Updated September 03, 2020
This Data Processing Addendum (“DPA”) is incorporated into and forms a part of the agreement between Oyster HR, Inc. (“Oyster”) and Customer Company that governs Customer Company’s access to and use of Oyster’s Services (“Agreement”). All capitalized terms that are not expressly defined in this DPA will have the meanings given to them in the Agreement.
In this DPA, the following terms (and derivations thereof) have the meanings set out below:
“Controller” means the individual or entity that determines the purposes and means of the Processing of Personal Data.
“Customer Company Personal Data” means Personal Data pertaining to Customer’s users, employees, or Colleagues Processed by Oyster. The Customer Company Personal Data and the specific uses of the Customer Company Personal Data are detailed in Exhibit 1 attached hereto, as required by the GDPR.
“Data Protection Laws” means, to the extent applicable to a Party, the data protection or privacy laws of any country regarding the Processing of Customer Company Personal Data.
“Personal Data” shall have the meaning assigned to the terms “personal data” or “personal information” under applicable Data Protection Law(s).
“Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction or disclosure by transmission, dissemination or otherwise making available.
“Processor” means the individual or entity that Processes Customer Company Personal Data on behalf of Controller subject to this addendum.
“Security Incident(s)” means the breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Company Personal Data Processed by Oyster.
“Services” means any and all services or applications provided or controlled by Oyster.
“Third Party(ies)” means Oyster’s authorized contractors, agents, vendors and third party service providers that Process Customer Company Personal Data.
“Subprocessor” means any individual or entity (including any third party but excluding Oyster Personnel) appointed by or on behalf of Oyster to Process Customer Company Personal Data in connection with the Agreement.
“Supervisory Authority” means an independent competent public authority established or recognized under Data Protection Laws.
“User” means any individual authorized or invited by Customer Company or another User to access and use the online Services under the terms of the Agreement.
Customer Company and Oyster agree that, as between the Parties, Customer Company is a Controller and Oyster is a Processor of Customer Company and User’s Personal Data, and that each Party is solely responsible for its compliance with Data Protection Laws applicable to it and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities.
Customer Company as Controller. Customer Company is solely responsible for the accuracy of and the legality of the means by which Customer Company acquires and transfers Personal Data. The Customer will ensure that it has all necessary appropriate consents and notices in place to enable lawful transfer of the Personal Data to Oyster or lawful collection of the Personal Data by the Provider on behalf of the Customer for the duration and purposes of this agreement.
Oyster will ensure that Oyster Personnel:
Oyster will not disclose Customer Company Personal Data to a third party for monetary or other consideration except as otherwise permitted under this DPA or the Agreement.
Oyster agrees to provide reasonable assistance at Customer’s expense where, in the Customer’s judgment, a data protection impact assessment and/or consultation with Supervisory Authorities is necessary.
Oyster will implement and maintain technical, physical, and organizational measures and controls designed to protect and secure Customer Company Personal Data. Such measures shall be designed to include:
Customer Company acknowledges that, through its Users, Customer Company: (a) controls the type and substance of Customer Company Personal Data; and (b) sets User permissions to access Customer Company Personal Data; and therefore, Customer Company is responsible for reviewing and evaluating whether the documented functionality of an online Service meets Customer Company’s required security obligations relating to Customer Company Personal Data under Data Protection Laws.
Oyster will investigate and, as necessary, mitigate or remediate a Security Incident in accordance with Oyster’s security incident policies and procedures.
Oyster agrees to provide prompt written notice without undue delay and within the time frame required under Applicable Data Protection Law(s) to Customer Company upon becoming aware that a Security Incident has taken place. Such notice will include all available details required under applicable Data Protection Law(s) for Customer Company to comply with its own notification obligations to regulatory authorities or individuals affected by the Security Incident.
In the course of providing the Services, you authorize Oyster to use Third Parties to Process the Personal Data, and additionally, you authorize the Third Parties to engage Subprocessors to Process the Personal Data. Oyster’s use of any specific Third Party or Subprocessor to process the Personal Data must be in compliance with Data Protection Legislation and must be governed by a contract between Oyster and Third Party (and their Subprocessors) that requires comparable protections to this Data Processing Addendum.
Oyster will provide upon written request a copy of Oyster’s agreements with Third Parties that Process your Personal Data. Please note all terms unrelated to the Standard Contractual Clauses will be stricken. If after review, you object to the appointment of a particular Third Party (or Subprocessor), you may terminate this agreement in accordance with our Terms of Service, if applicable.
Oyster will provide Customer Company access to Customer Company Personal Data via the online Services to allow Customer Company to respond to Data Subject requests relating to Customer Company Personal Data.
To the extent needed, Oyster agrees to provide reasonable assistance to Customer related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Laws. At Customer’s request and without undue delay, Oyster agrees to assist Customer in answering or complying with any request in so far as it is possible.
Should Oyster receive a request directly from a Data Subject relating to Customer Company Personal Data, Oyster will notify Customer Company in writing without undue delay.
Oyster will not store or retain any Customer Personal Data except as necessary to perform the Services under the Assignment Agreement. You understand and agree that as of the Effective Date, Oyster stores Personal Data in the following countries to which you hereby consent: United States; and United Kingdom.
