Legal

Data Processing Addendum


When executed, this Data Processing Addendum ("DPA") forms a part of the Skills Base Master Subscription Agreement under which Skills Base provides the software subscription service.

1.0 Definitions

1.1. "Master Subscription Agreement" means the Skills Base Master Subscription Agreement all users of the service sign on to as a pre-requisite to creating any Skills Base instance
1.2 "Data Controller" means You, the Licensee, as defined in the Skills Base Master Subscription Agreement
1.3 "Data Processor" means Skills Base
1.4 "Data Protection Laws" means applicable laws and regulations in relation to the Processing of Personal Data
1.5 "Data Subject" means an identified or identifiable natural person.
1.6. "DPA" means this Data Processing Addendum
1.7 "Personal Data" means any information relating to a Data Subject uploaded by or for the Data Controller or its agents, employees or contractors to a Skills Base Instance
1.8 "Sensitive Data" means Personal Data of a sensitive nature including social security and other government-issued identification numbers, financial and health information, and other Personal Data deemed sensitive or “special categories of personal data” under Data Protection Laws
1.9 "Skills Base Instance" means the specific instance within the Skills Base Subscription Service that is provisioned for the Data Controller's dedicated use
1.10 "Subscription Service" means the Skills Base software as a service (SaaS) offering provided via the Internet
1.11 "Processing" or "Process" means any operation performed on Personal Data including but not limited to by manual or automated means
1.12 "Sub-Processor" means any entity engaged in the Processing of Personal Data by the Data Processor

2.0 Data Processor

2.1. Commissioned Processor

The Data Controller appoints the Data Processor to Process Personal Data on behalf of the Data Controller for the purposes of providing the Subscription Service described in the Master Subscription Agreement. The Data Processor may only process Personal Data for the purposes defined by the Master Services Agreement and not for any other purposes.

2.2. Nature and Purpose

The Data Processor may only process Personal Data for the purposes determined by the Controller to the extent necessary for providing the Subscription Service.

2.3. Third Parties

The Data Processor may not transfer or make available personal data to a third party, unless expressly permitted by the Data Controller.

2.4. Actions and Instructions

The Data Processor shall have no liability for any damages or harm resulting from the Data Processor's compliance with the Data Controller's actions or instructions.

2.5. Data Controller Obligations

Where possible and practical, the Data Processor shall assist the Data Controller in fulfilling its obligations where required, in relation to Processing of the Personal Data.

2.6. Personnel

The Data Processor shall ensure that access to Personal Data is limited to personnel who are bound by confidentiality agreement(s) and who require access in order to fulfill the Data Processor’s obligations under the Master Subscription Agreement.

2.7. Security Measures

The Data Processor shall implement and maintain appropriate technical and organizational safeguards to protect the security and confidentiality of the Personal Data, including protection against unauthorized access, use, erasure or disclosure. These include:

i. Encryption of passwords and backups
ii. Disaster Recovery
iii. Software testing
iv. Event logging

2.8. Data Deletion and Destruction

The Data Processor shall comply with the Data Controller’s request to delete or destroy data if:

i. The request is to destroy all data and not a partial amount of data, and
ii. The Data Controller has specifically subscribed to a service from the Data Processor that facilitates this type of action

2.9. Sensitive Data

The Data Processor does not agree to store or process Personal Data that could be classified as Sensitive Data.

3.0 Data Controller

3.1. Grant of Access

The Data Controller acknowledges and accepts that it is responsible for granting and administering access to data, including the delegation of those privileges to other entities. The Data Processor shall not be responsible for the acts and omissions of the Data Controller in relation to the granting and administering of access to Personal Data by the Data Controller.

3.2. Compliance with Law

The Data Controller shall comply with its obligations under Data Protection Laws when Processing Personal Data.

3.3. Security

The Data Controller agrees that it is responsible for conducting an appropriate risk assessment to determine whether the security features and controls within the Subscription Service are adequate, taking into account applicable Data Protection Laws, as well as the nature of the data and the associated risks. The Data Controller is solely responsible for determining the suitability and adequacy of the security features and controls provided by the Subscription Service.

3.4. Data Controller Affiliates

The Data Controller shall be liable for the acts and omissions of its affiliates, and for their compliance with this DPA and Data Protection Laws. Data Controller Affiliates shall not bring any claim directly against the Data Processor.

3.5. Representation

The Data Controller acknowledges that the Data Processor is reliant on the Data Controller's representations regarding the Data Controller's entitlement to use or Process Personal Data.

3.6. Sensitive Data

The Data Controller agrees not to store Personal Data that could be classified as Sensitive Data on the Data Processor’s systems, or to send that data to those systems, or to allow the Data Controller’s users and affiliates to send Sensitive Data to the Data Processor or its systems. The Data Controller accepts responsibility for the actions of its users and affiliates, as well as for educating and informing them on the restrictions in relation to Sensitive Data under this DPA.

3.7. Special Requirements

If the Data Controller has any requirements that are outside of the terms of this DPA, these shall be considered “Special Requirements” and must be requested by the Data Controller in writing and expressly agreed to by both parties. The Data Processor may have the right to remuneration for any additional costs incurred by the Data Processor as a result of any agreed Special Requirements.

