For the purposes of this Data Processing Policy, the following terms and those defined within the body of this Data Processing Policy apply.
The terms "controller", "data subject", "personal data", "process", "processing" and "processor" have the meanings assigned to these terms in the Data Protection Laws.
"Adequate Country" means (a) for data processed subject to the GDPR: the European Economic Area, or a country or territory recognized as ensuring adequate protection under the GDPR; (b) for data processed subject to the UK Data Protection Laws: the UK, or a country or territory recognized as ensuring adequate protection under the UK Data Protection Laws and the Data Protection Act 2018; (c) for data processed subject to the Swiss Data Protection Laws: Switzerland, or a country or territory that is: (i) included in the list of the states whose legislation ensures adequate protection as published by the Swiss Federal Data Protection and Information Commissioner, or (ii) recognized as ensuring adequate protection by the Swiss Federal Council under the Swiss FDPA; in each case, other than on the basis of an optional data protection framework.
"Alternative Transfer Solution" means a solution, other than SCCs, that enables the lawful transfer of personal data to a third country in accordance with the GDPR, for example a data protection framework recognized as ensuring that participating entities provide adequate protection.
"Breach" means a breach of the Security Measures resulting in access to enabley’s equipment or facilities storing Your Controlled Data and the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Your Controlled Data transmitted, stored or processed by enabley on your behalf and instructions through our website or enabley's platform.
"Content" means any content provided to enabley from you or your end users, including without limitation text, photos, images, audio, video, code, and any other materials.
"Data Protection Laws" means the relevant data protection and data privacy laws, rules or regulations applicable to Your Controlled Data. "Data Protection Laws" shall include, but not be limited to, the GDPR and the e-Privacy Directive 2002/58/EC.
"GDPR" means the EU General Data Protection Regulation 2016/679. "SCC" means as available here and incorporated herein by reference.
"Security Measures" means the technical and organizational security measures that we implement with respect to our services as they are described herein.
"Sub-Processor" means any entity engaged by us to process Your Controlled Data.
"Your Controlled Data" means the personal data in the Content, enabley processes on your behalf and instructions as part of the services enabley provides to you. Your Controlled Data does not include personal data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to your Portfolios) with respect to your end users’ interactions with your platform through their browser and technologies like cookies.
2. Details of Data Processing
Subject Matter. The subject matter of the data processing under this Data Processing Policy is Your Controlled Data.
Duration. The duration of the data processing under this Data Processing Policy is determined by you.
Purpose. The purpose of the data processing under this Data Processing Policy is the provision of the services by enabley as initiated by you, from time to time.
Nature of the Processing. The services as described in the agreement entered between enabley and you and initiated by you, from time to time.
Type of Personal Data. Your Controlled Data relating to you, your end users or other individuals whose personal data is included in Content which is processed as part of the services or the platforms provided by enabley, in accordance with the agreement entered between enabley and you.
Categories of Data Subjects. You, your end users and any other individuals whose personal data is included in Content.
You agree that enabley is not responsible for personal data that you have elected to process through third party services or outside of the services or the platforms enabley provides to you, including the systems of any other third-party cloud services, offline or on-premises storage.
4. Processing Roles and Activities
Enabley as Processor and You as Controller. You are the controller and enabley is the processor of Your Controlled Data.
Description of Processing Activities. We will process Your Controlled Data for the purpose of providing you with the services, as may be used, configured or modified as per provided in the agreement entered between enabley and you (the "Purpose"). For example, depending on how you use the services, we may process Your Controlled Data in order to: (a) enable your end users access to content within our platform; or (b) email end users about new content or notifications that are relevant to them.
Compliance with Laws. You will ensure that any instructions you will provide enabley, if any, comply with all laws, regulations and rules applicable in relation to Your Controlled Data and that Your Controlled Data is collected lawfully by you or on your behalf and provided to enabley by you in accordance with such laws, rules and regulations. You will also ensure that the processing of Your Controlled Data in accordance with the agreement entered between enabley and you, will not cause or result in us or you breaching any laws, rules or regulations (including Data Protection Laws). You are responsible for reviewing the information available from us relating to data security and making an independent determination as to whether our services meet your requirements and legal obligations as well as your obligations under this Data Processing Policy. Enabley will not access or use Your Controlled Data except as provided herein, as necessary to maintain or provide the services or as necessary to comply with the law or binding order of a governmental, law enforcement or regulatory body.
5. Our Processing Responsibilities
How We Process. We will process Your Controlled Data for the Purpose and in accordance with this Data Processing Policy or instructions you give us. We will promptly inform you if, in our opinion, your instructions infringe applicable Data Protection Law(s), or if we are unable to comply with your instructions. We will notify you when applicable laws prevent us from complying with your instructions, except if such disclosure is prohibited by applicable law on important grounds of public interest, such as a prohibition under law to preserve the confidentiality of a law enforcement investigation or request.
Security Measures. We will maintain the Security Measures. We may change these Security Measures but will not do so in a way that adversely affects the security of Your Controlled Data. We will take steps to ensure that any natural person acting under our authority who has access to Your Controlled Data does not process it except on our instructions, unless such person is required to do so under applicable law, and that personnel authorized by us to process Your Controlled Data have committed themselves to relevant confidentiality obligations or are under an appropriate statutory obligation of confidentiality.
