Data Processing Addendum
This IChiba Data Processing Addendum (" DPA ") forms part of the Customer Agreement between IChiba and Customer and governs the processing by iChiba of Customer Data in connection with the Agreement. Unless indicated otherwise, if there is any conflict between the provisions of this DPA and the remainder of the Agreement, this DPA shall prevail to the extent of such conflict.
This DPA includes and incorporates the Standard Terms and Conditions and the Exhibits attached hereto. Capitalized terms not defined herein shall have the meaning set forth in Schedule 1 ( Definitions and Interpretation ).
Standard Terms and Conditions
1. Definitions
1.1 The following defined terms apply to this DPA:
" Customer Data " means any Personal Data that is Processed by iChiba Global on behalf of Customer in connection its provision of Services to Customer under the Agreement;
" Data Subject " means the identified or identifiable natural person to whom the Personal Data relates;
" Local Law Annexes " means the annexes attached hereto which set forth specific supplemental local law requirements relevant to the Processing hereunder;
" Personal Data Breach " means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed;
" Process ", " Processed " or " Processing " means any operation or set of operations which is performed on Personal Data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
" Regulator " means any regulator with authority to enforce Data Protection Laws in any particular territory; and
" Relevant Data Transfer " means a transfer of Personal Data (from Customer to iChiba Global or from iChiba Global to a subcontractor or other party) which would be prohibited by Data Protection Law (or by the terms of data transfer agreements put in place to address the data transfer restrictions of Data Protection Law) in the absence of appropriate measures being followed by Customer and/or iChiba to demonstrate that the transfer shall not prevent or impede such data from being handled in accordance with Data Protection Law.
2. Local Law Annexes
2.1 Where and to the extent that any of the local law requirements set out in the Exhibit A ( Local Law Annexes ) apply to the Processing of Customer Data by Customer and/or iChiba (as applicable), the terms of that applicable Local Law Annex will apply to iChiba’s Processing of such Customer Data. If there is any conflict between the terms set forth in the DPA's Standard Terms and Conditions and the terms set forth in the Local Law Annexes incorporated herein, the terms of the Local Law Annexes shall prevail.
3. Conditions of Processing
3.1 This DPA, including the Local Law Annexes, governs the terms under which iChiba Global shall Process Customer Data in connection with its provision of the Services. The specific details of such Customer Data and Processing are further described in Exhibit B ( Processing Details ).
4. Customer obligations
4.1 Customer represents, warrants and undertakes that it has at all times complied and shall continue to comply with Data Protection Laws in respect of the Customer Data Processed in connection with the Agreement. In particular, it has served any necessary notices and obtained any necessary consents, or established legitimate grounds to disclose to, and/or permit the collection of Customer Data by, iChiba to enable the Processing of the Customer Data by iChiba for its provision of Services to Customer as set out in this DPA and as envisaged by the Agreement.
4.2 Customer shall at its own cost:
4.2.1 at all times ensure the accuracy, quality, completeness and legality of the Customer Data that is Processed by iChiba during the Term of the Agreement; and
4.2.2 maintain and keep up-to-date relevant records to demonstrate its compliance with Data Protection Laws, and provide iChiba Global with a copy of such records when requested by iChiba.
4.3 Without prejudice to any other provision in this DPA, Customer shall not do anything or omit to do anything that will cause iChiba to be in breach of any provision or requirement of any Data Protection Laws including regulations issued thereunder, whether now or in the future.
5. IChiba Global Obligations
5.1 IChiba shall only Process Customer Data in accordance with and for the purposes of performing the Services and its obligations as set out under this DPA and as envisaged by the Agreement and/or for diagnostics, security and improvement of the Services.
5.2 IChiba shall comply with Data Protection Laws including any such laws applicable to Relevant Data Transfers when performing its obligations under the Agreement (including this DPA).
5.3 IChiba Global shall, unless prohibited by Applicable Laws, notify Customer about any binding request for disclosure of Customer Data by a Regulator, government agency, or law enforcement authority.
5.4 IChiba shall implement appropriate technical and organisational measures to protect the Customer Data against accidental, unauthorised or unlawful processing, loss, alteration, destruction, disclosure or damage.
5.5 Upon becoming aware of a Personal Data Breach affecting Customer Data, unless specifically prohibited under Applicable Laws or any Regulator, iChiba Global will, without undue delay, notify Customer in writing of the Personal Data Breach.
