Please update the form to fix the errors and resubmit.
Test the basic functions of the teroGO mobile app with your colleagues.
Effective as of July 20, 2023
This Data Processing Agreement (including any terms set forth in a schedule, appendix or addendum hereto, “DPA”), dated as of the effective date of the Service Agreement (“Effective Date”), is by and between the customer identified in the Service Agreement (“Customer”), and Atlas Unlimited Inc., a Delaware public benefit corporation (“Vendor”). Customer and Vendor may be referred to herein together as the “Parties”, and each may be referred to herein as a “Party”. To the extent that the Parties have entered into a prior agreement governing the processing of personal data (the “Prior Agreement”), the Parties understand and agree that this DPA shall supersede and replace such Prior Agreement. For good and valuable consideration, the receipt and sufficiency of which is hereby acknowledged, Customer and Vendor hereby agree as follows:
1. Definitions.
2. Data Processing Obligations.
2.1. General.
2.2. Standard Contractual Clauses.
If Vendor Processes Personal Data relating to an EEA, United Kingdom, or Switzerland data subject (including, without limitation, the transfer of such Personal Data from the EEA, United Kingdom, or Switzerland to a third country not providing an adequate level of protection) outside of the EEA, United Kingdom, and Switzerland, the Processing will be further governed by Schedule I to this DPA, with Customer as data exporter and Vendor as data importer (together with all Appendixes and Annexes thereto, and as the same may be amended, supplemented, or otherwise modified from time to time, “Personal Data SCCs”), which is incorporated by reference into this DPA solely with respect to Personal Data relating to EEA, United Kingdom and/or Switzerland data subjects. If there is any conflict between (x) the terms and conditions of either this DPA or the applicable Service Agreement(s), on the one hand, and (y) the terms and conditions of the Personal Data SCCs, on the other hand, then, with respect to Personal Data relating to an EEA, United Kingdom and/or Switzerland data subject(s), the terms and conditions of the Personal Data SCCs will prevail and control. Vendor may only transfer Personal Data relating to an EEA, United Kingdom, or Switzerland data subject outside the EEA, United Kingdom, and Switzerland in compliance with Applicable Laws and the Personal Data SCCs.
2.3. CCPA.
Without limiting any of the restrictions on or obligations of Vendor under this DPA, under any of the Service Agreements, or under Applicable Laws, with respect to Personal Data relating to a California “consumer” (as defined by CCPA) or household (“CCPA Personal Data”):
2.4. Changes in Applicable Laws.
If, due to any change in Applicable Laws, a Party reasonably believes that (a) Vendor ceases to be able to provide a Service(s) in whole or in part (e.g., with respect to a particular jurisdiction) and/or Customer ceases to be able to use a Service(s) in whole or in part under the then-current terms and conditions of the applicable Service Agreement(s) and this DPA, each Party may terminate the applicable Service Agreement(s) (in whole or, if reasonably practicable, in part).
3. Security.
3.1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Vendor will implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risks. Such measures will include reasonable administrative, physical, and technical security controls (including those required by Applicable Laws) that prevent the collection, use, disclosure, or access to Personal Data and Customer confidential information that the Service Agreements do not expressly authorize, including maintaining a comprehensive information security program that safeguards Personal Data and Customer confidential information. These security measures include, but are not limited to: (i) the pseudonymization and encryption of personal data; (ii) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; and (iii) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
3.2. When assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data transmitted, stored or otherwise processed.
4. Supplementary Measures and Safeguards.
4.1. Assistance; Risk Assessment.
4.2. Orders.
Vendor shall notify Customer in writing of any subpoena or other judicial or administrative order by a government authority or proceeding seeking access to or disclosure of Personal Data. Customer shall have the right to defend such action in lieu of and/or on behalf of Vendor. Customer may, if it so chooses, seek a protective order. Vendor shall reasonably cooperate with Customer in such defense.
5. Notifications.
5.1. Security Incidents.
Vendor has and will maintain a security incident response plan that includes procedures to be followed in the event of a Security Incident. Vendor will provide Customer with written notice promptly after discovering a Security Incident (including those affecting Vendor or its Sub-Processors), including any information that Customer is required by law to provide to an applicable regulatory agency or to the individuals whose personal data was involved in the Security Incident.
