Where applicable, this Data Processing Addendum (“DPA”) is hereby incorporated in the Polydom Terms of Service (the “Terms”), unless you (“Customer”) have entered into a superseding written agreement with Polydom Inc., a corporation with its principal place of business located at 700 7th Street SW #506, Washington, DC 20024, USA (“Polydom”, “we”, or “us”), in which case, it forms a part of such written agreement. Polydom may amend this DPA from time to time on its website as its business evolves. Any revisions will become effective on the date Polydom publishes the changes.
This DPA specifies the data protection obligations of the parties, which arise from the processing of Personal Data on behalf of the Customer as stipulated in the Terms. It applies to all activities performed in connection with the Terms in which the staff of Polydom or a third party acting on behalf of Polydom may come into contact with Customer Data. This DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) (“GDPR”).
“Customer” means the entity which determines the purposes and means of the Processing of Customer Data (the Data Controller).
“Customer Data” means any “Personal Data” (as defined in GDPR) that is provided by or on behalf of Customer in the course of using the Services and Processed by Polydom pursuant to this DPA.
“Data Subject” means the Customer’s guest or end-user whose Personal Data is Processed.
“Data Controller” and “Data Processor” shall have the meanings set out in GDPR.
“Instruction” means the written instruction issued by Customer to Data Processor to perform a specific action with regard to Customer Data.
“Privacy Laws” means all applicable data protection and privacy legislation, regulations, and guidance, including but not limited to GDPR.
“Process”, “Processing”, or “Processed” shall have the meanings set out in GDPR.
“Personal Data Breach” shall have the meaning set out in GDPR.
The parties acknowledge that Customer is the Data Controller and Polydom is the Data Processor of Customer Data. In some circumstances, Customer may be a Processor, in which case Customer appoints Polydom as its sub-processor. This shall not change the obligations of either party under this DPA.
Customer warrants that Customer Data has been obtained fairly and lawfully and, in all respects, in compliance with the Privacy Laws.
Polydom shall:
2.3.1. Process Customer Data only within the scope of Customer’s written Instructions as set out in this DPA. Polydom shall inform the Customer if, in its opinion, an Instruction infringes Privacy Laws. Polydom is not obligated to follow an Instruction where it would cause Polydom to breach its own legal obligations.
2.3.2. Ensure that all Polydom personnel who are involved in the Processing of Customer Data have committed themselves to confidentiality.
2.3.3. Implement and maintain appropriate technical and organizational security measures to protect Customer Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. These measures shall include, at a minimum:
2.3.4. Notify the Customer without undue delay, and where feasible, no later than 72 hours after becoming aware of a Personal Data Breach.
2.3.5. Taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures with meeting its compliance obligations, including responding to Data Subject rights requests and ensuring compliance with obligations pursuant to Articles 32 to 36 of the GDPR.
2.3.6. Upon Customer’s request following the termination or expiry of the Terms, delete or anonymize all Customer Data. Data shall be deleted from production servers within ninety (90) days and from backup systems within twelve (12) months.
Customers agree that Polydom may engage third-party sub-processors to fulfill its obligations. Polydom shall enter into a written agreement with each sub-processor imposing data protection obligations that are no less protective than those in this DPA. Polydom shall remain fully liable for any acts or omissions of its sub-processors.
Polydom may, by giving no less than thirty (30) days’ notice to the Customer, add or make changes to its sub-processors. Customers may object to the appointment of an additional sub-processor within fourteen (14) calendar days of such notice on reasonable grounds relating to the protection of Customer Data. If the objection cannot be reasonably resolved, Polydom may (at its sole discretion) (a) cancel its plans to use the sub-processor, (b) take corrective steps to remove the objection, or (c) cease to provide the aspect of the Services involving that sub-processor. If no option is reasonably available, either party may terminate the applicable Terms.
The list of current sub-processors for Polydom Inc. is as follows:
Polydom processes Customer Data in data centers located in the United States (New York, NYC1 region). When transferring Personal Data from the European Economic Area (EEA) or other regions with comprehensive data protection laws, Polydom relies on Standard Contractual Clauses (SCCs) or other appropriate transfer mechanisms to ensure the lawfulness of such transfers.
Upon reasonable request, Polydom shall make available to the Customer all information necessary to demonstrate compliance with its obligations under this DPA. Polydom shall allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer (who is not a competitor of Polydom), at the Customer's expense, no more than once per year, provided that such audit is not unreasonably burdensome.