The parties agree that this Data Processing Addendum (DPA) shall be incorporated into and form part of the Customer Agreement (the “Agreement”) and subject to the provisions therein. The limitations of liability in the Agreement shall not apply to any liability under this DPA. Terms defined in the Agreement shall have the same meaning when used in this DPA, unless defined otherwise herein.
“Business” has the meaning given to it in the CCPA.
“Conflicting Processing Obligation” means an obligation on Rentouch under applicable law, court order, subpoena, or other mandatory request by a court or governmental authority of competent jurisdiction to disclose or otherwise process Personal Data other than as instructed by Customer.
“Controller” means the entity which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
“Data Protection Legislation” means all data protection and privacy legislation applicable to the parties, which for the avoidance of doubt shall include the EU General Data Protection Regulation 2016/679 (“GDPR”) and the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq. (“CCPA”).
“Data Subject” means a natural person whose Personal Data is Processed by Rentouch in accordance with the context of the Agreement.
“EU Commission Model Clauses” means standard contractual clauses, as approved by the European Commission in Commission Decision 2010/87/EU of 5th February 2010, which are incorporated herein by reference.
“Personal Data Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or exfiltration of, or access to, Personal Data.
“Personal Data” means any Customer Data (i) relating to an identified or identifiable individual, within the meaning of the GDPR (regardless of whether the GDPR applies) and (ii) constituting “personal information” as such is defined in the CCPA.
“Process” and “Processing” mean any operation or set of operations performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, creating, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
“Processor” means the entity which Processes Personal Data on Controller’s behalf. Processor is also a Service Provider.
“Service Provider” has the meaning given to it in the CCPA.
2.1 For the purposes of processing Personal Data that is Customer Data under the Agreement, Customer (or a Customer Affiliate on whose behalf Customer is authorized to instruct Rentouch) shall be regarded as a Controller and Rentouch shall be regarded as a Processor.
2.2 For purposes of Personal Data constituting “personal information” under the CCPA, Customer is a Business and Rentouch is a Service Provider. Customer’s transfer of Personal Data to Rentouch is not a sale, and Rentouch provides no monetary or other valuable consideration to Customer in exchange for Personal Data.
2.3 Rentouch acknowledges that, between the parties, all rights, title and interest in the Personal Data in Customer Data processed under the Agreement is vested solely in Customer or a Customer Affiliate, as the case may be.
2.4 If Customer is acting on behalf of another Controller (or on behalf of intermediaries such as other Processors of the Controller), then, to the extent legally permissible: (a) Customer will serve as the sole point of contact for Rentouch with regard to any such third parties; (b) Rentouch need not interact directly with any such third party (other than through regular provision of the Service to the extent required by the Agreement); and (c) where Rentouch would otherwise be required to provide information, assistance, cooperation, or anything else to such third party, Rentouch may provide it solely to Customer. Notwithstanding the foregoing, Rentouch is entitled to follow the instructions of such third party with respect to such third party’s Personal Data instead of Customer’s instructions if Rentouch reasonably believes this is legally required under the circumstances.
Customer undertakes to:
3.1 Comply with all applicable requirements of the Data Protection Legislation;
3.2 Advise Rentouch of any requirements under Data Protection Legislation applicable to Customer Data other than those provided in the GDPR or CCPA;
3.3 Ensure that there is a legal ground for processing the Personal Data as envisioned under the Agreement;
3.4 Not instruct Rentouch to Process Personal Data in violation of Data Protection Legislation. Rentouch has no obligation to monitor the compliance of Customer’s use of the Service with applicable Law, including Data Protection Legislation, though Rentouch will promptly inform Customer if, in Rentouch’s opinion, an instruction from Customer infringes Data Protection Legislation.
3.5 Provide Rentouch with instructions regarding Rentouch’s processing of Personal Data as set out in this DPA and in any additional documented instructions provided by Customer, if applicable.
Rentouch undertakes to:
4.1 Comply with all applicable requirements of the GDPR, CCPA, and if and to the extent agreed between Customer and Rentouch in writing, Data Protection Legislation in other jurisdictions to the extent Customer and Rentouch have agreed such legislation is applicable and the Service is able to comply;
4.2 Only process the Personal Data in accordance with instructions from Customer unless obligated to do otherwise by applicable Law. In such a case, Rentouch will inform the Customer of that legal requirement before the Processing unless legally prohibited from doing so. Without limiting the foregoing: (a) Rentouch will not collect, retain, use, disclose, or otherwise Process the Personal Data in a manner inconsistent with Rentouch’s role as Customer’s Service Provider (regardless of whether the CCPA applies); (b) Rentouch will not “sell” the Personal Data, as such term is defined in the CCPA; and (c) Rentouch hereby certifies that it understands the restrictions and obligations set forth in this DPA and that it will comply with them. The Agreement, including this DPA, along with Customer’s configuration of any settings or options in the Service (as Customer may be able to modify from time to time), constitute Customer’s complete and final instructions to Rentouch regarding the Processing of Personal Data, including for purposes of the EU Commission Model Clauses;
4.3 Ensure that: (a) only employees who must have access to the Personal Data in order to meet Rentouch’s obligations under the Agreement have access to the Personal Data, (b) such employees have received appropriate training and instructions regarding processing of Personal Data, and (c) such employees are subject to written agreements of confidentiality or are under an appropriate statutory obligation of confidentiality regarding Customer Data and other Customer Confidential Information;
4.4 Ensure that it has in place appropriate technical and organizational measures, without prejudice to Rentouch’s right to make future replacements or updates to the measures that do not lower the level of protection of Personal Data, to protect against unauthorized or unlawful processing of Personal Data and against accidental loss or destruction of, or damage to, Personal Data, in each case as described in the Security Policy;
4.5 As applicable to the Service, reasonably assist Customer in responding (at Customer’s expense) to any request from a Data Subject (including “verifiable consumer requests”, as such term is defined in the CCPA), relating to the Processing of Personal Data under the Agreement;
4.6 Upon becoming aware of a Personal Data Incident, Rentouch shall use reasonable efforts to notify Customer without undue delay and shall provide timely information relating to the Personal Data Incident as it becomes known or as is reasonably requested by Customer;
4.7 Taking into account the nature of the Processing and the information available to Rentouch, Rentouch will provide reasonable assistance to and cooperation with Customer for Customer’s performance of any legally required data protection impact assessment of the Processing or proposed Processing of the Personal Data involving Rentouch, and with related consultation with supervisory authorities, by providing Customer with any publicly available documentation for the relevant Service or by complying with Section 9 (Audit Rights). Additional support for data protection impact assessments or relations with regulators may be available and would require mutual agreement on fees, the scope of Rentouch involvement, and any other terms that the parties deem appropriate;
4.8 Maintain complete and accurate records and information to demonstrate its compliance with this DPA; and
4.9 Make available to Customer the information necessary to demonstrate compliance with Rentouch’s obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by Customer or another third party mandated by it, as set forth in Section 9 (Audit Rights). Rentouch shall promptly inform Customer if, in its opinion, Customer’s instructions infringe Data Protection Legislation.
