This Data Processing Agreement (“DPA”) reflects the parties’ agreement with respect to the Processing of Personal Data by us on behalf of you in connection with CyLogic/CyDrive’s Services under the Terms and Conditions between you and us (also referred to in this DPA as the “Agreement”).
This DPA is supplemental to, and forms an integral part of, the Agreement as specified in the Agreement.
We may update the terms of the DPA from time to time. If you have an active CyDrive subscription, we will let you know when we do via email or via in-app notification.
1.1. This Data Processing Agreement applies to the processing of personal data subject to EU Data Protection Law for the Services to be provided by Data Controller.
1.2. Any capitalized terms not otherwise defined in this DPA shall have the meaning given to them in the Agreement.
2.1. Terms used in this Data Processing Agreement that have meanings ascribed to them in the EU Data Protection law, including but not limited to “Processing”, “Personal Data”, “Data Controller” and “Processor,” shall carry the meanings set forth under EU Data Protection Law (the “GDPR”).
2.2. “Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.3. “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective party in the role of Processing Personal Data in question under the Agreement, including without limitation European Data Protection Laws, the CCPA and the data protection and privacy laws of Australia and Singapore; in each case as amended, repealed, consolidated or replaced from time to time.
2.4. “Data Subject” means the individual to whom Personal Data relates.
2.5. "Europe" means the European Union, the European Economic Area and/or their member states, Switzerland and the United Kingdom.
2.6. “European Data” means Personal Data that is subject to the protection of European Data Protection Laws.
2.7. "European Data Protection Laws" means data protection laws applicable in Europe, including: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) ("GDPR"); (ii) Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector; and (iii) applicable national implementations of (i) and (ii); or (iii) in respect of the United Kingdom, any applicable national legislation that replaces or converts in domestic law the GDPR or any other law relating to data and privacy as a consequence of the United Kingdom leaving the European Union; and (iv) Swiss Federal Data Protection Act on 19 June 1992 and its Ordinance; in each case, as may be amended, superseded or replaced.
2.8. “Instructions” means the written, documented instructions issued by a Controller to a Processor, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, depersonalizing, blocking, deletion, making available).
2.9. "Permitted Affiliates" means any of your Affiliates that (i) are permitted to use the Subscription Services pursuant to the Agreement, but have not signed their own separate agreement with us and are not a “Customer” as defined under the Agreement, (ii) qualify as a Controller of Personal Data Processed by us, and (iii) are subject to European Data Protection Laws.
2.10. “Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is protected similarly as personal data, personal information or personally identifiable information under applicable Data Protection Laws.
2.11. “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by us and/or our Sub-Processors in connection with the provision of the Subscription Services. "Personal Data Breach" will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
2.12. "Privacy Shield" means the EU-U.S. and Swiss-US Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to its Decision of July 12, 2016 and by the Swiss Federal Council on January 11, 2017 respectively; as may be amended, superseded or replaced.
2.13. “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data.
2.14. The terms “Process”, “Processes” and “Processed” will be construed accordingly.
“Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller.
2.15. “Sub-Processor” means any Processor engaged by us or our Affiliates to assist in fulfilling our obligations with respect to the provision of the Subscription Services under the Agreement. Sub-Processors may include third parties or our Affiliates but will exclude any HubSpot employee or consultant.
3.1. Insofar as the Data Processor will be processing Personal Data subject to EU Data Protection Law in the course of the performance of the Agreement with the Data Controller, the terms of this Data Processing Agreement shall apply.
3.2. In the event of a conflict between any provisions of the Agreement and the provisions of this DPA, the provisions of this DPA shall govern and control.
3.3. Subject to the provisions of the Agreement, to the extent that the Data Processor’s data processing activities are not adequately described in the Agreement, the Data Controller will determine the scope, purposes, and manner by which the Personal Data may be accessed or processed by the Data Processor. Data Processor will process the Personal Data only as set forth in Data Controller’s written instructions and no Personal Data will be processed unless explicitly instructed by the Controller.
