This Data Processing Addendum, including its Schedules (“DPA”) is supplemental to, and forms an integral part of, the agreement for the provision of Saas Subscriptions (hereafter the “Services”) between Tilia and the legal entity defined thereunder as Customer (the “Agreement”). This DPA shall be effective on the effective date of the Agreement, unless this DPA is separately executed in which case it shall be effective on the date upon which the Customer countersigns the DPA (“Effective Date”). Tilia and Customer shall each be referred to herein as a “Party” and collectively as the “Parties”. In the course of providing the Services to Customer pursuant to the Agreement, Tilia may Process Personal Data on behalf of Customer and the Parties agree to comply with the following provisions with respect to any Personal Data, each acting reasonably and in good faith. All capitalized terms not defined in this DPA shall have the meanings ascribed to them in the Agreement.
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity, provided that as such definition pertains to Tilia, it is limited to those legal entities doing business under the “Tilia” trademark or tradename. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
“Applicable Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Agreement, including, where applicable, EU & UK Data Protection Law and the CCPA.
“California Consumer Privacy Act” or “CCPA” means the California Consumer Privacy Act of 2018, as may be amended from time to time.
“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Process”, and “Processing” shall have the meanings ascribed to them under the Applicable Data Protection Laws.
“Customer” means the entity that executed the Agreement together with its Affiliates (for so long as they remain Affiliates) which have signed Order Forms.
“Customer Data” or “Your Data” bears the meaning ascribed to it in the Agreement, provided that such data is electronic data and information submitted by or for Customer to the Services.
“Data Breach” means (i) the loss or misuse (by any means) of Personal Data; (ii) the inadvertent, unauthorized, and/or unlawful disclosure, access, alteration, corruption, transfer, sale, rental, destruction, or use of Personal Data; or (iii) any other act or omission that compromises or may compromise the security, confidentiality, or integrity of Personal Data.
“Tilia” means the Tilia entity that is a Party to the Agreement and this DPA.
“Tilia Group” means Tilia and its Affiliates engaged in the Processing of Personal Data.
“EU/UK Data Protection Law” means (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation (“EU GDPR”); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under or pursuant to (i) or (ii), in each case as may be amended or superseded from time to time.
“Purposes” shall mean Tilia’s provision of the Services under the Agreement.
“Restricted Transfer” means (i) where the EU GDPR applies, a transfer of Personal Data to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of Personal data to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.
“Standard Contractual Clauses” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council as currently set out at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj (“EU SCCs”); and (ii) where the UK GDPR applies, the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the Data Protection Act 2018 (“UK Addendum”).
“Sub-processor” means any other Data Processor engaged by a member of the Tilia Group to Process Personal Data.
“Usage Data” means data gathered by Tilia from the Services reflecting Customer’s usage, behavior and activity within the Services and used to optimize Tilia’s provision of Services, at all times excluding Customer Data and Personal Data.
2. PROCESSING OF PERSONAL DATA
2.1. Roles of the Parties. The Parties acknowledge and agree that (i) with regard to the Processing of Personal Data, Customer is the Controller and Tilia is a Processor; (ii) with respect to CCPA, Tilia shall Process Personal Data as a “service provider” as defined therein; and (iii) to the extent any Usage Data is considered Personal Data under Applicable Data Protection Laws, Tilia is the Controller of such data and shall Process such data in accordance with the Agreement and Applicable Data Protection Laws.
2.2. Tilia’s Processing of Personal Data. Tilia will Process Personal Data only for the Purposes. Customer shall ensure its Processing instructions are lawful and that the Processing of Personal Data in accordance with such instructions will not violate Applicable Data Protection Laws. The Parties agree that the Agreement (including this DPA) sets out Customer’s complete and final instructions to Tilia for the Processing of Customer Personal Data. Any Processing outside the scope of these instructions will require prior written agreement between the Parties.
2.3. Customer’s Processing of Personal Data. Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws, including any applicable requirement to provide notice to Data Subjects of the use of Tilia as Processor. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data. Customer specifically acknowledges and agrees that its use of the Services will not violate the rights of any Data Subject, including those that have opted-out from sales or other disclosures of Personal Data, to the extent applicable under Applicable Data Protection Laws.
2.4. Details of the Processing. The subject-matter of Processing of Personal Data by Tilia is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are further specified in Schedule 1 (Description of Processing/Transfer) hereto.
3.1 Authorized Sub-processors. The current list of Tilia’s Sub-processors engaged in Processing Personal Data for the performance of the Services, including a description of their processing activities and countries of location, is listed on the Sub-processor webpage which can be found at (https://tilialabs.com/terms-and-conditions/). Customer specifically consents to the use of the listed Sub-processors. For clarity, this Section 3.1 (Authorized Sub-Processors) constitutes Customer’s general consent for Tilia’s engagement of onward Sub-processors under the Standard Contractual Clauses.
