Data Processing Agreement
This Data Processing Agreement (“DPA”) forms an integral part of the Ecomlad Terms and Conditions, available at the website https://www.ecomlad.com/terms-of-service/ (“Ecomlad Terms and Conditions”), between: (i) applicable Ecomlad Company as described in the Terms and Conditions (“Ecomlad”) acting on its own behalf and as agent for each Ecomlad’s affiliate; and (ii) User, as defined in the Ecomlad Terms and Conditions. By using the Services, User accepts the terms of this DPA.
This DPA sets out the additional terms, requirements and conditions on which Ecomlad will process Personal Data when providing services under the Ecomlad Terms and Conditions and shall come into force simultaneously with Terms and Conditions whenever updated by Ecomlad accordingly. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”) for contracts between controllers and processors.
This website is owned and operated by Ecomlad, LLC. (“Company,” “we,” or “us”).
Definitions and interpretation: The following definitions and rules of interpretation apply in this DPA. Definitions:
Affiliate: any entity controlling, controlled by, or under common control with a party, where “control” is defined as: (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.
Alternative Transfer Solution: a solution, other than the Model Contract Clauses, that enables the lawful transfer of personal data to a third country in accordance with Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).
Authorised Persons: the persons or categories of persons that User authorises to give the Ecomlad personal data processing instructions either nominated by User or with ostensible or actual authority.
Business Purposes: the Services described in the Ecomlad Terms and Conditions.
Data Protection Legislation: all applicable privacy and data protection laws including the General Data Protection Regulation ((EU) 2016/679) and, to the extent applicable, the data protection or privacy laws of any other country.
Data Subject: an individual who is the subject of Personal Data.
Model Contract Clauses: the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.
Personal Data: means any information relating to an identified or identifiable natural person that is processed by the Ecomlad as a result of, or in connection with, the provision of the services under the Ecomlad Terms and Conditions; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Processing, processes and process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes or process. It includes any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.
Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
This DPA is subject to the terms of the Ecomlad Terms and Conditions and is incorporated into the Ecomlad Terms and Conditions. Interpretations and defined terms set forth in the Ecomlad Terms and Conditions apply to the interpretation of this DPA.
The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Any reference to this DPA includes the Annexes.
A reference to writing or written includes email.
In the case of conflict or ambiguity between any provision contained in the body of this DPA and any provision contained in the Annexes, the provision in the body of this DPA will prevail.
Duration of DPA
This DPA will take effect as stipulated in the recitals above and shall remain in effect until, and expire in accordance with clause 12.
Personal data types and processing purposes
The User retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to the Ecomlad.
Annex 1 describes the subject matter, duration, nature and purpose of processing and the Personal Data categories and Data Subject types in respect of which the Ecomlad may process to fulfil the Business Purposes of the Ecomlad Terms and Conditions.
Processing of Data
Ecomlad and User Responsibilities. If the Data Protection Legislation applies to the processing of User Personal Data, the parties acknowledge and agree that:
- The subject matter and details of the processing are described in Annex 1;
- Ecomlad is a processor of that User Personal Data under the Data Protection Legislation;
- User is a controller or processor, as applicable, of that User Personal Data under the Data Protection Legislation; and
- User instructs Ecomlad (and authorises processor and each processor affiliate to instruct each subprocessor) to in particular, transfer User Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with Ecomlad Terms and Conditions; and
- each party will comply with the obligations applicable to it under the Data Protection Legislation with respect to the processing of that User Personal Data.
If the Data Protection Legislation applies to the processing of User Personal Data and User is a processor, User warrants to Ecomlad that User’s instructions and actions with respect to that User Personal Data, including its appointment of Ecomlad as another processor, have been authorized by the relevant controller.
Ecomlad will, taking into account the nature of the processing, assist the User by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Data Protection Legislation.
Ecomlad will assist the controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the processor.
Scope of Processing
User’s Instructions. By entering into this DPA, User instructs Ecomlad to process User Personal Data only in accordance with applicable law: (a) to provide the Services and related technical support; (b) as documented in the form of the Ecomlad Terms and Conditions, including this DPA; and (d) as further documented in any other written instructions given by User and acknowledged by Ecomlad as constituting instructions for purposes of this DPA.
Ecomlad’s Compliance with Instructions. Ecomlad will comply with the instructions described in Section 5.1 (User’s Instructions) (including with regard to data transfers) unless EU or EU Member State law to which Ecomlad is subject requires other processing of User Personal Data by Ecomlad, in which case Ecomlad will inform User (unless that law prohibits Ecomlad from doing so on important grounds of public interest) via the User email address.
