STANDARD TERMS FOR PROCESSING AGREEMENT
1. Definitions
1.1 For the purposes of this Agreement, the following expressions bear the following meanings unless the context otherwise requires:
“Applicable Data Protection Laws” means (a) the Applicable EU Data Protection Laws, and (b) the California Consumer Privacy Act of 2018 and its corresponding regulations (“CCPA”); in each case as may be amended, consolidated, re-enacted or replaced from time to time;
“Applicable EU Data Protection Laws” means (a) the General Data Protection Regulation 2016/679 (the “GDPR”); (b) the Privacy and Electronic Communications Directive 2002/58/EC; (c) the UK Data Protection Act 2018 (“DPA”), the UK General Data Protection Regulation as defined by the DPA as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (“UK GDPR”), and the Privacy and Electronic Communications Regulations 2003; and (d) any relevant law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding instrument which implements any of the above or which otherwise relates to data protection, privacy or the use of personal data, in each case as applicable and in force from time to time, and as amended, consolidated, re-enacted or replaced from time to time;
“Controller to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 2 (Controller to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), in each case as amended, updated or replaced from time to time;
“Data Subject” shall have the meaning given in the relevant Applicable EU Data Protection Laws;
“Personal Data” shall have the meaning given to “personal data” or “personal information” in the relevant Applicable Data Protection Laws;
“Process”, “Processed” or “Processing” shall have the meaning given in the relevant Applicable Data Protection Laws;
“Processor to Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time;
“Regulator” means a data protection supervisory authority which has jurisdiction over a Client’s Processing of Personal Data;
“Service Provider” has the meaning given in the CCPA; and
“Third Country” means (i) in relation to Personal Data transfers from the European Economic Area (“EEA”), any country outside of the scope of the data protection laws of the EEA, excluding countries approved as providing adequate protection for Personal Data by the European Commission from time to time; and (ii) in relation to Personal Data transfers from the UK, any country outside of the scope of the data protection laws of the UK, excluding countries approved as providing adequate protection for Personal Data by the relevant competent authority of the UK from time to time.
2. Conditions of Processing
2.1 This Agreement governs the terms under which LiquidSpace is required to Process Personal Data on behalf of the Client.
3. LiquidSpace’s Obligations under the CCPA
3.1 To the extent that the Personal Data shared by Client with LiquidSpace includes Personal Data about California residents (“California Data”):
(a) For the purposes of the CCPA, LiquidSpace shall be a Service Provider with respect to California Data.
(b) LiquidSpace shall not retain, use, or disclose the California Data for any purpose other than for performing the Services, or as otherwise permitted by the CCPA.
4. LiquidSpace’s Obligations under Applicable EU Data Protection Laws
4.1 To the extent the Processing of Personal Data under this Agreement is subject to Applicable EU Data Protection Laws:
(a) LiquidSpace shall only Process Personal Data on behalf of the Client and in accordance with, and for the purposes set out in the documented instructions received from the Client unless required to Process such Personal Data by applicable law to which LiquidSpace is subject; in such a case, LiquidSpace shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
(b) LiquidSpace shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of the Processing as set out in Schedule 3.
(c) LiquidSpace shall without undue delay notify the Client about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, the Personal Data belonging to the Client or any accidental or unauthorised access or any other event affecting the integrity, availability or confidentiality of the Personal Data belonging to the Client (with further information about the breach provided in phases as more details become available).
(d) LiquidSpace shall upon written request from Client from time to time provide Client with such information as is reasonably necessary to demonstrate compliance with the obligations laid down in this Agreement.
4.2 LiquidSpace shall permit the Client at any time upon seven (7) days’ notice, to be given in writing, to have access to the appropriate part of LiquidSpace’s premises, systems, equipment, and other materials and data Processing facilities to enable the Client to inspect or audit the same for the purposes of monitoring compliance with LiquidSpace’s obligations under this Agreement. Such inspection shall:
(a) be carried out by the Client or an inspection body composed of independent members and in possession of the required professional qualifications and bound by a duty of confidentiality, selected by the Client, where applicable, in agreement with the Regulator; and
(b) not relieve LiquidSpace of any of its obligations under this Agreement.
