SRS Acquiom Workspaces LLC Data Processing Addendum

This Data Processing Addendum (“DPA”) supplements the SRS Acquiom Workspaces Terms of Use (available at ws.acquiom.com/terms, as updated from time to time by SRSA) and the associated Order Form (together, the “Agreement”) governing Customer’s use of SRSA’s File Sharing Solutions (the “Services”). This DPA is an agreement between SRS Acquiom Workspaces LLC having its principal place of business at 950 17th Street, Suite 1400, Denver, Colorado 80202 (“Company” or “Processor”), and the customer entity defined as the “Customer” in the Agreement (“Customer” or “Controller”). This DPA is incorporated into and forms part of the Agreement, and except as expressly amended by the terms of this DPA, the terms and conditions of the Agreement remain unchanged and will continue in full force and effect. Capitalized terms used but not defined herein shall have the meaning set forth in the Agreement. This DPA applies solely with respect to personal data that may be contained within Workspace Content that is uploaded to the Online Room of the Controller and is regulated by Data Protection Laws.

Each party shall comply with the legal requirements under Data Protection Laws.  “Data Protection Laws” means all applicable laws, rules, regulations, or implementing legislation that relate to the data privacy or security of personal data of individuals, including, as applicable: (A) the General Data Protection Regulation 2016/679 (“GDPR”), as well as any other applicable national rule and legislation on the protection of personal data in the European Union or any Member State that is already in force or that will come into force during the term of this DPA; (B) the United Kingdom Data Protection Act of 2018 and the GDPR as it forms part of UK domestic law under the European Union (Withdrawal) Act 2018, as amended (“UK GDPR”); and (C) the California Consumer Privacy Act (“CCPA”), and any other data protection laws substantially amending, replacing, or superseding the CCPA. The terms “personal data,” “processing,” “personal data breach,” and “data subject”, or similar terms, have the meaning given in the Data Protection Laws.

1.  Controller hereby instructs Processor to process personal data for providing the Services described in the Agreement and Annex 1 to this DPA.  

Processor will process personal data only on behalf of Customer to deliver Services in accordance with the Agreement or Customer’s other documented instructions. Specifically, Customer is disclosing personal data solely for the limited and specified purpose of receiving the Services and Processor shall only process personal data for the limited and specified purpose of Processor providing the agreed upon Services under the Agreement.  Processor shall not (a) sell or share (each within the meaning of the CCPA) Customer’s personal data, (b) retain, use, or disclose any personal data  for any purpose other than for the Business Purposes (as defined in the CCPA) specified in the Agreement, including for any Commercial Purpose (as defined in the CCPA) other than the Business Purposes specified in the Agreement, (c) retain, use, or disclose the personal data outside of the direct business relationship between Customer and Processor; or (d) combine personal data that the Processor receives from, or on behalf of, Customer with personal data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with the consumer, except to perform any Business Purpose required by the Agreement. Notwithstanding anything in the Agreement, the parties acknowledge and agree that Processor’s access to personal data does not constitute part of the consideration exchanged by the parties in respect of the Agreement. Processor certifies and acknowledges that (i) it understands the restrictions set forth in this section and will at all times comply with them; (ii) it will comply with the applicable  obligations under the CCPA, and shall provide the same level of privacy protection as is required by the CCPA; (iii) Controller shall be permitted to take reasonable and appropriate steps to help ensure that Processor uses personal data in a manner consistent with Controller’s obligations under the CCPA; (iv) it will notify Controller if it makes a determination that it can no longer meet its obligations under the CCPA; and (v) it will grant Controller the right, upon reasonable notice, to take reasonable and appropriate steps to stop and remediate any unauthorized use of Customer’s personal data. To the extent required by the CCPA, Controller shall inform Processor of any consumer requests made pursuant to the CCPA that they must comply with, and shall provide all information necessary for Processor to comply with such request.

2.  Processor undertakes to take the technical, organizational and structural measures necessary to ensure the security, integrity and confidentiality of the personal data it processes in connection with this DPA as described in Annex 2 to the DPA and this Section 2. In particular, Processor will take security measures to prevent any personal data breach, including with respect to:

a. destruction, alteration, misuse or loss of the personal data made accidentally or without authorization of the Controller;

b. disclosure of or access to the personal data in an accidental or non-authorized manner; or

c. any form or purpose of processing of the personal data which would be unlawful, unauthorized or not provided for in this DPA.

