edict to execute or procure that the third party execute on behalf of standard contractual clauses approved by the EU authorities under Data Protection Legislation; (b) the requirement for the third party to be certified under the Privacy Shield framework; or (c) the existence of any other specifically approved safeguard for data transfers (as recognized under the Data Protection Legislation) and/or a European Commission finding of adequacy.

  7. SUBCONTRACTORS

Customer grants Digital Edict general authorization to engage Sub-Processors to provide the Services (including without limitation data center operators, spam filtering, hosting services, providers of anti-fraud and reporting services and other outsourced providers), provided that Digital Edict and the Sub-Processor enter into a contract on terms that are materially at least as protective as this DPA.

From time to time, we may engage new Sub-Processors under and subject to the terms of this DPA. In such case, we will provide 30 days’ advance notice (via our website and email) prior to any new Sub-Processor obtaining any Customer Personal Data. If you do not approve of a new Sub-Processor, then Customer may terminate any applicable Services without penalty by providing, within 10 days of receipt of notice from us, written notice of termination that includes an explanation of the reasons for your non-approval. If the Services are part of a bundle or bundled purchase, then any termination will apply to its entirety.  Subject to the terms of the applicable Service Agreement, Digital Edict shall remain fully liable to Customer for the performance of the Sub-Processor’s obligations.

  8. COMPLAINTS, DATA SUBJECT REQUESTS, AND OTHER REQUIRED ASSISTANCE

8.1 Customer Obligations. Customer is and shall be solely responsible for compliance with any statutory obligations concerning requests to exercise Data Subject rights under Data Protection Legislation (e.g., for access, rectification, deletion of Customer Personal Data, etc.). Digital Edict shall reasonably assist Customer to the extent feasible in responding to requests to exercise Data Subject rights under the EU Data Protection Laws. As part of the Services, Customer may download Customer’s Personal Data through the Services (“Data Portability Right”). This Data Portability Right shall be provided as part of the service at no additional charge for the Customer.

8.2 Digital Edict Obligations. Digital Edict shall:

(a) promptly notify Customer if it receives a request from a Data Subject under Data Protection Legislation in respect of Customer Personal Data; and

(b) ensure that it does not respond to that request except on the documented instructions of Customer or as required by applicable laws to which Digital Edict is subject.

  9. AUDIT RIGHTS

9.1 Digital Edict shall make available to Customer, upon prior written request, all information necessary to reasonably demonstrate compliance with this DPA to the extent required by the EU Data Protection Laws. Digital Edict may provide industry-standard third-party audit certifications to demonstrate compliance.

9.2 Digital Edict shall allow for and contribute to audits, including inspections, by a reputable auditor mandated by Customer. The scope, duration and methods of such audit will be determined by both Parties in good faith. In any event, a third-party auditor shall be subject to confidentiality obligations. Digital Edict may object to the selection of the auditor if it reasonably believes that an auditor does not guarantee confidentiality, security or otherwise puts at risk the Digital Edict business.

9.3 Provisions of information and audits are at Customer’s sole expense, including fees charged by third party auditors appointed by Customer.

  10. TERM AND TERMINATION

10.1  This DPA will remain in full force and effect so long as:

(a)  the Service Agreement remains in effect, or

(b)  Digital Edict retains any Customer Personal Data related to the Service Agreement in its possession or control (“Term”).

10.2  Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Service Agreement in order to protect Customer Personal Data will remain in full force and effect.

10.3  Either Party’s failure to comply with the terms of this DPA is a material breach of the Service Agreement. In such event, the non-breaching Party may terminate the Service Agreement effective immediately on written notice to the non-breaching Party without further liability or obligation.

10.4  If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Service Agreement obligations, the parties will suspend the processing of Customer Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Customer Personal Data processing into compliance with the Data Protection Legislation within 30 days, they may terminate the Service Agreement on written notice to the other party.

  11. DATA RETURN AND DESTRUCTION

11.1 Customer may be provided controls to retrieve or delete Customer Personal Data. Where Digital Edict does not provide such tools for the applicable Service, upon termination of the provision of Services, Digital Edict shall delete or return all copies of Customer Personal Data upon request, except as authorized or required to be retained in accordance with applicable law.

11.2 Upon Customer’s prior written request, Digital Edict shall provide written certification to Customer that it has fully complied with this section.

  12. NOTICE

12.1  Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to:

For Customer: The contact information on file for Customer, including via email.

For Digital Edict: 20872 Raintree Lane, Trabuco Canyon, CA 92679

Email: [email protected]

12.2  Section 12.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

12.3  A notice given to Digital Edict under this DPA is not valid if sent by email unless the receipt of such email has been confirmed.

  13. CHANGES TO THIS DPA

13.1 Digital Edict may change this DPA if the change:

(a) reflects a change in the name or form of a legal entity;

(b) is required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency; or

(c) does not: (i) result in a degradation of the overall security of the Services; (ii) expand the scope of, or remove any restrictions on, Digital Edict’s processing of Customer Personal Data; and (iii) otherwise have a material adverse impact on Customer’s rights under this DPA, as reasonably determined by Digital Edict.

13.2 Notification of Changes. If Digital Edict intends to change this DPA under Section 13.1(b) or (c), Digital Edict will inform Customer at least 30 days (or such shorter period as may be required to comply with applicable law, applicable regulation, a court order or guidance issued by a governmental regulator or agency) before the change will take effect by either: (a) sending an email to the Notification Email Address; or (b) alerting Customer via the user interface for the Services. If Customer objects to any such change, Customer may terminate the DPA by giving written notice to Digital Edict within 90 days of being informed by Digital Edict of the change.

ANNEX A

PERSONAL DATA PROCESSING PURPOSES AND DETAILS

Subject matter of processing:

Digital Edict’s provision of website hosting services and any related technical support to Customer.

Duration of Processing:

The Term plus the period from the expiration of the Term until the deletion of all Customer Personal Data by Digital Edict in accordance with this DPA.

Nature of Processing:

Digital Edict provides website hosting services to assist its customers in managing their own websites, including computing, storage, reporting, deleting.

Personal Data Categories:

Customer determines the categories of personal data that it processes through the Services.

Data Subject Types:

Data subjects about whom personal data is transferred to Digital Edict in connection with the Services by, at the direction of, or on behalf of Customer.

Updated: October 09, 2020

 
