This Data Processing Addendum (the “DPA”) is entered into by and between you (“Customer”,“you,” and “yours”) (collectively, with its Affiliates, “Customer”) and MAP Communications Holdings Inc. doing business as Calling Inn (collectively, with its Affiliates, “Provider”). This DPA supplements and is incorporated into the existing agreement between Customer and Provider (the “Agreement”) pursuant to which Provider will provide services (“Services”) to Customer and has the same Effective Date as the Agreement. In the course of providing the Services to Customer, Provider may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data.
The following measures are in place to test, assess and evaluate the Effectiveness of Technical and Organizational Measures:
Hospitality answering service for hotels, inns, B&Bs, resorts, spas, vacation rentals and more.
Hospitality answering service for hotels, inns, B&Bs, resorts, spas, vacation rentals and more.
This Data Processing Addendum (the “DPA”) is entered into by and between you (“Customer”,“you,” and “yours”) (collectively, with its Affiliates, “Customer”) and MAP Communications Holdings Inc. doing business as Calling Inn (collectively, with its Affiliates, “Provider”). This DPA supplements and is incorporated into the existing agreement between Customer and Provider (the “Agreement”) pursuant to which Provider will provide services (“Services”) to Customer and has the same Effective Date as the Agreement. In the course of providing the Services to Customer, Provider may Process Personal Data on behalf of Customer, and the parties agree to comply with the following provisions with respect to any Personal Data.
3.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and Provider is the Processor.
3.2 Customer Authority. Customer represents and warrants that it is and will at all relevant times remain duly and effectively authorized to give the instructions set forth in Section 3.3 below on behalf of itself.
3.3 Provider’s Processing of Customer Personal Data.
3.4 Details of the Processing. The details of this Processing are further specified in Exhibit A of this DPA, and may be amended by the parties as necessary. Provider shall only be obligated to perform any additional instructions to the extent that they are consistent with the terms and scope of the Agreement and this DPA.
3.5 Customer’s Responsibility. Customer is solely responsible for its compliance with all Data Protection Laws applicable to it. Customer represents and warrants that it has obtained all necessary consents, licenses and permissions, if any, required from Data Subjects and any third parties, and as required by Data Protection Laws for Provider’s Processing.
4.1 Provider shall restrict its employees from Processing Customer Personal Data without authorization by Provider and shall limit the Processing to that which is needed for the specific individual’s job duties in connection with Provider’s provision of the Services.
4.2 Provider shall ensure that all of its employees that Process Customer Personal Data will be subject to contractual duties to: (a) keep confidential all Customer Personal Data; (b) follow appropriate data security measures; and (c) cooperate with Customer with respect to Data Subject requests in accordance with Section 8.
5.1 Approval of Sub-processors. Customer provides Provider with a general authorization to engage Sub-Processors. To the extent required by Data Protection Laws, Provider shall notify Customer of any intended changes concerning the addition or replacement of Sub-processors. Unless Customer objects in writing to the Sub-processor within 7 (seven) days, the request shall be deemed approved.
5.2 Sub-processing Agreement; Liability. Provider has or shall enter into a written agreement with each Sub-processor (the “Sub-processing Agreement”) containing data protection obligations not less protective than those in this DPA with respect to Customer Personal Data, to the extent applicable to the nature of the Services provided by such Sub-processor.
5.3 Copies of Sub-Processor Agreements. Provider shall provide to Customer for review copies of the Sub-processor agreements as Customer may reasonably request from time to time.
7.1 To the extent that Customer Personal Data is transferred under the Agreement from the European Economic Area or the United Kingdom to a country that has not received an adequacy determination from the EU Commission (or the Information Commissioner’s Office in the case of transfers from the United Kingdom), including transfers to the United States (collectively “Restricted Transfers”), the parties agree that they will use, together or individually, any necessary transfer mechanisms such as the Standard Contractual Clauses (“SCCs”). The parties intend to abide by the SCCs with the following choices:
7.2 Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer as follows:
7.3 To the extent that the parties determine that a different version of the SCCs should apply, or should an adequacy decision become effective, the parties agree to cooperate in good faith to ensure the appropriate transfer mechanisms are in place.
8.1 Cooperation for Data Subject Requests. Provider shall assist and reasonably cooperate with Customer in responding to any Data Subject requests received by Customer.
8.2 Responding to Data Subjects. In the event that Provider or a Sub-processor receives a Data Subject request relating to Customer Personal Data, Provider shall notify Customer in writing with 3 (three) days. Provider shall respond to the request according to instructions by Customer to either: (1) act on behalf of Customer in responding to the request or (2) inform the Data Subject that the request cannot be acted upon because the request has been sent to a Processor.
9.1 Provider shall report a Security Incident to Customer as soon as practicable, but no later than seventy-two (72) hours after becoming aware of such Security Incident. Such notification to be provided in writing (by email) to [Customer email] and telephonically to the [Customer phone number], as such email address or phone number may be modified from time to time upon written notice from Customer.
9.2 Immediately following Provider’s notification to Customer of a Security Incident, the parties shall coordinate with each other to investigate the Security Incident. Provider and Customer agree to reasonably cooperate with each other in the investigation of any Security Incident.
12.1 Report on Compliance. At Customer’s written request, Provider will provide Customer all information necessary to demonstrate compliance with Data Protection Laws and this DPA.
12.2 Audit. Provider shall allow for and contribute to audits, including inspections, by Customer or an auditor mandated by Customer in relation to the Processing of the Customer Personal Data by Provider or Sub-processors.
I. Confidentiality
II. Integrity
III. Availability and Resilience
IV. Rapid Recovery
V. Procedures for Regular Testing, Assessment and Evaluation of the Effectiveness of Technical and Organizational Measures for Ensuring the Security
VI. Order or Contract Control
VII. Organizational Control
Hospitality answering service for hotels, inns, B&Bs, resorts, spas, vacation rentals and more.