Security measures shall provide in particular that:

a. premises where personal data is processed are secured;

b. authentication/identification mechanisms to access personal data on information systems are in place;

c. a password policy is implemented and enforced;

d. the network and the information systems are protected against intrusions and other attacks;

e. backups of personal data are regularly performed; and

f. the personnel and the staff of the third party processors processing personal data are properly trained on confidentiality, integrity, and availability measures.


3.  Controller agrees that Processor may use sub-processors to fulfill its contractual obligations under this DPA or to provide certain services on its behalf. Annex 3 to the DPA lists sub-processors that are currently engaged by Processor or its affiliates to carry out processing activities with respect to Customer’s personal data. Processor shall notify Controller if it adds or removes sub-processors at least 10 days prior to any such changes if Controller opts in to receive such notifications by notifying Processor of such intent. Controller reserves the right to object (with reasonable cause) to a sub-processor, or the appointment of a new sub-processor who processes any Controller personal data. Prior to engaging any sub-processor, Processor shall enter into a written contract with such sub-processor containing data protection obligations at least equivalent in substance to those in this DPA.  Processor shall be liable for all acts and omissions of the sub-processor as if they were Processor’s acts and omissions.

4.  Processor will comply with all requirements of this DPA and Data Protection Laws to which it is subject with respect to all personal data received from or processed for Controller. Without limiting the generality of the foregoing, Processor will:

a. ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;

b. take all measures required to protect Customer’s personal data, including, without limitation, implementing and maintaining reasonable safeguards appropriate to protect Customer’s personal data;

c. process Customer’s personal data only on documented instructions from Customer, unless required to do so by law to which Processor is subject; in such a case, the Processor will inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;

d. taking into account the nature of the processing, assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under Data Protection Laws; and

e. assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor.

Processor will immediately inform the Controller if, in its opinion, an instruction from Controller infringes Data Protection Laws, or if Processor believes that it cannot comply with any instruction or any requirements under this DPA.

5.  Processor will, to the extent required under the applicable Data Protection Laws, without undue delay, and within the period specified by applicable law, inform the Controller of any personal data breach.

Processor will promptly investigate such personal data breach and will, to the extent required under the applicable Data Protection Laws, provide Controller with reasonable assistance to satisfy any legal obligations (including obligations to notify data protection authorities or data subjects) of Controller in relation to such personal data breach.

6.  Upon termination of the Agreement (in whole or in part) or earlier upon Controller’s request, and at Controller’s choice, Processor will, unless any applicable law, competent court, or supervisory or regulatory body prevents Processor from returning or destroying the personal data transferred:

a. destroy all personal data processed and any copies thereof and certify to Controller on request that Processor has done so; or

b. in accordance with Controller’s instructions, return all personal data processed and the copies thereof to Controller or other recipient identified by Controller.

7.  Processor may monitor and audit (either through self-audit or third-party audit) its own compliance with its obligations under Data Protection Laws and this DPA (“Company Audit”) and will provide Controller with such Company Audit (if one is performed) upon Controller’s written request (except that Processor will provide such Company Audit no more than once per calendar year).

8.  Upon Controller’s request, Processor shall, no more than once per calendar year make available for Controller’s review copies of certifications or reports demonstrating Processor’s compliance with prevailing data security standards applicable to the processing of Controller’s personal data.  To the extent required by Data Protection Laws and if Controller requires information in addition to such reports, Processor shall make available to Controller on request all information reasonably necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections by Controller or an auditor mandated by Controller, not being competitors of Processor (“Mandated Auditor”) of any premises where the processing of Customer’s personal data takes place in order to assess compliance with this DPA (a “Customer Audit”).  Processor shall provide reasonable cooperation to Controller with respect to a Customer Audit.  Controller agrees that: (a) a Customer Audit may only occur during normal business hours, and where possible only after reasonable notice to Processor (not less than 20 days’ advance written notice); (b) a Customer Audit will be conducted in a manner that does not have any adverse impact on Processor’s normal business operations; (c) Controller and any Mandated Auditor will comply with Processor’s standard safety, confidentiality, and security procedures in conducting any Customer Audit; (d) any records, data, or information accessed by Controller or any Mandated Auditor in the performance of any Customer Audit will be deemed to be the Confidential Information of Processor; and (e) a Customer Audit shall be at the Customer’s sole cost and expense.  If the controls or measures to be assessed in a request for a Customer Audit are addressed in a Company Audit, Controller agrees to accept such Company Audit in lieu of requesting a Customer Audit.

9.  Processor will assist Controller, to the extent reasonably possible, to comply with applicable law in a reasonable time. Without limiting the generality of the foregoing, Processor will assist Controller, at the Controller’s cost, in responding to any request from a data subject and in ensuring compliance with its obligations under Data Protections Laws with respect to security, breach notifications, impact assessments and consultations with supervisory authorities or regulators, if any that relate to the Services provided by Processor to Controller and the personal data that Processor handles for Controller.

