This Data Processing Addendum (“DPA”) forms part of IDrive Inc.'s Terms of Service Agreement or other electronic agreements or mutually executed agreement between RemotePC and Customer (“you” and “your”) applicable to Customer’s use of RemotePC Services (the “Agreement”) and reflects the Parties’ agreement with regard to Processing Customer Personal Data. Capitalized terms used but not defined in this DPA have the meanings given to them in the Agreement.
1. Purpose and Scope
In the course of providing RemotePC Service to Customer pursuant to the Agreement, RemotePC will Process Customer Data on your behalf. Customer Data may include Personal Data. This DPA reflects the parties’ agreement relating to the Processing of Customer Data in accordance with the requirements of Data Protection Laws and Regulations. This DPA will control in the event of any conflict with the Agreement.
2. Definitions
"Data Controller" means the entity that determines the purposes and means of Processing of Personal Data.
"Data Processor" means the entity that Processes Personal Data on behalf of the Data Controller.
"Data Protection Laws and Regulations" means any applicable data protection laws and regulations applicable to the Processing of Personal Data under the Agreement, including the applicable laws and regulations of the European Union, the European Economic Area and their member states, and Switzerland.
"Data Subject" means the individual to whom Personal Data relates.
"Personal Data" means any information relating to an identifiable or identified individual.
"Processing", "Processes" or "Process" means any operation or set of operations performed upon Personal Data whether or not by automated means, such as collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, erasure, or destruction.
"Sub-processor" means RemotePC’s Affiliates or other third-party service providers that Process Customer Data for RemotePC.
3. Processing of Customer Data
Data Processing Roles. The Parties acknowledge and agree that with regard to the Processing of Customer Data under the Data Protection Laws and Regulations and this DPA, Customer is the Controller and RemotePC is the Processor. Each Party will comply with the obligations applicable to it under the Data Protection Laws and Regulations with respect to the Processing of Customer Personal Data. RemotePC has no knowledge of, or control over, the Personal Data that you provide for Processing. You are solely responsible for the accuracy, quality, and legality of the Customer Data and the means by which you acquired the Customer Data.
Data Processing Instructions. This DPA and the Agreement are your complete and final instructions to RemotePC for the Processing of Customer Data. You and RemotePC must agree on any additional or alternate instructions. RemotePC will inform you if, in RemotePC's opinion, your instructions violate Data Protection Laws and Regulations. RemotePC will process Customer Data: (1) in accordance with the Agreement (including all documents incorporated in the Agreement), and (2) to comply with other reasonable instructions you provide to RemotePC (including by email) where your instructions are consistent with the Agreement. RemotePC will not otherwise disclose Customer Data to third parties unless required to do so by applicable law, in which case RemotePC will inform you in advance unless RemotePC is prohibited from doing so. RemotePC will not Process Customer Data for any other purpose unless you instruct RemotePC.
Scope and Duration of Processing. RemotePC will Process Customer Personal Data as necessary to perform the RemotePC Service pursuant to the Agreement and in accordance with this DPA. The types of Customer Personal Data and categories of Data Subjects that may be Processed under this DPA are set forth in Exhibit 1 ("Scope of Processing"). RemotePC will Process Customer Personal Data for the period of the Agreement unless otherwise agreed to by the Parties in writing.
4. Rights of Data Subjects
Access, Rectification, Restriction and Deletion. RemotePC will enable Customer to access, rectify, restrict processing of and delete Customer Personal Data as far as consistent with RemotePC Service functionality.
Data Subject Requests. If RemotePC receives a request from a Data Subject in relation to Customer Personal Data then, to the extent legally permissible, RemotePC will advise the Data Subject to submit their request to Customer and Customer will be responsible for responding to any such requests including, where necessary, by using the functionality of the RemotePC Service. If you do not have the ability to access, rectify, restrict, or delete Customer Personal Data as required by Data Protection Laws and Regulations, you can provide written instructions to RemotePC to act on your behalf. RemotePC will follow your instructions to the extent they are technically feasible and legally permissible. You will pay RemotePC’s costs of providing this assistance.
Cooperation and Assistance. RemotePC will assist you to address any request, complaint, notice, or communication you receive relating to RemotePC’s Processing of Customer Data received from (i) a Data Subject whose Personal Data is contained within the Customer Data, or (ii) any applicable data protection authority. RemotePC will also assist you with your reasonable requests for information to confirm compliance with this DPA or to conduct a privacy impact assessment. You will pay RemotePC’s costs of providing assistance if the assistance exceeds the services provided under the Agreement.
