1. Babelway Services and Personal Data

This Data Processing Attachment (“DPA”) applies to Babelway’s Processing of Personal Data in Babelway’s capacity as a Processor for the Customer under the Agreement and this version of the DPA is incorporated into and subject to the terms of the Agreement. Where Babelway is a Controller, Babelway will comply with its own privacy policy in the handling of any applicable Personal Data. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and any other attachments thereto and the terms of this DPA, the relevant terms of this DPA shall take precedence.

2. Definitions

“Agreement” means the existing contract between Babelway and Customer.
“Controller” and “Processor” have the meaning set out in the Data Protection Regulations.
“Customer” means the entity on whose behalf the Agreement is executed.
“Data Subject” means an identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Babelway’s Affiliates” means the subsidiaries, parent or Babelway group entities that may assist in the performance of the Data Exchange Services.
“Data Protection Regulations” means the General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 and applicable laws by EU member states which either supplement or are necessary to implement the GDPR.
“Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.
“Personal Data” means any information that relates to a Data Subject that Customer, its Users or its Trading Partners provide to Babelway to Process under the Agreement.
“Process” or “Processing” means any operation or set of operations, whether or not by automated means, which is performed upon Personal Data that is stored on computers, servers, or mobile devices owned or maintained by Babelway, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.
“Processor” means the Babelway entity listed in the Agreement.
“Processor List” means the list of Babelway’s Affiliates and/or Third Party Processors who may assist Babelway with some or all of the Processing of Personal Data of the Customer.
“Services” means the Software-as-a-Service data exchange application and services to be provided by Babelway pursuant to this Agreement.
“Third Party Processor” means a third party subcontractor, other than a Babelway’s Affiliate, engaged by Babelway, which, as a part of the subcontractor’s role in providing services under the Agreement, will Process Personal Data of the Customer.
“Trading Partner” means any entity or organization that the Customer exchanges data with using Babelway.
“Users” means individual users who are authorized by Customer to use the Services and who have been supplied Account access by Customer.

3. Controller and Processor of Personal Data

Customer shall remain the Controller of the Personal Data for the purposes of the Agreement, including this DPA. Customer is responsible for compliance with its obligations as a Controller under the Data Protection Regulations and, in particular, for the basis of any transmission of Personal Data to Babelway (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of Personal Data. Customer acknowledges its responsibility in configuring the Services via the Babelway Self-Service Platform and selecting appropriate options to secure Personal Data, in choosing transfer protocols or retention periods for example. Customer will not provide Babelway with access to any special categories of Personal Data, as defined under the Data Protection Regulations, or any health, payment card, or similar information that imposes specific data security obligations for the processing of such Personal Data unless permitted in the Agreement.

Babelway is a Processor of the Personal Data for the purposes of the Agreement. Babelway will Process Personal Data as necessary and as instructed for the purposes of the Agreement in accordance with this DPA and will not disclose Personal Data to third parties other than to Babelway’s Affiliates or Third Party Processors for the aforementioned purposes or as required by law.

4. Types of Personal Data

Customer authorizes and requests that Babelway Process the necessary types of Personal Data required to fulfill the Agreement. Personal Data may be included in the following types of data:

a) Files or data flows, in any format, submitted by Customer, its Users or its Trading Partners for transfers and/or archiving with Babelway;
b) Lookup table data populated automatically from data flows or manually by Users and stored within Babelway;
c) Any data provided by Users or generated as part of the service which are necessary to provide the service.

5. Processing Instructions

Customer authorizes Babelway to Process Personal Data for the following purposes only:

a) providing the requested Services under the Agreement;
b) providing support and assistance to Users and complying with Customer’s written instructions;
c) handling or preparing for disputes or litigation;
d) to comply with Babelway’s legal or regulatory obligations;
e) for no other reason unless provided for under the Data Protection Regulations.

To the extent Babelway receives additional instructions for the Processing of Personal Data, Babelway will comply with such instructions to the extent necessary for: (i) Babelway to comply with its Processor obligations under the Data Protection Regulations; and (ii) to assist Customer in complying with its Controller obligations under the Data Protection Regulations in relation to the Agreement. Without prejudice to Babelway’s obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Babelway to comply with Customer’s instructions with regard to the Processing of Personal Data that require the use of resources different from, or in addition to, those required for the provision of the product or services under the Agreement.

