This Truewind Data Processing Agreement (this “DPA”) is entered into as of the Effective Date by and between “Truewind” and “Customer” (each is a “Party”, together they are the “Parties”). This DPA shall apply where the provision of Services by Truewind to the Customer involves the processing of Personal Data which is subject to Data Protection Laws and Truewind acts as Processor on behalf of the Customer as the Controller. In the event of conflict between this DPA and the Agreement, this DPA shall control with respect to its subject matter.
Terms not defined herein have the meanings set forth in the Agreement. The following words in this DPA have the following meanings:
1.1 Agreement: the agreement executed between the Parties in relation to the Services.
1.2 Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Truewind on behalf of the Customer.
1.3 DPA: this data processing agreement, including its recitals and Schedules as amended or updated from time to time.
1.4 Data Protection Laws: any data protection and privacy laws to which a party to the Agreement is subject and which are applicable to the Services, including where applicable, but not limited to, GDPR, UK GDPR and the Brazilian General Data Protection Law 13,709/2018, as well as any secondary national Laws adopted (all as amended, updated, replaced or re-enacted from time to time).
1.5 Employees: the employees and other persons engaged by Truewind for the performance of the Customer Agreement.
1.6 Personal Data: any data relating to an identified or identifiable living natural person, Processed by Truewind or its subcontractors on behalf of the Customer pursuant to the Agreement.
1.7 Schedule: an attachment to the DPA.
1.8 Services: the services to be performed by Truewind under the Agreement.
1.9 Standard Contractual Clauses: Standard Contractual Clauses annexed to the Commission Decision 2010/87/EU of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, as may be amended or replaced from time to time.
1.10 Controller, Data Subject, Processor, Processing and Supervisory Authority shall have the meanings prescribed to them by the Data Protection Laws and Processed and Process shall be construed accordingly.
2. Processing of the Personal Data
2.1 Truewind may process Personal Data under the Agreement as a Processor acting on behalf of the Customer as the Controller.
2.2 Details of the subject matter of the Processing, its duration, nature and purpose, type of Personal Data and categories of data subjects are as specified in Schedule A to this DPA.
2.3 Truewind shall only Process the Personal Data on behalf of the Customer, in accordance with the Customer’s documented instructions and the applicable Data Protection Laws, including with regard to transfers of Personal Data to a country outside of the European Economic Area. Customer agrees that this DPA, Schedule A, the Agreement and any subsequent Orders, Change Orders, or statements of work and any configurations by Customer or its authorized users, comprise Customer’s complete instructions to Truewind regarding the Processing of Personal Data. Any additional or alternate instructions, including the costs (if any) associated with complying with such instructions, must be agreed between the Parties in writing by the duly authorized representatives of both Parties.
2.4 Truewind is not responsible for determining if Customer’s instructions are compliant with applicable law. However, if Truewind is of the opinion that a Customer instruction infringes applicable Data Protection Laws, Truewind shall notify Customer as soon as reasonably practicable and shall not be required to comply with such infringing instruction.
2.5 Customer and Truewind agree to comply with their respective obligations under Data Protection Laws applicable to the Personal Data that is processed in connection with the Services. The Customer has sole responsibility for complying with Data Protection Laws regarding the lawfulness of the Processing of Personal Data prior to disclosing, transferring, or otherwise making available, any Personal Data to Truewind.
2.6 Truewind shall ensure that persons authorized to access the Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.1 Truewind may use Sub-processors with the Customer’s general consent. Customer agrees that Truewind may appoint and use Sub-processors to process the Personal Data in connection with the Services provided that Truewind puts in place a contract in writing with each Sub-processor that imposes obligations that are: (i) relevant to the services to be provided by the Sub-processors and (ii) materially similar to the rights and/or obligations imposed on Truewind under this DPA. Sub-processors may include third parties or any member of the Truewind group of companies. Truewind may continue to use those Sub-processors already engaged by Truewind as of the date of this DPA, and a list of such Sub-processors is available in Schedule B attached hereunder. Where a Sub-processor fails to fulfil its data protection obligations as specified above, Truewind shall be liable to the Customer for the performance of the Sub-processor’s obligations.
3.2 Truewind shall notify the Customer of any changes to its list of Subprocessors. If Customer legitimately objects to the addition or removal of a Subprocessor on data protection grounds and Truewind cannot reasonably accommodate Customer’s objection, the parties will discuss Customer’s concerns in good faith with a view to resolving the matter.