3.2. Sub-processor Obligations. Tilia shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations no less protective of Personal Data than Tilia’s obligations hereunder to the extent applicable to the nature of the services provided by such Sub-processor; and (ii) remain liable for each Sub-processor’s compliance with the obligations hereunder. Upon written request, Tilia shall provide Customer all relevant information it reasonably can in connection with its applicable Sub-processor agreements where required to satisfy Customer’s obligations under Applicable Data Protection Laws.
3.3. Changes to Sub-processors. In the event Tilia wishes to make a change to its list of Sub-processors, Tilia shall notify Customer in writing of any intended changes to that list through the addition or replacement of Sub-processors at least thirty (30) days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of a new Sub-processor (the “Objection Period”). During the Objection Period, Customer may object in writing to Tilia’s appointment of the new Sub-processor, provided that such objection is based on reasonable grounds relating to data protection. In such event, the Parties will discuss Customer’s concerns in good faith with a view to achieving resolution. If Customer can reasonably demonstrate that the new Sub-processor is unable to Process Personal Data in compliance with the terms of this DPA and Tilia cannot provide an alternative Sub-processor, or the Parties are not otherwise able to achieve resolution, Customer, as its sole and exclusive remedy, may terminate any order forms with respect only to those aspects of the Services which cannot be provided by Tilia without the use of the new Sub-processor by providing written notice to In such an event, Tilia will refund Customer any prepaid unused fees associated with the order forms following the effective date of termination for the terminated Services.
4.1. Controls for the Protection of Customer Data. Tilia shall maintain appropriate technical and organizational measures for protection of the security (including protection against unauthorized or unlawful Processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorized disclosure of, or access to, Customer Data), confidentiality and integrity of Customer Data, as set forth at https://tilialabs.com/terms-and-conditions/ (“Tilia Technical and Operational Minimum Security Measures”). Tilia regularly monitors compliance with these measures. Tilia will not materially decrease the overall security of the Services during a Subscription Term. Further, Tilia shall ensure that any person it authorizes to Process Personal Data (including its staff, agents and subcontractors) is bound by appropriate confidentiality obligations, whether contractual or statutory in nature.
4.2. Reports. Tilia shall maintain an audit program to help ensure compliance with the obligations set out in this DPA and shall make available to Customer information to demonstrate compliance with such obligations. Upon written request and at no additional cost to Customer, Tilia shall provide Customer, or its appropriately qualified third-party representative (collectively, the “Auditor”), access to reasonably requested documentation evidencing Tilia’s compliance with its obligations hereunder (the “Reports”).
4.3. On-Site Audit. Customer may contact Tilia to request an on-site audit of Tilia’s Processing activities covered by this DPA (“On-Site Audit”). An On-Site Audit may be conducted by Customer either itself or through a qualified Third-Party Auditor selected by the Customer when:
(i) the information available pursuant to section 4.2 (Reports) is insufficient to demonstrate compliance with the obligations set out in this DPA;
(ii) Customer has received a notice from Tilia of a Data Breach; or
(iii) such an audit is required by Applicable Data Protection Laws or by Customer’s competent supervisory authority.
Following receipt by Tilia of such request, Tilia and Customer shall mutually agree in advance in writing on the details of the audit, including reasonable start date, scope and duration of, and security and confidentiality controls applicable to, any such audit. Tilia may charge a fee (rates shall be reasonable, taking into account the resources expended by Tilia) for any such audit. The Reports, audit, and any information arising therefrom shall be Tilia’s Confidential Information.
Where the Auditor is a third-party, the Auditor may be required to execute a separate confidentiality agreement with Tilia prior to any review of Reports or an audit of Tilia, and Tilia may object in writing to such Auditor, if in Tilia’s reasonable opinion, the Auditor is not suitably qualified or is a direct competitor of Tilia. Any such objection by Tilia will require Customer to either appoint another Auditor or conduct the audit itself. Expenses incurred by Auditor in connection with any review of Reports or an audit, shall be borne exclusively by the Auditor. For clarity, the exercise of audit rights under the Standard Contractual Clauses shall be as described in this Section 4 (Security).
5. Restricted Data Transfers.
For any transfers by Customer of Personal Data from the European Economic Area and/or its member states, United Kingdom and/or Switzerland (collectively, “Restricted Countries”) to Tilia in a country which does not ensure an adequate level of protection (within the meaning of and to the extent governed by the Applicable Data Protection Laws of the Restricted Countries) (collectively, “Third Country”), such transfers shall be governed by the Standard Contractual Clauses in the manner set out in Schedule 2, which are incorporated herein by reference, and for these purposes Tilia shall be the “data importer” and Customer is the “data exporter” (notwithstanding that Customer may be an entity located outside of a Restricted Country). Notwithstanding the foregoing, if Tilia has adopted Binding Corporate Rules (BCRs) for Processors that cover the transfer of Personal Data to a Third Country, then such BCRs shall govern the transfer of Personal Data.
