This Data Processing Addendum ("DPA") forms part of, and is subject to, the Dust Master Services Agreement or other written or electronic terms of service or subscription agreement between Dust ("Dust") and Customer that reference this DPA (the “Agreement”), and is effective on the Effective Date of the Agreement.

This DPA applies where, and to the extent that, Dust processes Customer Personal Data on behalf of Customer when providing Services under the Agreement. All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.

Without prejudice to the foregoing, Dust and the Customer may have access to personal data of natural persons acting as contact points, provided by the other party including employees, representatives or agents of the latter, which it may process as data controller in the context of the proper performance of this Agreement and compliance with their legal and regulatory obligations which are imposed on it. It is the responsibility of each party to inform the data subjects, whose personal data it has disclosed, of the processing carried out by the other party and of the provisions of this DPA.

1. Definitions

| Term | Definition |
|---|---|
| Security Incident | means any unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Customer Personal Data. |
| Data Protection Laws | means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement, including, where applicable, EU Data Protection Law. |
| Data Controller or Controller | means an entity that determines the purposes and means of the processing of Personal Data. |
| Data Processor | means an entity that processes Personal Data on behalf of a Data Controller. |
| EU Data Protection Laws | means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of Personal Data and on the free movement of such data (General Data Protection Regulation) ("GDPR"). |
| EEA | means the European Economic Area (including the United Kingdom). |
| Personal Data | means any information relating to an identified or identifiable natural person. |
| EU-U.S. Data Privacy Framework | means the EU-U.S. Data Privacy Framework approved by the European Commission pursuant to Decision C(2023) 4745 of 10 July 2023. |
| Processing | has the meaning given to it in the GDPR and "process", "processes" and "processed" will be interpreted accordingly. |
| Sub-Processor | means any Data Processor engaged by Dust or its Affiliates to assist in fulfilling its obligations with respect to providing the Services pursuant to the Agreement or this DPA. Sub-Processors may include third parties or Dust’s Affiliates. |

2. Relationship with the Agreement

2.1 The parties agree that this DPA shall replace any existing DPA or other data protection provisions the parties may have previously entered into in connection with the Services.

3. Scope of this DPA

3.1 This DPA applies where and only to the extent that Dust processes Personal Data that originates from the EEA (including United Kingdom) and/or that is otherwise subject to EU Data Protection Law on behalf of Customer in the course of providing Services to the Customer pursuant to the Agreement.

4. Processing by Dust as a Data Controller

In order to perform the Services provided under this Agreement, Dust may have access to personal data of natural persons acting as contact points provided by the Customer, including employees, representatives or agents of the latter (“Customer Relationship Management Personal Data” or “CRM Personal Data”). The persons concerned by this processing are the natural persons representing the Customer and whose last email received is still within its regulatory retention period.

The Customer is hereby informed and accepts that Dust may need to process such CRM Personal Data, provided by the Customer or the data subjects, on its own behalf. In the context of such data processing on its own behalf, Dust will then be qualified as a Data Controller within the meaning of the Data Protection Laws. Consequently, Dust undertakes to comply, at its own expense, with all the obligations imposed on any Data Controller, as set out in the Data Protection Laws. In this respect, it is specified that the legal basis for this processing is the performance of the Contract between Dust and the Customer entered into by means of the latter's acceptance of the Agreement. For information purposes, Dust hereby informs the Customer that the purpose and nature of the Personal Data processing carried out by Dust in its capacity as Data Controller is: