Data Processing Agreement
This Version is Effective May 25, 2018
This Data Processing Agreement ("DPA") forms part of the agreement between Timesheets.com and customer ("Customer") for the purchase of Timesheets.com Services (as described at https://www.timesheets.com) (the "Services") and related technical support to Customer (as amended from time to time) (the "Agreement"). This DPA reflects the parties' agreement with respect to the terms governing Timesheets.com's processing and security of Timesheets.com Customer Data. For any other data from or about Customer or its users, Timesheets.com shall be a controller, and this DPA shall not apply.
How this DPA applies.
- If the Customer entity that is agreeing to this DPA is a party to the Agreement between Customer and Timesheets.com, this DPA is an addendum to and forms part of the Agreement.
- This DPA is not legally binding or valid for any person who is not a customer of Timesheets.com or who is not a party to the Agreement between Customer and Timesheets.com.
- This DPA shall not replace any additional or comparable rights relating to the processing of Customer Data in the Agreement.
- In the event of any discrepancies between the terms of this DPA and the Agreement with respect to the processing of Customer Data, this DPA shall control.
1. Definitions and Interpretation
1.1. Definitions: In this DPA, the following terms shall have the following meanings:
- "controller", "processor", "data subject", "personal data (also referred to as Personal Information in the Agreement)" and "processing" (and "process") shall have the meanings given in Applicable Data Protection Law.
- "Applicable Data Protection Law" means
- on and after 25 May 2018, Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "GDPR") and
- any and all applicable national data protection laws made under or pursuant to (i); in each case as may be amended or superseded from time to time.
- "Account Data" means the Personal Data collected in connection with account-related data provided by you to Timesheets.com during the purchase, sign up, billing, or support of your account. Account Data includes contact information for Administrators, product feedback and surveys, information collected in connection with our events, training sessions, webinars, sales and marketing purposes, and de-identified technical data used for support and product maintenance.
- "Customer" means the customer entity that entered into the Agreement with Timesheets.com for Timesheets.com Service.
- "Customer Data" means the Personal Data (also referred to as Personal Information in the Agreement) contained in:
- any data you upload or input into the Service, and
- data generated or collected in the course of your configuration or use of the Service. Customer Data does not include Account Data.
- "Timesheets.com" means Timesheets.com or any other entity that directly or indirectly controls, is controlled by, or is under common control with Timesheets.com.
- "Privacy Shield" means the EU-US-UK Privacy Shield self-certification program operated by the U.S. Department of Commerce and approved by the European Commission pursuant to Decision C (2016)4176 of July 12, 2016.
- "Security Incident" means "Personal Data Breach" as defined under the GDPR.
- "Sub-processor" means any third-party Processors engaged directly by Timesheets.com to assist with Timesheets.com's processing of Customer Data.
1.2. Capitalized terms used but not defined in this DPA shall have the meanings given in the Agreement.
2. Data Protection
2.1. Relationship of the parties: Customer (the controller) appoints Timesheets.com as a processor to process the Customer Data on Customer's behalf. Timesheets.com shall be the controller of Account Data. Account Data will be handled in accordance with our Data Privacy Statement: https://www.timesheets.com/privacy. Each party shall comply with the obligations that apply to it under Applicable Data Protection Law
2.2. Purpose limitation: Timesheets.com shall process the Customer Data as a processor only as necessary to perform its obligations under the Agreement and strictly in accordance with the documented instructions of Customer (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State or the UK) law applicable to Customer. In no event shall Timesheets.com process the Customer Data for its own purposes or those of any third party, save that Timesheets.com may de-identify and aggregate Customer Data ("Aggregated Data") and may process Aggregated Data to maintain and improve Timesheets.com's products and services.