4.3 Where:
(a) a Data Subject exercises his or her rights under the Applicable EU Data Protection Law in respect of Personal Data Processed by LiquidSpace on behalf of the Client, including Data Subjects exercising rights under Applicable EU Data Protection Laws (such as rights to rectification, erasure, blocking, access their personal data, objection, restriction of processing, data portability, and the right not to be subject to automated decision making); or
(b) the Client is required to deal or comply with any assessment, enquiry, notice or investigation by the Regulator; or
(c) the Client is required under the Applicable EU Data Protection Laws to carry out a mandatory data protection impact assessment or consult with the Regulator prior to Processing Personal Data entrusted to the Data Processor under this Agreement,
(d) then LiquidSpace will provide reasonable assistance to the Client to enable the Client to comply with obligations which arise as a result thereof.
4.4 To the extent LiquidSpace Processes Personal Data in a Third Country, and it is acting as data importer, LiquidSpace shall comply with the data importer’s obligations and Client shall comply with the data exporter’s obligations set out in the Controller to Processor Clauses, which are hereby incorporated into and form part of this Agreement, and:
(a) for the purposes of Annex I or Part 1 (as relevant), Client is a controller and LiquidSpace is a processor, and the parties, contact person’s details and processing details set out in the Services Agreement and Schedule 2 shall apply and the Start Date is the effective date of the Agreement;
(b) if applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this DPA by virtue of this Section 4.4;
(c) for the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures, and the technical and organizational measures taken by LiquidSpace to assist Client, as each are set out in Section 4.1(b), shall apply; and
(d) if applicable, for the purposes of: (i) Clause 9, Option 2 (“General written authorization”) is deemed to be selected and the notice period specified in Section 7 shall apply; (ii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be omitted; (iii) Clause 13 and Annex I.C, the competent supervisory authority shall be the supervisory authority with responsibility for ensuring compliance by Client with Applicable EU Data Protection Laws; (iv) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be Irish Law and Irish courts; (vi) Part 1, Vendor as importer may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.
(e) Client acknowledges and agrees that LiquidSpace may appoint an affiliate or third-party subcontractor to process the Personal Data in a Third Country, in which case, Vendor shall execute the Processor to Processor Clauses with any relevant subcontractor (including affiliates) it appoints on behalf of Client.
5. Client’s Obligations
5.1 The Client warrants that: (i) the legislation applicable to it does not prevent LiquidSpace from fulfilling the instructions received from the Client and performing LiquidSpace’s obligations under this Agreement; and (ii) it has complied and continues to comply with the Applicable Data Protection Laws, in particular that it has obtained any necessary consents or given any necessary notices, and otherwise has a legitimate ground to disclose the data to LiquidSpace and enable the Processing of the Personal Data by LiquidSpace as set out in this Agreement and as envisaged by any services agreement in place between the parties.
5.2 The Client agrees that it will indemnify and hold harmless LiquidSpace on demand from and against all claims, liabilities, costs, expenses, loss or damage (including consequential losses, loss of profit and loss of reputation and all interest, penalties and legal and other professional costs and expenses) incurred by LiquidSpace arising directly or indirectly from a breach of this Clause 5.
6. Changes in Applicable Data Protection Laws
6.1 The parties agree to negotiate in good faith modifications to this Agreement if changes are required for LiquidSpace to continue to process the Personal Data as contemplated by this Agreement in compliance with the Applicable Data Protection Laws or to address the legal interpretation of the Applicable Data Protection Laws, including (i) any pending or new data protection laws such as the California Privacy Rights Act, Virginia Consumer Data Protection Act, and the Colorado Privacy Act; (ii) to comply with the GDPR or any national legislation implementing it, or the UK General Data Protection Regulation or the DPA, and any guidance on the interpretation of any of their respective provisions; (iii) the Standard Contractual Clauses or any other mechanisms or findings of adequacy are invalidated or amended, or (iv) if changes to the membership status of a country in the European Union or the European Economic Area require such modification.
7. Sub-Contracting
7.1 The Client hereby grants LiquidSpace general written authorisation to engage the sub-processors set out in Schedule 4 (Authorised Subcontractors) for the purposes further described in Schedule 4 (Authorised Subcontractors) and subject to this Clause 7.
7.2 To the extent the applicable Processing of Personal Data is subject to Applicable EU Data Protection Laws, if LiquidSpace appoints a new Subcontractor or intends to make any changes concerning the addition or replacement of the Subcontractors set out in Schedule 4 (Authorised Subcontractors), it shall provide the Client with ten (10) business days’ prior written notice, during which the Client can object against the appointment or replacement. If the Client objects, LiquidSpace may proceed with the appointment or replacement. LiquidSpace shall ensure that it has a written agreement in place with all Subcontractors which contains obligations on the Subcontractor which are no less onerous on the relevant Subcontractor than the obligations on LiquidSpace under this Agreement.