10.  Processor will, to the extent required by applicable Data Protection Laws, notify Controller without undue delay:

a. about any legally binding request for disclosure of personal data by a law enforcement authority, unless otherwise prohibited, such as a prohibition under criminal law to preserve the confidentiality of a law enforcement investigation; and

b. about any complaints and requests received directly from data subjects (e.g., regarding access, rectification, erasure, data portability, objection to processing of data, automated decision-making), and assist Controller with a response and resolution of the request, but not respond until Controller provides instructions.

11.  In connection with the performance of the Agreement, Processor may be a recipient of personal data in the United States originating from the European Economic Area, Switzerland or the UK (“European, Swiss or UK Data”).  In such case, Processor will comply with the following:

a.    The EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework self-certification programs (as applicable) operated by the U.S. Department of Commerce; as may be amended, superseded or replaced (the “Data Privacy Framework”).  Processor will use the Data Privacy Framework to lawfully receive European, Swiss or UK Data in the United States and ensure that it provides at least the same level of protection to such data as is required by the means the Principles and Supplemental Principles contained in the relevant Data Privacy Framework; as may be amended, superseded or replaced (collectively, the “Data Privacy Framework Principles”) and will let Customer know if it is unable to comply with this requirement.

b. Standard Contractual Clauses. If Data Protection Laws require that appropriate safeguards are put in place (for example, if the Data Privacy Framework does not cover the transfer to Processor and/or the Data Privacy Framework is invalidated), the Standard Contractual Clauses described in Sections 12 and 13 below, as applicable, shall apply to the transfer. 

12.  With respect to any transfers of personal data originating from the European Economic Area or Switzerland to Processor in a country whose laws have not been deemed by the European Commission to provide an adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or the Data Privacy Framework described in Section 11(a) above, the parties agree to comply with the relevant terms of the European Commission’s decision (C(2021)3972) of 4 June 2021 on Standard Contractual Clauses (Module Two: Transfer controller to processor) for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/678 (available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj?uri=CELEX:32021D0914&locale=en), which are incorporated into this DPA by reference (the “EU SCCs”).  The parties hereby agree that details in Annex 1 to this DPA will be used to complete Annex I of the EU SCCs, and details in Annex 2 to this DPA will be used to complete Annex II of the EU SCCs.  In accordance with Clause 2 of the EU SCCs, the parties wish to supplement the EU SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to contradict the EU SCCs (whether directly or indirectly) or to prejudice the fundamental rights and freedoms of data subjects.  Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the EU SCCs, including without limitation the following:

a. The instructions described in Clause 8.1(a) are as set forth in Sections 1 and 4(c) of this DPA.

b. In the event a data subject requests a copy of the EU SCCs or this DPA in accordance with Clause 8.3 of the EU SCCs, data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.

c. Certification of deletion of personal data under Clause 8.5 and Clause 16(d) of the EU SCCs shall be provided upon the written request of data exporter.

d. Data importer shall be deemed in compliance with Clause 8.8 of the EU SCCs to the extent such onward transfers occur in accordance with Article 4 of the Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

e. Any information requests or audits provided for in Clause 8.9 of the EU SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.

f. Pursuant to Clause 9(a) Option 2 of the EU SCCs, data exporter agrees that data importer may engage new sub-processors as described in Section 3 of this DPA.  With respect to Clause 9 of the EU SCCs, the parties select the time period set forth in Section 3 of this DPA.

g. The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 12(a), 12(d), and 12(f) of the EU SCCs.

h. The parties agree that, for purposes of Clause 13 of the EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR EU SCCs, the data exporter’s competent supervisory authority will be determined in accordance with the GDPR.

i. Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clause 14(f) or Clause 16 of the EU SCCs. 

j. With respect to Clause 17 of the EU SCCs, the parties select the law of Ireland.

k. With respect to Clause 18 of the EU SCCs, the parties agree that any dispute arising from the EU SCCs shall be resolved by the courts of Ireland.

l. With respect to transfers of personal data originating from Switzerland: (i) the term “member state” as used in the EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland of suing for their rights in their place of habitual residence in accordance with Clause 18(c) of the EU SCCs; (ii) the EU SCCs shall also protect the data of legal entities until the entry into force of the revised Swiss Federal Act of Data Protection (FADP) on or about 1 January 2023; (iii) references to the GDPR or other governing law contained in the EU SCCs shall also be interpreted to include the FADP; and (iv) the parties agree that the supervisory authority as indicated in Clause 13 and Annex I.C of the EU SCCs shall be the Federal Data Protection and Information Commissioner (FDPIC) of Switzerland.

