eBaoTech | eBaoTech - Eng-data-processing-addendum Site

DATA PROCESSING ADDENDUM

This Data Processing Addendum (“DPA”) supplements and forms part of the eBaoTech Subscription General Terms and Conditions available at https://www.ebaotech.com/general-clause, as updated from time to time between Client and Company, or other agreement(s) between Client and Company governing Client’s use of the Services (the “Agreement”).

This DPA is an agreement between you and the entity you represent (“Client”) and the eBaoTech Contracting Entity under the Agreement (“Company”). This DPA reflects the Parties’ agreement with regard to the Processing of Client Data (as defined below) by Company on behalf of Client in order to provide the Services pursuant to the Agreement.

1. Definitions.
All capitalized terms shall follow the definition under the Agreement unless otherwise defined specifically in this DPA as below:

Client Data  means the Personal Data that is uploaded to the Services under Client’s eBaoTech accounts, or otherwise provided by, or on behalf of Client to Company through the Use of the Services.
Controller  means the entity which, alone or jointly with others, determines the purposes and means of Processing of Personal Data.
Data Protection Laws  mean all legislations and regulations applicable to the Processing of Client Data under the Agreement, including GDPR (EU General Data Protection Regulation 2016/679) and other data protection legislations, as applicable.
Process or Processing  means any operation or set of operations performed on Client Data, including collection, storage, use, access, disclosure, erasure, destruction, and reading.
Processor  means the entity which Processes Personal Data on behalf of the Controller.
Security Incident  means a breach of Company’s security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Client Data.
Sub-processor  means the entity engaged by Processor to provide Processing activities on Personal Data on behalf of Controller. Supervisory Authority  means an independent public authority or national body responsible for monitoring the application of the applicable Data Protection Laws.

2. Data Processing.
2.1 Scope and Roles. This DPA applies when Client Data is Processed by Company as a Processor on behalf of Client as a Controller in order to provide Services pursuant to the Agreement.

For clarity, this DPA applies only to the Processing of Personal Data in environments controlled by Company and Company’s Sub-processors. For the avoidance of doubt, this includes Personal Data sent to Company through the Use of the Services but does not include Personal Data that remains on Client's premises or in any of Client’s selected third party operating environments.

2.2 Processing Details.

2.2.1  Subject matter.  The subject matter of the data processing under this DPA is Client Data.
2.2.2  Duration of the Processing.  The duration of the Processing of Client Data under this DPA corresponds to the duration of the Services unless otherwise agreed by the Parties in writing.
2.2.3  Purpose and Nature of the Processing.  Company will Process Personal Data as necessary to perform the Services pursuant to the Agreement, as further specified in the Documentation, and as further instructed by Client in its Use of the Services. The nature of the Processing is the performance of the Services pursuant to the Agreement.
2.2.4  Type of Personal Data.  Personal Data uploaded to the Services under Client’s eBaoTech accounts or otherwise provided by Client to Company.
2.2.5  Categories of Data Subjects.  The Data Subjects could include Client’s customers, employees, suppliers and End Users.
2.3  Compliance with Law.  Each party will comply with all Data Protection Laws applicable to and binding on it in the performance of this DPA. Client agrees that it shall comply with its obligations as a Controller under Data Protection Laws. Client will not use the Services in a way that would violate Data Protection Laws.

3. Client Instructions.
The Parties agree that this DPA and the Agreement constitute Client’s documented instructions regarding Company’s Processing of Client Data (“Documented Instructions”). Company will Process Client Data only in accordance with Documented Instructions from Client, unless otherwise required by Data Protection Laws. Additional instructions outside the scope of the Documented Instructions (if any) require prior written agreement between Company and Client, including agreement on any additional fees payable by Client to Company for carrying out such instructions. Client is entitled to terminate this DPA and the Agreement if Company declines to follow instructions requested by Client that are outside the scope of, or changed from, those given or agreed to be given in this DPA.

4. Confidentiality Commitment.
Company will take reasonable steps to ensure that its personnel engaged in the Processing of Client Data (i) will Process such data only on Documented Instructions from Client, and (ii) will be obligated to maintain the confidentiality and security of such data. Company imposes appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

5.  Security of Data Processing.
5.1  Security Measures.  Company has implemented and will maintain appropriate technical and organizational measures, as set out in Annex 1 (“Security Measures”), for protection of the security, confidentiality and integrity of Client Data.
5.2  Company regularly monitors compliance with the Security Measures. Client acknowledges that the Security Measures are subject to technical progress and development and that Company may update or modify the Security Measures from time to time provided that such updates and modifications will not materially decrease the overall security of the Services. Company will, at Client’s request, make available to Client corresponding information reasonably requested by Client regarding Company’s security practices and policies.