4.0 Sub-Processors

The Data Controller authorizes the Data Processor to engage Sub-Processors declared in Appendix B and appointed in accordance with this DPA to support the provision of services under the Master Subscription Agreement.

4.1. New Sub-Processors

The Data Processor shall ensure that any new Sub-Processor has entered into a written agreement with the Data Processor that contains terms no less restrictive than what is set out in this DPA. The Data Processor shall give notice of new Sub-Processors via announcement through the Data Processor’s public website. The Data Controller may request in writing additional information about any new or existing Sub-Processor.

4.2. Objection to new Sub-Processors

The Data Controller may object in writing within five (5) business days after the Data Processor publishes an announcement of a new Sub-Processor. Upon receipt of an objection, the Data Processor shall review and respond within ten (10) business days. If the decision to appoint the new Sub-Processor is upheld, the Data Processor may terminate the Master Subscription Agreement, and any pre-paid, unused fees shall be refunded. This termination shall not remove or diminish the Data Controller’s obligations to pay any outstanding fees in accordance with the Master Subscription Agreement.

4.3. Sub-Processor Liability

Use of Sub-Processors shall not relieve the Data Processor of its obligations under this DPA, or diminish those obligations in any way.

5.0 Geography

5.1. Data storage

By default, data shall be physically stored within the United States, unless the Data Controller specifically subscribes to a service in another region (e.g. EU), in which case the Data Processor shall ensure that data it processes shall exclusively be stored in the region specified in the subscription. Where the Data Controller specifically subscribes to a service in a region other than the United States, the Data Processor shall not transfer Personal Data to any geographic region other than the one specified in the subscription, unless expressly requested or authorized by the Data Controller.

5.2. Serving of Data

By default, data shall be physically served from servers in the United States, unless the Data Controller specifically subscribes to a service in another region (e.g. EU), in which case the Data Processor shall ensure that the data shall exclusively be served from the region specified in the subscription, unless expressly requested or authorized by the Data Controller. In all cases, the Data Controller acknowledges and accepts that there are no geographical restrictions placed on where the data can be served to, and that authenticated and authorized users (delegated by the Data Controller) will be able to access the data regardless of their physical location.

6.0 Audit Rights

6.1. Data Controller’s Requirements

The Data Controller has the right to, by itself or through a third party, verify that the Data Processor is meeting its obligations in respect to this DPA. The Data Processor shall reasonably assist the Data Controller or its agent by providing information, documentation and evidence. The Data Processor may have the right to remuneration for any costs above and beyond what may be considered “reasonable” incurred by the Data Processor as a result of assisting the Data Controller with an audit.

6.2. Public Authorities

The Data Processor shall cooperate with any relevant public supervisory authority undertaking an audit of the Data Processor.

7.0 Data Disclosure

7.1. Requests for Information

The Data Processor shall refer any requests for disclosure of Personal Data to the Data Controller for approval. The Data Processor shall not disclose Personal Data unless approved by the Data Controller in writing.

8.0 General Terms

8.1. Limitation of Liability

The Data Controller’s remedies in respect to any breach of this DPA by the Data Processor shall be subject to any aggregate limitation of liability specified in the Master Subscription Agreement.

8.2. Termination

This DPA terminates simultaneously with the Master Subscription Agreement. Notwithstanding the foregoing, the Data Processor undertakes to continue to protect Personal Data for as long as it is in its possession.

8.3. Execution and Legal Effect

This DPA shall only become legally binding between parties when executed. Execution of this agreement is deemed to have occurred when signed by both parties.

8.4. Applicable Law and Jurisdiction

This Agreement is governed by and shall be construed in accordance with the laws of Victoria, Australia. The courts of Victoria, Australia shall have exclusive jurisdiction.

9.0 Appendix A – Details of Processing

9.1. Nature and Purpose

The Data Processor will Process Personal Data as required in order to provide the services specified in the Master Subscription Agreement.

9.2. Data Subjects

Any individual that the Data Controller enters into the Data Processor's systems, or that is entered by users that have been delegated access by the Data Controller or its delegates.

9.3. Categories of Data

The Personal Data Processed concern the following categories of data:

  • Full name (Mandatory)
  • Email address (Mandatory)
  • Role name
  • Team name
  • Location name
  • Skill levels (Mandatory)
  • Qualifications
  • File attachments at the discretion of the Data Controller and its delegates and users
  • Images of individuals at the discretion of the Data Controller and its delegates and users
  • Any other information that the Data Controller, its delegates or users enter into the system of their own volition

9.4. Special Categories of Data

The Data Processor does not agree to Process data that could fall under this category.

9.5. Processing Operations and Purpose

The Personal Data will be subject to the following Processing activities, and/or Processed for the following purposes:

  • Hosting and storage for the purpose of making the service available to the Data Controller and its users
  • Backup to comply with Service Level Agreements and Disaster Recovery plans
  • Support, maintenance and development of the system

10.0 Appendix B – Data Sub-Processors

  1. Amazon Web Services, 1200 12th Avenue South, Suite 1200, Seattle, WA 98144, United States