Data Processing Attachment

1. Babelway Services and Personal Data

This Data Processing Attachment (“DPA”) applies to Tradeshift Belgium’s Processing of Personal Data in Tradeshift Belgium’s capacity as a Processor for the Customer under the Agreement and this version of the DPA is incorporated into and subject to the terms of the Agreement. Where Babelway is a Controller, Tradeshift Belgium will comply with its own privacy policy in the handling of any applicable Personal Data. Except as expressly stated otherwise, in the event of any conflict between the terms of the Agreement and any other attachments thereto and the terms of this DPA, the relevant terms of this DPA shall take precedence.

2. Definitions

“Agreement” means the existing contract between Tradeshift Belgium and Customer.

“Controller” and “Processor” have the meaning set out in the Data Protection Regulations.

“Customer” means the entity on whose behalf the Agreement is executed.

“Data Subject” means an identified or identifiable living natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“Tradeshift Belgium’s Affiliates” means the subsidiaries, parent or Tradeshift Belgium group entities that may assist in the performance of the Data Exchange Services.

“Data Protection Regulations” means the General Data Protection Regulation (GDPR) Regulation (EU) 2016/679 and applicable laws by EU member states which either supplement or are necessary to implement the GDPR.

“Model Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2021/914/EU of 4 June 2021 for the Transfer of Personal Data to Processors established in Third Countries under the Directive 95/46/EC, or any successor standard contractual clauses that may be adopted pursuant to an EU Commission decision.

“Personal Data” means any information that relates to a Data Subject that Customer, its Users or its Trading Partners provide to Tradeshift Belgium to Process under the Agreement.

“Process” or “Processing” means any operation or set of operations, whether or not by automated means, which is performed upon Personal Data that is stored on computers, servers, or mobile devices owned or maintained by Tradeshift Belgium, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

“Processor” means the Tradeshift Belgium entity listed in the Agreement.

“Processor List” means the list of Tradeshift Belgium’s Affiliates and/or Third Party Processors who may assist Tradeshift Belgium with some or all of the Processing of Personal Data of the Customer.

“Services” means the Software-as-a-Service data exchange application and services to be provided by Tradeshift Belgium pursuant to this Agreement.

“Third Party Processor” means a third party subcontractor, other than a Tradeshift Belgium’s Affiliate, engaged by Tradeshift Belgium, which, as a part of the subcontractor’s role in providing services under the Agreement, will Process Personal Data of the Customer.

“Trading Partner” means any entity or organization that the Customer exchanges data with using Babelway.

“Users” means individual users who are authorized by Customer to use the Services and who have been supplied Account access by Customer.

3. Controller and Processor of Personal Data

Customer shall remain the Controller of the Personal Data for the purposes of the Agreement, including this DPA. Customer is responsible for compliance with its obligations as a Controller under the Data Protection Regulations and, in particular, for the basis of any transmission of Personal Data to Tradeshift Belgium (including providing any required notices and obtaining any required consents and authorizations), and for its decisions and actions concerning the Processing and use of Personal Data. Customer acknowledges its responsibility in configuring the Services via the Babelway Self-Service Platform and selecting appropriate options to secure Personal Data, in choosing transfer protocols or retention periods for example. Customer will not provide Tradeshift Belgium with access to any special categories of Personal Data, as defined under the Data Protection Regulations, or any health, payment card, or similar information that imposes specific data security obligations for the processing of such Personal Data unless permitted in the Agreement.

Tradeshift Belgium is a Processor of the Personal Data for the purposes of the Agreement. Tradeshift Belgium will Process Personal Data as necessary and as instructed for the purposes of the Agreement in accordance with this DPA and will not disclose Personal Data to third parties other than to Tradeshift Belgium’s Affiliates or Third Party Processors for the aforementioned purposes or as required by law.