2.3. International transfers: Timesheets.com shall not transfer the Customer Data (nor allow the Customer Data to be transferred) outside of the European Economic Area ("EEA") or the UK unless
- it has first obtained Customer's prior consent; or
- it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Customer Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorization in accordance with Applicable Data Protection Law, to a recipient in the United States that has certified its compliance with the EU-US-UK Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
2.4. Confidentiality of processing: Timesheets.com shall ensure that any person that it authorizes to process the Customer Data (including Timesheets.com's staff, agents and subcontractors) (an "Authorized Person") shall be subject to a strict duty of confidentiality (whether a duty under internal policy, contractual duty or a statutory duty), and shall not permit any person to process the Customer Data who is not under such a duty of confidentiality. Timesheets.com shall ensure that all Authorized Persons process the Customer Data only as necessary for the Permitted Purpose.
2.5. Security: Timesheets.com shall implement appropriate technical and organizational measures to protect the Customer Data from a Security Incident. Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures shall include, as appropriate:
- the pseudonymization or encryption of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
- a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
For more information about our technical and organizational measures to protect the Data from a Security Incident please see:
2.6. Sub-processing: Customer consents to Timesheets.com engaging third-party sub-processors to process the Customer Data provided that:
- Timesheets.com provides notice of the addition or removal of any sub-processor (including details of the processing it performs or will perform), which may be given by posting details of such addition or removal which can be found in your Timesheets.com account under "My Account".
- Timesheets.com imposes data protection terms on any sub-processor it appoints that are consistent with the terms of this DPA; and
- Timesheets.com remains fully liable for any breach of this Clause that is caused by an act, error or omission of its sub-processor that is acting on its behalf under this DPA. Timesheets.com shall maintain and provide updated copies of this list which can be found in your Timesheets.com account under "My Account".
If Customer refuses to consent to Timesheets.com's appointment of a third-party sub-processor relating to the protection of the Customer Data, Customer may elect to suspend or terminate the Agreement, including this DPA, subject to all fees and payment due for services rendered and with the right to maintain all funds previously paid to Timesheets.com.
2.7. Cooperation and data subjects' rights:
2.7.1. During the Term, Timesheets.com shall, in a manner consistent with the functionality of the Services and taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to:
- any request from a data subject to exercise any of its rights under GDPR (including its rights of access, deletion, restriction, correction, objection, erasure and data portability, as applicable); and
- any other correspondence, inquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data as required under the GDPR.
2.7.2. If Timesheets.com receives any requests from a data subject related to Customer Personal Data, Timesheets.com shall advise the data subject to provide such request directly to the Customer and Customer shall be responsible for responding to such request.
2.8. Data Protection Impact Assessment: Upon Customer's written request and to the extent that Customer does not otherwise have access to the relevant information and the information is available to Timesheets.com, Timesheets.com shall provide Customer with reasonable assistance required to fulfill the Customers obligations under the GDPR to carry out a data protection impact assessment related to Customer's use of the Service. To the extent necessary, Timesheets.com shall provide reasonable assistance, to the Customer in the consultation with its relevant data protection authority.
2.9. Security incidents:
2.9.1. If Timesheets.com becomes aware of an actual Security Incident that involves Customer Data, Timesheets.com will:
- notify Customer of the Security Incident without undue delay;
- take appropriate steps to identify the cause of the Security Incident and minimize harm and secure the Customer Data, to the extent remediation is within Timesheets.com's reasonable control; and
- provide Customer with information, subject to our privacy and data security policies, confidentiality and legal requirements, as may be reasonably necessary to assist Customer with its notification and reporting responsibilities. Timesheets.com will not assess the contents of the Customer Data to identify any specific reporting or other legal obligations that are applicable to the Customer. Any and all regulatory and/or data subject reporting obligations related to the Security Incident are the sole responsibility of the Customer.
2.9.2. Timesheets.com's notification of or response to a Security Incident under this DPA will not be construed as an acknowledgement by Timesheets.com of any liability, responsibility, or fault with respect to the Security Incident.
2.9.3. Notification(s) of any Security Incident(s) by Timesheets.com shall be delivered to the notification email or address provided in the Agreement or, at Timesheets.com's discretion, by phone or in-person meeting. Customer is solely responsible for ensuring that the notification contact details (e.g., phone and email) are valid and accurate.