3.4. The Data Processor will only process the Personal Data to the extent that this is required for the provision of the Services. Should the Data Processor reasonably believe that a specific processing activity beyond the scope of the Data Controller’s instructions is required to comply with a legal obligation to which the Data Processor is subject, the Data Processor shall inform the Data Controller of that legal obligation and seek explicit authorization from the Data Controller before undertaking such processing. The Data Processor shall never process the Personal Data in a manner inconsistent with the Data Controller’s documented instructions. The Data Processor shall immediately notify the Data Controller if, in its opinion, any instruction infringes this Regulation or other Union or Member State data protection provisions. Such notification will not constitute a general obligation on the part of the Data Processor to monitor or interpret the laws applicable to the Data Controller, and such notification will not constitute legal advice to the Data Controller.
3.5. The Parties have entered into an Agreement in order to benefit from the capabilities of the Processor in securing and processing the Personal Data. The Data Processor shall be allowed to exercise its own discretion in the selection and use of such means as it considers necessary to pursue those purposes, provided that all such discretion is compatible with the requirements of this Data Processing Agreement, in particular the Data Controller’s written instructions.
3.6. The Data Controller warrants that it has all necessary rights to provide the Personal Data to the Data Processor for the Processing to be performed in relation to the Services, and that one or more lawful bases set forth in EU Data Protection Law support the lawfulness of the Processing. To the extent required by EU Data Protection Law, the Data Controller is responsible for ensuring that all necessary privacy notices are provided to data subjects, and unless another legal basis set forth in EU Data Protection Law supports the lawfulness of the processing, that any necessary data subject consents to the Processing are obtained, and for ensuring that a record of such consents is maintained. Should such a consent be revoked by a data subject, the Data Controller is responsible for communicating the fact of such revocation to the Data Processor, and the Data Processor remains responsible for implementing Data Controller’s instruction with respect to the processing of that Personal Data.
4.1. Without prejudice to any existing contractual arrangements between the Parties, the Data Processor shall treat all Personal Data as confidential and it shall inform all its employees, agents and/or approved sub-processors engaged in processing the Personal Data of the confidential nature of the Personal Data. The Data Processor shall ensure that all such persons or parties have signed an appropriate confidentiality agreement, are otherwise bound to a duty of confidentiality, or are under an appropriate statutory obligation of confidentiality.
5.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Data Controller and Data Processor shall implement appropriate technical and organizational measures to ensure a level of security of the processing of Personal Data appropriate to the risk.
5.2. Both parties shall maintain all necessary written security policies that are fully implemented and applicable to the processing of Personal Data. At a minimum, such policies should include assignment of internal responsibility for information security management, devoting adequate personnel resources to information security, carrying out verification checks on permanent staff who will have access to the Personal Data, conducting appropriate background checks, requiring employees, vendors and others with access to Personal Data to enter into written confidentiality agreements, and conducting training to make employees and others with access to the Personal Data aware of information security risks presented by the Processing.
5.3. At the request of the Data Controller, the Data Processor shall demonstrate the measures it has taken pursuant to this Article 5 and shall allow the Data Controller to audit and test such measures. Unless otherwise required by a Supervisory Authority of competent jurisdiction, the Data Controller shall be entitled on giving at least 30 days’ notice to the Data Processor to carry out or have carried out by a third party who has entered into a confidentiality agreement with the Data Processor, audits of the Data Processor’s premises and operations as these relate to the Personal Data. The Data Processor shall cooperate with such audits carried out by or on behalf of the Data Controller and shall grant the Data Controller’s auditors reasonable access to any premises and devices involved with the Processing of the Personal Data. The Data Processor shall provide the Data Controller and/or the Data Controller’s auditors with access to any information relating to the Processing of the Personal Data as may be reasonably required by the Data Controller to ascertain the Data Processor’s compliance with this Data Processing Agreement, and/or to ascertain the Data Processor’s compliance with any approved code of conduct or approved certification mechanism referenced in Article 5.4.
