Data Processing Agreement
Eddy Works DPA — counter-draft applying the redraft guide (Kindrik draft set, 29 May 2026). Automatic addendum mechanism; named subprocessors; Guests and Contacts in Schedule 1; dual controller/processor framing. British spelling.
COUNTER-DRAFT — Eddy Works, 11 June 2026. Counter-draft to the Kindrik Partners draft of 29 May 2026. British spelling. Published here for review — not yet approved by counsel and not yet in force.
Key correction: The draft required a signed return before EU/UK processing. The decided direction is an automatic addendum (Xero pattern) — the DPA is incorporated by reference and accepted at signup. No signed return or countersignature step.
What this means
The plain-English summaries in each section ("What this means") are for ease of reading only. They are not legally binding. The full clauses above each summary govern.
1. Incorporation and acceptance
This Data Processing Agreement ("DPA") forms part of the Terms of Use between Eddy Works Limited ("Eddy Works", "Processor") and the Customer ("Controller") and is incorporated by reference into those Terms.
This DPA is accepted automatically when the Customer accepts the Terms of Use. No separate signed return or countersignature is required. The act of accepting the Terms of Use at signup (or, for existing customers, continued use of the Service after this DPA takes effect) constitutes the Customer's acceptance of this DPA.
This DPA applies where Eddy Works processes personal data on behalf of the Customer in connection with the Service, and that processing is subject to GDPR, UK GDPR, the NZ Privacy Act 2020, or equivalent legislation.
In the event of any conflict between this DPA and the Terms of Use in relation to data-protection matters, this DPA takes precedence.
What this means
This DPA is the formal agreement governing how we handle personal data on your behalf. It applies automatically when you accept the Terms of Use — no separate signing process is needed. If you are processing personal data of people in the EEA, UK, or New Zealand, this DPA applies to that processing. If it conflicts with the Terms of Use on a data-protection point, this DPA wins.
2. Definitions
Terms used in this DPA have the meanings given in the Definitions and, where applicable, in the GDPR. In addition:
"Applicable Data Protection Law" means GDPR (Regulation (EU) 2016/679), UK GDPR, the NZ Privacy Act 2020, and any equivalent laws that apply to the processing under this DPA.
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Eddy Works on behalf of the Customer under this DPA.
"Processing" (and its derivatives) has the meaning given in the GDPR.
"Sub-processor" means any third party engaged by Eddy Works to process Personal Data on behalf of the Customer.
"Security Incident" means any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of or access to Personal Data.
What this means
Key terms defined for this document: "Personal Data" is information about an identifiable person; "Sub-processor" is a third-party supplier we use that touches that data; "Security Incident" is any breach or unauthorised access.
3. Dual roles
The parties acknowledge that Eddy Works acts in two roles simultaneously:
- Processor — for Customer Content, Map Configuration, and Process Execution State: the Customer is the controller and Eddy Works processes those data categories on behalf of the Customer.
- Controller — for account data, Usage Telemetry, Process Metadata, and Analytical Data: Eddy Works determines the purposes and means of processing and is the controller for those categories. The Privacy Policy governs Eddy Works' processing as controller.
This DPA governs Eddy Works' processing as Processor only. Each category of data and the applicable role are set out on the Data categories and subjects page.
Where Eddy Works is a Controller for any data category, it processes that data as described in the Privacy Policy and is not acting on the Customer's instructions for those categories.
What this means
Eddy Works plays two roles at the same time. For data that goes through your Maps and Sessions (Customer Content, process designs, execution state), you are the controller and we are the processor — we follow your instructions. For account data and platform analytics, we are the controller — the Privacy Policy covers that. This DPA only governs the processor role.
4. Processing instructions
Eddy Works will process Personal Data only on the documented instructions of the Customer, as set out in these Terms (including this DPA), unless required to process for other purposes by applicable law. In that case, Eddy Works will inform the Customer before processing, unless the law prohibits notification.
The Customer warrants that it has a lawful basis for each category of Personal Data it instructs Eddy Works to process, and that it has provided all required notices to data subjects.
If Eddy Works reasonably believes that an instruction from the Customer would breach Applicable Data Protection Law, it will notify the Customer promptly. Eddy Works may suspend processing of that instruction pending resolution.
What this means
We process data only as you instruct us to (as set out in these agreements), unless the law requires otherwise. You are responsible for having a lawful basis for what you ask us to process and for notifying the people whose data it is. If we think an instruction would break the law, we will tell you and may pause that processing.
5. Confidentiality
Eddy Works will ensure that persons authorised to process Personal Data under this DPA are subject to confidentiality undertakings or professional or statutory obligations of confidentiality.
Eddy Works will limit access to Personal Data to persons who need it to perform the Service.
What this means
Eddy Works staff who can access your data are bound by confidentiality obligations. Access is limited to people who need it to deliver the Service.