6. Return or Deletion of Personal Data.
Customer may retrieve or delete all Personal Data upon expiration or termination of the Agreement as set forth in the Agreement. Subject to Section 8.3 (Government, Law Enforcement, and/or Third Party Inquiries) hereof, any Personal Data not deleted by Customer shall be deleted by Tilia promptly upon the later of (i) expiration or termination of the Agreement and (ii) expiration of any post-termination “retrieval period” set forth in the Agreement.
7. Data Breach Notification.
Should Tilia become aware that a Data Breach has occurred, Tilia shall:
i. provide Customer written notice of the same without undue delay and in no event later than forty-eight (48) hours after becoming aware of such Data Breach;
ii. provide Customer with information to allow it to report or inform Data Subjects of the Data Breach, as necessary;
iii. undertake an investigation of such Data Breach and reasonably cooperate with Customer, regulators and law enforcement agencies;
iv. refrain from making any public announcements relating to such Data Breach without Customer’s prior written approval, which shall not be unreasonably withheld; and
v. take reasonable corrective action in a timely manner to assist in the investigation, mitigation and remediation of a Data Breach, to remediate and mitigate the risk of a recurrence of such Data Breach.
8.1. Data Subject Requests. To the extent legally permitted, Tilia shall promptly notify Customer if Tilia receives a request from a Data Subject that identifies Customer and seeks to exercise the Data Subject’s right to access, rectify, erase, transfer or port Customer Personal Data, or to restrict the Processing of Personal Data (“Data Subject Request”). The Services provide Customer with a number of controls that Customer may use to assist it in responding to a Data Subject Request and Customer will be responsible for responding to any such Data Subject Request. To the extent Customer is unable to access the relevant Personal Data within the Services using such controls or otherwise, taking into account the nature of the Processing, Tilia shall (upon Customer’s written request) provide commercially reasonable cooperation to assist Customer in responding to any Data Subject Requests.
8.2. Data Protection Impact Assessments. Upon Customer’s request, Tilia shall provide Customer with reasonable cooperation and assistance needed to fulfil Customer’s obligation under Applicable Data Protection Laws to carry out a data protection impact assessment related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Tilia.
8.3. Government, Law Enforcement, and/or Third Party Inquiries. If Tilia receives a demand to retain, disclose, or otherwise Process Personal Data for any third party, including, but not limited to law enforcement or a government authority (“Third-Party Demand”), then Tilia shall attempt to redirect the Third-Party Demand to Customer. Customer agrees that Tilia may provide information to such third party as reasonably necessary to redirect the Third-Party Demand. If Tilia cannot redirect the Third-Party Demand to Customer, then Tilia shall, to the extent legally permissible, provide Customer reasonable notice of the Third-Party Demand as promptly as feasible under the circumstances to allow Customer to seek a protective order or other appropriate remedy.
9. RELATIONSHIP WITH THE AGREEMENT
9.1. The Parties agree that this DPA shall replace and supersede any existing data processing addendum, attachment or exhibit (including the Standard Contractual Clauses, as applicable) that the Parties may have previously entered into in connection with the Services.
9.2. Except as provided by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict in connection with the Processing of Personal Data.
9.3. Notwithstanding anything to the contrary in the Agreement or this DPA, each Party’s and all of its Affiliates’ liability, taken together in the aggregate, arising out of or relating to this DPA, the Standard Contractual Clauses, and any other data protection agreements in connection with the Agreement (if any), shall be subject to any aggregate limitations on liability set out in the Agreement. Without limiting either of the Parties’ obligations hereunder, each Party agrees that any regulatory penalties incurred by one Party (the “Incurring Party”) in relation to the Personal Data that arise as a result of, or in connection with, the other Party’s failure to comply with its obligations hereunder or any Applicable Data Protection Laws shall count toward and reduce the Incurring Party’s liability under the Agreement as if it were liability to the other Party under the Agreement.
9.4. In no event shall this DPA or any party restrict or limit the rights of any Data Subject or of any competent supervisory authority.
10. LEGAL EFFECT AND COUNTER-SIGNATURE INSTRUCTIONS
10.1. This DPA consists of two parts: the main body of the DPA, and Schedules 1 and 2.
10.2. This DPA shall only become legally binding between the Parties when the formalities set out in this section 10 have been completed by Customer evidenced by Tilia’s receipt of the validly completed and countersigned DPA at the email address designated in Section 10.4 below.
10.3. This DPA has been pre-signed on behalf of Tilia. Schedule 1, section 1 has been pre-signed by Tilia-Graphics Inc. as the data importer. Please note that the contracting entity under the Agreement may be a different entity to Tilia-Graphics Inc.
10.4. To complete this DPA, Customer must:
a. Complete the information and sign in the signature box below on page 6.
b. Send the signed DPA to Tilia via email to privacy@Tilia.com.
10.5. For the avoidance of doubt, signature of the DPA on page 6 shall be deemed to constitute signature and acceptance of the Standard Contractual Clauses, including Schedule 2.