8. Confidentiality
8.1 In addition to any other applicable confidentiality agreement between the parties, each party (the “Recipient”) undertakes to the other party (the “Discloser”) to:
(a) hold all Personal Data of the Discloser which it obtains in relation to this Agreement, in strict confidence; and
(b) ensure that employees, agents, officers, consultants, sub-processors, subcontractors, and advisers authorised to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
8.2 The obligation in Clause 8.1 will not apply to a disclosure of Personal Data that is:
(a) required by any law or regulation of any country with jurisdiction over the affairs of LiquidSpace; and
(b) required by any order of any court of competent jurisdiction.
9. Termination
9.1 Termination of this Agreement shall be governed by each Client’s Enterprise Service Agreement (the “Services Agreement”).
10. Consequences of Termination
10.1 Upon termination of this Agreement in accordance with Clause 9 (Termination), LiquidSpace shall, at the choice of the Client:
(a) return to the Client all of the Personal Data and any copies thereof which it is Processing or has Processed upon behalf of that Client; or
(b) destroy all Personal Data it has Processed on behalf of the Client after the end of the provision of services relating to the Processing, and destroy all copies of the Personal Data unless applicable law requires storage of such Personal Data; and
(c) in each case cease Processing Personal Data on behalf of the Client.
11. Law and Jurisdiction
11.1 This Agreement and any dispute or claim (including non-contractual disputes or claims) arising out of or in connection with it or its subject matter or formation shall be governed by and construed in all respects in accordance with the laws of the State of California and shall be deemed to have been made in the state of California, and each party hereby submits to the jurisdiction of the courts of San Mateo, California.
12. Conflict or inconsistency
12.1 In the event of any conflict or inconsistency between the terms and provisions of this Agreement and the terms and provisions of any other contract, instrument or agreement between the parties, including without limitation the Services Agreement, this Agreement shall prevail.
SCHEDULE 2
DETAILS OF PROCESSING
Nature of the processing
- Access, use, disclosure, storage and deletion of Personal Data by LiquidSpace in connection with its provision of the Services to Client as set out in the Agreement
Purpose(s) of the processing
- The provision of the Services by LiquidSpace to Client as set out in the Agreement
Categories of individuals whose Personal Data is processed
- employees, contractors and other personnel of Client
Categories of Personal Data processed
- name, email address, User ID, account information, usage of LiquidSpace services (including bookings and reservation).
Types of Personal Data subject to the processing that are considered “sensitive” or “special category” under Privacy Laws
- Not applicable
Frequency (e.g. one-off or continuous) and duration of the processing
- Relevant Personal Data is processed on a continuous basis, for the duration of the term of the Agreement and any post-termination retention period as set out in the Agreement
The subject matter, nature and duration of processing carried out by any sub-processors authorized pursuant to Section 4.2 is as set out in this Schedule 2.