5.4. The Data Processor’s adherence to either an approved code of conduct or to an approved certification mechanism recognized under EU Data Protection Law may be used as an element by which the Data Processor may demonstrate compliance with the requirements set out in Article 5.1.
6.1. The Parties acknowledge that security requirements are constantly changing, and that effective security requires frequent evaluation and regular improvements of outdated security measures. The Data Processor will therefore evaluate the measures as implemented in accordance with Article 5 on an on-going basis in order to maintain compliance with the requirements set out in Article 5. The Parties will negotiate in good faith the cost, if any, to implement material changes required by specific updated security requirements set forth in EU Data Protection Law or by data protection authorities of competent jurisdiction.
6.2. Where an amendment to the Agreement is necessary in order to execute a Data Controller instruction to the Data Processor to improve security measures as may be required by changes in EU Data Protection Law from time to time, the Parties shall negotiate an amendment to the Agreement in good faith.
7.1. The Data Processor shall promptly notify the Data Controller of any planned permanent or temporary transfers of Personal Data to a third country, including a country outside of the European Economic Area without an adequate level of protection, and shall only perform such a transfer after obtaining authorization from the Data Controller, which may be refused at its own discretion. Annex 4 provides a list of transfers for which the Data Controller grants its authorization upon the conclusion of this DPA.
7.2. To the extent that the Data Controller or the Data Processor are relying on a specific statutory mechanism to normalize international data transfers and that mechanism is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, the Data Controller and the Data Processor agree to cooperate in good faith to promptly suspend the transfer or to pursue a suitable alternate mechanism that can lawfully support the transfer.
8.1. When the Data Processor becomes aware of an incident that has a material impact on the Processing of the Personal Data that is the subject of the Agreement, it shall promptly notify the Data Controller about the incident, shall at all times cooperate with the Data Controller, and shall follow the Data Controller’s instructions with regard to such incidents, in order to enable the Data Controller to perform a thorough investigation into the incident, to formulate a correct response, and to take suitable further steps in respect of the incident.
8.2. The term “incident” used in Article 8.1 shall be understood to mean in any case: (a) a complaint or a request with respect to the exercise of a data subject’s rights under EU Data Protection Law; (b) an investigation into or seizure of the Personal Data by government officials, or a specific indication that such an investigation or seizure is imminent; (c) any unauthorized or accidental access, processing, deletion, loss or any form of unlawful processing of the Personal Data; (d) any breach of the security and/or confidentiality as set out in Articles 4 and 5 of this DPA leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, the Personal Data, or any indication of such breach having taken place or being about to take place; (e) where, in the opinion of the Data Processor, implementing an instruction received from the Data Controller would violate applicable laws to which the Data Controller or the Data Processor are subject.
8.3. The Data Processor shall at all times have in place written procedures which enable it to promptly respond to the Data Controller about an incident. Where the incident is reasonably likely to require a data breach notification by the Data Controller under EU Data Protection Law, the Data Processor shall implement its written procedures in such a way that it is in a position to notify the Data Controller without undue delay after the Data Processor becomes aware of such an incident.
8.4. Any notifications made to the Data Controller pursuant to this Article 8 shall be made by sending an email to legal@CyLogic.com (executive) of the Data Controller whose contact details are provided below and, in order to assist the Data Controller in fulfilling its obligations under EU Data Protection Law, should contain: (a) a description of the nature of the incident, including where possible the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; (b) the name and contact details of the Data Processor’s data protection officer or another contact point where more information can be obtained; (c) a description of the likely consequences of the incident; and (d) a description of the measures taken or proposed to be taken by the Data Processor to address the incident including, where appropriate, measures to mitigate its possible adverse effects.
9.1. The Data Processor shall not subcontract any of its Service-related activities consisting (partly) of the processing of the Personal Data or requiring Personal Data to be processed by any third party without the prior written authorization of the Data Controller.