4. Security Measures
4.1 Truewind uses appropriate technical and organizational security measures to ensure a level of security appropriate to the risk and to protect the data supplied by the Customer and managed by us against loss, unauthorized access, disclosure, alteration, and destruction and against other forms of unlawful or abusive treatment. The ways Truewind does this include, but are not limited to:
a) Using encryption methods, such as VPN IPsec and Secure Sockets Layer (SSL).
b) Using secure data networks, with restricted physical and logical access to servers and equipment located in controlled facilities (protected by firewalls and intrusion detection systems, IDS and IPS).
c) Recording of all login activity.
d) Using role-based access controls (RBAC).
e) Limiting physical access to our facilities.
f) Ensuring that Truewind business partners have appropriate technical and organizational security measures to keep personal data protected.
4.2 Where the Customer requires additional technical and organizational security measures to the ones provided by Truewind pursuant to this DPA, the Customer shall inform Truewind of the additional technical and security measures it considers to be appropriate and shall be liable for any and all additional costs incurred by Truewind (on a time and materials basis at Truewind’s then-current applicable prices) in putting in place and maintaining such requested measures. Furthermore, the Customer shall notify Truewind of any specific legislation or risks affecting its business as may be relevant from time to time.
5. Data Breaches
Truewind will notify the Customer without undue delay after becoming aware of a Personal Data Breach in relation to the Services provided by Truewind under the Agreement and will use reasonable efforts to assist the Customer in mitigating, where possible, the adverse effects of any Data Breach.
6. Audit rights of the Customer
6.1 Truewind shall make available to the Customer all information reasonably necessary to demonstrate compliance with the Data Protection Laws and allow for and contribute to audits (no more than once in any calendar year), including inspections, conducted by the Customer or an auditor mandated by the Customer. Customer shall give Truewind a reasonable prior written notice of any audit or inspection to be conducted under this Section (which shall, in no event, be less than thirty (30) days’ notice, unless required by a Supervisory Authority) and ensure that each of its mandated auditors uses its best efforts to avoid causing, and hereby undertakes to indemnify Truewind in respect of, any damage, injury or disruption to Truewind’s premises, equipment, Personnel, data, and business (including any interference with the confidentiality or security of the data of Truewind’s other Customers or the availability of Truewind’s Services to such other Customers) while its Personnel and/or its auditor’s personnel (if applicable) are on those premises in the course of any on-premises inspection.
6.2 The Customer may engage a third party to perform its audit rights, provided that such third party is bound by an agreement of confidentiality with Truewind and gives 5 business days for Truewind to object to the appointed auditor, specifically if they are Truewind’s competitors or, in some other way, not independent. Truewind shall be entitled to invoice the Customer on a time and material basis at the then-current applicable prices for any time expended for any such audit.
7. International Transfers
Truewind is authorized, in connection with the provision of the Services, or in the normal course of business, to make worldwide transfers of Personal Data to its affiliates and/or Subprocessors. When making such transfers, Truewind shall ensure appropriate protection is in place to safeguard the Personal Data transferred under or in connection with this DPA. Where the provision of Services involves the transfer of Personal Data from the European Economic Area (“EEA”) to countries outside the EEA (which are not subject to an adequacy decision under Data Protection Laws), Truewind shall execute and comply with its obligations under the EU Commission’s Standard Contractual Clauses (annexed to EU Commission Decision 2021/914/EU of 4 June 2021) (the “EU SCCs”), which shall be entered into and incorporated into this DPA by this reference and completed as follows:
(i) Module 2 (Controller to Processor) will apply where Customer is a controller of Personal Data and Truewind is a processor of Personal Data; Module 3 (Processor to Processor) will apply where Customer is a processor of Personal Data and Truewind is a processor of Personal Data. For each Module, where applicable:
(ii) in Clause 7, the optional docking clause will apply;
(iii) in Clause 12, any claims brought under the EU SCCs shall be subject to the terms and conditions set forth in the Agreement;
(iv) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Portuguese law;
(v) in Clause 18(b), disputes shall be resolved before the courts of Lisbon;
(vi) Annex I of the EU SCCs shall be deemed completed with the information set out in Schedule A to this DPA;
(vii) Annex II of the EU SCCs shall be deemed completed with the information set out in Section 4 of this DPA; and
(viii) Annex III of the EU SCCs shall be deemed completed with the information set out in Schedule B to this DPA.