4. Types of Personal Data

Customer authorizes and requests that Tradeshift Belgium Process the necessary types of Personal Data required to fulfill the Agreement. Personal Data may be included in the following types of data:

a) Files or data flows, in any format, submitted by Customer, its Users or its Trading Partners for transfers and/or archiving with Babelway;
b) Lookup table data populated automatically from data flows or manually by Users and stored within Babelway;
c) Any data provided by Users or generated as part of the service which are necessary to provide the service.

5. Processing Instructions

Customer authorizes Tradeshift Belgium to Process Personal Data for the following purposes only:

a) providing the requested Services under the Agreement;
b) providing support and assistance to Users and complying with Customer’s written instructions;
c) handling or preparing for disputes or litigation;
d) to comply with Tradeshift Belgium’s legal or regulatory obligations;
e) for no other reason unless provided for under the Data Protection Regulations.

To the extent Tradeshift Belgium receives additional instructions for the Processing of Personal Data, Tradeshift Belgium will comply with such instructions to the extent necessary for: (i) Tradeshift Belgium to comply with its Processor obligations under the Data Protection Regulations; and (ii) to assist Customer in complying with its Controller obligations under the Data Protection Regulations in relation to the Agreement. Without prejudice to Tradeshift Belgium’s obligations under this Section 5, the parties will negotiate in good faith with respect to any charges or fees that may be incurred by Tradeshift Belgium to comply with Customer’s instructions with regard to the Processing of Personal Data that require the use of resources different from, or in addition to, those required for the provision of the product or services under the Agreement.

Customer will ensure that its instructions to Tradeshift Belgium for the Processing of Personal Data will, at all times, be lawful and in compliance with the Data Protection Regulations. Tradeshift Belgium will notify Customer if it reasonably believes any instruction or request from the Customer will require Tradeshift Belgium to take any action that Tradeshift Belgium reasonably believes will not be in compliance with the GDPR. Tradeshift Belgium shall have no other obligation to act beyond sending such notice to the Customer and is not responsible for performing legal research or providing legal advice.

6. Requests from Data Subjects

Tradeshift Belgium will use reasonable efforts to accommodate Customer’s detailed written instructions to access, delete, release, correct or block access to Personal Data provided that at no time shall Tradeshift Belgium have any obligation to alter any records that are maintained as a system of record of past transactions, to make any change to any records maintained in a system that are inconsistent with the purpose for which the Personal Data was originally provided to Babelway for Processing, or to alter any record that Babelway is required to keep by any law or for any regulatory purposes. If Customer requires Tradeshift Belgium to develop or implement any additional or specific means or methods related to the access, deletion, release, correction, or blocking of access to Personal Data on behalf of Customer, Customer and Tradeshift Belgium will mutually agree on the scope of the work that Tradeshift Belgium may be willing to undertake and the reasonable fees for such work.

Tradeshift Belgium will pass on to the Customer any requests of an individual Data Subject to access, delete, release, correct or block Personal Data Processed under the Agreement. Tradeshift Belgium will not be responsible for responding directly to the Data Subject’s request, unless otherwise required by law. Tradeshift Belgium shall provide the Customer with assistance in responding to such requests in accordance with Section 5.

7. Cross-Border Transfers

Any transfers of Personal Data of Data Subjects received by Tradeshift Belgium from Customer in the EU to Babelway, Tradeshift Belgium’s Affiliates or Third Party Processors which are outside of the EU are subject to the terms of the Model Clauses and the terms of this DPA shall be read in conjunction with the Model Clauses; provided, however, that the Model Clauses shall not apply where the transfers of Personal Data are to any country or territory which is, at the time, subject to a current finding of adequacy by the European Commission as set out at (as amended from time to time).

8. Additional Processors

Some or all of Tradeshift Belgium’s obligations under the Agreement may be performed by Tradeshift Belgium’s Affiliates and/or Third Party Subprocessors. Babelway maintains a Processor List, which lists all Tradeshift Belgium’s Affiliates and Third Party Subprocessors that may Process Personal Data on behalf of Tradeshift Belgium. Tradeshift Belgium will provide a copy of the Processor List to Customer upon request.