In the event of a direct conflict between the terms of this DPA and the terms of the EU SCCs, the EU SCCs will control.  The EU SCCs shall automatically terminate once the Customer’s personal data transfer governed thereby becomes lawful under Data Protection Laws in the absence of such EU SCCs on any other basis and acknowledged by the parties.

13.  With respect to any transfers of personal data originating from the United Kingdom to Processor in a country whose laws have not been deemed by the government of the United Kingdom to provide an  adequate level of protection for personal data, and such transfer is not subject to an alternative adequate transfer mechanism under Data Protection Laws or the Data Privacy Framework described in Section 11(a) above, the parties agree to comply with the relevant terms of the United Kingdom’s standard contractual clauses for international transfers from controllers to processors (available at: https://ico.org.uk/media/for-organisations/documents/2620100/uk-sccs-c-p-202107.docx), which are incorporated into this DPA by reference (the “UK SCCs”).  The parties hereby agree that details in Annex 1 to this DPA will be used to complete Appendix 1 of the UK SCCs, and details in Annex 2 to this DPA will be used to complete Appendix 2 of the UK SCCs.  In accordance with Clause 10 of the UK SCCs, the parties wish to supplement the UK SCCs with additional commercial clauses, which shall neither be interpreted nor applied in such a way as to overlap or contradict the UK SCCs (whether directly or indirectly), reduce the level of protection that the data importer is required to provide for personal data, or to reduce the rights of data subjects or make it more difficult for them to exercise their rights.  Processor (as “data importer”) and Controller (as “data exporter”) therefore agree that the applicable terms of the Agreement and this DPA shall apply if, and to the extent that, they are permitted under the UK SCCs, including without limitation the following:

a. In the event a data subject requests a copy of the UK SCCs or this DPA in accordance with Clause 4(h) of the UK SCCs, data exporter data exporter shall make all redactions reasonably necessary to protect business secrets or other confidential information of data importer.

b. The instructions described in Clause 5(a) are as set forth in Section 1 of this DPA.

c. Any information requests or audits provided for in Clauses 5(f) and 12(2) of the UK SCCs shall be fulfilled in accordance with Sections 7 and 8 of this DPA.

d. Pursuant to Clause 5(h) of the UK SCCs, data exporter acknowledges and expressly agrees that data importer may engage new sub-processors as described in Section 3 of this DPA.

e. Copies of any sub-processor agreements required to be sent to data exporter under Clause 5(j) of the UK SCCs shall only be sent upon data exporter’s written request.  The parties agree that data importer may remove or redact all commercial information unrelated to the UK SCCs or their equivalent beforehand.

f. Certification of deletion of personal data as described in Clause 12(1) of the UK SCCs shall be provided upon the written request of data exporter.

g. Section 6 of this DPA, which governs termination, shall apply to a termination pursuant to Clauses 5(a) and 5(b) of the UK SCCs.

h. The relevant sections of the Agreement, which govern indemnification and limitation of liability, shall apply to data importer’s liability under Clause 6(2) of the UK SCCs.

In the event of a direct conflict between the terms of this DPA and the terms of the UK SCCs, the UK SCCs will control.  The UK SCCs shall automatically terminate once the Customer’s personal data transfer governed thereby becomes lawful under Data Protection Laws in the absence of such UK SCCs on any other basis and acknowledged by the parties.

14.  All obligations under this DPA apply in addition to, not in lieu of, any other contractual, statutory and other obligations of Processor.

15.  In case of any conflict or inconsistency, the order of precedence in respect of the processing of personal data shall be: the Annexes to this DPA, this DPA, and then the Agreement.

16.  This DPA shall not restrict the Data Protection Laws. If any provision in this DPA is ineffective or void, this shall not affect the remaining provisions. The parties shall replace the ineffective or void provision with a lawful provision that reflects the business purpose of the ineffective or void provision.  In case a necessary provision is missing, the parties shall add an appropriate one in good faith.