Customer will ensure that its instructions to Babelway for the Processing of Personal Data will, at all times, be lawful and in compliance with the Data Protection Regulations. Babelway will notify Customer if it reasonably believes any instruction or request from the Customer will require Babelway to take any action that Babelway reasonably believes will not be in compliance with the GDPR. Babelway shall have no other obligation to act beyond sending such notice to the Customer and is not responsible for performing legal research or providing legal advice.

6. Requests from Data Subjects

Babelway will use reasonable efforts to accommodate Customer’s detailed written instructions to access, delete, release, correct or block access to Personal Data provided that at no time shall Babelway have any obligation to alter any records that are maintained as a system of record of past transactions, to make any change to any records maintained in a system that are inconsistent with the purpose for which the Personal Data was originally provided to Babelway for Processing, or to alter any record that Babelway is required to keep by any law or for any regulatory purposes. If Customer requires Babelway to develop or implement any additional or specific means or methods related to the access, deletion, release, correction, or blocking of access to Personal Data on behalf of Customer, Customer and Babelway will mutually agree on the scope of the work that Babelway may be willing to undertake and the reasonable fees for such work.

Babelway will pass on to the Customer any requests of an individual Data Subject to access, delete, release, correct or block Personal Data Processed under the Agreement. Babelway will not be responsible for responding directly to the Data Subject’s request, unless otherwise required by law. Babelway shall provide the Customer with assistance in responding to such requests in accordance with Section 5.

7. Cross-Border Transfers

Any transfers of Personal Data of Data Subjects received by Babelway from Customer in the EU to Babelway, Babelway’s Affiliates or Third Party Processors which are outside of the EU are subject to the terms of the Model Clauses and the terms of this DPA shall be read in conjunction with the Model Clauses; provided, however, that the Model Clauses shall not apply where the transfers of Personal Data are to any country or territory which is, at the time, subject to a current finding of adequacy by the European Commission as set out at http://ec.europa.eu/justice/data-protection/international-transfers/adequacy/index_en.html (as amended from time to time).

8. Additional Processors

Some or all of Babelway’s obligations under the Agreement may be performed by Babelway’s Affiliates and/or Third Party Subprocessors. Babelway maintains a Processor List, which lists all Babelway’s Affiliates and Third Party Subprocessors that may Process Personal Data on behalf of Babelway. Babelway will provide a copy of the Processor List to Customer upon request.

Babelway’s Affiliates and Third Party Subprocessors are required to abide by substantially the same obligations as Babelway under this DPA as applicable to the Processing of the Customer’s Personal Data and, in any event, in a manner that is compliant with the Data Protection Regulations.

Babelway remains responsible at all times for compliance with the terms of this DPA by Babelway’s Affiliates and Third Party Subprocessors. Customer consents to Babelway’s use of Babelway’s Affiliates and Third Party Subprocessors in the performance of the Data Exchange Services in accordance with this DPA.

If additional Babelway’s Affiliates or Third Party Subprocessors are required to process Customer’s Personal Data in connection with Babelway’s performance under an Agreement, Customer will be notified in advance of changes to the Processor List. The Customer may refuse to consent to the involvement of a Babelway’s Affiliate or a Third Party Subprocessor under this DPA by sending written notice to Babelway of their refusal within ten (10) business days of receipt of notice and providing reasonable and justified, objective grounds relating to such Babelway’s Affiliate or Third Party Processor’s ability to adequately protect Personal Data in accordance with this DPA. In the event that the Customer’s objection is justified, Babelway and Customer will work together in good faith to find a mutually acceptable resolution to address Customer’s objection(s). If Babelway and Customer are unable to reach a mutually acceptable solution within a reasonable timeframe, Customer may immediately terminate the Agreement without obligation, if any is provided under the Agreement, for the payment of any further Fees that otherwise may be due as a result of early termination of the Agreement.