6. Security
Eddy Works will implement and maintain appropriate technical and organisational measures ("TOMs") to protect the confidentiality, integrity and security of Personal Data (including protection against unauthorised or unlawful processing and against accidental or unlawful destruction, loss or alteration or damage, unauthorised disclosure of, or access to, Personal Data), and to manage Security Incidents affecting Personal Data, taking into account the nature of the processing and the risk to data subjects.
The TOMs in effect at the date of this DPA are described at Security. Eddy Works may update TOMs from time to time provided the updated measures do not materially reduce the level of protection.
Eddy Works will provide reasonable cooperation and assistance to the Customer in meeting its security obligations under Applicable Data Protection Law, including in completing data protection impact assessments (DPIAs) where required.
What this means
We maintain documented technical and organisational security measures (TOMs) appropriate to the risk. We can update them, but not in a way that weakens protection. We will cooperate if you need to conduct a data protection impact assessment.
7. Security incidents
Eddy Works will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Security Incident affecting Personal Data processed under this DPA.
The notification will include, to the extent then available: the nature of the Security Incident; the categories and approximate number of data subjects and records affected; the likely consequences; and the measures taken or proposed to address the incident.
Eddy Works will cooperate with the Customer's investigation and provide reasonable updates as further information becomes available. Eddy Works will make reasonable efforts to identify the cause of the Security Incident, cooperate with the Customer in good faith, and provide any assistance reasonably necessary for the Customer to comply with its obligations under Applicable Data Protection Law with respect to the Security Incident, including obligations to report, notify, or investigate. Eddy Works will take steps it considers necessary and reasonable to remediate the cause of the Security Incident, to the extent remediation is within its reasonable control.
The Customer remains responsible for notifying supervisory authorities and affected data subjects as required by Applicable Data Protection Law.
What this means
If there is a data breach affecting your data, we will notify you within 72 hours of becoming aware of it, with as much detail as we have. We will cooperate with your investigation. You remain responsible for notifying your regulator and any affected individuals.
8. Sub-processors
The Customer grants a general written authorisation for Eddy Works to engage Sub-processors to assist in providing the Service, subject to the conditions in this clause.
The current list of Sub-processors is maintained at Subprocessors. Eddy Works will keep this list up to date.
Eddy Works will give the Customer at least 30 days' notice of any intended addition or replacement of a Sub-processor (Change Notice). The Customer may object on reasonable data-protection grounds by notifying Eddy Works within 10 days of the Change Notice, explaining the grounds. The parties will discuss the objection in good faith with a view to resolving it in a commercially reasonable manner. If the objection cannot be resolved and Eddy Works does not revoke the Change Notice before it takes effect, the Customer may terminate the affected part of the Service without penalty. If the Customer does not terminate in accordance with this clause, it is deemed to have agreed to the new Sub-processor.
Eddy Works has entered into (and will, for any new Sub-processor, enter into) written agreements with each Sub-processor containing data-protection obligations which offer at least the same level of protection for Personal Data as set out in this DPA and that meet the requirements of Article 28(3) of the GDPR, Article 28(3) of the UK GDPR, and/or equivalent requirements of other Applicable Data Protection Law, as applicable to the nature of the services provided by that Sub-processor. Eddy Works is liable for the acts and omissions of its Sub-processors to the same extent it would be liable if performing the services of each Sub-processor directly under this DPA, except as otherwise set out in this DPA.
What this means
By accepting these terms, you authorise us to use the sub-processors listed on the Subprocessors page. We will give you at least 30 days' notice before adding or replacing any sub-processor, and you can object. We require sub-processors to meet the same standards as this DPA, and we remain accountable to you for their performance.
9. Data subject rights
Taking into account the nature of the processing, Eddy Works will assist the Customer by implementing appropriate technical and organisational measures, to the extent possible, to fulfil the Customer's obligation to respond to data-subject requests under Applicable Data Protection Law (including, where applicable, rights of access, rectification, erasure, restriction, portability, and objection).
The Customer is the primary point of contact for data-subject requests relating to Customer Content. Eddy Works will forward to the Customer any requests it receives directly from data subjects within 5 business days.
Contact data-subject requests: A "Contact" is a person named in Customer Content (e.g. in a form response) who is not an Eddy user. Eddy Works has no direct mechanism to locate or act on data-subject requests from Contacts — Contact data appears as unstructured text in cell values with no foreign-key link to a user record. The Customer (as controller) is responsible for responding to Contact data-subject requests without independent instruction from Eddy Works.
Eddy Works will not respond to data-subject requests on behalf of the Customer except as instructed in writing by the Customer or if required by applicable law.
What this means
If someone whose data is in your Maps asks to access, correct, or delete it, you are the primary contact — we will help you respond. If someone contacts us directly, we will pass the request to you promptly. Note: for people named in form responses who are not Eddy users ("Contacts"), we have no automated way to locate their data — you will need to handle those requests as the controller.
10. Assistance and audits
Eddy Works will provide the Customer with reasonable assistance in: (a) responding to data-subject requests; (b) notifying supervisory authorities; (c) completing DPIAs; (d) demonstrating compliance with this DPA.
Eddy Works will maintain records of processing activities as required by Article 30 GDPR and make them available to the Customer on request.