If Rentouch is faced with a Conflicting Processing Obligation, Rentouch shall (a) inform Customer of that Conflicting Processing Obligation before processing the Personal Data in accordance therewith, unless such information is prohibited by applicable Laws; (b) give Customer reasonable opportunity to take any steps it considers necessary to protect the integrity of the Personal Data and the rights of the relevant Data Subjects; and (c) provide any assistance reasonably requested by Customer to take such steps.
Customer hereby consents to Rentouch’s appointment of certain third-party processors of Personal Data under this Agreement (“Subprocessors”). Rentouch’s current Subprocessors are listed here. Rentouch confirms that it: (a) has entered (or, for future appointments, will enter) into a written agreement with each Subprocessor incorporating terms which are substantially similar to those set out in this DPA; and (b) will inform Customer of any intended changes concerning the addition or replacement of other Subprocessors, thereby giving Customer the opportunity to object to such changes. Customer’s sole recourse if it objects to a Subprocessor will be to terminate Customer’s subscription to the Service. Following such termination, Customer will be entitled to a refund of unused prepaid fees only if (a) Rentouch breached its obligation to maintain the requisite contract provisions with the Subprocessor, or (b) the Agreement otherwise provides for a refund.
7.1 Rentouch may not transfer Personal Data to, or process such data in, a location outside of the EU/EEA/EFTA without Customer’s prior written consent, except in compliance with Sections 7.2 and 7.3 below (in each case a “Transfer”).
7.2 Without prejudice to the foregoing, Customer consents to Transfers where Rentouch has implemented a Transfer solution compliant with Data Protection Legislation, which for example may include: (a) where such transfer is subject to an adequacy decision by the European Commission; (b) the EU Commission Model Clauses for the transfer of Personal Data to Processors established in third countries; (c) another appropriate safeguard pursuant to Article 46 of the GDPR applies; or (d) a derogation pursuant to Article 49 of the GDPR applies.
7.3 Customer will comply with all applicable Law, including Data Protection Legislation, relevant to use of the Service, including by obtaining any consents and providing any notices required under Data Protection Legislation for Rentouch to provide the Service. Customer will ensure that Customer and Users are entitled to transfer the Personal Data to Rentouch so that Rentouch and its Subprocessors may lawfully Process the Personal Data in accordance with this DPA.
7.4 EU Commission Model Clauses. For purposes of the EU Commission Model Clauses: (1) the audit rights in Section 9 (Audit Rights) will satisfy Section 5(f) of the EU Commission Model Clauses, (2) the Subprocessor authorization and procedures in Section 6 (Subprocessors) serve as consent for subprocessing under Section 5(h) of the EU Commission Model Clauses (and Rentouch may disclose copies of subprocessing agreements with redacted commercial information for purposes of Section 5(j) of the EU Commission Model Clauses) and (3) instructions referenced in Section 4.2 are Customer’s instructions for purposes of the EU Commission Model Clauses.
During the term of the Agreement, Rentouch will: (a) ensure that the Personal Data is, where necessary, kept up to date in accordance with Customer’s instructions; and (b) restrict the processing of Personal Data identified by Customer so that except for storage and changes made by Users or upon instructions from Customer, it is not subject to further processing operations and cannot be changed.
On written request from Customer, Rentouch shall provide written responses (on a confidential basis) to all reasonable requests for information made by Customer related to its processing of Personal Data, including responses to information security and audit questionnaires that are strictly necessary to confirm Rentouch’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any 12 month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a data protection authority, or Rentouch has experienced a Personal Data Incident, or other reasonably similar basis.
10.1 Except for the changes made by this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of that conflict, as it relates to the subject matter of this DPA.
10.2 This DPA shall be deemed a part of and incorporated into the Agreement so that references in the Agreement to "Agreement" shall be interpreted to include this DPA.
10.3 This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement unless required otherwise by Data Protection Legislation, in which case this DPA will be governed by the laws of Switzerland.
10.4 In the event of inconsistencies between this DPA and the EU Commission Model Clauses, this DPA shall prevail to the extent this DPA offers a stronger privacy protection for data subjects. Otherwise the EU Commission Model Clauses shall apply.