Data Processing Addendum
EFFECTIVE AS OF 8 FEBRUARY 2022.
This Data Processing Addendum and its Annexes (“DPA”) sets out the basis on which Contour Pte. Ltd. (“Contour”, “we”, “us”, or “our”) collects, uses, discloses and otherwise processes the personal data of our customers (“Customer” or “you”) in accordance with the GDPR. This DPA applies to Processed Personal Data in our possession or under our control, and in the possession of organisations which we have engaged to collect, use, disclose or process Processed Personal Data for our purposes.
1.1 Unless otherwise defined in the Contour Contracts, capitalised terms in this DPA shall have the following meanings:
1.1.1 the terms “controller”, “data subject”, “personal data”, “personal data breach”, “processing” and “processor” have the same meanings as given in the GDPR;
1.1.2 “Appropriate Measures” means the technical and organisational measures to protect Processed Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access which are described in Annex 2;
1.1.3 “GDPR” means General Data Protection Regulation (EU) 2016/679, including any applicable amendment, re-enactment or replacement of it from time to time; and
1.1.4 “Processed Personal Data” means personal data processed by Contour or any of its sub-processors in the course of providing the Contour Application and Licensed Software.
1.2 Controller and processor arrangements. The parties acknowledge that, where Contour or any of its subcontractors processes personal data, Contour or its subcontractor will act as a processor on behalf of the Customer as controller.
1.3 Description of processing. A description of the processing of personal data is set out in Annex 1. The Customer acknowledges and agrees that the description of processing may be updated by Contour from time to time to reflect new products, features or functionality comprised within the Licensed Software.
1.4 Compliance with GDPR. Where applicable and without prejudice to any other obligations under the Contour Contracts:
1.4.1 Contour shall comply with its obligations under the GDPR as a data processor in respect of the Processed Personal Data; and
1.4.2 Customer shall comply with its obligations under the GDPR as a data controller in respect of the Processed Personal Data, and any processing instructions it issues to Contour.
1.5 Customer obligations. Customer acknowledges and agrees:
1.5.1 it has obtained all authorisations, consents and rights necessary under the GDPR for Contour to process personal data pursuant to this DPA and the Contour Contracts;
1.5.2 it shall be solely responsible for the accuracy and quality of all personal data provided to Contour; and
1.5.3 this DPA and the Contour Contracts constitute its complete instructions to Contour in relation to the processing of the Processed Personal Data.
1.6 Contour’s obligations in relation to Processed Personal Data. Contour shall:
1.6.1 only process the Processed Personal Data on the instructions of the Customer or as otherwise required by the GDPR, and only to the extent reasonably necessary for the performance of its obligations under the Contour Contracts and this DPA;
1.6.2 at all times have in place Appropriate Measures to protect the integrity, security and (where applicable) anonymity of the Processed Personal Data while it is in the possession or under the control of Contour or a sub-processor;
1.6.3 implement Appropriate Measures to protect the Processed Personal Data against accidental or unlawful destruction, accidental loss, unauthorised disclosure or access, and against all other unlawful forms of processing; and
1.6.4 ensure that all of its and its sub-processors’ employees authorised to have access to the Processed Personal Data have committed themselves to confidentiality on appropriate terms.
1.7 Compliance. Contour shall make all information reasonably necessary to demonstrate compliance with this DPA available to the Customer and allow for and contribute to audits, including inspections conducted by Customer or its auditor in order to assess compliance with this DPA. For the avoidance of doubt, Customer acknowledges such an audit cannot be exercised more than once per calendar year unless it has reasonable grounds to suspect non-compliance under this DPA.
1.8 Data subject requests.
1.8.1 Contour shall provide reasonable and timely assistance to Customer (at Customer’s expense) to enable Customer to respond to: (a) any request from a data subject to exercise any of its rights under the GDPR (including rights with respect to access, correction, objection, erasure and data portability); and (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party, in respect of the Processed Personal Data.
1.8.2 If any request, correspondence, enquiry or complaint is made directly to Contour, Contour shall promptly inform the Customer and advise the data subject to submit their request to Customer. Customer agrees that it is solely responsible for responding substantively to any request, correspondence, enquiry or complaint involving Processed Personal Data.
1.9.1 The Customer acknowledges and agrees that Contour engages various sub-processors to process the Processed Personal Data on the Customer’s behalf. For a full list of Contour’s sub-processors and their locations, please see: https://contour.network/privacy-policy/data-intermediaries/.
1.9.2 Contour shall impose data protection terms on its sub-processors that provide at least the same level of protection for Processed Personal Data as those in this DPA, to the extent applicable to the nature of the services provided by those sub-processors.