9.2. The Data Controller authorizes the Data Processor to engage sub-processors for the service-related Data Processing activities. Data Processor shall inform the Data Controller of any addition or replacement of such sub-processors giving the Data Controller an opportunity to object to such changes. If the Data Controller timely sends the Processor a written objection notice, setting forth a reasonable basis for objection, the Parties will make a good-faith effort to resolve Data Controller’s objection. In the absence of a resolution, the Data Processor will make commercially reasonable efforts to provide Data Controller with the same level of service described in the Agreement, without using the sub-processor to process Data Controller’s Personal Data. If the Data Processor’s efforts are not successful within a reasonable time, each Party may terminate the portion of the service which cannot be provided without the sub-processor, and the Data Controller will be entitled to a pro-rated refund of the applicable service fees.
9.3. Notwithstanding any authorization by the Data Controller within the meaning of the preceding paragraph, the Data Processor shall remain fully liable vis-à-vis the Data Controller for the performance of any such sub-processor that fails to fulfill its data protection obligations.
9.4. The Data Processor shall ensure that the sub-processor is bound by data protection obligations compatible with those of the Data Processor under this DPA, shall supervise compliance thereof, and must in particular impose on its sub-processors the obligation to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of EU Data Protection Law.
9.5. The Data Controller may request that the Data Processor audit a Third-Party Sub-processor or provide confirmation that such an audit has occurred (or, where available, obtain or assist customer in obtaining a third-party audit report concerning the Third-Party Sub-processor’s operations) to ensure compliance with its obligations imposed by the Data Processor in conformity with this DPA.
10.1. Upon termination of this DPA, upon the Data Controller’s written request, or upon fulfillment of all purposes agreed in the context of the Services whereby no further processing is required, the Data Processor shall, at the discretion of the Data Controller, either delete, destroy or return all Personal Data to the Data Controller and destroy or return any existing copies.
10.2. The Data Processor shall notify all third parties supporting its own processing of the Personal Data of the termination of the Data Processing Agreement and shall ensure that all such third parties shall either destroy the Personal Data or return the Personal Data to the Data Controller, at the discretion of the Data Controller.
11.1. The Data Processor shall assist the Data Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Data Controller’s obligation to respond to requests for exercising the data subject’s rights under the EU Data Protection Law.
11.2. Taking into account the nature of processing and the information available to the Data Processor, the Data Processor shall assist the Data Controller in ensuring compliance with obligations pursuant to Section 5 (Security), as well as other Data Controller obligations under EU Data Protection Law that are relevant to the Data Processing, including notifications to a supervisory authority or to Data Subjects, the process of undertaking a Data Protection Impact Assessment, and with prior consultations with supervisory authorities.
11.3. The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with the Data Processor’s obligations and allow for and contribute to audits, including inspections, conducted by the Data Controller or another auditor mandated by the Data Controller.
12.1. The Data Processor indemnifies the Data Controller and holds the Data Controller harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Controller arising out of a breach of this Data Processing Agreement and/or the EU Data Protection Law by the Data Processor. The Data Controller indemnifies the Data Processor and holds the Data Processor harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the Data Processor arising out of a breach of this Data Processing Agreement and/or the EU Data Law by the Data Controller.
13.1. This DPA shall come into effect on the effective date of the Agreement.
13.2. Termination or expiration of this DPA shall not discharge the Data Processor from its confidentiality obligations pursuant to Article 4.
13.3. The Data Processor shall process Personal Data until the date of expiration or termination of the Agreement between the parties, unless instructed otherwise by the Data Controller, or until such data is returned or destroyed on instruction of the Data Controller.
14.1. In the event of any inconsistency between the provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail.
14.2. This Data Processing Agreement is governed by the laws of [Country]. Any disputes arising from or in connection with this Data Processing Agreement shall be brought exclusively before the competent court of [Jurisdiction].