5.2. Data Subject Requests.
Vendor shall (i) promptly notify Customer about any request under Applicable Law(s) with respect to Personal Data received from or on behalf of the applicable data subject and (ii) reasonably cooperate with Customer’s reasonable requests in connection with data subject requests with respect to Personal Data. Vendor shall assist Customer, through appropriate technical and organizational measures, to fulfill its obligations with respect to requests of data subjects seeking to exercise rights under Applicable Law with respect to Personal Data.
6. Sub-Processors.
6.1. Vendor shall not have Personal Data Processed by a Sub-Processor unless such Sub-Processor is bound by a written agreement with Vendor that includes data protection obligations at least as protective as those contained in this DPA and the applicable Service Agreement(s) and that meet the requirements of Applicable Laws. Vendor is and shall remain fully liable to Customer for any failure by any Sub-Processor to fulfill Vendor’s data protection obligations under Applicable Laws.
6.2. Vendor’s list of all Sub-Processors who access Personal Data is available at Annex III to Exhibit A (the “Sub-Processor List”). Customer specifically authorizes and instructs Vendor to engage the Sub-Processors listed in the Sub-Processor List. Vendor will notify Customer of any changes to the Sub-Processors listed on the Sub-Processor List and grant Customer the opportunity to object to such change. Upon Customer’s request, Vendor will provide all information necessary to demonstrate that the Sub-Processors will meet all requirements pursuant to Section 6.1. If Customer objects to any Sub-Processor, Vendor can choose to either not engage the Sub-Processor or to terminate this DPA with thirty (30) days’ prior written notice.
6.3. Third-party providers that maintain IT systems whereby access to Personal Data is not needed but can technically also not be excluded do not qualify as Sub-Processors within the meaning of this Section 6. They can be engaged based on regular confidentiality undertakings and subject to Vendor’s reasonable monitoring.
7. Deletion.
Vendor shall, at the choice of Customer: (i) delete or return all Customer Data to Customer after such Customer Data is no longer necessary for the provision of the Services, and (ii) delete existing copies of such Customer Data.
8. Documentation.
8.1. Vendor shall, upon Customer’s request, provide Customer (a) comprehensive documentation of Vendor’s technical and organizational security measures, (b) any and all third-party audits and certifications available with respect to such security measures, and (c) and all other information reasonably necessary to demonstrate compliance with the Vendor’s obligations under this DPA and/or under Applicable Laws.
9. Term; Termination.
This DPA shall remain in effect until (a) all Service Agreements have terminated and (b) all obligations that Vendor has under the Service Agreements and under Applicable Laws with respect to Personal Data, and all rights that Customer has under the Service Agreements and under Applicable Laws with respect to Personal Data, have terminated. Notwithstanding termination of this DPA, any provisions hereof that by their nature are intended to survive, shall survive termination.
10. Miscellaneous.
10.1. Any notice made pursuant to this DPA will be in writing and will be deemed delivered on (a) the date of delivery if delivered personally, (b) five (5) calendar days (or upon written confirmed receipt) after mailing if duly deposited in registered or certified mail or express commercial carrier, or (c) one (1) calendar day (or upon written confirmed receipt) after being sent by email, addressed to Customer at the address or email address on record with Vendor, or addressed to Vendor at the address or email address designated below, or to such other address or email address as may be hereafter designated by either Party:
Olivier Kaeser, CEO
77 Van Ness Ave, San Francisco, CA 94102, USA
10.2. This DPA shall be governed by and construed in accordance with governing law and jurisdiction provisions in the applicable Service Agreements, unless required otherwise by Applicable Laws.
10.3. Neither Party may assign or transfer any part of this DPA without the written consent of the other Party; provided, however, that this DPA, collectively with all Service Agreements, may be assigned without the other Party’s written consent by either Party to a person or entity who acquires, by sale, merger or otherwise, all or substantially all of such assigning Party’s assets, stock or business. Subject to the foregoing, this DPA shall bind and inure to the benefit of the Parties, their respective successors and permitted assigns. Any attempted assignment in violation of this Section 10.3 shall be void and of no effect.