2.10. Deletion or return of Data: At Customer's election, Timesheets.com shall return or destroy all Customer Data in its possession or control (including in the possession of any Sub-processor) in accordance with Timesheets.com's data retention and destruction procedures and timeframes unless otherwise agreed with Customer. This requirement shall not apply:
- to the extent that Timesheets.com is required by any EU (or any EU Member State or the UK) law to retain some or all of the Data, in which event Timesheets.com shall isolate and protect Customer Data from any further processing except to the extent required by such law or
- to any data stored on back-ups such data will be destroyed in accordance with our standard destruction policies for back-up data due to the cost and technical difficult of deleting back-ups.
2.11. Audit: Timesheets.com shall respond to any written audit questions related to Timesheets.com's security practices that submitted to it by Customer, provided that Customer shall not exercise this right more than once per year.
2.12. Biometric Data. Certain parts of the Service may make use of biometric personal information ("Biometric Data"), such as photographs collected through the Service. Biometric Data can be subject to additional laws and regulations. Accordingly, in connection with the collection, retention, and use of Biometric Data, you agree that:
2.12.1. Customer is the Controller of any Biometric Data collected through the Service. Customer agrees to provide appropriate notice and obtain all consents and rights necessary for Timesheets.com to Process the Biometric Data on Customer’s behalf. Customer recognizes and agrees that there are various laws that specifically govern the collection, use, and retention of Biometric Data, and understands that it is Customer’s responsibility to comply with all applicable laws. From time to time, Timesheets.com may provide reasonable assistance to Customer with certain obligations, when applicable, such as reasonable assistance in responding to data subject requests and in providing relevant consent and disclosure language. Concerning assistance with consent and disclosure language, Customer agrees that any such assistance does not constitute legal advice, that it is for informational purposes only, and that it is Customer’s ultimate responsibility to ensure compliance with all applicable law.
2.12.2. Customer agrees to adopt a retention and destruction schedule applicable to Biometric Data and will make such schedule available to users of the Service.
2.12.3. Customer will use Biometric Data through the Service exclusively for identity verification and authentication purposes only. Any other use shall constitute a breach of this Agreement.
3. Privacy Shield
3.1. Timesheets.com will provide at least the same level of protection for the Data as is required under the Privacy Shield and shall promptly notify Customer if it makes a determination that it can no longer provide this level of protection. In such event, or if Customer otherwise reasonably believes that Timesheets.com is not protecting the Data to the standard required under the Privacy Shield, Customer may either:
- instruct Timesheets.com to take reasonable and appropriate steps to stop and remediate any unauthorized processing, in which event Timesheets.com shall promptly cooperate with Customer in good faith to identify, agree and implement such steps; or
- terminate this DPA and the Agreement without penalty by giving notice to Timesheets.com.
3.2. Timesheets.com acknowledges that Customer may disclose this Agreement and any relevant privacy provisions in the Agreement to the US Department of Commerce, the Federal Trade Commission, European data protection authority, or any other US, UK, or EU judicial or regulatory body upon their request and that any such disclosure shall not be deemed a breach of confidentiality.
3.3. Legal Disclosures: If Timesheets.com reasonably believes it is required by a subpoena, court order, agency action, or any other legal or regulatory requirement, to disclose any Customer Data, it will provide Customer with notice and a copy of the demand as soon as practicable, unless it is prohibited from doing so pursuant to applicable law or regulation.
4.1. This version of the DPA will go into effect on May 25, 2018.
4.2. This DPA, including the terms of the underlying Agreement, is the entire agreement between you and Timesheets.com and replaces all prior understandings, communications and agreements, oral or written, regarding its subject matter. If any court of law, having jurisdiction, rules that any part of this DPA is invalid, that section will be removed without affecting the remainder of the DPA. The remaining terms will be valid and enforceable.