Notification of Breach. We will provide you notice without undue delay after becoming aware of and confirming the occurrence of a Breach for which notification to you is required under applicable Data Protection Law(s). We will, to assist you in complying with your notification obligations under Articles 33 and 34 of the GDPR, provide you with such information about the Breach as we are reasonably able to disclose to you, taking into account the nature of the services we provide, the information available to us and any restrictions on disclosing the information such as for confidentiality. Our obligation to report or respond to a Breach is not and will not be construed as an acknowledgement by enabley of any fault or liability of enabley with respect to the Breach. Despite the foregoing, enabley’s obligations under this section do not apply to incidents that are caused by you and/or third-parties.
Notification of Inquiry or Complaint. We will provide you notice, if permitted by applicable law, upon receiving an inquiry or complaint from an end user, or other individual whose personal data is included in your Content, or a binding demand (such as a court order or subpoena) from a government, law enforcement, regulatory or other body in respect of Your Controlled Data that we process on your behalf.
Reasonable Assistance with Compliance. We will, to the extent that you cannot reasonably do so, provide reasonable assistance to you in respect of your fulfillment of your obligation as controller to respond to requests by data subjects under Chapter 3 of the GDPR, taking into account the nature of our services and information available to us. You will be responsible for our reasonable costs arising from our provision of such assistance.
Sub-Processors. You agree that we can share Your Controlled Data with Sub-Processors in order to provide you the services. We will impose contractual obligations on our Sub-Processors, and contractually obligate our Sub-Processors to impose contractual obligations on any further sub-contractors which they engage to process Your Controlled Data, which provide the same level of data protection for Your Controlled Data in all material respects as the contractual obligations imposed in this Data Processing Policy, to the extent applicable to the nature of the services provided by such Sub-Processor. A list of our current Sub-Processors is available upon request by sending an email to firstname.lastname@example.org. Provided that your objection is reasonable and related to data protection concerns, you may object to any Sub-Processor by sending an email to email@example.com. If you object to any Sub-Processor and your objection is reasonable and related to data protection concerns, we will use commercially reasonable efforts to make available to you a means of avoiding the processing of Your Controlled Data by the objected-to Sub-Processor. If we are unable to make available such suggested change within a reasonable period of time, we will notify you and if you still object to our use of such Sub-Processor, you may cancel or terminate our agreement or, if possible, the portions of the services that involve use of such Sub-Processor. If you object to any Sub-Processors, you may not use or access the services. Except as set forth in this Section or as you may otherwise authorize, we will not permit any Sub-Processor to access Your Controlled Data. Enabley will remain responsible for Sub-Processor compliance with the obligations of this Data Processing Policy and for any acts or omissions of any Sub-Processor or their further sub-contractors that process Your Controlled Data and cause enabley to breach any of enabley’s obligations under this Data Processing Policy, solely to the extent that enabley would be liable if the act or omission was enabley’s own.
Audits and Information Requests. Upon request from you and at your expense, enabley agrees to reasonably cooperate and share information with you for the purpose of verifying our compliance with Applicable Data Protection Law(s). You agree that you may be required to enter into a non-disclosure agreement before we share any information upon your request.
Personal Data Inquiries and Requests. Enabley agrees to comply with all reasonable instructions given by you related to any requests from individuals exercising their rights in Personal Data granted to them under Applicable Data Protection Law(s) ("Privacy Request"). At your request, enabley agrees to reasonably assist you in answering or complying with any Privacy Request.
6. Data Transfers
GDPR do not require SCCs or an Alternative Transfer Solution in order for personal data to be processed in or transferred to an Adequate Country. If your Controlled Data is transferred to any other country and GDPR applies to the transfers ("Restricted European Transfers"), then: (a) if enabley has adopted an Alternative Transfer Solution for any Restricted European Transfers, then we will inform you of the relevant solution and ensure that such Restricted European Transfers are made in accordance with it; (b) if enabley has not adopted, or informs
you that we are no longer adopting, an Alternative Transfer Solution for any Restricted European Transfers, then:
(1) the SCCs (Processor-to-Processor) will apply with respect to such Restricted European Transfers from enabley to Subprocessors; and
(2) in addition, if your billing address is not in an Adequate Country, the SCCs (Processor-to Controller) will apply (regardless of you are a controller and/or processor) with respect to such Restricted European Transfers.
7. Data Retention and Deletion upon Termination
Upon termination of the services by enabley, you will be able to (with enabley’s assistance if needed) delete Your Controlled Data in enabley’s possession or control by removing all Content from enabley platform. At your discretion, either directly, or with the assistance of enabley, you shall have the opportunity to first export all Your Controlled Data before it is being deleted from enabley platform. The foregoing requirement will not apply to the extent enabley is required by applicable law to retain some or all Your Controlled Data, or to Your Controlled Data that is archived on enabley’s back-up systems. With regards to Your Controlled Data on enabley’s back-up systems, enabley will stop Processing and destroy or de-identify such data according to its data retention policies, except to the extent required by applicable law.
You are responsible for any costs and expenses arising from enabley’s compliance with your instructions or requests pursuant to this Data Processing Policy which fall outside the standard functionality made available by enabley generally through its services.
If you have any questions about this Data Processing Policy please contact us at: firstname.lastname@example.org.
Last Update: January 17, 2023