5.6 IChiba will, taking into account the nature of the Processing, provide technical and organizational measures, insofar as this is possible, to assist the Customer to fulfill its obligations to respond to requests for the exercise of rights by a Data Subject.
5.7 The liability of iChiba under or for a breach of any of the obligations set forth in this DPA shall not exceed the liability cap as set out in the Agreement.
5.8 IChiba shall, upon written request from the Customer, provide the Customer with the most recent certifications and/or corresponding summary audit report(s) to demonstrate compliance with the obligations detailed in this DPA. If further information is needed by Customer to comply with its own audit obligations or a competent Regulator's request, Customer will inform iChiba in writing to enable iChiba to provide such information or to grant access to it.
5.9 To the extent that the information provided in accordance with paragraph 5.8 above is insufficient to satisfy an audit right mandated by applicable law or expressly agreed by the Parties , iChiba shall permit Customer upon thirty (30) days' written notice, to procure an independent third-party auditor chosen by the Customer, on the condition that such auditor shall be bound to an obligation of confidentiality required by ịChiba, to audit iChiba's compliance with iChiba's obligations under this DPA. Such audits shall (i) be at Customer's cost; (ii) be conducted between 9am-5pm on business days (excluding, for the avoidance of doubt, weekends and public holidays); (iii) not be conducted by any competitor of iChiba; (iv) not interfere with iChiba's day-to-day business; and (v) to the extent an inspection is required, be limited to an inspection of iChiba's processing facilities for providing the Service .
6. Sub-processing
6.1 Customer hereby grants iChiba general written authorisation to engage sub-processors for the Processing of Customer Data under the Agreement. Customer hereby authorises iChiba's engagement of the sub-processors listed in Exhibit D and Ichiba Affiliates ( iChiba Sub-Processors ) provided that: (i) iChiba agrees to provide at least seven (7) days' prior notice of the addition or removal of any sub-processor (including details of the processing it performs or will perform) through updating the list of such sub-processors at https://docs.ichiba.net/en/legal/docs/data-processing-addendum; and (ii) iChiba imposes data protection terms on any sub-processor it appoints that require it to protect the Customer Data to the standard required by Data Protection Laws.
6.2 In the event that IChiba engages a sub-processor for carrying out specific Processing activities on behalf of Customer, where that sub-processor fails to fulfil its obligations, iChiba shall remain fully liable under the Data Protection Laws to Customer for the performance of that sub-processor's obligations.
7. Indemnity
7.1 Each Party shall, on demand, defend, indemnify and keep indemnified the other Party and its Affiliates and sub-processors and all of their respective directors, officers, employees, contractors, stockholders, agents and representatives (the " Indemnified Parties "), during the Term and thereafter during any limitation period allowed under Applicable Law from and against any of the following and hold harmless the Indemnified Parties in respect of: any settlement amounts or amounts (including interest) awarded by a court or tribunal of competent jurisdiction or arbitrator to a third party, costs of investigation, litigation, settlement and external legal fees (on a solicitor-client basis), disbursements, administrative costs directly incurred by the Indemnified Parties in respect of a claim; and any other costs, losses or damages suffered by the Indemnified Parties to the extent the same are assessed against, or incurred by the Indemnified Parties in respect of the following:
7.1.1 any breach by the other Party of its respective obligations under this DPA; and/or
7.1.2 any action or omission by the other Party or (in the case of the Customer) its Authorized Users that causes the Indemnified Parties to be in breach of any Data Protection Laws.
8. Termination
8.1 This DPA will remain in force for the Term of the Agreement or for so long as iChiba Processes Customer Data, whichever term is longer.
8.2 Following termination of the Agreement or after the end of the provision of any Services under the Agreement, whichever is later, Customer shall be responsible for exporting any Customer Data it wishes to retain from the Services within 30 days. Notwithstanding the foregoing, Customer hereby instructs iChiba to delete any Customer Data from its systems following the expiry of 60 days (unless Data Protection Laws requires the Customer Data to be retained by iChiba beyond this period) following the termination of the Agreement or the end of the provision of any Services under the Agreement (whichever is later).
9. Governing Law and Jurisdiction
This DPA and any dispute or claim in connection with it shall be governed by and be construed in accordance with the laws as set out in the Customer Agreement. Each Party hereby submits to the jurisdiction of the dispute resolution venue(s) as set out in the Customer Agreement.