The Tradeshift Belgium’s Affiliates and Third Party Subprocessors are required to abide by substantially the same obligations as Tradeshift Belgium under this DPA as applicable to the Processing of the Customer’s Personal Data and, in any event, in a manner that is compliant with the Data Protection Regulations.

Tradeshift Belgium remains responsible at all times for compliance with the terms of this DPA by Tradeshift Belgium’s Affiliates and Third Party Subprocessors. Customer consents to Tradeshift Belgium’s use of Tradeshift Belgium’s Affiliates and Third Party Subprocessors in the performance of the Data Exchange Services in accordance with this DPA.

If additional Tradeshift Belgium’s Affiliates or Third Party Subprocessors are required to process Customer’s Personal Data in connection with Babelway’s performance under an Agreement, Customer will be notified in advance of changes to the Processor List. The Customer may refuse to consent to the involvement of a Tradeshift Belgium’s Affiliate or a Third Party Subprocessor under this DPA by sending written notice to Babelway of their refusal within ten (10) business days of receipt of notice and providing reasonable and justified, objective grounds relating to such Babelway’s Affiliate or Third Party Processor’s ability to adequately protect Personal Data in accordance with this DPA. In the event that the Customer’s objection is justified, Babelway and Customer will work together in good faith to find a mutually acceptable resolution to address Customer’s objection(s). If Babelway and Customer are unable to reach a mutually acceptable solution within a reasonable timeframe, Customer may immediately terminate the Agreement without obligation, if any is provided under the Agreement, for the payment of any further Fees that otherwise may be due as a result of early termination of the Agreement.

9. Security Measures

Tradeshift Belgium shall implement appropriate physical, administrative, organizational, technical, and personal security measures based on the type and nature of the Personal Data being processed and the level of risk associated with it. Tradeshift Belgium shall retain all Personal Data, including Personal Data that is contained on back-up media, in a logically secure environment that protects it from unauthorized access, modification, theft, misuse and destruction. Tradeshift Belgium shall ensure that platforms hosting the Personal Data are configured to conform to industry standard security requirements and that hardened platforms are monitored for unauthorized change. Tradeshift Belgium’s security policy shall not allow electronic files containing Personal Data to be stored on personal desktops, laptops, or removable data storage devices, unless the device is password protected and the Personal Data is encrypted using industry standard encryption technology. Tradeshift Belgium shall ensure that all employees with access to Personal Data are subject to a duty of confidence and/or written confidentiality agreement.

10. Breach Management and Notification

For the purposes of this section, “Security Breach” means the misappropriation or unauthorized Processing of Personal Data located on Babelway’s systems, including by a Tradeshift Belgium employee, that compromises the security, confidentiality or integrity of such Personal Data. Unless prohibited by applicable law, upon becoming aware of the Security Breach, Tradeshift Belgium will: (i) within forty eight (48) hours, or sooner as required by applicable law, provide to Customer a notification of the occurrence of the Security Breach; (ii) within five (5) business days, provide to Customer a summary report of the Security Breach containing details of the Security Breach, its impact on the services under the Agreement and the Personal Data and the initial steps taken by Tradeshift Belgium to address the Security Breach; and (iii) within fifteen (15) business days, provide to Customer a detailed incident report analyzing the Security Breach and a rectification plan which sets out what steps, if any are appropriate, will be taken to stop and further prevent the Security Breach occurring in the future.

In investigating any Security Breach, Tradeshift Belgium will work to provide to Customer a root cause analysis in order to prevent a recurrence. In addition, unless prohibited by applicable law, Tradeshift Belgium will provide Customer with a summary of the Security Breach and share information about the Security Breach as it becomes available.