Ecomlad will ensure that all employees:
- Are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
- Have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
- Are aware both of the Ecomlad’s duties and their personal duties and obligations under the Data Protection Legislation and this DPA.
Ecomlad must at all times implement appropriate technical and organisational measures against unauthorised or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display or distribution of Personal Data, and against accidental or unlawful loss, destruction, alteration, disclosure or damage of Personal Data. Technical and organisational measures are specified in Annex 2.
Ecomlad must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:
- The pseudonymisation and encryption of personal data;
- The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- The ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and
- Process for regularly testing, assessing and evaluating the effectiveness of security measures.
Personal Data Breach
Ecomlad will promptly and without undue delay notify User if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. The Ecomlad will restore such Personal Data at its own expense.
Ecomlad will immediately and without undue delay notify User if it becomes aware of:
- Any accidental, unauthorised or unlawful processing of the Personal Data; or
- Any Personal Data Breach.
Where Ecomlad becomes aware of (a) and/or (b) above, it shall, without undue delay, also provide User with the following information:
- Description of the nature of (a) and/or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
- The likely consequences; and
- Description of the measures taken, or proposed to be taken to address (a) and/or (b), including measures to mitigate its possible adverse effects.
Immediately following any unauthorised or unlawful Personal Data processing or Personal Data Breach, the parties will co-ordinate with each other to investigate the matter. Ecomlad will reasonably co-operate with User in User’s handling of the matter in accordance with Data Protection Legislation.
Ecomlad will not inform any third party of any Personal Data Breach without first obtaining User’s prior written consent, except when required to do so by law.
Ecomlad agrees that User has the sole right to determine:
- Whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in User’s discretion, including the contents and delivery method of the notice; and
- Whether to offer any type of remedy to affected Data Subjects, including the nature and extent of such remedy.
Cross-border transfers of personal data
Data storage and processing facilities. User agrees that Ecomlad may, subject to Section 9.2 (Transfers of Data out of the EEA), store and process User Data in the United States of America and any other country in which Ecomlad or any of its subprocessors maintains facilities.
Transfers of Data out of the EEA.
- Ecomlad’s Transfer Obligations. If the storage and/or processing of User Personal Data (as set out in Section 9.1 (Data storage and processing facilities)) involves transfers of User Personal Data out of the EEA and the Data Protection Legislation applies to the transfers of such data (“Transferred Personal Data”), Ecomlad will:
- If requested to do so by User, ensure that Ecomlad as the data importer of the Transferred Personal Data enters into Model Contract Clauses with User as the data exporter of such data, and that the transfers are made in accordance with such Model Contract Clauses; and/or
- Offer an Alternative Transfer Solution, ensure that the transfers are made in accordance with such Alternative Transfer Solution, and make information available to User about such Alternative Transfer Solution.
- User’s Transfer Obligations. In respect of Transferred Personal Data, User agrees that:
- If under the Data Protection Legislation Ecomlad reasonably requires User to enter into Model Contract Clauses in respect of such transfers, User will do so; and
- If under the Data Protection Legislation Ecomlad reasonably requires User to use an Alternative Transfer Solution offered by Ecomlad, and reasonably requests that User take any action (which may include execution of documents) strictly required to give full effect to such solution, User will do so.
Disclosure of Confidential Information containing Personal Data. If User has entered into Model Contract Clauses as described in Section 9.2 (Transfers of Data out of the EEA), Ecomlad will, notwithstanding any term to the contrary in the applicable agreement, ensure that any disclosure of User’s Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made in accordance with such Model Contract Clauses.
Consent to subprocessor engagement. User specifically authorizes the engagement of Ecomlad’s Affiliates as subprocessors. In addition, Ecomlad generally authorizes the engagement of any other third parties as subprocessors (“Third Party Subprocessors”). If User has entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data out of the EEA), the above authorizations will constitute User’s prior written consent to the subcontracting by Ecomlad of the processing of User Data if such consent is required under the Model Contract Clauses.
Information about subprocessors. Information about subprocessors is available in Annex 1 (as may be updated by Ecomlad from time to time in accordance with this DPA).
Requirements for subprocessor engagement. When engaging any subprocessor, Ecomlad will:
- Ensure via a written contract that:
- The subprocessor only accesses and uses User Data to the extent required to perform the obligations subcontracted to it, and does so in accordance with the applicable agreement (including this DPA) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by Ecomlad as described in Section 9.2 (Transfers of Data out of the EEA); and
- If the Data Protection Legislation applies to the processing of User Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are imposed on the subprocessor; and
- Remain fully liable for all obligations subcontracted to, and all acts and omissions of, the subprocessor.