At the termination of the Assignment Agreement and the expiration of any required retention period, Oyster will securely destroy or remove identifying data from all copies of Customer Personal Data (including automatically created archival copies). Upon Customer’s request, Oyster will provide Customer a “Certificate of Deletion.”
Right to Audit. Oyster shall make available to Customer and its regulators all information necessary to demonstrate compliance with Applicable Data Protection Laws and this Addendum. Customer and its regulators shall have the right to inspect Oyster’s architecture, systems, and documentation which are relevant to the security and integrity of Customer Company Personal Data, or as otherwise required by a governmental regulator.
Customer Company Initiated Audit. Oyster will allow for and cooperate with a Customer Company initiated audit by a third party auditor in relation to Oyster’s Processing of Customer Company Personal Data (“Customer Company Audit”), provided that:
Audit Results. After conducting an audit, Customer Company shall provide Oyster the complete audit report. To the extent the report identifies areas where Oyster does not comply with any of the applicable security, confidentiality or privacy obligations or Applicable Data Protection Laws herein, Oyster shall make any necessary changes to ensure compliance with such obligations at its own expense and without unreasonable delay and shall notify Customer Company when such changes are complete.
Cross-Border Transfers of Personal Data. Customer authorizes Oyster and its Third Parties to transfer Customer Company Personal Data across international borders, including from the European Economic Area to the United States. Any cross-border transfer of Customer Company Personal Data must be supported by an approved adequacy mechanism.
Standard Contractual Clauses. Oyster and Customer Company will use the European Commission Decision C(2010)593 Standard Contractual Clauses for Controllers to Processors (“Model Clauses”) as the adequacy mechanism supporting the transfer and Processing of Customer Personal Data, the terms of which are herein incorporated by reference and made part hereto.
For the purposes of Model Clauses 5(h),(j), and 11, Company agrees that Oyster may engage new Third Parties in accordance with Section(s) 3(c) – 3(e) of this Addendum. The Parties agree that the Illustrative Clause (Optional) is expressly not included in the Model Clauses.
For the purposes of Model Clauses 5(f) and 12(2) of the Model Clauses, the Audit Rights Section of this DPA satisfies Oyster’s obligations;
For the purposes of Model Clause 12(1), Oyster will provide certification of deletion only upon Customer Company’s written request;
For the purposes of Appendix 1 to the Model Clauses, the “data exporter” is Customer, the “data importer” is Oyster, and the information required by Appendix 1 can be found in Annex 1.
For the purposes of Appendix 2 to the Model Clauses, the technical and organizational measures set forth in the DPA will meet the requirements of that Appendix.
Each party’s signature to the Assignment Agreement which incorporates this Addendum by reference shall be considered a signature to the Model Clauses. If required by the laws or regulatory procedures of any jurisdiction, the Parties shall execute or re-execute the Model Clauses as separate documents.
Duration and Survival. This Addendum will become legally binding upon the Effective Date of the Assignment Agreement. Oyster’s obligations and Customer’s rights under this Addendum will continue in effect so long as Oyster Processes Customer Personal Data. Oyster will Process Customer Personal Data until the relationship terminates as specified in the Assignment Agreement.
Construction. In the event of any conflict between this DPA and any other written agreement between the Parties, this DPA will govern and control. Any data processing agreements that may already exist between Parties are superseded and replaced by this DPA in their entirety. Unless otherwise expressly stated herein, this DPA may be modified only by a written agreement executed by an authorized representative of each Party. The waiver of any breach of this DPA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.
Enforcement. Regardless of whether Customer Company or its affiliate(s) or a third-party is a Controller of Customer Company Personal Data, unless otherwise required by law: (a) only Customer Company will have any right to enforce any of the terms of this DPA against Oyster; and (b) Oyster’s obligations under this DPA, including any applicable notifications, will be to only Customer Company.
Liability. As between the Parties to this DPA, each Party’s liability and remedies under this DPA are subject to the aggregate liability limitations and damages exclusions set forth in the Agreement.
Variations in Data Protection Laws. If any variation is required to this DPA as a result of a change in or subsequently applicable Data Protection Law, then either Party may provide written notice to the other Party of that change in law. The Parties will then discuss and negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and Oyster’s business operations.
Reservation of Rights. Notwithstanding anything to the contrary in this DPA: (a) Oyster reserves the right to withhold information the disclosure of which would pose a security risk to Oyster or its Customer Companies or is prohibited by applicable law or contractual obligation; and (b) Oyster’s notifications, responses, or provision of information or cooperation under this DPA are not an acknowledgement by Oyster of any fault or liability.
Date: ______________________ Signature: ____________________________________________
Subject Matter of Processing
Services pursuant to the Assignment Agreement.
Nature and Purpose of Processing
Processing employment and payroll related data provided or uploaded by Customer to Oyster’s employment management SaaS application, in order for Oyster to perform the Services pursuant to the Placement Agreement.
Duration of Processing
Processing will continue until the expiration or termination of the Agreement.
Categories of Data Subjects
Types of Personal Information
For any questions contact: firstname.lastname@example.org.