11. Security Breach Public Statements

In the event of a Security Breach, the parties agree to coordinate in good faith on developing the content of any related public statements or required notices for the affected Data Subjects and/or notices to the relevant data protection authorities.

12. Audit

During the Term of the Agreement, on an annual basis, Tradeshift Belgium will conduct, at no charge to Customer, an ISAE SOC 2, Type II and an ISO 27001 audit of controls relating to the network operations of Babelway through which Personal Data is processed by Babelway under an Agreement, which audit will be performed by an independent certified public accounting firm (or similarly qualified person). If a deficiency is identified as a result of such audit, Tradeshift Belgium will remediate, as Tradeshift Belgium deems reasonable given the circumstances, within an agreed to and reasonable timeframe. All costs of remediation will be the responsibility of Tradeshift Belgium.

In the event Customer wishes to audit Tradeshift Belgium’s compliance with this DPA, an independent third party auditor mutually agreed to by the parties (the “Auditor”) may, on behalf of Customer and at the expense of Customer, audit Tradeshift Belgium’s compliance with the terms of this DPA up to once per year. The Auditor may perform more frequent audits of the data center facility that Processes Personal Data to the extent required by laws applicable to Customer. The Auditor must execute a written confidentiality agreement acceptable to Tradeshift Belgium before conducting the audit.

To request an audit, Customer must submit a detailed audit plan to Tradeshift Belgium at least four weeks in advance of the proposed audit date. The audit plan must describe the proposed scope, duration, and start date of the audit. Tradeshift Belgium will review the audit plan and provide Customer with any concerns or questions (for example, any request for information that could compromise Babelway’s security, privacy, employment or other relevant policies). Tradeshift Belgium will work cooperatively with Customer to agree on a final audit plan. If the requested audit scope is addressed in a SSAE SOC 1, Type II or ISO27001 report prepared for Tradeshift Belgium by a qualified third party auditor or another equivalent report within the prior twelve (12) months and Tradeshift Belgium confirms there are no known material changes in the controls audited, Customer agrees to accept those findings in lieu of requesting an audit of the controls covered by the report.

The audit must be conducted during regular business hours at the applicable facility, subject to Tradeshift Belgium’s policies, and may not unreasonably interfere with Tradeshift Belgium’s business activities.

Customer will provide Tradeshift Belgium any audit reports generated in connection with any audit under this section, unless prohibited by law. Customer agrees that Tradeshift Belgium may, at their discretion, release the audit report to a third party provided Customer is given a reasonable opportunity to redact any personal, confidential, or proprietary information that may be contained in the audit report. Customer may use the audit reports only for the purpose of confirming compliance with the requirements of this DPA. The audit reports are Confidential Information of the parties under the terms of the Agreement.

Any audits are at the Customer’s expense. Any request for Tradeshift Belgium to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from, or in addition to, those required for the provision of services under the Agreement. Tradeshift Belgium will seek the Customer’s written approval and agreement to pay any related fees before performing such audit assistance.

13. Legally Required Disclosures

Except as otherwise required by law, Tradeshift Belgium will promptly notify Customer of any requirement of a governmental agency or by operation of law (a “Demand”) that it receives and which relates to the Processing of Personal Data. At Customer’s request, Tradeshift Belgium will provide Customer with reasonable information in its possession that may be responsive to the Demand and any assistance reasonably required for Customer to respond to the Demand in a timely manner. Customer acknowledges that Tradeshift Belgium has no responsibility to interact directly with the entity making the Demand.

14. Destruction of Personal Data

If requested by Customer, Tradeshift Belgium will, within a commercially reasonable period of time, destroy or render unreadable all Personal Data received by Tradeshift Belgium from Customer using appropriate methods of data destruction based on current industry standards, except where the Data Protection Regulations or local law provide for that Personal Data to be preserved or maintained. Written confirmation that the Personal Data was destroyed or rendered unreadable can be provided upon request.