Opportunity to object to subprocessor changes:
- When any new Third Party Subprocessor is engaged during the applicable term, Ecomlad will, at least 30 days before the new Third Party Subprocessor processes any User Data, inform User of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) by sending an email to the email address.
- User may object to any new Third Party Subprocessor by terminating the applicable agreement immediately upon written notice to Ecomlad, on condition that User provides such notice within 90 days of being informed of the engagement of the subprocessor as described in Section 10.4(a). This termination right is User’s sole and exclusive remedy if User objects to any new Third Party Subprocessor.
Complaints, data subject requests and third party rights
Ecomlad shall take such technical and organisational measures as may be appropriate, and promptly provide such information to User as User may reasonably require, to enable User to comply with:
- The rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
- Information or assessment notices served on User by any supervisory authority under the Data Protection Legislation.
Ecomlad shall notify User immediately if it receives any complaint, notice or communication that relates directly or indirectly to the processing of the Personal Data or to either party’s compliance with the Data Protection Legislation.
Ecomlad must notify User within 24 hours if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.
Ecomlad will give User its full co-operation and assistance in responding to any complaint, notice, communication or Data Subject request.
Ecomlad must not disclose the Personal Data to any Data Subject or to a third party other than at User’s request or instruction, as provided for in this Agreement or as required by law.
Term and termination
This DPA will remain in full force and effect so long as:
- Ecomlad Terms and Conditions remains in effect, or
- Ecomlad retains any Personal Data related to the Ecomlad Terms and Conditions in its possession or control (Term).
Any provision of this DPA that expressly or by implication should come into or continue in force on or after termination of the Ecomlad Terms and Conditions in order to protect Personal Data will remain in full force and effect.
Ecomlad’s failure to comply with the terms of this DPA is a material breach of the Ecomlad Terms and Conditions. In such event, User may terminate the Ecomlad Terms and Conditions effective immediately on written notice to the Ecomlad without further liability or obligation.
If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its Ecomlad Terms and Conditions obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties are unable to bring the Personal Data processing into compliance with the Data Protection Legislation, they may terminate relations with Ecomlad Terms and Conditions on written notice to Ecomlad.
Data return and destruction
Where it is applicable under legislation at User’s request, the Ecomlad will give User a copy of or access to all or part of User’s Personal Data in its possession or control in the format and on the media reasonably specified by User.
On termination of relations with Ecomlad for any reason Ecomlad will securely delete or destroy or, if directed in writing by User, return and not retain, all or any Personal Data related to this DPA in its possession or control.
If any law, regulation, or government or regulatory body requires the Ecomlad to retain any documents or materials that the Ecomlad would otherwise be required to return or destroy, it will notify User in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.
Ecomlad will certify in writing that it has destroyed the Personal Data within no more than 90 (ninety) days after it completes the destruction, unless Data Protection Legislation requires storage.
Where it is applicable under legislation Ecomlad will keep detailed, accurate and up-to-date written records regarding any processing of Personal Data it carries out for User in accordance with Data Protection Legislation, including but not limited to, the access, control and security of the Personal Data, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organisational security measures (Records).
Ecomlad will ensure that the Records are sufficient to enable User to verify the Ecomlad’s compliance with its obligations under this DPA and the Ecomlad will provide User with copies of the Records upon request.
User may, prior to the commencement of processing, and at regular intervals thereafter, audit the technical and organizational measures taken by Ecomlad. For such purpose, User may:
- Obtain information from Ecomlad,
- Request Ecomlad to submit to User an existing attestation or certificate by an independent professional expert.
Ecomlad shall, upon User’s written request and within a reasonable period of time, provide User with all information necessary for such audit, to the extent that such information is within User’s control and User is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.
Ecomlad may object in writing to an auditor appointed by User to conduct any audit under this clause if the auditor is, in Ecomlad’s reasonable opinion, not suitably qualified or independent, a competitor of Ecomlad, or otherwise manifestly unsuitable. Any such objection by Ecomlad will require User to appoint another auditor or conduct the audit itself.
The User warrants and represents that the Ecomlad’s expected use of the Personal Data for the Business Purposes and as specifically instructed by User will comply with the Data Protection Legislation.
Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to: email@example.com
Clause 17.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.
Annex 1 - Personal Data Processing Purposes and Details
Subject matter of processing: Ecomlad’s provision of the Services and related technical support to User.
Duration of Processing: Personal Data will be Processed for the duration of the DPA.
Nature of Processing: Ecomlad will process User Personal Data submitted, stored, sent or received by User via the Services for the purposes of providing the Services and related technical support to Ecomlad in accordance with the DPA.
Personal Data Categories: Contact Information, the extent of which is determined and controlled by the User in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end users via the Service.