1.9.3 Contour shall remain responsible for each sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of such sub-processor that cause Contour to breach any of its obligations under this DPA.
1.10 Data transfers. Customer acknowledges and agrees that Contour may process Processed Personal Data on a global basis as necessary to provide the Licensed Software in accordance with the Membership Agreement, and in particular that Processed Personal Data may be transferred to jurisdictions where Contour’s sub-processors have operations. For a full list of Contour’s sub-processors and their locations, please see: https://contour.network/privacy-policy/data-intermediaries/
1.11 Notification of Data Security Incident.
1.11.1 Contour shall as soon as reasonably practicable notify the Customer if it becomes aware of the occurrence of any personal data breach affecting the Processed Personal Data while in its possession or under its control (“Data Security Incident”); and
1.11.2 Contour shall take reasonable steps to identify and correct the underlying cause of the Data Security Incident.
1.12 Changes to DPA. We may revise and update this DPA from time to time, in our sole discretion, without any prior notice to you. All such changes to the DPA are effective immediately when posted to the Website and apply immediately to our customers thereafter. Your continued use of our services constitutes your acknowledgement and acceptance of such changes.
Annex 1 - Data Processing Description
1. Subject matter and duration of processing.
The Customer must submit personal data in order to utilise the Contour Application and access the Contour Network. Contour will process the Processed Personal Data for the duration of Customer’s use of the Contour Application and the term of its Membership Agreement.
2. Nature and purpose of processing.
- On-boarding onto the Contour Platform: The Customer must submit personal data in order to create a user account and onboard onto the Contour Platform.
- The Customer is required to provide the contact details (e.g. name and email address) of an agreed number of admin users which are stored in the secure database of the Customer’s instance of Contour Application.
- Additional users: The Customer’s admin users can edit the submitted details and may input additional user information (e.g. name and email address) into its Contour Application database to provision access for other persons within Customer’s organisation (subject to agreed usage restrictions).
- Storage: All Processed Personal Data only resides in the Customer’s dedicated database on the Contour Application.
To provide tailored and authenticated access to the Customer’s instance of the Contour Application.
4. Types of Processed Personal Data.
- Customer employee data (e.g. name, email address, company and role); and
- Any other personal data submitted by the Customer to Contour via the Contour Application.
5. Sensitive Personal Data.
6. Categories of Data Subjects.
Customer employee data.
7. Recipients of the Processed Personal Data.
See a full list and description of Contour’s sub-processors available at: https://contour.network/privacy-policy/data-intermediaries/
8. Data Transfers.
See a full list of the locations of Contour’s sub-processors available at: https://contour.network/privacy-policy/data-intermediaries/
The Customer’s Processed Personal Data is held for the duration that the Customer remains active on the Contour Application. Upon deactivation of Customer’s accounts or termination or expiry of the Membership Agreement, the Processed Personal Data will be deleted.
Annex 2 - Appropriate Security Measures
1. Organizational Security Controls
Contour shall implement and maintain technical and organizational measures to protect Processed Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access as described below. Such measures include: (a) governance around access to systems storing Processed Personal Data; (b) helping restore timely access to Processed Personal Data following an incident; (c) regular testing of the effectiveness of systems; and (d) other technical and organizational measures described in Contour’s Support Handbook, available at https://docs.contour.network/home/#feedback
Contour shall maintain such Processed Personal Data according to the control framework defined by Contour’s information security and risk management frameworks, and as specified in the Support Handbook.
1.1 Security Compliance.
Contour will take appropriate steps to require compliance with this Annex 2 by its employees, subcontractors and sub-processors to the extent applicable to their scope of performance.
1.2 Security Responsibility.
Contour’s information security manager is responsible for ensuring that any technical solutions to the protection of Processed Personal Data meet the requirements of the controller, the information owner and applicable privacy laws.
2. Technical Security Controls
2.1 Access Policy.
Contour’s internal access control processes and policies are designed to prevent unauthorized persons and/or systems from gaining access to systems used to process Processed Personal Data. Contour’s information security manager provides that only authorized users have access to Processed Personal Data and that all users are allocated unique user IDs for access to systems processing Processed Personal Data.
Production systems containing Processed Personal Data will be logically segregated from development systems. Appropriate authentication schemes will be maintained for systems processing personal information. Systems processing Processed Personal Data will adequately protect that information at rest and in transit. Processed Personal Data will be deleted in accordance with the retention obligations in Annex 1.
2.3 Sub-processor Security.
Contour has reviewed the security and privacy practices of its sub-processors to ensure that they provide a level of security and privacy appropriate to their access to data and the scope of the services they are engaged to provide.