6.  Sub-processing.
6.1  General Authorization. Client acknowledges and agrees that Company may appoint its Affiliates, Amazon Web Services, Microsoft Azure, Google Cloud Platform and Oracle Cloud Infrastructure as Sub-processors to provide Processing activities on Client Data on behalf of Client.
6.2  Company shall not engage a Sub-processor to carry out specific Processing activities which fall outside the general authorization granted above without Client’s prior written authorization and, where such other Sub-processor is so engaged, Company shall ensure that the same contractual obligations set out in this DPA be imposed on that Sub-processor.
6.3  Company is responsible for its Sub-processors’ compliance with Company’s obligations in this DPA.
6.4  The Parties agree that if copies of Company’s agreements with a Sub-processor must be sent by Company to Client as required by Data Protection Laws, such copies will be provided only upon reasonable request by Client and all commercial information and provisions unrelated to this DPA will be redacted beforehand.

7.  Security Incident Notification.
7.1  Company will (i) notify Client of a Security Incident without undue delay after becoming aware of the Security Incident, and (ii) take reasonable steps to mitigate any adverse effects resulting from the Security Incident.
7.2  Notification(s) of Security Incidents will be delivered to Client by any means Company selects, including via email. It is Client’s sole responsibility to ensure Client maintains accurate contact information with Company for each applicable Service.
7.3  lient is solely responsible for complying with its third-party notification obligations related to any Security Incident as required under Data Protection Laws.
7.4  Company shall make reasonable efforts to assist Client in fulfilling Client’s obligation, as required under Data Protection Laws, to notify the relevant Supervisory Authority and Data Subjects about such Security Incident.

8.  Audit.
Subject to Client’s commitment in confidentiality, Company shall allow for, and contribute to, audits conducted by Client or another auditor designated by Client, who shall not be a direct competitor of Company, including inspections to the extent required by Data Protection Laws, during Company’s normal business hours without interference to Company’s daily operations, in accordance with the following procedures:
(a)  Company will provide Client or its designated auditor with the most recent certifications and/or summary audit report(s), which Company has procured to regularly test, assess and evaluate the effectiveness of the security measures.
(b)  If further information is needed by Client to comply with its own or other Controllers audit obligations or a competent Supervisory Authority’s request, Client shall inform Company in writing to enable Company to provide such information or to grant access to it.
(c)  To the extent that it is not possible to satisfy Client’s audit rights as stipulated in Data Protection Laws or as required by a competent Supervisory Authority unless by way of onsite visit in Company’s premise or facilities, Company shall allow the onsite visit provided that Client gives Company reasonable prior written notice of such onsite visit and such onsite visit shall be conducted on a Working Day during normal business hours mutually selected by the Parties to reduce any risk to Company’s other clients, and only in a manner that causes minimal disruption to Company’s business.

9. Transfers of Client Data.
Client Data relating to the Services of the Agreement will be stored in a location as agreed with the Client. Company will not transfer Client Data to other locations/countries. In the event of a documented instruction from Client on international transfer of Client Data for purposes of performance of the Agreement or for Company to provide the Services initiated by Client, Client shall ensure its instructions will not breach the requirements under Data Protection Laws, and each Party will ensure such transfer is made in compliance with the requirements of Data Protection Laws.

10.  Company Assistance.
10.1  Company will assist Client, when reasonably requested by Client, by technical and organizational measures for the fulfillment of Client’s obligation to comply with the rights of Data Subjects and in compliance with Client’s obligations relating to the security of Processing, the notification to Supervisory Authorities and/or communication of a Security Incident to Data Subjects, as and when required by Data Protection Laws, taking into account the nature of the Processing and the information available to Company, subject to reasonable additional charges as mutually agreed by the Parties in advance for the efforts incurred based on the then-current charging standard of Company. If Client does not agree to the quote of Company, the Parties agree to reasonably cooperate to find a feasible solution.
10.2  Data Protection Impact Assessment. Taking into account the nature of the Processing and the information available to Company, Company will assist Client in complying with Client’s obligations in respect of data protection impact assessments and prior consultation with the responsible Supervisory Authority as and when required by the Data Protection Laws, by providing the necessary information reasonably requested by Client.

11. Termination of the DPA.
This DPA will continue in force and effect until the expiry or termination of the Agreement.

12. Deletion or Return of Client Data.
Upon termination of the Agreement, Company will, subject to the terms and conditions of the Agreement or otherwise agreed with the Client, delete or return Client Data in its possessions, unless otherwise required by applicable laws.

13. Limitation of Liability.
EACH PARTY’S AND ALL OF ITS AFFILIATES’ TOTAL AND AGGREGATE LIABILITIES ARISING OUT OF OR IN CONNECTION WITH THIS DPA, WHETHER IN CONTRACT, TORT OR UNDER ANY OTHER THEORY OF LIABILITY, ARE SUBJECT TO THE LIMITATION OF LIABILITY SET OUT IN THE AGREEMENT.

14.  Miscellaneous.
14.1  In the event and to the extent of a conflict between the Agreement and this DPA, the terms of this DPA will prevail.
14.2  Company has a Data Security Committee that includes a Data Protection Officer responsible for overseeing data protection and security measures. The Data Security Committee may be contacted at security-committee@ebaotech.com.