Data Subject Types: Personal data submitted, stored, sent or received via the Services may concern the following categories of data subjects: end users including User’s employees; and any other person who transmits data via the Services.
Ecomlad and Ecomlad Affiliates may engage third party suppliers to provide other services such as facilities management, maintenance and security services from time to time.
Annex 2 - Security Measures
This Annex forms an integral part of the DPA and describes the technical and organizational security measures implemented by Ecomlad. Ecomlad may update or modify these security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services.
- Ecomlad stores all production data in physically secure data centers.
- Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks or other necessary devices help provide this redundancy. The Services are designed to allow Ecomlad to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturer’s or internal specifications. Preventative and corrective maintenance of the data center equipment is scheduled through a standard change process according to documented procedures.
- The data center electrical power systems are designed to be redundant and maintainable without impact to continuous operations, 24 hours a day, and 7 days a week. In most cases, a primary as well as an alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over voltage, under voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at full capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators are capable of automatically starting up within seconds to provide enough emergency electrical power to run the data center at full capacity typically for a period of days.
- Ecomlad has designed and regularly plans and tests its business continuity planning/disaster recovery checks.
- Preventing Unauthorized Services Access:
- Ecomlad hosts its Service with outsourced cloud infrastructure providers.
- Additionally, Ecomlad maintains contractual relationships with vendors in order to provide the Service in accordance with DPA. Ecomlad relies on contractual agreements, privacy policies, and vendor compliance procedures in order to protect data processed or stored by these vendors.
- Ecomlad hosts its Services infrastructure with multi-tenant, outsourced infrastructure providers.
- Ecomlad implemented a uniform password policy for its Services and correspondent tools and features. Users who interact with the Services via the user interface must authenticate before accessing non-public user data.
- User data is stored in multi-tenant storage systems accessible to User via only application user interfaces and application programming interfaces. Users are not allowed direct access to the underlying application infrastructure. The authorization model in each of the tools and features of Ecomlad Services is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions.
- Public Services APIs may be accessed using an API key.
- Preventing Unauthorized Services Use. Ecomlad implements industry standard access controls and detection capabilities for the internal networks that support its Services:
- Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the Services infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignment, and traditional firewall rules.
- Ecomlad implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
- Security reviews of parts of the code stored in Ecomlad source code repositories are performed, checking for coding best practices and identifiable software flaws.
- Ecomlad conducts penetration tests annually. The intent of the penetration tests is to identify and resolve foreseeable attack vectors and potential abuse scenarios.
- A bug bounty program invites and incentivizes independent security researchers to ethically discover and disclose security flaws. Ecomlad implemented a bug bounty program in an effort to widen the available opportunities to engage with the security community and improve the Services defenses against sophisticated attacks.
- Authorization Requirements: A subset of Ecomlad and Ecomlad affiliates’ employees have access to User data via controlled interfaces. The intent of providing access to a subset of employees is to provide effective customer support, to troubleshoot potential problems, to detect and respond to security incidents and implement data security. Ecomlad and Ecomlad affiliates’ employees are required to conduct themselves in a manner consistent with the Ecomlad guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
Transmission Control: Ecomlad makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. Ecomlad HTTPS implementation uses industry standard algorithms and certificates.
- Ecomlad designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests partly. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. Ecomlad personnel, including security, are responsive to known incidents.
- Ecomlad maintains a record of known security incidents that includes description, dates and times of relevant activities, and incident disposition. Suspected and confirmed security incidents are investigated by security, operations, or support personnel; and appropriate resolution steps are identified and documented. For any confirmed incidents, Ecomlad will take appropriate steps to minimize User damage or unauthorized disclosure.
- If Ecomlad becomes aware of unlawful access to Ecomlad data stored within its Services, Ecomlad will:
- notify the affected Users of the incident;
- provide a description of the steps Ecomlad is taking to resolve the incident; and
- provide status updates to the User contact, as Ecomlad deems necessary.
- Notification(s) of incidents, if any, will be delivered to one or more of the User’s contacts in a form Ecomlad selects, which may include via email or telephone.
- The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
- Backup and replication strategies are designed to ensure redundancy and fail-over protections during a significant processing failure. Ecomlad data is backed up to multiple durable data stores and replicated across multiple availability zones.
- Where feasible, production databases are designed to replicate data between no less than 1 primary and 1 secondary database. All databases are backed up and maintained using at least industry standard methods.
Ecomlad Services are designed to ensure redundancy and seamless failover. The server instances that support the Services are also architected with a goal to prevent single points of failure. This design assists Ecomlad operations in maintaining and updating the Services applications and backend while limiting downtime.