Data Protection Addendum

TERMS OF SERVICE

PRIVACY POLICY

 

REFINU INC.

DATA PROTECTION ADDENDUM

 

This Data Processing Addendum (the “Addendum”) is made as of the date last executed below and forms part of the agreement set forth at Terms of Service (the “Principal Agreement”) between Refinu Inc. (“Refinu”) and the “Client” identified below. All capitalized terms not defined herein shall have the meaning set forth in the Principal Agreement.

RECITALS

A.              While performing services for Client pursuant to the Principal Agreement, Refinu may collect and/or process personal data on behalf of Client; and

 

B.             The parties desire to enter into this Addendum with respect to such processing of personal data.

 

AGREEMENT

            NOW, THEREFORE, Refinu and Client agree as follows:

1.              Definitions.

1.1.         The following terms have the meanings set out below:

Applicable Law” means the California Consumer Privacy Act, the GDPR, and any applicable laws of (a) the United Sates, (b) any state, commonwealth or district located in the United States, and (c) any locality located in the United States.

 

Client Personal Data” means any Personal Data Processed by Refinu on behalf of Client pursuant to or in connection with the Principal Agreement;

 

GDPR” means EU General Data Protection Regulation 2016/679;

 

Permitted Purpose” means the performance of the Services by Refinu;

 

Services” means the services performed by or on behalf Refinu for Client pursuant to the Principal Agreement; and

 

Sub-processor” means any person appointed by or on behalf of Refinu to Process Client Personal Data in connection with the Principal Agreement.

 

1.2.         The terms “Data Subject”, “Personal Data”, “Personal Information, “Personal Data Breach”, and “Processing” shall have the same meaning as given under Applicable Law.

 

2.              Processing. Client instructs Refinu to Process Client Personal Data for the Permitted Purpose. Refinu will not Process Client Personal Data other than on the documented instructions of Client, unless Processing is required by Applicable Law, in which case Refinu shall (to the extent permitted by Applicable Law) inform Client of that legal requirement before the Processing of that Client Personal Data.

 

3.              Confidentiality. Refinu will treat Client Personal Data as Client’s Confidential Information (as that term is defined in the Principal Agreement) pursuant to the Principal Agreement.

 

4.              Security. Refinu and Client shall each, in relation to the Client Personal Data, implement appropriate technical and organizational measures to ensure a level of security appropriate to that risk.

 

5.              Cooperation. Refinu shall (at Client’s expense) provide reasonable and timely assistance, cooperation and information for Client to respond to any of the following in accordance with Client’s obligations under Applicable Law: (a) any request from a Data Subject to exercise any of their rights under the GDPR (including rights of access, correction, objection, erasure and data portability, as applicable); (b) any other correspondence, enquiry or complaint received from a Data Subject or governmental authority in connection with the Processing of the Client Personal Data; or (c) any Personal Data Breach with respect to Client Personal Data. If any such request, correspondence, inquiry or complaint is made directly to Refinu, or if Refinu becomes aware of a Personal Data Breach with respect to Client Personal Data, Refinu shall promptly notify Client of the same.

 

6.              Audit; Data Protection Impact Assessment. On reasonable prior written notice and subject to the confidentiality obligations of the Principal Agreement, Client will have the right to audit Refinu’s compliance with this Addendum. Refinu shall (at Client’s expense) reasonably cooperate with Client in connection with any data protection impact assessment that Client may be required to perform under Applicable Law.

 

7.              Deletion or Return of Client Personal Data. Upon termination or expiration of the Principal Agreement, Refinu shall, if directed to do so by Client, destroy or return to Client all Client Personal Data in its possession or control. This requirement shall not apply to the extent that Refinu is required by Applicable Law to retain Client Personal Data, or to Client Personal Data Refinu has archived on back-up systems, in which event Refinu shall securely isolate and protect such baked-up Client Personal Data from any further Processing.

 

8.              Principal Agreement. This Addendum is subject to the Principal Agreement; provided, that, any conflict between the terms of this Addendum and the Principal Agreement shall be resolved in favor of this Addendum.

 

9.              Sub-processors; Client Processors. Client consents to the Processing of their Customer’s Personal Data for the Permitted Purpose by the following Refinu Sub-processors: [e.g., Amazon Web Services, Google, Xero, Xelp].