9. Security Measures

Babelway shall implement appropriate physical, administrative, organizational, technical, and personal security measures based on the type and nature of the Personal Data being processed and the level of risk associated with it. Babelway shall retain all Personal Data, including Personal Data that is contained on back-up media, in a logically secure environment that protects it from unauthorized access, modification, theft, misuse and destruction. Babelway shall ensure that platforms hosting the Personal Data are configured to conform to industry standard security requirements and that hardened platforms are monitored for unauthorized change. Babelway’s security policy shall not allow electronic files containing Personal Data to be stored on personal desktops, laptops, or removable data storage devices, unless the device is password protected and the Personal Data is encrypted using industry standard encryption technology. Babelway shall ensure that all employees with access to Personal Data are subject to a duty of confidence and/or written confidentiality agreement.

10. Breach Management and Notification

For the purposes of this section, “Security Breach” means the misappropriation or unauthorized Processing of Personal Data located on Babelway’s systems, including by a Babelway employee, that compromises the security, confidentiality or integrity of such Personal Data. Unless prohibited by applicable law, upon becoming aware of the Security Breach, Babelway will: (i) within forty eight (48) hours, or sooner as required by applicable law, provide to Customer a notification of the occurrence of the Security Breach; (ii) within five (5) business days, provide to Customer a summary report of the Security Breach containing details of the Security Breach, its impact on the services under the Agreement and the Personal Data and the initial steps taken by Babelway to address the Security Breach; and (iii) within fifteen (15) business days, provide to Customer a detailed incident report analyzing the Security Breach and a rectification plan which sets out what steps, if any are appropriate, will be taken to stop and further prevent the Security Breach occurring in the future.

In investigating any Security Breach, Babelway will work to provide to Customer a root cause analysis in order to prevent a recurrence. In addition, unless prohibited by applicable law, Babelway will provide Customer with a summary of the Security Breach and share information about the Security Breach as it becomes available.

11. Security Breach Public Statements

In the event of a Security Breach, the parties agree to coordinate in good faith on developing the content of any related public statements or required notices for the affected Data Subjects and/or notices to the relevant data protection authorities.

12. Audit

During the Term of the Agreement, on an annual basis, Babelway will conduct, at no charge to Customer, an ISAE SOC 2, Type II and an ISO 27001 audit of controls relating to the network operations of Babelway through which Personal Data is processed by Babelway under an Agreement, which audit will be performed by an independent certified public accounting firm (or similarly qualified person). If a deficiency is identified as a result of such audit, Babelway will remediate, as Babelway deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Babelway.

In the event Customer wishes to audit Babelway’s compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Babelway’s compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Data to the extent required by laws applicable to Customer. The Auditor must execute a written confidentiality agreement acceptable to Babelway before conducting the audit.

To request an audit, Customer must submit a detailed audit plan to Babelway at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Babelway will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Babelway’s security, privacy, employment or other relevant policies). Babelway will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in a SSAE SOC 1, Type II or ISO27001 report prepared for Babelway by a qualified third party auditor or another equivalent report within the prior twelve (12) months and Babelway confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

The audit must be conducted during regular business hours at the applicable facility, subject to Babelway’s policies, and may not unreasonably interfere with Babelway’s business activities.

Customer will provide Babelway any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Babelway may, at its discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.

Any audits are at the Customer’s expense. Any request for Babelway to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision of services under the Agreement. Babelway will seek the Customer’s written approval and agreement to pay any related fees before performing such audit assistance.

13. Legally Required Disclosures

Except as otherwise required by law, Babelway will promptly notify Customer of any requirement of a governmental agency or by operation of law (a “Demand”) that it receives and which relates to the Processing of Personal Data. At Customer’s request, Babelway will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that Babelway has no responsibility to interact directly with the entity making the Demand.

14. Destruction of Personal Data

If requested by Customer, Babelway will, within a commercially reasonable period of time, destroy or render unreadable all Personal Data received by Babelway from Customer using appropriate methods of data destruction based on current industry standards, except where the Data Protection Regulations or local law provide for that Personal Data to be preserved or maintained. Written confirmation that the Personal Data was destroyed or rendered unreadable can be provided upon request.
