Data Processing Addendum

Preamble

For Enterprise Tier Customers - This Data Processing Addendum (“Addendum”) forms part of the Subscription Service Terms and Conditions (“Agreement”) between Customer and Permit Inc.; Customer may request to sign this as a separate agreement.

Data Processing Addendum


WHEREAS, Customer has engaged in a services agreement (the “Agreement”) with Permit Inc. (“Permit”);

WHEREAS, pursuant to the Agreement, Permit provides Customer access to use Permit’s proprietary application management software that helps organizations to build access-control, permissions management, backoffice, and control interfaces into their software products (the “Platform”);

WHEREAS, the Platform involves processing certain personal data of employees and other data subjects of Customer, and the parties wish to regulate Permit’s processing of such personal data, through this Data Processing Addendum (the “Addendum”).

THEREFORE, the parties have agreed as follows:

  1. Customer commissions, authorizes and requests that Permit provide Customer the Platform, which involves Processing Personal Data (as these capitalized terms are defined and used in the General Data Protection Regulation ("GDPR") (Regulation (EU) 2016/679), or the California Consumer Privacy Act of 2018 (as amended by the California Privacy Rights Act) ("CCPA") referred to as “Data Protection Law”).  

  2. With respect to those activities of Permit as a ‘Data Processor’ (as this term is defined and used in Data Protection Law), Permit will Process the Personal Data only on Customer’s behalf and for as long as Customer instructs Permit to do so. Permit shall not Process the Personal Data for any purpose other than the purpose set forth in the next section.

  3. The subject matter and purposes of the Processing activities are the provision of the Platform, including maintenance, support, enhancement and deployment of the same. The Personal Data Processed may include, without limitation:

    1. Names, titles and contact information of Customer’s employees;

    2. Authorisation logs assigned to each user, also Customer’s employees.

  4. The Data Subjects, as defined in the Data Protection Law, about whom Personal Data is Processed are:

    1. Data subjects relating to Customer’s production environment.

  5. With respect to those activities of Permit as a Data Processor, Permit will Process the Personal Data only as set forth in this Addendum. Customer and Permit are each responsible for complying with the Data Protection Law applicable to them in their roles as Data Controller (as this term is defined and used in Data Protection Law) and Data Processor, respectively. 

  6. Customer shall at a minimum – 

    1. Substantiate the legal basis of and legitimize the Processing of Personal Data through the Platform, as necessary under Data Protection Law. Customer may only use the Platform to process personal data pursuant to a recognized and applicable lawful basis under Data Protection Law, such as (by way of example only) consent or legitimate basis.

    2. Have, properly publish and abide by an appropriate privacy policy that complies with all Data Protection Law relating to Personal Data and its Processing through the Platform.

  7. With respect to those activities of Permit as a Data Processor, Permit will Process the Personal Data only on documented instructions from Customer that are provided through the Platform’s various control and configuration options, unless Permit is otherwise required to do so by law to which it is subject (and in such a case, Permit shall inform Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Permit shall immediately inform Customer if, in Permit's opinion, an instruction is in violation of Data Protection Law. Customer may use the Platform’s various control and configuration options to assist it in connection with its obligations under the GDPR. 

  8. Customer is solely responsible for determining the lawfulness of the data processing instructions it provides to Permit and shall provide Permit only instructions that are lawful under Data Protection Law. 

  9. Permit, through the Platform’s various control and configuration options available to Customer, will follow Customer’s instructions to accommodate Data Subjects’ requests to exercise their rights in relation to their Personal Data, including accessing their data, correcting it, restricting its processing or deleting it. Permit will pass on to Customer requests that it receives from Data Subjects regarding their Personal Data Processed by Permit.

  10. Additional instructions of the Customer outside the scope of the Platform’s control and configuration options require prior and separate agreement between Customer and Permit, including agreement on additional fees (if any) payable to Permit for executing such instructions. If Permit declines to follow Customer’s reasonable instructions outside the scope of the Platform’s control and configuration options, then Customer may terminate this Addendum and the Agreement, without liability for such premature termination.