Nothing in the interpretations in this Section 7 is intended to conflict with either Party’s rights or responsibilities under the EU SCCs and, in the event of any such conflict, the EU SCCs shall prevail.
8. Requests of Data Subjects
Truewind shall promptly inform the Customer of any requests from individuals exercising their data subject rights under Privacy Laws. The Customer is responsible for responding to such requests. Truewind will reasonably assist the Customer to respond to data subject requests to the extent that the Customer is unable to access the relevant Personal Data in the use of the Services. Truewind reserves the right to charge the Customer a reasonable fee for the provision of such assistance.
To the extent required by Data Protection Laws, Truewind shall provide reasonable assistance to Customer to carry out a data protection impact assessment in relation to the Processing of Personal Data undertaken by Truewind and/or any required prior consultation(s) with Supervisory Authorities. Truewind reserves the right to charge the Customer a reasonable fee for the provision of such assistance.
10. Deletion of Personal Data
Upon termination of the Services (for any reason) and if requested by the Customer in writing, Truewind shall, as soon as reasonably practicable, return or delete the Personal Data on Truewind systems unless applicable law requires storage of the Personal Data. Truewind may defer the deletion of the Personal Data to the extent and for the duration that any Personal Data or copies thereof cannot reasonably and practically be expunged from Truewind’s systems. For such retention the provisions of this DPA shall continue to apply to such Personal Data. Truewind reserves the right to charge the Customer for any reasonable costs and expenses incurred by Truewind in deleting the Personal Data pursuant to this clause.
11.1 This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
11.2 Any claims against Truewind under this DPA will be brought solely against the entity that is a party to the Agreement and will be subject to the terms and conditions, including but not limited to, the exclusions and limitations set forth in the Agreement.
11.3 The DPA is severable. If one or more provisions that do not affect the essence of the DPA are declared fully or partially invalid, void or unenforceable, this shall not affect the validity and enforceability of the remaining provisions of this DPA and of the Agreement. The DPA will remain in force between the Parties, as if the invalid, void or unenforceable provision never existed. In the aforementioned case, the Parties undertake to renegotiate in good faith the DPA in order to modify or replace the (fully or partially) void, invalid or unenforceable provision by a provision that most closely matches the purpose of the invalid, void or unenforceable provision.
Schedule A – Description of data processing activities
Data Exporter: Customer or as otherwise provided in the DPA signature block.
Data Importer: The data importer is Truewind as provided in the DPA signature block.
Contact Details: Provided in the DPA signature block. Regarding Truewind, in addition: firstname.lastname@example.org
Truewind will process Personal Data in its provision of the Services pursuant to the Agreement between Truewind and Customer.
Duration of the processing
Truewind will Process Personal Data for the duration of the Agreement and on a continuous basis.
Nature and purposes of the processing
Customer may transfer Personal Data to Truewind, the extent of which is determined and controlled by the Customer in its sole discretion. Truewind will Process Personal Data as necessary to perform the Services pursuant to the Agreement and as further instructed by the Customer in its use of the Services. The Agreement and the relevant service descriptions, Orders, Change Orders and statements of work shall apply for the specifics and possible additional services.
Type of Personal Data that are processed
Customer may transfer Personal Data to Truewind, the extent of which is determined and controlled by the Customer at its sole discretion, and which include the following categories of Personal Data: first and last name; title; position, employer, contact information (company, email, phone numbers, physical business address), customer service information, connection data and localisation data.
Special Categories of Data (if appropriate)
Categories of Data Subjects
The data subjects are Customer’s end users, employees, contractors, suppliers and other third parties relevant to the Services.
The Personal Data will be retained at least as long as any applicable legally mandated minimum retention period, that is consistent with applicable statutes of limitations and meets good business practices.
Competent Supervisory Authority
Portuguese National Data Protection Commission (CNPD)
Transfers to Subprocessors
For transfers to processors, the subject matter, nature and duration of the processing are the same as above defined.
Schedule B – List of Sub-processors
Deliver the Services
Business process support for service management
Helpdesk inquiries for customer support
Business Process Support for Customer Relationship Management (CRM)
Last updated: April 21, 2022.