ANNEX 1 - Security Measures
Company has implemented and will maintain for Client Data the following Security Measures, which are in conjunction with the security commitments in this DPA, and the following are Company’s only responsibility with respect to the security of Client Data.

Category	Practices
Asset Management	Assets Security. Company identifies and manages data assets, and implements appropriate operating procedures to manage such assets according to the characteristics of different types of assets.
Access Control	Access Control Policy. Company has set up a set of access control policies which standardizes user management, password management and system configuration, to ensure proper authority control. User Access Management. Company implements a formal user access provisioning process to assign or revoke access rights for all user types to each system. Company ensures that only relevant personnel can obtain appropriate access to their duties, and forms a list of user access and implements regular review of it. Company also adjusts and cancels the employee's user access right when the employee leaves post or departs from the company.
Cryptography	Cryptographic Controls. Company has formulated regulations on the management of using cryptographic control, including identification of the protection level based on risk assessment and considering the type, intensity and quality of encryption algorithm. Cryptographic Management. Company has formulated regulations on the cryptographic management so as to the whole process from the application, use, custody to destruction of key is under secure control.
Physical and Environmental Security Control	Secure Areas. Company specifies the boundaries of secure areas and takes appropriate control measures, such as physical isolation, access control systems, video surveillance, etc. Equipment and Facilities Security. Company ensures all kinds of equipment and facilities are placed in the appropriate area and appropriate protective measures are taken to reduce the risks from environmental threats and hazards, and opportunities for unauthorized access.
Operational Security Control	Operating Procedures. Company has established necessary management, operating responsibilities and procedures for all data processing facilities. Company controls the changes of data processing facilities and systems, and all system activities are under documented specification. Company also implements a clear allocation of responsibilities in accordance with the basic requirements of secure operations to reduce risks due to negligence or misuse of the system. Individuals unauthorized or unmonitored shall not be able to access, modify or use system. Planning and Management of Capacity. Company ensures that each controlled information system is able to identify capacity requirements so as to guarantee timely assessment and improvement of the availability and efficiency when necessary. Separation of Development, Testing and Operational Environments. Company identifies the separation level among the operation, testing and developing environment of the controlled information system to prevent overstepping or unauthorized operations. Protection from Malware. Company has established effective computer virus prevention, detection and killing mechanism, implements the detection and protection control to prevent malware, and improves employees’ sense of prevention. Backup. Company implements backup procedures and implements effective test on the backup data. Audit Logging and Logging Protection. Company has established logging management regulations to prevent logging storage facilities from unauthorized tempering and operational problems. Important audit loggings are archived, including details such as user ID, date, time and key events, as well as system configuration, special access rights, the use of system utilities and applications. Control of Operational Software. Company implements management procedures on software installations, and designates special personnel who have the skills that meet the requirements of daily software installation to install software on operating systems according the procedures. Clock Synchronization. Company synchronizes the clocks to ensure the accuracy of the system loggings. Technical Vulnerability Control. Company timely obtains the technical vulnerability information of controlled information systems to assess the protection of this kind of technical vulnerability and take appropriate control measures. Information Systems Audit Control. Company implements information systems audit strictly in accordance with relevant audit procedures and policies. Company makes detailed planning and assesses the risks associated with information systems audit when doing the audits.
Communications Security Control	Network Security Management. Company implements network security management, divides the network secure areas, monitors and manages the network equipment and activities, develops network security policies and operating procedures, and protects the network information and supporting facilities. Information Processing Procedures. Company has established a management procedure that handles, processes, stores and classifies information consistent with its communications, and dispose and mark all the media according to the classification standard.
System Security Control	Prevention of Data Disclosure. Company limits the risk of data disclosure, regularly assesses the external communications security of data, conceals and adjusts the communication behavior of the system to reduce the possibility that third parties will infer information from these actions. Company also regularly monitors the activities of individuals and system as well as the use of resources in computer systems under the existing laws and regulations. System Security Testing. Company implements security testing on information system regularly and take a comprehensive testing before the information system gets online. System Acceptance Testing. The requirements and principles of the acceptance of new system will be clearly defined, formed into documents and through testing before the construction of new information system. The upgrade of new system and the update of new version will be operated online as a product only after formal testing and acceptance.
Security Incident Control	Policy on Information Security Incident. Company has established the monitoring, reporting, warning, disposal, rectification mechanism of information security incident. Company maintains a record of security incident, and knowledge gained from analyzing and resolving such incidents will be used to reduce the likelihood or impact of future incidents.
Business Continuity Control	Business Continuity Management. Company has established the mechanism of identifying potential hazards that could lead to interruptions of business, as well as the possibility and impact of such interruptions and the security consequences due to the interruptions. Company has formulated continual planning and implements emergency drills to ensure timely recovery upon interruptions or failure in critical business processes and to guarantee the availability of information.