5. Data Security and Confidentiality
Security Controls. RemotePC maintains appropriate administrative, technical and organizational safeguards to protect Customer Data from unauthorized or unlawful Processing, from accidental loss, destruction, or damage. As described in Exhibit 2, the Security Controls include measures to help ensure ongoing confidentiality, integrity, availability and resilience of RemotePC’s systems and services and for regular testing and effectiveness of controls.
RemotePC Personnel. RemotePC ensures that access to Customer Data is limited to those personnel who require access to Process Customer Data under the Agreement. RemotePC informs its personnel engaged in the Processing of Customer Data about the confidential nature of such Customer Data. RemotePC will take appropriate steps to ensure compliance with the Security Controls by its employees, contractors, and Sub-processors to the extent applicable to their scope of performance, including ensuring that all persons authorized to Process Customer Data have agreed to an appropriate obligation of confidentiality.
6. Sub-processors
Authorization and Commitments. You expressly authorize RemotePC to use Sub-processors to perform specific services on RemotePC’s behalf to enable RemotePC to perform its obligations under the Agreement and this DPA and to provide certain services on RemotePC’s behalf, such as support services. RemotePC has written agreements with its Sub-processors that contain obligations substantially similar to RemotePC’s obligations under this DPA. RemotePC will remain responsible for its compliance with the obligations of this DPA and for any acts or omissions of the Sub-processors. RemotePC's current Sub-processors including their location and services are listed at: http://www.remotepc.com/authorized-sub-processor. RemotePC will continue to publish changes to its Sub-processors on this website.
Notice and Objection. You have a right to reasonably object to RemotePC’s use of a new Sub-processor by notifying RemotePC in writing within 10 business days after RemotePC publishes notice of a new Sub-processor. If you do so, RemotePC will use reasonable efforts to change the affected Software or Cloud Service, or recommend a commercially reasonable change to your configuration or use of the affected Software or Cloud Service, to avoid Processing of Customer Data by the new Sub-processor. If RemotePC is unable to make or recommend such a change within a reasonable period of time, not to exceed 60 days, you may terminate only the Subscription Term for the Software and Cloud Service that RemotePC cannot provide without using the new Sub-processor. You must provide written notice of termination to RemotePC in accordance with the Agreement.
7. Audit and Reports
Reports. RemotePC uses external auditors to verify its security measures for various security and compliance control standards and certifications. RemotePC has completed the necessary audits and, upon Customer’s written request, can provide supporting documentation to demonstrate that it meets the standards defined by SSAE 16.
Audit Rights. RemotePC will provide you with additional information beyond that which is stated in the Report—and will allow and contribute to audits, including inspections—reasonably necessary to demonstrate compliance with Data Protection Laws and Regulations. You will reimburse RemotePC for any time taken for an audit or inspection at RemotePC's then-current professional service rates. RemotePC will provide those rates to you on request. You and RemotePC will agree in advance on the timing, scope, duration and reimbursement rates for any audit or inspection. Customer shall promptly notify RemotePC with information regarding any non-compliance discovered during the course of the audit.
8. Incident Management and Notification
RemotePC will notify you without undue delay after becoming aware of a breach of your Customer Data. To the extent known, the notice will include (i) a description of the nature of the personal data breach; and (ii) the measures RemotePC is taking to address the breach to the extent such measures are within RemotePC’s reasonable control, including measures to mitigate its possible adverse effects.
9. Return and Deletion of Customer Data
RemotePC Service provides Customer with controls to enable Customer to retrieve Customer Data at any time prior to the end of a Subscription Term. Following your Subscription Term, RemotePC will delete your Customer Data in accordance with the Agreement.
10. Data Privacy Framework Program and Swiss-US Privacy Framework
RemotePC aligns with the EU-U.S. Data Privacy Framework and the Swiss – U.S. Privacy Shield Framework.
The EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. Data Privacy Framework (UK Extension to the EU-U.S. DPF), and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) were established to streamline transatlantic commerce. These frameworks offer U.S. organizations dependable mechanisms for personal data transfers from the European Union / European Economic Area, the United Kingdom (including Gibraltar), and Switzerland to the United States, ensuring consistency with EU, UK, and Swiss law. An organization needs to self-certify its commitment to the DPF Principles with the ITA. This involves being listed on the Data Privacy Framework List, which the ITA updates yearly based on organizations' annual re-certification submissions.
RemotePC aligns with the EU-U.S. Data Privacy Framework and the Swiss – U.S. Privacy Shield Framework as established by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States, respectively. RemotePC has certified to the Department of Commerce that it adheres to the Privacy Shield Principles.
If RemotePC determines it can no longer meet these obligations, RemotePC will promptly notify you and will cease Processing your Personal Data or take reasonable and appropriate steps to remediate.