17.  This DPA shall commence on the date that the Agreement is deemed agreed to by the Customer.


Annex 1: Subject Matter and Details of the Data Processing

Full description of the Services provided by the ProcessorProcessor provides Controller hosted data storage, sharing, and collaboration services during the term of the Controller’s subscription for Services.
Types of data subject whose personal data is ProcessedThe data subjects may include Controller or third party’s customers, employees, suppliers, end-users, and other third-parties.
Types of personal data processedWorkspace Content (to the extent to which in contains “personal data”) that is uploaded by Controller or its invited End Users to Controller’s Online Room created using the Services.
The purpose, nature and subject matter of the processingThe purpose, nature and subject matter of the processing of personal data by Processor, under this DPA, are those processing operations which are necessary to provide the Services which are referred to herein.
Duration of processingThe term of the Controller’s subscription to the Services.
Frequency of the transferContinuous basis during the term of the Agreement.
The period for which the personal data will be retainedDuration of performance of the Services, except as required by applicable law or if related Workspace Content is earlier deleted by Controller or authorized end-user.
Sensitive DataNo sensitive data expected by the parties.


Annex 2: Security Measures 

"Security Measures" shall be defined as:
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

  • the encryption of Customer’s personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  • the ability to restore the availability and access to Customer’s personal data in a timely manner in the event of a physical or technical incident;
  • a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

In furtherance  of the above definition and the measures described in Section 2 of the DPA, Processor shall take the following specific Security Measures set forth below.

1. Physical access control
Measures to prevent unauthorized persons from gaining access to data processing systems for processing or using Customer’s personal data:

  • Definition of persons who are granted physical access;
  • Electronic access control;
  • Issuance of access IDs;
  • Implementation of policy for external individuals;
  • Security doors (electronic door opener, ID reader); and
  • Implementation of measures for on-premise security (e.g. intruder alert/notification).

2. Logical access control
Measures to prevent unauthorized persons from using data processing equipment and procedures:

  • Definition of persons who may access data processing equipment;
  • Implementation of policy for external individuals; and
  • Password protection of personal computers. 

3. Data access control
Measures that ensure that persons entitled to use a data processing system gain access only to such Customer’s personal data as they are entitled to accessing in accordance with their access rights:

  • Allocation of separate terminals/work stations and of ID-parameters exclusively to specific functions;
  • Implementation of partial access rights for respective data and functions;
  • Requirement of identification vis-à-vis the data processing system (e.g. via ID and authentication)
  • Implementation of policy on access- and user-roles; and
  • Evaluation of protocols in case of damaging incidents.


4. Data transfer control
Measures to ensure that Customer’s personal data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Customer’s personal data by means of data transmission facilities can be established and verified.

5. Entry control
Measures to ensure that it is possible to check and ascertain whether Customer’s personal data have been entered into, altered or removed from data processing systems and if so, by whom:

  • Logging of data entry. 

6. Control of instructions
Measures to ensure that Customer’s personal data are processed strictly in compliance with Customer’s instructions:

  • Documentation of distinction of competences and obligations between Customer and Processor;
  • Formal assignment process; and
  • Control of work results.

7. Availability control
Measures to ensure that Customer’s personal data is protected against accidental destruction or loss:

  • Realization of a regular backup schedule;
  • Control of condition and respective labelling of data carriers for data backup purposes; 
  • Implementation and regular control of emergency power systems and overvoltage protection systems;
  • Implementation of an emergency plan; and
  • Protocol on the initiation of crisis- and/or emergency management.

8. Control of data set separation
Logical separation of data of each of Processor’s customers.

9. Strong encryption
Strong encryption for the transport and storage of personal data (transport encryption and data-at-rest encryption). Strong encryption includes:

  • Transport encryption is used for which it is ensured that the encryption protocols employed are state-of-the-art and provide effective protection against active and passive attacks with resources known to be available to the public authorities of the third country;
  • Encryption algorithm and its parameterization (e.g., key length, operating mode, if applicable) conform to the state-of-the-art and to be considered robust against cryptanalysis performed by the public authorities in the recipient country taking into account the resources and technical capabilities (e.g., computing power for brute-force attacks) available to them;
  • Strength of the encryption takes into account the specific time period during which the confidentiality of the encrypted personal data must be preserved; and
  • Encryption algorithm is implemented by properly maintained software in accordance with industry standards.
    Processor: (a) has not purposefully created back doors or similar programming that could be used to access the system and/or personal data, except as required for Processor’s regular management of the system or personal data; (b) has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, except as required for Processor’s regular management of the system or personal data; and (c) is not aware of any national law or government policy that would require the importer to create or maintain back doors or to facilitate access to personal data or systems or for the Processor to hand over the encryption key.


Annex 3: Subprocessors 

Processor uses the following subprocessors in the performance of the Service.

SubprocessorsLocation
Amazon AWSSeattle, WA USA
BrightcoveBoston, MA USA
Google WorkspacesMountain View, CA USA
Microsoft CorporationRedmond, WA USA