10.4. This DPA is the Parties’ entire agreement relating to its subject and supersedes any prior or contemporaneous agreements on that subject; provided, however, that, notwithstanding the foregoing but subject to the last sentence of this Section 10.4, nothing in this DPA shall be deemed to supersede any of the Service Agreements. Vendor may modify the terms of this DPA if, as reasonably determined by Vendor, such modification is (i) reasonably necessary to comply with Applicable Laws or any other law, regulation, court order or guidance issued by a governmental regulator or agency; and (ii) does not: (a) result in a degradation of the overall security of the Services, (b) expand the scope of, or remove any restrictions on, Vendor’s processing of Personal Data, and (c) otherwise have a material adverse impact on Customer’s rights under this DPA. Any other amendments must be executed by both of the Parties and expressly state that they are amending this DPA. Failure to enforce any provision of this DPA shall not constitute a waiver. If any provision of this DPA is found unenforceable, it and any related provisions shall be interpreted to best accomplish the unenforceable provision’s essential purpose. The headings contained in this DPA are for reference purposes only and shall not affect in any way the meaning or interpretation of this DPA. In the event of a conflict between the terms and conditions of this DPA and the terms and conditions of any Service Agreement, the terms and conditions of this DPA shall govern.
1. Definitions
2. With respect to Personal Data transferred from the European Economic Area, the EU SCCs will apply and form part of this Schedule I, unless the European Commission issues updates to the EU SCCs, in which case the updated EU SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the EU SCCs. For purposes of the EU SCCs, they will be deemed completed as follows:
3. With respect to Personal Data transferred from the United Kingdom for which the law of the United Kingdom (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the UK SCCs form part of this Schedule I and take precedence over the rest of this Schedule I as set forth in the UK SCCs, unless the United Kingdom issues updates to the UK SCCs, in which case the updated UK SCCs will control. Undefined capitalized terms used in this provision will have the meanings given to them (or their functional equivalents) in the definitions in the UK SCCs. For purposes of the UK SCCs, they will be deemed completed as follows:
4. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, the EU SCCs will apply and will be deemed to have the following differences to the extent required by the Swiss Federal Act on Data Protection (“FADP”):
Data exporter(s):
Name: Entity identified as “Customer” in the DPA.
Address: See the Service Agreement(s).
Contact person’s name, position and contact details: See the Service Agreement(s).
Activities relevant to the data transferred under these Clauses: To receive the Services (as defined in the DPA).
Role (controller/processor): Controller.
Data importer(s):
Name: Atlas Unlimited Inc. (“Vendor”)
Address: 77 Van Ness Ave, San Francisco, CA 94102, USA
Contact person’s name, position and contact details:
Name: Olivier Kaeser (olivier@atlasgo.org)
Role: CEO
Address: 77 Van Ness Ave, San Francisco, CA 94102, USA
Activities relevant to the data transferred under these Clauses: To provide Customer with the Services (as defined in the DPA).
Role (controller/processor): Processor.
B. DESCRIPTION OF TRANSFER
Categories of data subjects whose personal data is transferred
Individuals affiliated with Customer that register to use Vendor’s online platform (collectively, “Users”).
Categories of personal data transferred
Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.
None.
The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).
For the duration of the Services pursuant to the Service Agreement(s).
Nature of the processing
To provide the Services pursuant to the Service Agreement(s).
Purpose(s) of the data transfer and further processing
To provide the Services pursuant to the Service Agreement(s).
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
As long as necessary to provide the Services pursuant to the Service Agreement(s).
For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing
To provide the Services pursuant to the Service Agreement(s).
C. COMPETENT SUPERVISORY AUTHORITY
Identify the competent supervisory authority/ies in accordance with Clause 13
Where the data exporter has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as competent supervisory authority.
Where the data exporter has not appointed a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: The supervisory authority of one of the Member States in which the data subjects whose personal data is transferred under these Clauses in relation to the offering of goods or services to them, or whose behaviour is monitored, are located, shall act as competent supervisory authority.
1. Access Control
2. Asset Management
3. Business Continuity Management
4. Operations Security
5. Information Security Incident Management
6. System Acquisition, Development, and Maintenance
The controller has authorised the use of the sub-processors listed at https://atlasgo.org/vendors_integrations/
This website stores cookies on your computer. These cookies are used to collect information about how you interact with our website and allows us to remember you. We use this information in order to improve and customize your browsing experience and for analytics and metrics about our visitors both on this website and other media. To find out more about the cookies we use, please see our Privacy Policy.
Get your corporate challenge or employee wellbeing program live and empower your team’s wellness journey.
"*" indicates required fields
"*" indicates required fields
[vc_row][vc_column width=”1/1″][contact-form-7 id=”55881″][/vc_column][/vc_row]
[vc_row][vc_column width=”1/1″][contact-form-7 id=”55802″][/vc_column][/vc_row]