SCHEDULE 3
TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
1. System Entry Management
LiquidSpace shall take, among others, the following technical and organizational measures in order to prevent unauthorized access to the data processing systems:
Unique user authentication via user name and password for each network and system access required (default passwords changed at 1st login)
Use of state-of-the-art anti-virus software
Use of firewalls
During idle times, user and administrator PCs are automatically locked
Concept of least privilege, allowing only the necessary access for users to accomplish their job function. Access above these least privileges requires appropriate authorization
Starter, mover & leaver housekeeping processes in place which covers role-based access rights
IT access privileges are reviewed regularly (at least every quarter) by appropriate personnel
RSA 2-factor authentication in place for remote connections
Network monitoring services in place 24 x 7 x 365 to detect unauthorized activities
Vulnerability scanning and remediation in place
Website penetration testing programme in place
2. Data Access Management
LiquidSpace shall take, among others, the following technical and organizational measures in order to prevent unauthorized activities in the data processing systems outside the scope of any granted authorizations:
User and administrator access to the network is based on a role based access rights model. There is an authorization concept in place that grants access rights to data only on a “need to know” basis
Administration of user rights through system administrators
Number of administrators is reduced to the absolute minimum
IT governance & controls audits undertaken annually by external 3rd party
Internal control audits undertaken regularly
Network monitoring services in place 24 x 7 x 365 to detect unauthorized activities
3. Onward Data Transfer
LiquidSpace shall take, among others, the following technical and organizational measures in order to ensure that Personal Data cannot be read, copied, altered or removed by unauthorized persons under their electronic transmission or during their transport or recording on data carriers and to guarantee that it is possible to examine and establish where Personal Data are or have had to be transmitted by data transmission equipment:
Remote access (including during remote maintenance or service procedures) to the IT systems only via VPN tunnels or other state-of-the-art secure, encrypted connections
Access requires user identification and authorisation
Data transferred by LiquidSpace is transported and saved in encrypted form. The relevant areas of the data carriers are encrypted using data and hard drive encryption software
Secure destruction processes in place to industry standards utilising specialised 3rd party with disposal certificates produced to ensure limited data retention
The secure transfer modes and encryption methods are regularly updated, tested and kept state-of-the-art (e.g., according to the recommendations in the data protection manual issued by the BSI (Federal Office for Information Security)) to ensure the ongoing confidentiality, integrity, availability and resilience of systems and services
Secure communication session established via HTTPS and SFTP protocols across all applications / services
Encrypted certificates utilised for authentication between the web client and the web server across all websites
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident and in general, for data portability
Measures for ensuring events logging
Measures for ensuring internal IT and IT security governance and management and measures for ensuring accountability
Measures for ensuring data quality
Measures for ensuring data minimisation
4. Input Management
LiquidSpace shall take, among others, the following technical and organizational measures in order to ensure that it is subsequently possible to verify and establish whether and by whom Personal Data have been entered into data processing systems, altered or removed:
Access to electronic documents / applications is documented via auditable log files
Protocolling input, modification and deletion of data by use of individual user names
5. Instructions
LiquidSpace shall take, among others, the following technical and organizational measures in order to ensure that Personal Data which are processed on behalf of the Controller can only be processed in compliance with the Controller’s instructions:
Clear and binding internal policies contain formalized instructions for data processing procedures
Unambiguous language in the underlying contracts
Careful selection of contractors, especially with regard to data security aspects
Internal monitoring of quality of service includes compliance with contractual arrangements
Regular audits by 3rd parties include compliance with contractual arrangements
Regular staff training to ensure compliance with contractual arrangements and maintain awareness regarding data protection requirements
Secure destruction processes in place to industry standards utilising specialised 3rd party with disposal certificates produced
Periodic risk assessments focus on how insider access is controlled and monitored
6. Availability
LiquidSpace shall take, among others, the following technical and organizational measures in order to protect the data from accidental destruction or loss:
State of the art firewall
Use of state-of-the-art anti-virus software that includes malware detection
Data recovery measures and emergency plan in place and regularly tested
Implementation of state-of-the-art backup methods such as: tape backup, data mirroring, and so on. Physical separation of the backup data. Data stored in the archive is saved using redundant systems.
Uses a combination of full, differential, and cumulative backups to ensure data integrity and timely restoration
To ensure an uninterrupted supply of power to the system, redundant power supply units are built into the systems wherever possible.
Data is stored redundantly on multiple devices
Integrity of stored data regularly verified using checksums
Automated processes move data traffic away from affected area to uncompromised area in case of failure
Preventative maintenance is performed to ensure continued operability of equipment
7. Separation and Purpose
LiquidSpace shall take, among others, the following technical and organizational measures in order to ensure that data collected for different purposes are processed separately:
Implementation of an authorization concept
SCHEDULE 4
LIST OF SUB-PROCESSORS
Last Modified: September 12, 2023
The controller has authorised the use of the following sub-processors:
Name of Subprocessor | Description of Processing | Location of Processing | Corporate Location |
Azure (Microsoft) | Infrastructure and data hosting | United States | United States |
Braintree (PayPal) | Subscription credit card payment processor | United States | United States |
Clearbit | Marketing data enrichment service | United States | United States |
Google Apps | Internal company infrastructure and data reporting | United States | United States |
MailChimp | Transactional mail services provider | United States | United States |
Hubspot | Customer relations management | United States | United States |
Stripe | Payment provider | United States | United States |
Twilio & Twilio Sendgrid | SMS notification provider & transactional mail service provider | United States | United States |
Zendesk | Customer support ticketing system | United States | United States |