  11. Customer acknowledges and agrees that Permit uses the sub-processors listed in Appendix 1 to Process Personal Data. 

  12. Customer authorizes Permit to engage another sub-processor for carrying out specific processing activities of the Platform, provided that Permit informs Customer at least 14 days in advance of any new or substitute sub-processor, in which case Customer shall have the right to object, on reasoned grounds, to that new or replaced sub-processor. If Customer so objects, and Permit notifies Customer in writing that it nevertheless opts to use that new or replaced sub-processor, then Customer may terminate the Agreement for convenience, without liability to Permit for such premature termination.

  13. Permit and its sub-processors will only Process the Personal Data in member states of the European Economic Area, in territories or territorial sectors (e.g., Privacy Shield) recognized by an adequacy decision of the European Commission, as providing an adequate level of protection for Personal Data pursuant to Articles 45 or 46 of the GDPR, or using adequate safeguards as required under Data Protection Law governing cross-border data transfers (e.g., Model Clauses). To this end, Customer authorizes Permit to enter on Customer’s behalf into Model Clauses agreements with sub-processors.

  14. Permit will procure that the sub-processors Process the Personal Data in a manner consistent with Permit’s obligations under this Addendum and Data Protection Law, particularly Article 28 of the GDPR, with such obligations imposed on that sub-processor by way of law or contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR.

  15. In Processing Personal Data, Permit will implement appropriate technical and organizational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access in accordance with Permit's IT Security Policy. 

  16. Permit will ensure that its staff authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

  17. Permit shall allow for and contribute to audits, including carrying out inspections on Permit's business premises conducted by Customer or another auditor mandated by Customer during normal business hours and subject to a prior notice to Permit of at least 30 days as well as appropriate confidentiality undertakings by Customer covering such inspections in order to establish Permit's compliance with this Addendum and the provisions of the applicable Data Protection Law as regards the Personal Data that Permit processes on behalf of Customer. If such audits entail material costs or expenses to Permit, the parties shall first come to agreement on Customer reimbursing Permit for such costs and expenses.

  18. At Customer’s request, Permit shall provide to Customer a copy of an annual audit report from an independent reputable third party regarding Permit's data processing and data protection measures. The audit report shall be obtained based on a recognized standard for such audit reports (e.g. ISAE 3000 or SSAE-SOC 2).

  19. Permit shall without undue delay notify Customer of any ‘Personal Data Breach’ (as this term is defined and used in Data Protection Law) that it becomes aware of regarding Personal Data of Data Subjects that Permit Processes. Permit will use commercial efforts to mitigate the breach and prevent its recurrence. Customer and Permit will cooperate in good-faith on issuing any statements or notices regarding such breaches, to authorities and Data Subjects.

  20. Permit will assist Customer with the eventual preparation of data privacy impact assessments and prior consultation as appropriate, provided, however, that if such assistance entails material costs or expenses to Permit, the parties shall first come to agreement on Customer reimbursing Permit for such costs and expenses.

  21. Permit will provide Customer prompt notice of any request it receives from authorities to produce or disclose Personal Data it has Processed on Customer’s behalf, so that Customer may contest or attempt to limit the scope of production or disclosure request, unless Permit is prohibited by law to provide this notice.

  22. All notices required or contemplated under this Addendum to be sent by Permit will be sent either by electronic mail to Customer to the email address that Permit has on file for the Customer’s main contact person, or, at Permit’s choice, through In-app notices.

  23. Upon Customer’s request, Permit will delete the Personal Data it has Processed on Customer’s behalf under this Addendum from its own and its sub-processor’s systems, or, at Customer’s choice, use the Platform’s tools to obtain the data before its deletion, and upon Customer’s request, will furnish written confirmation that the Personal Data has been deleted pursuant to this section. 

  24. The duration of Processing that Permit performs on the Personal Data is for the period set out in the Agreement between the parties. This Addendum shall prevail in the event of inconsistencies between it and the Agreement between the parties or subsequent agreements entered into or purported to be entered into by the parties after the date of this Addendum – except where explicitly agreed otherwise in writing.

  25. The parties’ liability under this Addendum shall be pursuant to the liability clauses in the various parts of the Agreement.

Appendix 1 – Sub-processors

| Sub-processor Name | Nature of Processing |
| --- | --- |
| Amazon Web Services | Cloud Hosting |
| DataDog | System monitoring logs |
| Google | Anonymized Usage analytics |
| Twilio (Segment) | Event Management |
| MixPanel | Anonymized Usage analytics |
| Stripe | Billing |
| Sentry | System Error Monitoring |

Last updated: 2024-08-11