2.1. Scope and Purpose of Processing. This DPA applies only where and to the extent Data Protection Legislation governs Autom Mate’s Processing of Customer Personal Data on behalf of Customer in the course of providing the Solution pursuant to the Agreement, including Autom Mate’s Processing of Customer Personal Data for the nature, purposes, and duration set forth in Appendix I. Autom Mate will not collect, use, disclose, release, disseminate, transfer, or otherwise communicate or make available to a third-party Customer Personal Data except to provide the Solution or as expressly
permitted by the Agreement or this DPA.
2.2. Processor and Controller Responsibilities. The parties acknowledge and agree that: (a) Autom Mate is a Processor of Customer Personal Data under the Data Protection Legislation; (b) Customer is a Controller or Processor, as applicable, of Customer Personal Data under the Data Protection Legislation; and (c) each party will comply with the obligations applicable to it under the Data Protection Legislation regarding the Processing of Customer Personal Data.
2.3. Authorization by Third-Party Controller. If Customer is a Processor, Customer warrants to Autom Mate that Customer’s instructions and actions with respect to Customer Personal Data, including its appointment of Autom Mate as another Processor, have been authorized by the relevant Controller.
2.4. Customer Instructions. Customer instructs Autom Mate to Process Customer Personal Data: (a) in accordance with the Agreement, this DPA, any applicable order, and Customer’s use of the Solution; and (b) to comply with other reasonable instructions provided by Customer or a user where such instructions are consistent with the terms of the Agreement. Customer will ensure that its instructions for the Processing of Customer Personal Data comply with the Data Protection Legislation. Customer has sole responsibility for the accuracy, quality, and legality of Customer Personal Data and the means by which Customer obtained the Customer Personal Data. Customer will disclose Customer Personal Data to Autom Mate solely pursuant to a valid business purpose.
2.5. Autom Mate’s Compliance with Customer Instructions. Autom Mate will only Process Customer Personal Data in accordance with Customer’s instructions and will treat Customer Personal Data as Confidential Information. Autom Mate may Process Customer Personal Data other than on the written instructions of Customer if it is required under applicable law to which Autom Mate is subject. In this situation, Autom Mate will inform Customer of such requirement before Autom Mate Processes the Customer Personal Data unless prohibited by applicable law.
2.6. Assistance with Customer’s Obligations. Customer may request Autom Mate to, correct, amend, restrict, block or delete Customer Personal Data contained in the Solution. Autom Mate will promptly comply with reasonable requests by Customer to assist with such actions to the extent Autom Mate is legally permitted and able to do so. Autom Mate may charge a reasonable fee for any assistance not strictly required by Data Protection Legislation.
2.7. Notification Obligations. Autom Mate will, to the extent legally permitted, promptly notify Customer if it receives a request from a Data Subject for access to, correction, amendment, deletion of or objection to the Processing of Customer Personal Data relating to such individual. Autom Mate will forward such Data Subject request relating to Customer Personal Data to Customer and Customer will be responsible for responding to any such request. Autom Mate will provide Customer with commercially reasonable cooperation and assistance in relation to handling of a Data Subject request, to the extent legally permitted and to the extent Customer does not have access to such Customer Personal Data through its use or receipt of the Solution.
2.8. General Authorization for Subprocessors. Customer generally authorizes the use of subprocessors to process Customer Personal Data in connection with fulfilling Autom Mate’s obligations under the Agreement and/or this DPA and explicitly approves the list of subprocessors located at https://www.autommate.com/privacy-policy/.
2.9. New Subprocessors. When Autom Mate engages a new subprocessor to Process Customer Personal Data, Autom Mate will, at least thirty (30) days before the new subprocessor Processes any Customer Personal Data, notify Customer and give Customer the opportunity to object to such subprocessor. If Customer has reasonable grounds to object to Autom Mate’s change in subprocessors related to data protection concerns, Customer shall notify Autom Mate promptly within no more than thirty (30) days after receipt of Autom Mate’s notice. Autom Mate will use reasonable efforts find an acceptable, reasonable, alternate solution; otherwise, Customer may suspend or terminate the Solution. If Customer terminates, Autom Mate will promptly refund any fees paid in advance by Customer to Autom Mate pro rata.
2.10. Autom Mate Obligations. Autom Mate will remain liable for the acts and omissions of its subprocessors to the same extent Autom Mate would be liable if performing the service provided by the subprocessor directly. Autom Mate will contractually impose data protection obligations on its subprocessors that are at least equivalent to those data protection obligations imposed on Autom Mate under this DPA.
2.11. Audit Rights. Upon Customer’s written request by email to [email protected] no more than once per year, Autom Mate will provide a copy of any recent third-party audits or certifications, as applicable, or any summaries thereof, such that Customer may reasonably verify Autom Mate’s compliance with the technical and organizational measures required under this DPA. Where required by the applicable Data Protection Legislation, Autom Mate will allow Customer or a mutually agreed upon independent auditor appointed by Customer to conduct an audit (including inspection), no more than once per year upon eight weeks’ notice sent to [email protected] complete with a detailed audit plan describing the proposed scope, duration, and start date of the audit. Autom Mate will contribute to such audits whose sole purpose will be to verify Autom Mate’s compliance with its obligations under this DPA. The auditor must execute a written confidentiality agreement reasonably acceptable to Autom Mate before conducting the audit. The audit must be conducted during Autom Mate’s normal business hours, subject to Autom Mate’s policies, and may not unreasonably interfere with Autom Mate’s business activities. Any audits are at Customer’s sole cost and expense.
2.12. Separate Service. Any request for Autom Mate to provide assistance with an audit is considered a separate service if such audit assistance requires the use of resources different from or in addition to those required by law. Customer will reimburse Autom Mate for any time spent for such separate services for any such audit at rates mutually agreed to by the parties, taking into account the resources expended by Autom Mate. Customer will promptly notify Autom Mate with
2.13. Limits on Auditing Party. Nothing in this DPA will require Autom Mate to disclose to an independent auditor or Customer, or to allow an independent auditor or Customer to access: (a) any data of any other user or customer of Autom Mate; (b) Autom Mate’s internal accounting or financial information; (c) any trade secret of Autom Mate; (d) any premises or equipment not controlled by Autom Mate; or (e) any information that, in Autom Mate’s reasonable opinion, could: (i) compromise the security of Autom Mate’s systems or premises; (ii) cause Autom Mate to breach its obligations under Data Protection Legislation or the rights of any third-party; or (iii) any information that an independent auditor seeks to access for any reason other than the good faith fulfilment of Customer’s rights under the Data Protection
Legislation. Customer will contractually impose, and designate Autom Mate as a third-party beneficiary of, any contractual terms that prohibit any independent auditor from disclosing the existence, nature, or results of any audit to any party other than Customer unless such disclosure is required by applicable law.