Upon the Customer's written request, Eddy Works will, at the Customer's cost, submit to the Customer's audits or inspections and provide all information necessary to demonstrate compliance with obligations under Applicable Data Protection Law (including obligations under Article 28 of the GDPR and/or Article 28 of the UK GDPR). The Customer must give reasonable advance notice (at least 30 days), conduct no more than one audit per calendar year during Eddy Works' business hours, and comply with Eddy Works' reasonable security and confidentiality requirements (and procure its auditor to do the same). Eddy Works may satisfy this obligation by providing a current third-party audit report (e.g. SOC 2 Type II) where available, except where an audit is required due to a confirmed Security Incident.
What this means
We will cooperate with your compliance obligations — helping with DPIAs, regulator notifications, and data-subject requests. You can audit our compliance once a year with 30 days' notice (at your cost); we can substitute a current third-party audit report (e.g. SOC 2). We keep Article 30 records and make them available on request.
11. International transfers
Eddy Works will not transfer Personal Data to a country outside the EEA or UK unless: (a) the transfer is to a country with an adequacy decision; (b) it is covered by EU Standard Contractual Clauses (SCCs) or the UK International Data Transfer Agreement (IDTA); or (c) another lawful transfer mechanism applies.
For transfers within the Sub-processor list that occur outside the EEA/UK, Eddy Works will ensure that appropriate SCCs or equivalent safeguards are in place. The applicable Standard Contractual Clauses are incorporated into this DPA as follows:
- Module 2 (Controller to Processor) applies where the Customer is the Controller.
- Module 3 (Processor to Processor) applies where the Customer is itself a Processor on behalf of its own clients.
- The SCCs are pre-signed by Eddy Works. No countersignature is required (the Customer's acceptance of the Terms of Use constitutes acceptance of the SCCs).
- Option 2 (General Written Authorisation) applies to Clause 9 of the SCCs. Sub-processor changes are notified in accordance with clause 8.3 of this DPA.
- The optional provision at Clause 11(a) of the SCCs (independent dispute-resolution body) does not apply.
Copies of the fully populated SCCs (including Annexes) are available on request from legal@eddy.works.
NZ adequacy: New Zealand has an EU adequacy decision under GDPR. Transfers between the EU/EEA and NZ (Eddy Works' jurisdiction) are therefore covered by adequacy.
The governing law for the SCCs is the law of Ireland (Option 1).
What this means
We will not move your data outside the EEA or UK unless there is a legal basis to do so — an adequacy decision (New Zealand has one) or Standard Contractual Clauses with the relevant sub-processor. The SCCs covering our sub-processors are pre-signed and available on request.
12. Return and deletion of data
On termination of the Terms of Use, or on the Customer's written request, Eddy Works will: (a) return or provide an export of Customer Content in a machine-readable format; and (b) delete Personal Data processed under this DPA, subject to any retention required by applicable law or for dispute resolution.
Eddy Works will confirm in writing when deletion is complete.
Eddy Works may retain anonymised or aggregated data derived from Customer processing after termination, provided it no longer constitutes Personal Data.
If Eddy Works cannot delete all Personal Data due to technical reasons, it will inform the Customer as soon as reasonably practicable and will take reasonably necessary steps to: (a) come as close as possible to a complete and permanent deletion of the Personal Data; (b) fully and effectively anonymise the remaining data; and (c) make the remaining Personal Data which is not deleted or effectively anonymised unavailable for future processing.
What this means
When your subscription ends or on request, we will export your data in a machine-readable format and delete the personal data we hold as processor. We will confirm in writing when that is done. We may retain anonymised or aggregated data that cannot be linked back to individuals.
13. Liability
Each party's liability under this DPA is subject to the limitations set out in clause 17 of the Terms of Use.
Where both parties are responsible for a Security Incident or other data-protection breach, liability will be apportioned according to each party's degree of responsibility.
What this means
Liability under this DPA follows the same caps as in the Terms of Use. If a breach is partly our fault and partly yours, liability is split in proportion to each party's responsibility.
14. Changes in data protection laws
Eddy Works may, on at least 30 days' written notice to the Customer, make variations to this DPA (including to the construction of the Standard Contractual Clauses) which it reasonably considers are required as a result of any change in, or decision of a competent authority under, Applicable Data Protection Law, in order to allow transfers and processing of Personal Data to continue without breach of that law.
If the Customer objects to a variation under clause 14.1 on reasonable grounds, the Customer may terminate the Terms and its access to the Service without penalty on written notice, provided that notice is received before the effective date of the variation. If the Customer does not terminate in accordance with this clause, it is deemed to have agreed to the variation.
What this means
If data-protection law changes and we need to update this DPA to stay compliant, we will give you at least 30 days' notice. If you disagree with the change, you can terminate without penalty before it takes effect.
Schedules
| Schedule | Content | Location |
|---|---|---|
| 1 | Data subjects & categories | Data categories and subjects |
| 2 | Sub-processors | Subprocessors |
